Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick announcement that we have opened up our 2020 CyberWire advertising calendar, and historically, it sells out fast. So if advertising on the CyberWire is something you're considering, now would be the time to reach out. Head on over to our website, thecyberwire.com, where you can request a sponsorship kit. And of course, we thank all of our sponsors for making our show possible.
Dave Bittner: [00:00:26] Iranian threat group Phosphorus, or Charming Kitten, has been found active against U.S. elections and other targets. A big database of PII on Brazilians is up for auction on dark web markets. Prince Harry takes a legal whack at Fleet Street. An Atlantic Council session takes a look at electrical infrastructure cyber risk. An Alabama medical system pays the ransom to get its files back, and HildaCrypt's developers say it was all fun and release their own keys.
Dave Bittner: [00:00:59] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats, and when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire, and we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:23] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 7, 2019. At the end of last week, Microsoft warned that a threat group it calls Phosphorous and that others called Charming Kitten or APT35 is already actively working to effect the 2020 U.S. presidential election. Phosphorus is Iranian and linked to the Iranian government. The principal target appears, Reuters reports, to be President Trump's campaign, and the activity seems to be in its reconnaissance phase. The threat actor's targets are not exclusively campaign operations. Journalists, government officials and Iranian expatriates are also of interest to Phosphorus.
Dave Bittner: [00:03:06] There were apparently four successful account compromises in the campaign, none of which affected either campaigns or journalists. Comment on the Iranian work has tended to say that Tehran has apparently learned from Moscow's playbook, or at least St. Petersburg's. In some ways, this seems correct - false persona, amplified messaging, an attempt to compromise influential accounts and so on - but in another respect, the campaign differs from those that have emanated from Russia.
Dave Bittner: [00:03:35] Russian influence operations have tended to have simple disruption as their aim, with their strategic objective being to widen pre-existing fissures in the societies they target, with a view to eroding trust in those societies' institutions. Such a purely negative objective would seem to be easier to achieve than influencing a society or its leaders in a particular direction. That's what Tehran appears interested in doing. It would apparently welcome a more predictable and tractable American administration. In this respect, the Iranian style in influence operations resembles China's more than it does Russia's.
Dave Bittner: [00:04:13] Teiss reports that a cybercriminal going by the name X4Crow is auctioning what they claim is 16 gigabytes SQL database, holding personal information on about 92 million Brazilian citizens. The data are the usual identity theft gold - names, dates of birth, taxpayer IDs, gender and mothers' names.
Dave Bittner: [00:04:35] Prince Harry is suing the News Group Newspapers and MGN Ltd., alleging, according to reports in The Guardian, that the papers were responsible for phone hacking that invaded his privacy. It's an old incident. The Duke of Sussex is claiming damages from hacking the tabloids are said to have committed against Royal phones between 1994 and 2011. The New York Times published a wrap-up of the incident almost a decade ago, so why now? The Duke of Sussex has his hackles up at press treatment of his duchess.
Dave Bittner: [00:05:07] Speakers at an Atlantic Council event last week warned that cyberattacks on power infrastructure are now a present risk and no longer just a theoretical possibility. Discussions stress the importance of visibility into the systems that deliver power and that visibility should extend from the sensor level through utilities' customer-facing business systems. It should also include the power industry supply chain, as former U.S. Homeland Security Secretary Michael Chertoff argued. The utilities don't operate in a vacuum, he pointed out. They themselves depend upon transportation, telecommunications and other suppliers to actually operate and provide power. Attacks against that supply chain can disrupt the services the utility companies provide.
Dave Bittner: [00:05:52] Siemens released the findings of a survey conducted in partnership with the Ponemon Institute, which found that 54% of utilities professionals expected an attack on critical infrastructure within the next 12 months, while only 42% rated their organization's cyber readiness as high. Additionally, 56% of the respondents said they had experienced an attack in the past 12 months that led to the loss of sensitive information or an outage in the industrial environment. The study was based on a survey of 1,700 utility professionals around the world, and it touched on risks to electrical power and water distribution utilities. In general, the utilities are aware of the risk; the task now is to plan to manage it.
Dave Bittner: [00:06:37] The Tuscaloosa Post says the DCH Health System unlocked ransomware encrypted files by paying the extortionists. When the FBI last week warned that ransomware had become a matter of high concern because of its high impact, a number of media outlets fastened on to what they took to be the bureau's change of heart concerning the wisdom of paying ransomware. That's not actually what they said. The bureau did say that while organizations should evaluate all their options, in general, paying the ransom was a bad idea. There's no guarantee the hoods will actually give you a decryptor that works. In fact, the ransomware is nowadays often, really, a wiper. While in the early days of ransomware it seemed that payment often did indeed get you a decryptor that worked, that hasn't been true recently.
Dave Bittner: [00:07:22] There's also the downside that paying ransom simply fuels a bandit economy. You tend, after all, to get more of the behavior that you reward, and that's as true of ransomware as it is of problems that range from the horrific, like terrorism, to the merely irritating, like the squeegee kids at the corner of Pratt and President here in Charm City. What the bureau does advise is that you tell them, if you've been hit by ransomware, whatever actions you take to recover. In this case, the DCH Health System seems to have rolled the dice and come up with a lucky seven - pricey, but at least they got their data back.
