CyberWire Daily - ICEPick-3PC in the wild. Influence ops warning in Israel. Hackerangriff and a lone hacktivist. OXO and Magecart. The Dark Overlord wants you. Oversharing. Internet autarky. Kaspersky helped NSA?

Episode Date: January 9, 2019

In today’s podcast, we hear that ICEPick-3PC is out in the wild and scooping up Android IP addresses. Shin Bet warns of influence operations threatening Israel’s April election—much predictable yelling and finger-pointing ensues. German authorities are pretty convinced Hackerangriff is the work of a lone, disgruntled student. OXO may have suffered a Magecart infestation. Dark Overlord’s labor market play. Facebook sharing. Internet autarky. And did Kaspersky finger an NSA contractor to NSA for mishandling secrets? Dr. Charles Clancy from VA Tech on security gaps in the 5G specification. Guest is Denis Cosgrove from Booz Allen Hamilton on the growing connectivity and autonomy in motor vehicles. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_09.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 ICEPick-3PC is out in the wild and scooping up Android IP addresses. Shin Bet warns of influence operations threatening Israel's April election. German authorities are pretty convinced their doxing situation is the work of a lone, disgruntled student. OXO may have suffered a Magecart infestation.
Starting point is 00:02:16 Dark Overlord's labor market play, Facebook sharing, Internet autarky, and did Kaspersky finger an NSA contractor to NSA for mishandling secrets? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 9th, 2019. The Media Trust offers notes on ICEPick-3PC, a malware strain now circulating in the wild. It targets Android devices mostly, and it's of particular concern to publishers and e-commerce sites. The criminal innovation here, the Media Trust says, is that the malware automates pulling affected devices' IP addresses from them, which facilitates further exploitation. According to Haaretz and other sources,
Starting point is 00:03:09 the head of Israel's Shin Bet intelligence service has warned that an unnamed foreign country intends to interfere with the country's upcoming elections. The country's unnamed, but the whooping and hollering that surged in response to the remarks, made recently on TV, leave little doubt that Russia is the usual suspect. Security firm Check Point has reviewed the various sorts of gambits to expect. They're mostly influence operations, and they follow the playbook used in other engagements with Western elections, mostly in the U.S.
Starting point is 00:03:42 Fake Twitter accounts, bogus warnings that you won't be permitted to vote so you may as well save yourself the trouble, and so on. Authorities were quick to assert that Israel could take care of itself, thank you very much. Their security service said in an unusual public statement, quote, The Shin Bet would like to make clear that the State of Israel and the intelligence community have the tools and capabilities to identify, monitor, and thwart foreign influence efforts, should there be any.
Starting point is 00:04:10 The Israeli defense apparatus is able to guarantee democratic and free elections are held in Israel. If you take these warnings as matters of a priori possibility, then they might do some good. After all, letting tweets or Facebook posts determine your voting is to say the least unwise, as anyone who underwent Operation Birmingham in the U.S. is likely to reflect. Sadder but wiser now. A positive bit of advice, beware of emails bearing attachments. Just ask the DNC. It's also worth pointing out that while a priori possibility, even a priori probability,
Starting point is 00:04:48 can be a good source of healthy skepticism, it's an unsure guide to attribution, as the arrest of that student in the German Land of Hessen in their doxing case illustrates. Not everything that looks like a state-directed attack is necessarily a state-directed attack. The BKA, Germany's federal criminal police, told InfoSecurity magazine that the suspect isn't in custody, but that's normal given the country's laws on pretrial confinement. They do say that he's admitted the crimes he's suspected of and said that he acted alone.
