The CyberWire Daily Podcast 1.30.19
Ep 770 | 1.30.19

US IC on cyber threats. Iran goes after PII. UAE surveillance described. Scanning for unpatched routers. Huawei’s possible fates. Scam exploits child. FaceTime disclosure. Facebook Research.

Transcript

Dave Bittner: [00:00:04] USIC leaders testify that the major cyber threat comes from Russia, China, North Korea and Iran. Iran's APT39 takes an interest in PII. A UAE surveillance program is revealed. Hackers scanning for unpatched Cisco routers. What Huawei faces in addition to fines. The FaceTime bug and responsible disclosure. Facebook was paying people to pwn their phones. Scam artists exploit a small disabled girl. And the government shutdown's mixed effect on cybersecurity.

Dave Bittner: [00:00:42] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/intel, and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 30, 2019. U.S. Intelligence Community leaders yesterday testified before the Senate about the threat landscape. Cyberthreats figured prominently, The Washington Post says. Russia, China, Iran and North Korea were specifically singled out as aggressive and dangerous and as having significantly increased their cyber capabilities. Criminal or terrorist activity in cyberspace is a less serious problem, although the testimony did note growing systematic and opportunistic collaboration between nation states and criminal groups.

Dave Bittner: [00:02:24] A new report by FireEye on Iran's APT39 discerns a disturbing new interest of the Islamic republic's hacking unit. It's going after personally identifiable information. This is said to be unusual for Iranian state-directed actors, who've hitherto concentrated on other objectives, like trade secrets, state secrets and access to infrastructure.

Dave Bittner: [00:02:48] Reuters reports on a UAE program to intercept iPhone traffic and to engage in other forms of aggressive surveillance. The UAE security program, made possible by American civilians working under contract, became more ambitious and intrusive in 2016, after Emirati-owned DarkMatter assumed responsibility for security work previously performed by U.S. company CyberPoint.

Dave Bittner: [00:03:14] Some of the information collected indicated that Emirati intelligence services were targeting journalists, American citizens and others who would have generally fallen outside the bounds of legitimate surveillance. The more recent activity described in the report seems to go beyond what's normally characterized as lawful intercept technology, and its scope appears to have been more extensive than had hitherto been thought.

Dave Bittner: [00:03:40] Last week, Cisco issued patches for its Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. Attackers are currently scanning actively for unpatched routers, SC Magazine reports. Exploit code has been published, and users should patch.

Dave Bittner: [00:04:00] Huawei's indictment in the U.S. could prove crippling, WIRED says, if it results in loss of access to U.S. technology. That's the same stricture that brought ZTE to the brink last year. It remains to be seen whether the U.S. will proffer the same sort of lifeline.

Dave Bittner: [00:04:17] A FaceTime bug is now the subject of a lawsuit. Ars Technica reports that a Texas attorney is suing Apple because the bug allowed a deposition to be recorded. The plaintiff says he updated his phone to allow group FaceTime calls but not unsolicited eavesdropping and, of course, that he suffered damages, which indeed he might have done. The listen-in-before-they-pick-up vulnerability was, as CNN and others note, discovered by a 14-year-old gamer and subsequently disclosed to Apple by his mom. Mom had trouble getting Apple to pay attention and busily woofed the news at them through every channel, apparently, she could think of, including faxes on law-firm letterhead.

Dave Bittner: [00:04:59] The process by which the vulnerability was discovered and disclosed is interesting, especially insofar as it suggests that responsible disclosure might not be as simple as emailing a company and telling them what you've noticed. In this case, the bug was real, the disclosure both intelligent and responsible, but it need not always be so. Suppose you were contacted by the mother of a teenage gamer with the news that your product was an inadvertent piece of spyware. How seriously would you take the disclosure? And how often do companies get cranky disclosures?

Dave Bittner: [00:05:32] Crowdsourcing bug hunts has certainly proved itself in practice. But suppose every PewDiePie enthusiast - those spiritual descendants of the Howard Stern fan who called into live coverage of OJ Simpson's white Bronco slow-mo chase so he could riff on one of Mr. Stern's taglines - suppose we ask, as a thought experiment, that Mr. Pie's followers called in bug sightings with the persistence they devote to Tide POD challenges. We don't know the answer here. Perhaps bug bounty specialists will weigh in with thoughts on quality control.

Dave Bittner: [00:06:04] Teenagers, as a class, are in the security news as well, with the revelation by TechCrunch that Facebook paid them - a lot of them, apparently - $20 a month to let Facebook install an app on their phones that gave Facebook access to essentially all the information that transited their devices. And it wasn't just teens. The offer was open to users up to the age of 35 and had been in effect quietly since 2016.

Dave Bittner: [00:06:29] The software in question was the Facebook Research VPN. It's now gone from iPhones, removed by Facebook and blocked by Apple. For now, at least, it seems to remain available for Android devices. The data was attractive to Facebook for whatever insights it might offer into its users, to whom, of course, it feeds advertising.

