Spearphishing utility companies. Bellingcat as gadfly, and target. Facebook takes down more coordinated inauthenticity. Card skimming. Tech regulation. Random acts of cruelty.
Dave Bittner: [00:00:03] LookBack malware's been used in spearphishing campaigns against U.S. utilities. Phishing Bellingcat. Facebook takes down two campaigns of coordinated inauthenticity that had been active in the Middle East and North Africa. The growing problem of online card skimming. The FTC's investigation of Facebook centers on acquisitions. The feds visit Amazon. And followers of a YouTube streamer treat the homeless as punchlines in a big practical joke.
Dave Bittner: [00:00:36] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7, 365 security operation center support around the globe and over 300 security experts in house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to BlackHat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:01:41] Funding for the CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 2, 2019.
Dave Bittner: [00:02:03] A new strain of malware has appeared in a phishing campaign directed at U.S. utilities. Between July 19 and 25, Proofpoint identified spearphishing emails that hit at least three U.S. companies in the utilities sector. The phishbait lay in the apparent origin of the emails - they arrived from what Proofpoint thinks is probably an attacker-controlled domain, nceess.com. The domain appears designed to be mistaken for one owned by the U.S. National Council of Examiners for Engineering and Surveying. The phish hook was an attached Microsoft Word document weaponized with malicious macros to install a malware package Proofpoint calls LookBack.
Dave Bittner: [00:02:44] LookBack is a remote access Trojan accompanied by a command-and-control proxy mechanism. The researchers believe there's enough evidence pointing to a nation-state as the actor behind LookBack, but the trail quickly grows cold. The overlaps with earlier campaigns strongly suggest a state-sponsored campaign, but it's insufficient to suggest which state might be responsible. The closest analogues to the LookBack campaign were earlier attacks against Japanese targets in which China's APT10 was suspected, but again, there's not enough evidence for Proofpoint to offer attribution.
Dave Bittner: [00:03:19] Bellingcat, the investigative journalists who've for some time acted as a gadfly to the Russian government, was itself recently the subject of some phishing attacks. RiskIQ has taken a look at that recent phishing campaign, and they conclude that it was indeed closely focused on a small number of investigative journalists who've proven annoying gadflies to the Russian government. The campaign made adroit use of ProtonMail infrastructure, which lent it more plausibility than its phishing attempts might otherwise have enjoyed. The journalists being phished seem, for the most part, to have spit the hook, but the incident serves as an instructive cautionary tale.
Dave Bittner: [00:03:59] Researchers at ThreatConnect analyzed one of the phishing emails and linked 11 domains to the threat actor behind the campaign. All of these domains spoof ProtonMail, and some of them haven't been hosted yet. The researchers say the unused domains are potentially being held for use in future campaigns. Both ProtonMail and ThreatConnect note that Bellingcat has been targeted by Russian APTs in the past and that the domain registrars and resellers used in this campaign have previously been utilized by Fancy Bear.
Dave Bittner: [00:04:31] Russia isn't the only government Bellingcat scrutinizes. The investigative site's reports yesterday led Facebook to take down pages, groups and accounts in both Facebook and Instagram for coordinated inauthenticity organized by the kingdom of Saudi Arabia. Facebook says it took down a total of 217 Facebook accounts, 144 Facebook pages, five Facebook groups and 31 Instagram accounts. The focus of the information operation was on the Middle East and North Africa. The operators posed as locals and also ran some pages that represented themselves as local news organizations.
Dave Bittner: [00:05:09] Facebook also took down accounts originating in Egypt and the United Arab Emirates. This second campaign was, in Facebook's judgment, distinct and unrelated to the Saudi effort, but it too represented coordinated inauthenticity. Like the Saudi campaign, this one also had a regional focus. The operators used compromised and bogus accounts to pose as local news organizations. Facebook determined that the activity was connected to two marketing firms with similar names - New Waves in Egypt and Newave in the Emirates. In both cases, the pushing of a government line was fairly obvious, although the effort run from Egypt and the Emirates seems to have shown more sophistication and plausibility than the one operated by Riyadh. Online card skimming seems to be a growing problem. Two major industry groups, the PCI Security Standards Council and the Retail and Hospitality ISAC, have warned of the rapidly developing threat of online pay card skimming.
