The CyberWire Daily Podcast 7.15.19
Ep 884 | 7.15.19

Voting machine woes. Router exploits trouble Brazil, Bitpoint alt-coin exchange investigates theft. Facebook fined $5 billion. Power failures probably unrelated to cyberattacks. Amazon Prime phishing.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick announcement that you can now get a version of our daily news briefing on your Amazon Alexa. Just set up the CyberWire as part of your flash briefing and say, Alexa, what's my flash briefing? Check it out. 

Dave Bittner: [00:00:18]  Upgraded voting machines may not be as secure or as upgraded as election officials seem to think. Criminals continue to exploit routers in Brazil. A Japanese cryptocurrency exchange shuts down while it investigates a multimillion-dollar theft. The Federal Trade Commission fines Facebook $5 billion over privacy issues. Weekend power outages seem not to have been the result of cyberattacks. Another city sustains a ransomware attack. And shop carefully on Amazon Prime Day. 

Dave Bittner: [00:00:54]  It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:55]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:10]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 15, 2019. The commonwealth of Pennsylvania has announced its determination to upgrade its election security before 2020, and it's spent more than $14 million in funds - mostly contributed to the state by the federal government - to do so. But this upgrade hasn't proceeded happily. The Associated Press reported in an exclusive over the weekend that county election authorities have, for the most part, gone with voting machines running Windows 7, an operating system that will reach its end-of-life in January. The systems are used, the AP says, quote, "to create ballots, program voting machines, tally votes and report counts," quote. All of this is, as the engineers would delicately put it, suboptimal, and no one is particularly happy about it. U.S. Election Assistance Commission chair Christy McCormick told the AP using Windows 7 systems, quote, "is of concern, and it should be of concern," quote. 

Dave Bittner: [00:03:14]  The largest U.S. voting system vendor, ES&S, says it's got arguably more secure Windows 10-based systems coming soon and that it's working with Microsoft to provide Windows 7 security upgrades until all systems can be converted to the latest version of the OS. This is not an unfamiliar problem with the Internet of things generally. Vendors modify operating systems in ways that tend to prolong their life beyond the intended limits. There may also be a standards issue here. County election officials tend to take certifications as solid evidence that their systems are secure. But the AP's story goes on to say that Citizens for Better Elections, an advocacy group, says that many county election officials seem to be unaware that many of the systems they intend to use were certified under 2005 standards. In any event, vulnerabilities in systems that count and report votes would open the possibility of direct manipulation of elections, a step beyond the kind of influence operations foreign actors have deployed in the past. 

Dave Bittner: [00:04:18]  Avast follows up the trend toward cross-site request forgery attacks against routers with a report on the exploit kits used. The attacks had been noted earlier by Radware and Netlab. Victims continue to be concentrated in Brazil. 

Dave Bittner: [00:04:33]  CoinDesk reports that Japanese alt-coin exchange Bitpoint has halted all activity while it investigates the theft of some $32 million in cryptocurrency. The exchange noticed there was a problem when it observed anomalous behavior in a hot wallet. 

Dave Bittner: [00:04:50]  The Wall Street Journal reported late Friday that the U.S. Federal Trade Commission has approved a $5 billion settlement in the matter of Facebook privacy missteps in connection with the Cambridge Analytica data scandal. The commission divided along partisan lines in their vote. The three Republicans approved the FTC's proposed settlement, while the two Democrats saw things to dislike in it. The agreement, which now goes to the Department of Justice Civil Division for final review, is expected to include provisions for closer privacy oversight of the social network, but those details weren't immediately available. It's thought the partisan divide may have been over the character of the oversight measures. 

Dave Bittner: [00:05:31]  As heavy a burden as $5 billion may be, Congressional critics of the fine point to Facebook's very high revenues, which were, The Washington Post notes, $15 billion for the last quarter alone. Facebook had expected a heavy fine and in that same quarterly report said that it had put aside funds to cover that eventuality. Another way of looking at the matter is in terms of profit per employee. At Facebook, that's over $634,000 per employee per year, a record for the tech sector, according to Silicon Valley Business Journal. Nonetheless, it's hard to regard $5 billion as chump change, even around Menlo Park. The settlement easily sets a record for penalties imposed for violating an FTC order. The previous record was a $22.5 million fine against Google in 2012, which, in relative terms, is chicken feed. The FTC has greater latitude in punishing repeat offenders, and were Facebook not a privacy recidivist, it might have gotten off easier. On the other hand, a number of observers, including some members of Congress, think the penalty amounts to a slap on the wrist. An opinion piece in The Verge agrees, arguing that Facebook has behaved badly since its foundation and that it has consistently escaped accountability for such missteps as those on display in the Cambridge Analytica affair. 

