CyberWire Daily - OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense. And a quick look at DNS threats.
Episode Date: November 1, 2022
OpenSSL is patched today. The misconfiguration risk to US government networks' security and compliance. Hacking Ms Truss's phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/210
Selected reading:
Effectively Preparing for the OpenSSL 3.x Vulnerability (Akamai)
How The OpenSSL 3 Vulnerability Will Really Affect Your Environment (Nucleus Security)
New Critical Flaw in OpenSSL: How to Know if You're at Risk (Rezilion)
Experts warn of critical security vulnerability discovered in OpenSSL (Application Security Blog)
The impact of exploitable misconfigurations on network security within US Federal organizations (Titania)
Liz Truss's personal phone hacked by Putin's spies (Mail Online)
Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)
Liz Truss phone hack claim prompts calls for investigation (BBC News)
Russian spies hacked Truss's personal phone (Computing)
Government urged to investigate report Liz Truss's phone was hacked (the Guardian)
Ministers creating 'wild west' conditions with use of personal phones (the Guardian)
Suella Braverman admits sending official documents to personal email six times (The Telegraph)
Ukraine War: UK reveals £6m package for cyber defence (BBC News)
DNS Threat Report — Q3 2022 (Akamai)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Today, the misconfiguration risk to U.S. government network security and compliance,
hacking Ms. Truss's phone, assistance for Ukraine's cyber defense.
Joe Carrigan looks at the latest round of apps pulled from the Google Play Store.
Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture
among security and developer teams continues to fall short.
And a quick look at DNS threats.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, November 1st, 2022.
Today, November 1st, OpenSSL is releasing a patch for a critical vulnerability in OpenSSL versions 3.0 and above.
OpenSSL appears widely throughout the software supply chain,
and a number of experts are comparing the vulnerability, which is rated critical, to Log4Shell and Heartbleed, both of which affected a wide range of products and their users.
While the OpenSSL project hasn't released details about the flaw, Akamai notes that
observers are taking it very seriously due to the rarity of a critical flaw in OpenSSL.
Akamai sees an analogy with Heartbleed, stating, "This vulnerability has caused concern in the security community because it is unusual for the OpenSSL team to rate a vulnerability as critical. There has only been one in the past, in 2014, Heartbleed. When exploited, Heartbleed led to a memory leak from the server to the client or the other way around."
Researchers at Nucleus point out that while the vulnerability may be severe,
the threat may not be as widespread as some headlines suggest, since most organizations are still running OpenSSL versions 1 or 2.
And, as is so often the case with patches,
one can expect threat actors to step up exploitation as they too become aware of the issue,
and before users apply upgrades and mitigations.
So look for vulnerability instances and get patching.
Misconfiguration remains a source of trouble for organizations of all kinds, and the U.S. federal government would seem to be not that different from the rest of us. Titania has released a study on U.S. federal security practices titled "The Impact of Exploitable Misconfigurations on the Security of Agencies' Networks and Current Approaches to Mitigating Risks in the U.S. Federal Government."
The research shows that network professionals report that they're meeting their security and compliance requirements, but the data suggests that this self-reporting is optimistic. Federal agencies have a larger number of devices on their network, with over 1,000 on average. 59% of respondents say that they assess the configuration of network devices every year, with 12% doing it on a bimonthly cycle. 71% report the effectiveness of their network security tools in categorizing and prioritizing compliance risks, which contrasts with the 81% of respondents that reported that the inability to prioritize remediation based on risk is a top issue. Respondents reported an average of 51 misconfigurations in the past year, with 83% reporting at least one critical configuration issue in the past two years.
Turning to the hybrid war Russia is waging against Ukraine and the cyber espionage that surrounds it,
Moscow has dismissed reports that its intelligence services hacked former British Prime Minister Liz Truss's phone
while she served as Foreign Secretary in her predecessor's government.
Reuters reports that Kremlin spokesman Dmitry Peskov dismissed the incident as Fleet Street sensationalist nonsense.
