More Elon Musk impersonators in social media. Cryptocurrency raided. Spearphishing in Palestine. BlackTech espionage group. Apple upgrades. Polar Flow fitness app and oversharing.
Dave Bittner: [00:00:03] Advance fee scams run by Elon Musk impersonators use rescued boys soccer team as phish bait. Bancor wallets robbed of cryptocurrencies. Palestinian police have been spear-phished. The BlackTech espionage group is using stolen certificates to sign malware. Apple's upgrades are out; one privacy enhancement has a workaround. Microsoft is in the process of patching. And another fitness app overshares.
Dave Bittner: [00:00:35] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:46] Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:50] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 10, 2018.
Dave Bittner: [00:01:58] If you've been following the saga of the boys trapped in a cave in Thailand, you'll be happy to know that they're now all reported to be out and safe - a happy ending saddened by the accidental death of a volunteer diver who worked on the rescue. You'll also, no doubt, be aware that Elon Musk offered the use of a mini-sub to get the boys out. The sub was not, in the end, necessary. But, of course, the story has drawn scammers.
Dave Bittner: [00:02:25] The usual impersonators have shown up on social media claiming to be Elon Musk and offering, in the midst of updates on the mini-sub, a fortune in cryptocurrency to those who play ball. It's the usual, tired advanced fee scam. If you incautiously navigate over to the scammer's webpage, you'll learn that all you have to do is send between 0.1 and 5 bitcoin in order to receive from 1 to 50 bitcoin back. If you find yourself tempted, lie down until the temptation goes away.
Dave Bittner: [00:02:58] A wallet operated by Bancor, a cryptocurrency exchange that raised $150 million in a 2017 ICO, has been compromised. Thieves are said to have made off with $10 million in Bancor's own BNT, $12.5 million in ether and a million dollars in Pundi X's NPXS. Bancor has frozen BNT but says it can't do much about the ether or NPXS.
Dave Bittner: [00:03:27] A spear-phishing campaign against Palestinian law enforcement officials is reported to be underway. Its use of my Micropsia malware and its development in Delphi lead security company Check Point to suspect that it's the work of the same group Cisco's Talos labs and Palo Alto Networks Unit 42 found engaging in a similar campaign last year. Check Point speculates that the group may be affiliated with Hamas.
Dave Bittner: [00:03:55] Researchers at security firm ESET have found an espionage group, BlackTech, using certificates stolen from Taiwanese firms - D-Link and Changing Information Technology - to sign Plead backdoor malware. BlackTech has been most active against East Asian targets. ESET assesses their work as sophisticated, a cut above the usual.
Dave Bittner: [00:04:20] Apple issued security fixes and updates for many of its products yesterday. The patches and upgrades affect macOS, WatchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows and iOS. The iOS upgrade has attracted considerable attention. Among other things, it offers USB Restricted Mode, which disables an iPhone or iPad Lightning port beginning one hour after the device was last locked. USB Restricted Mode prevents the port from transferring data until the device is properly unlocked. Beyond its obvious value in lowering the risk of losing sensitive data should an iPhone or iPad be lost or stolen, the mode is particularly attractive to people who don't want police or other authorities rummaging their devices.
Dave Bittner: [00:05:06] A workaround has already been found, however. Researchers at security firm ElcomSoft found that if the police act quickly enough, they can prevent USB Restricted Mode from kicking in. If they connect an iPhone they've seized to a compatible USB accessory within that one-hour window, the phone won't enter USB Restricted Mode. Where can you get such a compatible accessory? As observers like Graham Cluley pointed out with customary cheerfulness, Apple itself will sell it to you. A Lightning to USB camera adapter can be yours, officer, for the low, low price of $39.
Dave Bittner: [00:05:44] The FS-ISAC - that's the Financial Services Information Sharing and Analysis Center - recently teamed up with Deloitte to survey cybersecurity professionals in financial services. We'll hear first from John Carlson from the FS-ISAC, and he'll be joined by Julie Bernard from Deloitte.
John Carlson: [00:06:02] Well, the survey, actually, was developed by Deloitte. We worked in partnership with Julie Bernard and her team at Deloitte. We've had a longstanding relationship with Deloitte in terms of working with our members to benchmark and understand how the changing cyberthreat environment is evolving and what sort of strategies are top of mind for chief information security officers.
