CyberWire Daily - Notes on patching. Foreshadow speculative execution vulnerability. Influence operations. The FBI's new cyber chief. Are stickers a temptation to thieves, hackers, and customs officers?

Episode Date: August 15, 2018

In today's podcast we hear some Patch Tuesday notes: both Microsoft and Adobe were busy yesterday. Foreshadow, a new speculative execution vulnerability, is reported. Malaysia gets attention from Chinese espionage services. Competition for jihadist mindshare. Influence operations as marketing. The US FBI gets a new cyber boss. The Kremlin thinks the BBC is biased in the crypto-wars. And laptop stickers: are they good, bad, or ugly? Zulfikar Ramzan from RSA on SOCs and IoT. Guest is Dimitris Maniatis from Upstream on Android ad fraud malware. For links to all of today's stories check out the CyberWire daily briefing: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_15.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. We've got some Patch Tuesday notes. Both Microsoft and Adobe were busy yesterday. Foreshadow, a new speculative execution vulnerability, has been reported. Malaysia gets attention from Chinese espionage services. There's competition for
Starting point is 00:02:11 jihadist mindshare. Influence operations are used as marketing. The US FBI gets a new cyber boss. The Kremlin thinks the BBC is biased in the crypto wars. And laptop stickers. Are they good, bad, or ugly? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 15, 2018. Yesterday, of course, was Patch Tuesday for the month of August, and both Microsoft and Adobe issued fixes for their products. Microsoft addressed 60 flaws, two zero days among them, in August's Patch Tuesday.
Starting point is 00:02:54 The zero days were CVE-2018-8414 and CVE-2018-8373. CVE-2018-8414 involves the use of SettingContent-ms files. These are Windows 10 control panel shortcuts, and they're used to distribute malware. Signs of this sort of exploitation began to appear early last month, and Redmond has now upgraded Windows 10 so that Windows Shell now validates file paths when SettingContent-ms files are executed. CVE-2018-8373 is a remote code execution vulnerability that arises from the scripting engine's problematic handling of objects in memory in Internet Explorer. Among the other vulnerabilities attracting considerable attention is CVE-2018-8340, discovered by researchers at security firm Okta. This one is a security bypass exploit that's made possible when Active Directory Federation Services, that's ADFS, mishandles multi-factor authentication requests.
Starting point is 00:04:06 Okta's account of the issue suggests that this vulnerability would be most easily used by a malicious insider interested in achieving elevated privileges or in spoofing another legitimate user's account. Adobe also patched, fixing 11 problems in its products. The breakdown is as follows. Five issues were fixed in Adobe Flash Player, three in Adobe Experience Manager, two in Adobe Acrobat and Adobe Reader, and one in the Adobe Creative Cloud desktop application. The potential impact of unpatched systems exploitation includes information compromise, privilege escalation, arbitrary code execution, and unauthorized data manipulation or alteration. There's also been a new speculative execution issue identified in Intel Central Processing Units. A small set of flaws, three of them, are collectively called Foreshadow and join the well-known family to which Spectre and Meltdown belong.
Starting point is 00:05:00 Foreshadow is in the process of being mitigated. Microsoft addressed some Foreshadow issues in its monthly round of patches, for example. In any case, there's no known instance of foreshadow exploitation in the wild, and it would seem unlikely that hackers could easily make use of it to attack systems. There's a company called Upstream that provides mobile device security platforms, especially in fast-growing emerging markets. As their software was being deployed, they noticed some interesting data traffic that caught their attention.
Starting point is 00:05:33 Dimitris Maniatis is head of Secure-D, which is one of their mobile security platforms, and he shares what they found. What was really peculiar is that we started seeing concentration of fraudulent attempts, not on specific apps, but from specific devices, which became even more peculiar when we started seeing a similar pattern in a second market that is totally unrelated to the first. So the first market where we saw that was Brazil. Quite literally around the same time, we saw a similar concentration of fraudulent attempts in devices in an operator in Myanmar.
Starting point is 00:06:19 These two markets are typically very unrelated. They don't share any commonalities whatsoever. We went ahead and we purchased a few of those devices to try and get to the bottom of what was happening. We put the first device that we bought in Brazil, we put it in a sandbox. As soon as we powered on the device, quite literally just after unboxing it, we started seeing communications to a third-party server sending information that we identified as being personally identifiable information, like the IMEI or GPS location of the device, to a third-party server in Singapore and operated by Gmobi.
