FaceTime’s odd bug, and how to squash it. FormBook malware surges through a new hosting service. Some international law enforcement wins. International conflict in cyberspace.
Dave Bittner: [00:00:03] A FaceTime bug lets you listen to someone's phone before they've even picked up. FormBook malware's surge is abetted by a new hosting service. Compromised server market xDedic has been taken down. Europol is looking for Webstresser users. Huawei faces new U.S. criminal charges. Kim's ambitious economic plan may augur ambitious North Korean hacking. The EU foretells a surge in Iranian cyberattacks, and waiting for information operations around the Venezuelan crisis.
Dave Bittner: [00:00:41] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 29th, 2019. Do you use FaceTime, and do you use an up-to-date version of iOS? Do you FaceTime with other iOS devices? Here's some news you can use one way or another. First, a way we recommend you not use the news - a FaceTime bug was disclosed late yesterday. 9To5Mac reported last night that you can call someone using FaceTime and start hearing audio from their phone before they even pick up. It's not exactly covert because the phone will still ring, sing, buzz or sullenly vibrate. But if the person on the other end is inattentive, you'll be hearing their cries, shouts, whispers, imprecations and so on before they've accepted or rejected the call.
Dave Bittner: [00:02:35] The bug works like this. First, you start a FaceTime video call with one of your iPhone contacts. While the phone's dialing - and it doesn't literally dial, but you get the drift - go ahead and swipe up from the bottom of the screen and tap add person. It's like a group chat, only it's not going to be an actual group because the person you add is you, yourself, your own phone number. The group FaceTime call will include you and the microphone of the unwitting person, whether they've interacted with their phone or not. Your phone will show that the person you called joined the chat, but their device will simply continue ringing away on the lock screen.
Dave Bittner: [00:03:11] Course, don't try this. It's rude, uncalled for, creepy. And be sure to tell any of your creepy friends - 'cause of course, you wouldn't consider doing that yourself - well, tell those creepy friends we say who might be tempted along these lines to please restrain themselves. But here's the other way you can use this news, and this you should definitely do. Protect yourself from what would probably be a minor intrusion by locking down your phone.
Dave Bittner: [00:03:35] NSA's Rob Joyce helpfully tweeted some instructions anyone can use, although if you're Fancy Bear, Charming Kitten or the Lazarus Group, take five, leave the room and smoke them if you got them. Here's what Rob Joyce recommends. He says turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered - go to settings, scroll down to FaceTime - it's the green icon with camera - and switch off.
Dave Bittner: [00:04:00] See, there? Twitter can be used for good. The problem seems to affect iOS devices running iOS 12.1 or later. Apple has made the group FaceTime server where the bug is located temporarily unavailable until Cupertino comes up with a permanent fix, which they've promised sometime later this week.
Dave Bittner: [00:04:21] Deep Instinct announced this morning that a new variant of information-stealing FormBook is circulating in the wild. FormBook is a familiar commodity in dark web markets. It's billed as featuring both elaborate evasion cred and powerful credential harvesting capabilities, and it's offered at a fairly low price. FormBook has been known since its discovery was announced in late 2017 by Arbor Networks and FireEye for its use in spam campaigns designed to phish up credentials. FormBook has recently shown increased rates of usage. Deep Instinct says that its own prevention work has been largely in North American retail and hospitality sectors, but that they have reason to believe the attack wave isn't limited geographically.
Dave Bittner: [00:05:05] Jamil Jaffer is VP for strategy and partnerships at IronNet Cybersecurity. He runs a think tank at George Mason's law school called the National Security Institute, and he's a visiting fellow at the Hoover Institution. He recently briefed congressional staffers on Capitol Hill on nation-state threats, collective defense and strategic deterrence in cyberspace.
Jamil Jaffer: [00:05:26] There's often this tendency to think in the United States that, well, you know, the government defends itself, and private sector defends itself. And so in cyberspace, we assume that every company in our economy, whether it's Walmart or Target or Marriott Corporation - they're going to defend themselves against all attackers, whether they are script kiddies in their basement all the way to nation-states. But of course, in no other context do we expect that. We don't expect Target or Walmart to have surface-to-air missiles on the roofs of their warehouses to defend against Russian Bear bombers, yet in cyberspace we do. And that's an odd construct.
