The CyberWire Daily Podcast 4.1.19
Ep 812 | 4.1.19

Patch Magento soon. Toyota hacked again. Exodus spyware hits app stores. Moscow seeks to corral VPN providers. Facebook wants regulation. Swatting sentence. Phishing tackle in Nigeria.

Transcript

Dave Bittner: [00:00:03] Magento users are urged to patch as risk of exploitation rises. Toyota experiences another cyberattack, and some observers blame, on grounds of motive, opportunity and track record, OceanLotus. Exodus spyware in the Google Play Store looks like a case of lawful intercept tools getting loose. Moscow seeks to control and limit VPN providers. Mr. Zuckerberg wants regulation. Mr. Barriss gets 20 years for swatting. And, hey, there’s phishing tackle on the Nigerian National Assembly site.

Dave Bittner: [00:00:42] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 1, 2019. As the risk of Magento e-commerce software exploitation rises, experts recommend immediate patching. Magento has made patches available, and users of its products should apply them. We note that last Friday, we carelessly referred to Magento as Magneto, which, of course, it is not. Magento is an e-commerce platform; Magneto is a mutant supervillain and founder of Factor Three, as Professor Charles Xavier would have told our e-commerce desk had they asked him.

Dave Bittner: [00:02:26] Toyota disclosed Friday that attackers had accessed customer sales data on its servers in Japan. There's no attribution yet, but speculation has turned toward Vietnamese threat group APT32, also known as OceanLotus. There have been multiple reports since February that Vietnam’s government has been engaged in a campaign of industrial espionage aimed at giving its incipient domestic automobile industry a leg up. Toyota's operations in Vietnam may also have been hit in this most recent wave of attacks. The carmaker’s Australian subsidiary sustained an attack earlier in March.

Dave Bittner: [00:03:03] We heard from Lucy Security CEO Colin Bastable about the latest incident. He said, quote, "I expect that Toyota's Japanese customers are collateral damage in an attempt to steal Toyota's intellectual property," end quote. Noting how widespread industrial espionage has become, Bastable added, quote, "all businesses which hold valuable IP should assume that they will be attacked. Unfortunately, businesses seem incapable of learning from others' experiences and must become victims in order to adapt," end quote.

Dave Bittner: [00:03:36] Independent security researchers posting their results to Security Without Borders say they’ve found more Android apps fronting for spyware. The apps represent themselves as mobile operators’ service applications, and they appear to have been written in, and probably largely for, an Italian market. The researchers perceive connections between the intercept agent, which they’re calling Exodus, and Italian company eSurv, which is based in the southern Italian city of Catanzaro and specializes in video management and analytics. The spyware’s command-and-control server is apparently identical to one used to manage eSurv surveillance cameras. Motherboard calls Exodus a case of lawful intercept gone wrong, and they think eSurv may have developed it for Italian police, but neither the company nor the police have responded to their inquiries.

Dave Bittner: [00:04:28] It's worth noting that there is such a thing as a lawful intercept tool. It's spyware used, ideally, in a carefully restricted and overseen law enforcement investigation. Think of it as a legal wiretap, only done over the internet and mobile telecom networks - a modern version of getting a court order to put a bug on a phone. Problem here is that if, indeed, Exodus is the lawful intercept tool many say it appears to be, it's scooping up a lot of quite innocent people's devices and data. There's other issues here as well - the difficulty of controlling what gets into even the walled garden of official app stores.

Dave Bittner: [00:05:06] We heard from Will LaSala of OneSpan, who emailed to point out that, quote, "this underscores that relying on Google or Apple to detect malicious apps is not a safe idea. Customers should look to protect their own apps with app shielding rather than look towards the platform vendors for increased security," end quote. It’s easy, he said, for platform vendors to err on the side of convenience - quote, "as such, app developers and companies deploying apps really need to take security into their own hands to ensure their users are protected," end quote.

