CyberWire Daily - Don't get cozy with Cozy Bear. Code-signing issues stem from muddled documentation. Devices ship with inadvertent backdoor. Matryosha attack. Operation WireWire versus BEC scammers.
Episode Date: June 12, 2018
In today's podcast we hear that the US Treasury Department has announced sanctions against Russian entities it says were too cyber-cozy with the FSB. Code-signing issue looks like what we have here... is a failure to communicate. Android devices are being shipped with ADB enabled, and cryptojackers enter by the backdoor. A layered criminal attack posing as emails from Samsung spearphishes Russian victims. Operation WireWire reels in seventy-four business email compromise suspects. Ben Yelin from UMD CHHS on the framing of the encryption debate. Guest is Steve Schult from LogMeIn and LastPass on best practices for password security. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. Treasury Department announces sanctions against Russian entities it says were too cyber-cozy with the FSB. Code signing issues look like what we have here is a failure to communicate. Android devices are being shipped with ADB enabled, and cryptojackers enter by the back door. A layered criminal attack posing as emails from Samsung spearphishes Russian victims, and Operation Wire Wire reels in 74 business email compromise suspects.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 12, 2018.
The U.S. Treasury Department yesterday announced sanctions against five Russian organizations and three individuals it designated as being in violation of Executive Order 13694, which authorizes measures against entities engaging in significant malicious cyber-enabled activities.
Here's the Treasury Department's brief summary of what the sanctioned entities have been up to. Quote, Examples of Russia's malign and destabilizing cyber activities include the destructive NotPetya cyber attack, cyber intrusions against the U.S. energy grid to potentially enable future offensive operations, and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber attacks. Today's action also targets the Russian government's underwater capabilities. Russia has been active in tracking undersea communication cables, which carry the bulk of the world's telecommunications data.
So, Treasury links the five organizations and three individuals to Russia's FSB. The sanctioned organizations include Digital Security; ERP Scan, which Treasury says is controlled by Digital Security, a claim ERP Scan denies; Embeddy, also said to be under Digital Security's control; Kvant Scientific Research Institute, supervised by the FSB, Treasury says; and Dive Techno Services, suspected of undersea cable tapping. The three named individuals, all sometime managers at Dive Techno Services, are Alexander Lvovich Tribun, Oleg Sergeyevich Kirokov, and Vladimir Yakovlevich Kagansky.
Digital Security, which Treasury holds to be the owner or controller of both ERP Scan and Embeddy, is familiar to many, since they do business in at least 35 countries as a business application security provider. They have major offices in Palo Alto, Amsterdam, Prague, and Tel Aviv. As we mentioned, ERP Scan strongly denies it's up to anything and also denies being owned by Digital Security. The company said, quote, it would be superfluous to say this, but of course we have nothing to do with the Russian Federal Security Service as well as other government agencies worldwide. We always tried to avoid any political issues and were outside of political events, end quote. ERP Scan's CEO, Alexander Polyakov, says the company is being sanctioned only because he was born in Russia. Kvant is a different kettle of fish.
It's a research institute the Russian government placed under the supervision of the FSB in 2010.
It provides material and technical support to that intelligence agency
and has recently served as the prime contractor on an FSB project.
Dive Techno Services has delivered various underwater equipment to the FSB since, Treasury says, 2007.
Dive Techno Services also produced a submersible craft for that intelligence agency.
One imagines their expertise contributed to Russia's ability to tap undersea cables.
That's been a matter of concern not only to the U.S., but to the United Kingdom as well.
Researchers at LogMeIn, makers of LastPass password management software,
recently studied the psychology of password use,
specifically the disconnect between what people know are best practices
and what they actually do.
Steve Schult is Senior Director of Project Management at LogMeIn.
