CyberWire Daily - Spyware for states and spouses. Election hacking demos. New ransomware strains, and a clipper for Android. Airline Wi-Fi is not only irritating, but insecure as well.
Episode Date: August 13, 2018
In today's podcast, we hear about spyware in the guise of a missile attack warning app. New Dharma variant out. Android.Clipper redirects transactions to crooks' cryptowallets. DLink exploits rob... Brazilian banking customers. Utilities prepare for grid hacks, but researchers say an appliance botnet could cycle demand enough to induce blackouts. Vulnerabilities in airline Wi-Fi and SATCOM connectivity. Election hacking demos may or may not be realistic. Family spyware proves vulnerable to data exfiltration. Ben Yelin from UMD CHHS on police using facial recognition software to nab a suspect.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
There's a new Dharma variant out. Android Clipper redirects transactions to crooks' crypto wallets.
D-Link exploits rob Brazilian banking customers.
Utilities prepare for grid hacks, but researchers say an appliance botnet could cycle demand enough to induce blackouts.
Vulnerabilities in airline Wi-Fi and SATCOM connectivity.
Election hacking demos may or may not be realistic,
and family spyware proves vulnerable to data exfiltration.
From the CyberWire studios at DataTribe, there's no place like home.
I'm Dave Bittner with your CyberWire summary for Monday, August 13, 2018.
The Jerusalem Post reports that security company ClearSky says Hamas has been trying to install a bogus version of a missile warning app on Israeli smartphones.
The app is a multifunctional one designed to record conversations, take pictures, send texts, and geolocate the infected phone. ClearSky doesn't think this is a one-off attempt, but rather represents a coming trend, and it urges smartphone users likely to be targeted to remain alert.
A new variant of Dharma ransomware is now circulating in the wild. It appends a .CMB extension to the files it encrypts. Like other strains of Dharma, this is installed manually by exploiting Remote Desktop Protocol. There's no decryptor available yet, and as always, the first defense against a ransomware attack is secure, reliable, regular backup.
Security firm Dr.Web reports that a version of Clipper for Android is in circulation. As its name suggests, the malware replaces crypto wallet addresses in the victim's clipboard with addresses that redirect to the criminals' wallets. Dr.Web says that Android Clipper is being actively hawked in the usual dark web markets, and that the criminals who purchase it package and distribute it under the guise of a legitimate app.
The good news is that the Clipper Trojan is readily detectable,
but one needs the right tools to do so.
Radware reports that vulnerable D-Link routers are being exploited by criminals
to send people to bogus Brazilian banks where they're defrauded of their cash.
This particular scam is being operated largely against victims in Brazil itself.
The caper depends upon the criminal's ability to induce remote,
unauthenticated changes to some D-Link modems and routers
so that their DNS settings point to a DNS server under criminal control.
It's an insidious form of attack because it doesn't rely on, for example, phishing emails
that an alert user might spot.
The exploit is in the modem or router, and the end user might be quite unaware that it's
taken place at all.
The users are redirected to spoof banking sites that are said in general to be quite convincing.
Utilities remain on alert for expected cyber attacks.
In the U.S., the Tennessee Valley Authority, a large power provider, is taking steps to secure itself against hacking.
Such attacks may not be as direct as expected.
Princeton University researchers report results
that suggest a botnet of home water heaters and air conditioners could cycle power demand
rapidly enough to disrupt a significant portion of the grid.
An IOActive researcher has demonstrated the ability to hack not just in-flight airline Wi-Fi,
but the satellite communications network they and other aircraft systems depend on.
When initially performed in November of last year,
the demonstration did not succeed in compromising any aircraft avionics or safety systems,
which were prudently and properly isolated from onboard Wi-Fi.
But the proof of concept did show that an attacker could access personal devices connected to the Wi-Fi network. It also showed that a botnet was capable of brute-forcing a SATCOM router, and this is the issue with more immediately disturbing potential.
Last week's Black Hat and DEF CON conferences saw a number of reports on proof-of-concept hacks.
These are demonstrations and not attacks found in the wild, so how likely they are to appear in the wild you may judge for yourself.
One of the proofs of concept presented by Nuix looked at five vendors of widely used police body cameras. They all had vulnerabilities, but all except one had a particularly disturbing potential for remote access and manipulation of the images the cameras capture. Thus, it would be possible for criminals to either alter or delete body camera footage to suit their purposes. All five devices tested were found susceptible to many of the usual sorts of vulnerabilities found in mobile devices, especially vulnerability to geolocation.
Also at DEF CON was a hacker village that challenged young students to hack a voting machine.
It was a demonstration voting machine, not an actual article, but the DEF CON types who constructed it behind the Wall of Sheep say that it was a representative copy. It was especially representative in terms of the vulnerabilities it had.
The National Association of Secretaries of State, the NASS, applauded the Wall of Sheep village for its interest in election security, but said that they really should be aware of all the security enhancements its members have performed.
