CyberWire Daily - VPNFilter takedown. Low-cost Android phones with preloaded adware. Alexa's selective attention. BMW patches connected cars. Cryptocurrency crimes. New swatting charges. GDPR is here.

Episode Date: May 25, 2018

In today's podcast, we hear that the FBI's takedown of VPNFilter may have averted a major state-directed campaign. Some discount Android phones come with preloaded adware. Amazon's Echo echoed a little too much. BMW patches some potentially serious vulnerabilities in its connected cars. Cryptocurrency exchanges hit by a double-spending crook. The US Justice Department investigates crypto exchange price manipulation. New charges have been filed in the December Kansas swatting death. And GDPR is now with us. Let the lawsuits begin. Joe Carrigan from JHU ISI, comparing the security of iOS vs. Android. Guest is Mischel Kwon from MKACyber on the evolving role of SOCs.

Transcript
Starting point is 00:01:22 The FBI takedown of VPNFilter may have averted a major state-directed campaign, but the story is still developing. Some discount Android phones come with preloaded software. Amazon's Echo echoed a little too much.
Starting point is 00:02:11 BMW patches some potentially serious vulnerabilities in its connected cars. Cryptocurrency exchanges are hit by a double-spending crook. The U.S. Justice Department investigates crypto exchange price manipulation. New charges have been filed in the December Kansas swatting death. And GDPR is now with us. Let the lawsuits begin. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 25, 2018.
Starting point is 00:02:51 The U.S. FBI is generally being credited with having placed a significant impediment in front of a VPNFilter attack. Widely regarded as the work of Fancy Bear, Russia's military intelligence service, GRU, which goes by other names as well, including Sofacy and APT28, VPNFilter appeared poised for a major campaign against Ukraine. The two suspected triggering events, tomorrow's football Champions League match in Kiev, Real Madrid versus Liverpool, and Ukraine's Constitution Day, June 28th, remain in the future, so we'll see how well the Bureau did. But so far, bravo, FBI.
Starting point is 00:03:27 Should such an attack materialize, it's unlikely to be easily contained within Ukraine. The country has been patient zero for other attacks that have gone global, notably NotPetya, also widely regarded as made in Russia. VPNFilter is regarded as capable of accomplishing the usual things a botnet can do, so the case will bear watching. Security firm Avast warns that it's found a number of discount Android phones that ship from factory to customer with malware already installed in their firmware. It's adware, and it's called Cosiloon.
Starting point is 00:04:02 It's the work of a criminal group that was uncovered in 2016 by researchers at the security company Dr. Web. They're back in, or still in, business. It's the same Cosiloon code, unchanged since it first appeared. According to Avast, this time around, the affected phones are from manufacturers including ZTE, Archos, and MyPhone. The majority of the infected devices aren't, according to Avast, certified by Google, which is pursuing various mitigations and talking to the firmware vendors. Most of the problematic phones are in Russia, Italy, Germany, and the UK, with some in the US as well. This case is interesting because the infection point seems so far to be unidentified. Someone, however, has clearly managed to compromise a supply chain.
Starting point is 00:04:51 Amazon acknowledges that Alexa's Echo was reporting ambient conversations to third-party contacts. The company is working on a fix. Here's Amazon's account of what happened as they explained it to Wired. Quote, Echo woke up due to a word in a background conversation sounding like Alexa. Then the subsequent conversation was heard as a send message request, at which point Alexa said out loud, to whom? At which point the background conversation was interpreted as a name in the customer's contact list. Alexa then asked aloud, Contact name, right? Alexa then interpreted background conversation as,
Starting point is 00:05:29 Right, end quote. What's the lesson? We're building AI along the lines of a selectively attentive teenager. We hope that teenager grows up to be okay. You parents out there will understand. And we'll leave Google's Eric Schmidt to argue over AI with Elon Musk about whether AI will be a force for good or for bad. Probably both, but then we're just betting on form because we know people. Not any special people, just
