The CyberWire Daily Podcast 11.7.18
Ep 721 | 11.7.18

A quick look back at the US midterms, and the cyber Pearl Harbor that wasn’t. Update Apache Struts. Smishing with the Play Store. Another advance fee scam.

Transcript

Dave Bittner: [00:00:03:12] A quick look back at US midterm elections and at what did and didn't happen. Is Iran looking at waging cyber-enabled economic warfare? If you use Apache Struts, update now to avoid remote code execution. A spyware-delivering app is smishing Spanish speaking users of the Play Store. And once again people really seem to think that Elon Musk will return them their Bitcoin donations tenfold. (Enough people to make crime pay, anyway).

Dave Bittner: [00:00:38:21] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's In-Platform Analytics and Automation you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect Platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest White Paper, titled Threat Intelligence Platforms, Open Source versus Commercial.

Dave Bittner: [00:01:24:23] As a member of a maturing security team evaluating threat intelligence platforms, or TIP, you may be asking yourself whether you should use an open source solution, like a Malware Information Sharing Platform, or MISP, or buy a tip from one of the many vendors offering solutions. In this White Paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:09:08] Major funding for the CyberWire Podcast is provided by Cylance. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 7th 2018.

Dave Bittner: [00:02:22:02] The US midterms are over with, as the Wall Street Journal puts it, "no significant foreign influence seen" by either officials or private companies watching the vote for cyberattacks. That is there was no apparent wave of hacked databases, manipulated vote counts, voter suppression by electronic alteration of records, systematic fraudulent voting enabled by computer network attack, denial-of-service, and so on. What we've had occasion to call "hacking proper." This is despite the various problems found in voting hardware around the country - no more than usual.

Dave Bittner: [00:02:57:08] Most observers didn't even see a particularly large spike in election-targeting information operations. Facebook did confirm that the coordinated inauthenticity they found, in about a hundred accounts the social network suspended this week, was connected to Russian operators. Those operators included, unsurprisingly, the notorious St. Petersburg troll farm that calls itself the Internet Research Agency.

Dave Bittner: [00:03:23:04] The various ongoing influence operations spotted seemed to amount to a new normal, and can be expected to continue post election. Some of that disinformation will seek to shake confidence that the election was fairly conducted, as the US Department of Homeland Security emphasized in press briefings yesterday. All that matters to the adversaries is creating an impression that the vote was untrustworthy.

Dave Bittner: [00:03:47:09] All of this is of course gratifying to see. The apparent lack of hacking proper may remind older observers of what happened - for the most part nothing really - at the end of the Y2K panic. But it's also likely that, as Fifth Domain reflects, that the relatively smooth election was the result of some intelligent preparation over the past two years. There's surely more effective sharing of information between Federal agencies and state election bodies, and the Department of Homeland Security seems to have been patiently working to build some sensible consensus models.

Dave Bittner: [00:04:22:09] What effect, if any, the barking about US Cyber Command's ability and willingness to rain virtual scunion down on foreign state that so much as looked sideways at the polling, is of course unknown. The US willingness to openly signal that it was prepared to cry havoc and release the dogs of the world wide web was interesting and will be worth watching in the future.

Dave Bittner: [00:04:45:21] Those interested in nation-state threat actors and what might be expected of them, may find the Foundation for Defense of Democracies' outline of Iran's "cyber-enabled economic warfare" interesting. Their analysis suggests that Iran's willingness and ability to learn have made it a more dangerous actor in cyberspace. The study also concludes that reimposition of sanctions against Iran, for what the US considers Tehran's violations of the Agreed Framework to limit nuclear proliferation in the region, will embolden the regime to resume cyber attacks against economic targets in regional rivals like Saudi Arabia and perennial adversaries like the US and Israel.

Dave Bittner: [00:05:28:22] In the aftermath of a data breach, it's become routine for observers to keep an eye on the dark web, to see if and how quickly the breached data makes its way into underground online markets. Christian Lees is CISO and he also heads up the Intelligence Team at InfoArmor, where they spend a good amount of time monitoring the dark web.