Jamil Jaffer: [00:05:56] And so if we're going to have that expectation of private industry, well, then industries got to come together, work with one another because you can't expect a single company to defend against a committed nation-state. They have to come together as an industry, come together across industries and frankly, come together with the government to really create a collective defense system where they're sharing information constantly, creating almost a radar picture of the U.S. cyber environment and then figure out if and when the government has information, it can take its own action to both stop the activity, but also deter that activity going forward.
Jamil Jaffer: [00:06:25] And that's the really hard part of this calculus because we're not used to thinking about a government industry working this tightly together. But given these new expectations, we almost have to do that and change our constructs.
Dave Bittner: [00:06:35] Now, what about from a global leadership point of view? What role should the United States take in setting norms for these sorts of things?
Jamil Jaffer: [00:06:44] Well, that's a great question. I mean, look. There is really a divide when it comes to cyberspace about how to address - whether it's cyberwarfare activities or the like - sort of the - Western nations have one perspective. They say, look. There are nation-state behaviors that we've always engaged in - surveillance and the like. We understand that every nation's going to do that. That's fine, and everyone will sort of - the chips will fall where they may. But when it comes to destructive activity, we should think about how to work together to limit those things like we have done in the warfare space. But then you look at totalitarian states or, you know, somewhat totalitarian states like China and Russia.
Jamil Jaffer: [00:07:17] You see, there, what they're looking to do with sort of cybersecurity norms and the like is really to suppress internal dissent - right? - rather than address these external activities. In fact, they're happy to engage in external activities. And so how you bridge that divide, I think, is a hard one. The U.S. has to lead that space, but it's going to be a tough place for us to get real consensus.
Jamil Jaffer: [00:07:37] In the absence of a consensus on norms, though, we still do have to deter bad cyberactivity. And you know, a lot of people said, well, deterrence doesn't work in cyberspace. I don't believe that. I think we simply don't practice deterrence in cyberspace today. We don't talk about our capabilities. We don't talk about our red lines. And frankly, when bad things happen to us, we don't take action or respond in a way that will make people really understand the consequences of their actions and not take action in the future. So that's a challenge.
Dave Bittner: [00:08:01] Yeah. I mean, it strikes me that in terms of defense or even offensive capabilities, there's a reticence to tip your hand to allow the other folks to know what you may have. And to me, this strikes me as being different than, you know, in the kinetic world where, if you're a member of the nuclear weapons club, well, everybody knows what your capabilities are.
Jamil Jaffer: [00:08:22] That's exactly right. And you know - I mean, if you recall back in the sort of '80s and '90s when we were really engaged in that sort of mano-a-mano fight with the Russians - right? - the Cold War - we made it very clear what our capabilities were, what our red lines were. And what if Russia did this to us or to our allies - we would do in response.
Jamil Jaffer: [00:08:39] Today in cyberspace, we don't talk about capabilities, as you just pointed out, right? We sort of keep them very close to the vest, in part because they came out of, originally - out of the intelligence community. And so we're used to, in the intelligence community, holding those secrets very tight. But the reality is that you can't deter someone if they don't know what your capabilities are. They don't know what you're willing to do. They don't know what line, if they crossed, you would respond.
Jamil Jaffer: [00:08:59] And by the way, you know, we have these sort of weird hiccups about cyberspace where we think - oftentimes we think, well, if it happens to me in cyberspace, I've got to respond in cyberspace. No reason why that's true, right? We also have these hiccups where we say, well, because cyberspace is built of zeros and ones and is a - is built on binary systems, well, then we have to have attribution that's perfect. We've never expected that in the real world. We didn't need to have, you know, the audio of Muammar Gaddafi saying, I ordered the bombing of that Berlin discotheque, to take direct kinetic action against him back in the 1980s.
Jamil Jaffer: [00:09:29] And yet today in cyberspace, we have this sort of - almost a fetish about cyberspace that we have to say, well, attribution has to be perfect. The weaponry has to be in cyberspace. None of those things are true. And those all go to - in my mind, at least - the sort of reasons why we don't actually have deterrence in cyberspace today. It's not because it doesn't work. It's 'cause we don't really practice it.
Dave Bittner: [00:09:47] That's Jamil Jaffer from IronNet Cybersecurity.
Dave Bittner: [00:09:53] xDedic, the online marketplace that traded in hacked servers, has been taken down. The FBI announced that the illicit services site had been seized pursuant to a U.S. federal warrant. The Bureau estimates that the site facilitated some $68 million in fraud during the time it was in operation. The takedown was an international operation featuring substantial European support and cooperation.
