Dave Bittner: [00:00:04:03] Operation Sharpshooter is linked to North Korea. Canada begins the extradition process for Meng Wanzhou. Huawei is planning to sue the US for banning its equipment from government use. Facebook may have used questionable tactics to lobby against stricter data protection laws. Thailand passes a controversial cybersecurity law and IBM interns discover a host of vulnerabilities in visitor management systems.
Dave Bittner: [00:00:37:01] Now I'd like to share some words about our sponsor Akamai. You are familiar with cloud security but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7, 365 security operations center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are, at the core, in the cloud or at the edge. If you're going to RSA this year visit Akamai in the North Hall, Booth 6153 to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai, intelligent security starts at the edge. Learn more at akamai, that's A-K-A-M-A-I, dot com slash security. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:01:45:15] The CyberWire podcast is made possible in part by RSA Conference, taking place March 4th through the 8th at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconfernce.com/cyberwire19.
Dave Bittner: [00:02:06:18] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 4th, 2019.
Dave Bittner: [00:02:15:15] McAfee disclosed yesterday that Operation Sharpshooter, a cyber-reconnaissance campaign discovered in December, exhibits "striking similarities" with multiple other attacks attributed to North Korea's Lazarus Group. A government entity gave the researchers code and data from a command-and-control server, used to manage the campaign, which gave them a deeper insight into the group's behavior. The researchers had originally declined to link Operation Sharpshooter to the North Korean group based on code overlap, because the technical links were obvious enough to suggest a potential false flag. The new evidence also shows that the ongoing campaign is "more extensive in complexity, scope and duration of operations" than previously thought. McAfee researchers told the New York Times that they observed the group launching attacks against more than a hundred companies. Its recent attacks have focused primarily on financial services, government and critical infrastructure targets in Germany, Turkey, the United Kingdom, and the United States.
Dave Bittner: [00:03:20:03] The Canadian government has approved the extradition hearing of Huawei's CFO, Meng Wanzhou. A date for the hearing will be decided this Wednesday, although it could be years before she sets foot on American soil, due to Canada's slow-paced judicial process. Previous extradition cases in the country have been known to take more than a decade to reach their conclusions. Reuters says China is "seething" over the decision. Charles Burton, a former Counsellor at the Canadian Embassy in Beijing, told the Canadian Broadcasting Corporation that Canada should expect to face retaliation from China.
Dave Bittner: [00:03:56:13] Ms. Meng is also suing the Canadian government, police force and border agency, on the grounds that the circumstances of her arrest violated her civil rights, according to ZDNet. The lawsuit alleges that Meng was searched and interrogated for three hours before being told she was under arrest. It claims that a Royal Canadian Mounted Police Officer and three border agency officials carried out this search and interrogation "under the false pretense of a routine border check."
Dave Bittner: [00:04:25:14] The New York Times and Reuters report that Huawei will file a lawsuit against the US government later this week for banning its products from use by federal agencies. The suit is expected to challenge an addition to the US National Defense Authorization Act, the NDAA, which barred US government agencies and their contractors from using certain equipment from Chinese companies. When the provision was added last year, Huawei called it "unconstitutional" and The Times says the lawsuit will argue that the act amounts to a "bill of attainder." That particular approach has been tried before, it's essentially the argument Kaspersky used last year when it challenged the US Federal Government wide ban on its security products. It didn't work that time around, but each case is different.
Dave Bittner: [00:05:12:24] Computer Week and the Guardian have seen court documents detailing Facebook's global lobbying efforts against tighter data protection legislation. Among various other revelations, Facebook reportedly threatened to withdraw investments from Europe and Canada if legislators refused to meet the company's demands. Perhaps, most notably, the documents claim that the former Prime Minister of Ireland, Enda Kenny, offered to use the "significant influence" of Ireland's EU presidency. Ireland's current and former data protection commissioners said yesterday that Mr. Kenny never tried to influence their decisions regarding Facebook or data protection regulations. A Facebook spokesperson told the Guardian that the documents were "cherry-picked" to "tell one side of a story."
