CyberWire Daily - FaceTime’s odd bug, and how to squash it. FormBook malware surges through a new hosting service. Some international law enforcement wins. International conflict in cyberspace.
Episode Date: January 29, 2019
In today’s podcast, we hear that a FaceTime bug lets you listen to someone’s phone before they’ve even picked up. FormBook malware’s surge is abetted by a new hosting service. Compromised server market xDedic has been taken down. Europol is looking for Webstressor users. Huawei faces new US criminal charges. Kim’s ambitious economic plan may augur ambitious North Korean hacking. EU foretells a surge in Iranian cyberattacks. Waiting for information operations around the Venezuelan crisis. Joe Carrigan from JHU ISI on legacy Twitter location data privacy issues. Guest is Jamil Jaffer from IronNet Cybersecurity with highlights from his recent Capitol Hill briefing, “Nation-State Threats, Collective Defense, and Strategic Deterrence in Cyberspace: (How) Can We Get Better Fast?” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_29.html
Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
A FaceTime bug lets you listen to someone's phone before they've even picked up.
FormBook malware's surge is abetted by a new hosting service.
Compromised server market xDedic has been taken down.
Europol is looking for Webstressor users.
Huawei faces new U.S. criminal charges.
Kim's ambitious economic plan may augur ambitious North Korean hacking.
The EU foretells a surge in Iranian cyber attacks.
And waiting for information operations around the Venezuelan crisis.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, January 29th, 2019.
Do you use FaceTime and do you use an up-to-date
version of iOS? Do you FaceTime with other iOS devices? Here's some news you can use one way
or another. First, a way we recommend you not use the news. A FaceTime bug was disclosed late
yesterday. 9to5Mac reported last night that you can call someone using FaceTime and start
hearing audio from their phone before they even pick up. It's not exactly covert because the phone
will still ring, sing, buzz, or sullenly vibrate. But if the person on the other end is inattentive,
you'll be hearing their cries, shouts, whispers, imprecations, and so on before they've accepted
or rejected the call. The bug works like this.
First, you start a FaceTime video call with one of your iPhone contacts. While the phone's dialing,
and it doesn't literally dial, but you get the drift, go ahead and swipe up from the bottom of
the screen and tap add person. It's like a group chat, only it's not going to be an actual group
because the person you add is you, yourself, your
own phone number. The group FaceTime call will include you and the microphone of the unwitting
person, whether they've interacted with their phone or not. Your phone will show that the person
you call joined the chat, but their device will simply continue ringing away on the lock screen.
Of course, don't try this. It's rude, uncalled for, creepy, and be sure to tell any of
your creepy friends, because of course you wouldn't consider doing that yourself. Well,
tell those creepy friends, we say, who might be tempted along these lines to please restrain
themselves. But here's the other way you can use this news, and this you should definitely do.
Protect yourself from what would probably be a minor intrusion by locking down your phone.
NSA's Rob Joyce helpfully tweeted some instructions anyone can use, although if you're Fancy Bear, Charming
Kitten, or the Lazarus Group, take five, leave the room, and smoke 'em if you got 'em. Here's what
Rob Joyce recommends. He says, turn off FaceTime until Apple issues a patch for iOS and you install
it. Claims of major privacy issue discovered.
Go to Settings, scroll down to FaceTime,
it's the green icon with camera, and switch off.
See there? Twitter can be used for good.
The problem seems to affect iOS devices running iOS 12.1 or later.
Apple has made the group FaceTime server, where the bug is located,
temporarily unavailable until Cupertino comes up with a permanent fix, which they've promised sometime later this week.
Deep Instinct announced this morning that a new variant of the information-stealing FormBook
is circulating in the wild. FormBook is a familiar commodity in dark web markets.
Its build features both elaborate evasion and powerful credential-harvesting capabilities, and it's offered at a fairly low price.
FormBook has been known since its discovery was announced in late 2017 by Arbor Networks and FireEye for its use in spam campaigns designed to phish up credentials.
FormBook has recently shown increased rates of usage.
Deep Instinct says that its own prevention work has been largely in North American retail and hospitality sectors,
but that they have reason to believe the attack wave isn't limited geographically.
Jamil Jaffer is VP for Strategy and Partnerships at IronNet Cybersecurity.
He runs a think tank at George Mason's law school called the National Security Institute, and he's a visiting fellow at the Hoover Institution.
He recently briefed congressional staffers on Capitol Hill on nation-state threats,
collective defense, and strategic deterrence in cyberspace.
There's often this tendency to think in the United States that, well,
you know, the government defends itself and private sector defends itself.
And so in cyberspace, we assume that every company in our
economy, whether it's Walmart or Target or Marriott Corporation, they're going to defend
themselves against all attackers, whether they are script kiddies in their basement all the way to
nation states. But of course, in no other context do we expect that. We don't expect Target or
Walmart to have surface-to-air missiles on the roofs of their warehouses to defend against
Russian Bear bombers. Yet in cyberspace, we do, and that's an odd construct. And so if we're going to have that
expectation of private industry, well, the industry's got to come together, work with
one another, because you can't expect a single company to defend against a committed nation
state. They have to come together as an industry, come together across industries, and frankly,
come together with the government to really create a collective defense system where they're
sharing information, constantly creating almost a radar picture of the U.S. cyber environment,
and then figure out if and when the government has information,
it can take its own action to both stop the activity but also deter that activity going forward.
