Fancy Bear in Czech government systems. Watering hole attacks. Quora breached. Marriott breach follow-up. Kubernetes privilege escalation flaw. Scams kicked out of Apple’s App Store.
Dave Bittner: [0:00:03] Fancy Bears and free-ranging catphish disport themselves in the Czech Republic. China's reported to have used watering hole attacks to gain entry into Australian institutions. Quora suffers a data breach. Marriott's breach response earns mediocre marks. A Kubernetes privilege escalation flaw is found and patched. Two scam apps are rejected from Apple's App Store. And an object lesson in the difficulty of controlling fake news or, at least, fake op-eds.
Dave Bittner: [0:00:40] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [0:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 4, 2018. Reuters reports that the Czech Republic's BIS counterintelligence service yesterday attributed last year's cyberattacks on the foreign ministry to Russia's GRU, also known, of course, as Turla, Sofacy and Fancy Bear. At the time, the ministry said the incidents appeared to be the work of a foreign intelligence service, but they were unsure which one. The foreign ministry said no confidential material was compromised. BIS said that some 150 staff mailboxes were accessed, with the GRU copying emails and attachments.
Dave Bittner: [0:02:30] The report sees this essentially as battlespace preparation. As BIS puts it, the GRU, quote, "thus obtained data that may be used for future attacks, as well as a list of potential targets in virtually all the important state institutions," end quote. Another recurrent warning that figured in the report, widespread use of undeclared intelligence officers operating under diplomatic cover. In fairness to Fancy Bear, Russia's not the only espionage power being name-checked - checked (laughter) - in the report. BIS also points out that the Chinese services are also quite active. Their interest is, characteristically, industrial espionage.
Dave Bittner: [0:03:13] The Sydney Morning Herald has, in this context, an interesting account of how China used watering hole attacks to gain a foothold in the various Australian institutions Beijing's intelligence services were interested in prospecting. A visit to the watering holes provided the entry point for installation of malware tools into a leading foreign policy think tank, the Lowy Institute, as well as the Australian National University.
Dave Bittner: [0:03:41] Last week, the big breach news, of course, was of the goings on at Marriott. This week, another large breach has been reported. Quora, the widely used question-and-answer site, was hacked, and the attackers made away with passwords, names, email addresses and direct messages belonging to some 100 million users. The stolen passwords are said somewhat vaguely to have been encrypted. Ars Technica thinks this probably means that they were passed through a one-way hash function, which, function matters. Some are relatively easily cracked with off-the-shelf tools. Others are strongly resistant to breaking. Quora discovered the breach Friday. Causes remain under investigation.
Dave Bittner: [0:04:25] Marriott is not drawing good reviews for its response to the breach it disclosed last week. The hospitality chain is, for example, using the domain email/marriott.com to send notifications to the half-billion or so affected customers. But as TechCrunch points out, that domain is easily spoofed by typosquatters, and several security firms working gratis and pro bono have preemptively registered several of the more plausibly typosquatting domains. Observers see a string of breaches going back to 2015, beginning shortly after Marriott's acquisition of Starwood's properties and reservations service. The breaches mostly involved Starwood, with many missed opportunities to prevent the recent problem. A lesson being drawn is that corporate mergers and acquisitions represent a clear cybersecurity danger point.
Dave Bittner: [0:05:20] Google researchers found a privilege escalation flaw in Kubernetes. It's now patched. Users should upgrade. The issue will also be addressed in forthcoming releases. This is believed to be the first significant vulnerability to be discovered in Kubernetes, and it's serious enough to warrant a CVSS score of 9.8. Exploitation of the bug could enable an attacker to obtain full administrative privilege on any node running in a Kubernetes cluster.
Dave Bittner: [0:05:52] Do you carry more than one mobile device? Does your company insist on keeping your online personal and professional lives physically separated, or do you carry one device and carefully commingle the two? Brian Egenrieder is from mobile device security company SyncDog, and he joins us with some perspective.
Brian Egenrieder: [0:06:10] We're kind of in an imbalance or an interesting intersection in a market where, you know, a lot of people are out there carrying two phones around, a work phone and a personal phone. In fact, we often see, you know, people's work phones are, like, an iPhone 6, for example, and their personal phone is an iPhone 10. And, you know, you have that disparity of, like, why am I using this older technology when I'm carrying something right beside it that's much better?
Brian Egenrieder: [0:06:34] Or, conversely, people that are allowed to use their personal phones for work often have to sign documents that say if you leave the company, that company has the right to wipe your entire device, which creates kind of this Big Brother aspect or lack of trust between the employee and the company. The reason they're all being done is that companies are simply apprehensive or concerned about, you know, where that data is and how they can control it.
Dave Bittner: [0:06:59] Now, and part of this is practical as well. As the price of these mobile devices goes up, you can understand where the whole notion of people bringing their own devices could be attractive to a company who might not want to foot the bill for that.
