Dave Bittner: [00:00:00] FireEye calls out Iran with a moderate confidence for a long-running DNS-hijacking campaign. Smart doorbells may not be smart enough for their users' comfort, if reports of video sharing are to be credited. Crooks are finding Fuze cards as handy as consumers do. Poland makes two arrests in an espionage case linked to Huawei. And the Russian media are happy to offer sympathy for NSA for some alleged security lapses at Fort Meade.
Dave Bittner: [00:00:37] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud and guided investigation workflows, all the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:40] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 11, 2019. Researchers at security firm FireEye's Mandiant division are connecting a long-running DNS-hijacking campaign that's affected enterprises worldwide, many of them private-sector infrastructure companies and Middle Eastern governments, to Iran, according to SecurityWeek. The attribution is tentative and, as usual, circumstantial. And FireEye notes that there may be more than one threat group at work. But their report concludes with moderate confidence that the operation is, quote, "conducted by persons based in Iran and that the activity aligns with Iranian government interests," end quote. It's worth noting that moderate confidence is based on IP addresses and alignment with government policy. It's enough to cue further investigation and to inform defensive measures.
Dave Bittner: [00:02:36] FireEye says they've seen three ways the attackers have worked. In the first, the attackers create a Let's Encrypt certificate and change the A record. FireEye points out that Cisco Talos researchers have earlier reported the same approach. A second tactic involves altering the DNS NS record. And the third method uses DNS redirection. The attackers aren't likely to go away anytime soon. If they are, as FireEye maintains, operating under the sponsorship and direction of the Iranian government, then Iranian cyber operators are showing continuing growth and sophistication and effectiveness.
(SOUNDBITE OF BELL)
Dave Bittner: [00:03:16] Alexa, could you get that? Unless, you know, it's someone circulating a petition to save the leprechauns or something like that. Amazon's Ring, a smart doorbell and security system, seems to involve more natural intelligence than users might have expected. The Intercept reports that video feeds from Ring's home cameras are being watched, analyzed and possibly shared by human watch standers and the company executives in mostly Ukrainian developer shops. Ring told TechCrunch that this mischaracterizes what happened and that Ring only uses less private neighborhood-watch video for training purposes. And TechCrunch does observe that Ring seems to have grown more security-conscious since its acquisition by Amazon. However the story develops, it again suggests the backward-striking potential of network security devices.
Dave Bittner: [00:04:09] Krebs on Security passes on a warning from the U.S. Secret Service. Street hoods who use stolen credit cards are turning to Fuze cards as a convenient way of holding a large number of cards on a single, well, card. The Fuze card, which seems like a nice, convenient and entirely legitimate idea, is a storage device the size and shape of a credit card on which the user can load multiple cards on a single Fuze. There are no numbers printed on the card itself, which should alleviate worries about shoulder surfing, capturing numbers with a phone camera and so on. Unfortunately, crooks have also figured out the advantages. You look suspicious if you're shuffling through a bunch of stolen cards at a terminal. With a Fuze card, it's easier to look legit.
Dave Bittner: [00:04:54] Polish authorities have made two arrests in an espionage case linked to Huawei. The Wall Street Journal reports that the suspects, who haven't been publicly identified, are Huawei's sales director for Poland, a Chinese national, and a former deputy head of security for Poland's Internal Security Agency, a Polish citizen. While Polish authorities haven't named the Huawei executive they've arrested, the state media have said he's Weijing Wang, who's known by his colleagues, associates and customers in Poland as Stanislaw Wang. One informant told the Journal, quote, "he was a really well-known Chinese guy in Poland and was always around," end quote - sounding more like a Damon Runyon character than he probably intended.
Dave Bittner: [00:05:38] Anyway, this well-known guy, this Stan Wang who was always around, is said to be a graduate of a Chinese intelligence school and to have served in that country's consulate in the port city of Gdansk. The police also made a search of both the Chinese national's home and the local Huawei offices. They are said to have seized documents and electronic data thought relevant to the case. Both men have entered a plea of not guilty. The espionage charges could bring a sentence of up to 10 years.
Dave Bittner: [00:06:08] The case is significant in that it's a spying beef. The Huawei CFO arrested in Vancouver on a U.S. complaint is being held on suspicion of evading sanctions - not so with the arrest in Poland. This directly concerns espionage. And one of the things Huawei has offered in its defense as it faces suspicion of being a security risk is that none of its people are being charged with espionage. That's now no longer true.
Dave Bittner: [00:06:35] Those interested in the Russian media's take on Kaspersky's role in the Hal Martin case may consult RT and Sputnik. Mr. Martin, you will recall, is the former NSA contractor arrested in 2016 on charges of mishandling and misappropriating classified information. The executive summary - Moscow's press is looking at the whole affair with understandable schadenfreude. NSA security is sorry, not what's to be expected from a world-class intelligence service. And Fort Meade owes Kaspersky its thanks and maybe an apology.