Mr. Peskov said, "Unfortunately, there is a shortage of material in the British media that can be perceived as serious."
The matter is not, however, being taken lightly in the UK, where, according to The Independent, Tories have joined the opposition MPs in calling for a full investigation of the incident.
There are other issues tangential to the possible compromise of Ms. Truss's phone by spyware that are also arousing concern over in the UK. They notably include the tendency of officeholders to handle official information on personal devices.
Suella Braverman, who had been Home Secretary in the Truss government before her resignation two weeks ago, admitted to sending a small number of official documents to her personal email, The Telegraph reports. She says the material wasn't sensitive and posed no security risk.
The personal is the political, as the New Left used to say, but really it's not a good maxim for cyberspace. Sure, officeholder, Mr. and Ms. Government Official, you've got your own email and your own stuff at home, and you've maybe got a life outside work too, for all we know, but official business shouldn't wind up commingled with that life. Reserve those personal systems for arranging to test your dog's ancestry with a convenient DNA swab, or for buying tickets to the game, or... you get the picture. It's like Vegas, as the Rat Pack might tell you: what goes on in the government network should stay in the government network.
The BBC reports that the British government has revealed the extent of cyber assistance it's rendered Ukraine.
Aid amounting to some six million pounds has been delivered.
In the course of discussing the assistance,
the government offered a brief appreciation of the state of cyber conflict in Russia's hybrid war.
In brief, cyberspace remains heavily contested, even as waves of Russian cyberattacks have not achieved the disruption widely expected at the beginning of the war. Foreign Secretary James Cleverly said, "Together, we will ensure that the Kremlin is defeated in every sphere, on land, in the air, and in cyberspace. The UK's support to Ukraine is not limited to military aid. We are drawing on Britain's world-leading expertise to support Ukraine's cyber defenses." Lindy Cameron, chief executive of GCHQ's National Cyber Security Centre, said, "The threat remains real and the UK's support package is undoubtedly bolstering Ukraine's defenses further." The SVR, FSB, and GRU have all been active against Ukraine in cyberspace, and of the three Russian intelligence agencies, the GRU has been the most active.
Akamai's DNS threat report for the third quarter of 2022 has found that 14% of devices connected
with a malicious destination at least once during the quarter.
The researchers state, "Breaking down these potentially compromised devices further, 59% of the devices communicated with malware or ransomware domains, 35% communicated with phishing domains, and 6% communicated with command and control domains." Akamai also notes that phishing campaigns will increase as the holiday season approaches, so this unfortunate trend will in all likelihood see a seasonal upturn.
Coming up after the break,
Joe Carrigan looks at the latest round of apps pulled from the Google Play Store.
Our guest, Matias Madou of Secure Code Warrior, looks at why cultivating a positive culture among security and developer teams continues to fall short.
Stay with us.
Think about your average team of developers.
Now, imagine your security team.
Do these two teams get along?
Do they collaborate constructively?
Is there tension?
Matias Madou is co-founder and CTO at Secure Code Warrior, and he shares his thoughts on why cultivating a positive culture
among security and developer teams continues to fall short.
So the highlights of why we're falling short today
is really that developers and security are not really talking.
It has improved over the last 10 years,
but we need to do better. Security really needs
to help developers in today's world. 10 years ago, security could just find problems in code,
throw them over the wall, and it was up to the developers to fix them. Today, we really have to
help the developers. The developers are the people that write the code, and we really need to help them.
So security really needs to figure out ways on how they can actually empower and help developers in writing secure code.
Is there a historical element to this?
I mean, in the past when coders were being brought up and taught their craft, was security not a priority or was it an afterthought?
It does have a history here.
10 years ago, there was really a security department and all they had to do was find problems in code. That was their job. Their goal was not to make the code better. The goal was not
to ship code faster. Their job was really to find problems in code. So that is really the historical element over here
that 10 years ago, it was not their job.
You know, priorities didn't align
because the goal of an organization,
the goal of a company is to really make a product
that developers love.
