ICEPick-3PC in the wild. Influence ops warning in Israel. Hackerangriff and a lone hacktivist. OXO and Magecart. The Dark Overlord wants you. Oversharing. Internet autarky. Kaspersky helped NSA?
Dave Bittner: [00:00:03:16] ICEPick-3PC is out in the wild and scooping Android IP addresses. Shin Bet warns of influence operations threatening Israel's April election. German authorities are pretty convinced their doxing situation is the work of a lone, disgruntled student. OXO may have suffered a Magecart infestation. Dark Overlord's labor market play. Facebook sharing, Internet autarky, and did Kaspersky finger an NSA contractor to NSA for mishandling secrets?
Dave Bittner: [00:00:40:04] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud, and guided investigation workflows. All the clarity and context you need to act quickly and with confidence. Don't just take our word for it, explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:43:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 9th, 2019.
Dave Bittner: [00:01:51:10] The Media Trust offers notes on ICEPick-3PC, a malware strain now circulating in the wild. It targets Android devices, mostly, and it's of particular concern to publishers and e-commerce sites. The criminal innovation here, the Media Trust says, is that the malware automates pulling affected devices' IP addresses from them, which facilitates further exploitation.
Dave Bittner: [00:02:16:12] According to Haaretz and other sources, the head of Israel's Shin Bet intelligence service has warned that an unnamed foreign country intends to interfere with the country's upcoming elections.
Dave Bittner: [00:02:28:04] The country's unnamed, but whoopin' and hollerin' that's surged in response to the remarks made recently on TV leave little doubt that Russia is the usual suspect. Security firm Check Point has reviewed the various sorts of gambits to expect. They're mostly influence operations, and they follow the playbook used in other engagements with Western elections, mostly in the US: fake Twitter accounts, bogus warnings that you won't be permitted to vote, so you may as well save yourself the trouble, and so on.
Dave Bittner: [00:02:58:22] Authorities were quick to assert that Israel could take care of itself, thank you very much. Their security service said, in an unusual public statement, "The Shin Bet would like to make clear that the state of Israel and the intelligence community have the tools and capabilities to identify, monitor and thwart foreign influence efforts, should there be any. The Israeli defense apparatus is able to guarantee democratic and free elections are held in Israel."
Dave Bittner: [00:03:27:00] If you take these warnings as matters of a priori possibility, then they might do some good. After all, letting Tweets or Facebook posts determine your voting is, to say the least, unwise, as anyone who underwent Operation Birmingham in the US is likely to reflect. Sadder, but wiser now. A positive bit of advice: beware of emails bearing attachments. Just ask the DNC.
Dave Bittner: [00:03:51:23] It's also worth pointing out that, while a priori possibility, even a priori probability, can be a good source of healthy skepticism, it's an unsure guide to attribution, as the arrest of that student in the German Land of Hessen in their doxing case illustrates. Not everything that looks like a state-directed attack is necessarily a state-directed attack. The BKA, Germany's federal criminal police, told Infosecurity magazine that the suspect isn't in custody, but that's normal, given the country's laws on pretrial confinement. They do say that he's admitted the crimes he's suspected of, and said that he acted alone. Their investigation, the BKA says, leads them to the same conclusion.
Dave Bittner: [00:04:36:10] We now return to ordinary cyber crime. The kitchenware company OXO's recent breach is now being called a Magecart infestation. They issued a warning letter to customers late last month. Magecart has been making a pest of itself on a number of sites in recent months.
Dave Bittner: [00:04:54:07] If you've been shopping for a new car recently you may have been surprised to find the array of upgraded automated features that are commonplace in the auto industry's offerings these days. Active cruise control, lane departure warning systems, automatic braking systems, all made possible by networked sensors and processing power within the car. Denis Cosgrove is a principal at Booz Allen Hamilton, and he shares his views on what direction automotive automation is headed.
Denis Cosgrove: [00:05:22:06] What's changing now is the level of connectivity that's coming into the vehicle, and what that enables. And at the same time autonomous features, so we hear a lot about obviously the future of full autonomy, but there are significant milestones along the way around driver assistance, collision avoidance and other autonomous features that are really important to the industry.
Denis Cosgrove: [00:05:42:04] There's an interesting era that we're gonna enter, where there's gonna be a mix of vehicles and capabilities on the road, and so drivers are gonna have to remind themselves, depending on what vehicle they're in, that they don't have blindside assistance, or they don't have lane assist or other items that they might be used to in other vehicles. And in a way that's an analogy also for where the auto industry finds itself, both with technology and securing that technology. There's a lot of current capability, there's also legacy systems on the road, and then there's vehicles that are in the design and early stages of production now that are even more advanced. And somehow they need to not only present that as a coherent product to customers, but then also figure out the right way to secure that range of technology that they have responsibility for.
