The CyberWire Daily Podcast 8.7.19
Ep 901 | 8.7.19

Another speculative execution flaw. LokiBot evolves. APT41 moonlights. Scammers exploit tragedies. Black Hat notes.

Transcript

Dave Bittner: [00:00:03] A new speculative execution processor flaw is addressed with software mitigations. LokiBot gets more persistent, and it adopts steganography for better obfuscation. The cyberspies of APT41 seem to be doing some moonlighting. An accused criminal who bribed telco workers to unlock phones is in custody. Scammers are exploiting the tragedies in El Paso and Dayton. And a call at Black Hat for the security sector to bring in some safety engineers. 

Dave Bittner: [00:00:36]  Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show. 

Dave Bittner: [00:01:41]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:01:56]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 8, 2018 (ph). 

Dave Bittner: [00:02:03]  Bitdefender has warned of a new speculative execution flaw in Intel processors that isn't addressed by the measures taken to mitigate Spectre and Meltdown. The vulnerability could enable a side-channel attack that abused the SWAPGS system instruction. The vulnerability could expose data in privileged portions of the kernel memory, including passwords, tokens, private conversations, encryption and so on. Bitdefender disclosed the vulnerability to Intel last August. The chipmaker decided to address it at the software level, and Microsoft coordinated patches to mitigate the issue. 

Dave Bittner: [00:02:41]  Security firm Trend Micro finds that LokiBot has grown more persistent and also added steganographic obscuration features. Steganography is the art of concealing a message or, in this case, malicious code in an image. LokiBot is still the information stealer it's been since it first came to researchers' attention when it appeared on the black market in 2015 and 2016. TrendLabs says LokiBot continues to be actively traded in these online markets and that it can be expected to remain an active threat for a long time. 

Dave Bittner: [00:03:14]  Our correspondents at Black Hat have been following FireEye's report on a Chinese government threat group, APT41. The security firm's research, published to their website this morning, gives some insight into the interpenetration of criminal groups and espionage services. This has been seen before, especially in the relationship between Russian security services and cybercriminal gangs in that country. There, it's more like a protection racket. You get to run your criminal enterprise, provided you hit the right targets and stay away from the ones that are off-limits, and provided you accept the occasional tasking. 

Dave Bittner: [00:03:49]  At other times, it's more like moonlighting, which is what seems to be the case with APT41. Members of the group execute both espionage and financially motivated crime. At Black Hat last night, FireEye's John Hultquist and Barry Vengerik summarized and answered questions about their company's report. APT41 is known for targeting the video game industry, which the researchers believe is due to gamers in the group making some coin on the side from their hobby. FireEye said they've detected a significant shift in the group's activities that took place in late 2015, when the hackers moved away from intellectual property theft and towards strategic intelligence gathering from multiple different industries. Those industries included health care, telecoms, high-tech companies and software supply chains. 

Dave Bittner: [00:04:37]  But APT41 has continued to target the video game industry, not normally conceived of as having national strategic importance. The operators seem to be pursuing personal financial gain, although the researchers noted that it was strange that the Chinese government would allow them to use the tools used for serious state-sponsored campaigns for personal reasons. Once a tool is used, you can usually consider it blown, and it seems unlikely you'd want to risk that to scoop up what you need to sell skins or loot boxes. 

Dave Bittner: [00:05:08]  But perhaps the moonlighters are freelancers, in which case heaven forgive them, because the Ministry of State Security won't. Or perhaps the tools are already blown, and the ministry doesn't care, regarding the whole thing as something the operators are welcome to do off the clock. Maybe it even keeps their skills up.  

Dave Bittner: [00:05:26]  How many times a day do you enter a password? And would you feel more or less secure if entering passwords became a thing of the past? James Plouffe is a strategic technologist with security firm MobileIron, and he shares these thoughts. 

James Plouffe: [00:05:41]  Like many things in technology, there are certain decisions that are hard to walk back after you've made them. And passwords, I think, are one of those. We didn't have a better solution for a long, long time. It was the only thing that was available to us. But one of the interesting things that's emerged now with the ubiquity of mobile devices and, in particular, biometric and other sensors that exist on them - we start to have better ways of doing authentication and proving identity at our disposal. So we're kind of at an inflection point in the technology landscape where we finally have some resources to start approaching things differently than we have done in the past. And so I think that that's where we're at today. 

Dave Bittner: [00:06:26]  Yeah. I mean, I have to say as an iOS user using Face ID and, before that, Touch ID, I find them to be both convenient and secure. Is that the direction you think we need to head in? 

