CyberWire Daily - Domestic Kitten spyware. Crypto wallet shenanigans. Firmware issues enable cold boot attacks. BlueBorne bugs are still out and about. Tech support scams. Election security.
Episode Date: September 13, 2018. In today's podcast we hear that an Iranian domestic spyware campaign has been reported: it's most interested in ethnic Kurds. A bogus cryptocurrency wallet site is taken down. F-Secure warns of a widespread firmware problem that could be exploited for cold boot attacks. The BlueBorne Bluetooth bugs are apparently still out there. Tech support scam ads are taken down. Policies for election security continue to evolve. And Facebook's founder offers some thoughts on how his platform can save democracy. Ben Yelin from UMD CHHS with analysis of a Florida court decision on the use of cell site simulators. Guest is Josh Mayfield from Absolute Software with tips on cyber hygiene. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_13.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
An Iranian domestic spyware campaign's been reported. It's most interested in ethnic Kurds.
A bogus cryptocurrency wallet site's been taken down.
F-Secure warns of a widespread firmware problem that could be exploited for cold boot attacks.
The BlueBorne Bluetooth bugs are apparently still out there.
Tech support scam ads have been taken down.
Policies for election security continue to evolve.
And Facebook's founder offers some thoughts on how his platform can save democracy.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 13th, 2018.
Check Point reports finding an Iranian domestic spyware campaign. Domestic Kitten, as some are calling it for now because Iranian threat actors get names inspired by Persian cats, appears to be targeting ethnic Kurds and Turks. It's also prospecting potential adherents of or recruits to ISIS.
The Islamic State, remember, is no friend of the Islamic Republic. The former is Sunni, the latter Shiite.
Users are baited into downloading the spyware with an offer to install an app likely to be of interest to them. According to the Times of Israel, Kurdish targets were prospected with a spoofed version of ANF, a Kurdish news agency.
ISIS prospects were offered jihad-themed wallpaper for their device.
Kurdistan 24 reports that the data exfiltrated by the spyware included contact lists, call records, SMS messages, browser history, bookmarks, photos, and geolocation.
It may also have been able to capture local voice recordings.
Check Point doesn't directly attribute the campaign to the Islamic Republic, but opposition Kurdish leaders aren't reticent at all about doing so.
The surveillance campaign coincides with a fresh wave of measures Tehran is taking against unrest among its Kurdish citizens.
Flashpoint has discovered a malicious website that spoofs the Jaxx cryptocurrency wallet site.
The bogus site has been taken down.
Its goal was looting wallets.
Cloudflare took the copycat site down.
Flashpoint points out that this is essentially a social engineering attack and doesn't represent any exploitation of any vulnerabilities in the Jaxx site itself. Once the malicious files are installed on a victim's device, they'll watch the clipboard for wallet addresses, which are then swapped for an address belonging to a wallet controlled by the attacker.
Cryptocurrencies continue to be off the highs they reached late last year, as some realistic skepticism about speculating in altcoin begins to sink in.
There is one exception.
Quartz reports that Dogecoin, the cryptocurrency that originated as a literal joke and got away from the jokesters, is still soaring.
Organizations are hit with a barrage of marketing messages promising the one true solution to all of your cybersecurity fears.
And to be fair, one of the ways we pay the bills here is by sharing some of those advertiser messages with you.
Josh Mayfield is Director of Security Strategy at Absolute Software,
and he notes the contrast between vendor and security professional messages and emphasizes the importance of staying focused.
If you're an IT or an IT security professional, you are struggling to keep up.
You want to be an enabler for your business and help it proceed up and to the right.
However, from the vendor and the security ecosystem, the other direction is more troubling, where it is a lot of doom and gloom and a lot of fear mongering. And I don't mean that in a real negative sense, but there's this anticipation of fear, whereas on the user side, the IT professional and security professional, oftentimes they have ambition toward hope and a utopia that they're trying to strive for. And so that interferes sometimes with the way they perceive a given problem.
There's an ever-growing need for greater cybersecurity.
And what I find is that when organizations are just more disciplined and focused on what needs to be done,
they can actually achieve a lot more than chasing this or chasing that.
