The CyberWire Daily Podcast 6.12.18
Ep 618 | 6.12.18

Don't get cozy with Cozy Bear. Code-signing issues stem from muddled documentation. Devices ship with inadvertent backdoor. Matryosha attack. Operation WireWire versus BEC scammers.

Transcript

Dave Bittner: [00:00:03] The U.S. Treasury Department announces sanctions against Russian entities it says were too cyber-cozy with the FSB. Code-signing issues look like what we have here is a failure to communicate. Android devices are being shipped with ADB enabled, and cryptojackers enter by the backdoor. A layered criminal attack posing as emails from Samsung spearphishes Russian victims. And Operation WireWire reels in 74 business email compromise suspects.

Dave Bittner: [00:00:37] Time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 12, 2018. The U.S. Treasury Department yesterday announced sanctions against five Russian organizations and three individuals it designated as being in violation of executive order 13694, which authorizes measures against entities engaging in significant, malicious cyber-enabled activities. Here's the Treasury Department's brief summary of what the sanctioned entities have been up to. Quote, "examples of Russia's malign and destabilizing cyber activities include the destructive NotPetya cyberattack, cyber intrusions against the U.S. energy grid to potentially enable future offensive operations and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyberattacks.

Dave Bittner: [00:02:44] Today's action also targets the Russian government's underwater capabilities. Russia has been active in tracking undersea communication cables, which carry the bulk of the world's telecommunications data," end quote. So Treasury links the five organizations and three individuals to Russia's FSB. The sanctioned organizations include Digital Security, ERPScan - which Treasury says is controlled by Digital Security, a claim ERPScan denies - Embedi, also said to be under Digital Security's control, Kvant Scientific Research Institute - supervised by FSB, Treasury says - and Divetechnoservices, suspected of undersea cable tapping. The three named individuals, all some time managers at Divetechnoservices, are Aleksandr Lvovich Tribun, Oleg Sergeyevich Chirikov and Vladimir Yakovlevich Kaganskiy.

Dave Bittner: [00:03:40] Digital Security, which Treasury holds to be the owner or controller of both ERPScan and Embedi, is singled out for providing technical support to the FSB - specifically since 2015, technical support that, quote, "would increase Russia's offensive cyber capabilities," end quote. ERPScan is a name that will be familiar to many since they do business in at least 35 countries as a business application security provider. They have major offices in Palo Alto, Amsterdam, Prague and Tel Aviv.

Dave Bittner: [00:04:13] As we mentioned, ERPScan strongly denies it's up to anything and also denies being owned by Digital Security. The company said, quote, "it would be superfluous to say this, but, of course, we have nothing to do with the Russian Federal Security Service as well as other government agencies worldwide. We always tried to avoid any political issues and were outside of political events," end quote. ERP's CEO, Alexander Polyakov, says the company's being sanctioned only because he was born in Russia.

Dave Bittner: [00:04:45] Kvant is a different kettle of fish. It's a research institute the Russian government placed under the supervision of the FSB in 2010. It provides material and technical support to that intelligence agency and has recently served as the prime contractor on an FSB project. Divetechnoservices has delivered various underwater equipment to the FSB since, Treasury says, 2007. Divetechnoservices also produced a submersible craft for that intelligence agency. One imagines their expertise contributed to Russia's ability to tap undersea cables. That's been a matter of concern not only to the U.S. but to the United Kingdom as well.

Dave Bittner: [00:05:26] Researchers at LogMeIn, makers of LastPass password management software, recently studied the psychology of password use, specifically the disconnect between what people know are best practices and what they actually do. Steve Schult is senior director of project management at LogMeIn.

Steve Schult: [00:05:44] Some people just think, it won't happen to me. You know, I am not a nation state. I am not a CEO. I am not somebody that is necessarily going to get targeted. You'd be surprised. You'd be surprised how easy it is either to breach that device that you have there - imagine if you have the same email address that gets caught up in three or four different breaches. And somebody has - you know, let's say they're using a pattern, like, you know, my password plus Facebook if it's for Facebook and plus Netflix it's for Netflix. That's very easy if you're looking at the individual level to start to break those down if you get even just one or maybe more than one and able to do targeted attacks at individual websites.

Steve Schult: [00:06:21] Now, there are so many credentials out there that for the average user, you're not going to necessarily have hackers going at that level or, you know, just your average Joe. But especially if you do happen to be an individual who's likely to be targeted, that type of a system definitely won't keep you safe. And as things like machine learning get more and more prevalent and hackers become more sophisticated, even those basic systems are going to be at risk.