James Plouffe: [00:06:38]  Yeah, absolutely. And I think what you hit on just there, Dave, is an excellent point. For a long time, security and convenience have had a particular tension, right? If you think about, in particular, the case of passwords, there's been a tendency of folks to reuse passwords because remembering a lot of passwords is difficult, and that helps contribute to some of the risk that passwords create. So if you think about something like Face ID, it does a very accurate 3D model of your face, so you can get very strong authentication, but it's very easy for you as a user, right? You just hold the phone up, and it does its thing, and things just sort of automagically work. 

James Plouffe: [00:07:19]  And I was a relatively late upgrader to the iPhone - to the iPhones that supported Face ID, and I was actually a little bit cagey coming off Touch ID. I was like, how is this possibly going to work as well? How am I going to live without a home button? But I had it for a day, and I was like, why did I ever use a home button? 

Dave Bittner: [00:07:39]  Yeah, my experience was pretty much the same. 

James Plouffe: [00:07:41]  You know, when you combine that with some of the other capabilities that are out there for, you know, technology providers - the advent of things like online ID-proofing services where not only can you take advantage of the biometric sensors on the devices, but you're able to use things like the cameras to scan government-issued photo ID. 

James Plouffe: [00:08:02]  Before I got on the flight to get where I am, doing check-in, I had to do passport verification, but I didn't need to stop by the desk at the airport to do that. Just when I opened up the app, it said, please take a picture of your passport, and it confirmed that I was the right passenger, and it streamlined that whole thing. When you combine all those things together, you really do start to get to a point where you have some pretty attractive options for security. 

Dave Bittner: [00:08:25]  It strikes me that it seems like we're lagging on the desktop. You know, there are - I guess there are some computers now that are having things like Touch ID, but we're not really seeing the same progress on the desktop. Where do you think that's heading? Is it going to be - will our mobile devices connect with our desktop devices? Will the desktop devices integrate this sort of hardware? Where do you think we're headed? 

James Plouffe: [00:08:48]  That's an interesting question. I think, you know, we'll probably see a little bit of hardware. And as you know, we have seen some of that with some vendors. But I think there's two interesting dynamics at play. One is the fact that folks typically always have their mobile device with them, and they already have this hardware, so using a mobile device as kind of the authenticator external to your laptop is something that can work pretty well because we also have ways to transmit that data over things like Bluetooth and so on. I saw an interesting stat recently that was talking about the amount of web traffic that was coming from mobile devices compared to PCs and desktops, and it's actually eight times more data is coming from mobile devices than from PCs in a Cisco survey where they kind of project what the internet utilization is. 

James Plouffe: [00:09:41]  You know, more than just having to figure out how we solve the question of how we authenticate on laptops and desktops, I think you'll actually see more and more things just move to a pure mobile world. I know that I don't spend a lot of time on my laptop these days. I'm either using, you know, an iPad or an iPhone, and I think we'll continue to see that trend, you know, progress. 

Dave Bittner: [00:10:03]  Do you see us heading towards a time when we jettison the use of passwords altogether? 

James Plouffe: [00:10:10]  I think the limitations of passwords have been well understood for a very long, long time. And I think, as we kind of discussed earlier, it's been difficult to move away from that decision. But when you look at some of the standards efforts coming out of folks like the FIDO Alliance, the fact that they've just submitted WebAuthn to the W3C for ratification - you know, we start to see opportunities to take advantage of the biometrics, to use things like cryptographic challenges instead of passwords. 

James Plouffe: [00:10:42]  Like all things in technology, the transition will probably be slower than we want, but it's definitely headed the right direction, and I think a lot of the right folks are thinking about this. And even today, if you look at technologies like Windows Hello supports FIDO authentication, so it's possible to do not just authentication to your local laptop, but also then take advantage of those capabilities for things like single sign-on to other services that integrate with Microsoft Hello. As much as we would probably like it to be tomorrow, at least it's heading the right direction. 

Dave Bittner: [00:11:21]  That's James Plouffe from MobileIron. 

Dave Bittner: [00:11:25]  The leader of a conspiracy to unlock AT&T phones has been extradited from Hong Kong to the United States. The U.S. Justice Department announced yesterday that it had indicted a Pakistani national, Muhammad Fahd, with conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer and four counts of violating the Travel Act. 

Dave Bittner: [00:11:53]  Fahd allegedly bribed workers at AT&T's facility in Bothell, Wash., to disable AT&T proprietary locking software on customers' phones. This would enable the unlocked phones to be used in any compatible network. Since AT&T subsidized a substantial cost of phones for customers in service contracts with the company, unlocked phones are valuable commodities. Fahd is also alleged to have bribed AT&T employees to enable him to install malware in customers' phones. Three of his alleged co-conspirators have already pleaded guilty. Hong Kong authorities shipped Mr. Fahd Stateside on August 2. 

