Dave Bittner: [00:00:03] Project Zero warns that a use-after-free vulnerability in widely used Android devices is being exploited in the wild. Uzbekistan's National Security Service continues to get stick in the court of public opinion for sloppy opsec. Check Point reports on what appears to be an Egyptian domestic surveillance operation. Palo Alto reports on a newly discovered Chinese state threat actor. A new volley in the cryptowars. And Vlad gets out the rubber chicken.
Dave Bittner: [00:00:36] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:26] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice to help fix faster while methodology driven assessments ensure compliance needs are met, at bugcrowd.com.
Dave Bittner: [00:01:54] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 4, 2019. Google's Project Zero has determined that at least 18 widely used Android devices are vulnerable to exploitation of a use-after-free condition and that this vulnerability is being exploited in the wild. It's a local privilege exploitation vulnerability that exposes susceptible devices to full takeover. Ars Technica points out that there are two ways in which the vulnerability could be triggered. A user could install a malicious app, or the attacker could combine the exploit with a second one that takes advantage of an issue in the code the Chrome browser uses to render content. Ars Technica also cites Google as pointing to either Herzliya-based NSO Group or some of its customers as the actors behind the attacks. But NSO Group has said that the whole affair has nothing whatsoever to do with them, and their reply to Ars Technica is worth quoting in its entirety. Quote, "NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO. Our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives," end quote. The October Android update is expected to address the issue. Watch for it in the next few days.
Dave Bittner: [00:03:17] Uzbekistan's National Security Service, whose cyber-espionage tools were blown in the course of testing them against Kaspersky security software, is being credited with developing its own malware, possibly because none of the lawful intercept companies out there are willing to sell to them. But that assessment may be premature. Kaspersky thinks that the Uzbek service, now named after its totem animal, SandCat, was in fact buying tools from a vendor, which they name as Tel Aviv-based Candiru, which specializes in developing and selling lawful intercept tools for Windows systems. Their wares, Forbes reports, have been found in use before by both Saudi and Emirati intelligence services. It may be time for Candiru, if they were indeed selling to SandCat, to consider firing the customer. Sloppy customers are bad customers, Kaspersky researcher Brian Bartholomew told Forbes. That's as true of the cyber sector as it is of the hospitality industry. Selling exploits to Uzbekistan, where the customer proceeded to set up a test machine exposed to the internet with an IP address of Military Unit 02616, is a little like the Holiday Inn renting rooms to The Who. Has happened, as a matter of fact, in Flint, Mich., back in 1967. The Flint Chamber of Commerce is still talking about it. Or so we've heard.
Dave Bittner: [00:04:41] Check Point has linked a domestic surveillance effort to Egyptian intelligence services. The campaign used spyware embedded in security apps. That is, apps that advertise themselves as offering security enhancements but which in fact contained spyware. The apps were made available in Google's Play store and included secure mail, a Gmail extension that promised security but which in fact socially engineered people into providing credentials, iLoud200%, a smart storage solution that freed up space on your phone and also sent location info to external servers, and IndexY, a caller ID service that collected and reported users' call logs. Check Point calls it the Eye on the Nile and says that the targets were carefully selected, hand-picked political and social activists, high-profile journalists and members of nonprofit organizations in Egypt. They don't exactly attribute the activity to the Egyptian government, but they do note that whoever's behind the Eye on the Nile speaks Arabic, is familiar with the Egyptian ecosystem and is most interested in domestic Egyptian targets. But The Register and others are happy to connect the dots and call the operation for Cairo.
