The CyberWire Daily Podcast 5.9.18
Ep 595 | 5.9.18

Stubborn IoT botnets. Razzle-dazzle HTML phishing lure. Fancy Bear's false flag. Busy Yahoo boys. Crooks turn from Tor to Telegram. Kaspersky and contractors. Patch notes. SB 315 vetoed.

Transcript

Dave Bittner: [00:00:03:22] Hide-and-Seek is a hard-to-flush botnet. A phishing technique takes advantage of an email client's rendering of HTML. Facebook death threats in 2015 are said to have been the work of Fancy Bear, dressed up as the Cyber Caliphate. Nigeria's Yahoo boys are busier than ever. DHS wonders what it will take to get US Federal contractors to get rid of Kaspersky. Crooks turn from Tor to Telegram. We've got some Patch Tuesday notes, and Georgia's governor vetoes a controversial cybersecurity bill.

Dave Bittner: [00:00:40:15] And now a word from our sponsor LookingGlass Cyber Solutions, an open letter from the malicious botnet on your network.

Botnet: [00:00:51:10] So here we are. It's just you and me at this godforsaken hour. You're looking right at me, too. I'm on the second monitor to the left. Had you seen me, you would have realized I'd compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week; I'll be in Cabo by then working on my tan.

Botnet: [00:01:17:06] I love getting to know your company, by the way. Your financial data, personal records. I've got a piece of unsolicited advice for you: check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that fends off cyber threats like me. Data breaches, ransomware and stolen credentials, in real time. Be a hero with the LookingGlass Scout Shield Threat Intelligence gateway. See the video at Lookingglasscyber.com.

Dave Bittner: [00:01:59:04] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 9th, 2018.

Dave Bittner: [00:02:11:11] There are some possibly unpleasant developments in the world of IoT botnets. Hitherto you've been able to clear botnet malware from an IoT device by resetting the device. This works because most of the botnet software normally resides in memory, which a reboot flushes.

Dave Bittner: [00:02:28:19] This, however, may be changing. In what Bleeping Computer describes as a "game changer," Bitdefender has described its discovery of the "Hide-and-Seek" botnet, an IoT botnet that survives device reboots. Under certain circumstances Hide-and-Seek copies itself to a folder that houses daemon scripts in Linux-based operating systems, and routers and IoT devices tend to run on a Linux-based OS.

Dave Bittner: [00:02:55:07] Bitdefender thinks Hide-and-Seek is still something of a work in progress, and that large-scale distributed denial-of-service attacks are for now unlikely, but the new approach to achieving persistence in the bot herd will bear watching.

Dave Bittner: [00:03:09:18] Avanan reports finding "baseStriker," a phishing technique that crafts HTML in emails so that malicious links, even those on a blacklist, pass through the Safe Links feature of Microsoft Office 365's Advanced Threat Protection. It works by using the "base" tag to split the malicious link in two. Safe Links passes it, but then the Outlook email client reassembles the link into a nicely rendered and clickable form.

Dave Bittner: [00:03:40:12] The AP says it has evidence showing that 2015 threats communicated via Facebook to spouses of US military personnel were not in fact from ISIS. The unusually repellent threats appear to have been the work of Fancy Bear, which is, of course, Russia's GRU. The threats, issued under the false flag of the Cyber Caliphate, would threaten military families. Here's a representative sample the AP offered. “Dear Angela! Bloody Valentine’s Day! We know everything about you, your husband and your children. We’re much closer than you can even imagine."

Dave Bittner: [00:04:18:08] The threats were, at the time, widely believed to be genuine ISIS communications. They're not the only time the GRU represented itself as ISIS. It did something similar during the hack of France's TV5 that same year. Those operations, arriving around the time of the ISIS-inspired massacre at Charlie Hebdo, were even more disturbing.

Dave Bittner: [00:04:41:09] We've had occasion recently to follow the doings of Nigeria's Yahoo boys and the gangs that employ them. They've been busy. Palo Alto Networks compared 2016 and 2017 and found a significant increase in the rate of cyberattacks by the Nigerian gang Palo Alto tracks as "SilverTerrier." SilverTerrier made on average 17,600 attempts each month during 2017, up from 2016's average of 12,200. The gang's operations are socially engineered, so look to your user awareness training.

Dave Bittner: [00:05:17:20] It's become a standard part of just about every large data breach story these days. Countless usernames and passwords are revealed, which of course leads to recommendations from service providers or authorities to change your passwords. Phillip Dunkelberger is president and CEO of Nok Nok Labs, and he also works with the FIDO Alliance, a group looking to bring standards-based authentication to the masses. He maintains that usernames and passwords have outlived their usefulness.