Dave Bittner: [00:06:01:10] Thailand's parliament unanimously passed a controversial cybersecurity law that critics say will give the country's military government sweeping powers to monitor or seize data without a court order. The Asia Internet Coalition, which represents major technology companies such as Google and Facebook, said in a statement that "the Law's ambiguously defined scope, vague language, and lack of safeguards raises serious privacy concerns for both individuals and businesses." The law bears similarities to Vietnam's cybersecurity legislation, which went into effect at the beginning of this year. That law outlawed criticism of the government and gave the government the ability to seize data from internet companies without a warrant.
Dave Bittner: [00:06:44:09] Unlike Vietnam's law, however, Thailand's legislation doesn't require foreign technology companies to open local offices and store data in country. This has led to concerns about the enforcement of Thailand's law internationally, since it will apply to all companies around the world that collect or use the personal data of Thai citizens. Critics assert that Thailand has a history of censoring websites and imprisoning citizens for comments they've posted online. Two years ago, in a widely cited case, a 33 year old man was sentenced to 35 years on prison for making Facebook posts that were deemed insulting to Thailand's royal family.
Dave Bittner: [00:07:24:07] IBM's X-Force Red earlier today disclosed 19 vulnerabilities in five popular visitor management systems, which could allow an attacker to gain physical access to an organization or establish a foothold within the organization's network. Some of the vulnerabilities also allowed for data exfiltration, which could expose sensitive information on customers.
Dave Bittner: [00:07:47:12] The gravity of the vulnerabilities depends on what the systems are used for, how they're configured within an organization's network, and what data they collect. Daniel Crowley, IBM X-Force Red's research director, told Threatpost that "depending on how each of these systems are deployed, these vulnerabilities represent a serious to high-impact risk for companies."
Dave Bittner: [00:08:10:05] Student researchers with X-Force Red discovered the vulnerabilities and reported them to the vendors. Some patches have been rolled out already, and others are still in progress. One of the vendors, Jolly Technologies, did not issue patches for the seven vulnerabilities identified in its Lobby Track Desktop. The company told WIRED that the product is intentionally shipped in "kiosk mode" so that buyers can customize the software to meet their needs. This default configuration is meant to be changed by the owner before setting it up for public use.
Dave Bittner: [00:08:43:13] Finally, we've got a crew out in the City by the Other Bay, that is, San Francisco. This is the week of the 2019 RSA Conference, and things are just getting started. The Innovation Sandbox is in progress now, and we'll have notes on it in tomorrow's podcast. Why tomorrow? Well, the Chesapeake is three hours ahead and we don't wanna keep you waiting until well into the evening. But we'll have the story tomorrow.
Dave Bittner: [00:09:13:16] Now a moment to tell you about our sponsor ObserveIT.
Dave Bittner: [00:09:16:19] The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys, your employees, contractors and privileged users. In fact, a whooping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data, but to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:10:21:16] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute, and also my co-host on the Hacking Humans Podcast. Joe great to have you back.
Joe Carrigan: [00:10:30:24] It's good to be back Dave.
Dave Bittner: [00:10:32:17] We had a story come by, this is from Threatpost, and it's about an interesting vulnerability some researchers discovered with the popular Ring doorbells.
Joe Carrigan: [00:10:42:08] The Ring doorbell flaw. Basically what it is, the older versions of these doorbells, this is owned by Amazon, these doorbells would transmit the data from the ring device to the user's phone, in the clear.
Dave Bittner: [00:10:59:18] So the video and audio streams...
Joe Carrigan: [00:11:01:20] ...would be in the clear.
Dave Bittner: [00:11:03:02] Oh, okay.
Joe Carrigan: [00:11:03:23] And it was possible not only to intercept it but also to spoof it. That was an interesting aspect of this. It looks like it's easier to execute this attack if you're on the same WiFi network as the user's phone.
Dave Bittner: [00:11:15:16] So walk me through what happens here. I have a ring device looking at my front porch.
Joe Carrigan: [00:11:22:08] Right, let's say you're at home. Right, and you don't have very good network security on your home network. So I am outside with a device and I can connect to your network because either you don't have a password on it or you're using WEP or using a weak password and I've broken into your network.