And that's the really hard part of this calculus because we're not used to thinking about
a government industry working this tightly together.
But given these new expectations, we almost have to do that and change our construct.
Now, what about from a global leadership point of view? What role should the United States take
in setting norms for these sorts of things?
No, that's a great question. I mean, look, there is really a divide when it comes to
cyberspace about how to address, whether it's cyber warfare activities or the like.
Sort of the Western nations have one
perspective. They say, look, there are nation state behaviors that we've always engaged in,
surveillance and the like. We understand that every nation is going to do that.
That's fine. And everyone will sort of, the chips will fall where they may. But when it
comes to destructive activity, we should think about how to work together to limit those things,
like we have done in the warfare space. But then you look at totalitarian states or,
you know, somewhat totalitarian states like China and Russia, and you see what they're looking to do with cybersecurity norms
and the like is really to suppress internal dissent rather than address these external
activities. In fact, they're happy to engage in external activities. And so how you bridge that
divide, I think, is a hard one. The US has to lead that space, but it's going to be a tough
place for us to get real consensus. In the absence of a consensus on norms, though, we still do have
to deter bad cyber activity. A lot of people said, well, deterrence doesn't work in cyberspace. I
don't believe that. I think we simply don't practice deterrence in cyberspace today. We
don't talk about our capabilities. We don't talk about our red lines. And frankly, when bad things
happen to us, we don't take action and respond in a way that will make people really understand the consequences of their actions and not take action in the future.
So that's a challenge.
Yeah, I mean, it strikes me that in terms of defense or even offensive capabilities, there's a reticence to tip your hand, to allow the other folks to know what you may have. And to me, this strikes me as being different than,
you know, in the kinetic world, where if you're a member of the Nuclear Weapons Club,
well, everybody knows what your capabilities are. That's exactly right. And, you know, I mean, if you recall back in the sort of 80s and 90s, when we were really engaged in that sort
of mano a mano fight with the Russians, right, the Cold War, we made it very clear what our
capabilities were, what our red lines were, and what if Russia did this to us or to our allies, we would do in response.
Today in cyberspace, we don't talk about capabilities, as you just pointed out, right?
We sort of keep them very close to the vest, in part because they came out of originally
out of the intelligence community. And so we're used to in the intelligence community holding
those secrets very tight. But the reality is that you can't deter someone if they don't know what
your capabilities are. They don't know what you're willing to do.
They don't know what line, if they crossed, you would respond.
And by the way, you know, we have these sort of weird hiccups about cyberspace where oftentimes we think, well, if it happens to be in cyberspace, I've got to respond in cyberspace.
No reason why that's true, right?
We also have these hiccups where we say, well, because cyberspace is built of zeros and ones and is built on binary systems, well, then we have to have attribution that's perfect.
We've never expected that in the real world. We didn't need to have the audio of Muammar
Gaddafi saying, I ordered the bombing of that Berlin discotheque to take direct kinetic action
against him back in the 1980s. And yet today in cyberspace, we have this sort of almost a fetish
about cyberspace that we have to say, well, attribution has to be perfect. The weaponry has to be in cyberspace. None of those things are true.
And those all go to, in my mind at least, the sort of reasons why we don't actually
have deterrence in cyberspace. It's not because it doesn't work. It's because we don't really
practice it. That's Jamil Jaffer from IronNet Cybersecurity.
xDedic, the online marketplace that traded in hacked servers, has been taken down.
The FBI announced that the illicit services site had been seized pursuant to a U.S. federal warrant.
The Bureau estimates that the site facilitated some $68 million in fraud during the time it was in operation.
The takedown was an international operation featuring substantial European support and cooperation.
In the U.S., the FBI and IRS led the investigation,
with assistance from U.S. Immigration and Customs Enforcement's Homeland Security Investigations
and the Florida Department of Law Enforcement.
The Department of Justice's Office of International Affairs
and the Criminal Division's Computer Crime and Intellectual Property Section also helped.
In Europe, the lead effort was a Belgian-Ukrainian operation by Belgium's Federal Prosecutor's Office and the Federal Computer Crime Unit
and by the National Police and the Prosecutor General's Office of Ukraine.
Europol rendered significant assistance as well,
and Germany's Bundeskriminalamt helped seize xDedic's infrastructure.
We list the agencies to say bravo and also for the pleasure of seeing so much effective cooperation.
xDedic's infrastructure had been located mostly in Belgium and Ukraine.
Its proprietors are unlikely to go unscathed.
Ukraine's Cyber Police tweeted that they already have three suspects in custody.
The xDedic takedown is an example of supply-side action against the criminal economy,
but users of illicit services shouldn't feel they've got a pass.
Europol is pursuing users of booter services,
the DDoS-for-hire service Webstressor having been taken down.
The authorities are now tackling the demand side of this criminal market and are very interested in getting to know the people who used Webstressor's services.
