The CyberWire Daily Podcast 10.2.18
Ep 696 | 10.2.18

RDP exploitation. More on the Facebook breach. Google and content moderation. Reaper Group stayed busy even after US-DPRK summit. Spyware in Canada. Hacking an airport.

Transcript

Dave Bittner: [00:00:03] FBI and DHS warn that RDP exploitation is up. Facebook's breach exhibits the tension between swift disclosure and sound incident response. A look at slow roll disclosure. Google draws criticism for some content it hosts. North Korea's Reaper group never missed a beat. Citizen Lab says Saudi Arabia is spying on at least one prominent dissident who's a permanent resident in Canada. Nepal's airport is hacked, apparently for the lulz.

Dave Bittner: [00:00:39] Time to tell you about our sponsor, Recorded Future. If you haven't already done so take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:48] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 2, 2018. In the U.S., the FBI and the Department of Homeland Security warn that exploitation of Remote Desktop Protocol - that's RDP - is on the rise. Criminals are using it as an infection vector for various ransomware strains, including CRYSIS, CryptON and SamSam.

Dave Bittner: [00:02:14] The feds offer suggestions about how to protect yourself, and it's all good advice that comes down to following best practices and using good digital hygiene. If you don't need remote connections, don't use RDP. Apply available patches. Don't leave open RDP ports without good reason. Use strong passwords and multifactor authentication, and back up your systems regularly.

Dave Bittner: [00:02:39] Former Facebook executive Alex Stamos, now of Stanford University, tweeted that Facebook's breach indicates the effects of GDPR's coupling of heavy fines with a requirement for swift disclosure. His tweet says announce and cop to max possible affected users - which he thinks produces confusion - a month later, truth is included in official filing. Thus, public announcements are offered on the basis of incomplete investigation. Observers, The Washington Post says, see a difficult tradeoff.

Dave Bittner: [00:03:11] On the one hand, early disclosure can help victims. On the other, it can impede investigation and effective response. As The Post put it, quote, "by getting the word out early, companies alert users that their information may have fallen into bad hands. But they risk creating confusion by disclosing the breaches before key details are available," quote. So early disclosure not only enables the company to pay less in fines to the EU than it would owe if it blew the 72-hour disclosure deadline, but it also gives affected users a chance to take some obvious steps to protect themselves, like changing passwords, logging out and back in again, and so forth. How many victims actually do so is, of course, another matter, but many are concerned that haste to disclose can cause remediation to be botched, or at least what the engineers call suboptimal.

Dave Bittner: [00:04:05] On the other hand - we apologize for reusing our hands today - too many companies have whistled past the graveyard hoping breaches would just go away if they were ignored. We can't be sure these are cases of superstitious whistling or willful blindness, but some of the disclosures over the past few years have really been slow rolled. The Post mentions some in their coverage.

Dave Bittner: [00:04:28] There's Equifax. The credit bureau waited six weeks to disclose that information on 143 million Americans and not a few non-Americans had been breached. There was Uber. The gig economy pioneer took a year to come clean about a hack that affected tens of millions of its contractor drivers. And then there's Yahoo. The company kept its own investors in the dark for two years before letting them know that, yeah, well, Russian hackers got information on 500 million users.

Dave Bittner: [00:05:00] All those companies have faced various penalties and court judgments over their breaches. Facebook is at least being compliant and appears to be working hard to clean up its problems. But here's an example of possible further problems. Facebook Messenger has almost 1.3 billion active users, making it the world's second-biggest instant messaging service. Security firm Bitdefender thinks it's possible that messages, chats and so forth on Messenger could have been accessed with the stolen tokens. No one, they point out, is quite sure yet what was actually taken, and Bitdefender believes we may see worse news to come. The incident continues to drive calls for privacy legislation in the U.S.

Dave Bittner: [00:05:44] Security firm Ping Identity recently released a pair of white papers outlining information gathered from their most recent CISO advisory council meeting, a gathering of security leaders from industries like health care, banking, travel and leisure, education and others. Robb Reck is chief information security officer at Ping Identity, and he joins us to share what they've learned.

Robb Reck: [00:06:06] The first white paper is written for C-Suite leaders outside of security and IAM. It's a tool for those identity or security leaders to use as they want to communicate to their CEO, their CFO, their CIO, what is the importance of identity and, really, where does it fit? The second one is written for identity and security professionals themselves. It's really helping them answer the question what should they be learning about and preparing for, for what's going to be coming up in the next few years around identity.

Dave Bittner: [00:06:37] And so what are some of the key take-homes from each of the papers? What are the things that you hope people come away with?

Robb Reck: [00:06:42] The No. 1 thing I'd say for those listening - if you're looking to kind of help get your executive team on board for identity, this is a great place to start and a great one to download. I'll say a few of the highlights from it. No. 1 is, regardless of where identity reports in the organization, whether it's into IT or into security - in order to minimize breaches, in order to maximize security, you really need to get those teams talking together.