Phillip Dunkelberger: [00:05:45:20] One, they were never designed for usability. They were really designed for quick local access and if you think back, they were invented in the mainframe days so terminal access and use. They were really not designed to be usable - they had no idea of using something like a PC or, even more troublesome, a tablet or a laptop, where you've got much less screen space and keyboard space.

Phillip Dunkelberger: [00:06:09:16] The complication that has come in trying to secure them - upper and lower case, special characters, longer lengths, changing them all the time, doing essentially password rotation - has not worked well. The other piece is that from a security standpoint you end up storing them in some kind of container or database that becomes a large attack surface that if I want to steal credentials, I can just attack that particular database and steal a lot of people's credentials.

Phillip Dunkelberger: [00:06:39:13] And what that has led to from a security standpoint, 81 percent of the people according to the Verizon studies and echoed by Dr Larry Ponemon, who invented Cost of a Data Breach, 81 percent plus of all data breaches begin with a stolen credential. So usability, not good for tablets and phones, from a security standpoint, creates a big attack surface and is really not secure in a modern architecture today.

Dave Bittner: [00:07:06:04] And so in your estimation, what's next?

Phillip Dunkelberger: [00:07:09:04] What is next is the industry who created that particular modality, usernames and passwords and other types of inventions over time, has got to think about the problem differently. The way we've been able to do that is think about things like what would it mean to the world if we didn't have to use passwords any more? If we could use a better more natural way of logging in? Something like a selfie or a fingerprint swipe or your voice? Those would be something that would be an improvement from a usability standpoint, and then could we separate the idea of storing large amounts of information or biometrics on a back-end database that could be attacked?

Phillip Dunkelberger: [00:07:50:04] So, both of those ideas are something the industry's been working on and that has led us to the announcement this week of two standards bodies. One is a recommended standards body, the FIDOAlliance.org and the W3C which is an official standards body; it governs a number of different standard protocols for the internet. The one that we'll talk about today is the browser protocol and two standards organizations with a lot of industry heavyweights in it, coming together to find a better way to do authentication.

Dave Bittner: [00:08:25:08] So let's dig into that some. Take us through what you're hoping to achieve with the browser standards.

Phillip Dunkelberger: [00:08:30:16] The browser standards that were announced were the coming together of the FIDO Alliance, which means Fast Identity Online, which has had over 300 plus companies involved in developing a protocol or a handshake. Being able to replace common usernames and passwords or other non-scalable items like deploying hardware, small tokens, those kind of things, that are very costly to manage and replace, replacing that with an infrastructure that basically turns on secure elements on your device or on your laptop or phone, and common ways of using it like a selfie or your voice or fingerprint.

Phillip Dunkelberger: [00:09:10:02] All of those things being able to replace a username and password in a standard format that allows people to plug them together easily and build a better way of authentication.

Dave Bittner: [00:09:20:10] And so, what kind of timeline do you suppose we're on in terms of making this an official standard?

Phillip Dunkelberger: [00:09:25:16] Well that's a great question. I was a CEO in a prior life of Pretty Good Privacy, PGP as it's well known in the industry - that standards body of making an encryption standard took us roughly ten years. Because of the pressing problems that we have with the theft of credentials and the large attack surfaces that are out there, we've been able to get to this kind of recommended standard in less than five years and I think that what we're going to see is the roll-out beginning later this year, with people like Google, and Microsoft announcing at the most recent RSA Conference that this will be available over the course of their product or at least over the next year.

Phillip Dunkelberger: [00:10:06:18] So this is going to be available on a broad scale within a year. All of these are just component parts of the protocol that will let the technologist implement it, and let the users, whether they're corporate or consumer users, enjoy the benefit. So we didn't dig the hole of usernames and passwords in five years; we're not going to get out of this in a short period of time, but for the first time we're building new roadways or thinking about the roadways differently than we have in the past to make usability and security something that's available to everybody.

Dave Bittner: [00:10:43:23] That's Phillip Dunkelberger from Nok Nok Labs. You can learn more about the FIDO Alliance and their authentication standards at FIDOalliance.org.

Dave Bittner: [00:10:54:14] Microsoft patched some 67 issues with its products yesterday. One of the vulnerabilities addressed merits particular attention: CVE-2018-8174, which affects the way the Windows scripting engine handles certain classes of objects, is already being exploited in the wild. Adobe also patched, addressing issues in Flash Player and the Adobe Creative Suite. VpnMentor is offering an "unofficial" fix for vulnerable Dasan GPON routers. If you can't wait for Dasan, give the offer a look, but a circumspect and cautious one. Unofficial stuff can be good, but caveat emptor.

Dave Bittner: [00:11:35:13] The US Department of Homeland Security is wondering what it will take to get Federal contractors to purge Kaspersky products from their systems. Secretary Nielsen is musing aloud and darkly about punitive contracting measures to bring the primes and subs into line.