Dave Bittner: [00:06:56]  The GAO recently published a report, "Federal Agencies Need to Strengthen Online Identity Verification Processes," urging federal agencies to up their game when it comes to user authentication. Patrick Cox is founder of TRUSTID, a company that specializes in call authentication. 

Patrick Cox: [00:07:15]  The traditional way - I say traditional, meaning maybe the last 10 or 15 years. The way authentication has worked in these channels is primarily asking questions, right? We all know the drill. What's your mother's maiden name? What's your date of birth? What's your Social Security number? Things like that. And that's broken. That's really what led us here today is that that information is just totally broken. 

Dave Bittner: [00:07:38]  And so what are the alternatives then? 

Patrick Cox: [00:07:40]  Well, three ways to authenticate somebody. One, obviously, is ask you questions, and that's called knowledge-based identity proofing. The second one would be ownership. So you think about a credit card, a physical, unique device, right? That would be ownership authentication. Having a device - a key, for example - a key to a safety deposit box would be an ownership token. And the final one is what we'd call inherent, something you inherently are, so a fingerprint, a retinal scan, you know, DNA. Things like that would indicate who you are. Those are the only three tools we have in the authentication arsenal. So questioning, you know, is really easy to understand why you do that, especially over a phone call, because it's hard, if not impossible, to get a fingerprint or something over a phone call, right? So it becomes more challenging. 

Dave Bittner: [00:08:26]  I know one of the concerns here is that if you move to a digital method, if you do something that, you know, requires something like a mobile device, well, not everybody has a mobile device. 

Patrick Cox: [00:08:39]  Absolutely true. And so what we've been advocating for - in fact, we do this millions and millions of times each day for some of the largest financial institutions in the country - is relying far less on the asking of questions - right? - the knowledge information. That whole approach, frankly, is broken because criminals know your date of birth, right? It's on social media. It's been shared. The sad news with all the data breaches and hacks and so on out there, they have your Social Security number. They have your address. They have your mortgage payment information. The information has been shared with the bad guys. 

Patrick Cox: [00:09:13]  And so what we advocate for is using more ownership authentication. So if you're calling from a mobile phone, as you say, Dave, it's pretty common sense to say, hey, if we can make sure that mobile phone is unique, it's not duplicated, it's actually engaged in the interaction, it's in that person's possession because they've obviously used some sort of, probably, inherence method - right? - they've used a facial scan or a fingerprint or a passcode to get access to that phone, that's great. And then, also, it's nice, though, on a phone call, even if it's a landline, you could do the same thing for landline phones. Yes, which is great, right? Now you've got basically 100% coverage because if the person is able to call in, then they can identity proof with that ownership token, the phone itself. Doesn't have to just be mobile. It can be landline as well. 

Dave Bittner: [00:09:58]  And is that, like, something as simple as a callback system, where they're calling you so they know the number they're calling, or I guess using some sort of caller ID to verify the number you're calling from? 

Patrick Cox: [00:10:09]  Yeah, so you'd use the caller ID information, which is great. However, you probably heard of a thing called spoofing, where criminals and others can... 

Dave Bittner: [00:10:16]  Yeah. 

Patrick Cox: [00:10:17]  Yeah, they can fake your phone number. So if you can solve for the spoofing problem - and there's technology today that does that - and, also, if you can solve for what we call the virtualization problem - and there's technology that solves that - when I say virtualization, think about calls from Skype or Google Voice, right? There's not really a physical device. It's not really a physical location. It's more of a virtual login username and password. You can deal with that technology and be able to identity proof these calls if you can solve for the spoofing and virtualization problems. And again, as I said, there's really proven technology out there to do those things. 

Dave Bittner: [00:10:50]  That's Patrick Cox from TRUSTID. 

Dave Bittner: [00:10:54]  Deutsche Welle reports that an unprecedented power failure yesterday affecting Argentina, Uruguay and Paraguay remains under investigation, but Argentina's energy ministry says a cyberattack is not among the main alternatives being considered. MSNBC quotes New York City's Mayor de Blasio saying, the city is as certain as we can be that Manhattan's weekend blackout was not caused by a cyberattack. Power has been largely restored in both instances. Official announcements concerning grid failures now routinely address the possibility of cyberattack. 

