CyberWire Daily - Phishing campaign targets Israeli scientists. Low-level contract phishing in China's hinterlands? Apps with privacy flaws. Cisco patches ASA products. Cryptocurrency speculation and fraud.

Episode Date: January 31, 2018

In today's podcast we hear about a possible Charming Kitten sighting. Phishing in Tibet shows just how successful cheap skid labor can be. Cisco patches a serious flaw in VPN products. Fitness app Strava says it will work to close privacy holes. Experts say you're just a tap away from giving yourself away, and it's not just Strava, not by a long shot. South Korea considers how cryptocurrency might be regulated. The US SEC shuts down an allegedly fraudulent ICO. Yossi Oren from BGU on insecure mobile device cases. Guest is JT Keating from Zimperium on the effects of Meltdown and Spectre on mobile devices. And what do you call an ICO that steals the price of a cheap seat?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. There are possible Charming Kitten sightings. Phishing in Tibet shows just how successful cheap skid labor can be. Cisco patches a serious flaw in its VPN products. The fitness app Strava says it will work to close privacy holes.
Starting point is 00:02:10 Experts say you're just a tap away from giving yourself away, and it's not just Strava, not by a long shot. South Korea considers how cryptocurrency might be regulated. The US SEC shuts down an allegedly fraudulent ICO. And what do you call an ICO that steals the price of a cheap seat? I'm Dave Bittner with your CyberWire summary for Wednesday, January 31, 2018. Hackers thought to be associated with Iran have been phishing Israeli nuclear scientists.
Starting point is 00:02:48 The bait consists of links to bogus British news sites. The links were to the fictitious British News Agency, a false flag that had hitherto been flown in phishing expeditions against Iranian dissidents, human rights activists, academics with a scholarly interest in Iran, media personalities, and the like. Researchers at the Israeli cybersecurity company ClearSky attributed those earlier efforts to the threat actor called Charming Kitten, which ClearSky said was Iranian and state-sanctioned. The latest round of phishing that targeted Israeli scientists is also being attributed to Charming Kitten, but of course this is early, and attribution is notoriously both circumstantial and difficult. A quick taxonomic note: threat groups associated with Iran tend to have feline names, presumably
Starting point is 00:03:33 by association with Persian cats. Those associated with Russia are bears; those with China are often pandas. Phishing in the interest of state security can be done cheaply and without much skill. The University of Toronto's Citizen Lab has a report on a campaign directed against members of the Tibetan community. For just a little more than a thousand bucks and some pretty ordinary web development and sysadmin tools, the phishers successfully spied for 19 months. Citizen Lab, with commendable modesty and reticence, doesn't offer any attribution,
Starting point is 00:04:07 but it's been easy for observers to connect the dots and speculate on the basis of the campaign's target list. The targets include Tibetans, to be sure, but also members of China's minority Muslim population and adherents of the Falun Gong religious movement, a movement not in good odor with the government in Beijing. All of this suggests a Chinese government operation, or at least one closely aligned with the government's interests. Citizen Lab suggests the actors may be low-level contractors, but it's unclear who gave them the targets
Starting point is 00:04:39 or how that hypothetical customer consumed the information the contractors delivered. It's a cautionary tale of phishing. The attackers spent just over $1,000 on infrastructure and another $190 to rent some servers. But with this, they were able to compromise enough email accounts to successfully phish for more than a year and a half. Cisco has patched serious vulnerabilities in its VPN offerings, specifically in 10 products that run Cisco ASA. Users are advised to apply the patches as soon as possible to avoid the possibility of remote code execution. The flaw is a dangerous one. It received the most severe CVSS score possible, that's the Common Vulnerability Scoring System rating, 10 out of a possible
Starting point is 00:05:26 10. Successful exploitation could result not only in remote code execution, but in denial of service as well. It seems like it might take a while for things to calm down with regard to the Meltdown and Spectre vulnerabilities, with patches being released and pulled for desktop operating systems. There's less talk on the mobile side, so we checked in with J.T. Keating from Zimperium, a company that specializes in protecting mobile devices, for his take on where things stand.
Starting point is 00:06:02 On the iOS side of things, Apple has released patches specifically for Meltdown. They were in the process of sending out updates to Safari, which was going to be their solution to how to handle Spectre. Google pretty much followed suit when it came to the exact same thing. But of course, you know, with Google, we've got the challenges associated with how changes actually make their way through the Android ecosystem. Pretty consistently, when we do our global threat data, we see that well over two-thirds, if not sometimes, depending on timing, 80% of Android devices are running out-of-date operating systems, whereas it's about a third, 25% to a third for iOS. But the patches, allegedly, for both of those are out.