Dave Bittner: [00:06:27:20] Yeah, it's interesting to me that, you know, what I would describe as leading edge vulnerabilities grab headlines, people's ability to shut down a car, or remotely control its steering, or shift it into a different gear, something like that. But beyond that, what do you think are the actual real-world concerns that people will have day-to-day as these vehicles become more and more automated?
Denis Cosgrove: [00:06:52:24] I think one of the challenges we've had in the vehicle cyber security conversation is that it usually starts with someone like me describing cars being hacked and driven off bridges, or spontaneously combusting, some other doomsday scenario. In reality, and it's a little bit counterintuitive, but the more that the vehicle evolves and looks less like a traditional car, the more that we are passive passengers in increasingly autonomous vehicles, the more the security scenario and concerns look like conventional issues. And what I mean by that is, you know, a lot of times we think about autonomy advancing, and we consider things like spoofing GPS or road signs so the sensor misreads them. That all kinda makes sense when you're thinking about new features. But what autonomy actually does is have you sit in the vehicle and buy things, right? So payment processing. It keeps a log of where you've been, where you're going, your pattern of life. It may be part of how messaging information leaves you and comes in and out of the vehicle. We may have, you know, microphones, will have microphones in the vehicle that could potentially be vulnerable.
Denis Cosgrove: [00:08:07:12] These are all more like the normal things that we worry about, payment information, privacy concerns and cyber security, and so autonomy is gonna change the landscape in automotive, in a way it'll actually bring it more into the mainstream from a security perspective.
Dave Bittner: [00:08:22:19] That's Denis Cosgrove from Booz Allen Hamilton.
Dave Bittner: [00:08:28:20] So you think it's just the good guys who are working hard to get that notoriously scarce cyber security talent? Think again. The skids over at the Dark Overlord, who rose to a certain cheap level of fame by leaking spoilers to Orange is the New Black, went on a recruiting binge recently, just before they undertook their latest caper, doxing insurance companies in the service of a bogus conspiracy theory about the 9/11 terror attacks.
Dave Bittner: [00:08:55:20] CyberScoop reports that for some months prior to its recent doxing of insurance firms for 9/11 claim information, the Dark Overlord was actively seeking both talent and attention. Nothing in their recruiting pitches sheds light on the group's avowed financial motives.
Dave Bittner: [00:09:12:17] "Do YOU want to get rich? Come work for us!" That's the job posting the gang used in November on the KickAss Forum, a kind of career builder for cyber criminals. No high-minded appeals to the inner Robin Hood or even the inner Ed Snowden or Julian Assange, who, we must observe, is nice to his cat and does not dye his white hair. No, it's straight-up mercenary stuff.
Dave Bittner: [00:09:36:08] Any marketer hopes that mindshare leads to market share, and it's no different in the black market. It seems that they were looking for the kind of notoriety that might lead to sales of the stolen, and truth be told not very interesting, files they plan to offer this month.
Dave Bittner: [00:09:51:20] The criminal gang's headcount was reduced in the spring of 2018 when Serbian police devoted some attention to the Dark Overlord's activities. All labor markets face their distinctive pressures. If you find that one of those pressures is the prospect of arrest, consider: you might be the bad guys.
Dave Bittner: [00:10:11:05] More concerns are being expressed about Facebook's access to data being overshared by some apps. Privacy International found that more than half of the apps it tested shared usage data with the social network. One might dismiss this as relatively unimportant SDK data, but in the aggregate, as researchers point out, the data can tell interested parties a lot about a user, including some information that shades into what's protected under GDPR.
Dave Bittner: [00:10:39:18] Vietnam alleges that Facebook is in violation of that country's new, harsh, and autarkic Internet laws. Facebook denies any wrongdoing. Wrongdoing under Vietnamese law, one hastens to note. The Vietnam News Agency, an official outlet, cited a finding of that country's Ministry of Information and Communication, saying that, "Facebook had reportedly not responded to a request to remove fanpages provoking activities against the state." The violations of the cyber security law, which the Ministry characterized as "serious," included allowing personal accounts to post "slanderous" content, "anti-government sentiment," and "defamation of individuals and organisations."
Dave Bittner: [00:11:22:17] Facebook said it didn't do it. A representative said, "We have a clear process for governments to report illegal content to us, and we review all those requests against our terms of service and local law. We are transparent about the content restrictions we make in accordance with local law in our Transparency Report."
Dave Bittner: [00:11:42:19] Three things are worth noting. First, the Vietnamese cyber security law deals prominently with censorship and content moderation. Second, Facebook seems to be saying not that the content is out of its hands, but rather that the content it permits doesn't necessarily violate Vietnamese law. Admittedly the company's response amounts to a kind of non-denial denial, but it's not a clarion defense of free expression either. Facebook's in a tough spot here. And third, we can probably expect more of this, as the Internet seems to be on its way to splintering into a set of national autarkic preserves.
