International cyber conflict: India and Pakistan; Australia and China. Rietspoof malware. Microsoft ejects cyptojackers from its store. NCSC may go easy on Huawei. Parliament criticizes Facebook.
Dave Bittner:[00:00:01] Just the other day, my son, Jack, came to me and said, Daddy, there's a snowstorm coming. Do you think we could buy a new snow shovel? I like to dig out the driveway of the little old lady who lives next door so she doesn't fall and hurt herself. And I said, Jack, if enough people go to patreon.com/thecyberwire, maybe we can get you that snow shovel. I'm kidding, of course. He doesn't need a new snow shovel. He's got hands. Next thing you know, he's going to want a pair of gloves.
Dave Bittner:[00:00:37] Cyber conflict flares in the subcontinent. Australian political parties, as well as Parliament, are subjected to attempted cyberattacks. A new strain of malware is being distributed through messaging apps. Microsoft pulls cryptojacking Windows 10 apps from its store. Britain's NCSC is rumored to have concluded that it can mitigate Huawei risks. Facebook gets a harsh report from Westminster. And a hacker claims a higher motive for his breach but still wants bitcoin.
Dave Bittner:[00:01:11] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are login credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day. But without complete visibility inside your network, your investigation could take hours, or even weeks. And that's assuming you are able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of the complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Look for ExtraHop at RSA or be the blue team in the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. The CyberWire podcast is made possible in part by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.
Dave Bittner:[00:02:33] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 19, 2019.
Dave Bittner:[00:02:41] The website of Pakistan's foreign ministry was rendered inaccessible over the weekend, probably by a denial-of-service attack. Speculation regards the attack as probably originating from India. Last week's terrorist massacre of 30 Indian security personnel in the suicide bombing of a convoy moving through Jammu in Kashmir's Pulwama district may have prompted the cyberattack. A Pakistani terrorist group claimed responsibility for the bombing. It's worth noting that low-level cyber conflict between India and Pakistan has persisted for years and that many of the actors on both sides have been patriotic hacktivists not necessarily operating under state direction.
Dave Bittner:[00:03:23] Australian Prime Minister Morrison said yesterday that three political parties - Liberal, Labor and National - have been targeted by sophisticated foreign actors. The attempts came to light during investigation of attempts on Parliament systems. Chinese intelligence services are the leading suspects, according to reports in The Sydney Morning Herald and elsewhere.
Dave Bittner:[00:03:44] China's foreign ministry denies any involvement and says reports of Chinese attacks are both baseless and irresponsible and are likely to poison possibilities of future harmonious cooperation between China and Australia.
Dave Bittner:[00:03:59] Security firm Avast reports a new malware family, Rietspoof, spreading through instant messages. Rietspoof, which Avast says is now being updated daily, combines various file formats and multi-stage attacks that give it unusual versatility. The attack is delivered through such instant messaging clients as Skype or Live Messenger, where what Avast calls a highly obfuscated, visual basic script carries a hard-coded, encrypted CAB file. That file is expanded into a digitally signed executable, which in turn installs a downloader. Avast says research is in its early stage and that little is known about the attacker's methods or motives, still less, their identity, but Rietspoof looks like a malware family that bears watching.
Dave Bittner:[00:04:45] We often hear stories of how unauthorized access to an organization begins with a simple phishing email. And many organizations have implemented combinations of technical solutions and training to prevent outsiders from gaining access. Igal Gofman is head of security research at XM Cyber, and his team has been tracking infiltration techniques that begin with access to a low-level user's machine within an organization, and it pivots from there.
Igal Gofman:[00:05:13] Let's say somebody malicious out there was able to gain full access to a user machine located in the in the corporate headquarters. And the adversary's main goal is stealing, let's say, some kind of credit card information from a database server located at some remote location. And, however, the database network is isolated from the user headquarter network, and it's not easy accessible from regular users.
Igal Gofman:[00:05:38] So the headquarter network and the database network are completely isolated, and there is no - a user from the headquarter is not able to log in to the database network. Because the adversary has full system access, he can easily locate the user in that application, and he can hijack all email session and messages and inject, let's say, a malicious URL or document using some kind of a macro inside the document and to trick the user to click on this document or your app.
Igal Gofman:[00:06:10] So basically, the adversary hijack mail correspondence, a real mail correspondence, and he's not faking anything. And this is the strong side of this attack. This way, instead of targeting a user outside the organization by sending, you know, phishing emails, the adversary can manipulate real correspondence between a compromised user and the target user.