Starting point is 00:05:21 Their investigation, the BKA says, leads them to the same conclusion. We now return to ordinary cybercrime. The kitchenware company OXO's recent breach is now being called a Magecart infestation. They issued a warning letter to customers late last month. Magecart has been making a pest of itself on a number of sites in recent months. If you've been shopping for a new car recently, you may have been surprised to find the array of upgraded automated features that are commonplace in the auto industry's offerings these days. Active cruise control, lane departure warning systems, automatic braking systems,
Starting point is 00:06:00 all made possible by networked sensors and processing power within the car. Denis Cosgrove is a principal at Booz Allen Hamilton, and he shares his views on what direction automotive automation is headed. What's changing now is the level of connectivity that's coming into the vehicle and what that enables, and at the same time, autonomous features that we hear a lot about. So obviously there's a future of sort of full autonomy, but there are significant milestones along the way around driver assistance, collision avoidance, and other autonomous features that are really important for the industry. There's an
Starting point is 00:06:33 interesting era that we're going to enter where there's going to be a mix of vehicles and capabilities on the road. And so drivers are going to have to remind themselves, depending on what vehicle they're in, that they don't have blindside assistance, right? Or they don't have lane assist or other items that they might be used to in other vehicles. And in a way, that's an analogy also for where the auto industry finds itself, both with technology and securing that technology, is that there's a lot of current capability. There's also legacy systems on the road. And then there's vehicles that are in the design and early stages of production now
Starting point is 00:07:05 that are even more advanced. And somehow they need to not only present that as a coherent product to customers, but then also figure out the right way to secure that range of technology that they have responsibility for. Yeah, it's interesting to me that, you know, the sort of, I guess what I would describe as leading edge vulnerabilities grab headlines, you know, people's ability to shut down a car or remotely control its steering or shift it into a different gear or something like that. But I mean, beyond that, what do you think are the actual real world concerns that people will have day to day as these vehicles become more and more automated? Yeah, I think one of the challenges we've had in the vehicle cybersecurity conversation is that it usually starts with someone like me describing cars being hacked and driven
Starting point is 00:07:53 off bridges or spontaneously combusting or some other doomsday scenario. In reality, and it's a little bit counterintuitive, but the more that the vehicle evolves and looks less like a traditional car, the more that we are passive passengers in increasingly autonomous vehicles, the more the security scenario and concerns look like conventional issues. And what I mean by that is a lot of times we think about autonomy coming, advancing, and we consider things like spoofing GPS or road signs so the sensor misreads them. That all kind of makes sense when you're thinking about new features. But what autonomy actually does is has you sit in the vehicle and buy things, right? So payment processing, it keeps a log of where you've been, where you're going, your pattern of life. It may be sort of part of how messaging information sort of leads you and comes in and out of the vehicle. You may have microphones, we'll have microphones in the vehicle that could potentially be vulnerable.
Starting point is 00:08:58 These are all more like the normal things that we worry about, payment information, privacy concerns in cybersecurity. And so autonomy is going to change the landscape in automotive in a way to actually bring it more into the mainstream from a security perspective. That's Denis Cosgrove from Booz Allen Hamilton. So you think it's just the good guys who are working hard to get that notoriously scarce cybersecurity talent? Think again. These skids over at the Dark Overlord, who rose to a certain cheap level of fame by leaking spoilers to Orange is the New Black, went on a recruiting binge recently, just before they undertook their latest caper,
Starting point is 00:09:39 doxing insurance companies in the service of a bogus conspiracy theory about the 9-11 terror attacks. CyberScoop reports that for some months prior to its recent doxing of insurance firms for 9-11 claim information, the Dark Overlord was actively seeking both talent and attention. Nothing in their recruiting pitches sheds light on the group's avowed financial motives. Do you want to get rich? Come work for us. That's the job posting the gang used in November on the Kick-Ass Forum, a kind of career builder for cyber criminals. No high-minded appeals to the inner Robin Hood or even the inner Ed Snowden or Julian Assange, who we must observe is nice to his cat and does not dye his white hair.
Starting point is 00:10:26 No, it's straight-up mercenary stuff. Any marketer hopes that mindshare leads to market share, and it's no different in the black market. It seems that they were looking for the kind of notoriety that might lead to sales of the stolen, and truth be told not very interesting, files they plan to offer this month. The criminal gang's headcount was reduced in the spring of 2018 when Serbian police devoted some attention to the Dark Overlord's activities. All labor markets face their distinctive pressures. If you find that one of those
Starting point is 00:10:55 pressures is the prospect of arrest, consider you might be the bad guys. More concerns are being expressed about Facebook's access to data being overshared by some apps. Privacy International found that more than half of the apps it tested shared usage data with the social network. One might dismiss this as relatively unimportant SDK data, but in the aggregate, as researchers point out, the data can tell interested parties a lot about a user, including some information that shades into what's protected under GDPR. Vietnam alleges that Facebook is in violation of that country's new, harsh, and autarkic Internet laws. Facebook denies any wrongdoing, wrongdoing under Vietnamese law, one hastens to note.