Dave Bittner: [00:07:57] The developers of the HildaCrypt ransomware strain, which they told Bleeping Computer was never used against anyone, has released the decryption keys to his work. That way, should any script kiddies get ahold of the code and use it against anyone, anyone can decrypt their files. It was never meant to do any harm, they said, characterizing it as more of an educational initiative. If so, it seems a singularly ill-conceived educational initiative, like new math or caning in old British public schools. At any rate, the HildaCrypt masters say they now intend to turn their attention to more conventional and benign activities. Good call.
Dave Bittner: [00:08:40] And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:09:35] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:09:44] Hi, Dave.
Dave Bittner: [00:09:44] A story came by via Vice and Motherboard.
Joe Carrigan: [00:09:48] Yeah.
Dave Bittner: [00:09:49] This is from Joseph Cox. And the title is "Legit-Looking iPhone Lightning Cables that Hack You Will Be Mass Produced and Sold."
Joe Carrigan: [00:09:57] Right. This is from MG, who is demoing these at Def Con, I think, this year.
Dave Bittner: [00:10:03] Yep.
Joe Carrigan: [00:10:03] And selling them for $200 a pop.
Dave Bittner: [00:10:05] And what are we talking about here?
Joe Carrigan: [00:10:06] This is a lightning cable. It looks like a lightning cable. It acts like lightning cable. It does everything a lightning cable does. But it also has a Wi-Fi access point built into it. I mean, that's one of the benefits, I guess, of miniaturization, is we can now build a - essentially, a USB cable that is capable of running a Wi-Fi hotspot on it as well.
Dave Bittner: [00:10:29] And this looks exactly like a Apple-branded...
Joe Carrigan: [00:10:34] It does.
Dave Bittner: [00:10:34] ...lightning to USB cable.
Joe Carrigan: [00:10:36] It looks very, very similar. MG is saying that he's doing this completely transparently and out in the open and letting everybody know that these things are there. And that's true, to his credit, that he is doing that. He's not covering it up, not making - not being surreptitious about it. Hak5 will be selling them. Hak5 is the company that sells, like, the Wi-Fi Pineapple and other hacking tools. So seems like a legitimate vendor for these things. But the end result is that - I got to tell you, Dave, we're at a point now where if you don't buy your USB cables from a reputable source, then you shouldn't trust them. I would say you can't trust your lightning cable unless you buy it directly at an Apple store.
Dave Bittner: [00:11:17] Yeah, I guess I have mixed feelings about the availability of something like this and - because of how deliberately it's trying to look like a legit cable.
Joe Carrigan: [00:11:27] Right.
Dave Bittner: [00:11:28] Which I - which, of course, is part of the point here.
Joe Carrigan: [00:11:30] Correct.
Dave Bittner: [00:11:31] I can imagine it wouldn't be that hard for someone to buy a real Apple cable, take it home, swap it out for one of these, return it and have it be put on the shelf at their local Apple store.
Joe Carrigan: [00:11:44] That's a good point.
Dave Bittner: [00:11:45] Yeah.
Joe Carrigan: [00:11:45] Good point.
Dave Bittner: [00:11:47] Do you have any issues with the fact that these types of things are being sold at all?
Joe Carrigan: [00:11:53] I understand your concern with it. I generally don't. Maybe I'm missing something here, but I think it's - somebody is going to make these things, period.
Dave Bittner: [00:12:04] OK.
Joe Carrigan: [00:12:04] The fact that these are readily available and being talked about openly is better than somebody making them and not talking about them. And I think that's a bigger danger. Because these things have a Wi-Fi access point in them, they are detectable because they're going to have to emit some kind of Wi-Fi.
Dave Bittner: [00:12:20] Yeah.
Joe Carrigan: [00:12:20] Right? And you can probably see them on a Wi-Fi analyzer. But nobody's going to do that, right?
Dave Bittner: [00:12:25] Well, and how many - yeah. I mean, open up your Wi-Fi anywhere, there's going to be a dozen devices that are beaconing and, you know...
Joe Carrigan: [00:12:32] Correct, but there's...
Dave Bittner: [00:12:33] ...They're all going to have random names.
Joe Carrigan: [00:12:34] Yeah, but then you have - if you plug this thing in, you'll see, hey, there's a new one, and this signal strength is strong.
Dave Bittner: [00:12:39] Yeah.
Joe Carrigan: [00:12:40] Chances are this is a malicious cable. But by then, it's probably too late, right?
Dave Bittner: [00:12:44] Right.
Dave Bittner: [00:12:46] Right.
Joe Carrigan: [00:12:46] So maybe just plug it into a wall adapter first. I don't know. But, I mean...
Dave Bittner: [00:12:50] So that's going to become part of our routine.
Joe Carrigan: [00:12:52] Right.
Dave Bittner: [00:12:52] Yeah - no.
Joe Carrigan: [00:12:55] But no. It's not.
Joe Carrigan: [00:12:55] It's also not going to become part of our routine to X-ray these cables and make sure they're good, right?
