CyberWire Daily - Hybrid war and tactical influence operations. Separ lives off the land. NoRelationship attacks get past email filters. Responsible disclosure. Man-in-the-room bug. Ship hacking. Password managers.

Episode Date: February 21, 2019

In today’s podcast we hear about a test of influencing soldiers through their social media: Instagram works best, Twitter not so much. Separ credential-stealing malware successfully lives off the land. NoRelationship attacks get past some email filters. Spamming users to get your point across may not be the best form of disclosure. University researchers find a man-in-the-room bug. Other researchers think they could capsize a ship. Britain’s NCSC continues its dance with Huawei. Password managers remain a good idea. Emily Wilson from Terbium Labs discusses law enforcement on the dark web. UK correspondent Carole Theriault returns with the story of surveillance and facial recognition in London. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_21.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K. [...] Twitter not so much. Separ credential-stealing malware successfully lives off the land. NoRelationship attacks get past some email filters. Spamming users to get your point across may not be the best form of disclosure. University researchers find a man-in-the-room bug. Other researchers think they could capsize a ship.
Starting point is 00:02:20 And password managers remain a good idea. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 21, 2019. Social media posed enough operational security problems for Russian forces operating against Ukraine that the Russian army cracked down on their soldiers' online presence. It was revealing information about units' operations, including such matters as their very presence in Ukraine, a presence Russian hybrid war doctrine would have preferred to cover with the fig leaf of Green Men militia, plausible deniability, and also general opsec.
Starting point is 00:03:06 It's a general problem, certainly not confined to the Russian army. During a recent exercise, NATO red team operators ran various phishing trawls and honeypots against NATO soldiers. The results were discouraging. Military personnel put enough personal information online to render them vulnerable to influence and social engineering. Troops also discuss matters better left undiscussed, of course, but the NATO exercise is interesting in that it showed that the personal data overshared online enabled the red team to, as NATO puts it, induce certain behaviors such as leaving their positions, not fulfilling duties, etc. More specific than that, the report doesn't get.
Starting point is 00:03:48 There are some interesting sidelights on which social networks were most easily used to exert a malign influence over the troops. Twitter was basically a waste of time. Instagram and Facebook were a different matter altogether. Blue forces during the exercise did succeed in recognizing and blocking some bogus Facebook pages, but others got through. And Joe and Jane Troop were suckers for Instagram. Security firm Deep Instinct says it's observing new instances of Separ credential-stealing malware.
Starting point is 00:04:17 A maliciously crafted Adobe file is the typical infection vector. Once installed in a victim's system, Separ lives off the land by abusing legitimate files and tools. The attack is simple but effective. The malicious script is short and easily overlooked, and the dual-use software it takes advantage of makes it relatively quiet, even without elaborate obfuscation, and it's said to bypass many legacy antivirus products. Another attack in circulation is evading Exchange Online Protection URL filters. According to researchers at security firm Avanan,
Starting point is 00:04:53 NoRelationship attacks are evading the link parsers that many filters use to screen email for malicious links. Many link parsers don't scan the full document; instead they consult a relationship file for the list of links that a document attached to an email contains. If a malicious link is removed from the xml.rels file that accompanies the document, the link is simply not noticed by those parsers. As you go about your day minding your own business, have you ever stopped to consider how many times a day you're being recorded by some sort of video camera or other security surveillance device? Our UK correspondent Carole Theriault did, and she files this report.
Starting point is 00:05:35 Did you guys know that London is ranked by some as the most spied upon city in the world ahead of China? The estimate count of 2018 CCTV cameras in London? 500,000. For a city of 9.2 million, that's a camera for every 18 people. So for context, Chicago is touted as the U.S. city with the most surveillance, and it has an estimated 4,000 cameras, which pales in comparison to London's half a million. So maybe we shouldn't be surprised that London's Met Police got the thumbs up to try out a live facial recognition system. Now, of course, not everyone is on side with these trials, including Big Brother Watch, a privacy group
Starting point is 00:06:16 who pooh-poohs the idea of mass surveillance. First, you've got to understand how the Met's automated facial recognition system works. So the Met load up a watch list. These are pics of offenders that have fallen foul of the police or the courts. These pics are analyzed by the software to measure the structure of each face, the distance between the eyes, the nose, the mouth, the jaw, the eyebrow shape, etc. The surveillance system is placed in a van to monitor an area of London.
Starting point is 00:06:40 If they find anyone that matches one of the offender pics, the system sends an alert to a nearby officer who can review and verify the match and then make the decision on what next steps to take. Ivan Balhatchet, strategic lead for this technology, had this to say, quote, the technology being tested in this trial is developing all the time and has the potential to be invaluable to day-to-day policing, unquote. Now, the system has been criticized for its unreliability. According to information released under the Freedom of Information laws last May, the Met's automated facial recognition system has a false
Starting point is 00:07:15 positive rate in the 90% range. So that means for every 10 people that it matches to an identity of an offender on the system, only one is correct. Even so, this technology must seem like a godsend to the London Met, who have been facing serious budget cuts. So imagine the allure of facial recognition technology. It's like a bag of pollen to an overworked bee. But the Met need to keep the public on side for this to work. It's a delicate balance between improving safety and respecting the privacy of the people the cops are paid to protect. Now last week, we saw the ninth trial of this facial recognition technology. It took place in the London borough of Romford, and a minor altercation did not help matters.
Starting point is 00:08:00 Okay, let me walk you through it. So this man finds out that there's an active facial surveillance trial in the area and pulls up the top of his sweater to cover the bottom of his face, puts down his head to walk past. But a plain-clothes police officer stops him and asks him to show his ID. He did, but then he told the officer to piss off, which is basically the British equivalent of a salty go-away-now-please. The cop handed this man a £90 fine after he protested angrily at being stopped.
Starting point is 00:08:30 But this tête-à-tête has ruffled quite a few feathers, because the Met's official page on these facial recognition trials clearly states, it's not an offence or considered obstruction to actively avoid being scanned, unquote. So what the Met Police are saying on their website and what the Met Police are actually doing are not aligned. And the concern is it will add to the frustrations and tensions around the use of facial recognition technology in the most spied upon city in the world. Now, we wait for the full independent evaluation of this facial recognition technology. And as we wait, Big Brother Watch announced its legal challenge against the UK's mass
Starting point is 00:09:10 surveillance technologies will be heard in Europe's highest human rights court. I cannot but think that in these unique political times, Big Brother Watch better get its skates on. This was Carole Theriault for the Cyber Wire. Don't forget, you can check out Carole Theriault on the Smashing Security podcast with her co-host Graham Cluley. Their guest this week is Joe Carrigan, my co-host on the Hacking Humans podcast. It's a small little world. Do check it out. It's a fun show. A VKontakte hack suggests where the limits of responsible disclosure may lie,
Starting point is 00:09:52 and as Naked Security suggests, the line should probably be drawn on this side of spamming thousands of people to make a point. App developer Bogosi found an issue with Russian social network VKontakte, then decided to turn it loose when Bogosi judged that VKontakte wasn't paying sufficient attention. Bogosi claimed the Valentine's Day spam it induced was a harmless and necessary attention-getting caper. ZDNet says VKontakte was not amused and shut down much of Bogosi's presence on its platform. Two other interesting potential hacks are in the news this week. One is a proof of concept, the other more of a thought experiment.
Starting point is 00:10:25 The proof of concept comes from researchers at the University of New Haven. They found it possible to eavesdrop on users of the popular virtual reality program, Bigscreen. Bigscreen is described as a virtual living room used for entertainment, communication, and collaboration. Since the University of New Haven researchers were able to do such things as turn on user microphones and enter Bigscreen sessions without the user's knowledge, they call their proof of concept a man-in-the-room attack. The researchers disclosed their findings to Bigscreen, and the company fixed the vulnerabilities last week.
Starting point is 00:11:01 So good on all of you for responsible disclosure and responsible patching. The other potential hack we'll call a thought experiment, because actually doing it would be pretty devastating. Pen Test Partners, who've been noodling some maritime system vulnerabilities recently, were wondering whether it might be possible to send a ship to Davy Jones' locker and leave no easy-to-get-at evidence to tell any tales. After thinking it through, they concluded that it could be done through NMEA 0183 messaging. GPS devices and other shipboard systems use such messaging to communicate.
Starting point is 00:11:38 So, suppose you got into a ship's network. It's a little like hacking a car. Many ships' devices use Windows XP or Windows NT, and Pen Test Partners thinks, reasonably enough, that a lot of those devices still have their default credentials installed. Even if they don't, they're likely to be susceptible to a firmware downgrade compromise that the researchers think is a relatively trivial hack. Once an attacker is in, he or she could meddle with the ship's ballast, render the ship unstable, and capsize it.
Starting point is 00:12:09 An IoT vulnerability with uniquely maritime implications. Don't try this at home. Or at sea. And if you're operating a vessel, take a look at the claimed vulnerability. A report this week from Independent Security Evaluators called out password managers as being potentially leaky. The researchers said that the password managers they tested stored either a master password or user credentials in a device's insecure memory while the managers were in use.
Starting point is 00:12:40 They said there was no insecure condition while the managers were not in use. The researchers also said they still recommended that people use password managers and that those services made a substantial contribution to security. They wished, however, that the password manager vendors would improve application memory management. Many of the password manager vendors took issue with the report. Dashlane said that the insecurity the report described arose when an entire system was compromised, and that there's effectively no way of preventing an attacker with that sort of access from getting anything that's on the compromised system. LastPass said that in their recent releases, they've already mitigated the
Starting point is 00:13:19 vulnerability. LastPass shuts down and clears memory when a user logs out. 1Password thinks that any cure for the issue would make matters worse. KeePass says something similar. But everyone, vendors and researchers alike, agree on this. For heaven's sake, use a password manager. And don't set every account you use to Ninja or Camaro, just because it's easy for you to remember. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:13:54 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
Starting point is 00:14:39 with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:15:40 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Emily Wilson. She's the VP of Research at Terbium Labs. We want to focus today on what you are seeing in terms of law enforcement and dark web activity.
Starting point is 00:16:25 You've seen some things shifting around lately? I have. I have. And I know we're all very tired of hearing 2019 predictions. So instead I will call this something I'm watching. Okay. Something I'm watching this year. So I'm keeping an eye on the kind of shifting attention that law enforcement is paying toward the different dark web communities. When we think about law enforcement takedowns or activity when it comes
Starting point is 00:16:50 to the dark web, we're thinking mostly about heavy hitters like drugs or weapons or child abuse. That's what we think of historically. When you go after these major markets, that's what all of the indictments or all of the attention is going toward. We have to get the guns off of the street and we have to win the war on drugs. What I'm curious to see, though, with some precedent that was set last year, is how law enforcement attention shifts toward cybercrime that's related to fraud activity. So last year, we saw a couple of things that got my attention. Early last year, we saw the indictment come down against the InFraud organization. So a prolific group with scores of individuals who were operating fraud schemes.
Starting point is 00:17:37 And of course, you know, the InFraud website and network itself. Then a few months later, in kind of midsummer, we saw the FIN7 indictment come down, right? And so we saw, again, law enforcement, international coordinated law enforcement attention toward cybercrime using fraud, stolen payment cards, these criminal networks that are more involved in financial fraud than they are in guns or drugs or other kinds of violence. And so I'm watching to see what happens this year for a couple of reasons. One, we've obviously seen a lot of attention for many months now about, you know, the efforts of Magecart. Seems like every other day there's a new Magecart victim that we're talking about. The other thing, as we all know, unfortunately,
Starting point is 00:18:22 very well, is that we are entering another election cycle. And so there's going to be more attention around cybercrime activity as related to disinformation, as related to election security. And I think that we are going to see fraud come up in that: payment card fraud, money laundering. I think we're going to see that come up more and more. We've already seen it come up in the individuals that were indicted for the DNC hacks, right? There was money laundering there. We know about Facebook ads that are being purchased to spread propaganda. That's going to continue. That's something we now have to expect from our elections going forward. And so what does that shifting attention look like? How do we see dark web fraud communities, dark web payment card communities potentially being caught up in that? It's a very effective way to launder money using stolen payment cards. They're readily available. It's easy to get lost in the noise of all of the fraud that's happening in the payment card networks.
Starting point is 00:19:26 So it's a useful tool. And organized crime syndicates know that, so they're going to keep using them. It's a good way to pay for all of the work that they're doing, and it's a good way to move money around. Now, how much of this do you think is politically motivated? I guess what I'm getting at is, what do you suspect has caused this shift to occur? The shift in payment card usage or the shift in law enforcement? I think it's a combination of having opportunities, getting tips, getting a break in a case and being able to go after an organization. And the fact that we are seeing things like this get caught up in sexier topics that would warrant budget effectively. You know, one of the things about fraud that's kept it sort of out of the limelight and in the dark web takedowns of the past is that fraud isn't sexy. No one really cares. People care about guns. They care about drugs. They care about children. You can put names and faces toward that. You can create a sense of urgency there. But fraud is sort of
Starting point is 00:20:20 an acceptable part of doing business until you put it in the terms of election hacking, or until you put it into the terms of broader data security issues as you have with Magecart, until you start seeing grouped victims in the hundreds of millions, or you talk about state security or propaganda. That's when we start to see attention going toward those. And I think people know to expect it now. They're going to be looking for it. And I think we're going to see some fallout from that as a result. All right. Well, time will tell. Emily Wilson, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge.
Starting point is 00:21:05 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:21:59 sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:22:30 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious [...] that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
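The NoRelationship evasion discussed in the episode, as an added example that is not part of the transcript, of Avanan's research, or of any vendor's filter: a constructed OOXML package in which the URL lives only inside a HYPERLINK field code in word/document.xml, while word/_rels/document.xml.rels lists no hyperlink relationship at all. A filter that reads only the relationship file reports no links; one that walks every XML part finds the URL and can also flag w:hyperlink elements whose r:id has no relationship entry. The sample document, the placeholder URL, and all three parser functions are assumptions for illustration; the field-code placement is one way a working link can exist without a relationship entry, not a claim about the exact samples the researchers observed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real WordprocessingML / OPC namespace URIs used by .docx packages.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL_TYPE = R_NS + "/hyperlink"

# Constructed sample, not a real attachment: assumed placeholder URL.
SAMPLE_URL = "http://example.test/invoice"

# word/document.xml carries the URL only as a HYPERLINK field instruction ...
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> HYPERLINK "{SAMPLE_URL}" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>View invoice</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# ... while word/_rels/document.xml.rels has no hyperlink relationship at all.
RELS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_REL_NS}">
<Relationship Id="rId1" Type="{R_NS}/styles" Target="styles.xml"/>
</Relationships>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_docx() -> bytes:
    """Pack the two constructed parts into an in-memory zip shaped like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", RELS_XML)
    return buf.getvalue()


def links_from_rels(docx_bytes: bytes) -> list[str]:
    """Naive filter: trusts the relationship file alone, so it never sees a field-code URL."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship")
        if rel.get("Type") == HYPERLINK_REL_TYPE
    ]


def links_from_document(docx_bytes: bytes) -> list[str]:
    """Hardened filter: rels plus every XML part, catching HYPERLINK fields and bare URLs in text."""
    found = set(links_from_rels(docx_bytes))
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            for node in root.iter():
                text = node.text or ""
                if node.tag == f"{{{W_NS}}}instrText" and "HYPERLINK" in text.upper():
                    found.update(URL_RE.findall(text))  # field code carries the target inline
                elif node.tag == f"{{{W_NS}}}t":
                    found.update(URL_RE.findall(text))  # URL typed as visible text
    return sorted(found)


def dangling_hyperlink_ids(docx_bytes: bytes) -> list[str]:
    """w:hyperlink elements whose r:id has no rels entry: a sign the rels part was edited by hand."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        rels = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        doc = ET.fromstring(zf.read("word/document.xml"))
    known = {rel.get("Id") for rel in rels.iter(f"{{{PKG_REL_NS}}}Relationship")}
    ids = (h.get(f"{{{R_NS}}}id") for h in doc.iter(f"{{{W_NS}}}hyperlink"))
    return sorted(rid for rid in ids if rid and rid not in known)


if __name__ == "__main__":
    sample = build_sample_docx()
    print("rels-only parser saw:", links_from_rels(sample))          # []
    print("full-document parser saw:", links_from_document(sample))  # ['http://example.test/invoice']
    print("dangling hyperlink ids:", dangling_hyperlink_ids(sample))  # []
```

The design point is that the relationship file is metadata the sender controls; a URL filter that treats it as the index of links in the document is trusting the attacker's own table of contents. Walking the parts costs a few milliseconds per attachment and closes that gap; the dangling-id check is cheap corroborating evidence that a document was tampered with after Word saved it.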
