CyberWire Daily - Elections, influence operations, and hacking. How clever phishing succeeds. Chipotle's point-of-sale breach. Hacking in Fast and Furious 8.

Episode Date: April 26, 2017

In today's podcast, we follow the story of Fancy Bear (a.k.a. Pawn Storm, a.k.a. APT28) and France's elections. Why clever phishing continues to succeed, and what's up with OAuth abuse. Information operations distinguished from simple "hacking." Another point-of-sale compromise suggests identity management issues. The University of Maryland's Jonathan Katz explains a JSON encryption vulnerability. Stan Black from Citrix explains the pros and cons of the IoT. And can hackers really blow up a submarine by driving their car fast and furiously? You be the judge. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Fancy Bear and France's elections. Why clever phishing continues to succeed and what's up with OAuth abuse. Information operations distinguished from simple hacking. Another point-of-sale compromise suggests identity management issues. And can
Starting point is 00:02:10 hackers really blow up a submarine by driving their car fast and furious? You be the judge. I'm Dave Bittner with your CyberWire summary for Wednesday, April 26, 2017. Observers continue to digest Trend Micro's report that Pawn Storm, that is Fancy Bear, in all probability Russia's GRU military intelligence service, intruded into networks associated with French presidential candidate Emmanuel Macron. Trend Micro researchers are at pains to point out that the sort of phishing Pawn Storm conducts is unusually resistant to the sorts of sound, commonsensical best practices organizations take to protect themselves. It dupes victims into giving up not only passwords, but access tokens, too.
Starting point is 00:03:02 It sends a plausible-looking email to the target, pretending to be from Google, warning the marks that your account is in danger and inviting them to install a bogus security app called Google Defender. If you fall for it, you're redirected to an actual Google page that invites you, in effect, to allow Pawn Storm to view and manage your email. If you click Allow, you're handing them your OAuth token,
Starting point is 00:03:25 which gives them what they're after. Google says it's on the lookout for OAuth abuse and reminds everyone that they should download their apps only from the Play Store. Phishing, of course, is a general problem and not one confined to political targets. NTT Security's recent study of the problem concludes that around three-quarters of all malware is distributed by phishing. Robert Capps of NuData Security told us that, quote, phishing schemes have become extremely sophisticated, with nearly all modern attacks aimed at stripping end-users of their authentication credentials and other sensitive information, end quote. He notes that an IBM study found that some 70% of the credentials that are stolen by phishing are collected within an hour of the onset of the attack.
Starting point is 00:04:08 He argues that there's a need to get beyond identity validation techniques that can be stolen and reused, and he sees the way forward as lying in passive biometrics and behavioral analysis. It's worth noting that the kind of hacking going on in recent political campaigns seems to be done in the service of information operations, influence that would formerly have been achieved through leaflets, planted stories in newspapers, radio broadcasts, blackmail, and so on, the armamentarium of traditional propaganda and compromise. Since today information operations are generally carried out online, The CyberWire has taken an expansive view of them.
Starting point is 00:04:46 Cyber operations are things people do to other people using IT and OT as a means to some end. It's worth, however, distinguishing information operations from such activities as destructive attacks or takeovers of victim systems, the sorts of attacks seen, for example, in Stuxnet or Shamoon. As C4ISRNet reports, panelists at a recent Carnegie Endowment symposium wanted people to understand the distinction. Christopher Painter, coordinator for cyber issues at the U.S. State Department, called cyber the vector by which information was extracted, but how and why such information is used by the adversary is, quote,
Starting point is 00:05:23 not necessarily a cyber issue, end quote. Former U.S. Homeland Security Secretary Michael Chertoff cautioned against being too quick to weaponize information in ways that could easily lead to censorship. He advised instead that attention be devoted to counter-messaging. The U.S. has had relatively few counter-messaging successes in recent history. IronNet's Brett Williams, retired Major General and former Director of Operations for U.S. Cyber Command, is similarly frustrated by the too-easy focus on the hacking aspects of information operations. He argues in a C4ISRNet op-ed that victims of information operations need to spend at least as much time on telling a persuasive story as they do slamming the network security barn after the informational horse has already been stolen.
Starting point is 00:06:13 The IoT continues to provide both challenges and opportunities for consumers and security professionals alike. We heard from Stan Black, chief security officer at Citrix, for his take on the IoT. There's a tremendous amount of technology that we're adding into the now that was never connected to the Internet. Programmable logic controllers for nuclear plants, dams, power grids, etc. And then there are a significant number of customers who are producing consumer-based technology, and their primary goal is to be the only player in the space, whether it's a Wi-Fi doorbell or a refrigerator or something you add to your car.
