CyberWire Daily - Fancy Bear in Czech government systems. Watering hole attacks. Quora breached. Marriott breach follow-up. Kubernetes privilege escalation flaw. Scams kicked out of Apple’s App Store.
Episode Date: December 4, 2018
In today's podcast we hear how Fancy Bears and free-range catphish have been disporting themselves in the Czech Republic. China reported to have used watering hole attacks to gain entry into Australian institutions. Quora suffers a data breach. Marriott's breach response earns mediocre marks. A Kubernetes privilege escalation flaw is found and patched. Two scammy apps are ejected from Apple's App Store. An object lesson in the difficulty of controlling fake news—or at least fake op-eds. Jonathan Katz from UMD on SSD drive encryption security woes. Guest is Brian Egenrieder from SyncDog on the challenges of commingling work and personal mobile devices. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_04.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Fancy bears and free-ranging catfish
disport themselves in the Czech Republic.
China's reported to have used watering hole attacks
to gain entry into Australian institutions.
Quora suffers a data breach.
Marriott's breach response earns mediocre marks.
A Kubernetes privilege escalation flaw is found and patched.
Two scammy apps are rejected from Apple's App Store.
And an object lesson in the difficulty of controlling fake news, or at least fake op-eds.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 4th, 2018.
Reuters reports that the Czech Republic's BIS counterintelligence service yesterday attributed last year's cyberattacks on the foreign ministry to Russia's GRU, also known, of course, as Turla, Sofacy and Fancy Bear.
At the time, the ministry said the incidents appeared to be the work of a foreign intelligence service, but they were unsure which one.
The foreign ministry said no confidential material was compromised.
BIS said that some 150 staff mailboxes were accessed, with the GRU copying emails and attachments.
The report sees this essentially as battle space preparation.
As BIS puts it, the GRU, quote, thus obtained data that may be used for future attacks, as well as a list of potential targets in virtually all the important state institutions, end quote.
Another recurrent warning that figured in the report: widespread use of undeclared intelligence officers operating under diplomatic cover.
In fairness to Fancy Bear, Russia's not the only espionage power being name-checked.
In the report, BIS also points out that the Chinese services are also quite active.
Their interest is characteristically industrial espionage.
The Sydney Morning Herald has, in this context, an interesting account of how China used watering hole attacks to gain a foothold in the various Australian institutions Beijing's intelligence services were interested in prospecting.
A visit to the watering holes provided the entry point for installation of malware tools into a leading foreign policy think tank, the Lowy Institute, as well as the Australian National University.
Last week, the big breach news, of course, was of the goings-on at Marriott.
This week, another large breach has been reported.
Quora, the widely used question-and-answer site, was hacked, and the attackers made away with passwords, names, email addresses, and direct messages belonging to some 100 million users.
The stolen passwords are said somewhat vaguely to have been encrypted.
Ars Technica thinks this probably means that they were passed through a one-way hash function.
Which function was used matters: some are relatively easily cracked with off-the-shelf tools, while others are strongly resistant to breaking.
Quora discovered the breach Friday.
Causes remain under investigation.
Marriott is not drawing good reviews for its response to the breach it disclosed last week.
The hospitality chain is, for example, using the domain email-marriott.com
to send notifications to the half-billion or so affected customers.
But as TechCrunch points out, that domain is easily spoofed by typo squatters,
and several security firms working gratis and pro bono
have preemptively registered several of the more plausibly typo-squatting domains.
Observers see a string of breaches going back to 2015,
beginning shortly after Marriott's acquisition of Starwood's properties and reservation service.
The breaches mostly involved Starwood, with many missed opportunities to prevent the recent problem.
A lesson being drawn is that corporate mergers and acquisitions represent a clear cybersecurity danger point.
Google researchers found a privilege escalation flaw in Kubernetes.
It's now patched. Users should upgrade.
The issue will also be addressed in forthcoming releases.
This is believed to be the first significant vulnerability to be discovered in Kubernetes,
and it's serious enough to warrant a CVSS score of 9.8.
Exploitation of the bug could enable an attacker to obtain full administrative privilege
on any node running in a Kubernetes cluster.
Do you carry more than one mobile device?
Does your company insist on keeping your online personal and professional lives physically separated? Or do you carry one device and carefully co-mingle the two?
Brian Egenrieder is from mobile device security company SyncDog, and he joins us with some perspective.