Dave Bittner: [00:07:11] The concern for NSA's professional standards is touching, even if somewhat tongue-in-cheek, but it's a legitimate observation. How do you let terabytes of secret material walk out of a secure facility? Perhaps some explanation will be forthcoming should Mr. Martin enter the guilty plea the government expects later this month. Details of the allocution could be instructive.
Dave Bittner: [00:07:38] Now a moment to tell you about our sponsor, Attila Security. Attacks on the U.S. defense industrial base supply chain, otherwise known as DIBs, is one of the most pervasive cyber threats facing our nation today. DIBs are vulnerable for a variety of reasons, ranging from legacy software and systems and a corporate culture that values operations over IT security. Cyber criminals exploit these weaknesses and target their attacks on DIBs in order to gain access to government networks. Attila Security is tackling this threat head-on. Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any non-technical user. GoSilent is a firewall and VPN in one and turns unsecured data transmissions into top-secret-level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com. That's spelled attilasec.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:09:02] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. Your team has been working on an attack that you call Persian stalker, and we want to dig into that today. Give us the background here. What are you all looking at?
Craig Williams: [00:09:20] Well, Persian Stalker is probably one of the longest probes we've done in a while. I actually had a hard time because my co-workers were putting out a 35-page blog post. But one of the things that I thought was so interesting about this was the fact that it targeted secure messaging apps. You know, if you think back to some of the research we've done prior in the year, you may remember when we did the MDM research on iOS devices, we saw people intercepting these same type of apps and, you know, pilfering out the contents of what were thought to be secure messaging. And so when we saw something similar again being exploited in the wild, yet through a different means, it naturally shot to the top our mind.
Dave Bittner: [00:09:58] And so what's going on here? What are they doing, and who are they targeting?
Craig Williams: [00:10:02] Well, it looks like they're targeting the people in Iran. And they're basically, you know, spying on them. It's one of the cases of the government trying to find ways to monitor the people. That's our current moderate confidence guess, I'd say. And to do that, they have a number of ways of actually getting apps onto the phone and looking at those what were thought to be encrypted communications.
Dave Bittner: [00:10:25] You know, is this is a case where they're taking a legitimate app and replacing it with a version that's been modified?
Craig Williams: [00:10:31] In some cases, yes. You know, I think one of the more interesting things here is that it's a case of state-sponsored actors basically deploying surveillance mechanisms, right? And there are several described in the paper, you know, specific ones around Telegram and Instagram and even things like manipulating BGP to actually modify the way the traffic is routed in the country. It's a lot of interesting things. It's a lot of insidious ways to monitor the population.
Craig Williams: [00:10:58] And I think this is the type of thing we're going to see more of, right? This type of software and these type of techniques, they're not going to go away. We're going to continue to see them. And I think that's why it's so important that we document these so that users can be aware that, not only is it happening, but know what to look for so that they can tell if it's happening to them.
Dave Bittner: [00:11:17] Yeah. I mean, it seems to me like, if nothing else, it also injects a certain amount of uncertainty into the mix of people who are relying on these sorts of apps to not be a hundred percent sure that they're safe.
Craig Williams: [00:11:31] Well, and especially if you happen to unfortunately be in a country that's attempted to ban the apps, right? And in a lot of those cases, people can't turn to like the trusted Google App Store - right? - or the trusted Apple App Store and download those apps because they've been banned. And as a result, they're forced to use, you know, let's call it gray area app stores where the software may or may not be legitimate. And even if it appears to be legitimate, it may be tampered with to allow people to monitor your communications.
Dave Bittner: [00:11:59] Yeah. The research is on the Talos website, and it's called Persian Stalkers. So check it out. Craig Williams, thanks for joining us.
Craig Williams: [00:12:06] Thank you.
Dave Bittner: [00:12:11] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course, but nowadays it also means all-image or anthropomorphized incredibly. There is a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminator's. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report - "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:13:10] My guest today is Rajiv Dholakia. He's VP of products and business development at Nok Nok Labs, a company focused on making authentication simple, strong and scalable in modern computing environments. Our conversation focused on biometric authentication, especially the emerging field of behavioral biometrics.
Rajiv Dholakia: [00:13:31] Obviously biometric measures have been with us for a long time. You know, we used thumbprints on paper, for example, for a long time to try and match people up when they presented themselves. And then with the advent of the iPhone, biometrics started to flow into mobile devices. And the iPhone Touch ID was was one of the first widespread where you could use biometric initially to unlock your phone instead of using a PIN, for example. And, by the way, obviously, I should say that mobile biometrics have been a huge hit.
Rajiv Dholakia: [00:14:10] If you've ever used a device that has one of these capabilities, whether it's a face or a finger or hopefully someday a voice, et cetera, you're never going to go back to a device without that convenience because it is just so natural. And it's not something that taxes you cognitively. And this is what users like. And if you can build in the right security behind it, which people like Apple and Samsung and the FIDO Alliance have done, then you have high assurance that this is going to respect your privacy, that it's going to be secure and that you're going to be protected from what we call scalable attacks.
