Spyware for states and spouses. Election hacking demos. New ransomware strains, and a clipper for Android. Airline Wi-Fi is not only irritating, but insecure as well.
Dave Bittner: [00:00:03] Spyware in the guise of a missile attack warning app. There's a new Dharma variant out. Android Clipper redirects transactions to crooks' cryptowallets. D-Link exploits rob Brazilian banking customers. Utilities prepare for grid hacks, but researchers say an appliance botnet could cycle demand enough to induce blackouts. Vulnerabilities in airline Wi-Fi and SATCOM connectivity. Election-hacking demos may or may not be realistic. And family spyware proves vulnerable to data exfiltration.
Dave Bittner: [00:00:42] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:48] From the CyberWire studios at DataTribe, there's no place like home. I'm Dave Bittner with your CyberWire summary for Monday, August 13, 2018. The Jerusalem Post reports that security company ClearSky says Hamas has been trying to install a bogus version of a missile warning app on Israeli smartphones. The app is a multifunctional one, designed to record conversations, take pictures, send texts and geolocate the infected phone. ClearSky doesn't think this is a one-off attempt but rather represents a coming trend, and it urges smartphone users likely to be targeted to remain alert.
Dave Bittner: [00:02:31] A new variant of Dharma ransomware is now circulating in the wild. It appends a .cmb extension to the files it encrypts. Like other strains of Dharma, this is installed manually by exploiting Remote Desktop Protocol. There's no decryptor available yet. And, as always, the first defense against a ransomware attack is secure, reliable, regular backup.
Dave Bittner: [00:02:56] Security firm Dr.Web reports that a version of Clipper for Android is in circulation. As its name suggests, the malware replaces cryptowallet addresses in the victim's clipboard with addresses that redirect to the criminals' wallets. Dr.Web says that Android Clipper is being actively hawked in the usual dark web markets and that the criminals who purchase it package and distribute it under the guise of a legitimate app. The good news is that the Clipper Trojan is readily detectable, but one needs the right tools to do so.
Dave Bittner: [00:03:31] Radware reports that vulnerable D-Link routers are being exploited by criminals to send people to bogus Brazilian banks where they're defrauded of their cash. This particular scam is being operated largely against victims in Brazil itself. The caper depends upon the criminals' ability to induce remote unauthenticated changes to some D-Link modems and routers so that their DNS settings point to a DNS server under criminal control. It's an insidious form of attack because it doesn't rely on, for example, phishing emails that an alert user might spot. The exploit is in the modem or router, and the end user might be quite unaware that it's taken place at all. The users are redirected to spoof banking sites that are said, in general, to be quite convincing.
Dave Bittner: [00:04:20] Utilities remain on alert for expected cyberattacks. In the U.S., the Tennessee Valley Authority, a large power provider, is taking steps to secure itself against hacking. Such attacks may not be as direct as expected. Princeton University researchers report results that suggest a botnet of home water heaters and air conditioners could cycle power demand rapidly enough to disrupt a significant portion of the grid.
Dave Bittner: [00:04:49] An IOActive researcher has demonstrated the ability to hack not just in-flight airline Wi-Fi but the satellite communications network they and other aircraft systems depend on. When initially performed in November of last year, the demonstration did not succeed in compromising any aircraft avionics or safety systems, which were prudently and properly isolated from onboard Wi-Fi. But the proof of concept did show that an attacker could access personal devices connected to the Wi-Fi network. It also showed that a botnet was capable of brute-forcing a SATCOM router. And this is the issue with more immediately disturbing potential.
Dave Bittner: [00:05:30] Last week's Black Hat and DEFCON conferences saw a number of reports on proof of concept hacks. These are demonstrations and not attacks found in the wild. So how likely they are to appear in the wild, you may judge for yourself. One of the proofs of concept, presented by Nuix, looked at five vendors of widely used police body cameras. They all had vulnerabilities, but all except one had a particularly disturbing potential for remote access and manipulation of the images the cameras capture. Thus, it would be possible for criminals to either alter or delete body camera footage to suit their purposes. All five devices tested were found susceptible to many of the usual sorts of vulnerabilities found in mobile devices, especially vulnerability to geolocation.
Dave Bittner: [00:06:19] Also at DEFCON was a hacker village that challenged young students to hack a voting machine. It was a demonstration voting machine, not an actual article, but the DEFCON types who constructed it behind the Wall of Sheep say that it was a representative copy. It was especially representative in terms of the vulnerabilities it had. The National Association of Secretaries of State, the NASS, applauded the Wall of Sheep village for its interest in election security but said that they really should be aware of all the security enhancements its members have performed.
Dave Bittner: [00:06:54] Secretaries of state, for our non-U.S. listeners and for those U.S. listeners who snoozed through high school civics class - you know who you are - well, they're state officials whose responsibilities include administering voting. They're not to be confused with the U.S. secretary of state, whose responsibility is foreign policy. The NASS also deplored the creation of mock websites, trials on specially-created demonstration equipment and failures to appreciate the difference between preliminary results, which are more hackable, and actual counts, which are less hackable. But the group does invite the white hat community to contribute their expertise - if not their sixth graders - to the work of keeping elections secure.