Secretaries of State, for our non-U.S. listeners and for those U.S. listeners who snoozed through high school civics class, you know who you are. Well, they're state officials whose responsibilities include administering voting. They're not to be confused with the U.S. Secretary of State, whose responsibility is foreign policy.
The NASS also deplored creation of mock websites, trials on specially created demonstration equipment, and failures to appreciate the difference between preliminary results, which are more hackable, and actual counts, which are less hackable. But the group does invite the white hat community to contribute their expertise, if not their sixth graders, to the work of keeping elections secure.
And finally, one would think that the practice of taking risque selfies
might have gone into eclipse after the exposure and arrest
of former U.S. Representative Anthony Weiner.
He is, you recall, the Democrat of New York,
who so disported himself behind the inadequately anonymized nom de mort, Carlos Danger.
Alas, think again.
DEF CON saw a presentation by researchers from Germany's Fraunhofer Institute for Secure Information Technology, who delivered a presentation called "All Your Family Secrets Belong to Us: Worrisome Security Issues in Tracker Apps."
They looked in particular at one app, CoupleVal, designed to enable partners to keep tabs on one another without the expense and embarrassment of hiring a private eye.
They found that making a simple GET request of the app server was enough to serve up user information.
The information the researchers accessed included not only intimate pictures best shared between couples who trust one another enough to not use CoupleVal, but 1.7 million passwords, too.
The app is available on Google Play, and the researchers are awaiting a reply to their inquiries from Google.
Maybe they could hire a private eye.
Joining me once again is Ben Yelin.
He's the Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
Interesting story came by about driver's license photos being used by police for identification with facial recognition software.
This was right in our backyard in Hagerstown, Maryland.
What's going on here?
Yes, this is a fascinating incident.
So what happened in Hagerstown, a woman was a victim of a robbery. She didn't have any information on the individual who robbed her except his first name and the fact that they had communicated on Instagram. So she had the Instagram profile. She provided that picture to law enforcement. Law enforcement cross-checked that photograph with the state's driver's license database and using their facial recognition software were able to identify the perpetrator.
He has been arrested and charged.
And this is a legal law enforcement procedure.
It's legal in 31 states within the United States.
The Georgetown Center for Privacy and Technology estimates that in 2016, there were facial images of 117 million U.S. adults within our law enforcement database.
Just to give you some context, I would guess that's about half of all of American adults.
That's probably pretty problematic for some people to hear.
From a legal perspective, I think this is on very solid constitutional ground.
You and I have talked a million times about the third party doctrine, the legal principle that says that if you voluntarily submit information to a third party, you have forfeited your reasonable expectation of privacy for that information. And even though the Supreme Court decision we talked about last week in Carpenter cut against the third party doctrine in some ways, the core of the doctrine is still good law, is still in existence.
And this is sort of the textbook case. I think one of the law enforcement officials who's worked with facial recognition software says, look, when you go into the DMV, or as we call it here in Maryland, the MVA, and take that driver's license picture, you know darn well that that's going to go into a state database. They're going to have that photograph. You lose your expectation of privacy in that image. And whatever happens with that image, whether it's cross-checked against an Instagram post or, you know, used in some other way to identify you as the perpetrator of a crime, once you take that photograph, it's out in the public sphere.
Whether that's fair or not, I think, is an interesting question.
We all have to drive to get to our work,
to go about our personal affairs,
and to drive, we need a driver's license.
And to get a driver's license, we need to have our picture taken.
But the logic is that if you really wanted to stay off the grid
and you really wanted your face not to be in this facial recognition system,
then you do have the option of not getting a driver's license.
You could take the bus.
So that's the logic there.
Exactly.
Take the bus, live off the grid, move into the woods.
But once you're on the grid, once you're part of this system,
this is sort of, you know, the consequence of making that visit to the DMV.
So I think it's on solid legal footing,
even if it seems like a pretty big invasion of privacy.
So I guess what's particularly interesting here is that cross-referencing with a social media source to the state database.
Yeah, be careful who you communicate with on Instagram if you decide to commit robberies. I mean, the facial recognition software is stronger than it's ever been. It's more effective than it's ever been. It can identify square millimeters on your face. It's become more of an exact science.
So a person really is making a series of choices that leads them to be eligible for prosecution based on facial recognition.
The first choice is to go to the MVA, to go to the DMV and get one's picture taken for a driver's license.
And the second choice is to have your picture available on social media websites. If you're sharing your information there, that information is bound to become public. It's really a note of caution. If you don't want your image to be widely available, then look at that social media platform's privacy policies and restrict that image as best you can. But if it's out there, it's certainly fair game for law enforcement, especially when the victim of the crime was able to identify the perpetrator.
Yeah. All right, Ben Yelin, thanks for joining us.
Thank you.
and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.