Telco data breach. Firmware supply chain problems. Hacking BLE. Census security. Continuity of operations. Decryptor for GandCrab, NSPM 13. Bulgaria’s tax hack.
Dave Bittner: [00:00:03] Sprint warns of a data breach. Eclypsium announces discovery of server firmware supply chain problems. Bluetooth Low Energy may be less secure than thought. Congress hears about U.S. census cybersecurity - ransomware and continuity of operations. The FBI offers help decrypting GandCrab-affected files. Venafi on why financial services are especially affected by certificate issues. Congress asks to see NSPM 13, and an arrest is made in Bulgaria's tax agency hack.
Dave Bittner: [00:00:40] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 17, 2019. U.S. telco Sprint has warned customers that unauthorized persons may have obtained access to their Sprint account. The hackers obtained access in some unspecified manner through the samsung.com "add a line" website. Sprint says it's taken steps to secure its customers' accounts.
Dave Bittner: [00:02:19] Security firm Eclypsium has an account of how a firmware supply chain problem has cropped up in several marks of servers. The issue involves the BMC - that is, the baseboard management controller - and devices from at least six different manufacturers are affected. Eclypsium found two distinct vulnerabilities. First, some BMC firmware update processes fail to perform cryptographic signature verification before accepting updates. And second, the BMC code that performs the firmware update contains a command injection vulnerability. Some server vendors, notably Lenovo, have released updates and mitigations to address these problems. But Eclypsium notes that supply chain issues of this kind tend to be persistent and can be difficult to fix.
Dave Bittner: [00:03:06] Researchers at Boston University report that they've demonstrated they can defeat the MAC address randomization Bluetooth Low Energy uses to protect devices from being identified and tracked. There is a wide range of ways in which Bluetooth Low Energy can be implemented in a device, but the researchers' conclusions suggest that this isn't as simple a matter as, for example, making sure your AWS S3 buckets are left open to the internet. Even properly, carefully implemented instances can yield a lot more information about a device than had generally been believed.
Dave Bittner: [00:03:40] Congress is raising concerns about the 2020 U.S. census. This is the first U.S. census in which a significant portion of the data collection will be done online with the attendant possibility of hacking, and the customary a priori jitters are to be expected. The Government Accountability Office testified before Congress that, "although the bureau" - that is the Census Bureau - "has taken initial steps to address risk, additional actions are needed, as these risks could adversely impact the cost, quality, schedule and security of the enumeration," end quote. The GAO said it had identified some 330 corrective actions back in May that it brought to the Census Bureau's attention. The Bureau is delaying action on 104 of these, citing either technical or resource issues. That said and all things being equal, the GAO thinks that, quote, "while there's a lot of work needed going forward," they "don't think we're looking at a disaster." The whole point, of course, is to be able to carry out the constitutionally required headcount. And the Census Bureau is confident it can do that while securing the personal data it will collect. Sensibly, they say they have a variety of continuity of operations plans in place and that they're working on a plan that would cover the worst-case catastrophic takedown of its systems.
Dave Bittner: [00:05:01] Continuity of operations and mission assurance are worth thinking about with respect to ransomware too. One of the bigger ransomware demands issued lately has been received by Monroe College, a proprietary school headquartered in the Bronx. Naked Security puts the extortion demand at $1.8 million, and Inside Higher Ed says it's an even 2 million. In any case, what may be most interesting about the episode is the way in which Monroe is working to continue operations. The college has declined to say whether it will pay the ransom, but it has said that it's reverted to manual and even face-to-face operations to continue to deliver its product to the students. As President Marc Jerome put it, quote, "we're simply doing it the way colleges did before email and the internet, which results in more personal interactions," end quote.
Dave Bittner: [00:05:50] Given the way in which schools and city governments have been clobbered by ransomware over the course of this year, this particular fallback - readiness to revert to manual backup - is well worth considering. Every organization has a mission, and IT systems are there to facilitate accomplishing that mission. So it's worth thinking in terms of continuity of operations and mission assurance. If we may be permitted a local observation, had the city mothers and fathers of Baltimore devoted some time and attention to this, they wouldn't have found themselves in this year's ongoing ransomware pickle. And the citizens of Charm City would be spared the sticker shock of a huge water bill that represents a catch-up bill after months of downtime.
Dave Bittner: [00:06:33] Facebook has been under a good bit of scrutiny lately for a variety of things, not the least of which is their recently announced move into cryptocurrency and digital wallets. Tamika Smith has more on that story.
Tamika Smith: [00:06:45] We're approaching a month since Facebook announced its new cryptocurrency, Libra, and their digital wallet, Calibra. The tech giant's move has spawned an increase in domain permutations, drawing out hackers and scammers across the web seeking a payday. Here to talk more about this is Alex Guirakhoo. He's a strategic intelligence analyst at Digital Shadows. Hi, Alex. Welcome to the program.
Alex Guirakhoo: [00:07:08] Hey, Tamika. It's good to be here.
Tamika Smith: [00:07:10] OK. So you recently wrote an article that delves into how scammers and hackers have seen this sort of like a gold rush. So let's start with charts you created. What were you looking for in the results?