Dave Bittner: [00:12:58] Yeah.
Joe Carrigan: [00:12:59] We've talked about doing that before - taking them over to the TSA and letting them do that (laughter).
Dave Bittner: [00:13:02] Yeah. I guess - yeah. The trouble I'm having is that - the fact that there is no labeling on this, which I understand is the point (laughter).
Joe Carrigan: [00:13:09] Right. Right. I get your concern.
Dave Bittner: [00:13:13] Yeah.
Joe Carrigan: [00:13:13] I get your concern, 100%.
Dave Bittner: [00:13:14] Yeah.
Joe Carrigan: [00:13:14] It is not an invalid concern. And I'm not 100% married to my position on this, either, you know, that this is cool, and it's neat that they're making it. And Hak5 does this kind of thing. You know, they...
Dave Bittner: [00:13:27] It's not the only type of tool in this sort of brand of tools.
Joe Carrigan: [00:13:30] Right.
Dave Bittner: [00:13:30] I mean, there's all kinds of similar things that...
Joe Carrigan: [00:13:33] Yeah. If you go to Hak5's website, you can get a Wi-Fi Pineapple that'll let you - which will let you spoof other people's Wi-Fi. That's what the device does, among other things. So - but this is an interesting one.
Dave Bittner: [00:13:45] The fact that it's being mass-produced so the price comes way down...
Joe Carrigan: [00:13:48] Right.
Dave Bittner: [00:13:49] ...Which greatly increases the possibility that you could find yourself subject to one of these.
Joe Carrigan: [00:13:54] Right. Imagine these things costing less than an actual lightning cable for Apple, right?
Dave Bittner: [00:14:01] (Laughter) Right. Yes. Right.
Joe Carrigan: [00:14:02] And now I sell them on Amazon and in my local area - right? - because I can kind of localize where I'm going to sell them.
Dave Bittner: [00:14:09] I'm just imagining just leaving these things around on - at trade shows.
Joe Carrigan: [00:14:13] Even better.
Dave Bittner: [00:14:14] Just leaving them around because - I think you and I have talked about before - if you leave one of these in the lunchroom at your office...
Joe Carrigan: [00:14:21] It's gone.
Dave Bittner: [00:14:21] ...For a couple days, it is gone.
Joe Carrigan: [00:14:22] Right.
Dave Bittner: [00:14:23] Somebody's going to notice it, and within a couple of days, if you don't grab it, someone else is going to.
Joe Carrigan: [00:14:28] Exactly.
Dave Bittner: [00:14:28] Because, ooh, a free lightning cable.
Joe Carrigan: [00:14:30] That's right.
Dave Bittner: [00:14:30] And that's the point.
Joe Carrigan: [00:14:31] Yep.
Dave Bittner: [00:14:32] And I don't - I'm not sure how you fight against that.
Joe Carrigan: [00:14:35] Yeah.
Dave Bittner: [00:14:35] Like you said, you buy your own, and - I don't know - mark them with a Sharpie so you know yours are yours. Ugh, I'm just going to lock myself in a room somewhere and never connect...
Joe Carrigan: [00:14:44] I'm going to get a flip phone.
Dave Bittner: [00:14:46] Like - right. Yeah. Get my - pull my abacus out of the closet.
Joe Carrigan: [00:14:50] Right.
Dave Bittner: [00:14:50] Do all my computing that way.
Joe Carrigan: [00:14:51] Build a log cabin in the woods of West Virginia.
Dave Bittner: [00:14:54] Yeah, that'll go well.
Joe Carrigan: [00:14:55] Right (laughter).
Dave Bittner: [00:14:56] All right. Well, I'm curious to hear what our listeners think about this.
Joe Carrigan: [00:15:00] Yeah.
Dave Bittner: [00:15:01] It just - you understand my discomfort.
Joe Carrigan: [00:15:03] I absolutely understand your discomfort, yes.
Dave Bittner: [00:15:05] And yet I understand the legitimate uses of this.
Joe Carrigan: [00:15:08] And this does oog (ph) me out a little bit.
Dave Bittner: [00:15:10] There's just something about it that - it's a mild discomfort that I just can't seem to shake. And maybe the problem is me, not the device. But...
Joe Carrigan: [00:15:18] I don't know, Dave. I don't think it's you.
Dave Bittner: [00:15:19] (Laughter).
Joe Carrigan: [00:15:19] I think the problem is that we're seeing so much now that we're just learning we can't trust anything. We have these things. We have deepfakes. We have other things that you would - you think you can trust, but you just can't trust them.
Dave Bittner: [00:15:30] Right, right. Because what we all need is another source of low-level anxiety in our lives.
Joe Carrigan: [00:15:35] (Laughter) Right, exactly.
Dave Bittner: [00:15:37] Right? Yeah.
Dave Bittner: [00:15:40] All right.
Joe Carrigan: [00:15:40] I don't know what this is going to do to us, evolutionarily. I'd like to know.
Dave Bittner: [00:15:42] Yeah, I don't know. All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:15:46] It's my pleasure, Dave.
Dave Bittner: [00:15:52] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:16:04] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:16:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.