Igal Gofman:[00:06:32] So in our example, let's say the target user is one of the IT personnel. We can easily trick the IT person to click on an injected URL document. He will not suspect that anything is wrong and open in this URL document. And then this option will direct, for example, the user account of this IP personnel or some internal watering hole website, exposing - he's a high-privileged credential, and, of course, bypassing many of the detection and application control mechanisms.
Igal Gofman:[00:07:04] Now, at this stage, the adversary has a high-privileged user account. He can use this account to connect to some kind of a jump host or some kind of a Privileged Access Workstation. This is the Microsoft term for a jump host. And then from there, he can obviously access the isolated databases. And basically, this is a game over. Once he was able to get himself a high-privileged user account, he can - basically, that's the game over, and the target was achieved.
Igal Gofman:[00:07:33] So an effective solution - infecting email messaging defense mechanism will include some kind of a malware or spam boxing. All messages and attachments transported through the organization mail server - let's say, for example, a chain (ph) server - should be scanned for malware, viruses and spyware. And if malware is detected, the messages should be quarantined or deleted.
Dave Bittner:[00:07:55] That's Igal Gofman from XM Cyber.
Dave Bittner:[00:08:00] Following Symantec's discovery that the apps were installing Monero cryptojackers in users' devices, Microsoft pulled eight Windows 10 applications from its store. The unwanted apps included Fast-search Lite, Battery Optimizer, VPN Browser+, Downloader for YouTube Videos, Clean Master+, FastTube, Findoo Browser 2019 and Findoo Mobile and Desktop Search. Symantec says that the applications were nominally produced by three developers but that evidence in the source code and adjacent domains suggests to them that, in fact, all eight apps are the work of one developer or group of developers.
Dave Bittner:[00:08:39] Reports in The Telegraph and elsewhere suggest that a report on Huawei's security issue and the company's suitability for participation in 5G networks from the U.K.'s National Cyber Security Centre will be very far from the harsh condemnation that had been widely suspected. The NCSC is believed to have concluded that the risks Huawei poses are manageable and that GCHQ sees its way clear to mitigating them.
Dave Bittner:[00:09:04] On Friday, MI6 head Alex Younger said he wanted a proper conversation over giving Huawei a role in 5G networks, but the specific concerns he expressed concentrated on the dangers a monopoly would present. So Huawei is not out of the woods by a long shot, but if the rumors about the NCSC report are borne out, that will be good news, indeed, for the company.
Dave Bittner:[00:09:28] Facebook has not fared as well in Westminster. The Digital, Culture, Media and Sport Committee has published its final report on disinformation and fake news, and Facebook figures prominently, both in terms of content moderation and data handling. The report says in its summary, quote, "Facebook intentionally and knowingly violated both data privacy and anti-competition laws," end quote.
Dave Bittner:[00:09:53] The report recommends that tech companies be given a compulsory code of ethics to be overseen by an independent regulator who could take legal action against companies it found in violation of the code. It also recommends that social networks be required to remove known sources of harmful content, including proven sources of disinformation.
Dave Bittner:[00:10:13] For its part, Facebook says it would welcome helpful regulation. It's also mooting the idea of setting up its own tribunal, a kind of 40-person Supreme Court that would adjudicate disputes over whether content was being unfairly judged in violation of the social network's terms of service.
Dave Bittner:[00:10:32] The black market is, as many have noted, after all, a market. It follows familiar laws of supply and demand. As supply of any commodity rises, prices drop. And it seems clear that user information is now a relatively low-priced commodity. At the end of last week, Gnosticplayers released his third tranche of PII, mostly user credentials, taken from eight databases Gnosticplayers claims to have hacked. He's asking just over 2.62 bitcoin for the almost 93 million users' data.
Dave Bittner:[00:11:03] We note that ZDNet, which has been in touch with someone credibly claiming to be Gnosticplayers, is treating him as a singular he. At any rate, that's about $14,500. Gnosticplayers, who trades in the Dream Market, had earlier offered 16 databases with 620 million users' data and another batch of eight databases containing 127 million users' information. 2.62 bitcoin doesn't seem like much for 93 million users' data, but money isn't the sole object.
Dave Bittner:[00:11:35] Gnosticplayers told ZDNet that his goal is twofold. He wants, first of all, to sell a billion records and then go hide out in some degree of comfort. It seems, at the rates he's charging, that such comfort may be more squalid than luxurious - cozy, no doubt, but frosty and frayed around the edges.
Dave Bittner:[00:11:54] Second of all, Gnosticplayers wants to contribute to the downfall of American pigs. A manifesto that accompanies his offerings suggests why he's got it in for the Americans, who are, we think, generally a lovable crowd, although we admit that we can be something of an acquired taste.