Dave Bittner: [00:10:16] In the U.S., the FBI and IRS led the investigation with assistance from U.S. Immigration and Customs Enforcement's Homeland Security Investigations and the Florida Department of Law Enforcement. The Department of Justice's Office of International Affairs and the Criminal Division's Computer Crime and Intellectual Property Section also helped.
Dave Bittner: [00:10:35] In Europe, the lead effort was a Belgian-Ukrainian operation by Belgium's federal prosecutor's office and the federal computer crime unit and by the national police and the Prosecutor General's Office of Ukraine. Europol rendered significant assistance, as well. And Germany's Bundeskriminalamt helped seize xDedic's infrastructure. We list the agencies to say bravo and also for the pleasure of seeing so much effective cooperation.
Dave Bittner: [00:11:03] xDedic's infrastructure had been located mostly in Belgium and Ukraine. Its proprietors are unlikely to go unscathed. Cyberpolice Ukraine tweeted that they already have three suspects in custody. The xDedic takedown is an example of supply-side action against the criminal economy, but users of illicit services shouldn't feel they've got a pass.
Dave Bittner: [00:11:25] Europol is pursuing users of booter services, the DDoS-for-hire service Webstresser having been taken down. The authorities are now tackling the demand side of this criminal market and are very interested in getting to know the people who used Webstresser services. Webstresser, like most other DDoS-for-hire outfits, covered its shame with a fig leaf of security testing, but few should be deceived by such a flimsy excuse. It didn't work in Eden, and it's not working now.
Dave Bittner: [00:11:56] The U.S. has filed more charges against Huawei - 13 counts, the New York Law Journal and many others report. They involve fraud and money laundering, with some of that fraud serving theft of intellectual property. China's government continues to object that Huawei didn't do nothing - nothing, we tell you - and has urged Canada and the U.S. to drop the extradition proceedings that would send Huawei CFO Meng Wanzhou to face the music in American court. Ms. Meng, who also - fun fact - goes by Sabrina or Cathy - which is, in itself, an entirely innocent concession to dealing with tenured North American anglophones - well, she remains in Vancouver.
Dave Bittner: [00:12:35] Canadian Prime Minister Trudeau fired his ambassador to China over the weekend because the envoy made remarks to the effect that Ms. Meng maybe should be released, that there might be sound political or even legal reasons for doing so. Trudeau was having none of it, and the wheels of Canadian justice will continue to grind.
Dave Bittner: [00:12:54] Finally, a few notes on international flashpoints that seem to have a good chance of sparking into hacking, or at least information campaigns. North Korean ruler Kim has announced ambitious financial goals for the year, and CyberScoop says many observers think these goals are likely to prompt a surge in DPRK hacking. North Korean hacking has long had a strong, perhaps dominant, strain of theft in it. Computer crime is an attractive way of redressing the pariah-state's perennial, sanctions-induced financial straits.
Dave Bittner: [00:13:27] European officials warn that rising tensions between Iran, its regional rivals and those global powers that disapprove of the Islamic republic's policies are likely to prompt a spur of hacking by Iran's increasingly capable and resourceful cyber operators.
Dave Bittner: [00:13:43] Finally, since Russia has, for obscure reasons having mainly to do with yanking the Yankees' chain in the Western Hemisphere, decided to nail its flag to the mast of Chavismo in Venezuela, one might expect various cyber campaigns in support of embattled, and now officially illegitimate, President Maduro. The U.S. has tightened sanctions on Venezuela to even more crippling levels. And the EU says it will recognize the head of the country's National Assembly as the legitimate acting president unless elections are promptly held.
Dave Bittner: [00:14:21] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:15:29] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. And he's also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:15:39] Hi, Dave.
Dave Bittner: [00:15:40] An interesting article came by from WIRED, and this is about tweets that give away more location data than you think. This is an article from Issie Lapowsky. What's going on here? What's the location data that they're revealing here?
Joe Carrigan: [00:15:56] So some time ago, Twitter thought it would be a great idea to allow you to geotag your tweets...
Dave Bittner: [00:16:02] OK.
Joe Carrigan: [00:16:02] ...With your location. Like, I'm in New York City, or something.
Dave Bittner: [00:16:06] OK.
Joe Carrigan: [00:16:06] And you had to opt in to it.
Dave Bittner: [00:16:09] Right.
Joe Carrigan: [00:16:09] And their rationale for this was that it will provide you a better personalized experience.
Dave Bittner: [00:16:17] OK.