Julie Bernard: [00:06:28] This particular benchmark fills a bit of a gap. Many of the programs already assessed themselves on a NIST Cybersecurity Framework basis. We actually did not focus that many questions on the NIST CSF. We focused more on the input and the orchestration than programs, and the profile of the companies themselves so that you actually could look at peers. So if you are a multinational institution, whether you're a bank or an insurance company, you may have some commonalities. If you have assets under management over a trillion dollars, or if your revenue is over, say, $2 billion, how do you look, compared to the rest? Things that may drive security spend beyond what we hear in some industry news around security spend as a percentage of IT spend.
Dave Bittner: [00:07:32] I see. So sort of clustering like groups together so that the data is more relevant for folks within those groups. What were some of the key findings there?
Julie Bernard: [00:07:42] It's still a little bit early, I think, in our survey, perhaps. This is a bit of a linear study. However, what we did found some things that surprised us a little bit, and some other things didn't quite. One of the surprises was how you are actually orchestrated doesn't matter that much, meaning whether you have a centralized program or a decentralized program, to a certain extent, how much you spend does not necessarily equate to a maturity score on NIST.
Julie Bernard: [00:08:16] What wasn't exactly surprising was - it looked at a couple of different denominators - that smaller companies, for example, tend to spend a bit more on a per-person basis than larger companies. And that, to me, kind of makes sense because there's not as many people to amortize share cost if you're with a smaller company.
Dave Bittner: [00:08:41] John, I think the financial services side of things certainly gets a lot of attention for the amount of regulation that it has. And I think because of that, it is looked to as - when it comes to cybersecurity, as generally being organizations that are setting the standard, that have their - for lack of a better word - that have their stuff together. Does this survey reflect that? And if so, how does that allow the financial services side to be an example to folks in other industries who are looking at their own cybersecurity posture?
John Carlson: [00:09:16] Well, yeah, I think it does because the survey, in my mind, was really helpful in terms of teasing out, I think, probably something that has been evolving over some time. But the survey, I think, served a foot stomp in terms of underscoring the importance of chief information security officers to be more strategic, to not only focus on the day-to-day operational issues of defending networks, of protecting information, of implementing controls, but also helping the company think about how it's going to defend itself in the future and how to integrate the security controls into the full suite of products and services and efforts to educate their customers on how to defend themselves against these types of cyberattacks. I thought that was one of the key findings from the study in terms of thinking more strategically, in addition to all the good work and the hard work that's done on a day-to-day basis to defend networks and protect information of customers.
Dave Bittner: [00:10:18] That was John Carlson from the FS-ISAC. He was joined by Julie Bernard from Deloitte. You can find their report, "The State of Cybersecurity at Financial Institutions." That's on the Deloitte website.
Dave Bittner: [00:10:32] Today is, of course, Microsoft's Patch Tuesday. Updates are issuing from Redmond now as we record this show. Keep an eye on Microsoft's security tech center for the fixes as they roll out.
Dave Bittner: [00:10:45] The Polar Flow fitness app, popular among soldiers, spooks and others professionally devoted to staying fit in odd corners of the Earth, may be oversharing. According to researchers at the investigative shop Bellingcat and the Netherlands news outfit De Correspondent, what's at issue is Polar Flow's Explore feature, which lets users find new routes and activities near them that other users have shared. The researchers looked at sensitive locations and say they were able to identify 6,460 individuals who were busily keeping themselves fit. They were able to find heart rates, routes, dates, times, duration and pace of exercises.
Dave Bittner: [00:11:26] That's not likely to be directly useful to a hostile intelligence service, although one hesitates to rule out creative possibilities entirely, but it does enable someone to gather a good indication of whether a particular installation is active, how many people, roughly speaking, are there, the routes they tend to follow and, of course, the geolocation of the fitness buff's quarters. Patterns of activity reveal, or at least confirm, the locations of sensitive sites and, because people tend to turn the tracker off when they get home, the residences of the users. Minimally, the app would seem to have some potential as a doxing or harassment tool.
Dave Bittner: [00:12:05] One of the Bellingcat researchers explained, quote, "tracing all of this information is very simple through the site. Find a military base. Select an exercise published there to identify the attached profile and see where else this person has exercised. As people tend to turn their fitness trackers on or off when leaving or entering their homes, they unwittingly mark their houses on the map," quote. Polar, the manufacturer of the app, points out that it was not breached, but it also wants to offer better privacy, and so it's temporarily suspended the Explore API until it comes up with some better approaches. The episode is reminiscent of one from last year when fitness app Strava's similar heatmap exhibited oversharing.
