CyberWire Daily - Telnet may not be the backdoor you’re looking for. Large PII database left exposed by parties unknown. DHS has a Critical Functions List. ISIS inspiration is back.
Episode Date: April 30, 2019
A backdoor turns out to be a familiar kind of Telnet implementation (and it was fixed seven years ago in any case). A large database of US household personally identifiable information was found exposed online, but who owned it remains unclear. The US Department of Homeland Security releases a Critical Functions List. ISIS's sometime Caliph is back online. And piracy streaming is loaded with malware. Who knew? Craig Williams from Cisco Talos on their research into malware markets on Facebook. Guest is Dean Pipes from TetraVX on the root cause of shadow IT. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_30.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Vulnerable peer-to-peer software exposes consumer and small business IoT devices to compromise.
A hacker says he's hacked automotive GPS trackers, all for the good, of course,
and could even turn off a car's engine.
Not, you know, that he would.
Sri Lanka warns of the possibility of more violence,
and journalists wonder if prior restraint of certain speech might be worth considering.
Curating app stores for security,
and potty-mouthed scooters on Brisbane Street.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 30th, 2019.
A Bloomberg report of backdoors affecting Huawei-manufactured Vodafone equipment seems to point out at worst
carelessness and not the malice that backdoor has come to suggest. Huawei denies putting backdoors
into the gear, telling ZDNet that this isn't about backdoors at all, but rather about old
vulnerabilities that were fixed, as the Bloomberg piece mentions, when those vulnerabilities were
noticed back in 2011 and 2012.
The back door is apparently a familiar Telnet issue.
In fact, the Vodafone deployment seems to have been a fairly routine Telnet implementation.
Vodafone itself was quick to object that it hadn't been done wrong by Huawei.
Huawei pointed out in its own defense that not only were the vulnerabilities closed years ago, which would make this report more old news than news, but that it was Telnet and that every IT company has faced
these issues in one form or another. We'll quote the Register since their take on the story is clear
and memorable. Quote, characterizing Telnet as a backdoor is a bit like describing your cat flap
as an access portal with no physical security features that allows multiple species to pass
We're not exactly sure what over-egging a pudding actually means.
We think it's probably an English thing, like having spotted dick with your buttered crumpets.
But we're pretty sure it involves exaggeration, like trying to sell someone a plastic spoon by calling it not just a
utensil, but an eating solution. So sure, we've heard stuff like that on trade show floors, so be on
the lookout for unnoticed Telnet. We knew someone who once found that a local raccoon was using the
cat flap in her side door to backdoor the cat's food dish,
then wash his hands and go back about his business.
The raccoon didn't over-egg it either.
We think some algorithm let him in, but the raccoon's not talking either.
There's much eye-rolling and significant throat-clearing going on in the security sector's Twitterverse,
with many of the cyber birdies tweeting that they're reminded of another Bloomberg story not so long ago about hardware backdoor spy devices
inserted into the global supply chain by Chinese manufacturers.
Except that time, no one could seem to find the wee bugs.
But Telnet? Sure, that's a thing.
Only it's an old, familiar, known thing.
So while many remain deeply suspicious of Huawei,
this isn't evidence that the manufacturer is serving as cue for the Chinese intelligence and security services.
Forget it, Jake. It's Telnet.
The odd case of a large database holding PII affecting some 80 million U.S. households
prompts concerns that identity thieves have
already hit some kind of jackpot. vpnMentor, whose researchers discovered the exposure,
says no one knows who owns the database, but the data suggest online commerce.
The database includes both geolocation and personal data. Among the items are street
addresses and latitude and longitude. It also includes full
names, ages, and dates of birth, and interestingly, the researchers couldn't find anyone under 40 in
the database. It also lists gender, marital status, income, whether the individual described is a homeowner,
and what kind of home they live in. So whoever had the data had some fairly clear demographic
interests in a section of the American population.
Microsoft this morning said they'd taken down the database and notified its owner,
but they haven't said yet who that owner was.
Shadow IT is often described as employees of an organization taking on technical tasks on their own
in order to circumvent what they perceive as roadblocks or speed bumps
set up by the actual IT team in the name of security.
Shadow IT isn't necessarily malicious, but it does come from the inside,
which ups its potential for serious consequences.
Dean Pipes is chief innovation architect at TetraVX, a provider of digital workspace collaboration tools.
Businesses want to be able to move their strategic initiatives forward faster. And more and more
people coming in, even with a business focus in their education and career, are also
bringing with them a large amount of technical expertise, whether it's through their own consumer
electronics or their own study. So when IT is not acting in an agile and responsive manner, when IT doesn't provide enough funding
to support all of the strategic initiatives, the business tends to try to do things on its
own.