Starting point is 00:07:08 Gmobi is a Taiwanese-slash-Chinese provider of services in the wireless industry in general, but more specifically, they operate an ad network and they operate a firmware over-the-air updater. It made us really concerned to see that without having accepted any user agreement, without having opted in to use a service by Gmobi, we were observing data from the device being transmitted to that server and then seeing communications coming back. Now, let me ask you, does it seem as though they're specifically targeting inexpensive phones? For sure, there is a correlation between the two. In general, we're really used to the term ad fraud, advertising fraud, especially over digital marketing and we kind of picture advertisers
Starting point is 00:08:07 paying more than they would have had to; essentially, part of their investment, part of the impressions or the clicks that they buy, are served or are being clicked by non-humans, either a click farm somewhere obscure, or some weird place, or a bot network might be just generating impressions and clicks to kind of consume the investment that advertisers are making. What we see here is that in this scenario, the end user is actually being defrauded. So it's ad fraud taken one step further
Starting point is 00:08:46 to charge users only after a single click. If that click is generated by a bot, that means that the user, without having ever given their consent, is being charged for a service or some digital service that they never wanted to buy or never intended to buy. Now, this is essentially an extension of ad fraud that is impacting the end consumer and actually defrauding the end consumer from their prepaid airtime or credits.
Starting point is 00:09:19 It is from what you would see as ad fraud now moving into payment fraud or even financial fraud, because it is depleting the prepaid credits of consumers. That's Dimitris Maniatis. He's from Upstream. You can read more about their research into Android smartphones being sold with pre-installed malicious software. That's on their website. Regional influence and economic advantage appear to drive renewed Chinese espionage
Starting point is 00:09:50 against Malaysian companies and governmental organizations. A United Nations report suggests increasing Iranian prominence in al-Qaeda networks. This appears to be an emerging trend as Sunni and Shiite strains of jihadist influencers struggle for inspirational mindshare online. You will recall Facebook's removal of some 32 pages that were engaged in what the social medium called inauthentic behavior. They were essentially accounts created with bogus or at least dubious persona that were heavily involved in pushing various inflammatory political memes. Facebook didn't say it was a Russian trolling operation,
Starting point is 00:10:32 but it strongly hinted in that direction. The AP talked about this with various academic experts in communications and marketing and concluded that the Facebook pages the social medium recently expunged were following typical advertising playbooks, with affinity marketing supplemented by a heavy dose of moralistic aversion. The goal is discord, the method rumor, and the amplification is all on the regular people clicking, sharing, and liking. So nothing new here, but the skills shown by the presumably Russian persuaders is striking. They've also shown a solid understanding of their market, accurately addressing American social fissures. The endgame is mistrust.
Starting point is 00:11:15 It's not so much that they want you to vote one way as opposed to another. They'd apparently rather you just stayed home, going out only to riot, because elections are, as the troll farmers would suggest, nothing more than a Potemkin village, a puppet show for the goobers. In a generally well-reviewed move, the FBI appoints Amy Hess, Executive Assistant Director of the Criminal, Cyber Response and Services Branch. Hess, a veteran of the FBI's science and technology side, is among other things regarded as a crypto war's dove, at least by bureau standards.
Starting point is 00:11:52 Elsewhere in the crypto wars, the pro-encryption side has a new champion, or at least someone willing to fly their flag of convenience. Sputnik, one of Russia's Putinist news services, slugging on behalf of the little guy, accuses the BBC of committing fake news by cherry-picking encryption experts who will toe Her Majesty's government's pro-snooping line. And finally, do you have stickers on your laptop? Maybe one of the attractive CyberWire ones we give away to patrons and friends of the show. Motherboard has an article in which they argue that putting a sticker on your device could lead authorities at border crossing sites or airport security checks, for example, to single you out for more attention than you'd like. What's that? Your laptop sticker says TSA stands for Touching Stuff Always? Why, step over here to the slow line and please remove your shoes.
