CyberWire Daily - Social engineering and the power of brands. Insecure check-ins? APT10 is quiet but not gone. MacOS Keychain bug. Assessment of Chinese device manufacturers continues.

Episode Date: February 7, 2019

In today’s podcast, we hear about social engineering, with a few new twists. Some airlines may be exposing passenger data with insecure check-in links. APT10 may be lying low, for now, but the US Department of Homeland Security expects the cyber spies to be back. A researcher finds a macOS Keychain bug, but would rather not tell Apple about it. Governments in Europe and North America continue to assess risks associated with Huawei and ZTE. And a Trojan hides in The Sims 4. Awais Rashid from Bristol University with thoughts on the challenges of securing smart phones. Carole Theriault explores recent concerns over popular video app VLC Player security issues with Sophos’ Paul Ducklin. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_07.html  Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Social engineering with a few twists. Some airlines may be exposing passenger data with insecure check-in links. APT10 may be lying low for now, but the U.S. Department of Homeland Security expects the cyber spies to be back.
Starting point is 00:02:11 A researcher finds a macOS keychain bug, but would rather not tell Apple about it. Governments in Europe and North America continue to assess risks associated with Huawei and ZTE. Carole Theriault reports on the security of a popular video player's update mechanism, and a Trojan hides in The Sims 4. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 7th, 2019. There are a few fresh, or at least not yet entirely stale, approaches to social engineering out in the wild.
Starting point is 00:02:51 We'll begin with a variation on the familiar tech support scheme. Security firm Symantec has found one in circulation that does a moderately good job of mimicking Symantec's own Norton security software's conduct of a system scan. If you're watching, it casually goes through its paces. It looks more or less like the genuine article, but instead of scanning for problems, it's installing them. Whoever's behind the spoofed approach is using it to trick people into downloading malware, or at the very least, the sort of junk we've all come to call potentially unwanted programs.
Starting point is 00:03:25 Researchers at Akamai have reported finding a phishing campaign that uses Google Translate to obtain Facebook and Google credentials. It's convincing in the way it spoofs two well-known brands to build up the victim's trust. It also uses Google Translate to hide what it's up to behind the gibberish. The scam runs something like this. The victim receives an email that purports to be a notification from Google that a device somewhere has newly logged into the victim's account and that they sure hope it's you, the victim.
Starting point is 00:03:57 You're then invited to follow a link to verify that the login is legitimate. If you do this, the malicious domain of a credential harvesting page is loaded via Google Translate. You will, of course, be invited to sign into your Google account. It may not stop there. There's a good chance you'll subsequently be wafted over to a bogus Facebook login page, because, of course, you'll want to keep that account secure as well, no?
Starting point is 00:04:22 Be careful of such alerts. Akamai says the fraud looks pretty good on a mobile device, but it's much less convincing on a laptop or desktop. A well-known video player software package recently raised eyebrows with how they've chosen to implement updates. Our UK correspondent Carole Theriault has the story. Well, developers at the popular open source video player VLC have defended a decision not to use HTTPS for software updates. This has upset some of their users. I reached out to Paul Ducklin of Sophos' Naked Security to find out if they're actually doing security properly. Duck, thanks so much for taking the time to chat with me today for The Daily.
Starting point is 00:05:08 Now, according to Eduard Kovacs' article from SecurityWeek, the VLC open source video player communicates with its server over HTTP, not HTTPS. And some people are in a big hoo-ha about this. So what's going on here? Oh, is it the end of the world? Shouldn't we all be using HTTPS now? Well, there are kind of three parts to this. There's the whole idea of using HTTPS is not just that you encrypt the transaction
Starting point is 00:05:37 so no one knows what it is you're looking at and people can't, but also that it's authenticated so that nobody can tamper with it along the way. So that's great. When you're viewing a website, you want to see the padlock, you want to think, get a fighting chance of knowing you're on the right site, and you want to be sure that what you're seeing wasn't fiddled with along the way. So the news you're reading is as it was served up. Okay.
Starting point is 00:06:01 So obviously, when you're doing a web download for an update, it would be nice to use HTTPS because you get those properties. However, it seems that what VLC are doing is another step that if they weren't doing but were using HTTPS kind of would get forgotten about. They have a digital signature in the file you actually download. And in a way, if you could only pick that or HTTPS, I'd take the digital signature in the file because it stays with the file after it's downloaded. Okay, explain to us how that works. Well, the idea is when you do an HTTPS connection, basically your browser and the web server do a kind of cryptographic dance to agree a security key, to check the certificates out, figure out, yes, I'm probably on the right site. And then what you get is basically a network connection that is scrambulated, encrypted. Gotcha.