Some people just think, it won't happen to me. You know, I am not a nation state. I am not a CEO. I am not somebody that is necessarily going to get targeted. You'd be surprised. You'd be surprised how easy it is either to breach that device that you have there. Imagine if you have the same email address that gets caught up in three or four different breaches and somebody has, you know, let's say they're using a pattern like, you know, my password plus Facebook, if it's for Facebook, and plus Netflix, if it's for Netflix. It's very easy, if you're looking at the individual level, to start to break those down, if you get even just one, or maybe more than one, and be able to do targeted attacks at individual websites. Now, there are so many credentials out there that for the average user, you're not going to necessarily have hackers going at that level for just your average Joe. But especially if you do happen to be an individual who's likely to be targeted, that type of a system definitely won't keep you safe. And as things like machine learning get more and more prevalent, and hackers become more sophisticated, even those basic systems are going to be at risk.
Now, you all have done some research on the psychology of passwords.
Can you share some of the findings from that work?
Absolutely.
So despite individuals and businesses facing these major global cyber threats, people don't seem to be changing their password use too much. Now, I'm sure that many people listening may have used the same password for multiple accounts. In our survey, 91% know that using that same password for multiple accounts is a security risk, but 59% mostly or always use the same password. So even though people know this is a bad practice, they still haven't changed their behavior. We haven't seen that behavior shift yet.
Same thing for information that's posted on social media. 56% of people believe that there's no way a hacker could guess one of their passwords from information posted on social media. But if you look at some of the password lists of the most commonly used passwords out there, you see some basic things like people's names, family members' names, pets, birthdays, just some of the basics. And there is a lot of public information out there about people. The hackers can certainly, even if you may, most people do not think that it's possible to guess that. People still aren't changing the behavior of how they're creating secure passwords.
Now, where do you all stand right now on the notion of how frequently a password should be changed? I've heard some people say that too much frequency can actually be trouble and that really the length and strength of the password is the key factor there. Is that the current thinking still?
It's not just about frequency of passwords. So there was an old school of thought, back to the old NIST guidelines, of you should be changing, rotating your passwords every 90 days.
And we saw that go into the corporate world in terms of password reset requirements. And the latest NIST guidelines that came out last year are less about how often you are rotating your password and more about how secure that password itself is. Now, if you work in an environment where you need to frequently rotate passwords, odds are people are just incrementing it by one or changing one letter or doing behavior that doesn't really make the organization more secure. Businesses are now realizing that complexity of password, length of password, it's less about replacing E's with 3's and L's with 1's or any of those basic patterns there. It's more about creating a long, strong, and unique password that really drives strong security behavior. The old behavior of, let me just figure out some password so I can get by, it's not really how humans work. Humans aren't going to create memorable passwords all the time. And that's why in LastPass, we encourage people to create long, strong, and unique passwords for every website. And it's not uncommon for our users to have 100-character passwords in there. Honestly, what's preventing that more is the inputs on the website side. Some websites, even secure websites, still say, enter an eight-character password and you can't use any special characters. And I'd like to think that as a digital society, we're starting to get beyond that. But for the average user, almost more important is putting a second factor in there. And many websites, many services are starting to allow that. People are starting to go beyond just using SMS as a second factor and starting to allow things like LastPass as our own authenticator, Google Authenticator, which is very common, Microsoft Authenticator, just some of the basics for two-factor, because if you do have a situation where somebody does get that credential, and this is the old adage of something you know and something you have, so that something you have is really what will stop the hacker there, not something that you're rotating passwords every 30, 60, 90 days.
That's Steve Schult from LogMeIn.
Security firm Okta reports a long-standing third-party code signing issue in macOS signature checks. The fault isn't in Apple code itself. It lies, rather, in unclear documentation that led developers to use the API incorrectly. The documentation has since been clarified. Okta's report on the issue is interesting in a number of respects. Their disclosure timeline is particularly worth a look. They began the process back in February and were able to go public just today.
Vendors are said to have been shipping Android devices with an enabled ADB, that's Android Debug Bridge, effectively leaving an open back door. Security firm Qihoo 360 reported the problem in February, but there seem to be few signs that it's abated. Most of the manufacturers whose devices are affected are located in Asia. ADB is a legitimate tool, but it's supposed to be disabled before a device is shipped. Some researchers are observing ADB exploited to cryptojack victim devices.