Starting point is 00:06:44 It's now a matter of whether or not the users upgrade and whether or not on the Android side of things that it actually percolated all the way through their ecosystem. Yeah. And, you know, I think part of what's been puzzling for people is there's been a lot of uncertainty. You know, on the desktop side, the patches are released and then pulled back, and they've said upgrade or update, and then they've said no, hold back on updating. So do things seem a little more settled on the mobile side? You know, they are from a perception standpoint. And one of the biggest differences between mobile and traditional endpoints is that there's no such thing as a patch management system,
Starting point is 00:07:25 right? So when enterprise security guys, it's funny, you talk to any enterprise security guy, they'll tell you that the single greatest security risk to a company is a carbon-based life form. You know, it's a human being, right? Well, in traditional endpoints, you've got a patch management system like BigFix or something, and then you've got centrally managed antivirus, and you've got centrally managed network firewalls and everything like that. But now you take this user that makes bad enough mistakes as it is with all of those precautions, and you give them a supercomputer, and you say, okay, now you're the admin for it. You're responsible for deciding what networks you're going to go in and out of. You're responsible for deciding what apps you're going to download.
Starting point is 00:08:05 And oh, by the way, I'm totally beholden to you to update your devices, right? So whereas advice like, well, push the patch out. No, no, no, let's roll it back because we found that there might be some issues of performance, for instance, on the traditional endpoint side. You don't really get that on the mobile side. So even though it's probably, there might be some situations where they're like, maybe we need to push out another version of the patch. They don't have that ability to play the push-me-pull-you that you were discussing on the traditional endpoints. So what we see a lot of times is they just won't say anything at all. They'll just wait and then just do another patch. So for instance, Apple came out with another patch this week, a couple of days ago.
Starting point is 00:08:48 One of those included some stuff for Meltdown. So that's what they do is they'll just push out another patch as opposed to say, well, let's roll that one back because they have no ability to roll it back. On the mobile side, is there any indication of what we might expect to see in terms of performance hits? You know, we've seen a lot of estimates on it, but the estimates on mobile seem to be significantly less than some of the predictions we've heard in some of the other places. It seems that the biggest hits from people I've been talking to have been in larger processing environments, cloud environments, server farms, server farms, things on those lines. The percentages we've heard have been relatively low.
Starting point is 00:09:31 And we're talking like single digit, 1%, 2% type stuff. It hasn't seemed to have been a major issue. There was a lot of thought about it right off the bat. But in terms of any testing, and we've been doing some testing, we haven't seen any significant, truly significant performance impacts on the mobile devices that we're playing with. Now, I'm sure if you're dealing with really older versions, it'd probably be more noticeable. But the little supercomputers today, it hasn't seemed to have been that big of a deal. That's J.T. Keating from Zimperium. The CEO of Strava promises to work with the U.S. military and government to better keep
Starting point is 00:10:08 sensitive data secure. The company's fitness app generated a publicly accessible heat map of user activity that could be readily correlated with the location of sensitive U.S. bases. Even anonymized and aggregated data can yield interesting intelligence. An opinion piece in Technology Review argues that when it comes to user privacy, you're probably on your own. A report in The Guardian seconds that conclusion, noting that Strava isn't the only app tracking you. You're just a tap away from giving yourself away. Look closely at the permissions you give your apps.
Starting point is 00:10:53 In cryptocurrency news, South Korean authorities report that recent fraudulent coin speculation and theft has produced some $600 million in fraud. They will permit trading to continue, however, as they work through how they might better regulate that country's thriving, early-adopting cryptocurrency market. And the U.S. Securities and Exchange Commission last week alleged fraud and shut down Arise Bank's initial coin offering. It's not just the alleged fraud, the SEC said, but also Arise Bank's failure to properly register what it was selling as a security. This continues the SEC's pattern of regarding many cryptocurrency offers and instruments as securities. And finally, we're used to thinking of larceny as being either grand or petty.
Starting point is 00:11:31 But what comes below petty? Bite-sized? Teeny? Nano? We're not sure, so we'll call this one malyuchki, because the amount scammed in this one seems to warrant its own category. This Lithuanian outfit, calling itself Prodeum, came out a couple of days ago looking like the usual frothy but implausible blockchain startup.