We're kind of in an imbalance or an interesting intersection in the market where, you know, a lot of people are out there carrying two phones around: a work phone and a personal phone. In fact, we often see, you know, the people's work phones are like an iPhone 6, for example, and their personal phone is an iPhone X. And, you know, you have that disparity of, like, why am I using this older technology when I'm carrying something right beside it that's much better? Or conversely, people that are allowed to use their personal phones for work often have to sign documents that say, if you leave the company, that company has the right to wipe your entire device, which creates kind of this big brother aspect or lack of trust between the employee and the company.
The reason they're all being done is that companies are simply apprehensive or concerned about where that data is and how they can control it.
Now, part of this is practical as well.
As the price of these mobile devices goes up, you can understand where the whole notion of people bringing their own devices could be attractive to a company who might not want to foot the bill for that.
You're absolutely right. And we all see, too, that people don't treat their work devices the same way they would their personal device. You know, when you've shelled out, you know, $1,000 on your own or, you know, $1,200 now with some of these newer iPhones, if not more, you know, you take care of that. You're concerned about it breaking and losing it. When it's a work device, you're like, whoops, I dropped it. No big deal. They'll just have to get me another one. Yes, companies are becoming more and more apprehensive about this because everybody is now using a smartphone for their personal device. So you can't get away anymore with handing somebody an iPhone 6 or an older technology. It becomes a deterrent. You know, it used to be, hey, we're going to give you an iPhone for work. And it was, you know, it was a selling appeal for a company to bring somebody on. Now, if it's not the latest and greatest, it's actually hurting their reputation versus helping.
Yeah, it's interesting. I think as those mobile devices become more a primary device in our lives, it seems like that has shifted quite a bit.
Absolutely. And the work world's changed. The nine-to-five job doesn't seem to exist anymore. I always say the yabba dabba doo time, where the bell rings and you slide down the back of the dinosaur and your day is done and you don't think about work anymore, is long gone. So people are working, certainly not 24 hours a day, but throughout all times of the day and travel, and just the world has definitely become more mobile. So being constrained to the four walls of the corporation and only being able to access, you know, sensitive data while you're there is just unrealistic. And so you have to find a solution that enables people to get the job done while they're outside the four walls of the company.
Yeah, it strikes me also as interesting that there hasn't been more of a response for this sort of thing from the manufacturers themselves, from Apple and Android. Clearly, there's a need for this. You know, we have multiple logins on our desktop computers. It seems like there's a market opportunity here to be able to segregate your personal from your professional life on a single mobile device. And yet that isn't really being filled by the manufacturers themselves.
Yeah, you know, and some have tried and some even have products out there right now.
But as you're probably not surprised by, you know, Samsung, for example, has a product,
but it's Android only and it's Samsung Android only and only on some of the devices of Samsung.
So they have something, but obviously they're like, hey, we're not going to give anybody an excuse to not buy a Samsung.
So they completely focus on that environment alone.
And that's just not realistic.
You're going to have Android and iOS users across the board in any company of any size, really.
They're definitely users of both technologies anywhere you go.
That's Brian Egenrieder from SyncDog.
Fingerprint ID, like the Touch ID system featured on iOS devices,
is attractive for many reasons as an authentication measure.
It's difficult to spoof, for one thing,
the hot epoxy gummy bear hack featured in the first Ant-Man movie aside.
But it needn't be spoofed if a user can be induced to let their finger do the walking through a couple of payment approvals.
That's been the case with two scam, or at least scammy, apps, Fitness Balance app and Calories Tracker app, both of which Apple has now booted from the walled garden of the App Store.
The two apps displayed a message telling people to keep their finger on the iOS Touch ID feature, meanwhile flashing a quick payment window, likely to be unnoticed because it was for most intents and purposes in the background, and only up for at most two seconds.
Keeping your finger on the pad, of course, authorized a payment, whose authorization was acknowledged in another flashed pop-up that also probably would go unnoticed.
Even if you did notice it, that hundred bucks or so was already gone, baby, gone.
So farewell to Fitness Balance and Calories Tracker. We hardly knew you.
Robin Sage, please meet Tatyana Horikova. You two should really talk about trolling for catfish.
Sure, your personae are entirely fictive, but in this day, who would be so narrow-minded as to dismiss someone's life experiences and the voice they contribute to our mosaic of discourse on the legalistic and pedantic grounds that such a person doesn't exist?
Take a broader view.
Don't view Robin Sage and Tatyana Horikova as names, but rather as definite descriptions, like the present king of France. Bertrand Russell would get it, and so can we, right?
Anywho, you'll remember that Robin Sage was the name of a fictitious person used in an experiment in gullibility conducted in 2009.
She was socially constructed in social media as a 25-year-old cyber threat analyst for Naval Network Warfare Command with a degree from MIT and 10 years' work experience.