Dave Bittner: [00:07:41] And finally, one would think that the practice of taking risque selfies might have gone into eclipse after the exposure and arrest of former U.S. Representative Anthony Weiner. He is - you'll recall - the Democrat of New York who so disported himself behind the inadequately anonymized nom demure Carlos Danger. Alas, think again. DEFCON saw a presentation by researchers from Germany's Fraunhofer Institute for Secure Information Technology, who delivered a presentation called "All Your Family Secrets Belong to Us: Worrisome Security Issues in Tracker Apps."
Dave Bittner: [00:08:20] They looked in particular at one app, Couple Vow, designed to enable partners to keep tabs on one another without the expense and embarrassment of hiring a private eye. They found that making a simple GET request of the app server was enough to serve up user information. The information the researchers accessed included not only intimate pictures, best shared between couples who trust one another enough to not use Couple Vow, but 1.7 million passwords too. The app is available on Google Play, and the researchers are awaiting a reply to their inquiries from Google. Maybe they could hire a private eye.
Dave Bittner: [00:09:05] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single, open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's White Paper, on a comprehensive approach to security across the digital workspace, will take you through the details and much more. You'll find it at the cyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. That's cyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:10:05] Joining me once again is Ben Yelin. He's the senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting story came by about driver's license photos being used by police for identification with facial recognition software. This was right in our backyard in Hagerstown, Md. What's going on here?
Ben Yelin: [00:10:27] Yes, this is a fascinating incident. So what happened in Hagerstown - a woman was a victim of a robbery. She didn't have any information on the individual who robbed her except his first name and the fact that they had communicated on Instagram. So she had the Instagram profile. She provided that picture to law enforcement. Law enforcement cross-checked that photograph with the state's driver's license database. And using their facial recognition software were able to identify the perpetrator. He has been arrested and charged.
Ben Yelin: [00:10:59] And this is a legal law enforcement procedure. It's legal in 31 states within the United States. The Georgetown Center for Privacy and Technology estimates that in 2016, there were facial images of 117 million U.S. adults within our law enforcement database. Just to give you some context, I would guess that's about half of all American adults. That's probably pretty problematic for some people to hear. From a legal perspective, I think this is on very solid constitutional ground. You and I have talked a million times about the third-party doctrine...
Dave Bittner: [00:11:35] Right.
Ben Yelin: [00:11:36] ...The legal principle that says that if you voluntarily submit information to a third party, you have forfeited your reasonable expectation of privacy for that information. And even though the Supreme Court decision we talked about last week in Carpenter cut against the third-party doctrine in some ways, the core of the doctrine is still good law. It's still in existence. And this is sort of the textbook case.
Ben Yelin: [00:12:00] I think one of the law enforcement officials who's worked with facial recognition software says look. When you go into the DMV or, as we call it here in Maryland, the MVA and take that driver's license picture, you know darn well that that's going to go into a state database. They're going to have that photograph. You lose your expectation of privacy in that image.
Ben Yelin: [00:12:23] And whatever happens with that image - whether it's cross-checked against an Instagram post or, you know, used in some other way to identify you as the perpetrator of a crime - once you take that photograph, it's out in the public sphere. Whether that's fair or not, you know, I think this is an interesting question. We all have to drive to get to our work.
Dave Bittner: [00:12:47] Right.
Ben Yelin: [00:12:48] To go about our personal affairs and to drive, we need a driver's license. And to get a driver's license, we need to have our picture taken. But the logic is that if you really wanted to stay off the grid, and you really wanted your face not to be in this facial recognition system, then you do have the option of not getting a driver's license.
Dave Bittner: [00:13:09] You could take the bus.
Ben Yelin: [00:13:09] So that's the logic there. Exactly, take the bus. Live off the grid. Move into the woods. But once you're on the grid - you know, once you're part of this system, this is sort of, you know, the consequence of making that visit to the DMV. So I think it's on solid legal footing even if it seems like a pretty big invasion of privacy.
Dave Bittner: [00:13:29] So I guess what's particularly interesting here is that cross-referencing with a social media source to the state database.
Ben Yelin: [00:13:38] Yeah. Be careful who you communicate with on Instagram if you decide to commit robberies. I mean, the facial software recognition is stronger than it's ever been. It's more effective than it's ever been. It, you know, can identify, you know, square millimeters on your face. And it's become more of an exact science.
Dave Bittner: [00:13:58] Right.
Ben Yelin: [00:13:59] So a person really is making a series of choices that leads them to be eligible for prosecution based on facial recognition. The first choice is to go to the MVA, to go to the DMV and get one's picture taken for a driver's license. And the second choice is to have your picture available on social media websites. You are sharing your information there. That information is bound to become public.
Dave Bittner: [00:14:24] It's really a note of caution. If you don't want your images to be widely available, then, you know, look at that social media platform's privacy policies and restricts that image as best you can. But if it's out there, it's certainly fair game for law enforcement - especially when the victim of the crime was able to identify the perpetrator.
Dave Bittner: [00:14:49] All right, Ben Yelin, thanks for joining us.
Ben Yelin: [00:14:51] Thank you.
Dave Bittner: [00:14:57] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:15:05] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:15:32] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Huh. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:15:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.