Starting point is 00:07:00 Then you just talk regular old HTTP over that encrypted connection and nobody can see inside. So they don't actually, if they're sniffing the traffic, they don't even know whether you're talking HTTP or whether you're sending email or what you're doing. So in other words, TLS is short for transport layer security. And it's about securing the network pipe during the time that you're connected to a website and during the download. It doesn't say anything about the integrity of the stuff you download after it arrives. So, of course, I could get something bad but delivered to me securely. Yes. And indeed, you'll find these days now that HTTPS certificates are easy to get through a service like Let's Encrypt,
Starting point is 00:07:45 that an ever-increasing proportion of phishing sites will set up a temporary web server. They'll go and get a free certificate. Now, those certificates only last three months, just for safety's sake. But, you know, a phisher needs, what, three hours, three days, three minutes? So increasingly, phishing sites have the padlock. They have the certificate. The certificate says, yes, this site really is called you've never heard of me before.com. So just looking for the padlock alone is not enough. Although what we usually recommend people
Starting point is 00:08:16 do is if there isn't a padlock, steer clear of the site, because who knows what's going on? And who knows whether what you're seeing is actually what you're supposed to see. In the case of downloading an update, however, you download the file. If someone tampers with it along the way, then there's a secondary check done by the update process. And in an ideal world for software updates, you want both. Yes. So what we're basically saying, and I think we agree, VLC, good job that you're checking the file, but maybe also implement HTTPS because it's just good for all of us. Agreed.
Starting point is 00:08:53 HTTPS alone would not be enough. Right. The absence of HTTPS just draws attention to them and raises a whole load of questions that I think it would be much easier for them if they didn't have to answer. Yeah, and they wouldn't have to be dealing with this little nightmare on Twitter at the moment. Yeah, and going, oh, well, she'll be right, folks. It's really not too bad. You know, are you sitting comfortably? Here's the explanation. Best defense, not be there. I couldn't have said that better myself. Thank you, Paul Ducklin
Starting point is 00:09:23 from Naked Security at Sophos. This was Carole Theriault for the CyberWire. Don't forget you can catch Carole Theriault on her podcast Smashing Security, along with her second banana sidekick, Graham something or other. Check it out. Air travelers, take note. Links airlines send for online check-in may be insecure. Security firm Wandera has published a study of some 40 global air carriers
Starting point is 00:09:48 and found that eight of them put passenger data at risk by using unencrypted links. The U.S. Department of Homeland Security commented that China's APT10 has been quieter since two of its alleged operators were indicted late last year. But DHS is pretty confident APT10 hasn't gone away and will be heard from again. Among APT10's more prominent activities last year, according to Recorded Future and Rapid7, was a campaign against Norwegian managed service provider Visma. Microsoft Security thinks otherwise, and that the threat actor in this case was APT31, also known as Zirconium.
Starting point is 00:10:30 A researcher has found a macOS keychain zero day, but he won't share it with Apple until Cupertino sets up a proper bug bounty program. The researcher says he's not greedy, nor is he angling for a big payout, but he thinks bug bounties are the proper way to handle disclosure of vulnerabilities researchers uncover. Huawei seems likely to be excluded from Canada's 5G. It seems, the South China Morning Post reports, more a matter of when than if. In Germany, it's still looking like an if, but trending conditionally toward when. Deutsche Welle says that Berlin is taking its time and that a decision to use Huawei gear would amount to an act of faith. Chancellor Merkel wants assurances from Beijing
Starting point is 00:11:16 that the sort of intelligence and security collaboration Chinese law enjoins wouldn't, in fact, be required, should Huawei be permitted to play a major role in Germany's telecommunications infrastructure. Huawei's smaller counterpart ZTE has also come in for its share of hostile scrutiny. Czech cyber officials said earlier this week that the company was unlikely to be invited to participate in Prague's build-out of the nation's telecoms infrastructure. And some U.S. senators, notably Senator Rubio, Republican of Florida, have been making noises about the potential security threat ZTE represents.
Starting point is 00:11:54 The Chinese companies, and Huawei in particular, are undertaking various measures to mollify their critics. They are receiving some support in this effort from various telecommunications providers who would like to continue to use equipment they find affordable and reliable. The latest European telco to side with Huawei is Turkey's Turkcell, which says that while security is of course an important concern, it's unfair to punish a company for uncorroborated allegations. In Poland, where a Huawei representative has been accused of spying,
Starting point is 00:12:27 the company has offered to establish a security center that would allay fears that the device manufacturer was a reliable collaborator with Chinese intelligence. In the UK, where a widely reported but as yet unreleased report from the GCHQ office, charged with monitoring Huawei as a security risk, is expected to be harsh. Huawei has written a letter to Parliament in an attempt to manage expectations. Since GCHQ is expected to say that Huawei has delivered on few to none of the promises it made to address security concerns, Huawei has preemptively answered by telling Westminster
Starting point is 00:13:03 that it will really need three to five years to do everything the security watchdogs expect of it. And finally, there's a story of an electrical provider breach in South Africa. Johannesburg-based Eskom, which says it provides 95% of the electricity consumed in South Africa, has sustained a breach that has two causes. The first is a familiar one, an unsecured database holding customer information. The second issue has to do with an AZORult Trojan on a company computer. AZORult is an information stealer. How did it get there? Well, according to Bleeping Computer, the malware was misrepresenting itself as a downloader for the Sims 4 game.
