CyberWire Daily - US off-off-year elections go off OK, but don’t get cocky, kids. US charges three in Saudi spy case. Adware dropping apps removed from Google Play. Patch Confluence.
Episode Date: November 7, 2019
The US off-off-year elections seem to have gone off largely free of interference, but officials caution that major foreign influence campaigns can be expected in 2020. Three former Twitter employees are charged with spying for Saudi Arabia. The website defacement campaign in Georgia remains unattributed. Google boots seven adware droppers from the Play Store. Phishers are using web analytics for better hauls. And nation-states are targeting unpatched Confluence. Johannes Ullrich from the SANS Technology Institute on encrypted SNI in TLS 1.3 and how that can be used for domain fronting. Guest is Kevin O'Brien from GreatHorn on managing email threats. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. off-off-year elections seem to have gone off largely free of interference, but officials caution that major foreign influence campaigns can be expected in 2020. Three former Twitter employees are charged with spying for Saudi Arabia, Google boots seven adware droppers from the Play Store, phishers are using web analytics for better hauls, and nation-states are targeting unpatched Confluence.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, November 7th, 2019.
The highly diversified and decentralized U.S. election system kept a close eye on Tuesday's off-off-year elections and has more or less declared success, as a joint announcement from several federal law enforcement and intelligence agencies asserted that election security had been unprecedented. That announcement did, however, note that attempts to influence or interfere with the 2020 elections can be expected, with Russia, China, and Iran likely to be particularly active.
The concerns officials are voicing continue to focus on influence operations,
as opposed to direct manipulation of vote totals or other attacks on voting machinery.
CISA Director Christopher Krebs told CBS News no one should get cocky.
Speaking of Russian operators in particular, Director Krebs said, "They're going to be back. They're trying to get into our heads. They're trying to hack our brains, so to speak, and ultimately have us lose faith in our process."
The U.S. has opened a case against three men for what's being called by the New York Times and others spying for Saudi Arabia.
In this case, the spying has been directed against individuals as opposed to state secrets. The U.S. Justice Department has charged three men, two former Twitter employees and a Saudi national who apparently acted as their controller, with acting as agents of a foreign government without notice to the Attorney General and with the destruction, alteration or falsification of records in a federal investigation.
The government accused Ahmad Abouammo, a U.S. citizen, of snooping into three Twitter users' accounts. Ali Alzabarah, a Saudi national who, like Mr. Abouammo, worked at Twitter, allegedly accessed more than 6,000 Twitter accounts in 2015. Their liaison with Riyadh is alleged to be Ahmed Almutairi. Mr. Abouammo is in custody, but the other two are on the wing and thought likely to be in Saudi Arabia. The criminal complaint ties their activities to Organization No. 1, led by Foreign Official No. 1, and Royal Family Member 1, said to be the owner of the charity. The Washington Post identifies these respectively as Bader Al-Asaker, MiSK, and Crown Prince Mohammed bin Salman. The Twitter accounts of interest to the alleged spies were, the Wall Street Journal reports, critical of the Saudi regime in general and the Crown Prince in particular. It seems that the two former Twitter employees may have been placed in the company for the purpose of gaining access to such accounts. Both men left Twitter in 2015.
The case opens concerns, obviously, about the security of social media companies
and their susceptibility to being penetrated by state-run agents.
Somewhat less obviously, it raises another question.
If the platforms can be penetrated to snoop on individual accounts,
might they not also be penetrated to facilitate the distribution of disinformation?
The lowly email box remains a prime target for baddies, and as their sophistication grows, so too must our defenses. That's the opinion of Kevin O'Brien, CEO and co-founder at email security provider GreatHorn.
Email is a really interesting piece of technology. It's been around for about 50 years. It is one of the technologies that we look at as being both venerable but vulnerable. We're looking at a system that was architected, again, 50 years ago for academics to be able to exchange information on timeshare Unix systems, and it was never meant to be a system that we built to be secure or to exchange messages with strong authentication or encryption or any of the other things that you see in modern communication platforms. But its age gives it a certain degree of ubiquity that means that most serious business communications, wire transfers, exchanges of information about intellectual property, contracts, they occur over this platform. And although we've spent really the last 25 years trying to add on functionality to make it a secure system, it's fundamentally at odds with what that platform was designed to be. And so it's now the case that we're in this moment when most cyber attacks start with an email in some fashion.
And everything that people have put out into the world to try to supplant email, the message-based systems, if you're of a certain age, then you think about IRC. If you're a bit newer, maybe you're thinking about Slack or Teams. They're not equivalent technologies. They're attention distractors. They're real time. Email has a certain elegance to it because it allows you to not have an instantaneous exchange of information, but rather to think for a moment about what you might say. And so that's well suited to corporate communications, business communications.
If we're going to secure the system, if we're going to make it something that is safe for communication, it has to also be easy, because that's one of the foundational principles of email. I type in a subject line and a message and a To, and I'm done.
When I started GreatHorn, so four years ago, the average adoption rate of things like Office 365 or G Suite, the two most well-adopted cloud email platforms for professional use, were 17% and 7% in the Global 2000 respectively. Today, that combination has a nearly 90% adoption rate. And that's happened over the last 24 months, give or take. So there's a real change that's possible when you deal with semantic analysis and looking at all of the related relationship information that no legacy product is capable of doing. That's what you should be thinking about if you're responsible for securing email in 2019 and 2020, is how can I go find cloud-native email security systems that are really, and not just from a marketing buzzword perspective, leveraging the evolutions in artificial intelligence and machine learning technologies to give us a better way to stop these threats.
So if I'm using something like G Suite or Office 365 or something like that, isn't there
a certain amount of protection going on behind the scenes from those providers themselves?
There is. And both Microsoft and Google do a really good job at stopping what we describe as volumetric threat. You probably don't see a whole lot of spam. I mean, you might see some marketing email you don't want. But the real thing that we described as spam in the 1990s and the early 2000s, the Nigerian prince who's going to send you a million dollars and just needs your social security number and last name, that stuff kind of doesn't get caught anymore, right? And those are examples of volumetric attacks. So you will get pretty good fundamental protection. And for some organizations, that's enough.
But when you're talking about targeted email attacks, what the industry has classified as business email compromise, that is the impersonation of an executive, fraud attempts that are often polymorphic, that is they change based on the recipient and their role, those are not things that the basic protections that are available, regardless of how they're marketed, from your email provider are going to catch. Like any other part of a security program, those are the concerns that an enterprise will have. And they require enterprise-grade controls that have a certain degree of customization and a certain degree of flexibility and the ability to articulate a response that is in line with your security posture. And one size fits all basic protections from your email provider just aren't designed to do that, nor is that their business, right? They'll stop the volumetric stuff all day long, and that's good. But you don't need to worry about, as your primary concern, the problems that you might have worried about 20 years ago. It's not spam, and it's not even things like data loss prevention, where you're trying to keep someone from inadvertently sending a credit card out. You can do that by default in those platforms.
The concern today has shifted. The locus of concern has shifted to advanced targeted attacks. And you need advanced third-party technology if you're going to combat that. And maybe you don't worry about that if you're a 10-person or 20-person small company, because you can literally turn around and say, hey, just send me this email. But once you're at hundreds or thousands or tens of thousands of employees and global, it's time to step up to an enterprise-grade control set to give you that level of protection and scalability.
That's Kevin O'Brien from GreatHorn.
Google has booted seven badly behaved apps from the Play Store, and they urge you to kick them out if you've already downloaded them onto your device. The apps are Alarm Clock, Calculator, and Free Magnifying Glass, all from iSoft LLC; two apps produced by Lizat Mitis, the attractively named Magnifier, Magnifying Glass with Flashlight, and Super Bright Flashlight; and finally, two produced by Pump App, Magnifying Glass and, another good name, Super Bright LED Flashlight. Give them all the heave-ho.
Security firm Wandera found the Maleficent 7, and how the apps worked is interesting. These are dropper apps that pull files in from outside the Google Play ecosystem, in this case from GitHub, and that therefore avoid the usual security checks that might detect them. There's other obfuscation in place as well. Wandera told Forbes that there's some good news and some bad news. The bad news is the obfuscation and the aggressive backdoor that opens, subjecting devices to further attack. The good news is that so far the payloads have been nuisance malware and that the number of downloads is relatively small, numbering in the thousands and not in the millions.
Web analytics platforms have many legitimate uses,
like seeing where users come from
and how long they spend on various pages.
We use them, and you may use them too.
It's thought that somewhat more than half the world's websites use analytics.
The biggest of these services is Google Analytics.
Akamai has taken a look at the ways in which these tools can be used for evil.
Phishing, in particular, seems able to benefit from web analytics.
Implausible spray-and-pray campaigns, while still common enough,
are giving way to more closely targeted and therefore more likely to succeed phishing.
Much of that newfound plausibility, Akamai concludes,
can be chalked up to criminal use of analytics.
They use the analytics much the way legitimate users do, "to improve kits and gather stats on campaign effectiveness." In short, to make their bait more attractive to the fish they hope to reel in.
Attackers are exploiting Atlassian's widely used Confluence collaboration platform, hitting a vulnerability, CVE-2019-3396, that Confluence disclosed and patched this past spring. NSA's Cybersecurity Directorate publicly warned that nation-state services were likely to attack unpatched Confluence instances, and various cybersecurity companies have since confirmed an uptick of activity against Confluence users. The warning is significant in itself, but it's also noteworthy as an example of the sort of relatively quick public disclosure NSA's young Cybersecurity Directorate has promised.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. You have been working on some information about encrypted SNI in TLS 1.3 and how that can be used for domain fronting. Let's dig in here. What do you have to share with us today?
Yeah, this actually worked. It was mostly done by Bojan Zdrnja. He's one of our Storm Center handlers. Now, he looked into how sort of that entire DNS over HTTPS and TLS 1.3 ecosystem can be used for new attacks. Now, domain fronting itself is not a new attack. It has been done a lot, and cloud providers have done a lot to defend against it.
The way it sort of works is, simplistically speaking, I'm inside a corporate network. For example, I'm malware. I'm trying to connect to my command and control server. But the infrastructure within the corporate network prevents me from connecting to it. For example, at some TLS gateway or via DNS, the host name I'm trying to reach is blocked. So what I'm doing is I'm setting up my command and control server to be behind a public cloud provider like Cloudflare. Then I'm going to connect to Cloudflare pretending that I'm going to connect to a different host name, a valid host name that's not blocked. I can do that. I can do the DNS lookup.
And then the tricky part here is in a TLS connection. In a TLS connection, there are two parts that really determine which host name I'm connecting to. There's one part that's in the clear, that's visible, and that's called server name indicator. The first packet of data that I'm sending to the server includes that. Basically: hey, I want to connect to this particular server. And this would be now, in my attack, a server that's valid, that's not blocked. But then as part of the encrypted part, I'm sending a host header that is pointing to the malicious website. So what cloud providers did is that if the server name indicator and the host header don't match, they would block it. But with the encrypted server name indicator that is available now in TLS 1.3, that first part is also encrypted. So now the cloud provider has a much harder time figuring out what site I'm actually connecting to. And as Bojan found out, this is still sort of one hole: Cloudflare, which supports TLS 1.3 and supports server name indicator, actually is falling for this, and it's still able to do domain fronting using this specific technique.
Is there a way to prevent this yet, or is it something that's yet to be addressed?
It's really a bit of an open question here, how this can be addressed. Now, in part, of course, it has to be addressed and can be addressed at the proxy providers like Cloudflare. They have to make sure that they are able to decrypt that server name indicator, or maybe they're just not going to accept encrypted server name indicator, which of course violates a little bit their privacy mission. They support this feature on purpose because it does provide some privacy.
Now, in a corporate network that could be infected with malware taking advantage of this: there are specific DNS records that are being used in order to exchange encryption keys for this feature. And one thing that you could possibly do is block these DNS records. Now, Bojan took a look at how popular these DNS records are. Right now, there are only a few dozen of them that appear to be in use across the Internet. So the feature isn't used officially yet at this point. Interestingly, a lot of them he found in Russia, but not necessarily, it's always with particular types of sites. So this is one option right now, to just block it. But as the feature becomes more popular, if you are worried about privacy, that may no longer be an option. And then it's really just up to the cloud providers, and not really clear yet what they can do really to prevent that.
All right. It's interesting and certainly one to watch. Johannes Ulrich, thanks for joining us.
Thank you.
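The segment above turns on one detail: a gateway or proxy can only compare the server name against the Host header while the SNI is sent in the clear, and draft ESNI takes that signal away. As an added illustration (not code from the episode, SANS ISC, or Cloudflare), here is a small Python inspector an egress-monitoring team could run over captured ClientHellos to label each one as clear SNI, ESNI, or no SNI; it assumes the draft ESNI extension codepoint 0xffce from draft-ietf-tls-esni, and the sample ClientHellos are constructed inline rather than captured.

```python
# Added example (not from the episode or SANS ISC): label TLS ClientHellos by whether
# the server name is sent in the clear, hidden by draft ESNI, or absent entirely.
# Assumption: ESNI uses extension type 0xffce (draft-ietf-tls-esni); samples are constructed.
import struct

SERVER_NAME = 0x0000   # standard server_name extension
ESNI_DRAFT = 0xFFCE    # encrypted_server_name, draft codepoint (assumption)


def ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension: type(2) || length(2) || data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_ext(host: str) -> bytes:
    """Encode a server_name extension carrying a single host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return ext(SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions: bytes) -> bytes:
    """Build a minimal TLS 1.3-style ClientHello record around the given extensions."""
    body = b"\x03\x03" + b"\x00" * 32                 # legacy_version + random
    body += b"\x00"                                   # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> dict:
    """Return the clear-text SNI (if any) and whether an ESNI extension is present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + body[pos]                                      # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    result = {"sni": None, "esni": False}
    if pos + 2 > len(body):
        return result                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SERVER_NAME and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == ESNI_DRAFT:
            result["esni"] = True      # real name is encrypted; a gateway cannot read it
    return result


def classify(record: bytes) -> str:
    """Egress-monitor label: 'esni', 'clear-sni' or 'no-sni'."""
    info = inspect_client_hello(record)
    if info["esni"]:
        return "esni"
    return "clear-sni" if info["sni"] else "no-sni"


# Constructed samples: a normal hello, and one sending a cover SNI plus an ESNI blob.
PLAIN_HELLO = build_client_hello(sni_ext("allowed.example.com"))
ESNI_HELLO = build_client_hello(sni_ext("public-name.example") + ext(ESNI_DRAFT, b"\x00" * 42))
```

On a real capture the ESNI blob would be the client's encrypted name rather than zero bytes; the point is only that a clear SNI of a permitted cover name tells the gateway nothing once the ESNI extension is present.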
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris
Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.