The CyberWire Daily Podcast 2.21.19
Ep 785 | 2.21.19

Hybrid war and tactical influence operations. Separ lives off the land. NoRelationship attacks get past email filters. Responsible disclosure. Man-in-the-room bug. Ship hacking. Password managers.

Transcript

Dave Bittner: [00:00:03] Influencing soldiers through their social media - Instagram works best; Twitter, not so much. Separ credential-stealing malware successfully lives off the land. NoRelationship attacks get past some email filters. Spamming users to get your point across may not be the best form of disclosure. University researchers find a man-in-the-room bug. Other researchers think they could capsize a ship. And password managers remain a good idea.

Dave Bittner: [00:00:36] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are login credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day, but without complete visibility inside your network, your investigation could take hours or even weeks. And that's assuming you were able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of the complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Look for ExtraHop at RSA or be the blue team in the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:37] The CyberWire podcast is made possible in part by RSA Conference taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.

Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 21, 2019. Social media posed enough operational security problems for Russian forces operating against Ukraine that the Russian army cracked down on their soldiers' online presence. It was revealing information about units' operations, including such matters as their very presence in Ukraine, a presence Russian hybrid war doctrine would have preferred to cover with the fig leaf of green men militia, plausible deniability and also general OPSEC. It's a general problem certainly not confined to the Russian army.

Dave Bittner: [00:02:37] During a recent exercise, NATO red team operators ran various phishing trawls and honeypots against NATO soldiers. The results were discouraging. Military personnel put enough personal information online to render them vulnerable to influence and social engineering. Troops also discuss matters better left undiscussed, of course, but the NATO exercise is interesting in that it showed that the personal data overshared online enabled the red team to, as NATO puts it, induce certain behaviors, such as leaving their positions, not fulfilling duties, et cetera. More specific than that, the report doesn't get.

Dave Bittner: [00:03:13] There are some interesting side lights on which social networks were most easily used to exert a malign influence over the troops. Twitter was basically a waste of time. Instagram and Facebook were a different matter altogether. Blue forces during the exercise did succeed in recognizing and blocking some bogus Facebook pages, but others got through. And Joe and Jane Troop were suckers for Instagram.

Dave Bittner: [00:03:39] Security firm Deep Instinct says it's observing new instances of Separ credential-stealing malware. A maliciously crafted Adobe file is the typical infection vector. Once installed in a victim's system, Separ lives off the land by abusing legitimate files and tools. The attack is simple but effective. The malicious script is short and easily overlooked, and the dual-use software it takes advantage of makes it relatively quiet, even without elaborate obfuscation. And it's said to bypass many legacy antivirus products.

Dave Bittner: [00:04:12] Another attack in circulation is evading Exchange Online Protection URL filters. According to researchers at security firm Avanan, NoRelationship attacks are evading the link parsers that many filters use to screen email for malicious links when link parsers don't scan the full document, instead consulting a relationship file for a list of links that a document attached to an email contains. If a malicious link is removed from the xml.rels file that accompanies the document, the link is simply not noticed by many parsers.

Dave Bittner: [00:04:48] As you go about your day minding your own business, have you ever stopped to consider how many times a day you're being recorded by some sort of video camera or other security surveillance device? Our U.K. correspondent Carole Theriault did, and she files this report.

Carole Theriault: [00:05:04] Did you guys know that London is ranked by some as the most spied-upon city in the world, ahead of China? The estimated count of 2018 CCTV cameras in London - 500,000. For a city of 9.2 million, that's a camera for every 18 people. So for context, Chicago is touted as the U.S. city with the most surveillance, and it has an estimated 4,000 cameras, which pales in comparison to London's half a million. So maybe we shouldn't be surprised that London's Met Police got the thumbs-up to try out a live facial recognition system. Now, of course, not everyone is on-side with these trials, including Big Brother Watch, a privacy group who pooh-poohs the idea of mass surveillance.

Carole Theriault: [00:05:47] First, you got to understand how the Met's automated facial recognition system works. So the Met load up a watch list. These are pics of offenders that have fallen foul of the police or the court. These pics are analyzed by the software to measure the structure of each face - the distance between the eyes, the nose, the mouth, the jaw, the eyebrow shape, et cetera. The surveillance system is placed in a van to monitor an area of London. If they find anyone that matches one of the offender pics, the system sends an alert to a nearby officer, who can review and verify the match and then make the decision on what next steps to take. Ivan Balhatchet, strategic lead for this technology, had this to say. Quote, "the technology being tested in this trial is developing all the time and has the potential to be invaluable to day-to-day policing," unquote.

Carole Theriault: [00:06:32] Now, the system has been criticized for its unreliability. According to information released under the Freedom of Information laws last May, the Met's automated facial recognition system has a false positive rate in the 90 percent range. So that means for every 10 people it matches to an identity of an offender on the system, only one is correct. Even so, this technology must seem like a godsend to the London Met, who have been facing serious budget cuts.