Dave Bittner: [00:11:53:11] Feeling increasingly exposed and ill-at-ease on Tor, it appears that the criminal underground is turning to Telegram when it feels the need for an online forum.

Dave Bittner: [00:12:04:15] Georgia Governor Nathan Deal has vetoed that state's ill-received State Bill 315, called "catastrophically stupid," in BoingBoing's headline assessment, which would have criminalized many common and legitimate security research practices. It also would have authorized certain forms of hacking back under the rubric of "active defense." The "hack back" provisions of the law were also greeted with widespread skepticism. A number of commentators thought the bill would not only have criminalized innocent white hats, but also inspired poorly-informed and difficult-to-contain cyber vigilante activity. So there you go. Those checks-and-balances you learned about in high-school civics class are alive and well in the Peach State.

Dave Bittner: [00:12:54:00] Now a moment to tell you about our sponsor ObserveIT. It's 2018, and traditional data loss prevention tools aren't cutting it any more. They're too difficult to deploy, too time consuming to maintain, and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization.

Dave Bittner: [00:13:28:10] That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at Observeit.com/cyberwire. That's Observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:03:06] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:14:09:12] Hi Dave.

Dave Bittner: [00:14:10:05] So, you sent over an interesting article that was about the state of Delaware, which started dipping its toes in the water to have mobile driver’s licenses. What's going on here?

Joe Carrigan: [00:14:21:01] I'll tell you what I think, and this is just me doing what's probably the easiest part of my job, and that's going, "This is going to be bad."

Dave Bittner: [00:14:31:18] Go on.

Joe Carrigan: [00:14:32:19] So the mobile driver’s license, two of the key features that the article talked about, one of them was the ability to identify yourself as over the age of 18 or over the age of 21, without having to disclose other information, like your address and your name and everything.

Dave Bittner: [00:14:46:13] Oh I see.

Joe Carrigan: [00:14:47:10] Which is a good concept, a good idea. I like that idea.

Dave Bittner: [00:14:51:09] So if I want to get into a bar, I can use this ID with the bouncer at the door without him finding out where I live?

Joe Carrigan: [00:15:02:19] Right. It just has a picture of you and says yes, you're over 21.

Dave Bittner: [00:15:06:06] I see.

Joe Carrigan: [00:15:06:08] And that's it. That's great. If there was a way to secure that to be the only way that a picture of you could show up on your phone with the statement saying, yes, you're over 21, then that would be fine. However my prediction is that there will be all kinds of apps released that will permit people to have essentially what amounts to a fake ID. Just smile for this picture and we'll put up the picture and say yes, you're over 21 in this app.

Dave Bittner: [00:15:32:20] And it's hard to put a hologram on an iPhone app right?

Joe Carrigan: [00:15:36:03] Absolutely. I don't know that it's possible to put a hologram on an iPhone app.

Dave Bittner: [00:15:41:09] But also there's some interesting uses from law enforcement to use this during a traffic stop. They talk about the officer could ping your smartphone and request the driver’s license information before even walking up to your vehicle.

Joe Carrigan: [00:15:54:14] That's right, and that gives me concern because my initial reaction or thought on this is as soon as this comes out and becomes widely available, everybody who has a malicious intent will be trying to get into every single person's driver's license who has one of these apps on their phone. It's basically a big sign that says "Come hack me." Not that I know of any vulnerabilities on this system, but it is certainly part of the attack surface that is going to garner a lot of attention.

Dave Bittner: [00:16:25:04] It's interesting because so far the driver's license is something that we've kept off of our smart devices. You have your license in your wallet; all that information, your driver's license number, generally I don't have on my phone. So while we talk about all of this private information being on our phone, this would push even more to your mobile device.

Joe Carrigan: [00:16:46:08] Exactly. It would push more information that is not usually on your phone to your phone. I just have a couple of concerns with this. I'd like to learn a little bit more about it.

Dave Bittner: [00:16:56:14] Hopefully it'll be one of those things you can opt into, so for the folks who see the benefits of it, they could do it but if you wanted an old-fashioned driver’s license you could still do that.

Joe Carrigan: [00:17:05:06] It's very easy to opt out. You just tell them that you don't have a smartphone.

Dave Bittner: [00:17:09:06] And you hope nobody calls you while you're standing in line telling them that, right?

Joe Carrigan: [00:17:12:20] And if it does ring, you just go "I don't know what's happening."

Dave Bittner: [00:17:15:17] "What's that noise? I hear that noise every now and then, I'm not sure what it is."

Joe Carrigan: [00:17:18:17] I'm about to back up. That's what the noise is.

Dave Bittner: [00:17:21:16] Alright, we'll keep an eye on it. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:17:24:09] It's my pleasure, Dave.

Dave Bittner: [00:17:29:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. And Cylance is not just a sponsor; we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:17:49:01] And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at VMware.com.

Dave Bittner: [00:17:58:00] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.