Dave Bittner: [00:00:03] Huawei gets to buy some products from U.S. companies again. CISA reiterates warnings about the risk of cyberattack from Iran. Considerations about power grid security. Cryptocurrencies draw criminals, and some of the scammers are looking ahead. Australia and New Zealand will conduct a simulation to study ways of removing abhorrent content from the web. The Senate likes Hack the Pentagon. And tech enthusiasm or voyeurism? You decide.
Dave Bittner: [00:00:37] And now a word from our sponsor Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing the resources. It runs, looks and is just as powerful as a local browser with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you're required to keep your online investigations completely anonymous and safe from cyberthreats, consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show.
Dave Bittner: [00:01:51] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:07] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 1, 2019.
Dave Bittner: [00:02:14] President Trump has agreed to permit Huawei to buy some U.S. products. They'll be allowed to buy the boring kit, as CRN puts it, the stuff not deemed to present a threat to national security. Included in that boring kit would be, for one big example, Google's Android operating system. The White House says this doesn't mean the U.S. intends to go squishy on Huawei and that it remains very much alive to the risks the company poses. For its part, Huawei says it welcomes what the company calls a U-turn in U.S. security policy.
Dave Bittner: [00:02:47] The case reminds many observers of ZTE's experience when the company was pulled back from the brink by a U.S. decision to permit ZTE to continue to buy some of the U.S. products it depended on to keep its business going. The Huawei decision is about U.S. exports to the company, not about permitting Huawei products general access to U.S. markets. The decision has drawn decidedly mixed reviews, but big tech will probably be pleased by any relaxation of export controls.
Dave Bittner: [00:03:19] In an interview with Ars Technica, U.S. CISA Director Krebs repeated his agency's warnings of expected Iranian cyberattacks against U.S. targets. It's more than a regional matter, he said, alluding to tensions around the Arabian Gulf. And he again warned that enterprises should consider destructive wiper attacks a real possibility.
Dave Bittner: [00:03:42] There's been a great deal of recent concern about cyberattacks against power grids, with the U.S. warning of both Russian and Iranian hostile interest in the North American grid and with Russia complaining that the U.S. had staged malware in Russia's own grid, presumably as either a deterrent or as battlespace preparation.
Dave Bittner: [00:04:01] An example of power disruption in Japan that came to light last week wasn't a cyberattack, but it was worth considering as a cautionary tale in the light of such worries about the vulnerability of power generation and distribution. Western Digital disclosed that a 13-minute power failure at its partner Toshiba Memory disrupted flash memory production. The accident is said to have destroyed some six exabytes of product. Production is expected to return to normal in the middle of July, and there may be a noticeable economic effect. Significant fluctuations in flash prices are expected, the disclosure suggests.
Dave Bittner: [00:04:41] Another incident - and this one was an attack - is the ransomware infestation at aviation components manufacturer Asco. That attack remains only partially remediated. Things are said to be improving, but Asco doesn't yet have a projected time for full recovery.
Dave Bittner: [00:04:59] Australia is leading a voluntary international agreement in which governments would swiftly take down abhorrent content posted online. Along with partners from New Zealand, the government intends to hold a major simulation to determine how such a takedown might be managed. As Australian officials put it at the G20, quote, "the commitments from the Australian Taskforce to Combat Terrorist and Extreme Violent Material Online the government set up following the Christchurch terrorist attacks will see tighter monitoring and controls on livestreaming and simulation exercise to further test social media companies' capabilities," end quote.
Dave Bittner: [00:05:38] Altcoins are drawing scammers for familiar Willie-Sutton-esque reasons. That's where the money is.
Dave Bittner: [00:05:45] Iran has taken down two big cryptocurrency mining farms run from disused factories. Authorities say the activity was sufficiently power-hungry to have rendered a portion of the grid unstable, with consumers of electricity noticing problems.
Dave Bittner: [00:06:00] A new cryptocurrency, Luno, which is Esperanto for moon, has already become the phishbait in a social engineering campaign. The usual cautions apply, but in this case, note that Luno-phishing is marked by fewer linguistic stigmata than normally appear in phishing emails.
Dave Bittner: [00:06:20] And Facebook's much ballyhooed Libra cryptocurrency, greeted as everything from a new era of trade and remittances outside the stranglehold of central banks to the mark of the beast and, inter alia, something like an Illuminati plot to control everyone's identity - anyway, Libra, as we say, is already the occasion of a competitive criminal scramble to register domains that look or sound sort of the way the scammers imagine a Libra domain would. So prepare yourself in advance. The phishers of coin are already baiting their trawl lines.