Dave Bittner: [00:06:46] Now, you all have done some research on the psychology of passwords. Can you share some of the findings from that work?

Steve Schult: [00:06:53] Absolutely. So despite individuals and businesses facing these major, global cyber threats, people don't seem to be changing their password too much with password use. Now, I'm sure that many people listening may have used the same password for multiple accounts. Ninety-one percent in our survey - 91 percent know that using that same password for multiple accounts is a security risk. But 59 percent mostly or always use the same passwords. So even though people know this is a bad practice, they still haven't changed their behavior. We haven't seen that behavior change yet.

Steve Schult: [00:07:26] Same thing for information that's posted on social media - 56 percent of people believe that there's no way a hacker could guess one of their passwords from information posted on social media. But if you look at some of the password lists of the most commonly used passwords out there, you see some basic things like people's names, family members' names, pets, birthdays - just some of the basics. And there is a lot of public information out there about people. Hackers can certainly - even if you may - most people do not think that it's possible to guess that. People still aren't changing the behavior of how they're creating secure passwords.

Dave Bittner: [00:08:00] Now, where do you all stand right now on the notion of how frequently a password should be changed? I've heard some people say that too much frequency can actually be trouble and that, really, the length and strength of the password is the key factor there. Is that the current thinking still?

Steve Schult: [00:08:17] It's not just about frequency of passwords. So there was an old school of thought back to the oldness guidelines of, you should be changing - rotating your passwords every 90 days. And we saw that go into the corporate world in terms of password reset requirements. And the latest NIST guidelines that came out last year are less about, how often are you rotating your password? And how how secure is that password itself? Now, if you work in an environment where you need to frequently rotate passwords, odds are people are just incrementing it by one or changing one letter or doing behavior that doesn't really make the organization more secure. Businesses are now realizing that complexity of password, length of password, do you have - it's less about replacing Es with threes and and Ls with ones or any of those basic patterns there. It's more about creating a long, strong and unique password that really drives strong security behavior.

Steve Schult: [00:09:17] The old behavior of, oh, let me just figure out some password so I can get by, it's not really how humans work. Humans aren't going to create memorable passwords all the time. And that's why at LastPass, you know, we encourage people to create long, strong and unique passwords for every website. And, you know, it's not uncommon for our users to have hundred-character passwords in there. Honestly, what's preventing that more is the inputs on the website side. You know, some websites, even secure websites, still say, you know, enter in an eight-character password, and you can't use any special characters.

Steve Schult: [00:09:48] And yeah, I'd like to think that as a digital society, we're starting to get beyond that. But for the average user, almost more important is putting a second factor in there. And many websites, many services are starting to allow that. People are starting to go beyond just the - you know, use SMS as a second factor and starting to allow things like - well, LastPass has our own authenticator. Google authenticator's a very common one. Microsoft authenticator - just some of the basics for two-factor because if you do have a situation where somebody does get that credential - and this is the old adage of something you know and something you have. So that something you have is really what'll stop the hacker there, not something that - you know, you're rotating passwords every 30, 60, 90 days.

Dave Bittner: [00:10:27] That's Steve Schult from LogMeIn.

Dave Bittner: [00:10:31] Security firm Okta reports a long-standing third-party code-signing issue in MacOS signature checks. The fault isn't in Apple code itself. It lies, rather, in unclear documentation that led developers to use the API incorrectly. The documentation has since been clarified. Okta's report on the issue is interesting in a number of respects. Their disclosure timeline is particularly worth a look. They began the process back in February and were able to go public just today. Vendors are said to have been shipping Android devices with an enabled ADB - that's Android Debug Bridge - effectively, leaving an open backdoor. Security firm Qihoo 360 reported the problem in February, but there seemed to be few signs that it's abated. Most of the manufacturers whose devices are affected are located in Asia. ADB is a legitimate tool, but it's supposed to be disabled before devices shipped. Some researchers are observing the ADB exploited to cryptojack victim devices.

Dave Bittner: [00:11:36] A wave of spearphishing is hitting Russian IT device service centers, according to Fortinet researchers. The emails, which have the clumsy look of machine translation as opposed to native or even non-native speakers of Russian, purport to be from Samsung. The exploit uses an old and patched vulnerability in Microsoft Office documents - CVE-2017-11882. There's no attribution being reported, but it has the look of a criminal campaign. The attacks use a multilayer payload, a non-Russian Matryoshka, as security firm Fortinet calls the technique, alluding to the nested Matryoshka dolls familiar in Russian curio shops. Fortinet sees this more complex and layered approach growing more common. They speculate that this trend is due to greater user awareness. It's not as easy as it once was to trick someone into opening a simple executable file.