Dave Bittner: [00:05:39] The Russian government has served 10 VPN providers with notice that they have 30 days to connect their services to a government blacklist of forbidden sites or cease operations. The companies who got the letter were NordVPN, HideMyAss, Hola VPN, OpenVPN, VyprVPN, ExpressVPN, TorGuard, IPVanish, Kaspersky Secure Connection and VPN Unlimited. Four of these - TorGuard, VyprVPN, OpenVPN and NordVPN - have already stated their intention of exiting the Russian market rather than comply. The Russian government had earlier put the strong arm on search engines to align their results with official policy. Moscow says that they're simply trying to secure the freedom of the internet and not censor it, but that explanation finds few takers.

Dave Bittner: [00:06:32] Facebook CEO Zuckerberg has an op-ed in The Washington Post in which he asks governments to regulate him. First, he’d like to be told what content he needs to block. Second, he wants election laws to be more broadly applied and to regulate content about issues as well as content about candidates. Third, he likes GDPR and thinks it might serve as a model for a global system of privacy enforcement. Finally, he wants data portability guaranteed. If users put data on one service, they ought to be able to move it to another.

Dave Bittner: [00:07:06] His proposal isn’t really rent-seeking, but it’s obvious how laws like this would be good for Facebook. They would certainly shift regulatory and reputational risk from Facebook to the government. It’s less obvious how such regulation would be received by those with strong First Amendment sensibilities, but then, that’s not really big tech’s concern. Tyler Barriss has been sentenced to 20 years in a U.S. federal prison for his admitted role in Andrew Finch's December 2017 swatting death. Barriss' two alleged conspirators, Shane Gaskill and Casey Viner, will have their own fate decided later. They have both protested their innocence.

Dave Bittner: [00:07:47] This was an unusually repellent case that put all the internet's sadly familiar disinhibition and disconnection from reality on display. It's worth reviewing what happened. Mr. Viner, 18 years old at the time, allegedly asked Mr. Barriss to swat Mr. Gaskill, then age 19, in his Wichita, Kan., home. Viner and Gaskill were engaged at the time in an online squabble prompted by their play of Call of Duty. Mr. Gaskill provided the wrong address and then, the government alleges, goaded Mr. Barriss into swatting him. So Mr. Barriss called 911 from his home in California pretending to be an armed man holding his family hostage and gave police the address he'd received. When the police showed up, the door was answered by the man who lived there with his family, Andrew Finch, and who had no acquaintance with and no connection to any of the three involved in the Call of Duty affair of honor. Police shot Finch in the mistaken belief that he was armed and going for his gun, which, of course, he wasn't. Mr. Barriss said he was sorry in court Friday, but that remorse seems both late and thin, especially given what he did last April when he gained access from jail, broadcasting, you are about to get swatted. And finally, Bleeping Computer may have called it ironic, but it somehow seems inevitable. The website of the Nigerian National Assembly, for about two weeks, was serving up a landing page for phishing attacks that were after DHL credentials. Needless to say, it wasn't government policy to host this phishing tackle.

Dave Bittner: [00:09:29] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything you need to know about Security Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:10:45] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He is also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back.

Joe Carrigan: [00:10:54] Hi, Dave.

Dave Bittner: [00:10:55] A story came by recently about an app that turned out was up to no good. Describe to us what's going on here.

Joe Carrigan: [00:11:02] The app was called MobiiSpy.

Dave Bittner: [00:11:04] Right.

Joe Carrigan: [00:11:04] And it's one of these apps that, ostensibly, is for users to install on their children's phones to monitor where they are, possibly for an employer to install on their phones to monitor the location of their phones. But in actuality, what these apps are usually used for is by abusive spouses to track the location and the activity on the phones of their partners.

Dave Bittner: [00:11:29] I see.

Joe Carrigan: [00:11:29] OK? So this MobiiSpy app would store data in the cloud. And it left 95,000 images and more than 25,000 audio recordings of, presumably, phone calls accessible to anybody who knew where they were.

Dave Bittner: [00:11:49] So no login, no - this is an unlocked...

Joe Carrigan: [00:11:52] Right.

Dave Bittner: [00:11:53] ...Bucket of information that...

Joe Carrigan: [00:11:54] Exactly.

Dave Bittner: [00:11:54] ...Was just hung out there, no security whatsoever.

Joe Carrigan: [00:11:57] And no authentication. And the location of the database was hardcoded into the app.