Dave Bittner: [00:06:48] This is a bad look for Facebook, already in hot water over privacy and looking for indulgence in the form of the hiring of the Electronic Freedom Foundation's counsel to come in and help them clean up data-handling and privacy matters. Several governments are raising their eyebrows over the program, and Apple is none too happy, either. The relationship between Facebook and Apple is likely to be strained in ways that will affect Facebook adversely. It's already revoked Facebook's enterprise certificates.

Dave Bittner: [00:07:18] There's tension at play, of course, between the privacy implications of online social media platforms and the legitimate benefits they provide for keeping in touch with friends and family and staying informed about goings on in our communities. Mark Orlando is chief technology officer for Raytheon Cyber Protection Solutions, and he worries about how easy it is to overshare online.

Mark Orlando: [00:07:41] Unfortunately, as individuals and consumers and personal internet users, we're sort of conditioned at this point to overshare about any number of things through all of the various social media channels that are out there, communities like Facebook and Twitter. But also increasingly, I think, we've seen a lot of consumer services and other sites that have social features and are using that social element and that sharing element to expand their business model and have their customers interact with each other.

Mark Orlando: [00:08:16] And now I think also what we're seeing is there's increasing interconnectivity between those communities. So between Facebook, Twitter and now Amazon, and like I said, some of these other, you know, e-commerce companies and apps adopting these social features and utilizing those communities to expand their brand awareness, expand their customer base, that sort of thing.

Mark Orlando: [00:08:37] So you know, I think, unfortunately, if you're doing anything over the internet these days, whether it's emailing or browsing or shopping or selling goods and services yourself, you know, you're engaged in some sort of social activity. And I think the tendency, unfortunately, is to overshare rather than, you know, try to control your information, try to be mindful of what's out there. So I think a lot of people do it without even realizing they're doing it.

Dave Bittner: [00:09:04] What kind of advice do you have for folks to be more mindful of it? I mean, I think, you know, a lot of what we enjoy about the internet involves sharing things, and connecting with friends and family and so forth. So, I mean, how do you know what the right level is to dial in?

Mark Orlando: [00:09:20] Right. It's really tough to know where that line is. And what I tell my friends and family is just, you know, assume that nothing is private. And while it's always good to kind of maintain awareness of, you know, what you're sharing, and what the privacy settings are, you know, on your social media accounts and on your, you know, e-commerce accounts and so forth, you pretty much have to just assume that no matter what you set it to, that information is not going to remain private, even if that means it's being shared between different companies. And so, you know, really, it's best to kind of err on the side of, you know, don't share anything that you wouldn't willingly post out in a public forum, even if it's with a network that appears to you to be closed.

Dave Bittner: [00:10:02] Yeah. I remember, you know, years ago, someone saying to me, you know, don't put anything in an email that you wouldn't put on a postcard.

Mark Orlando: [00:10:09] Right. Exactly. And I think that still holds very much to be true. I think now we're kind of - I wouldn't say fooled, but I think we're sort of led to believe that now that there are more granular and more obvious privacy controls with some of these sites and services, I think that kind of makes people think that it's really true privacy and that locking down their accounts or their profiles means that they're protecting their information. And I think that's true to a certain extent.

Mark Orlando: [00:10:37] But, you know, as we've seen with some of the recent news stories - the Quora breach and some of the other kind of big breaches that have happened recently involving sites that use Facebook and other sites for third-party authentication - you know, even if you have set your privacy settings to where you think no one's going to be able to view your information, it can still get out.

Mark Orlando: [00:10:58] As users and consumers, we're not always aware of the value that our data has. So even seemingly innocuous data, like high-level details about yourself, location, you know, information that can be gleaned from your mobile devices, for example, or embedded devices, you know, we're not always aware of the value that information has. And unfortunately, that data - and especially that data in aggregate - does have a lot of value to various kind of nefarious groups and parties, you know, on the black market, where that information is bought and sold.

Mark Orlando: [00:11:29] So even if you don't think that a certain piece of data that's collected from your profile or your device, for example, or your browsing history or your computer, for that matter - even if you don't think that has a lot of value, the fact remains that that data can still be a target and still does, in fact, hold value for a variety of different parties that you wouldn't necessarily want to have, you know, access to that data.

Dave Bittner: [00:11:54] That's Mark Orlando from Raytheon Cyber Protection Solutions.

Dave Bittner: [00:12:00] Some scam artists sent what may be a record for loathsomeness by swiping the story and pictures of a brave little girl with cerebral palsy to swindle sympathetic people into donating to a bogus charity in support of medical care she doesn't need. The family shared the story of the Mighty Miss Maya, her nickname, and her progress toward her first independent steps, on Facebook and Instagram. But for encouragement, inspiration and joy, not for solicitation of donations. But grifters see a child's struggles as opportunity.

