CyberWire Daily - Joint UK-US warning on COVID-19-themed cyber threats. Disinformation in the subcontinent. Public and private apps with privacy issues. A new IoT botnet. APT notes. Frontiers in biometrics.
Episode Date: April 8, 2020
NCSC and CISA issue a joint warning on cyber threats during the COVID-19 pandemic. India’s government seeks to limit disinformation in social media. Zoom works on privacy issues, and government contact-tracking apps face their own problems. A new DDoS botnet, “dark_nexus,” is out. BGP hijack questions persist. Is a front company facilitating Chinese government RATs? Spies and spyware. And a biometric advance leads from the rear. Joe Carrigan from JHU ISI on how COVID-19 is reinforcing TLS 1.0, guest is Pedram Amini from InQuest on winning the Cyber Tank contest. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
NCSC and CISA issue a joint warning on cyber threats during the COVID-19 pandemic.
India's government seeks to
limit disinformation on social media. Zoom works on privacy issues and government contact tracking
apps face their own problems. A new DDoS botnet is out. BGP hijack questions persist. Is a front
company facilitating Chinese government RATs? Spies and spyware. And a biometric advance leads from the rear.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Wednesday, April 8th, 2020.
British and American cybersecurity agencies have issued some joint advice on cybersecurity.
The UK's National Cybersecurity Centre, the NCSC, and the US Cybersecurity and Infrastructure Security Agency, more familiarly known as CISA, have issued a joint public warning about ways in which the pandemic and the emergency measures put in place to contain it have given rise to a wave of cyber attacks.
The advisory introduces its warnings like this,
quote, both APT groups and cyber criminals are likely to continue to exploit the COVID-19 pandemic
over the coming weeks and months.
Threats observed include phishing using the subject of coronavirus or COVID-19 as a lure,
malware distribution using coronavirus or COVID-19
themed lures, registration of new domain names containing wording related to coronavirus or
COVID-19, and attacks against newly and often rapidly deployed remote access and teleworking
infrastructure. Much of the malicious activity is being carried by email. CISA's Assistant Director for Cybersecurity, Bryan Ware, said, in an email, as it happens,
As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business.
Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond.
We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails,
and look to trusted sources for information and updates regarding COVID-19. We are all in this together, and collectively we can help defend against these threats. The NCSC's cover note
adds some sensible overarching cautionary advice.
This is a fast-moving situation, and this advisory does not seek to catalog all COVID-19-related malicious cyber activity.
You should remain alert to increasing activity related to COVID-19 and take proactive steps to protect yourself and your organization.
So the advisory summarizes the threats the agencies are seeing, and it offers brief but useful guidance on how individuals and enterprises might deal with them. The full
advisory is online at the us-cert.gov website. Authorities in India are cautioning against
and prosecuting disinformation during the current state of emergency. Reuters reports that the Indian government has asked both Facebook and TikTok to remove users
they determined to be spreading misinformation about COVID-19.
The authorities are particularly concerned about mis- or disinformation directed at Muslim audiences.
According to the Mumbai Mirror,
the authorities are serious about prosecuting those who promulgate fake news and hateful posts in social media.
132 cases are open and 35 arrests have been made so far.
ZDNet writes that Zoom, the teleconferencing service whose use exploded during the current pandemic emergency,
has brought in Alex Stamos, formerly Facebook's security chief and subsequently a
fellow at Stanford as an independent security consultant. Stamos emphasized in a blog post
that he's neither an employee nor an executive at Zoom, but that he's attracted to the challenge
of how a low-friction collaboration platform might scale without presenting hackers with an
equally low-friction opportunity. Taiwan has banned Zoom
entirely, largely because of the company's ties with Chinese enterprises, and because,
The Register notes, Zoom sends much of its traffic through China.
Zoom is far from the only service struggling with privacy. Privacy concerns run neck-and-neck
with public health during the COVID-19 pandemic. Many governments are scrambling to find ways of tracking contacts at scale during the pandemic.
As Computing reports, there's a general search for tools that can do this in ways that don't compromise individual privacy.
But so far, the apps being deployed aren't inspiring confidence in this respect.
Researchers at ZeroFox report that the governments of Italy, Colombia, and Iran have stumbled badly with respect to the privacy protections of the mobile apps they've pushed out.
It seems reasonable to assume that this is more a general problem. ZeroFox doesn't attribute the
privacy issues to bad intent, not even, we observe in fairness, in the case of Iran.