Alex Guirakhoo: [00:07:22] I initially was doing some research completely unrelated for a client report, and I had noticed that there was a weirdly high number of domains that were being created that essentially upended the client's name brand with either Libra or Calibra. I thought to myself, hey, that's a little bit weird, because spoof domains are extremely common, but it's a bit more rare to see a consolidated effort like this. And so that got me thinking.
Alex Guirakhoo: [00:07:46] What I did was I went into Shadow Search, which is a tool that searches across Digital Shadows' data repository and basically includes everything from WHOIS records and CVs to threat actor profiles and dark web search results. And I used that to pull up a list of all the domains that we had collected on that either had Libra or Calibra in the URL that were created either on or around the days of the announcement, which was on June 18.
Tamika Smith: [00:08:12] Interesting. So all of the domains that were set up on the 18th, as you categorize them in your article, they're hosting malicious content. But they're split up into different categories. Can you talk about that?
Alex Guirakhoo: [00:08:23] Yeah. So essentially the three different categories that I came up with were the boring ones, so those that aren't really doing much. They're sitting there, parked, not hosting content. But the more interesting ones I split into the two different categories. So they were either directly impersonating the Libra, Calibra website or they were using the Libra, Calibra brand to run a type of scam.
Tamika Smith: [00:08:46] Does GDPR have a role to play in what countries are going to be hit the hardest by this?
Alex Guirakhoo: [00:08:52] So the way that GDPR will work is that it's really only going to be effective on the companies themselves and whether or not they operate within essentially the jurisdiction of GDPR. It's not really going to curb anything that these criminals are going to do. In the long run, it might tighten up security controls that the companies will have in place and kind of put these up in the forefront within an organization's policies. And that in itself could make it more difficult for attackers to target these kinds of organizations.
Tamika Smith: [00:09:18] So now let's look at cryptocurrency in itself. It's not new. Everyone knows about cryptocurrency. Most - one of the ones that became very famous is bitcoin. But now, you know, Facebook is in the game as well. And they're attracting a lot of attention, garnering attention from political figures and the banking industry. What makes their currency different from, say, bitcoin?
Alex Guirakhoo: [00:09:42] Yeah. So everyone knows about Facebook. They're extremely popular. They have a strong footing in the tech world. And so, like you said, it's natural that they attract a lot of this kind of attention.
Tamika Smith: [00:09:52] As of right now, Facebook has no plans on offering Calibra's digital wallet services in its largest market in India. And India has made it very clear that they're not happy with having a private cryptocurrency in their market as well, so much so that the country's economic affairs secretary said in a Bloomberg interview that they would not be comfortable with a private cryptocurrency and that they will be proposing stringent penalties, including prison sentences up to 10 years.
Alex Guirakhoo: [00:10:20] So Facebook is absolutely huge. And essentially, the goal with Libra and the Calibra wallet is to leverage their big - their global platform to create an easy-to-use, borderless currency. But in practice, like you said, that can be a bit more difficult. With India saying that they're not too comfortable with the implementation of cryptocurrencies like Libra, it raises a couple of questions. But mainly things like blockchain networks, which typically operate in a more decentralized manner, it can make it difficult to regulate it in the way that you would a more traditional currency.
Alex Guirakhoo: [00:10:53] But the way that Libra appears to be set up, it seems more centralized than most other cryptocurrencies, like you mentioned, bitcoin. And so it's probably more likely that Facebook will try to abide by the laws within countries like India and that Libra would be operating otherwise. But we'll have to see how that actually works and how that's implemented once the cryptocurrency actually comes around in 2020 because it's difficult to fully manage a blockchain network, especially with regards to cryptocurrencies, because people can always use VPNs to get around things like IP blacklisting. So it is possible. And essentially, we'll just have to see what happens come 2020.
Tamika Smith: [00:11:28] Exactly. So we'll have to leave the conversation here for now. Thank you so much for joining the conversation, Alex.
Alex Guirakhoo: [00:11:35] It was so nice to be on. Thank you so much.
Tamika Smith: [00:11:37] Alex Guirakhoo is a strategic intelligence analyst at Digital Shadows. You can find him tweeting @photon_research, tweeting about Facebook's Libra, leaky SMB file shares, among other topics.
Dave Bittner: [00:11:50] And Tamika Smith joins me in the studio now. Tamika, along with the folks sort of going out on this gold rush for domain names, representatives from Facebook had some time in front of Congress yesterday. They got a bit of a grilling.
Tamika Smith: [00:12:04] Yes, they did, specifically David Marcus. He's the co-creator of Facebook's new digital currency, Libra. What I thought was very interesting is that he knew, from what I could see, that he was stepping into a zone where a lot of criticism was going to be coming his way. He brought up the independent Libra Association, which includes companies in the financial sector, blockchain sector, venture capitalist companies, nonprofits. They're specifically there to regulate this new currency and to make sure that implementing safeguards is what they're there to do and, most importantly, that Facebook will only get 1% of the vote on this association.