Robb Reck: [00:07:06] There's a lot of synergies that you can get between identity and security. But if they're into different silos - if they're not working closely together, you lose a lot of it and you have a lot of rework that's not necessary. A second key point from that white paper is that identity is essential to digital transformation. And if you look at the top list of items that all of your C-level - C-suites are looking to accomplish, digital transformation is going to be up on that - top of that list.

Robb Reck: [00:07:31] Digital transformation is all about knowing your customer experience better, knowing what your customers are doing. And identity is a key part of that. As you start to look at identity as a building block for digital transformation, you start to get the importance that it deserves there. And the third thing I'd pull out of that first white paper is as you're thinking about identity, you shouldn't just be thinking about workforce.

Robb Reck: [00:07:53] You need to think about it across three different areas. You have your employees. You have your customers. And you also have your partners. And in order to have a comprehensive program, you really need to think about plans for each of those three groups. And the plans are quite different between them. As the nature - how you work with your workforce and how you work with partners is going to be very different than how you work with your customers.

Dave Bittner: [00:08:13] And are there any areas that you all feel as though are being overlooked, that aren't being given the attention they deserve?

Robb Reck: [00:08:20] Certainly the understanding of the differentiation between where does identity start and where does marketing start, those are really tough questions to answer. And I think you have to get both of those groups together. You can start to make a lot of mistakes if you just go to the marketing team and ask them, how are we going to manage these details? By bringing in the security and identity folks early, understanding what are the compliance requirements, you can answer some of those questions in a scalable way that's not going to get you in trouble with things like GDPR.

Robb Reck: [00:08:50] And as you look at our second white paper, there's, I think, a really relevant point there. So the second one where we're talking about what's coming in the future, one of those key things is password authentication or zero log in. And how do we get to a place where users on a day-to-day basis are not having to enter a password? Using different kinds of signals, doing different telemetry, you can start to manage risk.

Robb Reck: [00:09:12] But the second one, which is where I was getting to here, is we look at things like behavior, analytics and machine learning or, as we at Ping call it, just intelligence. As you build intelligence into identity - that is what we've seen from all of these companies that are harvesting and selling information on consumers. The flip side of that coin is consent and privacy, right? These are two areas that you really have to think about both as you're coming up with your plan.

Robb Reck: [00:09:37] As we use customer data to make smarter choices, as we use customer data to give a better experience, we also have to provide customers with the ability to opt in and to opt out and to truly own their own data about themselves. It's going to be a balance for years to come here. And those organizations that are able to quickly recognize that it is a market differentiator to be the ones who can not only give a good experience but also let customers know what's being held about them - those are the ones who are going to win in this new world that's coming up.

Dave Bittner: [00:10:06] That's Robb Reck from Ping Identity. The white papers are titled “7 Trends That Will Shape the Future of Identity” and “8 Things Your C-Suite Should Know About Identity.” You can find both of them on the Ping Identity website.

Dave Bittner: [00:10:20] Google is having trouble keeping unwanted material off its platforms. YouTubers have posted instructions for hacking Facebook. The Telegraph reports that the videos address such topics as how to get into people's Facebook profiles by stealing access tokens and other elements of what observers have called the daisy chain of vulnerabilities that were exploited in the recent breach. YouTube has removed some but apparently not yet all of the instructional videos. They've drawn thousands of views.

Dave Bittner: [00:10:50] How serious a matter this might be is unknown, especially since Facebook says it's closed the vulnerabilities. But the videos can't be regarded as a good thing. One of the YouTube screenshots the Telegraph reproduces includes an unidiomatic disclaimer across the bottom. For only educational purposes, says the note underneath the picture of the hacker shown with hands clasped perhaps in prayer while wearing fingerless gloves, a Guy Fawkes mask and the obligatory hoodie.

Dave Bittner: [00:11:21] Right, educational purposes only - education in the LOLs. And what's with the hoodie anyway? Are anarcho-syndicalist hacktivists and cybercriminals really that uniform-conscious? You're apparently likelier to see U.S. Marines wandering around outdoors without their cover than you are to see Jack and Jill Hacker (ph) without their hoodies. Well, all we know is what we read in the papers and see on TV and in the movies, so it must be true.

Dave Bittner: [00:11:51] Google is also taking some criticism for the sorts of advertising it accepts. Fraudsters are apparently still able to buy ads despite Mountain View's public determination to stop them from doing so. The Times of London complains that they were able to buy ads at the rate of a dollar per click with the obviously fraudulent come-ons of buy fake ID, buy fake passport and buy fake reviews. The two incidents really don't seem to indicate any malice toward Facebook, nor any particular commitment to collaboration with criminal enterprises as a business model. Instead, they offer another instance of the difficulty of content moderation, especially when the business of posting and hosting content can move in near real time.

Dave Bittner: [00:12:35] Hopes that the North Korean government might dial back their hacking thanks to the lure of becoming something approaching a more normal country seemed to have faltered. Palo Alto Networks notes that Pyongyang's Reaper group deployed malware NOKKI and DOGCALL in June against a range of companies. The campaign involved exfiltration of screenshots, keylogging and staging of further infestations. The motive was apparently the DPRK's usual one, financial gain.