Brian Egenrieder: [0:07:14] You're absolutely right. And, you know, we already see too that people don't treat their work devices the same they would with their personal devices. You know, when you've shelled out, you know, $1,000 on your own or, you know, $1,200, now with some of these newer iPhones, if not more, you know, you take care of that. You're concerned about it breaking or losing it. When it's a work device, you're like, whoops, I dropped it - no big deal. They'll just have to get me another one.
Brian Egenrieder: [0:07:36] Yes, companies are becoming more and more apprehensive about this because everybody is now using a smartphone for their personal device, so you can't get away anymore with handing somebody an iPhone 6 or an older technology. It becomes a deterrent. You know, it used to be, hey, we're going to give you an iPhone for work. And it was - you know, it was a selling appeal for a company to bring somebody on. Now, if it's not the latest and greatest, it's actually hurting their reputation versus helping it.
Dave Bittner: [0:08:02] Yeah, it's interesting. I think as those mobile devices become more a primary device in our lives, it seems like that has shifted quite a bit.
Brian Egenrieder: [0:08:12] Absolutely. And the work world's changed. You know, the 9-to-5 job, you know, doesn't seem to exist anymore. The - (laughter) I always say the yabba-dabba-doo time, where the bell rings, and you slide down the back of the dinosaur...
Dave Bittner: [0:08:22] (Laughter).
Brian Egenrieder: [0:08:22] ...And your day is done, and you don't think about work anymore, is long done. So, you know, people are working certainly not 24 hours a day, but throughout all times of the day, you know, and travel. And just, you know, the world has definitely become more mobile, so being constrained to the four walls of the corporation and only being able to access, you know, sensitive data while you're there is just unrealistic. And so you have to find a solution that enables people to get the job done while they're outside the four walls of the company.
Dave Bittner: [0:08:52] Yeah, it strikes me also as interesting that there hasn't been more of a response for this sort of thing from the manufacturers themselves, from Apple and Android. Clearly, there's a need for this. You know, we have multiple logins on our desktop computers. It seems like there's a market opportunity here to be able to segregate your personal from your professional life on a single mobile device, and yet, that isn't really being filled by the manufacturers themselves.
Brian Egenrieder: [0:09:21] Yeah. You know, and some have tried. And some even have products out there right now. But as you're probably not surprised by, you know, Samsung for example has a product, but it's Android-only. And it's Samsung Android only and only on some of the devices of Samsung. So they have something, but obviously they're like, hey, we're not going to give anybody an excuse to not buy a Samsung. So they completely focus on that environment alone, and that's just not realistic. You're going to have Android and iOS users, you know, across the board in any company of any size, really. It's - there are definitely users of both technologies, you know, anywhere you go.
Dave Bittner: [0:09:57] That's Brian Egenrieder from SyncDog.
Dave Bittner: [0:10:01] Fingerprint ID, like the Touch ID system featured on iOS devices, is attractive for many reasons as an authentication measure. It's difficult to spoof, for one thing, the hot epoxy gummy bear hack featured in the first "Ant-Man" movie aside. But it needn't be spoofed if a user can be induced to let their finger do the walking through a couple of payment approvals. That's been the case with two scam, or at least scammy, apps - Fitness Balance app and Calories Tracker app, both of which Apple has now booted from the walled garden of the App Store.
Dave Bittner: [0:10:36] The two apps displayed a message telling people to keep their finger on the iOS Touch ID feature, meanwhile flashing a quick payment window likely to be unnoticed because it was, for most intents and purposes, in the background and only up for at most two seconds. Keeping your finger on the pad, of course, authorized a payment whose authorization was acknowledged in another flashed pop-up that also probably would go unnoticed. Even if you did notice it, that hundred bucks or so was already gone, baby, gone. So farewell to Fitness Balance and Calorie Tracker. We hardly knew you.
Dave Bittner: [0:11:12] Robin Sage, please meet Tatiana Horakova. You two should really talk about trolling for catphish. Sure, your personae are entirely fictive. But in this day, who would be so narrow-minded as to dismiss someone's life experiences and the voice they contribute to our mosaic of discourse on the legalistic grounds and pedantic grounds that such a person doesn't exist? Take a broader view. Don't view Robin Sage and Tatiana Horakova as names, but rather as definite descriptions, like the present king of France. Bertrand Russell would get it, and so can we, right?
Dave Bittner: [0:11:50] Anywho, you'll remember that Robin Sage was the name of a fictitious person used in an experiment in gullibility conducted in 2009. She was socially constructed in social media as a 25-year-old cyber threat analyst for Naval Network War Command with a degree from MIT and 10 years work experience. She attracted dinner invitations and job interviews from at least two large and famous corporations, whom we won't name because at this point shaming would just be piling on. Not everyone was taken in since some people bothered to check the phone number provided in contact information or looked into MIT alumni records or simply found the idea that anyone could have accomplished by the age of 25 what Ms. Sage claimed.