Dave Bittner: [00:12:49] All right. Well, these are certainly interesting developments. I think Facebook is under a lot more scrutiny than perhaps they had hoped to be under or even bet on. Tamika Smith, thanks for keeping an eye on this stuff.
Tamika Smith: [00:13:03] Of course.
Dave Bittner: [00:13:04] The U.S. FBI has issued a flash alert offering master decryption keys and other useful information concerning the now possibly retired but still troublesome GandCrab ransomware. Good for the Bureau, we say. Now anyone can create their own decryptor.
Dave Bittner: [00:13:20] A survey by Venafi suggests that financial services are likelier to suffer a certificate-related outage than are businesses in other sectors. They're particularly vulnerable because, as Venafi puts it, quote, "financial services organizations rely on machine identities to secure and protect a wide range of business-critical machine-to-machine communication," end quote.
Dave Bittner: [00:13:42] Bulgarian authorities have arrested a 20-year-old man in connection with a data breach at the National Tax Agency that exposed some 7 million people's personal information. The unidentified suspect is said to have been a legitimate penetration tester who went over to the dark side.
Dave Bittner: [00:13:59] And this just in - humans now read the CyberWire on Alexa. Lack the time or inclination to read the Daily News Briefing? Let us do it for you on your Alexa. Just say, "Alexa, what's my flash briefing?" or "Alexa, what's in the news?" after you've set the CyberWire as part of your flash briefing, and your regular podcast hosts - most likely me - will take it away.
Dave Bittner: [00:14:27] And now a word from our sponsor, KnowBe4, the experts in new-school approaches to defeating social engineering. You ever wonder how hackers and con artists know so much about their targets? Basically, there's more information out there on everyone than you'd like to believe. There's even a name for it - open-source intelligence, OSINT. Kevin Mitnick, KnowBe4's chief hacking officer, can show you what the bad guys can find out about you. Go to knowbe4.com/osint and register for a free webinar with people who know a thing or two about mind-blowing underground OSINT secrets that you need to know. That's knowbe4.com/osint. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:21] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. Saw a publication - this was a press release from the EFF, the Electronic Frontier Foundation - and this was outlining how Justice Department efforts to break encryption of Facebook Messenger must be made public. What's going on here?
Ben Yelin: [00:15:46] So last year, the DOJ made an effort to obtain the Facebook messages of a customer who they believed was involved in gang activity, specifically the MS-13 gang, the one that we've heard so much about over the past several years. Facebook, as most technology companies have done, refused the request. DOJ tried to get an injunction, get a court order to hold that company in contempt and actually force them to break their own encryption. If this sounds familiar, it is. I mean, most famously, we saw it with Apple and the FBI back in 2016 when the FBI wanted access into the device used by the terrorists in San Bernardino.
Dave Bittner: [00:16:30] Right.
Ben Yelin: [00:16:30] They got into a major legal skirmish. Eventually, FBI was able to break encryption without getting Apple's cooperation. The court actually denied the government's effort to get Facebook to decrypt their messaging service. And what EFF is petitioning is to get that opinion public. The reason that's so important for people who care about digital privacy and civil liberties is there's going to be some reasoning contained within that decision that would apply to all different types of other cases. Now, depending on what court that is, that could be mandatory authority, if it's in a federal court that's located in California and that would have to rely on this decision, or it can be persuasive authority, where courts from other states might look to this California case and say, here's really persuasive reasoning as to why we should not force Facebook to decrypt their own messaging service.
Ben Yelin: [00:17:24] And so far, the federal judge has denied the EFF and other civil liberties groups' petition to make that information public. So the case is still classified. We don't have the government's reasoning. That's left EFF to do a lot of guesswork. And what they're arguing is that in order to keep the public informed about the government's anti-encryption tactics, that information needs to become public. And I think they have a very compelling case.
Dave Bittner: [00:17:55] What are the odds that you think they'll prevail in this?
Ben Yelin: [00:17:59] Well, you know, this is something that's up to the judge. I'm sure the judge is being heavily persuaded by the DOJ because any public opinion on this, even if it's partially redacted, could reveal methods that the federal government uses to decrypt devices or software, any type of technology. So there is that element where law enforcement is always reluctant to unveil the tactics that they use in conducting their work.
Dave Bittner: [00:18:33] And to be clear, I mean, that's a legitimate argument from the DOJ side.
Ben Yelin: [00:18:37] Absolutely. It's completely legitimate. You know, there are other ways to get basic information out there about the legal reasoning in particular, under what federal statute did the judge base his or her decision. And that, I think, could be done without revealing any of the underlying information about law enforcement tactics.
Ben Yelin: [00:18:59] Now, frankly, there's a lot we don't know about the case. So there might be something contained in there that is classified. And that would really harm law enforcement efforts as it relates to either dealing with technology companies or confronting groups like MS-13. But my inkling is that if a judge was amenable to refusing the DOJ's request to decrypt Facebook software, perhaps they'd be amenable to a petition from a civil liberties group to get that opinion unsealed. So far, that's been unfounded. But that would be a logical conclusion from the original decision.
Dave Bittner: [00:19:35] All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:37] Thank you.
Dave Bittner: [00:19:43] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:56] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.