CyberWire Daily - Operation Sharpshooter. Canada begins extradition process. Huawei will sue the US. Facebook’s global lobbying practices revealed. Visitor management systems are vulnerable.
Episode Date: March 4, 2019
In today’s podcast, we hear that Operation Sharpshooter is linked to North Korea. Canada begins the extradition process for Meng Wanzhou. Huawei is planning to sue the US for banning its equipment from government use. Facebook may have used questionable tactics to lobby against stricter data protection laws. Thailand passes a controversial cybersecurity law. And IBM interns discover a host of vulnerabilities in visitor management systems. Joe Carrigan from JHU ISI with details on a Ring Doorbell vulnerability. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_04.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Operation Sharpshooter is linked to North Korea.
Canada begins the extradition process for Meng Wanzhou.
Huawei is planning to sue the U.S. for banning its equipment from government use.
Facebook may have used questionable tactics to lobby against stricter data protection laws.
Thailand passes a controversial cybersecurity law.
And IBM interns discover a host of vulnerabilities in visitor management systems.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 4th, 2019.
McAfee disclosed yesterday that Operation Sharpshooter, a cyber reconnaissance campaign
discovered in December,
exhibits striking similarities with multiple other attacks attributed to North Korea's Lazarus Group.
A government entity gave the researchers code and data from a command and control server
used to manage the campaign, which gave them a deeper insight into the group's behavior.
The researchers had originally declined to link Operation Sharpshooter to the North Korean group,
based on code overlap, because the technical links were obvious enough to suggest a potential false flag.
The new evidence also shows that the ongoing campaign is,
quote, more extensive in complexity, scope, and duration of operations, end quote, than previously thought.
McAfee researchers told the New York Times that they observed the group launching attacks
against more than 100 companies.
Its recent attacks have focused primarily on financial services, government and critical
infrastructure targets in Germany, Turkey, the United Kingdom and the United States.
The Canadian government has approved the extradition hearing
of Huawei's CFO Meng Wanzhou. A date for the hearing will be decided this Wednesday, although
it could be years before she sets foot on American soil due to Canada's slow-paced judicial process.
Previous extradition cases in the country have been known to take more than a decade to reach their conclusions.
Reuters says China is seething over the decision.
Charles Burton, a former counselor at the Canadian embassy in Beijing, told the Canadian Broadcasting Corporation that Canada should expect to face retaliation from China.
Ms. Meng is also suing the Canadian government, police force and border agency
on the grounds that the circumstances of her arrest violated her civil rights, according to ZDNet.
The lawsuit alleges that Meng was searched and interrogated for three hours before being told she was under arrest.
It claims that a Royal Canadian Mounted Police officer and three border agency officials
carried out this search and interrogation under the false pretense of a routine border check. The New York Times and Reuters report
that Huawei will file a lawsuit against the U.S. government later this week for banning its
products from use by federal agencies. The suit is expected to challenge an addition to the U.S.
National Defense Authorization Act, the NDAA, which barred U.S. government agencies and their contractors
from using certain equipment from Chinese companies.
When the provision was added last year, Huawei called it unconstitutional,
and the Times says the lawsuit will argue that the act amounts to a bill of attainder.
That particular approach has been tried before.
It's essentially the argument Kaspersky used last year when it challenged the U.S. federal government-wide ban on its security products.
It didn't work that time around, but each case is different.
Computer Weekly and The Guardian have seen court documents detailing Facebook's global lobbying efforts against tighter data protection legislation.
Among various other revelations,
Facebook reportedly threatened to withdraw investments from Europe and Canada if legislators refused to meet the company's demands.
Perhaps most notably, the documents claim that the former Prime Minister of Ireland,
Enda Kenny, offered to use the significant influence of Ireland's EU presidency.
Ireland's current and former data protection commissioner said yesterday
that Mr. Kenny never tried to influence their decisions regarding Facebook or data protection regulations.
A Facebook spokesperson told The Guardian that the documents were cherry-picked to tell one side of a story.
Thailand's parliament unanimously passed a controversial cybersecurity law that critics
say will give the country's military government sweeping powers to monitor or seize data without
a court order.
The Asia Internet Coalition, which represents major technology companies such as Google
and Facebook, said in a statement that the law's ambiguously defined scope, vague language, and lack of safeguards
raises serious privacy concerns for both individuals and businesses.
The law bears similarities to Vietnam's cybersecurity legislation,
which went into effect at the beginning of this year.
That law outlawed criticism of the government and gave the government
the ability to seize data from Internet companies without a warrant.
Unlike Vietnam's law, however, Thailand's legislation doesn't require foreign technology companies to open local offices and store data in-country.