Dave Bittner: [00:12:01] Wow.

Joe Carrigan: [00:12:01] So you could extract it and then start looking at the data on website - on the cloud - on the database.

Dave Bittner: [00:12:09] Now, there's a story here about the attempts for responsible disclosure with this, right?

Joe Carrigan: [00:12:14] Correct. The researcher was Cian Heasley, who found the server. And he reached out to MobiiSpy to try to get them to seal up the breach and got no response from their CEO and founder - nothing. And then he reached out to Motherboard. And Motherboard was like, well, how else can we address this? They reached out to GoDaddy and to Codero, who is the cloud hoster. Codero was the cloud hoster.

Dave Bittner: [00:12:38] Yeah.

Joe Carrigan: [00:12:39] Who said they couldn't do anything. So Motherboard did the next responsible step. And they publicized the information. Now they did not publicize the name of the app because that would represent too much of a risk to the people whose data was exposed.

Dave Bittner: [00:12:53] OK.

Joe Carrigan: [00:12:53] But they did name Codero and GoDaddy in the original app. And then guess what? Codero said, oh, maybe we can help you.

Dave Bittner: [00:13:02] So the hosting provider...

Joe Carrigan: [00:13:03] Right. The hosting provider, who initially said, no, we can't do anything about it. Well, now that you've talked about us in the public, OK, we're going to do something about it.

Dave Bittner: [00:13:09] Sort of got shamed into it, I guess.

Joe Carrigan: [00:13:11] Right. Exactly.

Dave Bittner: [00:13:11] Yeah.

Joe Carrigan: [00:13:12] They issued a letter to MobiiSpy with a deadline of hours, not days. And MobiiSpy did not respond. They eventually took the content down and made it no longer accessible.

Dave Bittner: [00:13:22] Huh.

Joe Carrigan: [00:13:22] MobiiSpy app is no longer - I can't find it in the Google Play Store at all.

Dave Bittner: [00:13:25] OK.

Joe Carrigan: [00:13:26] According to the Motherboard article, the website's gone and everything. But this irritates me.

Dave Bittner: [00:13:32] (Laughter) It's close to home for you, right?

Joe Carrigan: [00:13:34] Yeah. There is a number of issues going on here.

Dave Bittner: [00:13:37] OK.

Joe Carrigan: [00:13:37] No. 1, you don't need these kind of apps, OK? If I want to know where the location of my family is, I share my location on Google Maps with my family. In fact, I do that, so I can tell where my family is, and they can tell where I am.

Dave Bittner: [00:13:52] But they're aware that they're sharing that information with you.

Joe Carrigan: [00:13:54] Not only are they aware of it. But every six months or three months, Google sends you an email to let you know who you're sharing your information with.

Dave Bittner: [00:14:00] Right. So you've got consent there.

Joe Carrigan: [00:14:02] So you've got not just consent but continual consent.

Dave Bittner: [00:14:05] OK.

Joe Carrigan: [00:14:06] And so there is no need for this kind of a tracking app on a phone.

Dave Bittner: [00:14:10] OK. You're covered in other ways by...

Joe Carrigan: [00:14:13] You're covered in other ways.

Dave Bittner: [00:14:13] ...Both of the popular operating systems.

Joe Carrigan: [00:14:15] The only reason for these apps to exist is for people to be abusive to other people.

Dave Bittner: [00:14:20] OK.

Joe Carrigan: [00:14:21] And this is my opinion. But I really don't think that these apps have a legitimate purpose.

Dave Bittner: [00:14:25] Right - so not a fan.

Joe Carrigan: [00:14:26] Not a fan.

Dave Bittner: [00:14:27] Yeah.

Joe Carrigan: [00:14:27] Right. The other thing in here - and this is something I find very frustrating - one of my roles is vulnerability disclosure manager at the Information Security Institute.

Dave Bittner: [00:14:36] At Johns Hopkins.

Joe Carrigan: [00:14:37] At Johns Hopkins.

Dave Bittner: [00:14:38] OK.

Joe Carrigan: [00:14:38] And frequently, when we disclose vulnerabilities, I send a package over to a lot of these companies - and I've sent packages to companies, and I have said, who do I disclose software vulnerabilities to? And they go, I don't know.

