CyberWire Daily - Iranian reconnaissance of critical infrastructure? Leaky banking apps. Microsoft's emergency patch. Ghosts of the Caliphate threaten, but have yet to deliver. New horizons in biometrics.
Episode Date: December 8, 2017
In today's podcast we learn that FireEye is warning of patient reconnaissance on the part of the (probably) Iranian APT34. The Electronic Ghosts of the Caliphate have so far failed to say "boo," ...except maybe in South Jersey. Flaws discovered in mobile banking apps. Bike-sharing service leaked data. Bitcoin's bubble. Microsoft patches its Malware Protection Engine. Chris Poulin from BAH on closing the gap between IT and OT people in ICS. Adam Segal from the Council on Foreign Relations on the rollout of their cyber operations tracker. And biometrics have come to the beagles: your pet door can now recognize Rover or Boots, and let them on in. Their raccoon pals stay outside.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
FireEye warns of patient reconnaissance on the part of the probably Iranian APT34.
The electronic ghosts of the caliphate have so far failed to say boo,
except maybe in South Jersey.
Flaws are discovered in mobile banking apps.
A bike-sharing service leaked data.
Bitcoin's bubble. Microsoft patches
its malware protection engine.
And biometrics have come to the beagles.
Your pet door can now recognize
Rover or Boots and let them on in.
The raccoon pals stay outside.
I'm Dave Bittner with your CyberWire summary for Friday, December 8th, 2017.
Iranian threat groups, Charming Kitten among them, the group associated with hacking HBO,
have attracted more attention this week. More serious than hacking a television show are reports of Tehran's hackers having made quiet inroads into compromising Western infrastructure, especially the U.S.
No major attacks are reported, but security organizations have their eyes open.
FireEye has been tracking the Iranian threat group they call APT34 since 2014.
Its activities have affected targets in the Middle East,
and it appears to be continuing its patient, quiet reconnaissance of infrastructure targets.
Iranian cyber operators are believed responsible for attacks on U.S. infrastructure in the past,
notably the distributed denial-of-service campaign against financial services targets, and, far less serious in effect
but arguably more disturbing in its implications,
the intrusion into the control system of the small Bowman Avenue flood control dam in Rye Brook, New York.
FireEye says its attribution of APT34 to Iran is an assessment of moderate confidence.
The group has modified its approach to take advantage of new exploits and vulnerabilities
as they're discovered.
It has used malicious Excel macros and PowerShell-based backdoors and scripts
to move within networks,
and it's also shown some extensive social engineering chops in social media,
where it's used bogus or compromised accounts
to get close to the organizations it's targeting.
FireEye says in its report that they are a capable group
that seems to have access to its own development resources.
FireEye concludes with an assessment that APT34's efforts to continuously update its malware,
including picking up newly disclosed vulnerabilities, should keep the group effective.
There are other threat actors with Middle Eastern connections who don't show the capabilities
of the APTs that appear to be operating from Iran.
Prominent among these are the various hacktivist cells faithful to ISIS, who can be expected
to step up their threats as the caliphate's territory has now effectively vanished.
ISIS hacktivists and official online media have excelled at recruitment and inspiration,
and these have been dangerous and the source of much suffering.
But proper hacking hasn't advanced much beyond low-grade vandalism of poorly secured sites.
You've seen the sort of thing: an online card catalog for a public library,
say in Lower Crab Cake, Maryland,
is vandalized to show a GIF of the White House in flames.
Stuff like that.
So today is the day ISIS promised to bring America to its knees with a massive cyber attack.
A video posted by adherents of the terrorist group promised,
we will face you with a massive cyber war, black days you will remember.
The specific group making the threat was the Electronic Ghosts of the Caliphate,
or the Caliphate's Cyber Ghosts.
But as we publish today, the only sign of ISIS hacking
appears to have been some defacement of the Gloucester Township website. We believe this is the Gloucester Township in southern New Jersey.
The Lions of the Caliphate will be at your door, is what Fleet Street's Daily Mail reported was
said. But when we looked, it all seemed in order. The mayor's picture was up, and he's smiling and
looking good. We can't even confirm what the Daily Mail reported, and if you're the Gloucester
Township at whom the Lions of the Caliphate roared, let us know.
Researchers at the University of Birmingham report finding a flaw in several mobile banking apps that exposed the data of millions
of bank customers to credential theft. It's a vulnerability that opens the apps to man-in-the-middle
attacks. The apps used certificate pinning, but the pinning check only verified that the server's certificate chained to the pinned certificate authority;
it never checked that the certificate had been issued for the bank's own hostname.
Any certificate obtained from the same authority for any other domain would therefore be accepted.
Man-in-the-middle attacks could intercept usernames and passwords
during online banking sessions,
and these could lead to account hijacking and, of course, theft.
Fixes are, for the most part, in,
accompanied by much tut-tutting from the security industry
about slipshod app development.
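To make the bug class concrete, here is an added example of the flawed pinning decision next to the corrected one. It is not code from the Birmingham researchers or from any bank's app: certificates are modelled as small records, the CA's public key bytes are constructed placeholders, and the hostnames (mobile.bank.example, attacker.example) are invented. In a real client the same fields would come from the parsed X.509 chain received in the TLS handshake, and the hostname rule goes slightly beyond the story by handling wildcards the way most TLS stacks do.

```python
"""Certificate pinning without hostname verification (the flaw) versus
pinning plus hostname verification (the fix). Added illustration, not
code from the paper or from any banking app."""
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    subject_cn: str          # subject Common Name
    san_dns: list            # dNSName entries from subjectAltName
    issuer_spki: bytes       # SubjectPublicKeyInfo of the issuing CA (constructed bytes here)


def spki_pin(spki: bytes) -> str:
    # HPKP-style pin: SHA-256 over the CA's SubjectPublicKeyInfo, hex-encoded
    return hashlib.sha256(spki).hexdigest()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive; a single '*' is allowed only
    as the whole leftmost label, never matches across a dot, and may not stand
    in for a whole registrable name such as '*.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def validate_pin_only(cert: Cert, expected_pin: str) -> bool:
    # The flawed check: anything the pinned CA ever issued, for any domain, is accepted.
    return spki_pin(cert.issuer_spki) == expected_pin


def validate_pin_and_hostname(cert: Cert, expected_pin: str, hostname: str) -> bool:
    # The fix: the pin must match AND the certificate must be for the host we dialled.
    if spki_pin(cert.issuer_spki) != expected_pin:
        return False
    # subjectAltName takes precedence; fall back to the CN only when SAN is empty
    names = cert.san_dns or [cert.subject_cn]
    return any(hostname_matches(n, hostname) for n in names)


# Constructed sample data (hypothetical CA key, hypothetical hostnames)
TRUSTED_CA_SPKI = b"constructed-spki-of-the-pinned-CA"
PIN = spki_pin(TRUSTED_CA_SPKI)
BANK_HOST = "mobile.bank.example"

bank_cert = Cert("mobile.bank.example", ["mobile.bank.example"], TRUSTED_CA_SPKI)
# Attacker's certificate: issued by the same CA, but for a domain the attacker controls
mitm_cert = Cert("attacker.example", ["attacker.example", "*.attacker.example"], TRUSTED_CA_SPKI)
# Right hostname, wrong CA: both checks must reject this one
other_ca_cert = Cert("mobile.bank.example", ["mobile.bank.example"], b"constructed-spki-of-another-CA")


def demo() -> dict:
    """Run both validators over the sample certificates and report the verdicts."""
    return {
        "flawed_accepts_bank": validate_pin_only(bank_cert, PIN),
        "flawed_accepts_mitm": validate_pin_only(mitm_cert, PIN),
        "flawed_accepts_other_ca": validate_pin_only(other_ca_cert, PIN),
        "fixed_accepts_bank": validate_pin_and_hostname(bank_cert, PIN, BANK_HOST),
        "fixed_accepts_mitm": validate_pin_and_hostname(mitm_cert, PIN, BANK_HOST),
        "fixed_accepts_other_ca": validate_pin_and_hostname(other_ca_cert, PIN, BANK_HOST),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The interesting row is the attacker's certificate: the pin-only validator accepts it because it chains to the pinned CA, while the corrected validator rejects it because none of its names match the hostname the app connected to. When reviewing a pinning implementation, look for exactly this: a pin comparison that short-circuits the platform's normal hostname check instead of running in addition to it.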
It's not just gig economy ride-sharing outfits who have to deal with leaks.
It's bike-sharing operations, too.
O-Bike, the widely used bicycle-sharing app, is investigating a leak that may have affected
users in some 14 countries.
This one appears to have come from a gap in O-Bike's API, one intended to allow users
to refer friends to the service. The information exposed was relatively benign, as such information
goes. Names and ride locations, not passwords or credit card numbers. But the exposure is still
unsettling. Bitcoin and other cryptocurrency prices are way up in a major speculative bubble,
and criminal attention is enthusiastically keeping pace.
Why are people saying bubble?
Because the price of Bitcoin jumped from $12,000 to $15,000 this week,
with comparisons being made to the tulip bubble of 1636,
which crashed spectacularly in February of 1637.
If you're one of those who takes historical lessons seriously,
get a copy of Extraordinary Popular Delusions and the Madness of Crowds from your library.
If you're one of those who thinks history is bunk,
well, perhaps you'd be interested in an investment in Whoppercoin,
available at most of the Burger Kings in Greater Moscow.
Microsoft has issued an emergency out-of-band patch to its Malware Protection Engine. It's a remote code execution flaw present in Windows Defender, Microsoft Security Essentials, Endpoint Protection, Forefront Endpoint Protection,
and Exchange Server 2013 and 2016. A memory corruption error in the malware scanner is
what opens the door to exploitation. Because the engine scans files automatically as they arrive, a crafted file delivered by email or download is enough to trigger the bug without any action by the user. The fixed engine is delivered through the usual automatic definition updates rather than through Windows Update, so it's worth confirming that the engine version has actually changed on your endpoints and mail servers. And finally, biometrics has come to the beagles.
If you've been worried about some random animal walking in and out of your house
via the unsecured pet door without so much as a buy-your-leave,
Redmond may have a solution for you,
a pet door that acts like a bouncer on a Studio 54 rope line.
The Microsoft solution recognizes your pet's face,
letting in Snoopy and Garfield,
but keeping out Tom, Jerry, Marmaduke, raccoons, possums, squirrels, wombats, mongooses, and so on.
We're a BYOD shop here, bring your own dog, so naturally this caught our eye. There's an emphasis,
an over-emphasis we might say, on cats, but we assume that the system works with other pets as well.
Dogs, iguanas, rabbits, skunks, chameleons, hamsters, ferrets, hermit crabs, the whole arc full.
Why shouldn't it?
You'd think that Microsoft's experience with Tay the Teenage AI's misspent adolescence would have taught them to be properly inclusive.
Hold the door open for your companion chuckwalla or pet periwinkle.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Chris Poulin.
He's a principal and director for Booz Allen's Dark Labs,
where they focus on IoT security and machine intelligence. Chris, welcome back. You know, our editor here
at the CyberWire, John Petrik, recently came back from an ICS conference, I believe it was in
Atlanta, and he made the observation that the IT people seem to be optimistic about security,
but the operational people seem to be pessimistic about security. What's your
insight on that? So it is interesting because another trend that we've been seeing is that
IT and OT has been converging for a while. So, you know, five, 10 years ago, it was let's separate
these things and have an air gap. And interestingly, the CISO, who's traditionally overseeing the IT side, is now being given the purview over the OT side as well.
However, not necessarily the authority, because if you think about it, the OT side in many businesses is where the money is made.
And so any downtime on the OT side often means direct impact on revenue.
And so what ends up happening is that the CISO doesn't necessarily have authority, even though he or she has purview over it. But the thing that the plant operators
know is that those systems on the OT side of the house are fairly fragile. You can't just go in
with an IT vulnerability scanner and scan the whole thing. In fact, you can't even ping those things.
In many cases, they'll just plain old fall over.
And so, you know, to some extent, that's one of the fears is that the IT side is going
to come in and just sort of tromp through the living room with muddy boots.
You know, they don't really understand OT.
And one of the things that's kind of interesting about it is that there's, the language is
not the same either.
So, for example, in IT, we talk about cybersecurity,
we all know what we mean. And it's important and we take it seriously. And that's taken some years,
by the way, to get to where we are now. On the OT side, they don't talk about cyber in that sense,
because the most important things are availability, so having continuous uptime,
and safety. And then tertiary is compliance, regulatory compliance.
So when you start talking about cyber, it sounds like an IT term to a lot of the plant operators.
And they don't necessarily equate that with what's important to them, which is availability and safety.
And so I think that's one of the things that needs to happen is that the IT side needs to become a little bit more familiar with what happens on the OT side and start speaking the same language.
And then I believe that this trend will start to temper out a little bit, right?
And then they'll start to come together, which is, hey, if you go in as an IT person and say, we understand what you're doing, we understand how important it is to the business, and we understand availability and safety, and we want to help you because cyber actually impacts those things, then I think that's
when we'll all sort of come together and OT and IT will finally converge and everybody will become
one. Kumbaya.
We can all hope, right? If only it were that easy. Chris Poulin, thanks for joining us.
Yeah, thank you once again.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Adam Segal. He's director of the Digital and Cyberspace Policy
Program at the Council on Foreign Relations, where they've recently launched an
online cyber operations tracker. The Council is a non-partisan, independent foreign policy
think tank. We take no official positions and no government money. And our mission is to
educate the American people about foreign policy issues that will affect them and
hopefully help create better policies to pursue American interests. So you all have taken on this
task of tracking state-sponsored cyber operations. What led you to taking this on? So I think we
felt like there was growth and interest in state operations just because of all the reporting about hacking.
But there was a lot of, I think, confusion about what states were doing, why they were doing it, who was involved, just because of some of the inconsistencies in reporting across events.
And so what is your approach to this tracking system?
We have tried to collect every publicly reported operation
that has sort of multiple sources,
both media and cybersecurity and other governments.
We've tried to find more than one report for an event
and then publicly list them.
We realized the data is going to be incomplete.
Probably lots of operations have happened
but have not been either tracked by companies or governments
or haven't been reported.
And so actually on the website,
we also have a reporting function so people in the industry or others can help us point out things that we've missed.
What do you see taking place in terms of the evolution of the role of cybersecurity in geopolitics?
Looking at the timeline, we see the vast majority of attacks are espionage.
And so states were using cyber operations primarily to collect information on adversaries,
on activists, on civil rights groups.
And then a huge chunk of that was also Chinese threat actors collecting intellectual property
or business secrets for competitive
advantage of Chinese firms.
As you move through the timeline, in particular over the last two or three years, you start
seeing a decline of the Chinese operations, in part driven by the agreement between the
United States and China, but also a slow uptick on more disruptive and destructive
attacks, data destruction, ransomware, and other operations.
Do you see this being a situation where ultimately we're going to have to have things like treaties
that will take care or address cybersecurity issues?
Yeah, so there's been a large push driven in part by the United States to develop norms or
rules of the road for cyberspace. I don't think treaties are very likely, just because, you know,
most of our arms control treaties are based on some forms of control and verification.
We can count how many nuclear missiles there are, how many ICBMs there are.
We can inspect factories.
None of that's going to be available in the malware space.
You can't really inspect and make sure people are not developing weapons.
So we're going to have to come up with some kind of shared agreements upon what is considered legitimate behavior. I think that's going to be very, very hard to do for everything
under a use of force or an armed attack. So right now, it would be fairly clear to the response if
a cyber attack caused physical destruction or death. The United States has stated that it would act like it would for any other type
of physical attack that caused destruction or death. So we might get some agreements with the
Russians or the Chinese in that space because neither of those countries really want a cyber
engagement to escalate to physical conflict. We may decide that certain types of critical
infrastructure should be off limits or at least have some greater understanding of what a threshold for use of force might be.
The problem is that everything below that line, espionage, DDoS attacks, doxing, information
operations, all those other areas where states are most active, that's going to be very, very
difficult to get any type of agreement. I think it's very unlikely. Yeah, it strikes me that
nations have been reticent, the United States in particular, has been reticent to
draw any lines in the sand when it comes to those flavors of cyber attacks. Yeah, I think that's
right. I think states have been pretty reluctant generally because
nobody's really sure how the capacities are going to develop and how important they're going to be.
And so nobody wants to restrain themselves before they know. But I think also, you know,
for the U.S., the Snowden revelation certainly suggests that the U.S. is pretty good at espionage and conducting
these operations. And so it has not been interested in having a broader treaty. The Russians and
Chinese have said, well, this is a new technology. We need to have new treaties. And their definition
of cybersecurity is more expansive. It includes what the Chinese and Russians would call
information security. So the concern about content and the free flow of information.
And so it's been very hard for the U.S. to come up with some shared definitions below the threshold of an armed attack.
That's Adam Segal from the Council on Foreign Relations.
You can learn more about their cyber operations tracker by visiting their website, cfr.org, and searching for cyber.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.