Notes on patching. Foreshadow speculative execution vulnerability. Influence operations. The FBI's new cyber chief. Are stickers a temptation to thieves, hackers, and customs officers?

Dave Bittner: [00:00:00] Hey, everybody. A quick thank you to all of our Patreon supporters. You could find out how to support our show by visiting patreon.com/thecyberwire. We do appreciate it. We've got some Patch Tuesday notes. Both Microsoft and Adobe were busy yesterday. Foreshadow, a new speculative execution vulnerability, has been reported. Malaysia gets attention from Chinese espionage services. There's competition for jihadis mindshare. Influence operations are used as marketing. The U.S. FBI gets a new cyber boss. The Kremlin thinks the BBC is biased in the crypto-wars. And laptop stickers - are they good, bad or ugly?

Dave Bittner: [00:00:49] Time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. So sign up for the Cyber Daily email where every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 15, 2018. Yesterday, of course, was Patch Tuesday for the month of August. And both Microsoft and Adobe issued fixes for their products. Microsoft addressed 60 flaws, two zero days among them, in August's Patch Tuesday. The zero days were CVE-2018-8414 and CVE-2018-8373. CVE-2018-8414 involves the use of .SettingContent-ms files. These are Windows 10 control panel shortcuts, and they're used to distribute malware. Signs of this sort of exploitation began to appear early last month. And Redmond has now upgraded Windows 10 so that Windows shell now validates file paths when .SettingContent-ms files are executed. CVE-2018-8373 is a remote code execution vulnerability that arises from the scripting engine's problematic handling of objects in memory in Internet Explorer.

Dave Bittner: [00:03:14] Among the other vulnerabilities attracting considerable attention is CVE-2018-8340, discovered by researchers at security firm Okta. This one is a security bypass exploit that's made possible when Active Directory Federation Services - that's ADFS - mishandles multifactor authentication requests. Okta's account of the issue suggests that this vulnerability would be most easily used by a malicious insider interested in achieving elevated privileges or in spoofing another legitimate user's account. Adobe also patched, fixing 11 problems in its products. The breakdown is as follows. Five issues were fixed in Adobe Flash Player, three in Adobe Experience Manager, two in Adobe Acrobat and Adobe Reader and one in the Adobe Creative Cloud desktop application. The potential impact of unpatched systems exploitation includes information compromise, privilege escalation, arbitrary code execution and unauthorized data manipulation or alteration.

Dave Bittner: [00:04:19] There's also been a new speculative execution issue identified in Intel's central processing units, a small set of flaws. Three of them are collectively called Foreshadow and join the well-known family to which Spectre and Meltdown belong. Foreshadow is in the process of being mitigated. Microsoft addressed some Foreshadow issues in its monthly round of patches, for example. In any case, there's no known instance of Foreshadow exploitation in the wild, and it would seem unlikely that hackers could easily make use of it to attack systems. There's a company called Upstream that provides mobile device security platforms - especially in fast-growing, emerging markets. As their software was being deployed, they noticed some interesting data traffic that caught their attention. Dimitris Maniatis is head of SecureD, which is one of their mobile security platforms. And he shares what they found.

Dimitris Maniatis: [00:05:14] What was really peculiar is that we started seeing concentration of fraudulent attempts - not on specific apps but from specific devices - which became even more peculiar when we started seeing a similar pattern in a second market that is totally unrelated to the first. So the first market where we saw that was Brazil. Quite literally around the same time, we saw a similar concentration of fraudulent attempts in devices and in an operator in Myanmar. These two markets are typically very unrelated. They don't share any commonalities whatsoever. We went ahead, and we purchased a few of those devices to try and, you know, get to the bottom of what was happening. We put the first device that we bought in Brazil - we put it in a sandbox.

Dimitris Maniatis: [00:06:13] As soon as we powered on the device, quite literally just after unboxing it, we started seeing communications to a third-party server sending information that we identified as being personally identifiable information - like the IMA or GPS location of the device - to a third-party server in Singapore and operated by GMobi. GMobi is a Taiwanese-Chinese provider of services in the wireless industry in general. But more specifically, they operate in ad network, and they operate as firmware over-the-air updater. It made us really concerned to see that, without having accepted any user agreement, without having opted in to use a service by GMobi, we were observing data from the device being transmitted to that server and then seeing communications coming back.

Dave Bittner: [00:07:21] Now let me ask you. Does it seem as though they are specifically targeting inexpensive phones?