Dave Bittner: [00:14:50] So you're the guy who has to send this out and...

Joe Carrigan: [00:14:53] Right.

Dave Bittner: [00:14:53] ...Try to give them the good news, bad news (laughter).

Joe Carrigan: [00:14:56] Right. Right. Bad news - we found a vulnerability. Good news - here's how you fix it.

Dave Bittner: [00:15:00] We're coming to you first, yeah.

Joe Carrigan: [00:15:01] Right. We're coming to you first because we're going to responsibly disclose this...

Dave Bittner: [00:15:03] Right.

Joe Carrigan: [00:15:03] ...Just like Cian did here.

Dave Bittner: [00:15:06] Yeah.

Joe Carrigan: [00:15:06] I like what - the process that Cian Heasley and Motherboard did.

Dave Bittner: [00:15:10] Right.

Joe Carrigan: [00:15:11] But frequently, when I disclose vulnerabilities to people, we tell them, you have 14 days to respond, or we're going to go public with it.

Dave Bittner: [00:15:17] Mmm hmm.

Joe Carrigan: [00:15:18] And the reason we tell them you have 14 days is because the first time - first couple of times we did it, we said, you have a 90-day window in which to fix this, and we will disclose it after that. And we heard nothing back.

Dave Bittner: [00:15:29] (Laughter).

Joe Carrigan: [00:15:30] So we tell people 14 days so that...

Dave Bittner: [00:15:32] So you're using a little social engineering here...

Joe Carrigan: [00:15:34] Exactly.

Dave Bittner: [00:15:35] ...To turn up the heat (laughter).

Joe Carrigan: [00:15:36] Exactly. We tell people 14 days. And if they go, whoa, whoa, we can't fix this in 14 days, then we say, oh, good, OK, how long do you need?

Dave Bittner: [00:15:42] Right.

Joe Carrigan: [00:15:43] How long do you need?

Dave Bittner: [00:15:43] So at least you get...

Joe Carrigan: [00:15:44] Let's discuss it.

Dave Bittner: [00:15:44] You get a response from them...

Joe Carrigan: [00:15:46] Right.

Dave Bittner: [00:15:46] ...Because you inject that sense of urgency.

Joe Carrigan: [00:15:48] Right.

Dave Bittner: [00:15:49] Yeah, yeah.

Joe Carrigan: [00:15:49] We give them an artificial time constraint...

Dave Bittner: [00:15:52] Right.

Joe Carrigan: [00:15:52] ...Although it's not really artificial. We will release the data in 14 days if we don't hear back from them.

Dave Bittner: [00:15:56] I see.

Joe Carrigan: [00:15:57] But I do want to reiterate that if they so much as respond to us during that 14-day period, then we start a conversation immediately. And if they ask for any amount of time, we'll grant it.

Dave Bittner: [00:16:08] Yeah.

Joe Carrigan: [00:16:08] You know, I mean, we're not going to give you two years.

Dave Bittner: [00:16:10] Right.

Joe Carrigan: [00:16:11] But...

Dave Bittner: [00:16:11] You're going to be reasonable about it.

Joe Carrigan: [00:16:11] Yeah. We're going to be reasonable. If you say, we need 90 days to fix this - we need six months to fix it, OK, that's fine. As long as we're credited with finding the bug, we're fine with that.

Dave Bittner: [00:16:19] Yeah. Just don't stick your head in the sand.

Joe Carrigan: [00:16:21] Yeah, don't stick your head in the sand.

Dave Bittner: [00:16:23] All right. Well, another one of those sad stories we see playing out here with people's personal information just being hung out there, and maybe a lesson about using these types of apps.

Joe Carrigan: [00:16:33] It seems the only way to get these companies to do something is to publicly shame them.

Dave Bittner: [00:16:37] Yeah. It's a shame.

Joe Carrigan: [00:16:38] It is a shame. It is a shame.

Dave Bittner: [00:16:39] All right. Well, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:16:41] My pleasure, Dave.

Dave Bittner: [00:16:47] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at thecyberwire.com.

Dave Bittner: [00:16:54] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:17:05] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:17:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.