A wave of spear phishing is hitting Russian IT device service centers, according to Fortinet researchers. The emails, which have the clumsy look of machine translation as opposed to native or even non-native speakers of Russian, purport to be from Samsung. The exploit uses an old and patched vulnerability in Microsoft Office documents, CVE-2017-11882. There's no attribution being reported, but it has the look of a criminal campaign. The attacks use a multi-layer payload, a non-Russian matryoshka, as security firm Fortinet calls the technique, alluding to the nested matryoshka dolls familiar in Russian curio shops. Fortinet sees this more complex and layered approach growing more common. They speculate that this trend is due to greater user awareness. It's not as easy as it once was to trick someone into opening a simple executable file.
A multinational sweep picked up a large ring of business email scammers. The U.S. Justice Department counts 74 collars. The Justice Department's announcement notes that a number of the victims were senior citizens, particularly vulnerable to this form of wire fraud, capable, as it is, of wiping out a lifetime of savings. The arrests were part of Operation Wire Wire, which brought the U.S. Department of Justice, Homeland Security, and Treasury, as well as the U.S. Postal Inspection Service, into partnership with authorities in Nigeria, Poland, Canada, Mauritius, Indonesia, and Malaysia. U.S. state and local police also rendered assistance. Operation Wire Wire was conducted over six months. Most of the arrests were made in the United States, but Nigerian police bagged 29, and Canadian, Mauritian, and Polish authorities nabbed one apiece. Operation Wire Wire seized about $2.4 million in funds and disrupted and recovered some $14 million in fraudulent wire transfers. Bravo to all the investigators who worked on the case.
The Kim-Trump summit went off in Singapore yesterday, as planned. It focused, as expected, on nuclear issues. Cyber conflict between the U.S. and the DPRK is expected to resume, or continue, its now familiar course.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an interesting article come by from Lawfare, and the title is, The Encryption Debate Isn't About Stopping Terrorists, It's About Solving Crime. What are they getting at here?
So when you see congressional testimony from members of law enforcement, and we saw it most recently with the head of the FBI, Christopher Wray, they always frame this encryption problem in terms of the war on terrorism or the war against foreign adversaries. And they say that it's very hard for the government to piece together a puzzle to catch terrorists, to conduct a war on terror, if they're not allowed or if they're not able to encroach on these encrypted devices. And I think this article makes a very good point that in the vast majority of circumstances, the full weight of law enforcement, the full resources of all of our law enforcement agencies will probably be able to find something, whether it's technological expertise, some sort of hacking service, hacking software. They'll usually be able to get into those devices. They have the resources. There aren't that many terrorists relative to the number of law enforcement agents. You don't see that in the criminal context. Here, we're not talking about the FBI and the federal government and the entire national security apparatus. We're probably talking about a local police department or the state police or a state agency. And when we're talking about state-level criminal offenses, the numbers are reversed. The number of agents pales in comparison to the number of crimes. So if we give the government the power and the tools to break some of these stringent encryption methods, yes, we could say we'd be doing it to protect us against terrorism. But really, that would be a slippery slope to sort of cut corners at the state and local level and make it much easier to decrypt the devices of your standard criminals who aren't involved in terrorism or espionage. I think what this author is trying to say is that it's misleading to claim that we're only trying to have encryption-breaking technology to fight the war on terror. Eventually, these techniques are going to be available to law enforcement, even though normally they don't necessarily have the resources to use them.
And does this author think that's a good thing?
This author does not think that's a good thing. I think this author thinks that it's sort of misleading that, you know, we make arguments about the policy of encryption on false pretenses, and that we should have a more honest conversation. If we actually want law enforcement to have the vast power to decrypt an untold number of devices from criminals and potentially people falsely accused of crimes in your garden variety state or local prosecution, then that's very problematic. That's a debate we could be having, but that's not the debate we are having. When we see congressional testimony, they always frame it in terms of catching terrorists. If that were really the case, if that was the only intention of law enforcement, they probably wouldn't need to purchase hacking software. With their level of expertise and resources relative to the number of terrorists they're trying to track down, what this author is claiming is they would be able to decrypt those devices. So I think in this author's view, it's just misleading to frame the problem as something that's going to be applied in terrorism cases, when it's something that could also apply to garden variety criminal prosecution cases.
I see. All right. As always, Ben Yelin, thanks for joining us.
Thank you.
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.