CyberWire Daily - Iran linked to DNS hijacking campaign. Smart doorbells not smart enough about security. Fuze cards are convenient for crooks, too. Huawei espionage arrest in Poland. Russian sympathy for NSA.

Episode Date: January 11, 2019

In today’s podcast, we hear that FireEye has called out Iran “with moderate confidence” for a long-running DNS-hijacking campaign. Smart doorbells may not be smart enough for their users’ comfort, if reports of video sharing are to be credited. Crooks are finding Fuze cards as handy as good-guy consumers do. Poland makes two arrests in an espionage case linked to Huawei. And the Russian media are happy to offer sympathy to NSA for some alleged security lapses at Fort Meade. Craig Williams from Cisco Talos with details on Persian Stalker targeting secure messaging apps. Guest is Rajiv Dholakia from Nok Nok Labs on the security pros and cons of biometrics. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_11.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. FireEye calls out Iran with moderate confidence for a long-running DNS hijacking campaign. Smart doorbells may not be smart enough for their users' comfort if reports of video sharing are to be credited, crooks are finding Fuze cards as handy as consumers do, Poland makes two arrests in an espionage case linked to Huawei, and the Russian media are happy to offer sympathy for NSA for some alleged security lapses at Fort Meade. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 11th, 2019. Researchers at security firm FireEye's Mandiant division are connecting a long-running DNS hijacking campaign
Starting point is 00:02:45 that's affected enterprises worldwide, many of them private sector infrastructure companies and Middle Eastern governments, to Iran, according to Security Week. The attribution is tentative and, as usual, circumstantial, and FireEye notes that there may be more than one threat group at work, but their report concludes with moderate confidence that the operation is, quote, conducted by persons based in Iran and that the activity aligns with Iranian government interests, end quote. It's worth noting that moderate confidence is based on IP addresses
Starting point is 00:03:19 and alignment with government policy. It's enough to cue further investigation and to inform defensive measures. FireEye says they've seen three ways the attackers have worked. In the first, the attackers create a Let's Encrypt certificate and change the A record. FireEye points out that Cisco Talos researchers have earlier reported the same approach. A second tactic involves altering the DNS-NS record, and the
Starting point is 00:03:46 third method uses DNS redirection. The attackers aren't likely to go away anytime soon. If they are, as FireEye maintains, operating under the sponsorship and direction of the Iranian government, then Iranian cyber operators are showing continuing growth in sophistication and effectiveness. Alexa, could you get that? Unless, you know, someone's circulating a petition to save the leprechauns or something like that. Amazon's Ring smart doorbell and security system seems to involve more natural intelligence than users might have expected. The Intercept reports that video feeds from Ring's home cameras are being watched, analyzed, and possibly shared by human watchstanders
Starting point is 00:04:32 and the company executives in mostly Ukrainian developer shops. Ring told TechCrunch that this mischaracterizes what happened and that Ring only uses less private neighborhood watch video for training purposes. And TechCrunch does observe that Ring seems to have grown more security conscious since its acquisition by Amazon. However the story develops, it again suggests the backward striking potential of network security devices. Krebs on Security passes on a warning from the U.S. Secret Service. Street hoods who use stolen credit cards are turning to Fuze cards as a convenient way of holding a large number of cards on a single, well, card.
Starting point is 00:05:13 The Fuze card, which seems like a nice, convenient, and entirely legitimate idea, is a storage device the size and shape of a credit card on which the user can load multiple cards on a single Fuze. There are no numbers printed on the card itself, which should alleviate worries about shoulder surfing, capturing numbers with a phone camera, and so on. Unfortunately, crooks have also figured out the advantages. You look suspicious if you're shuffling through a bunch of stolen cards at a terminal. With a Fuze card, it's easier to look legit.
Starting point is 00:05:45 Polish authorities have made two arrests in an espionage case linked to Huawei. The Wall Street Journal reports that the suspects, who haven't been publicly identified, are Huawei's sales director for Poland, a Chinese national, and a former deputy head of IT security for Poland's internal security agency, a Polish citizen. While Polish authorities haven't named the Huawei executive they've arrested, the state media have said he's Wai-Shing Wang, who's known by his colleagues, associates, and customers in Poland as Stanislaw Wang. One informant told the Journal, quote, he was a really well-known Chinese guy in Poland and was always around, end quote, sounding more like a Damon Runyon character than he probably intended.
Starting point is 00:06:29 Anyway, this well-known guy, this Stan Wong, who was always around, is said to be a graduate of a Chinese intelligence school and to have served in that country's consulate in the port city of Gdansk. The police also made a search of both the Chinese national's home and the local Huawei offices. They are said to have seized documents and electronic data thought relevant to the case. Both men have entered a plea of not guilty. The espionage charges could bring a sentence of up to 10 years. The case is significant in that it's a spying beef. The Huawei CFO arrested in Vancouver on a U.S. complaint is being held on suspicion of evading sanctions.