Dave Bittner: [00:06:08] Magecart is the best-known umbrella term for the criminal campaigns that employ this tactic, which has been on the rise since its appearance in 2015. The most common infection vector for the JavaScript sniffers that do the stealing are third-party applications that are widely used by merchants. These typically include advertising scripts, live chat functions and customer rating features. Troy Leach, the PCI Council's CTO, advises attention to security detail and a commitment to using best practices. He said, quote, "following PCI SSC standards and guidance such as regular review of software and closely monitoring changes in the environment can help defend against these attacks," end quote. By any measure, online card skimming is a big issue. Security firm Malwarebytes says it blocked some 65,000 attempts in July alone, which suggests the magnitude of the problem.
Dave Bittner: [00:07:02] The U.S. Federal Trade Commission's recently opened antitrust investigation of Facebook is, for now, concentrating on the social network's acquisitions. The Wall Street Journal says that investigators are interested in seeing whether Facebook's acquisition of potentially disruptive smaller rivals formed part of a deliberate strategy to neutralize competitors.
Dave Bittner: [00:07:24] An FTC look at Facebook is probably overdetermined by the company's run of controversial news. But a recently revealed inspection of Amazon's Virginia facility by the Federal Reserve probably signals a deeper trend toward closer regulation or at least scrutiny of tech companies offering essential services to the financial sector. The visit took place in April, but it now seems prescient given this week's breach disclosure from Capital One.
Dave Bittner: [00:07:51] And finally, a repellent bit of YouTube trolling is sending the homeless to a non-existent shelter on Reseda Boulevard in the Los Angeles neighborhood of Tarzana. The deeply unfunny gag is apparently the work of fans of a YouTuber known as Ice Poseidon - real name Paul Denino, 24 years of age. Members of the Purple Army, as Mr. Denino's followers are known, are urging homeless people looking for shelter to find it at Ice Poseidon's expensive rental, described in press reports as a mansion. There was no shelter there, except for Mr. Denino, who is believed to have paid as much as $25,000 in rent a month before vacating the property this spring. He could probably afford it. A profile of the YouTuber in the New Yorker puts his monthly income at around $60,000.
Dave Bittner: [00:08:41] Ice Poseidon sort of got the joke, but now says it's no longer funny. The Los Angeles Daily News quotes him as saying you've got some sad, pathetic people on the internet that literally just don't care about people. At some point, I realized it's not a joke anymore. Maybe the first time it was. Now it's not funny. It's dumb.
Dave Bittner: [00:09:05] And now a message from our sponsor, ObserveIT.
Unidentified Person: [00:09:10] Great party, huh?
Dave Bittner: [00:09:11] Yeah. Yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? What? Oh, no, looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss.
Unidentified Person: [00:09:31] Did someone say trouble? I bet I can help.
Dave Bittner: [00:09:33] Who are you?
Unidentified Person: [00:09:34] To catch insider threats, you need complete visibility into risky user activity. Here, I'll show you how ObserveIT works.
Dave Bittner: [00:09:42] Wow. Now I can see what happened before, during and after the incident. And I'll be able to investigate in minutes. It used to take me days to do this.
Unidentified Person: [00:09:51] Exactly. Now if you'll excuse me, I think there's a cocktail over there with my name on it.
Dave Bittner: [00:09:57] But wait, what's your name? Oh, well. Thanks, ObserveIT and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire.
Dave Bittner: [00:10:25] And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. You sent over a somewhat provocative topic that you wanted to discuss today, and it's can you smell security issues in software. That has my attention. All right, what are we getting at here?
Awais Rashid: [00:10:44] So code smells are a well-known phenomenon in software, but more from a software maintenance perspective. So this was a term that was coined by Martin Fowler. And one example of that is the, you know, the shotgun surgery code smell. So for instance, if you want to make some changes and if you have to make a single change and you have to make a lot of little changes in a lot of different places, then effectively, you're doing a kind of shotgun surgery, which means that your code is not very well modularized, so to speak.