Starting point is 00:12:49 Or maybe it's got a Macedonian flag on it and the customs officer at Thessaloniki takes exception and wishes you to answer some questions at greater length. Or the guy in the cargo shorts sees a sticker that says "I brake for deep packet inspection" and decides he'll make a run at you over the onboard Wi-Fi. You can tell he's a bad guy because his laptop says,
Starting point is 00:13:10 my other computer is your computer. On the other hand, Motherboard does cite some evidence that common criminals tend to leave heavily stickered laptops alone when they break into cars, whether that's because they think they're likely to be encrypted or because they think the stickers drive down the retail value, is unclear. So what do you think? Is this a problem unique to laptops? Or is it like the ordinary risk you run of having your car keyed by someone who disapproves of the candidate
Starting point is 00:13:39 whose name is on your bumper sticker? Let us know. To stick or not to stick? That is the question. isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:14:21 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:14:54 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:40 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Zulfikar Ramzan. He is the Chief Technology Officer at RSA. They are a Dell Technologies business. Zulfikar, welcome back. We wanted
Starting point is 00:16:20 to touch today about SOCs, Security Operations Centers, and particularly some of the challenges they face when it comes to IoT. What can you share with us today? Yeah, you know, so I'm reminded here of a movie that came out a number of years ago called Airplane 2. And if you remember, William Shatner, obviously everybody knows on this podcast from his role in Star Trek, played the role of Commander Buck Murdoch in that movie. And there's a scene in the movie where he's looking at all the switches and controls and knobs and lights that are going off and on inside of his operations center. And in trademark William Shatner histrionics, he has this virtual nervous breakdown
Starting point is 00:16:55 about all the events that are hitting him at once. "We've all got our switches, lights, and knobs to deal with, Striker. I mean, down here, there are literally hundreds and thousands of blinking, beeping and flashing lights, blinking and beeping and flashing. They're flashing and they're beeping. I can't stand it anymore. They're blinking and beeping and flashing. I'm all right. I'm all right." And that to me personifies what happens in the security operation center already, where people are dealing with events constantly, where they're deluged with a barrage of noise, if you will. And when you think about things like IoT coming into the fold, all these new devices, they can all generate their own sets of alerts.
Starting point is 00:17:37 I think organizations can quickly find themselves in a world where they can no longer begin to reason about what's happening in their environment. And we have to take a really quick set of actions and meaningful and intelligent actions to be able to address that problem before it becomes too much of an issue. So what do you suppose the solution is? Are we talking about automation? How do you filter that firehose of information coming in at you? Yes, I think there's a multi-part plan that people have to engage in. The first part of that plan is, first of all, just pre-process your data. The reality is if you just collect data and try to use it later without thinking about pre-processing it and identifying the most salient elements, there's a good chance
Starting point is 00:18:12 you're no longer going to be able to make any kind of meaningful insight out of that data. The reality is you don't want to just stockpile a bunch of food only to have it go rotten while you're hungry trying to find something. The same thing applies to your data. The second thing is to apply analytics to your data so you can group all these different alerts around attack campaigns. The reality is when attacks happen in organizations, a bunch of alerts are generated. Those alerts are related to a common campaign. If we don't tie those alerts together, there's a good chance that your security analysts will be off in different directions investigating different parts of an incident without realizing there's a common big picture that they need to be considering. And then the third thing is to really focus not just on looking at what's happening in
Starting point is 00:18:54 one part of your environment, be able to pivot across what's happening in different elements. So for example, be able to look at what's happening on the network core and be able to then translate that to what's happening at the edge in terms of endpoint devices or IoT or what have you. And even beyond that, can you look at what's happening with your cloud services? Proper security incident response requires being able to trace an incident end to end, which in turn means that you have to be able to look at all the different elements that are involved in one common orientation. And the fourth piece of advice I have is to really take a risk orientation. Don't just look at the underlying probability that something is going wrong. Figure out what the impact is in the organization. So for example, if you do see two
Starting point is 00:19:35 alerts and one alert happens to be on a critical production server and the other alert happens to be on a system whose only piece of important information is the lunch menu for the cafeteria, clearly you should focus on the production server. And as silly as that example sounds, most organizations don't distinguish between incidents. They treat every incident like it's the same. If you can pull in business context into your security operations center to make that intelligent determination about what's really critical, you can go a long way. And then finally, I do recommend automation that you mentioned earlier. I think to me, the linchpin for automation being successful is getting the first few pieces of
Starting point is 00:20:09 that equation right. If you can get the first elements correct, then you can start to employ automation technologies that take care of many of the simpler cases, the more obvious cases and whatnot. But to me, the key to making automation successful is to have that inventory upfront, to have the right incident response plan initially, so that your automation capabilities are designed in a way that are going to produce results in a very meaningful fashion. Zulfikar Ramzan, thanks for joining us. My pleasure as always. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:20:51 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:21:40 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:22:00 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