Starting point is 00:07:09 Not so with the arrest in Poland. This directly concerns espionage, and one of the things Huawei has offered in its defense as it faces suspicion of being a security risk is that none of its people are being charged with espionage. That's now no longer true. Those interested in the Russian media's take on Kaspersky's role in the Hal Martin case may consult RT and Sputnik. Mr. Martin, you will recall, is the former NSA contractor
Starting point is 00:07:37 arrested in 2016 on charges of mishandling and misappropriating classified information. The executive summary? Moscow's press is looking at the whole affair with understandable schadenfreude. NSA security is sorry, not what's to be expected from a world-class intelligence service. And Fort Meade owes Kaspersky its thanks and maybe an apology. The concern for NSA's professional standards is touching, even if somewhat tongue-in-cheek, but it's a legitimate observation.
Starting point is 00:08:09 How do you let terabytes of secret material walk out of a secure facility? Perhaps some explanation will be forthcoming should Mr. Martin enter the guilty plea the government expects later this month. Details of the allocution could be instructive. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:09:04 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
Starting point is 00:09:34 workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their
Starting point is 00:10:37 families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. Your team has been working on an attack that you call Persian Stalker. And we want to dig into that today. Give us the background here. What are you all looking at? Well, Persian Stalker is probably one of the longest posts we've done in a while. I actually got a hard time from some of my coworkers for putting out a 35-page blog post.
Starting point is 00:11:18 But one of the things that I thought was so interesting about this was the fact that it targeted secure messaging apps. You know, if you think back to some of the research we've done prior in the year, you may remember, you know, when we did the MDM research on iOS devices, we saw people intercepting these same type of apps and, you know, pilfering out the contents of what were thought to be secure messaging. And so when we saw something similar, again, being exploited in the wild, yet through a different means, it naturally shot to the top of our mind. And so what's going on here? What are they doing
Starting point is 00:11:50 and who are they targeting? Well, it looks like they're targeting the people in Iran and they're basically spying on them. It's one of the cases of the government trying to find ways to monitor the people. That's our current moderate confidence guess, I'd say. And to do that, they have a number of ways of actually getting apps onto the phone and looking at those, what were thought to be encrypted communications. Now, is this a case where they're taking a legitimate app and replacing it with a version that's been modified? In some cases, yes. You know, I think one of the more interesting things here is that it's a case of state-sponsored actors basically deploying surveillance mechanisms,
Starting point is 00:12:30 right? And there are several described in the paper, you know, specific ones around Telegram and Instagram, and even things like manipulating BGP to actually, you know, modify the way that traffic is routed in the country. It's a lot of interesting things. It's a lot of insidious ways to monitor the population. And I think this is the type of thing we're going to see more of, right? This type of software and these type of techniques, they're not going to go away. We're going to continue to see them. And I think that's why it's so important that we document these so that users can be aware that not only is it happening, but know what to look for so that they can tell
Starting point is 00:13:05 if it's happening to them. Yeah. And it seems to me like if nothing else, it also injects a certain amount of uncertainty into the mix of people who are relying on these sorts of apps to not be 100% sure that they're safe. Well, and especially if you happen to unfortunately be in a country that's attempted to ban the apps, right? And a lot of those cases, people can't turn to like the trusted Google app store, right? Or the trusted Apple app store and download those apps because they've been banned. And as a result, they're forced to use, you know, let's call it gray area app stores where the software may or may not be legitimate. And even if it appears to be legitimate, it may be tampered with to allow people to monitor your communications. Yeah. The research is on the Talos website and it's called Persian Stalker. So check it out. Craig Williams, thanks for joining us.