And to do so, we need to really make sure
that we have code that is shipped fast without problems.
Otherwise, the customers will not be happy.
And so how do you recommend that we do that? I mean, how do we make the security process
not be an anchor around their necks, if you will?
So first of all, security is outnumbered. If you look at security people per developers,
well, there's roughly two security people per 100 developers, which means that they are hugely outnumbered.
So the way that we can actually move forward is to bring the developers on the journey.
We have to make sure that developers understand that writing secure code will actually be beneficial for themselves in the long run as well.
They will have to do less rework. They will have to fix less production issues.
So in the long run, it's better for everybody to write secure code.
Two security people per 100 developers: security needs to essentially empower developers with
tools, with training, with knowledge on how to do that.
And they can do that through training, for example,
where it really has to be training that is relevant
to what they're doing on a day-to-day basis.
So they need to work on code that is relatable
to what they're doing in the real world.
And what about the cultural element here?
I mean, how do you ensure that the security folks
are collaborating with the developers
and that it doesn't become adversarial?
From a cultural perspective, it's actually important that security understands that they are outnumbered and they do not have access to the code.
So even if they want to do something, they actually can't.
It's the developers. It's the developers that are writing the code.
So security has all the benefit to make it work with the developers.
How do you recommend that organizations get started with this? I mean,
I'm imagining for some companies who've been around for a while, this represents a bit of a shift.
Oh, absolutely. And the way to get started is to make it a little bit more fun and engaging. If we talk about training and if we talk about security, well, that's not always sexy, you know.
And the way we can actually start is by throwing a tournament where developers and security come together and together they try and resolve problems and they try and fix problems.
But in a way that is a little bit gamified and we can actually throw some prizes in there so that ultimately the developers have a good feeling like, hey, you know what, security can be interesting and it can help the organization. And security, from their perspective,
they can collaborate with the developers and they can be seen as people that can help the developers.
I'm curious, in your experience, has there been a recognition of this? I'm wondering,
are new companies, do startups have an advantage here that they don't have some of that
legacy thinking that they can come at this with a fresh approach?
Yeah, I really like that.
So in general, it is good to take languages and frameworks that are hardened and that contain features and functionality to create secure code from the start.
That's a way better approach. So absolutely, if you start with coding, take a framework,
take a language that already contains a lot of good security behavior in it. The unfortunate truth is, even if you do that, you quite often rely on open source applications, on the open
source libraries, and you do not know who created them, when they were created, and what the security
status is of something like that. So newer companies, they definitely have an edge. Unfortunately,
there's still a lot of old software laying around, and we're building on top of old stuff. We're
building new stuff on top of old stuff, and we never go back and fix the old stuff. So the unfortunate
truth is there's plenty of software laying around that maybe was
not even intended to be connected over the internet, right? So unfortunately, not everything
is developed with security in mind, and we still rely a lot on legacy software.
That's Matias Madou from Secure Code Warrior.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute
and also Harbor Labs.
Joe, it is great to have you back.
Thanks, Dave. It's good to be back.
So over on the Hacking Humans podcast, we talk about a lot of scams,
and this is one that caught my attention.
This is from the folks over at ZDNet, article written by Danny Palmer.
And this is about some Android apps with over 20 million downloads
that have been pulled from the Google Play Store.
What's going on here, Joe?
So it's about 15 apps, 15, 20 apps
that have been pulled down.
And in total, they have 20 million downloads.
We'll talk about the most downloaded one in a minute.
But what's happening here is that these are apps
that have a malware package in them
that is adware fraud.
So I'm sure everybody who owns a smartphone,
this is an Android phone and I'm an Android user.
You've downloaded an app that has ads based in it, right?
Sure.
And you keep getting shown the ads.
Well, when you see the ad,
the person who wrote the app gets a little cut of money.
And if you click the ad,
the person who wrote the app gets a little bit more money, right?
So some entrepreneurial malware writer said,
well, why don't I just click for the user?
We'll cut out the middleman.