Starting point is 00:06:58 So we have a combination or a risk associated with legacy, and we have a risk associated with time to market and cost of goods sold. If you only sell something for $20 or $30, probably you're not going to put $100,000 worth of security testing in it before you release it. When people reference that, I've heard a lot of people wonder if there needs to be some sort of regulatory solution, since neither the manufacturers nor the consumers are really going to have much motivation to push for better security. What's your take on that? Well, if we apply regulation, then we get into a situation where we have multiple companies
Starting point is 00:07:38 and multiple countries. So if we look at some of the vulnerabilities and issues that have been associated with IoT devices and technology, frankly, the primary issue is that good security coding practices were not adhered to. So I don't know if that needs to be regulated. If we had a regulation for every vulnerability that we had, we would never get anything done. Let's talk about some of the upside. What do you see as some of the positives with the explosion of IoT in the workplace? Things that required an individual to do an activity can now be integrated and potentially automated. Plus, since there aren't as many people in the mix,
Starting point is 00:08:26 potentially automated. Plus, since there aren't as many people in the mix, some of the inherent challenges that you have with inconsistencies of personnel go away very quickly. I mean, look at automated warehouses as an example by combining RFID, whether it be dust or chips or what have you, full robotics, etc. That's pretty darn impressive technology. And the value to the companies that use that is incredibly high. I think that we need to recognize one simple fact. They are still dependent upon technologies that we can secure. As an example, if you'd like to connect them to an internet, you can encrypt that tunnel. So I think that many of the practices that we use prior to the IoT explosion are still incredibly relevant and have been at the cost associated with performing the due diligence and due care on software and connectivity, etc., has come down dramatically.
Starting point is 00:09:25 So a company can be competitive and can be secure at the same time. That's Stan Black from Citrix. The restaurant chain Chipotle Mexican Grill reports a point-of-sale breach that lasted between March 24th and April 18th of this year. It affected credit card payments. And finally, have you seen Fast and Furious 8, Fate of the Furious, yet? Neither have we, but Robert Graham has watched it for all of us and posted a hacker-centric review over at Errata Security's blog. He pretty much rains on the parade led by Vin Diesel and Dwayne
Starting point is 00:10:01 The Rock Johnson, finding the movie's depiction of hacks implausible, to say the least, with a couple of the hardware MacGuffins particularly objectionable, including a Cyber Mastermind's airplane that flies only where satellites can't observe it, and a device called God's Eye that accesses absolutely every camera in the world to show you absolutely everything that's going on everywhere. But Mr. Graham concludes his review with a tolerant shrug and a nod toward the willing suspension of disbelief Aristotle thought necessary to proper appreciation of drama.
Starting point is 00:10:33 As Graham points out, quote, In the movie, the hero uses his extraordinary driving skills to blow up a submarine. Given this level of willing disbelief, the exaggerated hacking is actually the least implausible bit of the movie. Indeed, as technology changes, making some of this more plausible, the movie might be seen as predicting the future. Of course, predicting is one thing, accurate predicting another. But check out Errata's review, and then save us an aisle seat.
Starting point is 00:11:07 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:11:25 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:12:15 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:12:56 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
Starting point is 00:13:25 by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan saw an article come by on InfoWorld with a sort of breathless headline. It said, critical flaw alert!
Starting point is 00:14:08 Stop using JSON encryption. What's going on here? Well, basically what researchers found is that a classical attack, actually one that researchers have known about for quite a while, was actually possible against the encryption scheme being used in the JSON libraries.
Starting point is 00:14:24 And it's really interesting, again, as one of these examples of, again, something that people had known for a while and had been pointed out repeatedly in research papers, but nevertheless was still something that programmers were not aware of, apparently, when they implemented the system. And so it turns out that it's vulnerable to that attack. And this is referred to as an invalid curve attack. What is that? Yeah, so basically what this involves is the fact that an attacker can pick certain parameters. And in this case, those are parameters that define a particular elliptic curve.
Starting point is 00:14:59 And it turns out that those parameters need to be validated by the honest party before being used. And if they're not validated, then what an attacker can do is basically pick parameters that define an insecure elliptic curve. And, you know, luckily, from at least a theoretical point of view, it is possible to distinguish between this class of insecure curves and ones that are, say, standardized by NIST and are considered more secure. But the point is that this validation was not happening. So attackers could basically replace a secure elliptic curve with an insecure one and then get the honest party or fool them essentially into using an insecure curve. So what happens next? Is there a patch in the future? Is there a solution to this problem? Yeah, so this is the kind of thing that would be relatively easy to patch. And so I don't know exactly what the plans are going forward, but it seems like it
Starting point is 00:15:49 would not be very difficult to do and they should be pushing out a patch relatively quickly. It would have a small effect on efficiency, but one that's not too bad. And of course, anyway, it's very important to take care of. Otherwise, the system could be completely insecure. All right, Jonathan Katz, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:30 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The CyberWire.
Starting point is 00:16:58 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:17:38 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