Starting point is 00:11:53 Their stated mission was the tracking of every piece of food on the internet. What, you say? Why would anyone want this? And in what sense can food be said to be on the internet outside of, you know, Minecraft or SimCity? Well, never mind, granny, you just don't get it. It's blockchain. Maybe it's like for sustainable harvesting or non-GMO or something like that. Wasn't there this iced tea company that blockchained itself? And let's not forget Whoppercoin, the cryptocurrency that's letting Muscovites eat themselves into a fortune. Anywho, Grandpa, Prodeum came up with a typical-looking initial coin offering,
Starting point is 00:12:30 with tokens offered and tokens promised. But then, after a short and happy life of scamming people, Prodeum replaced its site with one that displayed just one word, a two-syllable word for an intermittent organ, which we will euphemize our way around because we're a family show. And what did the scammers get? Estimates differ, but one that seems right to us puts the take at $11. That's 11, count them, 11 Yankee Greenbacks,
Starting point is 00:12:57 which will get you one upper-deck seat at some Orioles ballgames with nothing left over for a hot dog or a Natty Boh. Wired says this shows that ICO scams are now just straight-up trolling. What do we say? Just this. Seriously, people. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:13:34 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:14:19 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:21 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dr. Yossi Oren. He's a senior lecturer at the Department of Software and Information Systems Engineering at Ben-Gurion University, and he's also a member of BGU's Cybersecurity Research Center. Yossi, welcome back. Today we wanted to talk about some research that you all have done about some vulnerabilities with mobile device cases. What do we need to know here? Let's assume you're a really security conscious person and you don't install anything on your phone that you don't trust. And you buy, you do all the repairs in the Apple store and you
Starting point is 00:16:10 only install visual software and so on. But let's say that somebody gave you a nice present. It's a phone case. It's a little piece of plastic you put around your phone. Right. And what possibly could go wrong with that? Nothing. Right. Nothing. Nothing. It's just a piece of plastic. It doesn't connect to your phone in any way, right? It doesn't touch it. It just surrounds it. So we were looking at a way, this is research which was done together with a graduate student called Tomer Glick and jointly supervised by myself and by Dr. Asaf Shabtai. So we were trying to think, what if we could build a key logger which didn't actually need to touch
Starting point is 00:16:45 the phone? So Tomer built something we call the Curious Case. It's a phone case which actually records all your touches. And how it does that is very, very interesting. So remember, it doesn't touch the phone, it doesn't touch your finger, and doesn't connect to the phone in any way. So from the outside, it just looks like a regular plastic or rubberized case. Exactly. All right. So there is a phenomenon called capacitive sensing or capacitive sensing, which is actually used in some kind of touchscreen. I think in ATMs it's used.
Starting point is 00:17:18 And it's built by, it's designed on the principle that your finger actually changes the capacitance of the thing that's close to it. So if you, I'm not going to do, you know, 201 electrical engineering here, but if you charge and discharge a capacitor very quickly, the capacitor is going to smooth out this charging and discharging and make it into a very, very smoothed-out wave. The better the capacitor is, the smoother the wave is. And if you put your finger between the two plates of the capacitor, it's going to ruin this capacitor's capacitance, and then the wave is going to become very sharp. It's going to lose its smoothness. And there's actually a way to build the touch
Starting point is 00:18:01 screen using this method. How do you do it? You take two pieces of conductive metal. In our case, Tomer actually bought a cigarette pack, and he threw away all the cigarettes because smoking is bad for you. And he took the aluminum foil wrapper inside the cigarette box, and he cut it into five strips. And again, you can see pictures on our website. He put four strips around the perimeter of the phone. Again, this is inside the case, and one large plate on the back. And what actually he did,
Starting point is 00:18:37 we treated this as a set of four capacitors, and we charged and discharged them very quickly, and using some signal processing, Tomer was able to discover where the user's finger is. Again, the finger is not touching the case. It's touching the phone screen. But we actually did a nice experiment where we did some machine learning and discovered the user's unlock pattern.
Starting point is 00:18:58 So we had several unlock patterns which were being drawn on the screen. And this curious case was able to discover which one of these patterns was being used. Wow. Be cautious of those free devices you get at trade shows. Yes. So let's say you don't think that something which touches your phone could be dangerous only if it connects to your phone.
Starting point is 00:19:19 But obviously, yes, there's no such thing as a free lunch. So if you're working for the NSA and somebody gives you like a phone case that says, I love the NSA. So maybe they don't really love the NSA. Right. Right. All right. Fascinating stuff as always. Dr. Yossi Oren, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:19:51 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire.
Starting point is 00:20:33 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:20:54 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie. Thanks for listening. We'll see you back here tomorrow. Thank you.