So let's explore that some.
I mean, take us through what sorts of things do you recommend?
The real basis of my shtick, I guess, out there is to try to reinvigorate this notion of the foundations, of making certain that our cyber hygiene is as best as it can be.
Growing up, my father and grandfather had this saying of an ounce of prevention is worth a pound of cure. And I think a lot of the malware myopia really stems from this hair-trigger patellar reflex that we have with the looming threats that are out there and new ones popping onto the scene every day. And it's so easy to shift our focus over there, but a lot of that can be avoided. 99% of successful attacks target specific vulnerabilities that could have been mitigated beforehand. And so if we keep focusing on the latest threat actor out there and the latest malware strain, we could actually be misdirected where we're looking at one thing and get flanked on the side, which we could have fortified.
Yeah. How much of this in your estimation is this notion that I don't have to have a completely impenetrable barrier, but I just have to be less attractive than the next person down the street?
That's right. Your organization doesn't have to be Fort Knox, and it doesn't have to be impenetrable, to your point. This is a probabilistic exercise. We just need to lower the probability. We need to compress the attack surface. It will never go to zero. We will never get rid of all potential threats. You have something that attackers want, information. So they're going to deploy all that human ingenuity to get to it, but we've been able to mitigate the human catastrophes that stem from natural disasters. We can take the same approach to our cybersecurity, and we can reduce the effects. We can reduce the opportunity for fallout instead of trying to chase things down once they've already hit landfall.
I think the things that are going to require a lot of attention is the heterogeneity of everything.
Once upon a time, to be a user was to be an inside-the-walls employee.
To be accessing data meant you were going through a Windows machine,
and the applications you used meant you were logging into CA or SAP
or an Oracle system.
And this was just commonplace.
But with the explosion of cloud applications, cloud infrastructure, virtualization containers, and the heterogeneity of what we're trying to support, and even down to the hardware of do you use a Mac, do you use a Windows PC, do you use Dell or HP, all of these aspects really, that's what it comes down to. You have to orchestrate all of this heterogeneity. And that's the main thing I think we're going to have to get our hands around, is normalizing all that out there that is not standard.
That's Josh Mayfield from Absolute Software.
F-Secure has found a firmware vulnerability that affects most laptops and desktops.
It enables a variety of cold boot attack that exposes encryption keys and other sensitive information.
It's a proof of concept and not apparently something being exploited in the wild.
One expects the device makers to address the issue as they're able.
Armis reminds everyone that the BlueBorne Bluetooth bugs, a set of nine bugs, are still out there.
A year after its disclosure, patches for BlueBorne are available, but users have lagged in applying them.
About two billion devices remain vulnerable, Armis estimates.
Microsoft has purged some 3,000 ads for dodgy tech support services that had appeared in association with Redmond's TechNet. Many of them were swiftly replaced in altered form, which suggests the difficulties even the most straightforward and uncontroversial forms of content moderation face. Such moderation will become even more important if the copyright protection measures enacted yesterday by the EU have their expected effect.
U.S. President Trump yesterday signed an executive order setting up a process whereby election interference by foreign actors would trigger sanctions. Interference covered by the order includes both hacking and propaganda.
The U.S. Congress continues to work on its own measures for dealing with election security. There are at least three bills pending before the Senate, and the House has more than one of its own under consideration.
Facebook founder Mark Zuckerberg, stung by criticism of the centralizing tendencies of Facebook and the success various actors have had in using it for their political purposes, has just published a long account of how he proposes to go about fixing things.
He follows, to a significant extent, the line expressed by Facebook CEO Sandberg at the Senate hearings last week.
The key to making things better is to solve the problem of inauthenticity by requiring users to be themselves. That is, really be themselves, be who they represent themselves to be.
He also thinks that those centralizing tendencies aren't a bad thing, and here he may find a sympathetic audience. Facebook can do a better job of making things better if it's not broken up, and if it gets to hang on to WhatsApp and Instagram. That way, if it finds a particular bad actor in one place, it can remove that bad actor from the others. This is unlikely to mollify those in Congress thinking about asking for antitrust action.