Dave Bittner: [00:06:53] Security firm Proofpoint recently shared warnings that bad actors are increasingly targeting specific individuals within organizations, making use of techniques like social engineering to gain access. With this in mind, they say it's important for organizations to focus on the human side of cybersecurity. Gretel Egan is security awareness and training strategist at Proofpoint.
Gretel Egan: [00:07:15] First, you need to look at the threat intelligence that you have. Most people are monitoring email. Most people have threat detection tools in place, so great idea to take a look at what is coming into your organization and who is receiving - who is the intended recipient, if things are being blocked, you know, of those types of attacks and how those attacks are being structured. What type of messages are in these emails? Are there malicious attachments? Are there malicious links? How are they being structured? And then really kind of taking a look at who and what departments and what roles are cyberattackers valuing?
Gretel Egan: [00:07:57] But maybe it's a little different than my perception of who I think cyberattackers might be going after. We do see a lot of organizations kind of assuming that those VIPs or the very visible C-level executives - that these are the people that cyberattackers are going to go after. And certainly, they are. However, we see attackers looking up and down org charts to find their points of compromise. Important to really know how your organization in specific is being attacked.
Gretel Egan: [00:08:31] Another way - a second way to figure that out is to use some security awareness and training tools - things like phishing simulations, phishing tests, where you send out simulated phishing attacks - different types, different structures - and look at the people within your organization who are vulnerable and susceptible to those types of attacks. Who's clicking? Who's engaging? Who is being tricked into providing credentials or being tricked into going to, you know, a malicious website based on the way you've structured your test.
Dave Bittner: [00:09:05] Now, when you're testing your employees for phishing, is it better to take a carrot or a stick approach if someone does click through on that link? Or is - it seems to me like that's a moment for education rather than, perhaps, punishment.
Gretel Egan: [00:09:18] It certainly is what we advocate. Really basically, it comes down to the fact that organizations are allowing their technology to fail. We have these purpose-built technical tools that are not 100% capable of stopping everything that's coming in. But at the same time, these same organizations are sometimes looking to their users to be right 100% of the time. That's just not going to happen.
Gretel Egan: [00:09:45] We really advocate for making it a positive learning experience for the user at that moment rather than a, quote, unquote, "punishing experience," if you will. You don't really want to turn that moment into a point where an employee feels not only vulnerable because they've exhibited potentially a susceptible behavior that's a dangerous behavior, but then also to feel kind of attacked by their organization in that same moment. So really a great idea, what we advocate for, is much more of a carrot approach, taking that as a learning moment, a teachable moment, and moving ahead in a positive direction to try to positively influence future behavior.
Gretel Egan: [00:10:31] The human factor, in our opinion, will always be at play when you have people making decisions, posting to social media, taking actions on mobile devices, on downloading apps and interacting with things. I don't see a point where technical safeguards are going to catch up enough to stop all threats.
Dave Bittner: [00:10:52] That's Gretel Egan from Proofpoint.
Dave Bittner: [00:10:55] The just-passed Senate version of the National Defense Authorization Act for 2020 includes strong encouragement for defense and security agencies to use crowdsourced security testing. The report that accompanies the act specifically calls out the Defense Department's Hack the Pentagon program as a model.
Dave Bittner: [00:11:14] And finally, in a bit of good news, the creator of the AI-powered app DeepNude has taken down and stopped selling his invention. DeepNude was an app that would transform ordinary photos of women - and tellingly, it only worked on women - and automatically transform the photo into an apparent nude. So yeah, horrifying. Many consider it a sign of what's to come in the deep-fake field. But for now, at least this one is gone.
Dave Bittner: [00:11:51] And now a word from our sponsor Edgewise. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time-consuming and offers limited value that's hard to measure. There's a better approach - Edgewise Zero Trust Auto-Segmentation. Edgewise is impossibly simple microsegmentation in one click, delivering results immediately with a security outcome that's provable and management that's zero-touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application in any environment without any architectural changes. They provide measurable improvement by quantifying attack path risk reduction and demonstrate isolation between critical services so that your application can't be breached. Learn more at edgewise.net/cyberwire. That's edgewise.net/cyberwire. And we thank Edgewise for sponsoring our show.
Dave Bittner: [00:13:18] Joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. I wanted to touch base with you today about two-factor authentication, particularly on mobile devices, and ways that some of the bad guys have figured out how to bypass that.
Justin Harvey: [00:13:35] Yeah, Dave. Just like a car with brakes - we tell everyone your car must have brakes, but if you don't take care of them or if you don't understand how and why and where to use them, you're probably going to crash. And the same is true a little bit for multifactor authentication. For years now, we've been saying, get MFA, use it on everything you've got. But we're starting to see adversaries really take advantage of that through a few ways.