Starting point is 00:13:49 Presumably somebody needed a break. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:14:30 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:15:03 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:15:44 digital executive protection platform secures their personal devices, Thank you. And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, welcome back. We wanted to talk today about some thoughts you have on some of the challenges folks are facing when it comes to securing their smartphones. What do you want to share with us today? So the challenges of smartphone security and privacy are highlighted by a lot of people over the years. highlighted by a lot of people over the years. We know that, you know, often users struggle to set up their smartphones to keep their data private when they don't necessarily want it to be shared.
Starting point is 00:16:51 There is also analysis that, for example, you know, third-party applications on smartphones can potentially also leak information. I think one thing that has not been studied very well to date is as to what is the impact of the default features that manufacturers often provide. So, you know, the examples of these would be default location services, things like iCloud, Google Assistant, you know, or ad tracking, for instance. And some of the recent work that we have done actually shows that the users find it really,
Starting point is 00:17:19 really hard to understand the features that actually even manufacturers build into the phones, and what is the impact on their privacy from using these features. And so what are the solutions here? Is this a matter of education, awareness, or do governments have to get involved? So I think there are multiple solutions. We can't always push the burden onto the users, because as a user, what you want to do is you want to get your phone, you want to enjoy it. And for instance, you know, when you are setting up your new phone, you're quite tempted to skip, you know, all those settings that you are being asked about because you want to now use your new device that you bought and
Starting point is 00:17:58 you want to start using its functionality. But also, you know, a lot of the times, it is not particularly clear to users as to what happens when they are utilizing a feature. So, for instance, let's take Apple as an example. When you get a new smartphone, you are told that you ought to be signing into iCloud and so on and so forth. And now, increasingly over the years, Apple has started to make the implications of that much clearer. But still, it's not really very, very clear to users as to what the opt-out necessarily means for them, what may happen when they opt in. But also, if you don't set it up,
Starting point is 00:18:37 then you keep getting these reminders that you ought to set it up. And it's very, very hard for users to actually understand how much information to give up to gain the benefits that they ought to be gaining. And in fact, we don't really provide enough of that information. Regulation is one possible way of doing it. But, you know, it has been shown that, for example, consent and so on alone does not actually really empower users. A lot of, I'm not just suggesting mobile manufacturers, a lot of services use opt-out mechanisms, which are a really poor way of actually encouraging users to give consent
Starting point is 00:19:13 because you basically go, do you want to opt out? If no, you can carry on. And the easiest path is to carry on. So there's a lot of scientific research around this to highlight as to what are the implications of these kind of mechanisms that then almost guide users towards making a choice which is not necessarily best informed and is not necessarily empowering. It seems to me like some of the app developers in particular take advantage of that anticipation. You want to get to using that app as quickly as
Starting point is 00:19:45 possible, but then there's a kind of a set it and forget it problem where you may give permission once for that moment when you want to use that app, but that setting is there for the rest of the time you have that app installed on your device. Absolutely. And many times users would agree to an initial default setting, thinking they will go back and change it. But then over time, you just simply forget you're going to have to change it. Similarly, in some cases, for example, devices would show that even manufacturers would show that your device setup is not complete because you haven't signed into a particular service. But you don't actually need that service to continue to use the device properly. However, there is this kind of mental burden on you to
Starting point is 00:20:25 say, well, actually, you haven't finished yet. You need to come back and finish it. And the only way you can get rid of that message is by going and signing in when you don't necessarily need to sign in. And many times, actually, it's not even app developers. It's how we present permissions to users. So for instance, you might download an app and it says it needs access to your photos, for instance. And it may not be that it needs access to your photos. It needs access to some storage, which requires it to store maybe some images in your device. But as a user, it's not clear to you why should it really have access to that storage? Why does it need access to that storage?
Starting point is 00:21:00 And I think the ecosystem is very complicated. There is a lot of value in it. But equally, we don't necessarily make it easy for users to understand what they are giving up, how much they ought to be giving up, and what's the benefit do they get. It's going to be interesting to see how this plays out over time. Awais Rashid, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and
Starting point is 00:21:46 ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:37 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Valecki, Gina Johnson, Bennett. Thanks for listening. We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com
