The CyberWire Daily Podcast 8.29.19
Ep 917 | 8.29.19

Cyberattacks and intelligence trade-offs. TrickBot’s new interests. Fancy Bear versus machine learning. Facebook looks for more ad transparency. Retadup take-down.

Transcript

Dave Bittner: [00:00:03] Senior U.S. officials say the June 20 attacks on Iranian networks helped stop Tehran's attacks on tankers in the Arabian Gulf. TrickBot seems to be going after mobile users' PINs. Fancy Bear has taken note of machine learning and modified her behavior accordingly. Facebook revises its rules to achieve greater transparency in political and issue advertising. And a multinational takedown cleans up the Retadup worm infestation. 

Dave Bittner: [00:00:36]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:32]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:00]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 29, 2019. 

Dave Bittner: [00:02:08]  Senior American officials have described the June 20 U.S. cyberattack against Iranian targets. The New York Times says the officials see the operation as a success. In addition to taking down military networks, the cyberattack wiped out a database essential to the Islamic Revolutionary Guards Corps' operations against tankers in the Arabian Gulf. The Times report says that Iranian military and paramilitary authorities are still trying to recover their systems. 

Dave Bittner: [00:02:38]  The June 20 attack was chosen as nonlethal and indeed nonkinetic retaliation for Iran's shootdown of a Global Hawk drone operating in what the U.S. and the rest of the civilized world considered international airspace. Iran disagrees, claiming that the drone was flying in Iranian airspace. The cyberattack was authorized after U.S. President Trump rejected proposals for retaliatory airstrikes. 

Dave Bittner: [00:03:05]  The operation against the Revolutionary Guard is seen as an instance of the more assertive U.S. military posture in cyberspace, what Director NSA and Commander U.S. Cyber Command Paul Nakasone calls persistent engagement. There's some discussion of whether the cyberattack was worth it, and in that respect it's worth considering what people take to be the inevitable downsides of this sort of operation. First, there are concerns that attack code might be re-engineered and repurposed by the target. This concern hasn't been raised much in the context of the June 20 strikes. 

Dave Bittner: [00:03:41]  Second comes the downside that's attracted more attention, including - according to reports - attention within the U.S. government. Using a capability of this kind alerts the target to one's presence in its networks, and so the U.S. might have exposed and lost the access it evidently had to Iranian systems. This would be an instance of the familiar complaint about cyberattack tools - they're generally held to be not so much use-it-or-lose-it capabilities as they are thought to be single-shot weapons that once employed can't reliably be used again. 

Dave Bittner: [00:04:16]  There's something to these considerations, to be sure, but any military attack decision is, or at least ought to be, the conclusion of a cost-benefit calculation, and in this case, the benefits were held to outweigh the costs. That at least is the view of the officials who talked on background to The Times. It's probably also the view of tanker operators in the Gulf. 

Dave Bittner: [00:04:39]  Consider a familiar problem from the older discipline of electronic warfare. You've found an enemy radio network. Do you jam it? Do you destroy the emitters themselves with artillery or airstrikes? Maybe. Those would certainly deny the enemy the use of that network. On the other hand, if the enemy network is transmitting a lot of ill-conceived orders that are misdirecting the enemy forces, why not let it continue to operate? Or, to take a case closer to the one believed to exist in the Gulf, if you’re reading all the enemy traffic and if the stations on that network are well-informed, chatty and poorly secured, then it might well be worth letting them keep talking. 

Dave Bittner: [00:05:20]  In this case, the decision seems to have been that the benefits of attack outweighed the costs an attack might exact in terms of access. We'll leave it at that and just add - good hunting, Cyber Command. 

Dave Bittner: [00:05:33]  Researchers at Secureworks report that TrickBot is exhibiting new functionality that poses a particular threat to mobile users. The malware now seeks PINs that could be used to give GOLD BLACKBURN, the threat group behind TrickBot, the ability to access voice and text communications. Code injected through user interaction with a bogus sign-in page initiates TrickBot's record function. 

Dave Bittner: [00:06:00]  It's easy to grow accustomed to the convenience of biometric security features on our mobile devices. I know I have. But some suggest it's important we not allow ourselves a false sense of security. Martin Zizi is founder and CEO of biometric security company Aerendir Mobile. 