Dimitris Maniatis: [00:07:28] For sure, there is a correlation between the two. In general, we're really used to the term ad fraud - advertising fraud - especially over at digital marketing. And we kind of picture advertisers paying more than they would have had to. Essentially, part of their investment - part of the impressions or the clicks that they buy are served or are being clicked by non-humans - either a click farm somewhere obscure or some weird place. Or a bot network might be just generating impressions and clicks to kind of consume the investments that advertisers are making.

Dimitris Maniatis: [00:08:11] What we see here is that, in this scenario, the end user is actually being defrauded. So it's ad fraud taken one step further - to charge users only after a single click. If that click is generated by a bot, that means that the user, without having ever giving their consent, is being charged for a service - or some digital service that they never wanted to buy or never intended to buy. Now, this is essentially an extension of ad fraud that is impacting the consumer and actually defrauding the end consumer from their prepaid airtime or credits. It is - from what you would see as ad fraud, now moving into payment fraud or even financial fraud because it is depleting the prepaid credits of consumers.

Dave Bittner: [00:09:07] That's Dimitris Maniatis. He's from Upstream. You can read more about their research into Android smartphones being sold with pre-installed malicious software. That's on their website.

Dave Bittner: [00:09:19] Regional influence and economic advantage appear to drive renewed Chinese espionage against Malaysian companies and governmental organizations. A United Nations report suggests increasing Iranian prominence in al-Qaida networks. This appears to be an emerging trend as Sunni and Shiite strains of jihadist influencers struggle for inspirational mind share online. You will recall Facebook's removal of some 32 pages that were engaged in what the social medium called inauthentic behavior. They were essentially accounts created with bogus or at least dubious persona that were heavily involved in pushing various inflammatory political memes. Facebook didn't say it was a Russian trolling operation, but it strongly hinted in that direction. The AP talked about this with various academic experts in communications and marketing and concluded that the Facebook pages the social medium recently expunged were following typical advertising playbooks - with affinity marketing supplemented by a heavy dose of moralistic aversion.

Dave Bittner: [00:10:26] The goal is discord, the method rumor, and the amplification is all on the regular people clicking, sharing and liking. So nothing new here, but the skills shown by the presumably Russian persuaders is striking. They've also shown a solid understanding of their market, accurately addressing American social fissures. The endgame is mistrust. It's not so much that they want you to vote one way as opposed to another. They'd apparently rather you just stayed home, going out only to riot because elections are, as the troll farmers would suggest, nothing more than a Potemkin village, a puppet show for the goobers.

Dave Bittner: [00:11:06] In a generally well-reviewed move, the FBI appoints Amy Hess executive assistant director of the Criminal, Cyber, Response and Services Branch. Hess, a veteran of the FBI's science and technology side, is among other things regarded as a Crypto Wars dove at least by bureau standards. Elsewhere in the Crypto Wars, the pro-encryption side has a new champion or at least someone willing to fly their flag of convenience. Sputnik, one of Russia's Putinous (ph) news services, slugging on behalf of the little guy, accuses the BBC of committing fake news by cherry-picking encryption experts who will toe her majesty's government's pro-snooping line.

Dave Bittner: [00:11:50] And finally, do you have stickers on your laptop, maybe one of the attractive CyberWire ones we give away to patrons and friends of the show? Motherboard has an article in which they argue that putting a sticker on your device could lead authorities at border crossing sites or airport security checks, for example, to single you out for more attention than you'd like. What's that? Your laptop sticker says TSA stands for touching stuff always? Why, step over here to the slow line, and please remove your shoes. Or maybe it's got a Macedonian flag on it, and the customs officer at Thessaloniki takes exception and wishes you to answer some questions at greater length. Or the guy in the cargo shorts sees a sticker that says, I brake for deep packet inspection and decides he'll make a run at you over the on-board Wi-Fi. You can tell he's a bad guy because his laptop says, my other computer is your computer.

Dave Bittner: [00:12:47] On the other hand, Motherboard does cite some evidence that common criminals tend to leave heavily stickered laptops alone when they break into cars. Whether that's because they think they're likely to be encrypted or because they think the stickers drive down the retail value is unclear. So what do you think? Is this a problem unique to laptops, or is it like the ordinary risk you run of having your car keyed by someone who disapproves of the candidate whose name is on your bumper sticker? Let us know. To stick or not to stick? That is the question.

Dave Bittner: [00:13:25] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across The Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:25] And I'm pleased to be joined once again by Zulfikar Ramzan. He is the chief technology officer at RSA. They are a Dell Technologies business. Zulfikar, welcome back. We wanted to touch today about SOCs, security operation centers, and particularly some of the challenges they face when it comes to IoT. What can you share with us today?