Dave Bittner: [00:05:55] Palo Alto Networks has published an "Adversary Playbook" for PKPLUG, a recently identified Chinese state espionage actor that's concerned itself with domestic surveillance of Uyghurs and international espionage directed against countries opposed to Belt and Road. The group is behind the HenBox Android malware distributed through third-party app stores. Cabinet members in the U.S., the U.K. and Australia have jointly asked Facebook to hold off on plans to implement end-to-end encryption. Buzzfeed yesterday obtained a copy of a letter. U.S. Attorney General Barr, U.K. Home Security Secretary Patel, Australian Home Affairs Minister Dutton and acting U.S. Homeland Security Secretary McAleenan were to publish today. The open letter, which ZDNet says will be issued in conjunction with announcement of a new data sharing agreement among the three countries, specifically asks that the social network not make it impossible for authorities to legally access content related to child sexual exploitation and abuse, terrorism and foreign interference in democratic institutions.
Dave Bittner: [00:07:03] The letter is framed as a response to Facebook's Privacy First initiative. The officials write, quote, "We support strong encryption, which is used by billions of people every day for services such as banking, commerce and communications. We also respect promises made by technology companies to protect users' data," end quote. But they go on to remind Facebook that they also have a responsibility to protect people from various forms of harm that can be detected or stopped if the authorities can read the traffic when they need to do so. They are looking, they write, for balance with privacy and security on one side and public safety on the other.
Dave Bittner: [00:07:41] Specifically, they ask Facebook to do these things. First - embed public safety into their system designs. Second - enable lawful access to content. Third - consult with governments on the matter. And fourth - not implement the changes proposed under Privacy First until Facebook has ensured it can maintain the safety of its users. Facebook is clearly in a tough position - under pressure from both sides of the privacy-security balance.
Dave Bittner: [00:08:09] And finally, it was evidently open mic night at Russian Energy Week. President Vladimir Putin did a little improv about American concerns over election interference. When asked about Russian meddling in U.S. elections, Vladimir Vladimirovich said, in an appropriate stage whisper, I'll tell you a secret. Yes, we'll definitely do it. Just don't tell anyone.
Dave Bittner: [00:08:35] Ah, the guy kills it, doesn't he? Be sure to catch his act if you happen by the Chuckle Hut in the Arbat. Come to think of it, we think it's just around the corner from the Burger King.
Dave Bittner: [00:08:49] And now a word from our sponsor, Edwards Performance Solutions. It's commonly accepted that cybersecurity is a business risk, not an IT problem. What may not be as commonly accepted is that cybersecurity needs to be an integral part of every business strategy and that cybersecurity can actually be an asset to your business. Achieving this outcome is a journey. The journey starts with an understanding of what information is important to the business, what business processes generate, use, store or transmit that information and what are the rules and regulations impacting the information? The next part of the journey is understanding the risks to the business and those information assets, followed closely by establishing a governance structure to manage those business risks. This includes managing the risk to your supply chain. The journey is not an easy one and is fraught with roadblocks and obstacles. You may need a guide. Edwards Performance Solutions is ready to be your guide in this journey. Please visit their website, edwps.com, to learn more. That's edwps.com. And we thank Edwards Performance Solutions for sponsoring our show.
Dave Bittner: [00:10:08] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. We wanted to touch on threat hunting today. Why don't we start off - what is threat hunting, and what is it not?
Justin Harvey: [00:10:21] So threat hunting is looking for adversaries that are already present within your network or your endpoints. Enterprises today are spending money on things like antivirus and firewalls and intrusion detection and prevention systems for their network. But what do you do if any of that fails? It really only takes a couple systems for an adversary to move around or to subvert, and then they're in and persistent within your environment. And so what threat hunting is, is the constant and continuous searching for basically two things, Dave. No. 1 - it's looking for the anomalous. So it's looking for things that don't smell quite right, but it could be a new patch that has changed that registry key or a new program has shown up because someone installed it or looking at things like the suspicious - things like, perhaps this registry key was added with this new potentially unwanted program, or the suspicious being someone logging in directly into a Linux system using a root login instead of logging in as the user and then becoming superuser. So threat hunting is really looking for the things that are misplaced or shouldn't be there.
Dave Bittner: [00:11:43] So is this an expensive thing to spin up within an organization? When do you know when it's time to activate this process?