It's just a difficult problem to solve.
Bitdefender researchers today reported their discovery and assessment of a major Internet of Things botnet. They call it Dark Nexus, after a string it prints in its banner. They add that
while the new botnet incorporates some code from both Qbot and Mirai, it's significantly more
capable than these and other competitors.
Intended for distributed denial of service, Dark Nexus is regularly updated and designed to be unusually persistent. Bitdefender thinks it's the work of a known botnet wrangler,
who goes by the name Greek.Helios, who advertises DDoS services in various social media.
The team at venture capital firm Blue Ventures recently
held a funding competition called CyberTank, modeled after the popular TV reality show
Shark Tank. In this case, four entrepreneurs made their pitch to a group of CISOs and VCs.
At the end of the day, it was threat hunting platform InQuest that caught the judges' eyes.
Pedram Amini is chief technology officer at InQuest.
Apparently this is the first time they had it in this format. I mean, quite literally,
we walked out to the Shark Tank music. So that was kind of a unique experience.
You know, both my co-founder and I have a lot of friends in the area.
One of our advisors happened to be involved with the Blue Ventures group. So he
brought it up. And then we had another contact who also brought it up. And then a third time,
I saw it on LinkedIn. So at that point, we got interested and wanted to get involved.
Well, take us through that process then. How did you prepare to tell the story of what you're up to
there at InQuest to this panel of judges? Yeah, you know, generally when you're pitching an idea,
you've got 30 minutes to an hour.
In this case, we had just a few minutes.
So we really just went with the story.
My background is very much in the shoes of an offensive security researcher,
and my business partner has very much a defensive background.
You know, I ran one of the biggest computer hacking teams on the planet, and he was playing
defense for, you know, one of the largest and most attacked offices on the planet. And so between the
two of us, you know, we kind of have a full spectrum view of the whole thing. And when we
came to build a product, we bring both sides of the team to the equation.
So we just went with the story, you know, how we met, what fuels our passion,
and how that resulted in InQuest being founded, and then fell into the Q&A session from there.
Yeah, that's interesting. What sort of questions were they asking you? You know, this is one of the other reasons why we thought this event would be interesting.
It was really neat. You know, they had essentially three sharks. And so ours was Ron Gula, you know, an absolute,
he's a well-known name in the industry, someone that I've looked up to when I first got into
the game. And then you also have a CISO that's paired with you. You know, ours was the CISO of
Unisys. So each group had one shark and one CISO that was paired with them in the sense that anybody could ask questions, but that specific pairing had done some homework beforehand and came prepared with some tough questions.
So that was highly valuable for us.
Anytime we can glean insights from a practitioner that's a CISO from a large corporation, that's good for us.
Now, you all, you won the day. You were the winners of the
competition. What happens next? You know, the Blue Ventures group is a pretty unique,
I guess they're an angel group. You know, it's a large collection of folks and mostly in the
Beltway area. We will follow up with an official pitch to that group. You know, InQuest as a
company has been profitable from day one. So we're not exactly in a position where we're looking for outside investment. But as they say, the best time to ask
is when you're not looking. So we look forward to pitching to that group and hearing their questions
and having some more time to dive into what we do. What sort of recommendations or advice would
you have for other organizations who may be in a similar situation and are considering a competition like this one?
Sure. I mean, the best advice I can give is
at the end of the day, you have to put yourself out there.
You know, whether nothing is too big or too small,
no event should be seen as not providing potential value.
You know, just get out there.
Put the time in and good things will come of it.
That's Pedram Amini from InQuest.
One of the more interesting features of yesterday's BlackBerry Cylance report
on a decade-long record of RAT herding by five related threat groups
working on behalf of the Chinese government
is its identification of a possible front company.
WorldWired Labs is the purveyor of the nominally legitimate administrative,
incident response, and parental monitoring tool NetWire. The researchers assess NetWire as a
remote-access Trojan. Legitimate tools can certainly be abused, but WorldWired Labs seems
curiously elusive, with suspiciously vague contact information.
It's based, for example, as the researchers put it, somewhere in Belize.
NSO Group, in its ongoing litigation with Facebook,
claims basically that spyware doesn't spy, spies do.
The Guardian reports the company doesn't operate the technology it sells.
That's fair enough, maybe, but the matter raises some questions about lawful intercept tools in general.
There are certainly technologies that seem to have legitimate markets, but that need to be sold to a restricted set of buyers.
