The CyberWire Daily Podcast 2.27.18
Ep 544 | 2.27.18

Cryptojacking through an AWS S3 bucket. Threats, risk, and unintentional mistakes. Crime and punishment. Industry notes. Alien hackers?

Transcript

Dave Bittner: [00:00:00:15] Thanks again to our Patreon supporters for helping us keep the doors open here at The CyberWire, every little bit does help and we do appreciate it. You can find out more at patreon.com/thecyberwire.

Dave Bittner: [00:00:14:15] CoinHive has installed a misconfigured AWS S3 bucket. Unintentional password collection. Threat and risk trends for 2018. Avalanche phisher king is rearrested in Kiev. Huawei says it's being picked on. Apple makes nice with Beijing. We've got some industry notes - controlling interests and an ICS security series B round. Reality Winner wants her confession suppressed. Hal Martin's packrat defense may have received an unexpected boost. And could alien signals be alien hacks?

Dave Bittner: [00:00:50:06] Now some notes from our sponsor, Cylance. You've heard of Emotet, the banking Trojan that reemerged at the end of 2017 to trouble online banking customers. For now it's hitting financial institutions, mostly in Austria and Germany, but even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well, don't get cocky kid, your language community could well be in the on deck circle. The new Emotet has a bad new dropper, it knows when you're sandboxing it and it evades attempts to analyze it. Fortunately you're in luck, no matter where you are, Cylance can protect you. Check out Cylance's blog post about Emotet at cylance.com. We not only thank them for sponsoring the CyberWire, but we suggest you head on over to cylance.com for the skinny on Emotet.

Dave Bittner: [00:01:46:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, February 27th, 2018.

Dave Bittner: [00:01:56:07] The CoinHive cryptojacker found last week in the Los Angeles Times has an explanation - it was apparently introduced by a hacker who simply exploited an unsecured Amazon Web Services S3 Bucket. The hacker obfuscated the CoinHive code making it more difficult to detect. Another illicit, but more amiable visitor deposited a helpful note in the bucket for the LA Times administrators to find. It says, "Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it."

Dave Bittner: [00:02:33:23] An editor, perhaps at the Times itself, would amend this to be, "before another bad guy finds it." Amazon has been working to help its customers make better security choices. Users of Amazon Web Services would do well to inspect how their buckets are configured.

Dave Bittner: [00:02:50:12] Princeton University researchers conclude that website analytic services have been unintentionally collecting passwords. The researchers began by looking at the Autotrack data collection service used by the product analytics shop, Mixpanel. Autotrack is described as a "comprehensive user data collection service." The researchers found that Autotrack had been collecting password data unintentionally, even though the service incorporated heuristics designed to prevent just that. They then determined that other services were also unintentionally harvesting passwords.

Dave Bittner: [00:03:25:09] CrowdStrike released its 2018 Global Threat Report yesterday. Among the findings are the rise of supply chain compromise and cryptocurrency related fraud as significantly expanded attack vectors. Another interesting finding is the speed with which successful attackers are able to pivot laterally from an initial compromise, just under two hours.

Dave Bittner: [00:03:46:21] Haystax this morning released its 2018 insider threat predictions. They see ordinary employees eclipsing privileged users as insider risks, and they see behavioral monitoring becoming the new normal.

Dave Bittner: [00:04:00:12] An Adobe Flash bug patched earlier this month has resurfaced in malicious Microsoft Word files, as criminals seek to repurpose the exploit against vulnerable systems.

Dave Bittner: [00:04:11:14] A few quick industry notes. Huawei continues to protest that it's being singled out unfairly as a security risk by US authorities. Apple has quietly acceded to Chinese government requests that it grant access to Chinese iCloud accounts. In happier news, South Korea's SK Telecom has taken a controlling interest in Swiss quantum encryption shop ID Quantique. And Boston-based CyberX, the critical infrastructure defense shop, announced today that it's received $18 million in Series B funding from investors led by Norwest Venture Partners.

Dave Bittner: [00:04:47:13] Ukrainian authorities have again arrested Gennadiy Kapkanov, said to have been the leader of the Avalanche phishing gang. Mr. Kapkanov was arrested in Poltava in November of 2016, but was released under shady circumstances and has been on the lam since then. Police scooped him up in Kiev this Sunday.

Dave Bittner: [00:05:07:18] When it comes to securing systems, hardware and software are likely top of mind for most people. But what about firmware? Terry Dunlap is co-founder and CEO of ReFirm Labs where they specialize in IoT security, specifically vetting and validating firmware.

