CyberWire Daily - Domestic cyber squabbling in Belarus and Iran. Pakistan accuses India of a cyber offensive. More on Papua’s data center. More privacy questions for TikTok. Parental control or stalker’s tool?
Episode Date: August 12, 2020. Regional rivals tussle in cyberspace, and governments have it out with dissidents and the opposition. Market penetration as an instrument of state power. TikTok gets more unwelcome scrutiny over its privacy practices. Joe Carrigan on a credential harvesting phishing scheme using Zoom as bait. Our guest is Avi Shua from Orca Security on accidental vulnerabilities. And suppressing creepware is apparently harder than it looks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/156
Transcript
You're listening to the CyberWire Network, powered by N2K.
Regional rivals tussle in cyberspace, and governments have it out with dissidents and the opposition. Market penetration as an instrument of state power. TikTok gets more
unwelcome scrutiny over its privacy practices. Joe Carrigan on a credential harvesting phishing
scheme using Zoom as bait. Our guest is Avi Shua from Orca Security on accidental vulnerabilities.
And suppressing creepware is apparently harder than it looks.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, August 12, 2020.
Various accusations of cyber attack have been emerging from regional and domestic rivals.
Shutting down the internet is the 21st century analog of the 20th century's seizure of
the radio stations and the phone exchange, and the 19th century's occupation of the newspaper and
telegraph offices. That's what appears to be going on in Belarus, where internet disruptions that
began at the end of the country's presidential election continue. Belarus has taken the official
view that its internet outage is the work of
ill-intentioned foreign operators. But as Meduza says, domestic dissidents claim,
and most observers are with them on this, that it's the work of Minsk itself.
The opposition had predicted, as voting began, that the government would clamp down on the
internet, and that's what appears to have happened. The country's top-level domain, .by,
was also rendered largely inaccessible to people outside Belarus.
The Guardian sees it as a high-stakes gamble
aimed at disrupting the ability of protesters to organize.
Most such communication has moved to Telegram,
which offers a degree of anonymity,
is hosted where Minsk's writ doesn't run,
and which has shown itself relatively resistant to being taken down.
Much of Belarus is effectively incommunicado,
with some telephone service also reporting disruption.
The internet blocking has been run through Beltelecom,
the national telco, and the Belarusian National Traffic Exchange Center.
One probable unintended consequence of the shutdown is that the remaining channels tend to be particularly susceptible to rumor, misdirection, and speculation.
In many social channels, the clock is always striking 13, the Martians have landed, and the man is out to get you.
Sometimes that's even true. The Martians
eventually get through, at least in our editor's experience. But if President Lukashenko doesn't
like that result, he might usefully consult the man in the mirror. The News International
Edition and other outlets report that Pakistan's army assesses recent incidents on soldiers' mobile devices
as representing cyberattacks from inveterate adversary India.
Pakistan's inter-services public relations organization,
the ultimate source of news about the attribution,
accused Indian intelligence services of a range of cybercrimes including deceitful fabrication
by hacking personal mobiles and technical gadgets.
The Pakistan military's media relations arm added, ambiguously, quote,
"Various targets of hostile intelligence agencies are being investigated.
Pakistan army has further enhanced necessary measures to thwart such activities,
including action against violators of standing operating procedures
on cybersecurity," end quote. Other government departments are also being told to go to a higher
level of alert with respect to cybersecurity, and especially to look for security lapses.
Deceitful fabrication suggests either social engineering or disinformation,
but the statement awaits
clarification. Pakistan has grown increasingly skittish about WhatsApp since WhatsApp was
found susceptible to Pegasus spyware infestations, and there's much discussion of forgoing the use
of WhatsApp in stories covering Pakistan's warning. The National Council of Resistance of Iran,
whose English language service represents the Iranian opposition to much of the rest of the world,
has accused Tehran of attempting to take down the website of the opposition's People's Mojahedin Organization of Iran.
The National Council of Resistance says the attempt, while desperate, and here one must make allowances for partisan hype, was unsuccessful.
Researchers at Orca Security have been investigating what they describe as an all-too-common mistake of leaving an organization vulnerable to attack by accidentally exposing it through allow-listing external CI/CD servers.
CI/CD stands for Continuous Integration and Continuous Delivery, by the way.
