The CyberWire Daily Podcast 2.7.19
Ep 776 | 2.7.19

Social engineering and the power of brands. Insecure check-ins? APT10 is quiet but not gone. MacOS Keychain bug. Assessment of Chinese device manufacturers continues.

Transcript

Dave Bittner: [00:00:03] Social engineering with a few twists. Some airlines may be exposing passenger data with insecure check-in links. APT 10 may be lying low for now. But the U.S. Department of Homeland Security expects the cyber spies to be back. A researcher finds a macOS Keychain bug but would rather not tell Apple about it.

Dave Bittner: [00:00:22] Governments in Europe and North America continue to assess risks associated with Huawei and ZTE. Carole Theriault reports on the security of a popular video player's update mechanism. And a trojan hides in The Sims 4.

Dave Bittner: [00:00:42] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 7, 2019.

Dave Bittner: [00:01:54] There are a few fresh - or at least not yet entirely stale - approaches to social engineering out in the wild. We'll begin with a variation on the familiar tech support scheme. Security firm Symantec has found one in circulation that does a moderately good job of mimicking Symantec's own Norton Security software's conduct of a system scan. If you're watching, it casually goes through its paces. It looks more or less like the genuine article. But instead of scanning for problems, it's installing them. Whoever's behind the spoofed approach is using it to trick people into downloading malware or, at the very least, the sort of junk we've all come to call potentially unwanted programs.

Dave Bittner: [00:02:35] Researchers at Akamai have reported finding a phishing campaign that uses Google Translate to obtain Facebook and Google credentials. It's convincing in the way it spoofs two well-known brands to build up the victim's trust. It also uses Google Translate to hide what it's up to behind the gibberish.

Dave Bittner: [00:02:54] The scam runs something like this. The victim receives an email that purports to be a notification from Google that a device somewhere has newly logged into the victim's account and that they sure hope it's you, the victim. You are then invited to follow a link to verify that the log-in is legitimate. If you do this, the malicious domain of a credential harvesting page is loaded via Google Translate. You will, of course, be invited to sign into your Google account.

Dave Bittner: [00:03:20] It may not stop there. There's a good chance you'll subsequently be wafted over to a bogus Facebook log-in page because, of course, you'll want to keep that account secure as well, no? Be careful of such alerts. Akamai says the fraud looks pretty good on a mobile device. But it's much less convincing on a laptop or desktop.

Dave Bittner: [00:03:41] A well-known video player software package recently raised eyebrows with how they've chosen to implement updates. Our U.K. correspondent Carole Theriault has the story.

Carole Theriault: [00:03:51] Well, developers at the popular open-source video player VLC have defended a decision not to use HTTPS for software updates. This has upset some of their users. I reached out to Paul Ducklin of Sophos' Naked Security to find out if they're actually doing security properly. Duck, thanks so much for taking the time to chat with me today for the Daily.

Carole Theriault: [00:04:17] Now, according to Eduard Kovacs' article from SecurityWeek, the VLC open-source video player communicates with its server over HTTP, not HTTPS. And some people are in a big hoo-ha about this. So what's going on here?

Paul Ducklin: [00:04:34] Oh, is it the end of the world? Shouldn't we all be using HTTPS now?

Carole Theriault: [00:04:38] (Laughter).

Paul Ducklin: [00:04:38] Well, there are kind of three parts to this. There's - the whole idea of using HTTPS is not just that you encrypt the transaction so no one knows what it is you're looking at and people can't - but also that it's authenticated so that nobody can tamper with it along the way.

Paul Ducklin: [00:04:55] So that's great. When you're viewing a website, you want to see the padlock. You want to think - get a fighting chance of knowing you're on the right site. And you want to be sure that what you're seeing wasn't fiddled with along the way. So the news you're reading is as it was served up.

Carole Theriault: [00:05:09] OK.

Paul Ducklin: [00:05:10] So obviously, when you're doing a web download for an update, it would be nice to use HTTPS because you get those properties. However, it seems that what VLC are doing is another step that, if they weren't doing but were using HTTPS, kind of would get forgotten about. They have a digital signature in the file you actually download.

