CyberWire Daily - BlueKeep proofs-of-concept. BeiTaAd plug-in is a serious Android pest. Cyber espionage against the EU’s Moscow embassy. Influence operations. A motive for GPS spoofing?
Episode Date: June 6, 2019
BlueKeep proof-of-concept exploits have been developed, and people are urged to patch. An annoying, disruptive advertising plug-in comes bundled with a couple of hundred Android apps in the Play Store.... The EU’s Moscow embassy seems to have been the focus of Russian cyber espionage since 2017. Influence operations feature a small core of sites surrounded by many amplifying accounts. A possible motive for GPS spoofing. Johannes Ullrich from SANS and the ISC Stormcast podcast on Google throwing their weight behind MTA-STS, a protocol to make e-mail more secure. Guest is Josh Stella from Fugue on security and compliance in cloud infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
BlueKeep proof-of-concept exploits have been developed and people are urged to patch.
An annoying disruptive advertising plugin comes bundled with a couple of hundred Android apps in the Play Store.
The EU's Moscow embassy seems to have been the focus of Russian cyber espionage since 2017.
Influence operations feature a small core of sites surrounded by many amplifying accounts,
and a possible motive for GPS spoofing.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 6, 2019.
Microsoft and NSA, among others, have been urging users to apply Microsoft's patch for the BlueKeep vulnerability. BlueKeep, to review, is a remote desktop protocol vulnerability, CVE-2019-0708,
that afflicts older but still widely used versions of Windows systems.
Several researchers independently say they've seen BlueKeep proof-of-concept exploits.
For the most part, they're not sharing these with the wide world,
but instead they're hoping the demonstrations will motivate people to patch.
The worries around BlueKeep are that it's well adapted to use by worms that could propagate themselves across the internet the way WannaCry did a bit more than a year ago.
File this one under I for irritating.
Lookout Security has taken a look at the Android apps hawked in the Google Play Store,
and it's noticed to everyone's dismay that far too many of those apps,
like around 230 of them, have a bundled advertising plug-in.
And installing this one is a little like inviting some wide boy,
some fairground snake oil barker, into your life.
Quit it.
The plug-in at issue is BeiTaAd, and it sounds positively maddening.
It's not as if this is just mildly irritating, but not really a problem.
No, it's a problem.
BeiTaAd uses obfuscation, normally seen in malware,
to help obtrude itself into users' attention,
bypassing some of the protections you might have in place.
Once it's in, it yammers wildly across lock screens,
hoots video ads while the phone's supposed to be asleep,
and when you yourself might be asleep or otherwise occupied, and so forth.
More than 440 million devices are believed to be infested.
BeiTaAd can be hyperactive enough to render a phone effectively unusable.
Seriously, quit it.
Anywho, Lookout sees a depressing trend here.
It's the old familiar offense-defense seesaw.
Lookout says, This BeiTaAd plugin family provides insight into future development of mobile adware.
As official app stores continue to increase restrictions on out-of-app advertisements,
we are likely to see other developers employ similar techniques to avoid detection.
End quote.
And that's just great.
Seriously, stop it.
And now, for real, here's something you'll really like.
Say, friend, would you like to take a chance on a swell prize?
Well, step right up and take our listener and reader survey at thecyberwire.com slash survey.
Help us improve the quality, relevance, and value of our content.
The survey is short, and it should take you less than five minutes or so to complete.
And of course, your participation is completely voluntary, anonymous, and confidential.
What can you win?
Well, could we interest you in a pen, a pad, a sticker,
or even a swell CyberWire pint glass made out of real glass?
Act now.
TheCyberWire.com slash survey.
As organizations move their assets to the cloud,
keeping up with security and compliance issues can be challenging, to say the least.
Josh Stella is co-founder and CTO of Fugue,
a cloud infrastructure automation and security company.
He advocates a testing technique called chaos engineering.
Cloud is a very different place than the data center.
In the data center, security was usually imposed in the form of a perimeter,
you know, having the corporate network,
making sure there were intrusion detection systems and firewalls properly configured and changes to those configurations
were done via change control boards. You know, there was a process. Well, the cloud has really
kind of turned this on its head because in the cloud, a developer can build a new network in
literally seconds and can change it in seconds. You're no longer putting in a purchase request,
filling out forms. You're just hitting an API call that says, give me a network, or give me compute instances.
And so what are the real world implications of that in terms of standing up defenses?
Gartner published, I don't know, a couple of years ago now, that somewhere between 80 and 90% of data breaches on the cloud are due to misconfiguration of cloud resources
by the customer using that cloud. It's pretty easy to go find lots of headlines about, you know,
millions of people's personal records being publicly exposed on the internet, for example,
because somebody configured an S3 bucket and flipped one little switch out of the
thousands and thousands of possible configurations that said, make this open to the world. And this
happens over and over again. And that's a pretty serious real world, you know, implication.
Now, one of the things that you speak of, and I suppose champion is this notion of chaos
engineering.
Can you describe to us what does that mean? Chaos engineering was made famous by Netflix
several years ago. And the idea was randomly break stuff. And if your system is architected
correctly, it will continue to function. They famously put out a tool called Chaos Monkey that would go and
take down servers. And so in the Netflix infrastructure view of the world, it's often
called immutable infrastructure. The system as a whole should recover from that. A new server should
appear to fill in the role of the old one. You cannot predict what's going to happen in the
production environment. You can try, but you're going to fail.
You cannot predict what's going to go wrong, when it's going to happen.
But the way chaos engineering applies to security is let's go open dangerous ports in the firewalls.
Let's go turn on public access to things that should be hidden.
Let's go do all kinds of things randomly to the environment, remove tagging
from things so that they disappear from security monitors and cost monitors. Let's just go do
destructive things to the infrastructure. And if we have a really resilient system,
those things will be corrected very quickly. And that's a big part of what Fugue does. We have
the ability to give our customers
self-healing infrastructure. So it's really a sophisticated kind of stress test, I suppose.
That's a pretty good description. And just like a stress test, you don't know what's going to
happen until you try it. I think that's a pretty good description. A lot of what folks are doing
now around security is they're guessing
what's going to go wrong and build scripts to look for that or have monitors watching for things that
are predictable that could go wrong. But what they're missing is bad guys are really creative,
right? And so are developers. So are good guys who don't mean to do harm, but might by accident.
And so you simply can't predict everything that's going to go wrong. So that stress test idea is right. You push the system and see what actually fails that you're
not handling. It's a really different way of thinking about infrastructure and security and
configuration and not something you could do in the data center because humans had to go out and
do the work. Now because of these APIs, the same things that give the developers
the ability to get things wrong, it gives security the ability to automate getting it right.
That's Josh Stella from Fugue. The EU's mission to Moscow suffered a long-running,
sophisticated cyber espionage event that began in February 2017 and continued through its discovery in April, BuzzFeed reports.
Russian organizations, probably intelligence services, are believed to be behind the attack,
which netted the hackers an undisclosed haul of information.
The EU did not disclose the incident, evidently not wishing to roil political waters on the eve of European elections,
in which Russian influence operations became
a sensitive matter.
It's worth reviewing, in this context, Symantec's reports on Russian influence operations in
the 2016 U.S. elections.
The report indicates Moscow's efforts to have been more extensive, more patient, and more
balanced ideologically than previously assumed.
A core group of main accounts, often bogus news services,
was supported by a very large number of auxiliary accounts responsible for amplification.
Messaging was designed to appeal to left and right roughly equally, with the most disaffected
partisans most heavily targeted. So the playbook appears to be, roughly speaking, this. Establish some core accounts, place divisive messages designed to inflame the disaffected,
and then amplify the messages with herds of ancillary social media accounts.
Symantec thinks the accounts were heavily automated, lots of bots,
but that the automation was designed to be tweaked and steered by human operators
to adjust to events, responses, and newly perceived
opportunities. Insofar as there is a common denominator among the accounts, it's inauthenticity,
presenting yourself as something or someone you're not, a concerned progressive, let's say,
or a principled conservative, or whatever suits your disruptive purpose. Because again, the message
isn't important. What's important to the information
operator is disruption, not conviction. This would seem to suggest that bot hunting, looking for and
suppressing coordinated inauthenticity, may offer more promise than the sort of largely algorithm
driven content moderation that YouTube has announced this week, which hasn't succeeded
in pleasing people on any side of any particular
divide. There's been a wave of Russian GPS spoofing since last autumn. Some of it was in
the Baltic region. Some of it was in the Black Sea. C4ISR Network suggests a possible motive for
the Black Sea incidents, at least. It may have been executive protection against drones. The
incidents seem to have been highly correlated with Vladimir Putin's movements,
and there's some speculation that it was intended to keep any hostile drones away from the Russian president.
To close this segment on a serious note, today, of course, is the 75th anniversary of D-Day.
It's being marked by national leaders
and veterans. The veterans won't be with us much longer. The generation that fought the Second
World War is passing swiftly. The nation recently marked another somber milestone with the passing
of the last of the U.S. Army's code talkers. The Navajo, who served in the Marine Corps,
are better known, but the Army also had its secure communications specialists,
17 of whom were from the Mohawk Nation.
The last Akwesasne Mohawk Army code talker,
Louis Levi Oakes, died last week at the age of 94
and was buried on June 1st with full military honors.
Technician Oakes served in the South Pacific, New Guinea, and the Philippines,
and he earned a Silver Star for his valor. Soldier, rest, and our condolences to your family and friends.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
And now a message from Black Cloak. Did you know the easiest way for cyber
criminals to bypass your company's
defenses is by targeting
your executives and their families
at home? Black Cloak's
award-winning digital executive protection
platform secures their personal
devices, home networks, and
connected lives. Because when
executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Institute and host of the ISC Stormcast podcast. Johannes, it's always great to have you back. We wanted to talk today about MTA-STS, which is a protocol that Google seems to be throwing their weight behind. What do we need to know about this?
really tries to solve the problem that we have with the privacy and with the integrity of email.
When it comes to HTTP to browsing the web, pretty much all websites that matter these days are using
HTTPS. And we do have some mechanisms like strict transport security in order to ensure
that any man in the middle can't downgrade us to HTTP.
With email, that's a little bit more complicated.
The problem with email is that the connection that really matters here
is the connection between mail servers.
And of course, as an end user, we don't really have any influence over this.
Now, they came up with a real great way to secure that connection,
and that's
STARTTLS. So if your mail server connects to my mail server, my mail server will tell it,
okay, I'm supporting STARTTLS. Let's switch to TLS. Small problem with that, this initial
negotiation is still in the clear. It's not protected. And there have been ISPs, there have been countries
that essentially just remove that STARTTLS advertisement. So what we really have to do is
we have to figure out, does a mail server support STARTTLS? Should I expect this particular feature
to be enabled? And that's what MTA-STS is trying to solve. And so what's going on here
under the hood? How's it actually working? So what actually happens here is that your mail server
will first do a DNS lookup for a specific record that I have to set up to check does this domain support STARTTLS. If that record exists,
then your mail server will check my website
to then retrieve my STARTTLS policy.
It's not really that hard to set up,
but yes, there are a couple of moving parts.
You have to add that DNS record.
You have to add a specific file to your web server
in order to enable this.
And with Google throwing their weight behind it, does that mean it's likely to gain some
traction?
That's my hope here because we all exchange email with Gmail users at one point or another.
So Google being one of the big mail providers implementing this really, I hope, helps.
The other part of this that Google implemented is if you are supporting this feature, Google will actually send you a report once a day.
A quick summary. It's just a one-line JSON snippet telling you how many email connections Google mail servers established with your mail servers,
how many of them use STARTTLS, how many didn't use STARTTLS.
So that also helps you a little bit find out, do you have your system misconfigured?
Or is actually someone trying to play tricks with some of your systems?
At this point, I think Google is the only large, at least email provider,
supporting this particular part of
this feature. Now, are there any potential issues with backward compatibility or anything
along those lines? Well, for the most part, if a mail server that you exchange email with doesn't
support this feature, it's just being ignored. The one problem, of course, if you are enforcing STARTTLS, then you better make sure it works.
So if now STARTTLS is broken because you forgot to renew certificates, you didn't configure it on all of your mail servers,
then, of course, mail connections will fail if the other side is enforcing this feature.
I see.
All right.
Well, we'll keep track of it.
Interesting development.
Johannes Ullrich,
thanks for joining us.
Thank you.
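As an added illustration of the mechanism Johannes describes (not code from the episode, from SANS or from Google), the Python below models the pieces a sending server works through: the `_mta-sts` DNS TXT record, the policy file served over HTTPS, the enforce-mode decision that makes a broken STARTTLS setup bounce mail, and a summary of the daily TLS-RPT JSON report. The domains, policy id, counts and report contents are constructed placeholders, and the DNS and HTTPS fetches are replaced by inline strings.

```python
import json
# Constructed stand-ins for the _mta-sts.example.com TXT record and the HTTPS-served policy file
STS_TXT_RECORD = "v=STSv1; id=20190606T000000Z"
STS_POLICY_TEXT = ("version: STSv1\nmode: enforce\n"
                   "mx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n")

def parse_sts_record(txt):
    """Return the policy id from a valid _mta-sts TXT record, else None (no MTA-STS)."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_sts_policy(text):
    """Parse the key: value policy body (RFC 8461); raise ValueError if it is unusable."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid version/mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mode %s needs at least one mx line" % policy["mode"])
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_matches(mx_host, policy):
    """True if mx_host matches a policy mx; a leading '*.' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if host == pattern:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]) \
                and "." not in host[:-len(pattern) + 1]:
            return True
    return False

def decide_delivery(mx_host, starttls_ok, policy):
    """Sender-side outcome: enforce mode refuses rather than silently downgrading."""
    if policy["mode"] != "enforce":
        return "deliver"  # testing/none: report only, still deliver
    if not mx_matches(mx_host, policy):
        return "refuse: MX host not permitted by policy"
    if not starttls_ok:
        return "refuse: STARTTLS or certificate validation failed"
    return "deliver"

# Constructed TLS-RPT report in the RFC 8460 JSON shape, standing in for the daily report
TLSRPT_REPORT = json.dumps({"organization-name": "Example Sender", "policies": [{
    "policy": {"policy-type": "sts", "policy-domain": "example.com"},
    "summary": {"total-successful-session-count": 120, "total-failure-session-count": 3},
    "failure-details": [{"result-type": "starttls-not-supported",
                         "receiving-mx-hostname": "mail.example.com",
                         "failed-session-count": 3}]}]})

def summarize_tlsrpt(report_json):
    """Return (successful sessions, failed sessions, sorted failure result types)."""
    ok, failed, reasons = 0, 0, set()
    for entry in json.loads(report_json)["policies"]:
        ok += entry["summary"]["total-successful-session-count"]
        failed += entry["summary"]["total-failure-session-count"]
        reasons.update(d["result-type"] for d in entry.get("failure-details", []))
    return ok, failed, sorted(reasons)
```

A non-zero failure count with `starttls-not-supported` in the daily report is exactly the signal Johannes mentions: either your own STARTTLS configuration or certificate is broken, or something on the path is stripping the advertisement.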
Cyber threats are evolving
every second,
and staying ahead
is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.