Webstressor, like most other DDoS-for-hire outfits, covered its shame with the fig leaf of security testing.
But few should be deceived by such a flimsy excuse.
It didn't work in Eden, and it's not working now.
The U.S. has filed more charges against Huawei. Thirteen counts, the New York Law Journal and many others report. They involve fraud
and money laundering, with some of that fraud serving theft of intellectual property. China's
government continues to object that Huawei didn't do nothing, nothing we tell you, and has urged Canada and the U.S. to drop the extradition proceedings
that would send Huawei CFO Meng Wanzhou to face the music in an American court.
Ms. Meng, who also, fun fact, goes by Sabrina or Kathy,
which is in itself an entirely innocent concession
to dealing with tenured North American anglophones,
well, she remains in Vancouver.
Canadian Prime Minister
Trudeau fired his ambassador to China over the weekend because the envoy made remarks to the
effect that Ms. Meng maybe should be released, that there might be sound political or even legal
reasons for doing so. Trudeau was having none of it, and the wheels of Canadian justice will
continue to grind. Finally, a few notes on international flashpoints
that seem to have a good chance of sparking into hacking,
or at least information campaigns.
North Korean ruler Kim has announced ambitious financial goals for the year,
and CyberScoop says many observers think these goals
are likely to prompt a surge in DPRK hacking.
North Korean hacking has long had a strong, perhaps dominant strain of theft in it.
Computer crime is an attractive way of redressing the pariah state's perennial,
sanctions-induced financial straits.
European officials warn that rising tensions between Iran, its regional rivals,
and those global powers that disapprove of the Islamic Republic's policies,
are likely to prompt a spur of hacking by Iran's increasingly capable and resourceful cyber operators.
Finally, since Russia has, for obscure reasons,
having mainly to do with yanking the Yankees' chain in the Western Hemisphere,
decided to nail its flag to the mast of Chavismo in Venezuela,
one might expect various cyber campaigns in support of embattled and now officially illegitimate President Maduro.
The U.S. has tightened sanctions on Venezuela to even more crippling levels,
and the EU says it will recognize the head of the country's National Assembly
as the legitimate acting president unless elections are promptly held.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information
Security Institute, and he's also my
co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave. An interesting article came by from Wired,
and this is about tweets that give away more location data than you think.
This is an article from Issie Lapowsky.
What's going on here?
What's the location data that they're revealing here?
Some time ago, Twitter thought it would be a great idea
to allow you to geotag your tweets
with your location, like I'm in New York City or something like that. And you had to opt into it.
Right. And their rationale for this was that it will provide you a better personalized experience.
Okay. This is what we always hear from these social media companies, a better personalized experience.
I will applaud Twitter here
for making this something that people had to opt into.
However,
they weren't just
storing the general location.
They were actually storing the
specific GPS coordinates
of the person's device
when they sent the tweet.
This information was not available to the user in a readily visible format,
nor available to Twitter users, the standard Twitter users.
But if you use the API, you can extract this information.
So let me make sure I'm clear here.
So I would say I'm in New York City.
Right.
But in doing so, Twitter behind the scenes would also log my precise GPS coordinates.
Right.
You're at the corner of 5th Avenue and 26th Street.
Right.
Okay.
I don't know what's there, Dave.
Yeah, my favorite adult theater.
Right.
Yeah.
Okay, go on.
Just picking numbers out of random.
Right.
So there were some researchers who found out that this information was available.
And they're going to be publishing a paper in the Network and Distributed System Security Symposium coming up.
Okay.
And they have developed a tool that goes through the Twitter API, finds this information, and can identify your home and your place of business and other things with like 80% accuracy.
Huh.
So they're taking the information that was logged behind the scenes.
Right.
So you opted in but maybe did not know the precision with which you were opting in.
Correct.
So they go in and they sort of sift through this and they figure, I suppose, based on repetition.
So they correlate those bits of information.
Maybe you tweeted, I'm home, and then they look at the GPS tag.
Right.
Yeah, okay.
If you're tweeting from this location at 10 o'clock at night and you're regularly tweeting
from that location 10 o'clock at night, that's probably your house.
Right.
So fortunately, if you go to
the Twitter app and you have this
turned on, you can turn it off right now by going
into your privacy and safety settings
and Twitter also provides
you with an easy way to delete your
location information from old tweets.
Right. Now Twitter also changed the way that they handle this.
I think back in 2016, they made it a little more overt that you have to opt into this
degree of tagging.
Right.
And that's the problem with it was that in 2009, when they started it, they didn't really
tell you that you were opting into a really precise version of this tagging.
Yeah.
And I guess the other criticism is that when they changed that in 2016
to make it more of an overt opt-in,
they also didn't make it any harder to get the historical data.
Right.
Yeah.
The historical data is still there right now for tweets
that were stored between 2009 and 2016.
Yeah.
All right, so if this is something that concerns you,
you can go into your Twitter settings
and you can scrub that data, right?
Right.
You go to your settings, privacy and safety,
and there's a big red button under privacy
that says delete location information.
Click that button.
All right.
All right, good enough.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. See you back here tomorrow.