CyberWire Daily - US IC on cyber threats. Iran goes after PII. UAE surveillance described. Scanning for unpatched routers. Huawei’s possible fates. Scam exploits child. FaceTime disclosure. Facebook Research.
Episode Date: January 30, 2019
In today's CyberWire, we hear that US Intelligence Community leaders testify that the major cyber threat comes from Russia, China, North Korea, and Iran. Iran's APT39 takes an interest in PII. A UAE surveillance program is revealed. Hackers scanning for unpatched Cisco routers. What Huawei faces, in addition to fines. The FaceTime bug and responsible disclosure. Facebook was paying people to pwn their phones. Scam artists exploit a small disabled girl. And the Government shutdown's mixed effect on cybersecurity. Craig Williams from Cisco Talos on PyLocky, a ransomware strain they've been tracking. Guest is Mark Orlando from Raytheon on safeguarding online information. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_30.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
US IC leaders testify that the major cyber threat comes from Russia, China, North Korea, and Iran.
Iran's APT39 takes an interest in PII. A UAE surveillance program is revealed. Hackers scanning for unpatched Cisco routers.
What Huawei faces in addition to fines. The FaceTime bug and responsible disclosure.
Facebook was paying people to pwn their phones. Scam artists exploit a small disabled girl.
And the government shutdown's mixed effect on cybersecurity.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Wednesday, January 30th, 2019.
U.S. intelligence community leaders yesterday testified before the Senate
about the threat landscape.
Cyber threats figured prominently, the Washington Post says.
Russia, China, Iran, and North Korea were specifically singled out
as aggressive and dangerous,
and as having significantly increased their cyber capabilities.
Criminal or terrorist activity in cyberspace is a less serious problem,
although the testimony did note growing systematic and opportunistic collaboration
between nation-states and criminal groups.
A new report by FireEye on Iran's APT39
discerns a disturbing new interest of the Islamic Republic's hacking unit.
It's going after personally identifiable information.
This is said to be unusual for Iranian state-directed actors,
who've hitherto concentrated on other objectives,
like trade secrets, state secrets, and access to infrastructure.
Reuters reports on a UAE program to intercept iPhone traffic and to engage in other forms of aggressive surveillance.
The UAE security program, made possible by American civilians working under contract,
became more ambitious and intrusive in 2016,
after Emirati-owned Dark Matter assumed responsibility for security work previously performed by U.S. company CyberPoint.
Some of the information collected indicated that Emirati intelligence services were targeting journalists,
American citizens, and others who would have generally fallen outside the bounds of legitimate surveillance.
The more recent activity described in the report seems to go beyond what's normally characterized as lawful intercept technology,
and its scope appears to have been more extensive than had hitherto been thought.
Last week, Cisco issued patches for its small business RV320 and RV325 dual-gigabit WAN VPN routers.
Attackers are currently scanning actively for unpatched routers, SC Magazine reports.
Exploit code has been published and users should patch.
Huawei's indictment in the U.S. could prove crippling, Wired says, if it results in loss
of access to U.S. technology. That's the same stricture that brought ZTE to the brink last year.
It remains to be seen whether the U.S. will proffer the same sort of lifeline.
A FaceTime bug is now the subject of a lawsuit.
Ars Technica reports that a Texas attorney is suing Apple because the bug allowed a deposition to be recorded.
The plaintiff says he updated his phone to allow group FaceTime calls, but not unsolicited eavesdropping.
And of course, that he suffered damages, which indeed he might have done.
The "listen in before they pick up" vulnerability was, as CNN and others note,
discovered by a 14-year-old gamer and subsequently disclosed to Apple by his mom.
Mom had trouble getting Apple to pay attention and busily woofed the news at them through every channel, apparently, she could think of, including faxes on law firm letterhead.
The process by which the vulnerability was discovered and disclosed is interesting,
especially insofar as it suggests that responsible disclosure might not be as simple as emailing a
company and telling them what you've noticed.
In this case, the bug was real, the disclosure both intelligent and responsible.
But it need not always be so.
Suppose you were contacted by the mother of a teenage gamer with the news that your product was an inadvertent piece of spyware.
How seriously would you take the disclosure?
And how often do companies get cranky disclosures?
Crowdsourcing bug hunts has certainly proved itself in practice, but suppose every PewDiePie enthusiast, those spiritual descendants of the Howard Stern fan who called in to live coverage of O.J. Simpson's white Bronco slow-mo chase so he could riff on one of Mr. Stern's taglines, suppose, we ask as a thought experiment, that Mr. Pie's followers called in bug sightings with the persistence they devote to Tide Pod challenges.