Avi Shua is CEO and co-founder at Orca Security, and he shares these insights.
At the end of the day, these days, everyone loves to use SaaS.
You integrate external CICD services, you may be using any other external services as part of your internal processes.
And you need to open them up so they are intimately integrated into your environment.
If you think about that, if you use a service like Bitbucket or GitHub or any one of these services,
it's essentially outsourcing or putting in an external service, something which is pretty intimate part of your development process.
And as such, it's needed to communicate with your internal processes.
So naturally, you need to open it up, and this is many times done by simply opening a hole,
a hole allowing access from these external services to your internal services.
And you may not notice that it means that you opened an internal service to the world.
And this seems right.
At the end of the day, these are reputable services,
and you don't expect GitHub or Atlassian to attack you.
So what happens next if someone makes this configuration error?
What specifically is the problem here? How are they opening themselves up?
So it might seem like a valid configuration.
You open a hole in your policy to allow these external services to communicate with your internal servers that
might not be secure to the same extent as you'd want, but you're opening it only for these
reputable companies that are certainly not going to attack you. So it seems fine. But what
practitioners usually don't understand is that when you open it to these services,
it's not like you're only opening it to the employees of Bitbucket or to the employees of GitHub.
You are, in fact, opening it to any of these companies' customers.
With the folks that you work with, when you're describing these sorts of things to put into place,
what are some of the reasons that they give to you why they haven't used
such a system so far? My main suggestion
is that any organization that works in the cloud these days
must make sure that they have the tools and processes
to understand the security posture of its environment across the technology
stack.
There will be mistakes, there will be misconfigurations, because people make mistakes, and they can be both in the application and in the configuration
and might involve different parts of them.
And you must make sure that you have the tools and processes to detect them and handle them.
And don't assume that it can be fixed only by training. People make mistakes, and a security
program must assume that they'll continue to make mistakes, and we need to be able to find and
fix them as fast as possible. That's Avi Shua from Orca Security. The Wall Street Journal reports
that TikTok had until last November collected MAC addresses in an undisclosed user tracking program,
a technique that appears to violate Google's rules on how apps may collect user data.
TikTok told the Journal that it remains committed to protecting the privacy and safety of the TikTok community.
Like our peers, we constantly update our app to keep up with evolving security challenges.
The company added that the current version of TikTok does not collect MAC addresses.
In an unrelated development, Reuters says that TikTok's proposed move of data centers from the U.S.
to a presumably friendlier Europe may have also hit a snag,
as French regulators, the CNIL,
acknowledge that they have an open investigation into the service's
privacy safeguards. A CNIL spokesman told Reuters, quote,
"The CNIL began investigations into the tiktok.com website and the TikTok application in May 2020.
The CNIL had indeed received a complaint at that date. To date, the CNIL continues its investigations
and participates in ongoing European work,"
end quote.
And finally, yesterday was the deadline
Google gave stalkerware vendors to stop advertising
on the Mountain View marketing giant's search platform.
But TechCrunch finds that a number of such apps,
designed to give you the ability to snoop on someone's device usage without their knowledge or consent, are still present with ads.
It's a tough problem, tougher than it would appear.
Few people in the civilized world would want to empower stalkers and domestic abusers to keep track of their fixation's digital exhaust.
It's creepy, sure, but it's also dangerous. Having said that,
there are plenty of parents who want to have some insight into what their minor children are doing
online, and that's far more defensible. Google sought to carve out an exception to its rules
to accommodate what we might call in loco parentis software, but that's tough to do.
Cyberspace is more dual use than just about anywhere else,
and the tool that might help keep your child from using your credit card to buy skater gear can alas be repurposed as creepware.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting report came from the folks over at Inky.
They are an email security company.
They do a lot of work protecting people against phishing and those
sorts of things. And this article is called Zoom and Doom, How Inky Unraveled a Credential
Harvesting Phishing Scam. There's some interesting stuff in this report here. Joe, you want to unpack
it for us? Yeah. So it starts off talking about Zoom, the teleconferencing company. This is an absolutely amazing statistic that in December of last year,
they had 10 million daily participants in meetings. Now they have 300 million in April
of this year. Okay. And that's because, of course, we're all working from home, right? I mean,
I attend Zoom meetings several times a week. This is not really surprising, but I mean,
that's a remarkable level of growth. And actually, this phishing scam doesn't actually exploit anything in Zoom.