Dave Bittner: [00:12:32] A multinational sweep picked up a large ring of business email scammers. The U.S. Justice Department counts 74 collars. The Justice Department's announcement notes that a number of the victims were senior citizens, particularly vulnerable to this form of wire fraud, capable as it is of wiping out a lifetime of savings. The arrests were part of Operation WireWire, which brought the U.S. Department of Justice, Homeland Security and Treasury, as well as the U.S. Postal Inspection Service, into partnership with authorities in Nigeria, Poland, Canada, Mauritius, Indonesia and Malaysia. U.S. state and local police also rendered assistance. Operation WireWire was conducted over six months. Most of the arrests were made in the United States, but Nigerian police bagged 29. And Canadian, Mauritian and Polish authorities nabbed one apiece. WireWire seized about $2.4 million in funds and disrupted and recovered some $14 million in fraudulent wire transfers. Bravo to all the investigators who worked on the case.

Dave Bittner: [00:13:39] The Kim-Trump summit went off in Singapore yesterday as planned. It focused, as expected, on nuclear issues. Cyber conflict between the U.S. and the DPRK is expected to resume or continue its now-familiar course.

Dave Bittner: [00:14:00] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:15:01] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an interesting article come by from Lawfare. And the title is "The Encryption Debate Isn't About Stopping Terrorists, It's About Solving Crime." What are they getting at here?

Ben Yelin: [00:15:19] So when you see congressional testimony from members of law enforcement - and we saw it most recently with the head of the FBI, Christopher Wray. They always frame this encryption problem in terms of the war on terrorism or the war against foreign adversaries. And they say that it's very hard for the government to piece together a puzzle to catch terrorists, to conduct the war on terror if they're not allowed or if they're not able to encroach on these encrypted devices. And I think this article makes a very good point that in the vast majority of circumstances, the full weight of law enforcement, the full resources of all of our law enforcement agencies will probably be able to find something, whether it's technological expertise, some sort of hacking service, hacking software. They'll usually be able to get into those devices. They have the resources. There aren't that many terrorists (laughter) relative to the number of law enforcement agents. You don't see that in the criminal context.

Ben Yelin: [00:16:20] Here, we're not talking about the FBI and the federal government and the entire national security apparatus. We're probably talking about a local police department or the state police or a state agency. And when we're talking about state-level criminal offenses, the numbers are reversed. The number of agents pales in comparison to the number of crimes. So if we give the government the power and the tools to break some of these stringent encryption methods, yes, we could say we'd be doing it to protect us against terrorism. But, really, that would be a slippery slope to sort of cut corners at the state and local level and have - make it much easier to decrypt the devices of your standard criminals who aren't involved in terrorism or espionage.

Ben Yelin: [00:17:08] I think what this author is trying to say is that it's misleading to claim that we're only trying to have encryption-breaking technology to fight the war on terror. Eventually, these techniques are going to be available to law enforcement, even though, normally, they don't necessarily have the resources to use them.

Dave Bittner: [00:17:25] And does this author think that's a good thing?

Ben Yelin: [00:17:27] This author does not think that's (laughter) - does not think that's a good thing. I think this author thinks that it's sort of misleading that, you know, we make arguments about the policy of encryption on false pretenses...

Dave Bittner: [00:17:39] I see.

Ben Yelin: [00:17:40] ...And that we should have a more honest conversation. If we actually want law enforcement to have the vast power to decrypt untold number of devices from criminals and, potentially, people falsely accused of crimes in your garden variety state or local prosecution, then that's very problematic. That's a debate we could be having, but that's not the debate we are having. When we see congressional testimony, they always frame it in terms of catching terrorists. If that were really the case, if that was the only intention of law enforcement, they probably wouldn't need to purchase packing software.

Ben Yelin: [00:18:14] They - with their level of expertise and resources relative to the number of terrorists they're trying to track down, what this offers, plainly, is they would be able to decrypt those devices. So I think in this author's view, it's just misleading to frame the problem as something that's going to be applied in terrorism cases when it's something that could also apply to garden variety criminal prosecution cases.

Dave Bittner: [00:18:38] I see. All right. As always, Ben Yelin, thanks for joining us.

Ben Yelin: [00:18:41] Thank you.

Dave Bittner: [00:18:46] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:15] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.