Dave Bittner: [00:11:36:24] Connected to my WiFi.
Joe Carrigan: [00:11:37:23] Right.
Dave Bittner: [00:11:38:06] Home WiFi, alright.
Joe Carrigan: [00:11:39:05] So, now your doorbell rings and you are interacting with the doorbell, if I'm sitting out in my car in the front or anywhere nearby with a long range antenna, I can monitor the traffic between your doorbell, your smart doorbell and your phone. And then I can also save it of course and maybe play it back at a later point in time.
Dave Bittner: [00:11:58:06] Oh, I see.
Joe Carrigan: [00:11:58:22] So, one of the features of these systems is they can remotely unlock the door, right?
Dave Bittner: [00:12:03:17] Right.
Joe Carrigan: [00:12:04:06] So, if I wanted to get into your house it's possible for me to spoof it. Right. Playback some video of your buddy coming over and then you unlock the door.
Dave Bittner: [00:12:13:15] Ah, or like the babysitter.
Joe Carrigan: [00:12:15:07] Right, the babysitter.
Dave Bittner: [00:12:15:24] The babysitter comes to watch the kids while I'm at work, after school, I record that.
Joe Carrigan: [00:12:22:03] Yeah. I don't know if that would be a good attack vector, I think you have to be in the same WiFi network as the phone.
Dave Bittner: [00:12:27:16] Yeah, but I'm getting to the part where if I can record that video of the babysitter then I could use that to playback to you, to trick you into thinking that it's the babysitter at the door and then you unlock the door.
Joe Carrigan: [00:12:40:01] Right.
Dave Bittner: [00:12:40:13] Huh. Now that's an interesting way in isn't it.
Joe Carrigan: [00:12:43:05] Yeah.
Dave Bittner: [00:12:44:03] So, what is Ring's response to this?
Joe Carrigan: [00:12:46:20] Well Ring has actually issued a patch to the vulnerability in the latest version of the app, which is 3.4.7. So if you have a Ring device you should go out and update right now and it'll update the device and everything and secure the traffic.
Dave Bittner: [00:13:02:02] Just make sure you have the latest version.
Joe Carrigan: [00:13:03:20] Correct. And that's one of the things I always harp on, make sure your software is up to date.
Dave Bittner: [00:13:08:06] Yeah, and I think it's particular interesting with some of these devices that you kind of set and forget. They're hanging around in your house, these sort of remote devices. Because that Ring doorbell is going to be doing its job 24/7 and you don't really think about it. It's not if it ain't broke don't fix it.
Joe Carrigan: [00:13:25:18] Yeah, but it is broke. [LAUGHS]
Dave Bittner: [00:13:27:10] Well, yeah, right, right. Right.
Joe Carrigan: [00:13:29:21] It's time to fix it.
Dave Bittner: [00:13:30:16] Yeah. Yeah.
Joe Carrigan: [00:13:31:23] But, yeah, you're right. When people say, "if it isn't broken don't fix it," but that statement has always kind of frustrated me. Because just because something is working good enough doesn't mean it's working properly.
Dave Bittner: [00:13:44:07] Right.
Joe Carrigan: [00:13:44:16] It could be working better. It might have a problem that you don't know about, like this, that's causing you harm.
Dave Bittner: [00:13:51:10] Yeah, I suppose it's like, "I don't drive with a seatbelt, I haven't crashed so far." [LAUGHS]
Joe Carrigan: [00:13:56:02] Right, exactly. Same kind of thinking.
Dave Bittner: [00:13:58:10] Right, right.
Dave Bittner: [00:14:00:02] Alright, well if you have a Ring, check and make sure that you're updated to the latest version. Joe Carrigan thanks for joining us.
Joe Carrigan: [00:14:06:18] It's my pleasure.
Dave Bittner: [00:14:11:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:14:24:14] Don't forget to check out the Grumpy Old Geeks Podcast, where I contribute to a regular segment called Security, Huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future Podcast, which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:52:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.