Dave Bittner:[00:12:11] Mr. Players is offering support for a convicted Apophis Squad hacker. George Duke-Cohan is a young and talented boy, Mr. Players writes. Instead of giving him a chance, the U.K. government sends him to prison for three years. And not only that, after he's through his three years detention at her majesty's pleasure, the Americans are lined up to take a whack at him, as we noted in a discussion of his indictment last week. The U.S. charges could get Mr. Duke-Cohan a further 63 years in Club Fed. That's a high-end estimate of his sentence. But still, it is, after all, a long time. So bad on her majesty's government, says Mr. Players. May this upcoming release of dumps serve as a reminder, he writes. When countries claim to respect their citizens, they have duty. Protect them.
Dave Bittner:[00:12:57] Anywho, Mr. Players thinks this is unfair. If he is not given a fair justice during the upcoming days, weeks, years, more data will be released. We note that Gnosticplayers is selling, not dumping, the data he's ripped off. So let justice be done, or more data be sold, at least until Mr. Players makes enough altcoin to retire to wherever he wants to go because, after all, political altruism has its limits, and those limits are probably somewhere south of $14,500. That much change will get you a nice commercial cleaning franchise in some markets.
Dave Bittner:[00:13:32] Although, admittedly, that's probably more conventional work in social utility than it's fair to expect from a hacker of Mr. Players' mad skills. Is it us or does Mr. Players' diction sound kind of shadow broker-ish? Not, of course, that he's a shadow broker, but where have these guys been these days anyway? Wealthy elites has been missing you at the Davos.
Dave Bittner:[00:13:59] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security. But what about security at the edge? Akamai's edge security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the North Hall, booth 6153 to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. That's akamai.com/security. And we thank Akamai for sponsoring our show.
Dave Bittner:[00:15:08] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He's also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back.
Joe Carrigan:[00:15:17] It's great to be back, Dave.
Dave Bittner:[00:15:18] We've got an article here from the Naked Security blog over at Sophos. This is written by Paul Ducklin - friend of the show.
Joe Carrigan:[00:15:25] Yep.
Dave Bittner:[00:15:25] And the title is "Apple Fighting Pirate App Developers Will Insist on Two-Factor Authentication for Coders."
Joe Carrigan:[00:15:31] Right.
Dave Bittner:[00:15:32] What's going on here?
Joe Carrigan:[00:15:33] OK. So Apple has this this program called the Enterprise Certificate program...
Dave Bittner:[00:15:38] Right.
Joe Carrigan:[00:15:39] ...Which is a way that allows - let's say you wanted to develop an app specifically for the CyberWire.
Dave Bittner:[00:15:43] OK.
Joe Carrigan:[00:15:44] But you didn't want to put it into the App Store. And you didn't want to wait for Apple to approve it. And you wanted it to do a little bit more nosing around the phone for security purposes of your company data, right?
Dave Bittner:[00:15:55] So this is an internal use app...
Joe Carrigan:[00:15:56] Internal use only.
Dave Bittner:[00:15:57] ...For CyberWire employees, let's say.
Joe Carrigan:[00:15:59] Correct.
Dave Bittner:[00:15:59] OK.
Joe Carrigan:[00:16:00] Now, Facebook and Google were recently chastised for abusing this program by distributing apps to other people...
Dave Bittner:[00:16:08] Right.
Joe Carrigan:[00:16:09] ...Outside of the company that Apple said, well, this doesn't amount to an employee. But they were doing a lot of - I like the way this article puts it. This article describes the app as way too snoopy...
Dave Bittner:[00:16:21] Right.
Joe Carrigan:[00:16:22] ...Or just too Snoopy for the App Store. So they use their enterprise certificate. And Apple, you know, essentially grabbed Facebook and Google by the necks and shook vigorously and said, this will not be the case. You will not be abusing this.
Dave Bittner:[00:16:33] Right.
Joe Carrigan:[00:16:34] Right. So it turns out that this program can be used to develop rogue apps. It's essentially the closest thing that Apple has to the Android equivalent, which is let - allow apps from other sources.
Dave Bittner:[00:16:45] Right - to sideload apps.
Joe Carrigan:[00:16:46] Yeah, sideload apps and...
Dave Bittner:[00:16:48] Yep.
Joe Carrigan:[00:16:48] ...Or for developer options, right?
Dave Bittner:[00:16:49] OK.