Dave Bittner: [00:12:30]  Scammers are already exploiting the shootings in El Paso and Dayton. In the wake of any significant event, happy or tragic, scammers crawl out from under the rocks to exploit the well-intentioned, the curious and the gullible. This past week's events have been tragic, and criminals are losing no time in trying to turn a profit from the news of the killings in Texas and Ohio. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, warned yesterday that criminal campaigns designed to do just that are already in progress. Be particularly wary of emails whose subject lines allude to either or both tragedies. But also be aware, as CISA cautions, that scammers won't confine themselves to email - quote, "be wary of fraudulent social media pleas, calls, texts, donation websites and door-to-door solicitations related to these events." Sadly, that's good advice. 

Dave Bittner: [00:13:30]  And now a message from our sponsor ObserveIT. 

Unidentified Person: [00:13:35]  Great party, huh? 

Dave Bittner: [00:13:37]  Yeah, yeah. Great party. Could you excuse me for just a moment? Hey, you. What are you doing? What - oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person: [00:13:56]  Did someone say trouble? I bet I can help. 

Dave Bittner: [00:13:59]  Who are you? 

Unidentified Person: [00:14:00]  To catch insider threats, you need complete visibility into risky user activity. Here - I'll show you how ObserveIT works. 

Dave Bittner: [00:14:07]  Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person: [00:14:17]  Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:14:23]  But wait; what's your name? Oh, well. Thanks, ObserveIT - and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. 

Dave Bittner: [00:14:50]  And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. An article came by from The Verge. And this is about Virginia instituting, or, I guess, updating, their revenge porn laws to cover deep fakes. What do we got going on here? 

Ben Yelin: [00:15:11]  Yeah. So back in 2014, Virginia first enacted a statute to ban the use of revenge porn. So they defined it as nude videos with the intent to coerce, harass or intimidate another person. What they just passed earlier this year in their legislative session - and it just went into effect very recently - is that an image or video falsely created - which we think refers to deep fakes, but also potentially something just like a plain photoshopped image or a faked image - would also violate that law. This is a part of a criminal statute. So you - under this statute, you could subject yourself to imprisonment or a relatively large fine. 

Ben Yelin: [00:15:59]  This is the first legislation, I believe, nationwide that applies revenge porn statutes to deep fakes. And I think the Virginia Legislature is ahead of the curve in realizing that the use of these faked images can be just as exploitative as the use of regular revenge porn. And, you know, this is activity that the person who's being shown on one of these videos or images has not even participated in voluntarily or involuntarily. So I think it's a good addition to what was already a strong statute on revenge porn and signals that there is now interest among both federal and state legislatures in trying to regulate this phenomena of deep fakes. 

Dave Bittner: [00:16:47]  Do you suspect this is - this sort of thing will make its way across the country, or could we see action on a federal level? 

Ben Yelin: [00:16:53]  So there have been whispers about action at the federal level. There's some bipartisan support. This article mentions a bill introduced by a Republican senator and Democratic House member that would institute some regulations on deep fakes. Texas passed its own law on this, but the law in that case deals with our political system and not with nonconsensual pornography, which is the basis of the Virginia statute. 

Ben Yelin: [00:17:21]  So I think Virginia really could be setting a trend here, especially as this issue becomes more prevalent, these videos become more prevalent, people's knowledge of the fact that some of what they view on the internet may be a deep fake. It's just starting to get ingrained in our minds that we shouldn't believe everything we see coming out of a person's mouth on a video. I think as that starts to get ingrained in our minds, our lawmakers are going to take notice and are going to take action. And I think Virginia has done the country a service in providing a model statute to accomplish that goal. 

Dave Bittner: [00:17:56]  There's certainly been a lot of attention to this issue. And I suppose - I mean, part - it's natural for it to sort of bleed over into the political arena as well. 

Ben Yelin: [00:18:05]  Yeah. So there's been a viral video that's gone around over the past year or so that has former President Obama giving a speech that he never actually gave. But the deep fake technology is so advanced at this point that it really looks like he's giving that speech. And this can be really dangerous. I mean, we've seen the spread of so-called fake news over the past several of years. People are seeing things come across their social media feeds that have been created out of whole cloth or have been doctored in some way. 

Ben Yelin: [00:18:36]  And this can distort people's view of their own political leaders and our own political system and can really be detrimental to democracy. The people don't have proper information on what's real and what's fake and what their political leaders have actually said and what they were purported to have said, then that can really affect the functioning of our democracy. So even beyond the issues discussed in this Virginia statute, I think there's going to be a big debate as to how we can sanction or in some way regulate these deep fake videos. 

Dave Bittner: [00:19:11]  Ben Yelin, as always, thanks for joining us. 

Ben Yelin: [00:19:14]  Thank you. 

Dave Bittner: [00:19:19]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:32]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.