We don't know the answer here.
Perhaps bug bounty specialists will weigh in with thoughts on quality control.
Teenagers as a class are in the security news as well,
with the revelation by TechCrunch that Facebook paid them, a lot of them apparently,
$20 a month to let Facebook install an app on their phones that gave Facebook access
to essentially all the information that transited their devices.
And it wasn't just teens.
The offer was open to users up to the age of 35 and had been in effect quietly since 2016.
The software in question was the Facebook Research VPN.
It's now gone from iPhones,
removed by Facebook and blocked by Apple. For now, at least, it seems to remain available for Android devices. The data was attractive to Facebook for whatever insights it might offer
into its users, to whom, of course, it feeds advertising. This is a bad look for Facebook,
already in hot water over privacy, and looking
for indulgence in the form of the hiring of the Electronic Freedom Foundation's counsel
to come in and help them clean up data handling and privacy matters.
Several governments are raising their eyebrows over the program, and Apple is none too happy
either. The relationship between Facebook and Apple is likely to be strained in ways that will
affect Facebook adversely.
It's already revoked Facebook's enterprise certificates.
There's tension at play, of course, between the privacy implications of online social media platforms
and the legitimate benefits they provide for keeping in touch with friends and family
and staying informed about goings-on in our communities.
Mark Orlando is chief technology officer for Raytheon Cyber Protection Solutions,
and he worries about how easy it is to overshare online.
Unfortunately, as individuals and consumers and personal internet users, we're sort of conditioned at this point to overshare about any number of things through all of the various social media channels that are out there, communities like Facebook and Twitter.
But also increasingly, I think we've seen a lot of consumer services and other sites that
have social features and are using that social element and that sharing element
to expand their business model and have their customers interact with each other.
And now I think also what we're seeing is there's increasing interconnectivity between those communities. So between Facebook, Twitter, and now Amazon, and like I said, some of these other e-commerce companies and apps adopting these social features and utilizing those communities to expand their brand awareness, expand their customer base, that sort of thing.
So, you know, I think, unfortunately, if you're doing anything over the internet these days,
whether it's emailing or browsing or shopping or selling goods and services yourself,
you're engaged in some sort of social activity.
And I think the tendency, unfortunately, is to overshare rather than try to control your information,
try to be mindful of what's out there.
So I think a lot of people do it without even realizing they're doing it.
What kind of advice do you have for folks to be more mindful of it? I mean, I think a lot of what we enjoy about the internet involves sharing things and connecting with friends and family and so forth. So how do you know what the right level is to dial in?
Right. It's really tough to know where that line is.
And what I tell my friends and family is just, you know, assume that nothing is private. And while it's always good to kind of maintain awareness of what you're sharing and what the privacy settings are on your social media accounts and on your e-commerce accounts and so forth, you pretty much have to just assume that no matter what you set it to, that information is not going to remain private, even if that means it's being shared between different companies. And so, you know, really it's best to kind of err on the side of, you know, don't share anything that you wouldn't willingly post out in a public forum, even if it's with a network that appears to you to be closed.
Yeah. I remember, you know, years ago, someone saying to me, you know, don't put anything in an email that you wouldn't put on a postcard.
Right. Exactly. And I think that still holds very much to be true. I think now we're kind of, I wouldn't say fooled, but I think we're sort of
led to believe that now that there are more granular and more obvious privacy controls
with some of these sites and services, I think that kind of makes people think that it's really
true privacy and that locking down their accounts or their profiles means that they're protecting their information.
And I think that's true to a certain extent.
But as we've seen with some of the recent news stories, the Quora breach and some of the other kind of big breaches that have happened recently involving sites that use Facebook and other sites for third-party authentication,
even if you have set your privacy settings to where you think no one's going to be able to view your information,
it can still get out.
As users and consumers, we're not always aware of the value that our data has. So even seemingly innocuous data like high-level details about yourself, location,
information that can be gleaned from your mobile devices, for example,
or embedded devices, we're not always aware of the value that information has.
And unfortunately, that data, especially that data in aggregate, does have a lot of value to
various kind of nefarious groups and parties on the black market where that information is bought
and sold. So even if you don't think that a certain piece
of data that's collected from your profile or your device, for example, or your browsing history,
or your computer for that matter, even if you don't think that has a lot of value,
the fact remains that that data can still be a target and still does in fact hold value for a
variety of different parties that you wouldn't necessarily want to have access to that data.
That's Mark Orlando from Raytheon Cyber Protection Solutions.