Justin Harvey: [00:14:03] The first is mobile SIM number rerouting. So this is where - let's say that you're with a large mobile carrier. Your phone has been working for years. But the adversary can look up your phone number and figure out which provider you're with. Then, they will call the provider up and social engineer them to essentially reset the password. And then they'll log in as you and reroute your SIM card, or the number going to their SIM card, to their SIM card. So essentially, they're hijacking your phone number, and then it's as easy as the adversary going in, starting the two-factor, and it sends them an SMS, but instead of sending the real owner the code, it's going to the adversary.
Justin Harvey: [00:14:48] I think the best way to guard yourself against these types of attacks is figuring out and determining what sort of customer identification process your mobile phone provider has and making sure that your answers are strong.
Justin Harvey: [00:15:03] That actually leads us into the second type of multifactor override, which is abusing the recovery process. Most multifactor platforms have the capability so that if you lose your phone, you lose the device that creates that code, you can answer a few questions and get a temporary code back. And talking to my adversary simulation team today, and they said, yes, the majority of the questions and answers are relatively simple. And even in some cases, it said, like, what's the name of your first - your eldest sibling or your youngest sibling or your first sibling? And all of that information can be obtained via background questions or background checks.
Justin Harvey: [00:15:48] It's highly advised to guard yourself against these two types of attacks by picking really strong questions and answers and not who your first dog was. But - and, in fact, when I get those types where I have to pick from a dropdown and some of them are the most simple questions to answer, sometimes I think of a fake answer and put it in there.
Justin Harvey: [00:16:08] The best course of action is to use the Microsoft Authenticator, the Google Authenticator, real apps within your phone, or even, in some cases, go back to hard token. And then on top of that, if you are, let's say, a CIO, CISO or someone who has control over these platforms, really look to strengthen your recovery process so that it's not as easy to get a new code without having the token, essentially. But it seems like, to me, SMS-based texting is probably the lowest form of multifactor and has the highest degree of risk associated with it.
Dave Bittner: [00:16:44] But I suppose still better than nothing.
Justin Harvey: [00:16:46] Absolutely. When it comes to telephone or SMS-based two-factor, there's even some different types of attacks, like the SS7 intercept capability. So SS7 is more of a nation-state-style attack where you can set up your own cell tower, in essence, and you can intercept traffic coming through there. And I want to at least point out in most Five Eyes countries, those are all illegal to use and set up, but it has happened out in the wild. It's more of a nation-state-style attack, but it's worth mentioning there.
Justin Harvey: [00:17:18] There's malware intercept, so creating a piece of malware that goes on a phone, typically Android, since they don't have a walled garden app type of approach like Apple does. But malware has been seen out there in the wild that reads texts and looks for two factors and sends them to a centralized repository.
Justin Harvey: [00:17:39] You've got your standard social engineering types of attacks where, Dave, if I wanted to get access to the CyberWire platform itself, maybe I call you as a Bank of America representative and said, hi, this is Justin with Bank of America. Dave, there's a problem with your account. I'd like to prove that it's you. I'm going to send you a code. Could you read it back to me? And I actually go to this - to your platform, and I create a login request, and then you get it, and you're like, is this Bank of America or is this my own CyberWire? It's very hard to tell in some cases.
Justin Harvey: [00:18:09] And then the final type that we are seeing quite a bit of is using the Modlishka proxy platform, which is, essentially, you're going to create a login page just like the login page that you want to get access to. You send the user through a phishing email to have them go enter their credentials, and it's very much like a business email compromise style of attack where you have your own website and you're mimicking the two-factor login of the victim. The victim goes there. They're not really paying attention. They enter in their credentials. You steal those credentials and proxy it back to the real two-factor, which gives you the challenge, which allows the user to enter it in. Because you're running the platform, you can see everything going in. And, essentially, you grab that and log in right behind them - actually, not even behind them. You're logging in for them. They might see an error code, and then they're - boom, you're in.
Dave Bittner: [00:19:04] Yeah, it's a lot to look out for. But at the same time, it seems like there are some good solutions out there.
Justin Harvey: [00:19:08] Yeah, I would say try to stay away from SMS-based multifactor and really focus on using Google Authenticator and Microsoft Authenticator.
Dave Bittner: [00:19:17] All right. Well, as always, Justin Harvey, thanks for joining us.
Justin Harvey: [00:19:20] Thank you.
Dave Bittner: [00:19:25] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:38] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.