Starting point is 00:11:42 The Vietnam News Agency, an official outlet, cited a finding of that country's Ministry of Information and Communication, saying that Facebook had reportedly not responded to a request to remove fan pages provoking activities against the state. The violations of the cybersecurity law, which the ministry characterized as serious, included allowing personal accounts to post slanderous content, anti-government sentiment, and defamation of individuals and organizations. Facebook said it didn't do it. A representative said, quote, We have a clear process for governments to report illegal content to us,
Starting point is 00:12:21 and we review all those requests against our terms of service and local law. We are transparent about the content restrictions we make in accordance with local law in our transparency report. Three things are worth noting. First, the Vietnamese cyber security law deals prominently with censorship and content moderation. Second, Facebook seems to be saying not that the content is out of its hands, but rather that the content it permits doesn't necessarily violate Vietnamese law. Admittedly, the company's response amounts to a kind of non-denial denial, but it's not a clarion defense of free expression either. Facebook's in a tough spot here.
Starting point is 00:13:01 And third, we can probably expect more of this, as the internet seems to be on its way to splintering into a set of national autarkic preserves. It's not just Facebook in Vietnam, either. TechCrunch reports that LinkedIn is bringing its Chinese operations into compliance with that country's user identification laws. Finally, Politico has an exclusive out on the increasingly strange story of alleged NSA leaker and classified data pack rat Hal Martin. That's a pack rat to the tune of an alleged 50 terabytes of secrets, which is a lot to keep in a Glen Burnie shed. Kaspersky is said to have fingered Mr. Martin to NSA after the Russian security firm received some odd tweets from the former contractor. Ironists have noted, and there's no shortage of ironists on the internet,
Starting point is 00:13:50 that Kaspersky did this bit of good citizenship while plenty of U.S. government officials were busy getting the Russian security company kicked out of their networks.
Starting point is 00:16:11 And I'm pleased to be joined once again by Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, it's great to have you back. We saw a story come by. This was on the Tech Xplore website, and it was about researchers uncovering security gaps in the 5G mobile communication standard. What's going on here? What do we need to know?
Starting point is 00:16:50 So within 5G, there's been a major overhaul of the entire security underpinnings. They've cleaned up a lot of the vulnerabilities that plagued the earlier generations of cellular technologies. And researchers in Europe essentially took the new design for authentication and key agreement in 5G and built a formal model out of what was in the standard. They then took that formal model and put it into a model verification tool that then was able to spit out essentially things that you may be able to do with the standard as currently written that don't adhere to some of the standard's design objectives. Now, where do we sit in terms of deployment? Are we at a stage where they can take this feedback and use it, or is it too late?
Starting point is 00:17:40 It's not necessarily too late. Some of the standards are still in development. For example, the AKA protocol is currently going through final review within the Internet Engineering Task Force. They may elect to include some of the countermeasures. But if you look at the two vulnerabilities that were discovered, neither one is that significant, in my opinion. Essentially, the two new things that they discovered, one is that if you replay an authentication request to a phone and you reuse an old counter, then the phone will respond back and the phone will use the same numeric response as long as you ask the same numeric question. And so while you don't necessarily know the identity of the phone, you may be able to track that it is the same phone. So if you had a rogue cell tower that was able to implement this, it might be able to tell that the same phone was in the area, but it wouldn't necessarily know whose phone that belonged to.
Starting point is 00:18:47 The second vulnerability that they discovered is that again, depending on how you define a vulnerability, the key agreement protocol uses what's known as an implicit confirmation. There is no message that goes from the phone to the network and back to the phone that says, I have affirmatively computed the correct key, and here is my proof of that, and then a response message coming back. Instead, they basically just take the key that was derived
Starting point is 00:19:16 and start encrypting messages with it, start securing your data session to the network with it. And if, for some reason, the key was not properly derived, or you were a hacker who was trying to spoof, you wouldn't know the key and then therefore those messages would fail and not be delivered to the network. So there's the potential for someone to try and overwhelm the network with a bunch of false authentications and make it believe that there are phones that are there that really are not there.
Starting point is 00:19:47 But again, it doesn't lead to the compromise of any individual user's privacy or security. Yeah, so it seems like while significant, these are sort of nipping around the edges, I suppose? Correct. These are the sorts of vulnerabilities that are commonly found in cryptographic protocols. And in many cases, they're acknowledged. They're known as observed as a limitation, but there's typically not a proactive set of objectives to necessarily fix them. None of them are fatal flaws that are going to lead to the downfall of the system, much like we saw with Wi-Fi in the early days. I see. Dr. Charles Clancy, thanks for joining us.
Starting point is 00:21:07 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman,
Starting point is 00:21:52 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