Carole Theriault: [00:07:01] So imagine the allure of facial recognition technology. It's like a bag of pollen to an overworked bee. But the Met need to keep the public onside for this to work. It's a delicate balance between improving safety and respecting the privacy of the people the cops are paid to protect. Now, last week, we saw the ninth trial of this facial recognition technology. It took place in the London Borough of Romford, and a minor altercation did not help matters.

Carole Theriault: [00:07:28] OK. Let me walk you through it. So this man finds out that there's an active facial surveillance trial in the area and pulls up the top of his sweater to cover the bottom of his face, puts down his head to walk past. But a plain-clothed police officer stops him and asked him to show his ID. He did, but then he told the officer to piss off, which is basically the British equivalent of a salty, go away now, please. The cop handed this man a 90-pound fine after he protested angrily at being stopped. But this tête-à-tête has ruffled quite a few feathers because the Met's official page on these facial recognition trials clearly states, quote, "it's not an offense or considered obstruction to actively avoid being scanned," unquote.

Carole Theriault: [00:08:12] So what the Met Police are saying on their website and what the Met Police are actually doing are not aligned. And the concern is it will add to the frustrations and tensions around the use of facial recognition technology in the most spied-upon city in the world. Now, we wait for the full, independent evaluation of this facial recognition technology. And as we wait, Big Brother Watch announced its legal challenge against the U.K.'s mass surveillance technologies will be heard in Europe's highest human rights court. I can't help but think that in these unique political times, Big Brother Watch better get its skates on. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:08:53] Don't forget you can check out Carole Theriault on the "Smashing Security" podcast with her co-host Graham Cluley. Their guest this week is Joe Carrigan, my co-host on the "Hacking Humans" podcast. It's a small, little world. Do check it out. It's a fun show.

Dave Bittner: [00:09:08] A VKontakte hack suggests where the limits of responsible disclosure may lie. And as Naked Security suggests, the line should probably be drawn on this side of spamming thousands of people to make a point. App developer Bagosi found an issue with Russian social network VKontakte then decided to turn it loose when Bagosi judged that VKontakte wasn't paying sufficient attention. Bagosi claimed the Valentine's Day spam it induced was a harmless and necessary attention-getting caper. ZDNet says VKontakte was not amused and shut down much of Bagosi's presence on its platform.

Dave Bittner: [00:09:46] Two other interesting potential hacks are in the news this week. One is a proof of concept, the other more of a thought experiment. The proof of concept comes from researchers at the University of New Haven. They found it possible to eavesdrop on users of the popular virtual reality program Bigscreen. Bigscreen is described as a virtual living room used for entertainment, communication and collaboration.

Dave Bittner: [00:10:10] Since the University of New Haven researchers were able to do such things as turn on user microphones and enter Bigscreen sessions without the user's knowledge, they call their proof of concept a man-in-the-room attack. The researchers disclosed their findings to Bigscreen, and the company fixed the vulnerabilities last week. So good on all of you for responsible disclosure and responsible patching.

Dave Bittner: [00:10:35] The other potential hack we'll call a thought experiment because actually doing it would be pretty devastating. Pen Test Partners, who've been noodling some maritime system vulnerabilities recently, were wondering whether it might be possible to send a ship to Davy Jones' locker and leave no easy-to-get-at evidence to tell any tales. After thinking it through, they concluded that it could be done through NMEA 0183 messaging. GPS devices and other shipboard systems use such messaging to communicate. So suppose you got into a ship's network. It's a little like hacking a car.

Dave Bittner: [00:11:11] Many ships' devices use Windows XP or Windows NT. And Pen Test Partners thinks, reasonably enough, that a lot of those devices still have their default credentials installed. Even if they don't, they're likely to be susceptible to a firmware downgrade compromise that the researchers think is a relatively trivial hack. Once an attacker is in, he or she could meddle with the ship's ballast, render the ship unstable and capsize it - an IoT vulnerability with uniquely maritime implications. Don't try this at home or at sea. And if you're operating a vessel, take a look at the claimed vulnerability.

Dave Bittner: [00:11:51] A report this week from Independent Security Evaluators called out password managers as being potentially leaky. The researchers said that the password managers they tested stored either a master password or user credentials in a device's insecure memory while the managers were in use. They said there was no insecure condition while the managers were not in use. The researchers also said they still recommended that people use password managers and that those services made a substantial contribution to security. They wished, however, that the password manager vendors would improve application memory management.

Dave Bittner: [00:12:27] Many of the password manager vendors took issue with the report. Dashlane said that the insecurity the report described arose when an entire system was compromised and that there's effectively no way of preventing an attacker with that sort of access from getting anything that's on the compromised system. LastPass said that in their recent releases, they've already mitigated the vulnerability. LastPass shuts down and clears memory when a user logs out.

