CyberWire Daily - Another speculative execution flaw. LokiBot evolves. APT41 moonlights. Scammers exploit tragedies. Black Hat notes.
Episode Date: August 7, 2019
A new speculative execution processor flaw is addressed with software mitigations. LokiBot gets more persistent, and it adopts steganography for better obfuscation. The cyber-spies of APT41 seem to be... doing some moonlighting. An accused criminal who bribed telco workers to unlock phones is in custody. Scammers are exploiting the tragedies in El Paso and Dayton. And a call at Black Hat for the security sector to bring in some safety engineers. Ben Yelin from UMD CHHS on Virginia updating legislation to address Deep Fakes. Guest is James Plouffe from MobileIron on the challenges of authentication and the legacy of passwords. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
A new speculative execution processor flaw is addressed with software mitigations.
LokiBot gets more persistent and it adopts steganography for better obfuscation.
The cyber spies of APT41 seem to be doing some moonlighting.
An accused criminal who bribed telco workers to unlock phones is in custody.
Scammers are exploiting the tragedies in El Paso and Dayton.
And a call at Black Hat for the security sector to bring in some safety engineers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 8th, 2018.
Bitdefender has warned of a new speculative execution flaw in Intel processors that isn't
addressed by the measures taken to mitigate Spectre and
Meltdown. The vulnerability could enable a side-channel attack that abuses the SWAPGS system
instruction. The vulnerability could expose data in privileged portions of the kernel memory,
including passwords, tokens, private conversations, encryptions, and so on.
Bitdefender disclosed the vulnerability to Intel last August.
The chipmaker decided to address it at the software level,
and Microsoft coordinated patches to mitigate the issue.
Security firm Trend Micro finds that LokiBot has grown more persistent
and also added steganographic obscuration features.
Steganography is the art of concealing a message,
or in this case malicious code, in an image.
LokiBot is still the information stealer it's been
since it first came to researchers' attention
when it appeared on the black market in 2015 and 2016.
TrendLab says LokiBot continues to be actively traded in these online markets
and that it can be expected to remain an active threat for a long time.
Our correspondents at Black Hat have been following FireEye's report
on a Chinese government threat group, APT41.
The security firm's research, published to their website this morning,
gives some insight into the interpenetration of criminal groups and espionage services.
This has been seen before, especially in the relationship between Russian security services
and cyber-criminal gangs in that country.
There, it's more like a protection racket.
You get to run your criminal enterprise, provided you hit the right targets
and stay away from the ones that are off-limits, and provided you accept the occasional tasking.
At other times, it's more like moonlighting, which is what seems to be the case with APT41.
Members of the group execute both espionage
and financially motivated crime.
At Black Hat last night,
FireEye's John Hultquist and Barry Vengerik
summarized and answered questions
about their company's report.
APT41 is known for targeting the video game industry,
which the researchers believe is due to gamers in the group making some coin on the side from their hobby. FireEye said
they've detected a significant shift in the group's activities that took place in late 2015
when the hackers moved away from intellectual property theft and toward strategic intelligence
gathering from multiple different industries. Those industries included healthcare, telecoms, high-tech companies, and software supply chains.
But APT41 has continued to target the video game industry,
not normally conceived of as having national strategic importance.
The operators seem to be pursuing personal financial gain,
although the researchers noted that it was strange that the Chinese government would allow them to use the tools used for serious state-sponsored campaigns
for personal reasons. Once a tool is used, you can usually consider it blown, and it seems unlikely
you'd want to risk that to scoop up what you need to sell skins or loot boxes. But perhaps the
Moonlighters are freelancers, in which case, heaven forgive them, because the Ministry of State Security won't.
Or perhaps the tools are already blown, and the Ministry doesn't care, regarding the whole thing as something the operators are welcome to do off the clock.
Maybe it even keeps their skills up.
How many times a day do you enter a password, and would you feel more or less secure if entering passwords
became a thing of the past? James Plouffe is a strategic technologist with security firm
MobileIron, and he shares these thoughts. Like many things in technology, there are certain decisions
that are hard to walk back after you've made them, and passwords, I think, are one of those.