Awais Rashid: [00:11:16] And recently, ourselves and other researchers as well - particularly at North Carolina State University - have been looking at as to is there an equivalent of the code smell, but more like a security smell? And there are interesting findings that you can actually see by looking at the code in itself that there are symptoms of where there might be, for example, poor security practices. So I mentioned there is work that has gone on at North Carolina State University, and they have looked at, particularly, code scripts that are used to deploy various pieces of software. And there are particular smells that you see there in the sense of that there are admin privileges by default or hardcoded secrets, empty passwords and things like that.
Awais Rashid: [00:12:12] And the reverse side of that is that we have ourselves been looking at whether the challenges that developers face, do they indicate that there are some kind of usability smells into how hard it is for them to use security and cryptographic APIs. And again, what we've found is that there are particular types of usability smells that indicate that it's not easy for developers to use the kind of security functionalities that the various APIs provide.
Dave Bittner: [00:12:40] Now when we're using this notion of smell, obviously metaphorically here, is it - is there a certain amount of intuition that's implied?
Awais Rashid: [00:12:50] I think it's more than intuition in the sense that a smell does not necessarily mean that it is an actual vulnerability. But it indicates that there might be a weakness here. There could be good reasons why people may have done something in that particular manner, and that may also not necessarily mean that it leads to a vulnerability. But it actually tells you that something might be wrong here, and that requires some attention and looking into. And you might want to consider whether the security configurations in the code at that point are right.
Dave Bittner: [00:13:21] So an indicator that leads you to further investigation.
Awais Rashid: [00:13:25] Absolutely. And it also helps developers, for example, reflect as they're looking at the code or reviewing their own code or other people's code. But also it helps, for example, those people who develop APIs or libraries to consider as to whether they are making them more or less usable for other developers who will be using them.
Dave Bittner: [00:13:46] All right. Well, Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:13:54] And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:14:53] Open source software governance and DevOps automation firm Sonatype recently published the fifth edition of their "State of the Software Supply Chain" report. It highlights best practices and what they label exemplary open source software projects and development teams. Matt Howard is chief marketing officer at Sonatype.
Matt Howard: [00:15:13] Well, first of all, the supply of open source continues to explode exponentially. You're talking about a vast number of open source libraries that are available. And this massive supply is being met with continued exponential growth and demand from development organizations around the world - you know, one and two-person development shops all the way up to, you know, Fortune 50 kind of development shops. The world of software as we know it is largely being driven by supply of open source, and the developers' demand for open source reflects that.
Matt Howard: [00:15:50] So in addition to sort of supply and demand dynamics, we're basically seeing a world where post-Equifax and more recently, you know, some fairly high-profile breaches along the lines of event-stream, we're seeing that organizations, commercial organizations in particular, are becoming, I think, more aware of the need to govern the quality of the open source libraries that they're utilizing to build their mission critical software.
Dave Bittner: [00:16:18] You mentioned earlier the word exemplary, and that's a word that comes up a lot throughout this report. Can you describe to us, I mean, what are some of the things that you see from dev teams and projects that you label exemplary?
Matt Howard: [00:16:34] Yeah, I mean, just to put this in the context - just so we're clear about what we looked at - I mean, we are - at Sonatype, we're the curators of the Maven Central Repository, which is the world's largest public repository for Java components. So as a result, we have the ability to sort of do some pretty deep and rigorous research that no one else in the world would have. And we discovered, you know, some interesting and important things that I think are about to set a new perspective in software development.
Matt Howard: [00:17:06] Specifically, mean time to repair a vulnerability is something that we all understand. So if you're in the world of software, and you get a new zero-day announcement from somebody like Apache, the question is if you've got an application in the wild, in production, are you aware of whether or not that particular library is in your application? Do you have a dependency? If so, is that dependency in the call flow? Is it potentially going to, you know, is it exploitable in the wild? And if it is, how quickly could you, you know, find it and remediate it is really kind of a question that I think all organizations post-Equifax are kind of grappling with.