Yeah, it strikes me that I suspect a lot of shadow IT happens not out of bad intentions.
It's simply people are trying to get their work done and they
want to do it as quickly as possible. Absolutely. And sometimes they don't understand why an IT
department might take a little more time to figure things out. They just dive right into it. Today's
cloud-based platforms and technologies have become so much more user-friendly. There's a lot less
required technical skill set to set up a new environment.
So what do you suppose are the driving forces behind this issue that we're facing here?
It's a conflict between IT governance. That means a variety of different things, right? That means data security or information security. It means controlling access to information, even within
your own organization. It can also mean the choice of technology being used to apply to a given platform.
There's a lot of technology sprawl that's happened in a lot of application environments.
So IT struggles with making sure that where we add this capability, it makes sense,
it's sustainable, it can grow. But then on the flip side, the business just wants to move forward.
People have initiatives that make sense, that actually will generate revenue or create a better
communication with their clients and retain clients and grow business with existing clients.
Therein, I think, lies the conflict. Yeah, I hear this notion that sometimes IT is considered
the department of no. If I go to IT, they're just going to tell me,
no, I've got work to do. So I'm going to try to solve this problem on my own.
IT is traditionally not out there in the market, understanding how quickly things can change and
how many disruptions can be occurring at a given time. Sometimes that answer of not right now or
not this year could mean the difference between profitability and growth for an entire organization. So the department of no has to figure out how to say,
wait, let's look at this. This could be the department of yes, but only within these
constraints. IT departments are also traditionally not big risk takers. Historically taking big risks
in IT has led to everything from system instability to pretty prominent data
breaches and regulatory violations depending on the industry they're in. IT is not going to say
fully 100% yes to something without having studied it. Where I'm going with this is there's a lighter
weight version of how you study this and how you enable a business initiative to move forward
without so much scrutiny, without
so much heavyweight governance. It's almost like you have to go through and rethink some of your
processes and figure out, is there a way we can fast track this? It's a two-way conversation,
though. A business has to come forward with a business case that doesn't have every bell and
whistle and every possible solution built into it. It's focused in on the core objectives,
the core outcomes that are being sought, so that IT can focus in on the key tools, technologies, or approaches that could
help the business get there more quickly. That's Dean Pipes from TetraVX.
U.S. Secretary of State Pompeo said this week that defending U.S. elections against Russian
meddling will be a very long game. He warned that Russia will remain a threat to U.S. elections for decades.
The U.S. Department of Homeland Security has issued a critical functions list
describing 55 areas that must be protected from cyber attack.
It's a longer and much more comprehensive list
than the lists of critical infrastructure that preceded it.
But DHS says, plausibly, that it actually
represents an opportunity to focus attention on clearly prioritized risks and to see the
implications that activities in one sector hold for other sectors. And it seems that cyber attacks
narrowly conceived, as hacking proper, aren't the only cyber risks the new framework will consider.
Information operations are also clearly a matter of some concern.
ISIS leader Abu Bakr al-Baghdadi made a rare appearance in the terrorist group's Internet channels
to promise a worldwide wave of attacks in revenge for the caliphate's extinction in the territories it once controlled.
He praised the Sri Lanka murders as the first wave of reprisal.
It's noteworthy that it's territorial loss
and not the massacre of Muslims at prayer in New Zealand last month
that gave al-Baghdadi his pretext for reprisal.
This is thought to be al-Baghdadi's first appearance online since 2014.
He's reclusive, as he well might be,
given that he's wanted throughout the civilized
world. And finally, in a dog bites man story, Naked Security is pointing out that apps designed
to stream pirated content are positively teeming with malware. Among the most common varieties are
credential stealers and bot wranglers. Who knew? Well, you knew, right?
So, stay away from the pirates, mateys.
Arr.
And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco.
Craig, it's great to have you back. I wanted to catch up with you.
Not long ago, your team published some work that you titled Hiding in Plain Sight.
And this is about some stuff you found on Facebook with criminal groups using Facebook to communicate with each other.
Well, this is really the interesting thing about this specific campaign is that really, you know, Facebook's secret sauce,
I think a lot of people would agree, is its ability to bring communities together.
Now, normally, if that were like, hey, let's go exercise outside or let's go bake muffins,
right? People with those similar interests coming together would be a good thing,
right? Everybody wants better muffins and more dog parks and Frisbee games, right?
Now, the bad thing happens when we have these groups called like spam professionals
or learn to hack, right?