We didn't have a better solution
for a long, long time. It was the only thing that was available to us. But one of the interesting
things that's emerged now with the ubiquity of mobile devices, and in particular, biometric and
other sensors that exist on them, we start to have better ways of doing authentication and proving identity at our
disposal. So we're kind of at an inflection point in the technology landscape where we finally have
some resources to start approaching things differently than we have done in the past.
And so I think that that's where we're at today. Yeah. I mean, I have to say, as an iOS user using Face ID and before that Touch ID, I find them to be both convenient and secure.
Is that the direction you think we need to head in?
Yeah, absolutely.
And I think what you hit on just there, Dave, is an excellent point.
For a long time, security and convenience have had a particular tension, right? If you think about, in particular, the case of passwords,
there's been a tendency of folks to reuse passwords
because remembering a lot of passwords is difficult
and that helps contribute to some of the risk
that passwords create.
So if you think about something like Face ID,
it does a very accurate 3D model of your face.
So you can get very strong authentication,
but it's very easy for you as a
user, right? You just hold the phone up and it does its thing and things just sort of automagically
work. And I was a relatively late upgrader to the iPhones that supported Face ID. And I was actually
a little bit cagey coming off Touch ID. I was like, how is this possibly going to work as well?
How am I going to live without a home button?
But I had it for a day, and I was like, why did I ever use a home button?
My experience was pretty much the same.
You know, when you combine that with some of the other capabilities that are out there
for technology providers, the advent of things like online ID proofing services, where
not only can you take advantage of the biometric sensors on the devices, but you're able to use
things like the cameras to scan government issued photo IDs. Before I got on the flight to get where
I am doing check in, I had to do passport verification, but I didn't need to stop by the
desk at the airport to do that. Just when I opened up the app, it said, please take a picture of your passport. And it confirmed that
I was the right passenger and it streamlined that whole thing. When you combine all those things
together, you really do start to get to a point where you have some pretty attractive options for
security. It strikes me that it seems like we're lagging on the desktop. You know, there are,
I guess there are some computers now that are having things like
Touch ID, but we're not really seeing the same progress on the desktop.
Where do you think that's heading?
Is it going to be, will our mobile devices connect with our desktop devices?
Will the desktop devices integrate this sort of hardware?
Where do you think we're headed?
That's an interesting question.
I think, you know, we'll probably see a little bit of hardware. And as you know, we have seen some of
that with some vendors. But I think there's two interesting dynamics at play. One is the fact that
folks typically always have their mobile device with them, and they already have this hardware.
So using a mobile device as kind of the authenticator external to your laptop is something that can work pretty well because we also have ways to transmit that data over things like Bluetooth and so on. devices compared to PCs and desktops. And it's actually eight times more data is coming from
mobile devices than from PCs and a Cisco survey where they kind of project what the internet
utilization is, you know, more than just having to figure out how we solve the question of how
we authenticate on laptops and desktops. I think you'll actually see more and more things just move to a pure mobile world. I know that I don't spend a lot of time on my laptop these days. I'm either using,
you know, an iPad or an iPhone. And I think we'll continue to see that trend, you know, progress.
Do you see us heading towards a time when we jettison the use of passwords altogether?
I think the limitations of passwords
have been well understood for a very long, long time.
And I think as we kind of discussed earlier,
it's been difficult to move away from that decision.
But when you look at some of the standards efforts
coming out of folks like the FIDO Alliance,
the fact that they've just submitted WebAuthn
to the W3C for ratification. You know,
we start to see opportunities to take advantage of the biometrics, to use things like cryptographic
challenges instead of passwords. Like all things in technology, the transition will probably be
slower than we want, but it's definitely headed the right direction. And I think a lot of the
right folks are thinking about this. And even today, if you look at technologies like Windows
Hello supports FIDO authentication. So it's possible to do not just authentication to your
local laptop, but also then take advantage of those capabilities for things like single sign-on to other services
that integrate with Microsoft Hello. As much as we would probably like it to be tomorrow,
at least it's heading the right direction. That's James Plouffe from MobileIron.
The leader of a conspiracy to unlock AT&T phones has been extradited from Hong Kong to the United
States. The U.S. Justice
Department announced yesterday that it had indicted a Pakistani national, Mohammad Fahd,
with conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud
and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in
furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.