She attracted dinner invitations and job interviews from at least two large and famous corporations, whom we won't name because at this point shaming would just be piling on.
Not everyone was taken in, since some people bothered to check the phone number provided in contact information, or looked into MIT alumni records, or simply found implausible the idea that anyone could have accomplished by the age of 25 what Ms. Sage claimed.
In any case, experimenter Thomas Ryan blew the gaff with a presentation at Black Hat in July 2010, so Robin's run lasted less than seven months.
Ms. Horikova has had an even longer, more illustrious career,
and she's successfully trolled, among others,
the Prime Minister of the Czech Republic.
Ms., or perhaps more appropriately, Dr. Horikova, has a knockout resume: founder and director of a medical not-for-profit that sends physicians into conflict zones.
She arranged the release of Bulgarian nurses held by the late Libyan leader Muammar Gaddafi.
She offered herself in exchange for a hostage held by FARC guerrillas in Colombia.
She turned down no less than three Nobel Peace Prize nominations, got a big humanitarian grant from the Vatican, and lots of other good stuff, too.
She's also a frequent contributor of high-minded op-eds to Czech media outlets.
Foreign Policy pedantically objects that there's no evidence Tatyana Horikova exists.
Says you, Foreign Policy.
If she doesn't exist, how has she succeeded in showing up in Czech newspapers for more than ten years?
Explain that.
Actually, there probably is an explanation.
Reporter Prokop Vodraska of the skeptical paper Novi Denik thinks it's just someone sitting in a flat laughing at everybody.
It's like a character straight out of The Good Soldier Švejk.
If you want a serious take on the difficulty of controlling for fake news, however, look no farther than Tatyana Horikova.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, it's great to have you back.
We had a story come by. This is from TechCrunch, but it certainly made the rounds in the press, about some security researchers who found fundamental weaknesses in the encryption on several Crucial and Samsung SSD drives.
These are our storage devices. What's going on here?
Yeah, these researchers were looking at hardware-based encryption.
That's encryption that's being done at the hardware level,
done by the disk drive itself that a user might buy.
And the findings of these researchers were actually pretty scary.
Basically, when they looked at what was actually going on,
when they physically examined these hard drives,
they found that in many cases it would be very easy for an attacker
to bypass the encryption that had been done and recover a user's files.
And that's exactly the sort of thing that these encrypted hard drives
are supposed to protect against.
So what was going on here?
Was this a flaw in the implementation of the encryption in the hard drive's actual hardware?
Yeah, it was a flaw, not so much in the implementation of the encryption itself,
but in the way that the keys were being managed.
So just as an example, on many of these hard drives,
there would be a default password that was set at the time of manufacture.
And if the user didn't go ahead and change that, then that default password would allow an attacker to have access to the contents of the encrypted drive. So you can be using the best encryption in the world, but if there's a default password that everybody knows about that's being used, you're not going to get any protection from that.
Yeah, it's interesting that on the software side, I suppose many systems were just taking the security of this encryption for granted. If the hard drive said, or the SSD drive said, this was encrypted, then the system would say that's good enough for us.
That was a very interesting part of this attack, actually. So I guess exactly what you said: people who are using software encryption, those software encryption schemes would basically trust the underlying hardware. And if the hardware would tell them, yes, you know, don't worry, we're encrypting stuff, then the software would not go ahead and encrypt. And, you know, really what you have here, you can think of the hard drive as lying, right? It's telling the software that it's doing proper encryption when it's really not. And so I think that the software encryption algorithms are now going to be updated to encrypt anyway, even if the drive tells them that it's doing encryption.
Now, what about some of the developments? For example, I know Apple has made a lot out of their T2 chip. They've taken that encryption onto a dedicated piece of hardware, you know, a secure enclave off of the hard drive, and separate from that, taking that workload off of the main processor of the computer itself. They say that increases security and speed.
Right. So the devices that are put out by Apple were not affected by this particular line of research. Of course, you know, until somebody actually looks at what's going on, we can't really say much about the security of those devices. But I think in general, Apple has a pretty good track record of building secure devices. I think the global message here really is that the algorithms that are being used need to be open source so that they can be evaluated by security researchers. One of the problems in this example here is that the Samsung drives, for example, were not revealing exactly what algorithm they were using for their encryption, and so there was no way really for anybody to analyze it, short of going in and actually physically trying to attack these drives. And I think Apple has done a pretty good job of at least releasing the high-level details of their design, even if they don't release all the details of what they're doing.
No, it's interesting. All right, Jonathan Katz, thanks for joining us.
Great, thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim
Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.