Martin Zizi: [00:06:18]  If you have a biometric database, you know database are essentially breachable, hackable if they are interested. So you and I can survive the loss of our credit cards, the loss of the Social Security number, we lost a few, but in the end, we're bitching about getting our credential back on ship, and we move on. If you lose your biometric now and in the future of the IOT, your loss is perpetual because if you lose your face or your finger imprint, there is no way this side of the galaxy that you can get a new face or new fingers. So database are a no-go, for example. 

Martin Zizi: [00:06:57]  Another is that some of the technology are perfectly fine to unlock a phone or to make a small buy on Amazon or wherever, you know - transfer money from phone to phone. But they don't meet the stringency criteria of unhackability, unspoofability and even reliability that are needed. Because let's say if a biometric works at 95%, it's fantastic as a product, and I use that. But 95% if I do bank transfer is not OK; I need 99.5% at least. And even there, I need probably to have two-factor to be ensuring that you don't get access to my money, and I don't access to yours. 

Dave Bittner: [00:07:37]  So is this a matter of using a combination of things to increase the reliability and security? 

Martin Zizi: [00:07:44]  It might, but it, again, gives a false sense of confidence. If you use signals or information that are nonrelated, it's a plus. But look at the pseudo-solution. I could see the way you walk, your gait, the way you hold your phone, your hands, where you live, you have one girlfriend, two girlfriend, one wife, do you go doing ice skating on Saturday - you aggregate data and then you build profile, and these profiles that are essentially multifactor can maybe get at your identity. But there are two problems with that. First, it's a statistical analysis, and it takes weeks to reach 80%, 85% of accuracy, and imagine how much more time you need to reach higher level of safety. And second, it's done incompatible with democracy. You understand? We're not cattle to be tagged from cradle to tomb. 

Martin Zizi: [00:08:38]  It's raised a new question. In which society do you want to live? Do we want to be, at the gate of the airport, banned because we have a moving violation? You understand? So I think - I'm not advocating for a solution versus the other. I think it's about time that the consumer, that the people and everyone involved - because it concerns us all - start to understand and make the informed choice because it's all about choice, and it's all about giving to people the access to the right information so that they can choose. Oh, I'm fine with face recognition, for example. Besides the fact that it's funny to open my phone with it, I'm fine with it because I see no problem with that. But then I've been at least told the problem. 

Dave Bittner: [00:09:24]  That's Martin Zizi from Aerendir Mobile. 

Dave Bittner: [00:09:30]  BlackBerry Cylance's ThreatVector threat research team has released new research into a malware sample used by APT28 - that is, Fancy Bear, Russia's GRU. ThreatVector's new research details analysis of samples U.S. Cyber Command uploaded to VirusTotal. They found that the malware is, quote, "a multithreaded DLL backdoor that gives the threat actor full access to and control of the target host," quote. Fancy Bear's stripped-down malware is surrounded by a great deal of benign code, and ThreatVector thinks the new approach represents a response to widespread defensive use of machine learning. 

Dave Bittner: [00:10:09]  Facebook has announced a revision to its rules concerning political advertising. The rules will govern both campaign ads and advocacy ads concerning social and political issues. They aim at producing disclosures that would achieve greater transparency with respect to who's sponsoring and paying for the advertising. 

Dave Bittner: [00:10:30]  Finally, Avast has helped the French Gendarmerie take down the Retadup worm's command-and-control infrastructure. Retadup has been active over the past two years, but the coordinated action took over the controlling gang's servers and had them send uninstall commands to approximately 850,000 infected Windows machines. A design flaw in Retadup's code enabled the deletion, as Avast engineers discovered. 

Dave Bittner: [00:10:57]  Retadup has been a particular nuisance in Latin America, with Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina and Cuba combining for 85% of the botnet. It's been used for a variety of purposes, but over the past year, Retadup has been mostly employed in cryptojacking. 

Dave Bittner: [00:11:15]  So bravo, Avast, and all credit to the Gendarmes' cybersecurity bureau. A side note on attribution - the skid who claimed responsibility for Retadup has been boasting in social media under the name Black Joker. It appears that his identity may now be known. Security researchers at Under the Breach tracked the gentleman's spoor through social media and were able to find him using domain registration data. Under the Breach told ZDNet that the fellow appears to be a 26-year-old Palestinian. 

Dave Bittner: [00:11:47]  His name is being quite properly withheld by the media for now, but we imagine that his contact information has been provided to the French authorities, the FBI and various other interested parties. 