There's nothing that Zoom can do about this. It's just these attackers are using Zoom as a hook for
a phishing email. And they might be sending an email from a compromised Zoom account, but
a lot of times they're not. They're just sending it from a fake domain like zoomcommunications.com
or zoomvideoconference.com. These attackers have registered these domains. And I think these
domains, I think Zoom has a good cybersquatting case here. They can probably get control of those
domains. They're actually using the company name Zoom and what they do, communications or video
conferencing in the URL. So I think, I think Zoom should go after, after these domains and try to
just get them and then gain control and redirect to their stuff. That's my advice to them if I was
consulting them, which I'm not. So I'm just giving free security consulting services
to Zoom here.
But anyway, what these phishing emails are doing
is they're actually trying to harvest credentials
for Microsoft Office 365 users.
So you click on the link and it takes you to a page
impersonating a Microsoft login.
Hmm.
So it's saying you've been invited to a Zoom meeting.
Right.
You click on the link and it takes you to an office or an Outlook, whatever,
something in the Microsoft suite.
Yeah.
A login for that.
Which to me would be a red flag.
But, you know, I'm not really steeped in the cloud computing or cloud environment.
Yeah.
It's something that could kind of make sense.
You know, I mean, I remember years ago,
I would be trying to navigate a network
and I'd have to go to some other place
and they'd say, you have to log in.
And I said, I thought I already logged in.
And I'd make sure that I was going to the right place
and it would work.
It would log in and I'd get there.
But so I imagine that there's some kind of thing
going on here psychologically with
people where they're going, oh, well, since we use Microsoft, maybe I have to go into my Microsoft
account to access my Zoom, to access a Zoom meeting. It kind of makes sense. I mean, it's not
right thinking, but this stuff is a lot of smoke and mirrors and a black art to just about everybody
who is not living day-to-day in the technical world.
How often do these cloud services just sort of pop up and say,
hey, you need to re-log in?
Yeah, that's happened as well.
Yeah, something's happened and you need to log in.
And most of us think, all right, well, it's a little bit of a nuisance,
not a big deal.
You put in your credentials and away you go. Yeah, and a lot of times that can happen if your IP address changes, right?
Right, and so I think this is taking advantage of that, how routine that has become that we don't really
think twice about it. When one of these things pops up, we think, oh, all right, well, you know,
I want to get my work done, better log in again. Right. So you just go ahead and do it, right? And
that's what happens. A couple of interesting things about this campaign. One is that if this,
some of these emails have an attachment, and when you click on
the attachment, what that actually loads up is the malicious web page, but the malicious web page is
hosted on your computer. So these attachments are actually composed of HTML, JavaScript, and PHP
that's obfuscated. So it's unreadable to humans. You couldn't read it. And
also a lot of automated security tools can't read it as well. So it's a clever way to evade
URL reputation checkers because this does not involve checking a URL. You're opening a local
file. Then on the back end, I imagine that there's probably some JavaScript when you click submit that just opens another web connection out to a site and just sends that across in some JSON
packet or something, right? So these credentials are then just exfiltrated. Yeah. And these, you
know, as we've talked about before, we talk about this all the time on Hacking Humans, how legit
these login pages look because they're actually just scooping up
the HTML code from the real site.
Right, yeah.
HTML is, all of the web is just text-based, right?
All the code, there's no compilation of web page.
It's a text file that gets sent down to me
and rendered in my browser,
along with other text files like JavaScript and CSS,
but they're all still text files.
They're not binaries.
So there is no way to stop somebody
from having complete access to all of the source code
for your webpage.
You can't do it unless you don't want to display
your webpage to them.
Right, right, right.
All right, well, it's an interesting look
into this particular phishing campaign,
taking advantage of that popularity of Zoom.
And I suppose the lesson here is look twice, think twice before you just reflexively log into some of these cloud services.
Yeah, that's the lesson.
Also, another lesson, whenever you have cloud services: multi-factor authentication, multi-factor authentication, multi-factor authentication.
These credentials will not do an attacker any good if you have a good multi-factor authentication solution
implemented. Yeah. All right. Well, Joe Carrigan, thanks for joining us. My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.