Dave Bittner: [00:12:33] Some hoods went so far as to threaten the family with further harassment and identity theft unless they paid $30,000 in protection. The criminals remain at large, but we hope they're caught. And when they are, may their names be forgotten. As for the Mighty Miss Maya, we hope one day to see video of her dancing. And when you see a touching appeal online, donate with due diligence.

Dave Bittner: [00:12:58] Finally, what effect did the government shutdown have on cybersecurity? Virginia's Senator Warner has asked Homeland Security Secretary Nielsen for an accounting, and, no doubt, one will be forthcoming. But SecurityScorecard has issued a preliminary assessment, and it's surprisingly mixed. Sure, there were all the expiring certificates. And to be sure, a full understanding of what went on will await more extensive study.

Dave Bittner: [00:13:22] But at least two important areas showed a distinct improvement. Patching and application of endpoint protections both rose noticeably, and those are good things. Why that happened is a matter of speculation, but The Washington Post's informed guess is as good as any we can think of. IT staffs were less distracted by urgent but unimportant requests from the people they answer to and so could devote time and attention to patching and upgrades.

Dave Bittner: [00:13:49] So is this evidence that a lot of the GS-15s who stayed home were, in fact, nonessential personnel in some more than formal sense? Couldn't be. This isn't a "Dilbert" cartoon after all. At any rate, bravo to the IT staffers who made hay while the sun shown.

Dave Bittner: [00:14:12] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:20] And I'm pleased to be joined once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. Your team has been tracking something that you refer to as PyLocky. Part of that sounds familiar to me. What's going on here?

Craig Williams: [00:15:36] Well, PyLocky is basically another family of ransomware trying to masquerade itself off as a Locky variant, right? Now, if you remember Locky, it was a piece of ransomware that was relatively popular probably around 2017. And so, you know, it basically lost its market share when Necurs kind of got away. And so now there's a new attacker out there trying to kind of cash in on that reputation, right?

Craig Williams: [00:15:59] You've got to remember, when it comes to ransomware, there's this fundamental problem of, can I trust the attacker? And so what we've seen time and time again, even with things, like, as far back as TeslaCrypt, is the attacker will try to masquerade themselves as a relatively - and I'm using air quotes here, for those of you who can't see it - you know, trustworthy piece of malware, right?

Craig Williams: [00:16:21] And so in order to solicit that ransom, there needs to be a reason for the victim to think they'll get their files back, right? No one's going to go through the trouble of turning currency into bitcoin, or whatever the ransom is, and sending that across the internet without a reason to be paying. And so that's really, I think, why they're trying to piggyback on that Locky namesake.

Dave Bittner: [00:16:40] And how are they doing that? Or are they - are they successful? Are people falling for the ruse?

Craig Williams: [00:16:47] You know, I would assume so, right? It's relatively popular these days. And, you know, when we were looking at it, we immediately realized, hey, this is written in Python, right? There's a few differences here that are important to note. And so we were able to actually spot a few interesting things when we looked at it. One of the most interesting things actually allowed us to write a decryptor And so, you know, as you know, Talos has its overall goal. For those of you with our T-shirts, you may notice on the back it says, PISSING OFF THE BAD GUYS in all capital letters.

Dave Bittner: [00:17:16] (Laughter).

Craig Williams: [00:17:18] In pursuit of that protection, we've decided to release our decryption tool free on GitHub for the world to use. And so if you'd like, you can go to talosintelligence.com and pull down that tool. And as I said, it's open source, so people can extend it. People can modify it.

Craig Williams: [00:17:33] But there is one caveat here, and, unfortunately, it's a big one. So the problem with this tool is that in order for the actual decryption to be successful, you've got to capture some of the traffic that comes out of the box when the malware executes. So that really does shrink our effectiveness.

Craig Williams: [00:17:50] However, you know, we do have a solution that may work for some people, and so I appreciate the opportunity to get out here and let people know that we have this tool. And so if you do happen to have traffic capturing going on in your network, even if it's a small window, and you do have a PyLocky infection, well, we can help you out, and you can, hopefully, resurrect the box.

Dave Bittner: [00:18:08] So any indications who's behind this particular variant?

Craig Williams: [00:18:12] You know, not yet. Attribution is always an interesting critter, right? We've seen more and more, especially after Olympic Destroyer and some of the other more interesting samples, where attribution based off of a software sample alone is a little bit hinky. At Talos, we're really cautious. You know, you remember when we talked about Olympic Destroyer months and months ago, we pointed out how it had multiple false flags, how the attackers were intentionally including things to mislead researchers.

Craig Williams: [00:18:37] And so unless we have pretty conclusive data and other types of intel to, you know, increase that confidence, we're not going to go out and claim attribution because we're not 100 percent about it. We're very conservative with that at Talos. And we just want to make sure that if we do tell our users something, that they can trust that it's the case.

Dave Bittner: [00:18:57] Yeah. Yeah, makes sense. All right. Well, Craig Williams, thanks for joining us.

Dave Bittner: [00:19:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.