We've got a list of the 74 different groups that we tracked during our investigation in the post.
And unfortunately, when someone joins one of these groups,
that same core algorithm that would recommend like, say, other banking groups recommends other groups involved in criminal activity.
Of course it does.
Right.
And so, you know, it led from people going from, like, a hacking forum, then it would
suggest a carding forum where people can buy and sell stolen credit cards or stolen accounts
or even fake IDs. We even saw people conspiring to,
well, seemingly conspiring to exchange money, presumably from some sort of criminal enterprise from one country to the other. Those are really fascinating, especially around the fees involved.
You know, people would talk about 30, 40%. And we even had a screenshot, I believe,
in the blog of someone offering to do up to a million dollars
of, I guess, effectively money laundering.
Now, when I think of these sorts of groups, I immediately go to the dark web.
And so I think it sort of raises eyebrows that this was out in the open so front and center.
I mean, were these private groups?
Was this
something that anybody could find with a search on Facebook? Yeah, so that's a great question.
You know, unfortunately, this appears to be a movement away from the dark web, you know,
and when you think about it, if you're a bad guy trying to sell your hacking tools to unsophisticated
users, are they going to be able to find those tools
on the dark web?
Right?
I think chances are no, right?
They're not going to know what the dark web is.
They're not going to know how to get there.
But what everyone can really do is use Facebook, right?
The very intuitive, anyone can pick it up and use it.
People seem to like the interface.
And so when they realize that, you know, Hey, this is the number one social media tool in
the world potentially, and it's got billions and billions of users. Well, that gives them a lot of room
to hide in plain sight. You know, the reality is, even if one-tenth of 1% of the users on Facebook
are, you know, up to criminal activities, that's still going to be a much higher number than we're
comfortable with, just simply due to the size of the site. And it's going to make it that much harder for them to be discovered. You know, and I want to be clear here, this isn't
just a Facebook problem. You know, we see this on every major social media site, right? You know,
think back historically, we've seen people doing things like running botnets out of social media
sites, you know, using them for C2. And so what it really comes down to is if something's free on the Internet, bad guys are going to find a way to abuse it.
And the reason they're moving to Facebook to facilitate these criminal enterprises is due to the way that the algorithm works,
that it brings people together, that it will bring them people who want to buy their hacking tools,
that will bring them the people who want to buy those credit card numbers and those account numbers.
Now, what about Facebook's responsibility for oversight here?
If I spin up a new group, is there no one looking for what's going on in there?
I mean, it seems to me like, you know, some things,
Facebook wouldn't allow me to spin up a group, you know, full of porn or something like that.
So there are some filters in place.
Right. And, you know, I think every major social media site runs into this problem.
And what it really comes down to, you know, if you look at like, say, Reddit, Twitter, Facebook,
all of them have a reporting functionality. Now, I think the problem is a lot of people
aren't reporting these type of groups. They see them and they just kind of keep going,
walking the other way. Right. It really comes down to if you see something, say something.
You know, click on that report button.
Let Facebook know that these groups are up to criminal activity so that they can be taken down.
And one of the things I was discussing with some of my teammates was like, you know, imagine if you were a kid in this day and age, right?
You know, the way I got into this business was basically wanting to hack at video games, right?
And so, you know, you can imagine the line between a video game hacking forum and a criminal hacking forum is a very thin one.
And it's one that Facebook's algorithms could easily confuse.
And so one of the things that concerned me as I looked into this
was what would happen to the impressionable 13-year-old
who wanted to cheat at Fortnite,
and then all of a sudden had a system to send out spam campaigns.
Right.
I mean, those, at that age, you don't have the best judgment.
Right.
And that Facebook, through its algorithms, is sort of laying out this yellow brick road
in front of that kid to say, hey, we see you're interested in Fortnite hacks.
Have you considered going into a credit card thievery?
Right. And so that's why it was so important to us that we take action, that we reached out to
Facebook's security team to make sure that these groups were taken down so quickly. And they were
very responsive. They worked with us. So overall, it was a very successful operation. I think this
is just something that people need to be aware of. I think if we asked the majority of people
who use Facebook, do you think there are criminal users? Most of them would say no. But unfortunately,
that's not the world we live in. You know, social media sites are going to be abused, just like any
other free service on the internet. And so you need to talk to your kids, you need to talk to
your family and make sure that they realize, you know, online crime is a real crime. You know,
it can have a detrimental impact on your career. It can have an impact on your education. And so you need to be careful online.
You need to be aware of your surroundings and what you're doing. Well, the report is titled
Hiding in Plain Sight. It's on the Cisco Talos blog. Craig Williams, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.