Rajiv Dholakia: [00:14:49] This third wave of biometrics has to do with behavior. One of the nice things about the mobile device is that it comes with a lot of sensors that are packed into the device. That's a GPS sensor or a gyroscope or other kinds of things that indicate angle, temperature sensing. There's lots of interesting sensors in that phone that are used for a variety of different purposes. As it turns out, you can use software to monitor these various sensors and try to create a composite picture of the person that is supposedly using the device.
Rajiv Dholakia: [00:15:26] And this composite picture, for example, may indicate that you, David, are someone that holds the phone at a certain angle fairly consistently, that your typing speed is something predictable, that you tend to make the same kinds of mistakes and, you know, erase things when you type, that your locations are typically within a certain geo fence, if you will. So it's the collection of all of these different signals that together create this probabilistic view that it's probably David that's holding the phone.
Rajiv Dholakia: [00:16:08] And this new wave is called behavioral biometrics, and we're still in the early days of this technology today. Typically, these behavioral biometrics are not used as the primary mode of authentication. So a good way to think about the user journey is that when you want to onboard someone for the very first time, then, at that point, you have to go through a proofing process with them. So David has to prove to a bank that he is David by virtue of whatever the bank has set up as an identity-proofing process, whether that's government ID, whether that's being present in person, presenting maybe, you know, a utility bill and a driver's license or a passport or a birth certificate. Identity proofing is a whole competence in itself.
Rajiv Dholakia: [00:17:00] So once you've proofed someone, then typically you hand them a credential of some kind. And whether that credential is a password, a token of some kind, the usage of biometrics on their phone which you have to hold them to use, like Touch ID - enrolling a user and giving them that credential, you basically tell them, please present this credential to me when you wish to access my services. And that is typically called authentication.
Rajiv Dholakia: [00:17:26] Once you've authenticated someone, you start a session with them. And for reasons of convenience sometimes, particularly because the old ways of doing authentication, the non-biometric ways of doing authentication, were kind of clumsy, like passwords or, you know, fiddly tokens that you carried around with you, like OKP tokens, you wanted to try and maintain long-lived sessions without having to go back and ask the user to prove who they are over again.
Rajiv Dholakia: [00:17:55] And so in this strong session management, we have typically used what I call risk signals in order to figure out whether it's the same person still or has something changed. And it's in that session management that things like behavioral biometrics fit best. And then when, for some reason, the collection of your risk and your behavior biometrics - which, in our view, are simply a part of the risk management spectrum - indicate that maybe the user changed or something didn't match or, you know, something about the sensors is indicating that something's off, then you can go back. And you can say, hey, would you please swipe your finger? Would you please present your password or your token or whatever it is that you originally authenticated with?
Rajiv Dholakia: [00:18:42] And so that is what we think the right scope for behavioral biometrics is. It's an augmentation to the primary authentication and proofing that has already been done. So it's not a substitute for proofing or for authentication. But once you've proofed someone and authenticated someone, if you want to maintain a long-lived session with lower risk, then behavioral biometrics may be something for you to consider.
Dave Bittner: [00:19:13] And is there any data that's been gathered on the effect of - the effectiveness of this in terms of, you know, do the users like it, and is it helping with the security?
Rajiv Dholakia: [00:19:22] Well, that's a great question. So I think the - these are very, very early days. Obviously there are vendor proprietary claims about the effectiveness of this technology. There are no objective standards. So a - you know, even for about basic biometrics, like mobile biometrics now, there are well-established standards that measure the efficacy of the biometric sensor on your phone, like the fingerprint sensor or the facial recognition. And there is a well-studied range of practice about how you would attack these systems, how you would defend them, what kind of attacks are possible, et cetera.
Rajiv Dholakia: [00:20:04] We are in very early days of biometrics, so it's still sort of an unproven technology. So there are a lot of vendor claims about the relative effectiveness of this. But a lot of the effectiveness may be coming from things like device ID rather than from the behavioral techniques themselves. However, you know, behavioral techniques are very promising. And I suspect that over the next decade, you know, people like NIST and others will start to take a harder look at what the actual effectiveness of the behavioral techniques happens to be and how you would start to incorporate them in a more consistent way.
Rajiv Dholakia: [00:20:43] And so I think, to me, these things are by themselves in isolation never replacements for each other. You need to use these techniques all cobbled together - so strong proofing, strong authentication, strong risk signals, and then things like behavioral biometrics to augment those risk assessments if you feel like you need really long-lived sessions with the user.
Dave Bittner: [00:21:14] That's Rajiv Dholakia from Nok Nok Labs. And that's the CyberWire.
Dave Bittner: [00:21:23] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider-threat management platform. Learn more at observeit.com.
Dave Bittner: [00:21:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.