Dave Bittner: [00:12:52] So if you must exercise, consider OPSEC. And doesn't all about self-inspection smell faintly, at least, of narcissism? Here's an OPSEC tip from an unexpected source. Robert Maynard Hutchins, the long-serving, mid-20th century president of the University of Chicago, is famous for having said, as he was de-emphasizing athletics and taking his university out of the Big Ten Conference, quote, "when I feel like exercising, I just lie down until the feeling goes away," end quote. So how about it, you Rangers, you SEALs, you SAS types, you Spetsnaz? Take a tip from the Great Bookie himself and lie down. Maybe read some of the classics, like Epictetus. No, seriously, do keep running, and enjoy the parkours.
Dave Bittner: [00:13:46] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels built on the ThreatConnect platform. The products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper, entitled "More is Not More: Busting the Myth that More Threat Intel Feeds Lead to Better Security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account, visit threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:15:05] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. I saw an interesting article come back on Microsoft's research blog, and they were sort of celebrating that the second Homomorphic Encryption Standardization Workshop had delivered the goods. What are these standards we're talking about here? And why is homomorphic encryption something that we should be happy about?
Jonathan Katz: [00:15:33] Fully homomorphic encryption was one of these things that, for a long time, was kind of a pipe dream of cryptographers. And only relatively recently - less than 10 years ago - were the first proposals for fully homomorphic encryption came out. And what's been amazing since then is how quickly the idea of fully homomorphic encryption has gone from being something that was completely unfeasible, namely because it was very inefficient, to something that is still very slow, very inefficient, but it has now been implemented. It has now been used for several toy projects and, like you mentioned, have now even been standardized by a group of researchers at Microsoft and other institutions.
Jonathan Katz: [00:16:11] So for those who don't know, fully homomorphic encryption is a technology that allows computation to be done on encrypted data. Essentially, that means that somebody can encrypt some data, send it to somebody else. And that second party can then process the data without even seeing it, without learning anything about it, and then send it back to the first party, who can decrypt and get the result. So it's really a fabulous idea. It would have a lot of applications. And the standardization workshop that you mentioned was trying to develop a set of standard schemes and security parameters for these fully homomorphic encryption schemes.
Dave Bittner: [00:16:47] Now is this a matter of the algorithms or the underlying technology improving over time? I mean, I remember when I was a kid and the first Rubik's Cubes came out, there were solutions published. But in the decades since then, those solutions have gotten more efficient. And, you know, you see people solving Rubik's Cubes practically instantaneously these days. Is it a similar sort of march of progress where, over time, people come up with clever ways to have this be more practical?
Jonathan Katz: [00:17:15] Oh, yeah, absolutely. I mean, the initial ideas, like I said, were relatively - were extremely slow. But then, people built on them. People came up with all kinds of different improvements, different underlying assumptions they could use to build schemes, different ways of optimizing them, better ways of implementing them, and have really been able to improve the performance by several orders of magnitude.
Jonathan Katz: [00:17:36] Now it doesn't mean that we're going to be seeing widespread application of a fully homomorphic encryption anytime soon. Like I said, it's still relatively slow. It's still unclear what kind of the killer application for this will be where that kind of a slowdown is going to be acceptable. And also, this standardization workshop - it's not clear that it has any force, per se. It was done, like I said, by Microsoft and several academic researchers. It wasn't done by a traditional standardization body or organization like NIST or one of the IEEE organizations. And so they really just put it out there kind of as a benchmark for people to follow. But we'll see whether anybody ends up adopting it.
Dave Bittner: [00:18:15] So take me through what are the advantages of having these sort of standardization drafts out there?
Jonathan Katz: [00:18:21] Well, the one thing that's very helpful is that it gives people, like I said, a benchmark. It gives them something to base further improvements on. It tells people what the current best schemes are, so it gives people a target if they want to look for further improvements. And it also spent a fair bit of time coming up with security estimates for the existing schemes. So this basically means looking at what the best-known attacks are on the existing schemes. And again, that just provides some kind of a common benchmark for people if they're looking to develop improvements on those attacks.
Dave Bittner: [00:18:52] All right. Well, it's interesting stuff, as always. Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:18:56] Great. Thank you.
Dave Bittner: [00:19:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:19:21] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.