CyberWire Daily - Reactions to allegations in Georgia’s October cyber incidents. Commodification of spamming kit. Satellite vulnerabilities. Election security. FISA reauthorization? Mr. Assange’s extradition. RSAC 2020.
Episode Date: February 24, 2020. The EU condemns Russian cyberattacks on Georgia, and Russia says Russia didn't do it--it's all propaganda. Skids can buy spamming tools for less than twenty bucks. Satellite constellations offer an expanding attack surface. Amid continuing worries about US election security, the question of Russian trolling or home-grown American vitriol arises in Nevada (but the smart money's on the U S of A). FISA reauthorization is coming up. And hello from RSAC 2020. Joe Carrigan from JHU ISI on SIM swappers targeting carrier employees; guest is Erez Yalon from Checkmarx on the recently published OWASP API Security Top Ten list. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The EU condemns Russian cyber attacks on Georgia, and Russia says Russia didn't do it. It's all propaganda. Skids can buy spamming tools for less than 20 bucks. Satellite constellations offer an expanding attack surface. Amid continuing worries about U.S. election security, the question of Russian trolling or homegrown American vitriol arises in Nevada. The smart money's on the U.S. of A. FISA reauthorization is coming up, Mr. Assange's extradition, and hello from RSAC 2020.
Coming to you from Broadcast Alley at the RSA Conference in San Francisco,
I'm Dave Bittner with your CyberWire summary for Monday, February 24th, 2020.
The European Union has joined international condemnation of last October's cyber attack on Georgian websites, according to Eurus's review. High Representative of the European Union for Foreign Affairs and Security Policy Josep Borrell, the EU's top diplomat, on Friday said, Georgia was the victim of a targeted cyber attack causing damage to their social and economic infrastructure. Western intelligence services, notably those of the UK and the US, have attributed the influence campaign to Russia's GRU. Georgia's government has thanked the EU for the expression of solidarity.
Russia's foreign ministry has denied any involvement in the attack and puts the whole matter down to a coordinated propaganda campaign run from Washington, London, Tbilisi, and an unspecified elsewhere. The ministry goes on to deplore Georgia's decision to demonize Russia, and just when relations between the two peoples were getting so mutual. But many observers still see Fancy Bear's paw prints all over the Caucasus. Note on the apparent misuse of mutual: it's an old Russian trope for solidarity, good feeling, and so on.
The commodification of the spamming business continues apace. A Digital Shadows study suggests that minimally skilled criminals are able to enroll in online phishing tutorials for an average tuition of just under $25 and can buy the tools necessary to conduct phishing attacks for less than $20. Criminal masterminds are more myth than reality, but the dark web markets show the power of the black market, its ability to turn a couple of hackerweight of skids into functional Professor Moriartys.
An essay in Science Alert offers some informed speculation about the attack surface the rapidly proliferating internet delivery satellite constellations present. Of particular note are the mentions of supply chain issues. As commodity components continue to drive down satellite costs, making private sector constellations realistically affordable, some are uneasy about the susceptibility of those components to compromise before they even reach the point of final assembly, still less launch and Earth orbit.
Results from the Nevada Democratic Presidential Caucus are still being tabulated and have been disputed by former South Bend Mayor Buttigieg's campaign, but Senator Sanders seems the clear winner. The senator suggested twice last week, on grounds of a priori probability, that online nastiness apparently emanating from his supporters might well have been the work of Russian bots. Experts the Daily Beast polled think this is unlikely.
The nastiness that prompted the senator's speculation about Russian trolling involved an intra-party squabble over the Culinary Workers Union
and its decision not to endorse Senator Sanders' signature Medicare-for-all proposal.
Attribution is always difficult, but it's worth remembering that America
is great in lots of ways, including her ability to generate loudmouth invective at scale and in
quantity. On the question of general election security in the U.S., the Washington Post's
stable of experts comes down narrowly on the side of worry as opposed to reassurance. 57% of the Post's network
doubt that U.S., federal, state, and local election officials will be able to render the 2020 election
reasonably secure against manipulation or tampering. The New York Times notes that the Justice Department IG's criticism of 2016's Operation Crossfire Hurricane makes it likely that the Foreign Intelligence Surveillance Act will be significantly revised when key provisions expire in mid-March. The inspector general concluded that the FBI's requests for wiretaps during Crossfire Hurricane were flawed and that had the Bureau presented what it knew and ought to have known to the FISA court, it's unlikely that it would have received the warrants it eventually did.