Carole Theriault: [00:05:35] Oh.

Paul Ducklin: [00:05:35] And in a way, if you - if you could only pick that or HTTPS, I'd take the digital signature in the file because it stays with the file after it's downloaded.

Carole Theriault: [00:05:46] OK, explain to us how that works.

Paul Ducklin: [00:05:47] Well, the idea is when you think of - when you do an HTTPS connection, basically your browser and the web server do a kind of cryptographic dance to agree a security key, to check the certificates out, figure out, yes, I'm probably on the right site. And then what you get is basically a network connection that is scrambulated (ph), encrypted.

Carole Theriault: [00:06:08] Got you.

Paul Ducklin: [00:06:09] Then you just talk regular old HTTP over that encrypted connection, and nobody can see inside. So they don't actually - if they're sniffing the traffic, they don't even know whether you're talking HTTP or whether you're sending email or what you're doing.

Carole Theriault: [00:06:22] OK.

Paul Ducklin: [00:06:22] So in other words, TLS is short for transport layer security. And it's about securing the network pipe during the time that you're connected to a website and during the download. It doesn't say anything about the integrity of the stuff you download after it arrives. So of course, I could get something bad but delivered to me securely.

Paul Ducklin: [00:06:45] Yes. And indeed, you'll find these days, now that HTTPS certificates are easy to get through a service like Let's Encrypt, that an ever-increasing proportion of phishing sites will set up a temporary web server. They'll go and get a free certificate. Now, those certificates only last three months, just for safety's sake. But, you know, a phisher needs - what? - three hours, three days, three minutes. Increasingly, phishing sites have the padlock. They have the certificate. The certificate says, yes, this site really is called, youveneverheardofmebefore.com.

Paul Ducklin: [00:07:18] So just looking for the padlock alone is not enough. Although, what we usually recommend people do is, if there isn't a padlock, steer clear of the site because who knows what's going on? And who knows whether what you're seeing is actually what you're supposed to see. In the case of downloading an update, however, you download the file. If someone tampers with it along the way, then there's a secondary check done by the update process. And you - in an ideal world, for software updates, you want both.

Carole Theriault: [00:07:51] Yeah. So what we're basically saying - and I think we agree - VLC, good job that you're checking the file. But maybe also implement HTTPS because it's just good for all of us.

Paul Ducklin: [00:08:01] Agreed, HTTPS alone would not be enough.

Carole Theriault: [00:08:05] Right.

Paul Ducklin: [00:08:05] But the absence of HTTPS just draws attention to them and raises a whole load of questions that I think it would be much easier for them if they didn't have to answer.

Carole Theriault: [00:08:17] Yeah. And they wouldn't have to be dealing with this little nightmare on Twitter at the moment.

Paul Ducklin: [00:08:20] Yeah and going, oh, well, she'll be right, folks. It's really not too bad.

Carole Theriault: [00:08:23] Yeah.

Paul Ducklin: [00:08:24] And, you know, are you sitting comfortably? Here's the explanation. Best defense, not be there.

Carole Theriault: [00:08:29] I couldn't have said that better myself. Thank you, Paul Ducklin from Naked Security at Sophos. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:08:37] Don't forget, you can catch Carole Theriault on her podcast, “Smashing Security,” along with her second-banana sidekick, Graham something or other. Check it out.

Dave Bittner: [00:08:47] Air travelers, take note. Links airlines send for online check-in may be insecure. Security firm Wandera has published a study of some 40 global air carriers and found that eight of them put passenger data at risk by using unencrypted links.

Dave Bittner: [00:09:04] The U.S. Department of Homeland Security commented that China's APT 10 has been quieter since two of its alleged operators were indicted late last year. But DHS is pretty confident APT 10 hasn't gone away and will be heard from again. Among APT 10's more prominent activities last year, according to Recorded Future and Rapid7, was a campaign against Norwegian managed service provider Visma. Microsoft Security thinks otherwise and that the threat actor in this case was APT 31, also known as Zirconium.