Dave Bittner: [00:13:07] The University of Toronto's Citizen Lab reports finding Pegasus spyware from NSO Group in a Saudi dissident's phone. The affected person, Omar Abdulaziz, is a permanent resident of Canada. He's been critical of the kingdom and has received asylum in Canada. Citizen Lab attributes the infection to the Saudi government, and they say they've been unable to find any Canadian permission given for surveillance of Abdulaziz or anyone else.

Dave Bittner: [00:13:36] And finally, Tribhuvan International Airport in Nepal saw its official website taken offline between September 28 and 30. It appears to have been a case of hacktivism if counting coup for the lulz can be considered hacktivism. The unidentified hacker who claimed responsibility commented, typical idiot security. Nepalese authorities think it's some guy in Indonesia. Their report doesn't say whether they think he's wearing a hoodie, but be on the lookout.

Dave Bittner: [00:14:12] Now a moment to tell you about our sponsor ObserveIt. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIt, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIt is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIt focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIt. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIt for sponsoring our show.

Dave Bittner: [00:15:21] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He is also my co-host on the Hacking Humans podcast. Joe, welcome back. We have a story from Naked Security - from Sophos, right? And the title of it is "Android Password Managers Vulnerable to Phishing Apps."

Joe Carrigan: [00:15:41] Yes, it is.

Dave Bittner: [00:15:41] Take us through what's going on here.

Joe Carrigan: [00:15:43] All right, so what's happening is there are these Android password manager apps.

Dave Bittner: [00:15:47] Right.

Joe Carrigan: [00:15:47] And I'm a big proponent of password managers, whichever one you choose to use. The way they work with websites is different from the way they work with apps.

Dave Bittner: [00:15:56] OK.

Joe Carrigan: [00:15:56] So if you're on your desktop, and you're going to have these things integrate with your browser, they're going to check the site certificate before they send the username and password - right? - to make sure you're not on a phishing website.

Dave Bittner: [00:16:08] I see - before they automatically fill in your information.

Joe Carrigan: [00:16:11] They're going to autofill.

Dave Bittner: [00:16:12] They double-check.

Joe Carrigan: [00:16:13] Exactly. Before they autofill, they double-check. They - which is a great idea. However, once you are talking about using an app, that becomes a different issue. Let's say I'm a customer of Dave's bank.

Dave Bittner: [00:16:27] Right.

Joe Carrigan: [00:16:27] Right. And I go, and I download Dave's banking app to get access to Dave's bank.

Dave Bittner: [00:16:32] Right.

Joe Carrigan: [00:16:33] The password manager is going to say, this is Dave's bank app, and I'm going to go ahead and fill it in.

Dave Bittner: [00:16:39] Right.

Joe Carrigan: [00:16:39] Right. But let's say somebody malicious out there creates a bank app called Dave's bank and fills out enough metadata in the package to make it look like Dave's bank. They can fool the password manager into providing the credentials - the legitimate credentials to my account to the malicious app. And once I've done that - autofilled the - I've told the password manager to autofill the username and password. It just gets sent to the attacker, and then the attacker logs into my account at Dave's bank and drains my account.

Dave Bittner: [00:17:11] I see. So this is a matter of the apps not having as accessible a way to check the authenticity.

Joe Carrigan: [00:17:20] Correct because, you know, there's a way to check the authenticity, but it can be spoofed is the problem.

Dave Bittner: [00:17:25] I see.

Joe Carrigan: [00:17:26] So they're advocating a new method in Android apps. And they say in this article they would call it - get verified domain names in the API. So that LastPass - or any of these other password managers could call that function in that app and get a list of the verified domain names that they're getting. There would have to be some kind of cryptography behind the scenes.

Dave Bittner: [00:17:48] Right.

Joe Carrigan: [00:17:48] And, of course, the get verified domain names method or function would be under the control of the malicious app. So they could respond with anything they needed to respond with, I think.

Dave Bittner: [00:18:00] Yeah.

Joe Carrigan: [00:18:00] So I don't know how this would work exactly. I'm not an Android developer. But - so there has to be some significant cryptography under the hood for that.

Dave Bittner: [00:18:09] Yeah, it's interesting too because - it's sort of it's a multilayered thing here because for this to happen you've already gotten to the point where you have downloaded - you've been fooled once by downloading the malicious app.

Joe Carrigan: [00:18:19] Correct.

Dave Bittner: [00:18:20] And so really this is a matter of the - the password managers are doing what they're supposed to do but unable to successfully take that second look to verify that what - they're filling in your username and password where they should be.

Joe Carrigan: [00:18:37] Right.

Dave Bittner: [00:18:37] Yeah.

Joe Carrigan: [00:18:38] This is like when the malicious software was actually targeting password managers. It's still out there targeting password managers.

Dave Bittner: [00:18:45] Right.

Joe Carrigan: [00:18:46] So, yeah, that's the keys to the kingdom. And now they're just finding other ways to get in and get everything you have.

Dave Bittner: [00:18:52] Yeah. OK, something else to look out for. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:18:56] It's my pleasure, Dave.

Dave Bittner: [00:19:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:28] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they are co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.