Starting point is 00:13:56 Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:14:51 My guest today is Rajiv Dholakia. He's VP of Products and Business Development at Nok Nok Labs, a company focused on making authentication simple, strong, and scalable in modern computing environments. Our conversation focused on biometric authentication, especially the emerging field of behavioral biometrics. Obviously, biometric measures have been with us for a long time. You know, we used thumbprints on paper, for example, for a long time to try and match people up when they presented themselves. And then with the advent of the iPhone, biometrics started to flow into mobile devices. And the iPhone Touch ID was one of the first widespread, where you could use
Starting point is 00:15:36 biometric initially to unlock your phone instead of using a PIN, for example. And by the way, obviously, I should say that mobile biometrics have been a huge hit. If you've ever used a device that has one of these capabilities, whether it's a face or a finger or hopefully someday voice, etc., you're never going to go back to a device without that convenience because it is just so natural and it's not something that taxes you cognitively. And this is what users like. And if you can build in the right security behind it, which people like Apple and Samsung and the FIDO Alliance have done, then you have high assurance that this is going to respect your privacy, that it's going to be secure, and that you're going to be protected from what we call scalable attacks. This third wave of biometrics has to do with behavior. One of the nice things about the mobile device is that it comes with a lot of sensors
Starting point is 00:16:35 that are packed into the device, whether that's a GPS sensor or a gyroscope or other kinds of things that indicate angle, temperature sensing. There's lots of interesting sensors in that phone that are used for a variety of different purposes. As it turns out, you can use software to monitor these various sensors and try to create a composite picture of the person that is supposedly using the device. And this composite picture, for example,
Starting point is 00:17:09 may indicate that you, David, are someone that holds the phone at a certain angle fairly consistently, that your typing speed is something predictable, that you tend to make the same kinds of mistakes and erase things when you type, that your locations are typically within a certain geo fence, if you will. So it's the collection of all of these different signals that together create this probabilistic view that it's probably David that's holding the phone.
Starting point is 00:17:46 This new wave is called behavioral biometrics. And we are still in the early days of this technology today. Typically, these behavioral biometrics are not used as the primary mode of authentication. So a good way to think about the user journey is that when you want to onboard someone for the very first time, then at that point, you have to go through a proofing process. So David has to prove to a bank that he's David by virtue of whatever the bank has set up as an identity proofing process, whether that's government ID, whether that's being present in person, presenting maybe a utility bill and a driver's license or a passport or a birth certificate. Identity-proofing is a whole competence in itself. So once you've proofed someone, then typically you hand them a credential of some kind. And whether that credential is a password, a token of some kind, the usage of biometrics on their phone, which you've enrolled
Starting point is 00:18:51 them to use like Touch ID, enrolling a user and giving them that credential, you basically tell them, please present this credential to me when you wish to access my services. And that is typically called authentication. Once you've authenticated someone, you start a session with them. And for reasons of convenience, sometimes, particularly because the old ways of doing authentication, the non-biometric ways of doing authentication were kind of clumsy, like passwords or, you know, fiddly tokens that you carried around with you, like OTP tokens, you wanted to try and maintain long lived sessions without having to go back and ask the user to prove who they are over again. And so in this strong session management, we've typically used what I call risk signals in order to figure out whether it's the same person still or has
Starting point is 00:19:46 something changed. And it's in that session management that things like behavioral biometrics fit best. And then when, for some reason, the collection of your risk and your behavioral biometrics, which in our view are simply a part of the risk management spectrum, indicate that maybe the user changed or something didn't match or, you know, something about the sensors is indicating that something's off, then you can go back and you can say, hey, would you please swipe your finger? Would you please present your password or your token or whatever it is that you originally authenticated with? And so that is what we think the right scope for behavioral biometrics is. It's an
Starting point is 00:20:27 augmentation to the primary authentication and proofing that has already been done. So it's not a substitute for proofing or for authentication. But once you've proofed someone and authenticated someone, if you want to maintain a long-lived session with lower risk, then behavioral biometrics may be something for you to consider. And is there any data that's been gathered on the effectiveness of this in terms of, you know, do the users like it and is it helping with security? Well, that's a great question. So I think these are very, very early days. So obviously there are vendor proprietary claims about the effectiveness of this technology.
Starting point is 00:21:13 There are no objective standards. So even for basic biometrics like mobile biometrics now, there are well-established standards that measure the efficacy of the biometric sensor on your phone, like the fingerprint sensor or the facial recognition. And there is a well-studied range of practice about how you would attack these systems, how you would defend them, what kind of attacks are possible, et cetera. We are in very early days of biometrics. It's sort of an unproven technology. So there are a lot of vendor claims about the relative effectiveness of this. But a lot of the effectiveness may be coming from things like device ID rather than from
Starting point is 00:21:59 the behavioral techniques themselves. However, behavioral techniques are very promising. And I suspect that over the next decade, people like NIST and others will start to take a harder look at what the actual effectiveness of the behavioral techniques happens to be and how you would start to incorporate them in a more consistent way. And so I think to me, these things are by themselves in isolation, never replacements for each other. You need to use these techniques all coupled together. So strong proofing, strong authentication, strong risk signals, and then things like behavioral biometrics to augment those risk assessments if you feel like you need really long-lived sessions with the user.
Starting point is 00:22:53 That's Rajiv Dholakia from Nok Nok Labs. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:23:29 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided
Starting point is 00:24:32 apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