Dave Bittner: [00:09:40] A researcher has found a macOS Keychain zero-day. But he won't share it with Apple until Cupertino sets up a proper bug bounty program. The researcher says he's not greedy, nor is he angling for a big payout. But he thinks bug bounties are the proper way to handle disclosure of vulnerabilities researchers uncover.

Dave Bittner: [00:10:01] Huawei seems likely to be excluded from Canada's 5G. It seems, the South China Morning Post reports, more a matter of when than if. In Germany, it's still looking like an if, but trending conditionally toward when. Deutsche Welle says that Berlin is taking its time and that a decision to use Huawei gear would amount to an act of faith. Chancellor Merkel wants assurances from Beijing that the sort of intelligence and security collaboration Chinese law enjoins wouldn't, in fact, be required should Huawei be permitted to play a major role in Germany's telecommunications infrastructure.

Dave Bittner: [00:10:37] Huawei's smaller counterpart, ZTE, has also come in for its share of hostile scrutiny. Czech cyber officials said earlier this week that the company was unlikely to be invited to participate in Prague's buildout of the nation's telecoms infrastructure. And some U.S. senators, notably Senator Rubio, Republican of Florida, have been making noises about the potential security threat ZTE represents.

Dave Bittner: [00:11:03] The Chinese companies and Huawei in particular are undertaking various measures to mollify their critics. They are receiving some support in this effort from various telecommunications providers who would like to continue to use equipment they find affordable and reliable. The latest European telco to side with Huawei is Turkey's Turkcell, which says that while security is, of course, an important concern, it's unfair to punish a company for uncorroborated allegations.

Dave Bittner: [00:11:32] In Poland, where a Huawei representative has been accused of spying, the company has offered to establish a security center that would allay fears that the device manufacturer was a reliable collaborator with Chinese intelligence. In the U.K., where a widely reported but as yet unreleased report from the GCHQ office charged with monitoring Huawei as a security risk is expected to be harsh, Huawei has written a letter to Parliament in an attempt to manage expectations.

Dave Bittner: [00:12:00] Since GCHQ is expected to say that Huawei has delivered on few to none of the promises it made to address security concerns, Huawei has preemptively answered by telling Westminster that it will really need three to five years to do everything the security watchdogs expect of it.

Dave Bittner: [00:12:19] And finally, there's a story of an electrical provider breach in South Africa. Johannesburg-based Eskom, which says it provides 95 percent of the electricity consumed in South Africa, has sustained a breach that has two causes. The first is a familiar one, an unsecured database holding customer information.

Dave Bittner: [00:12:40] The second issue has to do with an Azorult trojan on a company computer. Azorult is an information stealer. How did it get there? Well, according to Bleeping Computer, the malware was misrepresenting itself as a downloader for The Sims 4 game. Presumably, somebody needed a break.

Dave Bittner: [00:13:03] And now a word from our sponsor, KnowBe4. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. Wouldn't it be great if you had insight into the latest threats and could find out, what would Kevin do? Well, now you can. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, will give you an inside look into Kevin's mind. You'll learn more about the world of penetration testing and social engineering with firsthand experiences and some disconcerting discoveries. In this webinar, you'll see exclusive demos of the latest bad-guy attack strategies. You'll find out how these vulnerabilities may affect your organization, and you'll learn what you can do to stop the bad guys - in other words, what would Kevin do. Go to knowbe4.com/cyberwire to register for the webinar. That's knowbe4.com/cyberwire. And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:14] And joining me once again is Professor Awais Rashid. He's a professor of cyber security at University of Bristol. Awais, welcome back. We wanted to talk today about some thoughts you have on some of the challenges folks are facing when it comes to securing their smartphones. What do you want to share with us today?