Why waste time waiting for them to click on ads so I can get more money?
We'll just click on it for them.
Sure.
And this is some really clever malware.
First off, it doesn't do anything for like an hour, right?
So you install it and nothing happens.
It doesn't do anything bad for an hour.
For an hour, right, yeah.
Okay.
So if there's an app, and there are apps in here.
One is like a task manager.
One is a photo manager, a photo vault or something.
Another is a QR code reader, camera enhancers.
The usual suspects.
Yeah, right.
A flashlight app.
A flashlight app.
That's another one.
Yeah.
Modern Android operating systems have flashlights included.
You don't need a flashlight app anymore.
But maybe you have an older phone where it works.
But the other thing that's interesting is that not only did it wait an hour,
but when you were using the phone, it didn't run.
It would detect that you were using the phone
maybe through like the gyroscopic sensor or something.
I don't know how it does that;
the McAfee report might go into that.
But if you're using the phone,
it would stop clicking on ads for you,
which is probably to make your phone more usable.
So it's not really all that intrusive for you.
But when you put your phone down,
it starts clicking on the ads again
and making a bunch of revenue for the manufacturer
or the app writer.
So in the background, it's doing this.
You don't know it's doing this.
Right.
And this has two impacts for the user.
Number one, it sucks up your battery life.
Right.
And number two, it uses data.
So if you have a data cap, and you go over that data cap and your phone company charges you per gigabit of data that you use, you could wind up paying data usage fees for this app. Right. And one of the apps, in fact, the most downloaded app that I promised we'd get to, has 5 million downloads and promises to tell you which apps are using the data. So I'm sure it doesn't say that, hey, I'm the biggest offender here.
Yeah. Chef's kiss.
Right.
Touché. Oh, wow. Interesting.
So you can look at this full list of apps that McAfee has posted
and go out and uninstall them immediately. They're no longer
available in the Google Play Store. Google took them out. You know, I don't know what ad network
they were using. It wouldn't surprise me if they were using Google's ad network, in which case
Google would also be profiting from this. But I don't know if that's the case.
There are plenty of ad networks out there, varying degrees of legitimacy.
Correct. Yeah. They may have been using one of the shady ones, right?
Mm-hmm.
Yeah.
I'm curious, on Android, is there built-in functionality that you can look at your list of apps and it'll tell you what apps are using your battery or using a lot of data?
Yes, both of those exist.
Okay.
Correct, and it is in the operating system.
Yeah.
Yeah. So it's a good idea to maybe check in on that from time to time
and see if your flashlight app is chewing up a lot of both battery and data;
if so, perhaps something is amiss.
Yeah, one of the most annoying things,
I don't know that this is the same kind of thing,
but I used to get push notifications from apps
and I wouldn't know where they were coming from.
Oh.
But now Android has improved to the point where I was getting –
I made the mistake of installing Slice because I ordered pizza once with Slice.
Okay.
And I love pizza.
Anybody that looks at me goes, that guy eats a lot of pizza.
Okay.
But Slice started giving me push notifications,
and I went into my permissions and just stopped that from happening.
Android has gotten a lot better with that.
Yeah, yeah.
I think they all have.
I know certainly on iOS as well,
there's been a lot of cracking down on that sort of thing.
And I think the legit ad networks don't want this to happen as well.
No, they don't.
Because what will happen there is somebody will do the analysis on the effectiveness of ad clicks to sales.
Right.
Right?
Right.
And they'll say that, okay, this ad network doesn't have the same effectiveness of ad clicks to sales as this network does.
So I'm going to buy over here.
Yeah.
They're not delivering value.
And that is the metric that the people who buy ads look at.
Yeah. Right.
What percentage of... it's called conversion.
Yeah. What's my conversion?
Yep. Yep. All right. Well, this again is from the folks over at ZDNet, article written by Danny Palmer. Joe Carrigan, thanks for joining us.
My pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, and Peter Kilpe.
Thanks for listening.
We'll see you back here tomorrow.