Matt Howard: [00:17:52] That's on the commercial consumption side of the equation. If you look at, you know, the open source project side of it, all of these open source projects themselves have dependencies. So these are in many respects, there's these transitive dependencies. So an open source project has dependencies within dependencies within dependencies. It's kind of a Russian doll metaphor. And the question is when there's a new vulnerability disclosed, do the open source projects themselves remediate those vulnerabilities? And if so, how quickly do they do it? So that's a question of hygiene with respect to vulnerability or dependency management. So that's the idea that - what's the mean time to remediate a vulnerability. MTTR is one characteristic that we were particularly interested in studying.
Matt Howard: [00:18:39] What we found is, you know, pretty surprising, that the mean time to remediate a vulnerability in - across 36,000 open source projects that we studied is 326 days. The median time is 180 days. So essentially, what that says is, you know, on average across 36,000 open source projects, when a new vulnerability is disclosed, that project will fix the vulnerability in its library within 326 days.
Matt Howard: [00:19:11] Is that good or bad? I think as an industry, we're just now getting to a point where we understand what hygiene looks like for open source components and projects. And over time, we'll probably get to a better position to judge whether it's good or bad. And ultimately perhaps, you know, we'll see organizations change consumption patterns, and popularity will rise and fall based on the quality or the hygiene that's being practiced by a particular project.
Matt Howard: [00:19:37] The other thing I want to touch on is the idea of mean time to update. Dependency management in software development has been talked about for a long time, and there's an old saying that the best engineering teams - or really good engineering teams reserve time in their project schedule to do dependency management. But the best engineering teams actually automate that process. And so if we - if you're really good, you're going to be constantly updating your dependencies to either the most current version of the library or perhaps the next most current version of the library. And this idea of updating your dependencies constantly is a really important and interesting hygiene characteristic that's exhibited by both open source project teams as well as by commercial teams - commercial development teams.
Matt Howard: [00:20:28] And in this particular case, what we found is that the teams - the open source projects that practice good MTTU - that's mean time to update, meaning they themselves are constantly updating their own dependencies - almost by default, they practice really good security hygiene with respect to remediation. The point is if they're always fresh in terms of their dependencies, they're going to be secure as well.
Matt Howard: [00:20:53] And so stepping back from the research, we realize that perhaps the more important characteristic when looking at hygiene across open source projects is mean time to update, or the pace at which you do dependency management, versus mean time to remediate.
Dave Bittner: [00:21:10] So what are the key take-homes here? In terms of advice for folks who want to be heading in the direction of joining those groups of exemplaries, what are the good places for them to start?
Matt Howard: [00:21:20] The take-home here is that modern software development teams are really manufacturing software applications in a very similar process to the way that Toyota manufactures cars. If you think about it, you know, decades and decades ago, Toyota invented supply chain automation for how to build cars with physical parts. And the world of software as we now know it is realizing that it's important to automate your software supply chain so that you can manufacture applications using digital parts called open source libraries.
Matt Howard: [00:21:57] A long time ago, Edwards Deming was instrumental in helping companies like Toyota automate their supply chains. And he essentially, you know, taught four principles. You want to source your parts from the absolute best suppliers in the world. You want to source only the best parts from those suppliers. You want to track and trace the location of all of those parts as they move through the software supply chain or the manufacturing process. And ultimately, you want to have a bill of materials after the application - or using the analogy, the vehicle is put into production - you want to have a bill of materials so that you can conduct an orderly and effective recall in the event that you're notified of a faulty part.
Matt Howard: [00:22:41] So the analogy is how quickly could an organization respond to the Apache disclosure with respect to the Struts vulnerability? You know, some organizations responded very well if they had a grasp of their software supply chain. Other organizations struggled, quite frankly, to respond. Looking at the analogy, think about Toyota and how quickly and efficiently they were able to conduct an orderly and effective recall when they had the Takata airbag defect a few years ago. So in that view of the world, we're basically seeing very clearly that not all those open source parts are created equal. There is a real difference between high quality and lower quality. And we also know that whether you're manufacturing physical goods or digital goods, it's always a really good idea to source the best parts and the best suppliers, much like Deming taught Toyota decades ago.
Dave Bittner: [00:23:35] That's Matt Howard from Sonatype. We've been discussing their "State of the Software Supply Chain" report.
Dave Bittner: [00:23:46] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:24:09] Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.