He also defended Facebook's taking of political ads as a moral rather than a commercial consideration.
Ad buys are an important way in which people engage in political discourse, and he's loath to impede free speech.
This is unlikely to mollify critics who hold that Facebook's fact-checkers tend to display an unseemly and unacknowledged set of biases.
Again, in fairness to Facebook, content moderation is an inherently difficult task, even with considerable resources and the best of intentions.
Even Soviet power, to take a historical example, couldn't suppress Samizdat, the copying and distribution of literature banned by the state.
Zuckerberg's essay is posted, where else? On Facebook. Read the whole thing, but know that it's 3,200 words long. It reads a bit like an essay by a disillusioned Candide. Mr. Zuckerberg says that, quote, One of the important lessons I've learned is that when you build services that connect billions of people across countries and cultures, you're going to see all of the good humanity is capable of, and you're also going to see people try to abuse those services in every way possible. End quote.
Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
We saw some interesting news come by that the District Court of Appeals in Florida has some decisions out about warrantless use of stingrays. Can you unpack it for us? What's going on here?
Sure. So this is a case at the Florida appeals court level. So it's a state court case in Florida, and the state of Florida ended up catching a murderer, a first-degree murderer, partially based on evidence obtained through a cell site simulator or a stingray device. The murderer sought to suppress that evidence, which was not the only piece of evidence in the case, but one of the key pieces of evidence. And the district court did suppress that evidence. Government appealed to the appellate court and the appellate court upheld that motion to dismiss. And they did so talking about the privacy concerns inherent in cell site simulators. We've seen other cases on the subject. In Maryland, we had a state court case that held that the government does need to obtain a warrant for using a stingray device or cell site simulator.
What's interesting to me is the reasoning in this case.
It's really a fascinating decision, but the judge goes over a number of different relevant legal doctrines that seem to imply that these types of simulators are offensive to our notions of Fourth Amendment privacy.
And in the decision, he talks about how courts have held the government can't use technology to view information not visible to the naked eye, a longstanding Supreme Court precedent. They can't attach a device to property to monitor your location. That's from a very famous case, United States v. Jones from 2012. They can't search a cell phone in your possession without a warrant. That's Riley v. California, 2014. And they can't get real-time location information from a cellular carrier. That's from United States v. Carpenter, which was decided this year. And what they're saying is, to a certain extent, a cell site simulator does all of those things.
And so it would be incongruent to say that the government doesn't need a warrant to use this device when that device encapsulates a bunch of these other scenarios where the Supreme Court has declared that we do need a warrant.
And part of it is just the extent of the information that's being revealed.
This isn't a simple third-party records case where your phone calls are tracked because the telecommunications company wants to keep billing records. I mean, as the judge says, this is the government surreptitiously intercepting a signal that the user intends to send to their cell phone carrier. And that same device intercepts all different types of other private data. And based on an extensive record of Supreme Court cases, we know that this runs afoul of many Fourth Amendment principles.
And it's interesting that the decision from Carpenter, which held that the government needs a warrant to obtain cell site location information, is already trickling down to state court decisions in the area of digital privacy. These things happen quickly.
So how does this inform what law enforcement may do going forward from here?
So obviously, for now, the decision only applies in the state of Florida.
So at this point, it's still a state-by-state issue.
As I said, in Maryland, we've determined that the government needs a warrant.
There are other ways that the government could use these devices without getting a warrant if they're able to justify it under another warrant exception. So, for example, if there were exigent circumstances or some sort of threat to public safety, I think the government could still justify using these devices to conduct searches without running afoul of the Fourth Amendment, even in the absence of a warrant.
But I think we're starting to see at least a mini consensus emerge that because of the threat these devices are to personal privacy and digital privacy, the government is going to have to go through the formal process of going in front of a judge, making the case that they're going to find evidence that's relevant to an ongoing criminal investigation and get a warrant to do the surveillance work. And, you know, that's how it works with most forms of surveillance. You have to get a warrant to wiretap. You have to get a warrant to enter a person's house. I think because of the invasiveness of this type of search, this type of device, it makes sense that a similar warrant requirement would be the case here.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.