Justin Harvey: [00:11:51] Well, I think all enterprises of sufficient size - meaning, really, in the SMB market, I think threat hunting is going to be too spendy (ph) to do it yourself. I think that most managed service providers or managed detection and response providers should be supplying that for the SMB market. But for the larger enterprises that are managing their own infrastructure, it should absolutely be a part of their cyberdefense program. The barrier to entry to threat hunting is there's simply not enough people in the industry today in order to not only run the threat hunt program but develop the threat program. Many of my clients are struggling with saying, OK, I know we need to do threat hunting. And I kind of have some people to do it. But what do I do? And really, there have been some vendors out there. They are automating their EDR systems in order to codify things like the MITRE ATT&CK matrix and putting that in their agent or in their software so that human beings don't have to remember every little nit-picky thing that the ATT&CK matrix for MITRE presupposes. And so with that automation, it still gives our threat hunters a leg up in order to find the anomalous and the suspicious.
Dave Bittner: [00:13:11] So what's your advice? So what's the best way for someone to get started?
Justin Harvey: [00:13:14] The best advice here is to bring in a trusted third-party, hopefully one that has a threat-hunt methodology in order to give to the threat hunters. In my experience, or at least in the old days - the old days being several years ago - threat hunting was just merely hiring a bunch of smart infosec people and throwing them against the problem saying, go find evil. Go find the anomalous and the suspicious. And that hasn't been working at scale. So I think number one is to settle on a threat-hunting methodology. Ours, the one that we've developed amongst my team, is what we call intel-driven hypothesis-based threat-hunting methodology. But there's a lot of other types of methodologies out there that are just as good.
Justin Harvey: [00:14:02] The second step, Dave, would be focusing on a technology set that will support codifying things like the MITRE ATT&CK matrix into an EDR product. So not only do you have to have the people, the methodology, but you also have to have the tools and the visibility amongst the endpoints and the networks in order to surface that telemetry and then to analyze it. So some of our customers utilize EDR products that send all their data back to a centralized source - perhaps it's Splunk, perhaps it's their SIM, perhaps it's the EDR console - and then they hunt within that environment in order to find those adversaries linked within the network and the endpoints.
Dave Bittner: [00:14:47] All right, good information as always. Justin Harvey, thanks for joining us.
Dave Bittner: [00:14:55] Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep this savvier hoods' hands off your endpoints, Blackberry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:15:55] My guest today is Paige Schaffer. She's CEO of Generali Global Assistance's Identity and Digital Protection Services global unit. Our topic today is the recently published University of Texas at Austin identity threat and assessment prediction, or ITAP, report.
Paige Schaffer: [00:16:11] We've been involved with the University of Texas for the past several years. And I really don't think there's anyone like them that does, really from a research standpoint, looks at those relays for identity compromise and abuse in as many different ways as they can. So they just capture thousands of details. And they're really looking at the aggregation of the information to kind of trend risks and head them off at the pass, if you will.
Dave Bittner: [00:16:46] Well, let's go through some of the key findings together. What were some of the things that caught your eye?
Paige Schaffer: [00:16:51] One of the first things that kind of leapt out, which really shouldn't be a surprise, but that really 45% of identity compromise is from an inside threat. Now that could mean a lot of things where companies are concerned. But, you know, it makes sense that employees have intimate knowledge of organization networks, their infrastructure, their practices. And so it's almost like it's too easy. And I - you know, unfortunately, there can be employee ignorance, which gives way to cyber threats. So really just unwittingly giving access with unauthenticated users, folks clicking on attachments or opening up links that are malicious, some are phishing emails. Some of it is not malicious intending to be by the employee.
Dave Bittner: [00:17:48] Right.
Paige Schaffer: [00:17:48] It's just kind of dumb luck and not being savvy to it. And much of that has to do with the type of culture that an organization establishes where cyber protection is concerned. And so if you've got a culture that puts cybersecurity at the forefront, then that company is going to be harder to penetrate and less vulnerable to all of the threats, including the ones inside. But if you don't have the mentality to kind of drive that culture, that cultural shift to kind of empowering a cyber-secure organization, it's going to be tougher to do.