Zulfikar Ramzan: [00:14:45] Yeah. You know, so I'm reminded here of a movie that came out a number of years ago called "Airplane II". And if you remember, William Shatner - obviously, everybody knows on this podcast from his role in "Star Trek" - played the role of Commander Buck Murdock in that movie. And there's a scene in the movie where he's looking at the - all the switches and controls and knobs and lights that are going off and on inside of his operations center. And in trademark William Shatner histrionics, he has this virtual nervous breakdown about all the events that are hitting him at once.

(SOUNDBITE OF FILM, "AIRPLANE II: THE SEQUEL")

William Shatner: [00:15:13] (As Commander Buck Murdock) We've all got our switches, lights and knobs to deal with, Striker. I mean, down here there are literally hundreds and thousands of blinking, beeping and flashing lights - blinking and beeping and flashing. They're flashing, and they're beeping. I can't stand it anymore. They're blinking and beeping and...

Robert Hays: [00:15:29] (As Ted Striker) Sir.

William Shatner: [00:15:29] (As Commander Buck Murdock) ...Flashing. Why doesn't someone just pull the plug?

Robert Hays: [00:15:33] (As Ted Striker) Hold yourself together, sir.

William Shatner: [00:15:33] (As Commander Buck Murdock) I'm all right. I'm all right.

Zulfikar Ramzan: [00:15:34] And that, to me, personifies what happens in the security operations center already - where people are dealing with events constantly, where they're deluged with a barrage of noise, if you will. And when you think about things like IoT coming into the fold, all these new devices, they can all generate their own sets of alerts. I think organizations can quickly find themselves in a world where they can no longer begin to reason about what's happening in their environment. And we have to take a really quick set of actions and meaningful, intelligent actions to be able to address that problem before it becomes too much of an issue.

Dave Bittner: [00:16:05] So what do you suppose the solution is? Are we talking about automation? How do you filter that firehose of information coming in at you?

Zulfikar Ramzan: [00:16:13] Yes. I think there's a multipart plan that people have to engage in. The first part of that plan is, first of all, just pre-process your data. The reality is if you just collect data and try to use it later without thinking about pre-processing it and identifying the most salient elements, there's a good chance you're no longer going to be able to make any kind of meaningful insight out of that data. The reality is you don't want to just stockpile a bunch of food only to have it go rotten while you're hungry trying to find something. The same thing applies to your data.

Zulfikar Ramzan: [00:16:38] The second thing is to apply analytics to your data, so you can group all these different alerts around attack campaigns. The reality is when attacks happen in organizations, a bunch of alerts are generated. Those alerts are related to a common campaign. If we don't tie those alerts together, there's a good chance that your security analysts will be off in different directions investigating different parts of an incident without realizing there's a common big picture that they need to be considering.

Zulfikar Ramzan: [00:17:04] And then the third thing is to really focus not just on looking at what's happening in one part of your environment - be able to pivot across what's happening in different elements. So for example, be able to look at how - what's happening on the network core and be able to then translate that to what's happening at the edge in terms of endpoint devices or IoT or what have you. And even beyond that, can you look at what's happening with your cloud services? Proper security incident response requires being able to trace an incident end to end, which in terms means that you have to be able to look at all the different elements that are involved in one common orientation.

Zulfikar Ramzan: [00:17:37] And the fourth piece of advice I have is to really take a risk orientation. Don't just look at the underlying probability that something is going wrong. Figure out what the impact is in the organization. So for example, if you do see two alerts, and one alert happens to be on a critical production server, and the other alert happens to be on a system whose only piece of important information is the lunch menu for the cafeteria, clearly you should focus on the production server. And as silly as that example sounds, most organizations don't distinguish between incidents. They treat every incident like it's the same. If you can pull in business context into your security operations center to make that intelligent determination about what's really critical, you can go a long way.

Zulfikar Ramzan: [00:18:16] And then finally, I do recommend automation that you mentioned earlier. I think, to me, the linchpin for automation being successful is getting the first few pieces of that equation right. If you can get the first elements correct, then you can start to employ automation technologies that take care of many of the simpler cases, the more obvious cases and whatnot. But to me, the key to making automation successful is to have that inventory upfront - have the right incidence response plan initially so that your automation capabilities are designed in a way that are going to produce results in a very meaningful fashion.

Dave Bittner: [00:18:45] Zulfikar Ramzan, thanks for joining us.

Zulfikar Ramzan: [00:18:47] My pleasure, as always.

Dave Bittner: [00:18:53] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:19:01] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:28] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.