Awais Rashid: [00:14:32] So the challenges of smartphone security and privacy are highlighted by a lot of people over the years. We know that, you know, often users struggle to set up their smartphones to keep their data private when they don't necessarily want it to be shared. There is also analysis that, for example, third-party applications on smartphones can potentially also leak information. I think one thing that has not been studied very well to date is as to what is the impact of the different features that manufacturers often provide.

Awais Rashid: [00:15:03] So, you know, the examples of these would be default location services, things like iCloud, Google's system, you know, or ad tracking, for instance. And some of the recent work that we have done actually shows that the users find it really, really hard to understand the features that actually even manufacturers build into the - into the phones - and what is their impact on their privacy from using these features.

Dave Bittner: [00:15:25] And so what are the solutions here? Is this a matter of education, awareness? Or do governments have to get involved?

Awais Rashid: [00:15:33] So I think there are multiple - multiple solutions. We can't - we can't always push the burden onto the users because, you know, as a user, what you want to do is you want to get your phone. You want to enjoy it. And, for instance, you know, when you're setting up your new phone, you're quite tempted to skip, you know, all those settings that you are being asked about because you want to now use your new device that you have bought. And you want to start using its functionality.

Awais Rashid: [00:15:57] But also, you know, a lot of the times, it is not particularly clear to users as to what happens when they are utilizing - utilizing a feature. So for instance, let's take Apple as an example. You know, when you get a new smartphone, you know, you are told that you ought to be signing into - into iCloud and so on and so forth. And now increasingly, over the years, Apple has started to make the implications of that much clearer.

Awais Rashid: [00:16:24] But still, it's not really very, very clear to users as to what the opt-out necessarily means for them, what may happen when they opt in. But also, if you don't set it up, then you keep getting these reminders that you ought to set it up. And it's very, very hard for users to actually understand how much information to give up to gain the benefits that they ought to be gaining. And in fact, we don't really provide enough of that information.

Awais Rashid: [00:16:48] Regulation is one possible way of doing it. But, you know, it has been shown that, for example, consent and so on alone does not actually really empower users. A lot of - I'm not just suggesting mobile manufacturers - a lot of services use opt-out mechanisms, which are a really poor way of actually encouraging users to give consent because you basically go, do you want to opt out? If not, you can carry on. And the easiest path is to carry on.

Awais Rashid: [00:17:15] So there is a lot of scientific research around this to highlight as to what are the implications of these kind of mechanisms that then almost guide users towards making a choice when - which is not necessarily best-informed and is not necessarily empowering.

Dave Bittner: [00:17:33] It seems to me like the - some of the app developers in particular take advantage of that anticipation. You want to get to using that app as quickly as possible. But then there's a - kind of a set-it-and-forget-it problem, where you may give permission once for that moment when you want to use that app. But that setting is there for the rest of the time you have that app installed on your device.

Awais Rashid: [00:17:53] Absolutely. And many times, users would agree to an initial default setting, thinking they will go back and change it. But then, over time, you just simply forget you're going to have to change it. Similarly, in some cases, for example, devices would show that - even manufacturers would show that your device set-up is not complete because you haven't signed into a particular service. But you don't actually need that service to continue to use the - to use the device properly.

Awais Rashid: [00:18:19] However, there is this kind of mental burden on you to say, well, actually you haven't finished yet. You need to come back and finish it. And the only way you can get rid of that message is by going and signing in when you don't necessarily need to sign in.

Awais Rashid: [00:18:31] And many times, actually, it's not even app developers. You know, it's how we present permissions to users. So for instance, you might download an app. And it says it needs access to your photos, for instance. And it may not be that it needs access to your photos. It needs access to some storage, which requires it to store, maybe, some images in your device.

Awais Rashid: [00:18:50] But as a user, it's not clear to you why? Should it really have access to that storage? Why does it need access to that storage? And I think the ecosystem is very complicated. There is a lot of value in it. But equally, we don't necessarily make it easy for users to understand what they are giving up, how much they ought to be giving up and what's the benefit do they get.

Dave Bittner: [00:19:08] It's going to be interesting to see how this plays out over time. Awais Rashid, thanks for joining us.

Dave Bittner: [00:19:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.