Dave Bittner: [00:11:31]  The Syracuse City School District in central New York State has confirmed that a cyber incident it sustained last week was, in fact, a ransomware attack. This is the most recent in a string of ransomware attacks against local governments and their services. Syracuse schools haven't yet brought their systems back online. The town of New Bedford, Mass., also sustained a recent cyberattack, but the city is keeping quiet about the details, acting, it says, on the advice of the security consultants it's hired to help with recovery. 

Dave Bittner: [00:12:03]  And it's Amazon Prime Day, as you may have noticed. Even if you haven't noticed, the grifters, scammers, the hoods all have. Amazon Prime is being used as phishbait all over the place, so shop carefully. 

Dave Bittner: [00:12:21]  And now a word from our sponsor, KnowBe4, the experts in new-school approaches to defeating social engineering. You ever wonder how hackers and con artists know so much about their targets? Basically, there's more information out there on everyone than you'd like to believe. There's even a name for it, open source intelligence - OSINT. Kevin Mitnick, KnowBe4's chief hacking officer, can show you what the bad guys can find out about you. Go to knowbe4.com/osint and register for a free webinar with people who know a thing or two about mind-blowing underground OSINT secrets that you need to know. That's knowbe4.com/osint. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:13:15]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, it's good to have you back. 

Joe Carrigan: [00:13:24]  It's good to be back, Dave. 

Dave Bittner: [00:13:25]  Joe, we have been following this story about Apple and Zoom... 

Joe Carrigan: [00:13:30]  Right. 

Dave Bittner: [00:13:30]  ...The conferencing software, and how Zoom had installed a web server on Macs. And if you uninstalled the Zoom app, this web server would stay behind... 

Joe Carrigan: [00:13:43]  Correct. 

Dave Bittner: [00:13:43]  ...To, Zoom says, to facilitate easier reinstallation... 

Joe Carrigan: [00:13:48]  Right. 

Dave Bittner: [00:13:50]  ...Of the app. 

Joe Carrigan: [00:13:50]  Right. Well, the vulnerability actually stems from a problem with this ease-of-use feature, if you want to call it that, that Zoom was insisting on, now has since backtracked from it. But the idea that when I click the link, I just get - it just works. Zoom just comes up, and I'm teleconferenced in, right? 

Dave Bittner: [00:14:08]  Right. Right. 

Joe Carrigan: [00:14:08]  And the link - the person who administers the Zoom conference can turn my camera on and my microphone on so that, presumably, I don't have to sit there going, how do I get my audio connections... 

Dave Bittner: [00:14:21]  Right. 

Joe Carrigan: [00:14:22]  ...To work, just like I did this past Tuesday in a Webex meeting. 

Dave Bittner: [00:14:25]  (Laughter) Yeah, exactly. 

Joe Carrigan: [00:14:26]  That happened to me. 

Dave Bittner: [00:14:26]  Well, yeah - yes, they are - they're - yes. 

Joe Carrigan: [00:14:29]  I had to type in the chat and say, hold on; let me set my audio settings right. But... 

Dave Bittner: [00:14:34]  Yeah, we've all been through that for sure. 

Joe Carrigan: [00:14:35]  Right, exactly. And Zoom is, from a user perspective, saying, well, that's too much. Let's just do this. Well, that is also too much. But really, what's interesting in this is that the Apple version of the software contained a web server on your machine that even after you uninstalled Zoom, when you clicked on another link, this web server would help and reinstall the software again. And it was seamless. So the user didn't see it getting installed. Apple then, this week - late this week, has pushed out an update that goes in - a silent update that goes in and removes this server from your machine. 

Dave Bittner: [00:15:13]  Right, right. Now, this I find interesting as well. There's a person on Twitter. His name is Eric Capuano. And I think he captured - he captured this in this tweet. He said, InfoSec Twitter - how dare you silently install a vulnerable web server on my system? Also InfoSec Twitter - how dare you silently remove a vulnerable web server from my system? 

Joe Carrigan: [00:15:37]  Right. 

Dave Bittner: [00:15:37]  Everyone else - I guess there was a bad thing that could turn on my camera, but it's gone now. 

Joe Carrigan: [00:15:41]  Right, yeah. 

Dave Bittner: [00:15:42]  Yeah. 

Joe Carrigan: [00:15:42]  That's right. 

Dave Bittner: [00:15:43]  So - but what do you make of this - some people pushing back on Apple's capability to silently alter your computer for what they... 