The team at security firm Checkmarx recently published their latest OWASP API Security Top 10 list. Erez Yalon is director of security research at Checkmarx.
So API stands for application programming interface.
It's basically an interface or communication protocol between client and server. And we love APIs. APIs make things simpler for us. So when we talk about API security,
what we actually mean is the security of API-based apps, or you can even say modern
application security, because there is no modern application without APIs.
So regarding this specific project of API security top 10,
we started to see here in Checkmarx where I work,
we see a lot of, let's say, mistakes
that are happening in code and insecurities in software out there.
And together with the migration to modern application
from traditional applications,
we see the area of vulnerabilities kind of migrating.
So we see client devices that are becoming more varied and stronger.
So the logic moves from the back end to
front end. If in the past we knew that clients would be probably a web browser, now it can be
a browser, it can be a mobile device, it can be a smart watch, a smart car, it can be a bot,
it can be some sort of business microservice, it can be a smart toaster. Whatever you can think of, someone probably invented it,
and it can be the client of your application. So there is no single action happening on the
server side and sending a prepared page to the client. Now the servers act more as a proxy of
sending a lot of raw data to the clients
and making sure that the clients know how to present it to the user according to their abilities.
And there are consequences to that.
The consequences are that the user state is maintained and monitored by the client.
Clients consume raw data and more parameters are sent in each HTTP request.
We can see object IDs and values and filters
and many other things that in the past
we did not see passing between server and client
in the raw condition.
And APIs expose the underlying implementation
of application security.
And the current standards, including the OWASP top 10, are very relevant to more of a traditional applications,
but there is a gap when we're looking at modern and API-based applications.
And this is the gap that we wanted to bridge when we decided to start this specific project for API security. That's Erez Yalon from Checkmarx.
WikiLeaks impresario Julian Assange's extradition hearings in London continue,
as the US seeks to persuade the U.K.
to send him stateside for trial on charges related to his alleged role in helping then-U.S. Army
Specialist Bradley Manning obtain and leak classified information. Mr. Assange is not,
the U.S. emphasizes, charged with WikiLeaks' role as a conduit for U.S. Democratic Party emails
the U.S. intelligence community concluded were
stolen by Russian intelligence services. And of course, RSAC 2020 is now underway in San Francisco.
We'll have updates from the city by the other bay as we receive them, and yours truly will be
podcasting from Broadcast Alley all week. If you're in the neighborhood, stop by, say hello.
We've got some stickers, and it'd be great to meet you in person. Before the conference opened, it felt the effects
of concerns about COVID-19, the coronavirus strain that continues to spread from its point of origin
in China. 14 companies, six of them from China, withdrew from the conference, Tech Republic
observed. The three highest profile cancellations
were IBM, AT&T, and Verizon.
There have been a small number of cases reported
in Northern California,
according to the San Francisco Chronicle.
The San Francisco Department of Public Health
is providing updates on its website.
Assessing the risk as low,
RSAC intends to operate this year,
much as it always has. The conference's first big event will, as usual, be the Innovation Sandbox, the doors to which will open at 1:30 p.m. Pacific time today. The finalists in this year's sandbox are AppOmni, BluBracket, Elevate Security, ForAllSecure, INKY, Obsidian, SECURITI.ai, Sqreen, Tala Security, and Vulcan Cyber.
Good luck to them all.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
Interesting article came by, this is Motherboard on the Vice website, and it's titled, SIM Swappers are Phishing Telecom Company Employees to Access Internal Tools. Are the SIM swappers upping their game here? What's going on?
Dave, we have to have some empathy for these SIM swappers.
Let's look at it from their perspective. Right. Okay. Yeah. Let's say I want to swap a SIM.
Okay. Well, why would you want to do that? Well, I may want to do that to gain access to someone's
cryptocurrency wallet, to gain access to someone's social media accounts, or maybe to intercept
their SMS-based two-factor authentication.
Okay.
So basically you're taking over someone's phone number.
Right.
And the way I do that is with something called a SIM swap,
which is where I change the SIM in the company system
so that the SIM I have is what the company thinks is the legitimate SIM.
Associated with a particular phone number.
Right.
Associated with the account, actually.
Yeah.
Okay.
And the phone number.
That's right.