Some scam artists set what may be a record for loathsomeness
by swiping the story and pictures of a brave little girl with cerebral palsy
to swindle sympathetic people into donating to a bogus charity
in support of medical care she doesn't need. The family shared the story of the Mighty Miss Maya,
her nickname, and her progress toward her first independent steps on Facebook and Instagram,
but for encouragement, inspiration, and joy, not for solicitation of donations.
But grifters see a child's struggles as opportunity.
Some hoods went so far as to threaten the family
with further harassment and identity theft,
unless they paid $30,000 in protection.
The criminals remain at large, but we hope they're caught,
and when they are, may their names be forgotten.
As for the mighty Miss Maya, we hope one day to see video of her dancing.
And when you see a touching appeal online, donate with due diligence.
Finally, what effect did the government shutdown have on cybersecurity?
Virginia's Senator Warner has asked Homeland Security Secretary Nielsen for an accounting,
and no doubt one will be forthcoming.
But Security Scorecard has issued a preliminary assessment and it's surprisingly mixed.
Sure, there were all the expiring certificates
and to be sure a full understanding of what went on
will await more extensive study,
but at least two important areas showed a distinct improvement.
Patching and application of endpoint protections
both rose noticeably and those are good things.
Why that happened is a matter of speculation,
but the Washington Post's informed guess is as good as any we can think of.
IT staffs were less distracted by urgent but unimportant requests from the people they answered to,
and so could devote time and attention to patching and upgrades.
So is this evidence that a lot of the GS-15s who stayed home
were in fact non-essential personnel in some more than formal sense?
Couldn't be. This isn't a Dilbert cartoon after all.
At any rate, bravo to the IT staffers who made hay while the sun shone.
And I'm pleased to be joined once again by Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, it's great to have you back.
Your team has been tracking something that you refer to as PyLocky.
Part of that sounds familiar to me.
What's going on here?
Well, PyLocky is basically another family of ransomware trying to masquerade itself off as a variant. Now, if you remember Locky, it was a piece of ransomware that was relatively popular,
probably around 2017. And so it basically lost its market share when NetGhost kind of went away.
And so now there's a new attacker out there trying to kind of cash in on that reputation, right? You've got to remember when it comes to
ransomware, there's this fundamental problem of can I trust the attacker? And so what we've seen
time and time again, even with things like as far back as Tesla Crypt, is the attacker will try to
masquerade themselves as a relatively, and I'm using air quotes here for those of you who can't see it, trustworthy piece of malware. And so in order to solicit that ransom,
there needs to be a reason for the victim to think they'll get their files back.
No one's going to go through the trouble of turning currency into Bitcoin or whatever the
ransom is and sending that across the internet without a reason to be paid. And so that's really, I think, why they're trying to piggyback on that Locky namesake.
And how are they doing that? Are they successful? Are people falling for the ruse?
You know, I would assume so, right? It's relatively popular these days.
And, you know, when we were looking at it, we immediately realized, hey, this is written in Python, right?
There's a few differences here that are important to note.
And so we were able to actually spot a few interesting things when we looked at it.
One of the most interesting things actually allowed us to write a decryptor.
And so, as you know, Talos has its overall goal.
For those of you with our t-shirts, you may notice on the back it says, Pissing Off the Bad Guys in all capital letters.
In pursuit of that protection, we've decided to release our decryption tool free on GitHub for the world to use. And so if you'd like, you can go to talosintelligence.com and pull down that tool.
And as I said, it's open source, so people can extend it, people can modify it.
But there is one caveat here. And unfortunately, it's a big one. So the problem with this tool is
that in order for the actual decryption to be successful, you've got to capture some of the
traffic that comes out of the box when the malware executes. So that really does shrink our
effectiveness. However, you know, we do have a solution that may work for some people. And so
I appreciate the opportunity to get out here and let people know that we have this tool.
And so if you do happen to have traffic capturing going on in your network, even if it's a small window, and you do have a PyLocky infection, well, we can help you out and you can hopefully resurrect the box.
So any indications who's behind this particular variant?
You know, not yet. Attribution is always an interesting critter, right?
We've seen more and more, especially after Olympic Destroyer and some of the other more interesting samples, where attribution based off of a software sample alone is a little bit hanky, how it had multiple false flags, how the attackers were intentionally including things to mislead researchers. At Talos, we're really cautious.
And so unless we have pretty conclusive data
and other types of intel to increase that confidence,
we're not going to go out and claim attribution
because we're not 100% about it.
We're very conservative with that intel,
and we just want to make sure that when we do tell our users something
that they can trust that it's the case.
Yeah, yeah, makes sense. All right, well, Craig Williams, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm
Dave Bittner. Thanks for listening. We'll see you back here tomorrow.