Christian Lees: [00:05:48:21] The state of the dark web today is, in my humble opinion, could be compared to any other major market place; it's driven by supply and demand and it's much like an organism; it moves, it corrects itself, it adapts. Being in the dark web every day, I see it absolutely growing. It's growing massive and very quickly.

Dave Bittner: [00:06:13:19] We see marketing messages, certainly towards consumers, that it's this scary thing, this bad neighborhood that you don't want to accidentally wander into or find your information in there. How does that compare to what you see?

Christian Lees: [00:06:27:12] It's actually a great question, I mean, again I think that when we think of the dark web, we automatically think of that guy with the hoodie and you know he has like no face. In my humble opinion, I really think that what's going on in the dark web is again of course nationally, we have this kind of elite closed area, kind of like what you alluded to, almost like a speakeasy, right, it's like two knocks and a whistle and they open the door and you go in. There's certainly that kind of environment, a very closed marketplace, but this is really for the elite threat actor and I think what we are seeing today is these elite threat actors, that are very difficult to get to, are more willing to kind of engage third party brokers, and that's where we kind of see the dark web absolutely expanding. So let's let these third party brokers resell in the more kind of open environment.

Dave Bittner: [00:07:30:01] So for organizations that are out there trying to protect themselves, what's an appropriate way for them to dial in the amount of concern and attention they should pay to the dark web?

Christian Lees: [00:07:39:21] That's a very difficult question because we as consumers and we as organizations, we are doing nothing but increasing our digital identity every single day. And that's what fuels the underground economy. For example compromised credentials, which is largely commodity based data, within the underground economy, but we are so willing to go use our credentials often times unfortunately our corporate credentials for these third party websites, this is where the suppliers gets their goods. Compromising these third party websites and that fuels the underground economy. So I think that many organizations, you know, they have a sophistication level that they can monitor open source environments and check for their data. But for the small and medium businesses, it's pretty difficult to understand the dark web and obviously I recommend that they partner with an organization that helps them hunt the hunter within the underground economy.

Christian Lees: [00:08:50:08] You know I speak all over the world, I speak to the InfoSec community and something that I find a little disappointing is I hear this constant trend, or this constant comment in the info security world of it's not a matter of if, it's a matter of when, and it just drives me insane. So I would just like to take one minute and acknowledge the amazing work that the good people do, the info security. We protect every day, we do a really great job. So I think it's really worthwhile just to acknowledge that. However, having said that, something that we are currently researching in the underground economy, is threat actors. They are, like I said, the underground economy; it's an organism, it adapts, it moves. They are in recognition at how well organizations do protect, for example, it was not long ago that you could simply go to your bank with your user name and password, so threat actors were regularly selling a user name and a password and a URL to log into and that threat actor could have a heyday with that. However today, these organizations tend to protect with system variables.

Christian Lees: [00:10:11:06] So threat actors today are actually not only selling the credentials, they are also selling the variables of your environment, of your machine itself. So for example if I were to go to my financial institution, they're going to look at perhaps my browser or an MT5# in my browser. They're going to look at perhaps maybe cookies that I have on my system, or you know patching level or the resolution of my screen, and they're going to make kind of like this pre-decision about me prior to ever successfully putting in my credentials, that if my environment doesn't essentially match the known variables of these credentials, they're going to step up challenge on me and threat actors have got wise to this so now in these underground economy dark markets, they're actually selling not only the credentials but they're selling the user's environments, the variables, along with the cookies, you know, all of the settings. And they package it up and just stay a small web browser extension that you load. Therefore you can bypass the step up challenge, which to me is absolutely mind blowing.

Dave Bittner: [00:11:32:14] That's Christian Lees from InfoArmor.

Dave Bittner: [00:11:36:22] The Apache Software Foundations urge users of Struts 2.3.36 to update the Commons FileUpload Library to avoid a remote code execution flaw. Struts is widely used and the recommendation should be taken seriously.

Dave Bittner: [00:11:53:10] Security firm Trend Micro warns that a malicious app in Google Play is appearing in Spanish-language smishing attacks. At the end of October TrendLabs researchers found an app, Movil Secure, available in the Play Store. It represents itself as a mobile token service but was in fact spyware. The developers, who've succeeded in getting other malicious wares into the chain-link-fenced garden of Google Play, were unusually slick and persuasive in offering a professional looking impersonation of a legitimate app.