Joe Carrigan:[00:16:50] But in order for me to do that, I still have to have a certificate with Apple so that Apple can, at some point in time in the future, revoke that certificate, like they did for a day with Facebook and Google, and make the app not work.
Dave Bittner:[00:17:01] OK.
Joe Carrigan:[00:17:01] So if I know your password to your enterprise certificate...
Dave Bittner:[00:17:06] So I'm developing for CyberWire.
Joe Carrigan:[00:17:08] Right.
Dave Bittner:[00:17:09] Somehow, you compromise my credentials.
Joe Carrigan:[00:17:11] Correct.
Dave Bittner:[00:17:11] OK.
Joe Carrigan:[00:17:11] And I go out, and I generate an app that is malicious and then sign it with your enterprise certificate.
Dave Bittner:[00:17:19] Oh, I see.
Joe Carrigan:[00:17:19] Then I can distribute it. And it will come up as a valid app. Right? So what they're - what Apple is going to start doing is requiring two-factor authentication so that that particular abuse case can't take place anymore. So now when I try to go sign the app with your certificate, you'll get a message on your phone that says, here's your code. And I don't get that message.
Dave Bittner:[00:17:38] I see. Right. OK. Well, this seems non-controversial to me. But there are some folks who aren't very happy about it.
Joe Carrigan:[00:17:44] The article goes on to talk a couple of recent cases that are not necessarily from the developer community. The article talks about an attorney who's suing Apple with a class action lawsuit, saying that he and millions of other people have been economically damaged by two-factor authentication.
Dave Bittner:[00:17:58] (Laughter).
Joe Carrigan:[00:17:58] I think the crux of his lawsuit, if I...
Dave Bittner:[00:18:01] What is his hourly rate if (laughter)...
Joe Carrigan:[00:18:04] I don't know.
Dave Bittner:[00:18:04] ...The two-factor is an economic loss? But go on.
Joe Carrigan:[00:18:07] He said it was taking five minutes for every time he needed to use two-factor, which is a ridiculous amount of time.
Dave Bittner:[00:18:12] OK (laughter).
Joe Carrigan:[00:18:13] I find it incredibly difficult to believe that.
Dave Bittner:[00:18:15] Yeah.
Joe Carrigan:[00:18:15] It never takes five minutes.
Dave Bittner:[00:18:17] OK.
Joe Carrigan:[00:18:18] If you're security conscious and minded, you should always ask if two-factor authentication is available. And if it isn't, maybe you should reconsider using that product or service.
Dave Bittner:[00:18:27] Right. Well, yes. I think that's an excellent point that - I would make the argument that that should be part of your buying decision.
Joe Carrigan:[00:18:33] Yeah.
Dave Bittner:[00:18:33] Is two-factor available with your product?
Joe Carrigan:[00:18:35] Right.
Dave Bittner:[00:18:36] If it's something that's important to you...
Joe Carrigan:[00:18:37] Again, Dave, we're dealing with a huge education problem for the general populace of - if you ask people who don't live and breathe this stuff every day what two-factor authentication is, I'll bet you get 50 percent of the people who've never even heard of it.
Dave Bittner:[00:18:50] Yeah. That's true. All right. Well, I would say I'm on team Apple with this one (laughter).
Joe Carrigan:[00:18:56] Yeah, I am, too.
Dave Bittner:[00:18:57] I think it's probably for the best in the long run. And why not? Make - certainly, developers have some privileges that other folks don't when it comes to potentially putting...
Joe Carrigan:[00:19:07] Yeah.
Dave Bittner:[00:19:07] ...Dangerous stuff out there.
Joe Carrigan:[00:19:08] Especially for developers.
Dave Bittner:[00:19:10] Yeah.
Joe Carrigan:[00:19:10] They should absolutely require developers to use two-factor authentication. I think this is a no-brainer. The general populace, the user community, not using two-factor authentication - I can...
Dave Bittner:[00:19:22] And more sympathy for that.
Joe Carrigan:[00:19:23] I don't know.
Dave Bittner:[00:19:26] As much as - it pains you to say it, doesn't it? You can't...
Joe Carrigan:[00:19:28] I at least understand...
Dave Bittner:[00:19:29] You can't bring yourself...
Joe Carrigan:[00:19:29] ...There's a difference between the two populations (laughter).
Dave Bittner:[00:19:31] OK. All right, fair enough. That's as far as we'll get you. All right. Joe Carrigan, thanks for joining us.
Joe Carrigan:[00:19:36] My pleasure, Dave.
Dave Bittner:[00:19:41] And that's the CyberWire.
Dave Bittner:[00:19:42] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.