Joe Carrigan: [00:16:18] This is what we always hear from these social media companies - a better personalized experience.
Dave Bittner: [00:16:21] Right.
Joe Carrigan: [00:16:22] I will applaud Twitter here for making this something that people had to opt in to.
Dave Bittner: [00:16:27] Yeah.
Joe Carrigan: [00:16:27] However, they weren't just storing the general location. They were actually storing the specific GPS coordinates of the person's device when they sent the tweet.
Dave Bittner: [00:16:38] Oh.
Joe Carrigan: [00:16:39] Now, this information was not available to the user in a readily visible format, nor available to Twitter users - the standard Twitter users. But if you use the API, you can extract this information.
Dave Bittner: [00:16:52] Let me make sure I'm clear here. So I would say, I'm in New York City.
Joe Carrigan: [00:16:55] Right.
Dave Bittner: [00:16:56] But in doing so, Twitter, behind the scenes, would also log my precise GPS coordinates.
Joe Carrigan: [00:17:00] Right. You're at the corner of 5th Avenue and 26th - 2nd Street.
Dave Bittner: [00:17:04] OK. Right. OK.
Joe Carrigan: [00:17:04] I don't know what's there, Dave.
Dave Bittner: [00:17:06] Yeah, my favorite adult theater.
Joe Carrigan: [00:17:07] Right (laughter).
Dave Bittner: [00:17:07] Yeah, OK. Go on.
Joe Carrigan: [00:17:08] I was just picking numbers out of random.
Dave Bittner: [00:17:09] Right.
Joe Carrigan: [00:17:10] So there were some researchers who found out this information was available, and they're going to be publishing a paper in the Network and Distributed System Security Symposium coming up.
Dave Bittner: [00:17:22] OK.
Joe Carrigan: [00:17:22] And they have developed a tool that goes through the Twitter API, finds this information and can identify your home and your place of business and other things with, like, 80 percent accuracy.
Dave Bittner: [00:17:35] So they're taking the information that was logged behind the scenes.
Joe Carrigan: [00:17:39] Right.
Dave Bittner: [00:17:40] So you opted in but maybe did not know the precision with which you were opting in.
Joe Carrigan: [00:17:44] Correct.
Dave Bittner: [00:17:45] So they go in, and they sort of sift through this and they figure out, I suppose, based on repetition. So they correlate those bits of information. Maybe you tweeted, I'm home, and then they look at the GPS tag.
Joe Carrigan: [00:17:56] Right. Or...
Dave Bittner: [00:17:57] Yeah. OK.
Joe Carrigan: [00:17:57] If you're tweeting from this location at 10:00 at night...
Dave Bittner: [00:17:59] Yup.
Joe Carrigan: [00:18:00] ...And you're regularly tweeting from that location at 10 o'clock at night, that's probably your house.
Dave Bittner: [00:18:03] Right.
Joe Carrigan: [00:18:04] Right?
Dave Bittner: [00:18:04] Right.
Joe Carrigan: [00:18:05] So fortunately, if you go to the Twitter app and you have this turned on, you can turn it off right now by going into your privacy and safety settings. And Twitter also provides you with an easy way to delete your location information from old tweets.
Dave Bittner: [00:18:19] Right. Now Twitter also changed the way that they handle this. I think back in 2016, they made it a little more overt that you have to opt in to this degree of tagging.
Joe Carrigan: [00:18:30] Right, 'cause - and that's the problem with it was that in 2009, when they started it, they didn't really tell you that you were opting in to a really precise version of this tagging.
Dave Bittner: [00:18:39] Yeah. And I guess the other criticism is that when they changed that in 2016 to make it more of an overt opt-in, they also didn't make it any harder to get the historical data.
Joe Carrigan: [00:18:50] Right.
Dave Bittner: [00:18:50] Yeah.
Joe Carrigan: [00:18:50] Right. The historical data is still there right now for tweets that were stored between 2009 and 2016.
Dave Bittner: [00:18:57] Yeah. All right, so if this is something that concerns you, you can go into your Twitter settings, and you can scrub that data, right?
Joe Carrigan: [00:19:04] Right. You go to your settings, privacy and safety, and there's a big, red button under privacy that says, delete location information. Click that button.
Dave Bittner: [00:19:13] All right. All right, good enough. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:16] It's my pleasure, Dave.
Dave Bittner: [00:19:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading Insider Threat Management platform. Learn more at observeit.com.
Dave Bittner: [00:19:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.