Dave Bittner: [00:12:26:12] But of course you don't really need to even be that persuasive. For example, nobody falls for advanced fee scams any more, right? I mean really, right? I mean you know who's going to believe that someone would actually marry you if you sent them some money? After all, that scam was exposed as far back as the Three Stooges' Crash Goes The Hash, opus 77, 1944, when the society matron was saved by freelance reporters from the bogus marriage proposal of a crook who styled himself the Prince Shaam of Ubedarn. (By the way if you don't know Mr Howard and and Fine's Opus 77, our film criticism desk recommends it highly: "A film of novelistic complexity" they say, going on to call it "a ringing affirmation of journalist integrity and a rejection of the bald cynicism of Citizen Kane. Two thumbs way way up and it makes Last Year at Marienbad look like an 8mm knock off of It's a Wonderful Life.")

Dave Bittner: [00:13:25:12] And for sure, no-one would think that Elon Musk is actually like giving away ten times the amount of Bitcoin you send over to him just to "establish your identity." Right? Wrong.

Dave Bittner: [00:13:39:12] It seems that a relatively convincing set of hijacked Twitter accounts, up for only about a day, convinced people to send in 392 Bitcoin payments, amounting to about $180,000. Let that sink in. People were convinced enough to act 392 times and give the bogus Elon a nice 180K payday. But what's that you ask? Weren't people looking for the blue check seal of authenticity? They were looking and the blue check was there for all to see. They overlooked usage errors and bad grammar to swallow the phishbait hook, line and sinker.

Dave Bittner: [00:14:19:02] So those who live by the blue check, die by the blue check, figuratively of course. So if you're asked to send some money in advance, just don't. And if you slip up and do, then lawyer up. May we recommend someone like I. Cheathem, the attorney featured in the Stooges' Fine Opus 83, Pests in a Mess.

Dave Bittner: [00:14:45:23] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMware's White Paper on A Comprehensive Approach to Security Across the Digital Workspace, will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:15:46:06] And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's great to have you back. I wanted to touch today on breach notification laws and the impact that they have on incident response. What can you share with us?

Justin Harvey: [00:16:01:15] Well I've been seeing a trend that companies are rushing to notify regulators of a data breach and the startling aspect is how they revise their numbers. And I'm not going to call anyone out specifically, but you see some organizations that are reporting the tens of millions, or the hundreds of millions, identities that they have been suspected to have been stolen. And that sets off a firestorm of activity; people are getting worried, they don't know really yet if they've been affected. And many times these organizations can actually do themselves a disservice or harm by alerting the regulators and being so public, because the adversaries are now aware that there has been a breach and/or that they have been found.

Justin Harvey: [00:16:55:11] And I think that a more pragmatic approach has to be adopted by our industry, by organizations and by regulators to have a time period for investigation. My team frequently responds to these large scale incidents and breaches. It's really quite startling being on the inside and not exactly knowing the extent and then organizations go public. There's still a little bit of revising that has to happen in the public sense. So I think that regulators really need to give that time period to companies in order to get their facts straight, to understand the scope of the impact. And be able to articulate that in a very clear way to the public before rushing to judgment.

Dave Bittner: [00:17:48:07] So do you envision this being something where the organization could perhaps contact the regulators and say "hey we've had a breach" and then allow them to make their case, "This is why we think it's in everyone's best interest to wait a little while before we go public with this."

Justin Harvey: [00:18:06:10] Yes, I think that there's a gradient approach that should be adopted by regulators, so that the first level would be, "We have an incident, we think it's of this scope, but give us some time," and be able to have a dialog with regulators saying, "It's going to take us two weeks to do the forensics on these 30 machines and then after those two weeks we will report back on what we know." And if there's some empirical data to support the initial compromise vector and the initial compromise numbers, then the regulator can then help them go public from that. But right now it seems to be more of a Boolean, a black and white decision point by regulators.

Dave Bittner: [00:18:52:22] Alright interesting. Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:56:24] Thank you.

Dave Bittner: [00:19:02:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:30:00] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.