Dave Bittner: [00:18:30] And it does strike me that it has been a bit of a shift, that in years past, you know, the IT department, the security folks, it was up to them to handle these sorts of things. And it was their responsibility. And it seems to me like this has shifted to being a company-wide responsibility these days.
Paige Schaffer: [00:18:50] You know, it really is. It could be anything from - well, first of all, everything that we trade in is information - and so whether it's employees coming on board with human resource information on employees, whether it is client information that's out there, selling to particular audiences. It's not only about kind of the technical cyber threat, it is about information security. So now, you know, you've started to see over the past couple of years, you have clear delineation between kind of IT infrastructure and info security. And so you see more and more roles in larger companies that have huge divisions that are really looking after the information that they are responsible for.
Paige Schaffer: [00:19:38] The other thing I thought that was interesting is - and also not surprising - is that almost 75% of the cases that have happened where identity theft is concerned, they are cyber vulnerabilities. So it is - folks are getting information online through computers, through software. And I think that there is a little bit of delusion around folks that say, oh, well, I've got antivirus software. Well, antivirus software doesn't necessarily protect you from an identity theft.
Dave Bittner: [00:20:11] There were a few things in the report that were really surprising to me. One of them was that the victims were most often college graduates. That's counterintuitive to me.
Paige Schaffer: [00:20:24] It's true. Most are college graduates. And I would say that we have a large percentage of seniors that are victims as well. Identity theft thieves are going to make it easier for themselves. And I would say college graduates and as well as seniors, if you look at the age range now, those college graduates today are very dialed into social media. And all sorts of things on social media - whether it's Facebook, whether it's Snapchat - all of these things, they're engaging in sharing lots of information. And so putting that information out there makes it easier for identity thieves to kind of piece together a profile that - whether you have your birth date or graduation or where you're from, your address that you're sharing on a particular social media site, and then they go after credit card information or tie that with birth date - it just makes it easier.
Paige Schaffer: [00:21:26] I think there's some different tactics that folks take with seniors in that they're maybe not as technically savvy, but they are a little - you know, if I think about my mother, who's very active on email and the web, quick to say, hey, this looks serious. Should I share this information? Now she's got a daughter that works in this business. So she's gotten better about saying, hey, I probably shouldn't do this. And - but there are a lot of folks that, quite frankly, thieves are savvy about and kind of scare them into, well, if you don't do this, you're - you know, the latest was the IRS scam, where we've got a warrant out for your arrest kind of thing.
Dave Bittner: [00:22:10] Right.
Paige Schaffer: [00:22:10] I think the other thing that was really kind of glaringly interesting in this study is when you think about all of the types of losses experienced by victims - financial loss, property loss, reputational damage - by far it is emotional distress that's most frequently reported by victims. So over 80% ranging from medium to high levels of really truly emotional trauma. So where almost 50% felt like they had a medium level of emotional distress, another 32% experienced really high level of emotional stress. And this is in sync with - we also, Generali, we conducted a survey, a global cyber barometer survey, early this year in February. And over 82% of global respondents consider a cyberattack extremely stressful. And almost 50% of respondents wouldn't know how to fix their situation if they were compromised.
Paige Schaffer: [00:23:18] So again, really another reason why full-service resolution services are important and really knowing what next steps to take so you can alleviate some of that stress. Again, I would kind of hammer home how important it is that organizations are really working towards a culture that embodies cyber safety. And those that don't will just increasingly fall further behind as those criminals get more and more sophisticated. So I would say for these market sectors, we see an opportunity to leverage today's age of data breaches and the need for information security by really providing their members, customers, employees with identity protection services. They can really differentiate themselves while also creating a culture of information security from within. And we see that to be a win-win.
Dave Bittner: [00:24:16] That's Paige Schaffer. She's CEO of Generali Global Assistance's Identity and Digital Protection Services global unit. And we were discussing the University of Texas ITAP report.
Dave Bittner: [00:24:31] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:44] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.