Dave Bittner: [0:12:35] In any case, experimenter Thomas Ryan blew the gaffe with a presentation at Black Hat in July 2010, so Robin's run lasted less than seven months. Ms. Horakova has had an even longer, more illustrious career. And she's successfully trolled, among others, the prime minister of the Czech Republic. Ms. - or perhaps more appropriately - Dr. Horakova has a knock-out resume. Founder and director of a medical not-for-profit that sends physicians into conflict zones, she arranged the release of Bulgarian nurses held by the late Libyan leader Moammar Gadhafi. She offered herself in exchange for a hostage held by FARC guerrillas in Colombia. She turned down no less than three Nobel Peace Prize nominations, got a big humanitarian grant from the Vatican and lots of other good stuff too. She's also a frequent contributor of high-minded op-eds to Czech media outlets. Foreign Policy pedantically objects that there's no evidence Tatiana Horakova exists. Says you, Foreign Policy. If she doesn't exist, how has she succeeded in showing up in Czech newspapers for more than 10 years? Explain that.
Dave Bittner: [0:13:48] Actually, there probably is an explanation. Reporter Prokop Vodrazka of the skeptical paper Novy Denik thinks it's just someone sitting in a flat, laughing at everybody. It's like a character straight out of "The Good Soldier Svejk." If you want a serious take on the difficulty of controlling for fake news, however, look no farther than Tatiana Horakova.
Dave Bittner: [0:14:17] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [0:15:26] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. We had a story come by - this is from TechCrunch, but it certainly made the rounds in the press - about some security researchers who found fundamental weaknesses in the encryption on several Crucial and Samsung SSD drives. And these are storage devices. What's going on here?
Jonathan Katz: [0:15:55] Yeah, these researchers were looking at hardware-based encryption. That's encryption that's being done at the hardware level, done by the disk drive itself that a user might buy. And the findings of these researchers were actually pretty scary. Basically, when they looked at what was actually going on, when they physically examined these hard drives, they found that in many cases, it would be very easy for an attacker to bypass the encryption that had been done and recover a user's files. And that's exactly the sort of thing that these encryption - encrypted hard drives are supposed to protect against.
Dave Bittner: [0:16:28] And what - so what was going on here? Was this a flaw in the implementation of the encryption in the hard drives' actual hardware?
Jonathan Katz: [0:16:36] Yeah, it was a flaw, not so much in the implementation of the encryption itself, but in the way that the keys were being managed. So just as an example, on many of these hard drives, there would be a default password that was set at the time of the manufacture. And if the user didn't go ahead and change that, then that default password would allow an attacker to have access to the contents of the encrypted drive. So you can be using the best encryption in the world, but if there's a default password that everybody knows about that's being used, you're not going to get any protection from that.
Dave Bittner: [0:17:06] Yeah, and it was interesting that - on the software side that, I suppose, many systems were just taking the security of this encryption for granted. If the hard drive said - or the SSD drive said this was encrypted, then the system would say, that's good enough for us.
Jonathan Katz: [0:17:22] That was a very interesting part of this attack, actually. So I guess - exactly what you said - people who were using software encryption, those software encryption schemes would basically trust the underlying hardware. And if the hardware would tell them, yes, you know, don't worry - we're encrypting stuff - then the software would not go ahead and encrypt. And, you know, really what you have here - you can think of the hard drive as lying, right? It's telling the software that it's doing proper encryption when it's really not. And so I think that the software encryption algorithms are now going to be updated to encrypt anyway, even if the drive tells them that they're doing - that it's doing encryption.
Dave Bittner: [0:17:58] Now, what about some of the developments - for example, I know Apple has made a lot of - out of their T2 chip. They've taken that encryption onto a dedicated piece of hardware, you know, a secure enclave off of the hard drive and separate from - taking that workload off of the main processor from the computer itself. They say that increases security and speed.
Jonathan Katz: [0:18:20] Right, so the devices that are put out by Apple were not affected by this particular line of research. Of course, you know, until somebody actually looks at what's going on, we can't really say much about the security of those devices. But I think in general, Apple has a pretty good track record of building secure devices. I think the global message here really is that the algorithms that are being used need to be open source so that they can be evaluated by security researchers.
Jonathan Katz: [0:18:46] One of the problems in this example here is that the Samsung drives, for example, were not revealing exactly what algorithm they were using for their encryption. And so there was no way, really, for anybody to analyze it, short of going in and actually physically trying to attack these drives. And I think Apple has done a pretty good job of at least releasing the high-level details of their design, even if they don't release all the details of what they're doing.
Dave Bittner: [0:19:09] No, it's interesting. All right, Jonathan Katz, thanks for joining us.
Jonathan Katz: [0:19:13] Great, thank you.
Dave Bittner: [0:19:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [0:19:40] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [0:19:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.