Dave Bittner: [00:12:04]  Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:13:08]  And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. We had a story come by from Slate. This was written by Josh Kaplan. And the title is "License Plate Readers Are Creeping Into Neighborhoods Across the Country." What's going on here? 

Ben Yelin: [00:13:28]  So a startup company that specializes in automatic license plate reading has been selling their services to security companies that manage large apartment buildings. This article takes place in New York City, where most of the large apartment buildings in the country can be found. And one thing that's very interesting about this is, while law enforcement has obviously used automatic license plate reading to help solve usually serious crimes, this private security company, in conjunction with the managers of these large apartment buildings, are actually using the license plate reading technology for more mundane tasks, like figuring out whether somebody lied about getting hit by a car in a parking lot, which would have relieved them of their rent payments for one month. 

Ben Yelin: [00:14:20]  And I think the - the upshot of the story is that because the use of this technology has become ubiquitous and also very cheap, it's becoming far more prevalent. And it's not just a high-tech law enforcement tool. It's also becoming something that private organizations can use to monitor their users. 

Dave Bittner: [00:14:40]  Now, I can see an apartment complex making a case for registering my car to make sure that I live there, if I - you know, I am entitled to a parking place, that sort of thing. I don't know how I feel about them tracking my comings and goings. 

Ben Yelin: [00:14:55]  You know, you don't really have any legal leg to stand on here. Based on current Supreme Court precedent, we have a very unsettled view of the legality of automatic license plate readers. There's been some conflicting case law on it. Basically, because of what's called the public view doctrine, law enforcement and private companies, as well, have the right to surveil you when you make yourself available in public. And so it's not like they're going into your private garage and collecting your - and reading your license plate there. They're doing it on public avenues. 

Ben Yelin: [00:15:30]  Of course in the past, even when license plate reading technology became more prevalent, it was still expensive, and it still required some level of police work to set it up and to do the tracking. Now, because it's so cheap and so readily available and the technology is much better, you can conduct this sort of routine mass surveillance to figure out whether, you know, someone's been crashing on a couch in an apartment building because their car has been in the parking lot and they don't have a resident sticker in their car, you know, for a period of five to seven days. 

Ben Yelin: [00:16:09]  So yeah, I mean, I think most people might expect that their license plate could be read for serious law enforcement matters but not for mundane property management business that people probably think is beneath the importance level for such a technology. 

Ben Yelin: [00:16:29]  The public view doctrine was developed at a time when we were anticipating and thinking of police spotting somebody darting down the street running or, you know, some human intelligence source saw a criminal suspect in a store at a time that a robbery took place. It's different when we're talking about the routine collection of a significant amount of data, and it also requires very little human capital. 

Ben Yelin: [00:16:57]  So I think what I'm trying to say there is that there's nobody sitting in the apartment building, you know, firing up their camera and taking pictures of license plates every 30 seconds. It's all automated, so it's conducted on a mass scale. There really isn't an opt-out for users. And my guess is that most people who live in these apartment buildings where security companies are using this technology are probably completely unaware that it's being used. 

Dave Bittner: [00:17:26]  I suppose, though - I mean, it's fair to say there's upsides to this. If I'm a - an apartment complex and someone is coming and dumping trash on my property or something like that, this could make it easier to track someone like that down. 

Ben Yelin: [00:17:40]  Absolutely. I mean, it's a great tool for law enforcement. There's - it's actually - I mean, studies have shown that it has been an effective tool at solving both serious and petty crimes because you can pinpoint somebody's location based on where their vehicle was at a given time. So there are absolutely benefits from a law enforcement perspective and from a private security perspective. They absolutely have an interest in seeing which cars are coming in and out of their property and when they're coming in and out and the duration of time that that car has spent in that parking lot. 

Ben Yelin: [00:18:13]  So there are all sorts of routine reasons, many of which are mentioned in this article, why a security company would be interested in that information. But once again, you know - are those benefits to these private security organizations and to these property managers sufficient to justify the bulk collection of tenants' real-time whereabouts? And I think that's kind of an unanswerable question. Yes, it does add a level of convenience for property managers and for law enforcement. But I think that also comes at an expense to personal privacy. 

Dave Bittner: [00:18:49]  Well Ben Yelin, thanks for joining us. 

Ben Yelin: [00:18:50]  Thank you. 

Dave Bittner: [00:18:56]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:09]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.