Terry Dunlap: [00:05:24:06] What we've been able to find in a lot of our research, when we look at the firmware of IoT devices, is insecure coding practices, using a lot of strcpys that create buffer overflows, command injection attacks, things of that nature, that if somebody was actually educated, or took the time to thoughtfully program a lot of the functions that are in these IoT devices, we wouldn't be in the situation that we're in today. That's the number one problem that we face in IoT.

Terry Dunlap: [00:05:54:03] All these problems that we're facing, from a coding level, had been eliminated primarily in laptops, in servers and things like that. So, we're seeing a regression back to the wild wild west days of the 1990s, when Windows was always so vulnerable. We don't see those problems anymore because they've been pretty much eradicated in today's desktop and server laptop market. But we see this resurrection of these problems now in IoT, for whatever reason.

Dave Bittner: [00:06:22:19] What do you suppose those reasons are? Is there insufficient market pressure to have a watchdog on the programming side of things?

Terry Dunlap: [00:06:31:06] I think the pressure is margin pressure - to get this stuff created as quickly as possible at the cheapest possible rate. And so a lot of the firmware that we've analyzed, once we've talked to manufacturers, a lot of it isn't even produced in-house by the manufacturers. It's all outsourced overseas to South East Asian original device manufacturers.

Dave Bittner: [00:06:53:24] Is the message getting out? Are manufacturers starting to realize that this is something they need to pay attention to?

Terry Dunlap: [00:06:59:22] I think they're starting to notice, but I think a lot of them are still of the mindset, well, it's not going to happen to me. I think, when you look at more IoT or IIoT devices, like in critical infrastructure, people are taking a more serious look at what's going on. But if you look at your device manufacturers, like your low-end IP security cameras, your routers, your switches, some of the toys now, I don't think there's a lot of focus on security there, because a lot of those people, based on what I can tell, are of the mindset of, okay, so what happens if, you know, my IoT Internet connected toy gets hacked? So what?

Dave Bittner: [00:07:40:13] Firmware, it seems to me, is something that's easy to overlook - it's deep down in the system. It's not top of mind.

Terry Dunlap: [00:07:51:17] No it's not, because most people are familiar with the term hardware and software. Not many people know what firmware is. I would probably bet a large chunk of CTOs and maybe even CISOs at large corporations probably have never considered firmware a threat factor. So it does require some education. I think people are starting to understand, especially in the C suite of a lot of these companies. Most of us everyday Joes don't encounter firmware that often, unless we see an update for maybe our phone, because our phone runs firmware.

Terry Dunlap: [00:08:25:03] So if you have an iPhone or an Android and there's an OS update, that's basically firmware that's being pushed to your phone. If we find a firmware that actually has a hard coded backdoor in it, and a lot of the back doors that we've encountered are usually left there, quite by accident, by engineers, so they can facilitate and expedite testing, and, unfortunately, maybe they're not following a check list, but those back doors are never removed into the final product. So, if a manufacturer notices that they can push out a firmware update that will completely rewrite the existing firmware and remove that back door.

Terry Dunlap: [00:09:01:24] Now, I'll give you an interesting story here. A few years ago we were approached from a foreign telecom company who was interested in having us evaluate the security of one of their Internet gateway devices. We took a look at the device and we said, yes, there's a hardcoded username and password in there, probably by mistake. Here's our report, talk to the manufacturer, your vendor, and see if they can get it removed. Some weeks, months go by, we get the updated version. We look, and we say, yes, the back door and password has been removed. However, it's been moved to a different location in the firmware. So this is being done maliciously.

Terry Dunlap: [00:09:42:19] What the telecom company decided to do after that - we didn't get any further information. But, this is the type of trickery that goes on under the hood, depending on who you're dealing with. It's hard to catch this stuff. But there are people out there, in rare cases, like this one that I just explained, where it's done maliciously.

Dave Bittner: [00:10:02:13] That's Terry Dunlap from ReFirm Labs. Full disclosure, ReFirm Labs and the CyberWire are both located in the DataTribe start up studios. This interview came through our normal editorial channels.

Dave Bittner: [00:10:15:07] The trials of two accused NSA leakers have become a bit stickier for the prosecution. Reality Winner, the Georgia-based former NSA staffer and former contractor, who admitted to FBI agents that she was the source of highly classified documents leaked to The Intercept, wants her confession to stealing and leaking classified documents suppressed. She maintains that she was improperly Mirandized by the FBI agents who interviewed her. She also appears to be positioning herself as a whistleblower, as various whistleblowing advocates point with alarms to the chilling effect her prosecution will have on future leakers. Which is, of course, from the Government's perspective, a feature and not a bug.