Military weapons in general would seem to fall into this category, as do many articles of police equipment.
Perhaps that's the sort of model that might be applied to lawful intercept tools.
Bugging the mob is one thing. Bugging a political opponent is another.
And finally, hey everybody, researchers at Stanford have just discovered and operationalized
a new biometric modality, which is being characterized as anodermal.
What's the deuce?
Well, that's all we've got to say on this one.
We are a family show after all.
Look it up.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute, also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
It's good to be back, Dave.
Interesting article.
This is from the folks over doing the Naked Security blog by Sophos,
and it's titled COVID-19 Forces Browser Makers to Continue Supporting TLS 1.0.
That's right.
What's going on here, Joe?
Okay, so TLS 1.0 and 1.1 are older now, and they have been deprecated by browsers already.
And TLS stands for?
Excellent question, Dave.
I'm making the assumption everybody understands what this is.
It stands for transport layer security, and it is a way of encrypting information within the network stack so that the data
is encrypted at the transport layer.
Now, what that means is it's not encrypted at the IP layer.
So as far as IP is concerned, the data is plain text.
But one layer up at the transport layer, it is encrypted, which means that further up
for the user, it's encrypted.
And this is how your web
page, your web traffic is encrypted as well. Okay. So anytime you see that little lock and you know
that you're communicating securely with a server, you're communicating over TLS. The old version
before TLS 1.0 was SSL, and that is completely not supported anymore. It's not viewed as secure.
These older protocols have been around
long enough that they're now less secure to the point where people don't even view them as secure.
And you can be out of PCI compliance if you're using one of these older versions. Also, there's
a concern that some of the web services may stop functioning if you're using these older versions
because they're not being supported. So what these browser companies are doing, browser makers like Google and Microsoft and Mozilla,
they're saying, well, we were going to stop supporting TLS 1.0 and 1.1 in 2020, which is now, right?
So sometime this year they're going to do that.
But they're pushing that back.
And one of the reasons they're saying is Mozilla said in their release that
they're reverting the change for an undetermined amount of time to better enable access to critical
government sites sharing COVID-19 information. Now, you and I just did a little poking around.
We can't find any government sites that are running TLS 1.0 or 1.1. Everything we found was
at least running 1.2. And we looked at West Virginia's
site. We looked at Maryland's site, the federal government sites, even a county site in rural
Maryland. They were all running at least TLS 1.2, but that wasn't an exhaustive search. We didn't,
you know, we had 10 minutes beforehand, so we didn't search every single county website in the
country. So it could be valid. But also think about companies that may
be in the process of upgrading from an older TLS version to either 1.2 or 1.3,
and the people making this transition now are not working together. It's going to be a slower
process for them. Yeah, it's an interesting compromise to ponder that the potential
security issues of maintaining support for these, I suppose they've concluded,
are less important than the ability for people to get information about things like
health with COVID-19. That's correct. I think that's exactly what's going on here,
is there's an assessment that's been made that the bigger risk is denying people information.
I think that's accurate because there's nothing stopping somebody
from going ahead and going to version 1.2 or 1.3 of TLS.
You can still do that and not impact older versions.
And you should be doing that, by the way.
You absolutely should be doing that.
If your website is running TLS 1.0 or 1.1, that's not good.
You should be upgrading as soon as possible.
Yeah, it's interesting that we've seen several companies say that throughout this global
emergency that they have shifted their focus away from things like new features toward security,
that they're laser focused on, you know, updates are going to be about this one thing and it's
going to be about making everyone safe.
And we can all agree that we're going to wait on some new features for a while.
Yeah.
Yeah, that's a good outcome of this, I guess, if you could say that.
In the development world, security is not really one of the drivers of the development effort because it doesn't really present a very clear benefit to the user.
To us, absolutely, it's a clear benefit,
right? To people who think about these kind of things, it's a clear benefit. Right. But if the
user wants a new feature, that's really what they're focused on. I think the basic assumption
of the user is that the security is built in already and that I'm trusting you to build it.
So don't tell me about the security, but I expect it to be secure.
Yeah, and it's those new features that tend to make the cash register ring, right?
That is exactly correct.
Unfortunately, I think this is changing,
but it's not, hey, our product's the most secure product
you can buy on the internet for whatever purpose it is.
It's what's the coolest feature that you have.
Right, right, exactly.
All right, well, Joe Carrigan, as always, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.