This has led to concerns about the enforcement of Thailand's law internationally,
since it will apply to all companies around the world that collect or
use the personal data of Thai citizens. Critics assert that Thailand has a history of censoring
websites and imprisoning citizens for comments they've posted online. Two years ago, in a widely
cited case, a 33-year-old man was sentenced to 35 years in prison for making Facebook posts that were deemed insulting to
Thailand's royal family. IBM's X-Force Red earlier today disclosed 19 vulnerabilities in five popular
visitor management systems, which could allow an attacker to gain physical access to an organization
or establish a foothold within the organization's network. Some of the vulnerabilities also allowed for data exfiltration,
which could expose sensitive information on customers.
The gravity of the vulnerabilities depends on what the systems are used for,
how they're configured within an organization's network, and what data they collect.
Daniel Crowley, IBM X-Force Red's research director, told ThreatPost that, quote,
depending on how each of these systems are deployed, these vulnerabilities represent a serious to high-impact risk for companies, end quote.
Student researchers with X-Force Red discovered the vulnerabilities and reported them to the vendors.
Some patches have been rolled out already, and others are still in progress. One of the vendors, Jolly Technologies,
did not issue patches for the seven vulnerabilities identified in its Lobby Track desktop. The company
told Wired that the product is intentionally shipped in kiosk mode so that buyers can
customize the software to meet their needs. This default configuration is meant to be changed by
the owner before setting it up for public use.
Finally, we've got a crew out in the city by the other bay, that is, San Francisco.
This is the week of the 2019 RSA Conference, and things are just getting started.
The Innovation Sandbox is in progress now, and we'll have notes on it in tomorrow's podcast.
Why tomorrow? Well, the Chesapeake is three hours ahead
and we don't want to keep you waiting
until well into the evening.
But we'll have the story tomorrow.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
It's good to be back, Dave.
We had a story come by.
This is from Threat Post, and it's about an interesting vulnerability
some researchers discovered with the popular Ring doorbells.
The Ring doorbell flaw.
Yeah.
Basically what it is, the older versions of these doorbells, this is owned by Amazon.
Right.
These doorbells would transmit the data from the ring device to the user's phone in the clear.
So the video and audio streams.
Would be in the clear.
Oh, okay.
And it was possible not only to intercept it, but also to spoof it.
That was an interesting aspect of this.
It looks like it's easier to execute this attack if you're on the same Wi-Fi network
as the user's phone.
So walk me through what happens here.
I have a Ring device looking at my front porch.
Right.
Let's say you're at home.
Yeah.
Right.
And you don't have very good network security on your home network.
So I am outside with a device, and I can connect to your network because either you don't have
a password on it or you're using WEP or using a weak password, and I've broken into your
network.
Connected to my Wi-Fi.
Right.
My home Wi-Fi.
All right.
So now your doorbell rings, and you are interacting with the doorbell.
If I'm sitting out in my car in the front or anywhere nearby with a long-range antenna,
I can monitor the traffic between your doorbell, your smart doorbell, and your phone.
And then I can also save it, of course, and maybe play it back at a later point in time.
Oh, I see.
So one of the features of these systems is they can remotely unlock the door, right?
Right.
So if I wanted to get into your house, it's possible for me to
spoof it, right? Play back some video of your buddy coming over and then you unlock the door.
Or like the babysitter. Right, the babysitter. The babysitter comes to watch the kids while I'm
at work after school. I record that. Yeah. I don't know if that would be a good attack vector. I
think you have to be on the same Wi-Fi network as the phone.
Yeah, but I'm getting to the part where, you know, if I can record that video of the babysitter,
then I could use that to play back to you to trick you into thinking that it's the babysitter at the door.
Correct.
And then you unlock the door.
Right.
Huh.
Yeah, that's an interesting way in, isn't it?
Yeah.
So what is Ring's response to this?
Well, Ring has actually issued a patch to the vulnerability in the latest version of the app, which is 3.4.7.
So if you have a Ring device, you should go out and update right now, and it will update the device and everything and secure the traffic.
Just make sure you have the latest version.
Correct.
And that's one of the things I always harp on.
Make sure your software is up to date.
Yeah.
And I think it's particularly interesting with some of these devices that you kind of set and forget.
You know, they're hanging around in your house, these sort of remote devices.
Right.
Because that Ring doorbell is going to be doing its job 24-7, and you don't really think about it.
It's not, it ain't broke, don't fix it.
Yeah, but it is broke.
Well, yeah, right, right, right.
It's time to fix it.
Yeah, yeah.
But yeah, you're right.
People say if it isn't broken, don't fix it,
but that statement has always kind of frustrated me.
Because just because something is working good enough doesn't mean it's working properly.
Right.
You know, it could be working better.
It might have a problem that you don't know about, like this, that's causing you harm.
Yeah, I suppose it's like, you know, I don't drive with seatbelts.
I haven't crashed so far.
Right, exactly.
Same kind of thinking.
Right, right.
All right.
Well, if you have a Ring, check and make sure that you're updated to the latest version.
Joe Carrigan, thanks for joining us.
It's my pleasure.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey
Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.