Joe Carrigan: [00:15:52]  Right, to uninstall software. 

Dave Bittner: [00:15:54]  Uninstall software from what they say are for security reasons. And in this case, that is absolutely true. 

Joe Carrigan: [00:16:00]  Correct. 

Dave Bittner: [00:16:00]  What do you make of people getting spun up about that? 

Joe Carrigan: [00:16:03]  I don't know. I mean, I tend to think that when you buy an Apple device, you're going into the Apple ecosystem, right? And part of that ecosystem is they have a security culture, and they have the idea that the user is not really in control of their computer experience - that they are. 

Dave Bittner: [00:16:16]  To the degree they are on other - with other OSs. 

Joe Carrigan: [00:16:19]  Right. This is... 

Dave Bittner: [00:16:20]  Yeah. 

Joe Carrigan: [00:16:20]  This is the main reason I don't like Apple. As a guy who comes from a technical background, I enjoy using a Windows machine or Linux machines. 

Dave Bittner: [00:16:30]  Right. 

Joe Carrigan: [00:16:31]  I don't want the Apple experience. I don't want them telling me what to do. So if you don't want Apple behaving this way, don't buy an Apple. 

Dave Bittner: [00:16:41]  Right. 

Joe Carrigan: [00:16:41]  Right? But the vast majority of people, just like this tweet says, are - have the attitude that, hey, there was something bad, and Apple took care of it. 

Dave Bittner: [00:16:50]  Yeah, we're good here. 

Joe Carrigan: [00:16:51]  We're good. We're done. You know, and I think that what really prompted Apple to do this was the fact that Zoom's web server didn't uninstall as part of the app uninstall. That's probably in violation of the developer agreement. 

Dave Bittner: [00:17:04]  I would imagine so, (laughter) yes. 

Joe Carrigan: [00:17:05]  I don't know that it is. I'm not an app developer for Apple. 

Dave Bittner: [00:17:08]  Yeah, it makes sense that it would. 

Joe Carrigan: [00:17:10]  Yeah. 

Dave Bittner: [00:17:10]  I mean, it's just - it's bad form, if nothing else, to... 

Joe Carrigan: [00:17:13]  Right. 

Dave Bittner: [00:17:13]  ...Leave behind a web server running after your user has requested that your software be uninstalled. 

Joe Carrigan: [00:17:19]  Right, exactly. 

Dave Bittner: [00:17:20]  Yeah. And there's an article Zack Whittaker wrote over on TechCrunch. And part of it includes a quote from a spokesperson from Zoom who said, we're happy to have worked with Apple on testing this update. 

Joe Carrigan: [00:17:33]  Right, yeah. 

Dave Bittner: [00:17:34]  I'm just guessing what that... 

Joe Carrigan: [00:17:35]  Everybody's all grins over there, right? 

Dave Bittner: [00:17:37]  ...Conversation was like. Right. I'm just seeing... 

[00:17:38]  (LAUGHTER) 

Dave Bittner: [00:17:39]  I'm just imagining Apple saying to - speculating here, but thinking that Apple's saying, OK, so here's what's going to happen. 

Joe Carrigan: [00:17:45]  Right. 

[00:17:45]  (LAUGHTER) 

Dave Bittner: [00:17:46]  And Zoom saying, OK, right. Yup, OK. OK, very good. We're good. We're good. 

Joe Carrigan: [00:17:50]  You have a lot of computers that we want to have access to... 

Dave Bittner: [00:17:53]  Right. 

Joe Carrigan: [00:17:53]  ...So, yup, OK. 

Dave Bittner: [00:17:53]  Right, right. Yeah. 

Joe Carrigan: [00:17:54]  I mean, this is - like I said, this is why you buy an Apple. 

Dave Bittner: [00:17:56]  Yeah. 

Joe Carrigan: [00:17:57]  You know, it's because of the security posture and because a lot of this - a lot of this maintenance, which would - you'd have to do yourself on other operating systems is handled by Apple themselves. 

Dave Bittner: [00:18:07]  Yeah. All right, well, it's an interesting kerfuffle. And, certainly, I mean, it's a security event as well. 

Joe Carrigan: [00:18:13]  It is. 

Dave Bittner: [00:18:13]  Yeah. All right, well, Joe Carrigan, as always, thanks for joining us. 

Joe Carrigan: [00:18:17]  My pleasure, Dave. 

Dave Bittner: [00:18:22]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:35]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: [00:18:50]  And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcasts. 

Dave Bittner: [00:19:03]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.