Dave Bittner: [00:10:56:21] In a Federal courtroom in Baltimore, the case of former NSA contractor, Hal Martin, is in progress. Judge Marvin Garbis, who's presiding over the case, has some questions about the degree of proof the prosecution will need to present to get a guilty verdict. According to Politico and CyberScoop, the judge has asked whether the government must show that Mr. Martin knew he had specific classified documents in his possession, or if he could be prosecuted under the Espionage Act of 1917, without the government having to offer such proof. Judge Garbis has asked both prosecution and defense to address this question in briefs.

Dave Bittner: [00:11:33:11] This is thought to favor the defendant's case. His lawyers are essentially representing him as an eccentric but fundamentally well-intentioned packrat. The sheer volume of classified material allegedly recovered from his shed in the Baltimore suburb of Glen Burnie, may give the prosecution difficulty. It was around 50 terabytes. Who knows what could be in there? Maybe not even Mr. Martin.

Dave Bittner: [00:11:57:11] Finally we offer some thoughts for the UFOlogical community. Alien experiencers, you can stop worrying about abduction and start worrying about malware. That's right, where once the Greys might have been out to administer an interstellar colonoscopy to learn whatever can be learned from the Terran fundament, now it seems more probable you'll face an intergalactic Stuxnet. That's right, we've long thought that actively sending messages to aliens (are you listening, Mr. Musk?) was a stupendously imprudent thing to do. But, what harm could just listening for them in traditional SETI fashion do? Well, a lot, according to astrophysicists Michael Hippke and John Learned, respectively from the Sonneberg Observatory and the University of Hawaii.

Dave Bittner: [00:12:41:14] How do you know that signal isn't downloading malicious extraterrestrial code? I mean, come on, it's not like we're Frank Drake listening for spacefarers' Morse code on our Heathkit ham radios anymore. All of this stuff is networked and automated, which, by the way, is the same reason SETI volunteers are such good candidates for cryptojacking.

Dave Bittner: [00:13:01:06] Hippke and Learned conclude, at the end of their thought experiment, that on balance it's worth the risk. But, here's how they framed that risk in their paper's abstract, "A complex message from space may require the use of computers to display, analyze and understand. Such a message cannot be decontaminated with certainty, and technical risks remain which can pose an existential threat."

Dave Bittner: [00:13:25:10] Well okay, that's right, if it's just an existential risk then alright. If you wouldn't take the USB drive you found in the parking lot and plug it into your system why in the name of Gort would you process an alien signal on that same system? You don't know where that's been!

Dave Bittner: [00:13:46:12] Now a moment to tell you about our sponsor, ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore, they're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. We thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:52:19] Joining me once again is Johannes Ullrich. He's from the SANS Technology Institute and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. You know, it is not uncommon for me and many other people to go searching for the cheapest possible cables online, if I need a USB cable or a lightning cable or whatever kind of cable, but you want to make the point that maybe not all these cables are secure?

Johannes Ullrich: [00:15:17:02] Yes, in particular, if you find a cable and may not even pay for it there is actually a lot of complex software and hardware that goes into these cables. If you're, for example, looking at a modern USB-C or a Thunderbolt cable, those cables have firmware inside the cable, that of course can easily be replaced. Aside from that, there's also another type of cable that I've come across lately. It looks like a USB charging cable, and functions as such, but it also has a little SIM card built in and has the ability, with a microphone, to listen in on conversations in the room. An owner of this cable could then also request that the GPS card, and even though that's fairly rough, it just uses the triangulation of the cell phone network. This cable is sometimes sold as spy devices and will actually act quite well.

Johannes Ullrich: [00:16:17:02] The idea according to manufacturers is that you leave a cable like this as a charging cable in your car, and if your car ever gets stolen you can use it to essentially find your car. But actually they work a lot better as an eaves-dropping device than as a GPS. That, of course, has all kinds of privacy implications if you have an innocent-looking USB cable in your office that could be turned into a microphone at any time via a remote phone call.

Dave Bittner: [00:16:47:10] I have also seen, available online, devices that just look like a standard USB charger, a little tiny brick, but inside there's a camera and microphone.

Johannes Ullrich: [00:16:56:17] Correct. Now they're typically not remotely accessible. The problem with these cables in particular is that all you have to do is you have to send an SMS message to the phone number associated with the cable, which will then cause the cable to call you back and allow you to listen in on any conversations in the room.

Dave Bittner: [00:17:14:20] Wow. Interesting times, when you have to worry about your cables having their own phone number.

Johannes Ullrich: [00:17:20:24] Right, and I would say if you get a cable you don't quite trust, you'll maybe find one in the office all of a sudden, usually you can break it a little bit at the connectors, and if the connector comes apart and a SIM card pops out then it's probably a bad sign.

Dave Bittner: [00:17:35:16] Good advice as always. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:17:39:07] Thank you.

Dave Bittner: [00:17:42:17] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security - follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:18:04:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:18:14:04] Our show is produced by Pratt Street Media with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.