So now let's say I log into my financial website and I get a text
message sent with a code. That code doesn't go to me any longer. It goes to the holder of the new
SIM. Right. Right. Okay. Yep. So as a bad guy, I can call the phone company and I can socially
engineer my way into someone's account and say, okay, well, I've got a new SIM card.
Here's all the information.
Please set it up.
Right.
But then if I want to do that again, I have to start the process all over.
Who has time for that?
That's very labor intensive, and who has time for that?
So what these guys have realized is that it's much more efficient
just to gain direct access to the systems that these telecom providers use.
One of the systems that Verizon uses is called Omni.
Omni is a customer service tool that helps you manage your customers.
But if you have access to an Omni system, you can effectively change the SIM information for any of the customers at Verizon.
And the access to these systems isn't just, for example, at a Verizon store.
Right.
So their third-party providers would have access to this.
There are third-party providers out there that have access to the system.
Right.
And that's kind of important for the business, right?
Because Verizon may not want to put locations all over the place.
They may not want to incur that expense.
So they say, you can be a Verizon reseller.
Right.
Right?
And we'll give you some cut of whatever revenue and everybody's happy, right?
Yeah.
It's good American business.
And you need to be able to activate devices.
Right.
So you need access to the SIM information.
Correct.
And you may need to help customers when they come in and they've lost their phone and you need to give them a new phone or a new SIM.
Yep.
Something's happened. So there are absolutely legitimate business cases that are
essential to the operation of these telecoms. So they're phishing the resellers and actually
the telecoms themselves trying to gain access to these systems so they can make these changes
whenever they feel like it. And they're trying to be persistent with their access as well.
So I know somebody works for one of these companies.
I phish them in order to get access to this system
that allows me to basically do as many SIM swaps as I want to.
Right.
Because I'm in the house, right?
You're in the house.
Inside.
Yeah.
Yeah.
I also wonder, I mean, is this,
could this be as simple as going to one of these third-party
providers, finding somebody who works there who's not exactly on the up and up, perhaps has the
moral flexibility that by slipping them a few bucks, they can, you know, take a lunch break,
walk away, and give me access to that terminal. Yeah, we've seen stories about insider threats
on these before as well. And the insider threat is a lot more difficult to protect against.
There is a very simple way to protect against this,
and that is for all of these companies to use a hardware token
for two-factor authentication.
That way, an attacker who phishes one of your reps
or maybe a third party's rep, just require everybody,
even third party reps, if they access this system,
the system that can change the internal system of our operations,
then you need to have a two-factor that is based on a hardware token.
I imagine a lot of this has to do with the acceptable risk
and the velocity of business being done.
Because if I require all my third-party folks
to use some kind of two-factor on their own use,
that could slow things down.
It could cause lines at the stand at the mall.
People are unhappy.
My resellers are unhappy.
And it's harder for me to do business.
Yeah, well, the two-factor authentication with the token is remarkably fast.
It's not a big overhead.
Right, but I could see if I lose that token,
and now I can't sell any phones for the rest of the day until I get a new token.
That's an issue.
That is an issue.
That's correct.
Right.
We're going to see which companies value the customer more by putting this requirement on the system.
Yeah.
I think it's pretty obvious that that needs to be done.
This is big, and the damage to the individual customers is going to be devastating.
Yeah.
It can be devastating.
Now, how can individual customers protect themselves? Obviously, use a password manager. That's always my number two piece of
advice. Use some factor of two-factor authentication is my number one advice. But my number two advice
is use a password manager so that you have complex and different passwords for everything.
If one of your accounts does get compromised, it's not going to be a huge problem that spreads for you.
Also, use a two-factor authentication on all your accounts and try to make that either a
software token or a physical key. Yeah, yeah. Well, in this article, they point out that a
spokesperson from Verizon said in an email, they said, we're aware of recent fraud campaigns
that target some employees and
others using social engineering. Verizon is fully engaged in these issues. We're continually working
to improve our security controls and are implementing enhancements in response to
activities like this. Yeah. Verizon generally does a good job with security. Yeah. They're a security
leader in the telecom industry. They actually publish a report that is one of the leading
reports. So when Verizon says we're on it, I kind of think they're on it. Yeah, given the benefit
of the doubt. Yeah, I do. Yeah. All right. Well, it's an interesting development here. Joe Carrigan,
thanks for joining us. My pleasure.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening. We'll see you back here tomorrow.