Dave Bittner: [00:12:19:07] It's not just Facebook and Vietnam either, TechCrunch reports that LinkedIn is bringing its Chinese operations into compliance with that country's user identification laws.
Dave Bittner: [00:12:30:13] Finally, POLITICO has an exclusive out on the increasingly strange story of alleged NSA leaker and classified data packrat, Hal Martin. That's a packrat to the tune of an alleged 50 terabytes of secrets, which is a lot to keep in a Glen Burnie shed. Kaspersky is said to have fingered Mr. Martin to NSA after the Russian security firm received some odd Tweets from the former contractor. Ironists have noted, and there's no shortage of ironists on the Internet, that Kaspersky did this bit of good citizenship while plenty of US government officials were busy getting the Russian security company kicked out of their networks.
Dave Bittner: [00:13:13:18] Now a moment to tell you about our sponsor, Attila Security. Attacks on the US Defense Industrial Base supply chain, otherwise known as DIBS, are one of the most pervasive cyber threats facing our nation today. DIBS are vulnerable for a variety of reasons, ranging from legacy software and systems to a corporate culture that values operations over IT security. Cyber criminals exploit these weaknesses and target their attacks on DIBS in order to gain access to government networks.
Dave Bittner: [00:13:43:21] Attila Security is tackling this threat head on. Attila Security's Go Silent technology features a portable security appliance that can be installed in minutes by any non-technical user. Go Silent is a firewall and VPN in one, and turns unsecured data transmissions into top secret level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com, that's spelled A-T-T-I-L-A-S-E-C.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:14:38:08] And I'm pleased to be joined once again by Dr. Charles Clancy, he's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, it's great to have you back. We saw a story come by, this was on the Tech Xplore website, and it was about researchers uncovering security gaps in the 5G mobile communication standard. What's going on here? What do we need to know?
Dr. Charles Clancy: [00:15:00:15] So within 5G there's been a major overhaul of the entire security underpinnings, they've cleaned up a lot of the vulnerabilities that plagued the earlier generations of cellular technologies. And researchers in Europe essentially took the new design for authentication and key agreement in 5G and built a formal model out of what was in the standard. They then took that formal model and put it into a model verification tool that then was able to spit out essentially things that you may be able to do with the standard as currently written, but that don't adhere to some of the standards design objectives.
Dave Bittner: [00:15:41:04] Now, where do we sit in terms of deployment? Are we at a stage where they can take this feedback and use it? Or is it too late?
Dr. Charles Clancy: [00:15:51:03] It's not necessarily too late; some of the standards are still in development. For example, the AKA protocol is currently going through final review within the Internet Engineering Task Force. They may elect to include some of the countermeasures. But if you look at the two vulnerabilities that were discovered, neither one is that significant, in my opinion. Essentially, the two new things that they discovered, one is that if you replay an authentication request to a phone and you reuse an old counter, then the phone will respond back and the phone will use the same numeric response, as long as you ask the same numeric question. And so, while you don't necessarily know the identity of the phone, you may be able to track that it is the same phone. So if you had a rogue cell tower that was able to implement this, it might be able to tell that the same phone was in the area, but it wouldn't necessarily know who that phone belonged to.
Dr. Charles Clancy: [00:16:54:13] The second vulnerability that they discovered is, depending on how you define a vulnerability, the key agreement protocol uses what's known as an implicit confirmation. There is no message that goes from the phone to the network, and back to the phone, that says, "I have affirmatively computed the correct key, and here is my proof of that," and then a response message coming back. Instead they basically just take the key that was derived and start encrypting messages with it, start securing your data sessions to the network with it. And if for some reason the key was not properly derived, or you are a hacker who is trying to spoof, you wouldn't know the key, and then therefore those messages would fail and not be delivered to the network. So there's the potential for someone to try and overwhelm the network with a bunch of false authentications, and make it believe that there are phones that are there, that are really not there. But again, it doesn't lead to the compromise of any individual user's privacy or security.
Dave Bittner: [00:18:03:12] Yeah, so it seems like, while significant, these are sort of nipping around the edges, I suppose?
Dr. Charles Clancy: [00:18:09:00] Correct. These are the sorts of vulnerabilities that are commonly found in cryptographic protocols, and in many cases they are acknowledged, they're observed as a limitation, but there's typically not a proactive set of objectives to necessarily fix them. None of them are fatal flaws that are gonna lead to the downfall of the system, much like we saw with Wi-Fi in the early days.
Dave Bittner: [00:18:35:23] I see. Dr. Charles Clancy, thanks for joining us.
Dave Bittner: [00:18:43:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire Podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:19:06:12] Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.