Dave Bittner: [00:12:52] 1Password thinks that any cure for the issue would make matters worse. KeePass says something similar. But everyone, vendors and researchers alike, agree on this. For heaven's sake, use a password manager, and don't set every account you use to Ninja or Camaro just because it's easy for you to remember.

Dave Bittner: [00:13:15] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? Akamai's edge security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the North Hall Booth 6153 to take part in their Crack the Code Challenge for an opportunity to win a new 3D printer. Akamai - "Intelligent Security Starts at the Edge." Learn more at Akamai. That's akamai.com/security. That's akamai.com/security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:14:26] And I'm pleased to be joined once again by Emily Wilson. She's the VP of research at Terbium Labs. We want to focus today on what you are seeing in terms of law enforcement and dark web activity. You've seen some things shifting around lately.

Emily Wilson: [00:14:41] I have. I have. And I know we're all very tired of hearing 2019 predictions. So instead, I will call this something I'm watching...

Dave Bittner: [00:14:50] OK.

Emily Wilson: [00:14:51] ...Something I'm watching this year. So I'm keeping an eye on the kind of shifting attention that law enforcement is paying toward the different dark web communities. When we think about law enforcement takedowns or activity when it comes to the dark web, we're thinking mostly about heavy hitters like drugs or weapons or child abuse. That's what we think of historically. You know, when you go after these major markets, that's what all of the indictments or all of the attention is going toward. We have to get the guns off of the street. And we have to, you know, win the war on drugs.

Dave Bittner: [00:15:24] Right.

Emily Wilson: [00:15:25] What I'm curious to see, though - with some precedent that was set last year - is how law enforcement attention shifts toward cybercrime that's related to fraud activity. So last year, we saw a couple of things that got my attention. Early last year, we saw the indictment come down against the Infraud Organization - so a prolific group with, you know, scores of individuals who were operating fraud schemes and of course, you know, the Infraud website and network itself.

Emily Wilson: [00:15:56] Then, a few months later, in kind of midsummer, we saw the FIN7 indictment come down. Right? And so we saw, again, law enforcement - international coordinated law enforcement attention toward cybercrime using fraud, stolen payment cards - these criminal networks that are more involved in financial fraud than they are in guns or drugs or other kinds of violence.

Emily Wilson: [00:16:18] And so I'm watching to see what happens this year for a couple of reasons. One, we've obviously seen a lot of attention for many months now about, you know, the efforts of Magecart - seems like every other day there's a new Magecart victim that we're talking about.

Emily Wilson: [00:16:34] The other thing, as we all know unfortunately very well, is that we are entering another election cycle. And so there is going to be more attention around cybercrime activity as related to disinformation, as related to election security. And I think that we are going to see fraud come up in that - payment card fraud, money laundering. I think we're going to see that come up more and more.

Emily Wilson: [00:16:57] We've already seen it come up in the individuals that were indicted for the DNC hacks. Right? There was money laundering there. We know about Facebook ads that are being purchased to, you know, spread propaganda. That's going to continue. That's something we now have to expect from our elections going forward. And so what does that shifting attention look like? How do we see dark web fraud communities, dark web payment card communities potentially being caught up in that?

Emily Wilson: [00:17:25] It's a very effective way to launder money, using stolen payment cards. They're readily available. It's easy to get lost in the noise of all of the fraud that's happening in the payment card networks. So it's a useful tool, and organized crime syndicates know that. So they're going to keep using them. It's a good way to pay for all of the work that they're doing, and it's a good way to move money around.

Dave Bittner: [00:17:46] Now, how much of this, do you think, is politically motivated? I guess what I'm getting at is - what do you suspect has caused this shift to occur?

Emily Wilson: [00:17:54] The shift in payment card usage or the shift in law enforcement?

Dave Bittner: [00:17:58] The shift in law enforcement.

Emily Wilson: [00:18:00] I think it's a combination of having opportunities, getting tips, getting a break in a case and being able to go after an organization and the fact that we are seeing things like this get caught up in sexier topics that would warrant budget effectively.

Emily Wilson: [00:18:16] You know, one of the things about fraud that's kept it sort of out of the limelight in the dark web takedowns of the past is that fraud isn't sexy. Fraud - no one really cares. People care about guns. They care about drugs. They care about children. You can put names and faces toward that. You can create a sense of urgency there. But fraud is sort of an acceptable part of doing business - until you put it in the terms of election hacking or until you put it into the terms of broader data security issues, as you have with Magecart - until you start seeing grouped victims in the hundreds of millions or you talk about state security or propaganda. That's when we start to see attention going toward those. And I think people know to expect it now. They're going to be looking for it, and I think we're going to see some fallout from that as a result.

Dave Bittner: [00:19:04] All right. Well, time will tell. Emily Wilson, thanks for joining us.

Dave Bittner: [00:19:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:25] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:19:53] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.