Fahd allegedly bribed workers at AT&T's facility in Bothell, Washington,
to disable AT&T proprietary locking software on customers' phones.
This would enable the unlocked phones to be used in any compatible network.
Since AT&T subsidized a substantial cost of phones for customers in service contracts with the company,
unlocked phones are valuable commodities.
Fahd is also alleged to have bribed AT&T employees to enable him to install malware in customers' phones.
Three of his alleged co-conspirators have already pleaded guilty.
Hong Kong authorities shipped Mr. Fahd stateside on August 2nd.
Scammers are already exploiting the shootings in El Paso and Dayton.
In the wake of any significant event, happy or tragic,
scammers crawl out from under the rocks to exploit the well-intentioned, the curious, and the gullible.
This past week's events have been tragic,
and criminals are losing no time in trying to turn a profit from the news of the killings in Texas and Ohio.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA,
warned yesterday that criminal campaigns designed to do just that are already in progress.
Be particularly wary of emails whose subject lines allude to either or both tragedies,
but also be aware, as CISA cautions,
that scammers won't confine themselves to email.
Quote,
Be wary of fraudulent social media pleas,
calls, texts, donation websites,
and door-to-door solicitations related to these events.
Sadly, that's good advice.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's always great to have you
back. The article came by from The Verge, and this is about Virginia instituting, or I guess
updating, their revenge porn laws to cover deep fakes. What do we got going on here? Yeah, so back in 2014, Virginia
first enacted a statute to ban the use of revenge porn. So they defined it as nude videos with the
intent to coerce, harass, or intimidate another person. What they just passed earlier this year
in their legislative session, and it just went into effect very recently, is that an image or video falsely created,
which we think refers to deep fakes, but also potentially something just like a plain
photoshopped image or a faked image, would also violate that law. This is a part of a criminal statute. So under this statute, you could subject yourself to imprisonment or a relatively large fine.
This is the first legislation, I believe, nationwide that applies revenge porn statutes
to deepfakes.
And I think the Virginia legislature is ahead of the curve in realizing that the use of these faked images
can be just as exploitative as the use of regular revenge porn. And this is activity that the person
who's being shown on one of these videos or images has not even participated in voluntarily or
involuntarily. So I think it's a good addition to what was already a strong statute on revenge porn and signals that there is now interest among both federal and state legislatures in trying to regulate this phenomenon of deep fakes.
Do you suspect this sort of thing will make its way across the country, or could we see action on a federal level?
So there have been whispers about action at the federal level.
There's some bipartisan support.
This article mentions a bill introduced by a Republican senator and Democratic House member that would institute some regulations on deepfakes.
Texas passed its own law on this, but the law in that case deals with our political system and not with non-consensual pornography, which is the basis of the Virginia
statute. So I think Virginia really could be setting a trend here, especially as this issue
becomes more prevalent, these videos become more prevalent, people's knowledge of the fact that
some of what they view on the internet may be a deepfake. It's just starting to get ingrained in our minds that we shouldn't believe everything we see coming out of a person's mouth on a video. I think as that starts to get ingrained in our minds, our lawmakers are going to take notice and are going to take action. And I think Virginia has done the country a service in providing a model statute to accomplish that goal.
There's certainly been a lot of attention to this issue.
And I suppose, I mean, it's natural for it to sort of bleed over into the political arena as well.
Yeah. So there's been a viral video that's gone around over the past year or so that has former President Obama giving a speech
that he never actually gave. But the deepfake technology is so advanced at this point that it
really looks like he's giving that speech. And this can be really dangerous. I mean, we've seen
the spread of so-called fake news over the past several years. People are seeing things come
across their social media feeds that have been created out of whole cloth or have been doctored in some way. And this can distort
people's view of their own political leaders and our own political system, and can really be
detrimental to democracy. If people don't have proper information on what's real and what's fake
and what their political leaders have actually said
and what they were purported to have said, then that can really affect the functioning of our
democracy. So even beyond the issues discussed in this Virginia statute, I think there's going to
be a big debate as to how we can sanction or in some way regulate these deepfake videos.
Ben Yellen, as always, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your
company safe and compliant. And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol
Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer
Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.