Starting point is 00:05:58 people in general. We kind of like Alexa. When our editors hear Alexa read the daily summary, the editor finds himself convinced of the accuracy of our copy by the conviction with which Alexa reads it. BMW has patched 14 bugs in its connected car models. They were discovered and disclosed by Tencent's Keen Security Lab. Some of them could have affected control systems. The attack surfaces include, according to Tencent's Keen Security Lab, some of them could have affected control systems. The attack surfaces include, according to Tencent, GSM communication, BMW remote service, BMW connected drive service, UDS remote diagnosis, NGTP protocol, and Bluetooth protocol.
Starting point is 00:06:40 It's possible to work through these individually, or in various combinations, to reach some vehicles' CAN bus, the controller area network, and that's the serious part. No thinking person would regard inability to use Bluetooth to tell the car radio to tune into Howard Stern as a serious vulnerability. It might even be regarded as a feature. Baba booey. But when you've got the CAN bus, you're close to having pwned the car. With the CAN bus compromised, it's possible in some models to interfere with steering, brakes, accelerator, and other controls, so this is more serious than changing radio stations
Starting point is 00:07:17 or turning on the windshield wipers. A hacker so far unidentified has for the past week been hitting Bitcoin exchanges with a double-spend campaign. As the attack type's name implies, he, she, or they were spending the same Bitcoin gold coins twice, pulling in about $18 million in the cryptocurrency. The immature and overheated cryptocurrency market has predictably spawned a great deal of fraud. The U.S. Justice Department, working with the Commodity Futures Trading Commission, has opened a wide-ranging criminal probe of market manipulation. They're concentrating on such fraudulent practices as spoofing,
Starting point is 00:07:59 placing bogus orders to goose prices, pump-and-dump schemes, and so forth. There's enough here to keep justice busy and happy for a good long investigatory run. Good hunting, counselors. And finally, GDPR is in effect today, with its expected worldwide implications. Microsoft, for example, is going to treat essentially everyone in the world as if they're covered by the regulation. And right on cue, the first legal complaints of GDPR violations have been filed. One long-term Facebook critic has entered a complaint that Facebook and other platforms take it or leave it, Hobson's choice approach to obtaining consent amounts to improper coercion.
Starting point is 00:08:39 How GDPR will affect people and enterprises generally remains to be seen. The advocacy group Privacy International has begun its own investigation of what it characterizes as shadowy, non-customer-facing data companies that accumulate large quantities of personal information.
Starting point is 00:11:12 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigrigan he's from the johns hopkins university information security institute joe welcome back hi dave so uh had an article come by this was on bleeping computer and the article was malware found in the firmware of 141 low-cost android devices yep and i wanted to use this sort of as a launching point, a discussion about mobile device security and wade into the waters of iOS versus Android. Now, I am...
Starting point is 00:11:54 We're going to have a fight. I know. Hopefully it won't come to blows. But I am on the iOS side, and you are on the Android side. And I think one thing that leaves us iOS people scratching our heads is that when we see all these security stories about Android, we wonder, are you guys nuts for using Android devices? But there are plenty of good reasons for using Android. But I wanted to touch on the
Starting point is 00:12:18 security side. I mean, how do you approach it? Obviously, security is important to you. Knowing what you know, how do you make sure that your Android device doesn't have these problems? Okay, so first off, I will say that Apple does a very good job of security. A lot of staff at the Institute use Apple for just that reason. They have always taken security very seriously. Google also takes security pretty seriously as well. The difference here is that Apple is a very locked in and proprietary system where they maintain a lot of control over their hardware and their software, not only their software, but everybody else's software that goes in there. And Android
Starting point is 00:12:55 is a lot less so. It's more of an open development platform. The operating system is actually open source, so anybody can install it if they want. That is not the case with Apple. So from a security standpoint, particularly with this article here, you're looking at these low-cost manufacturers. It harkens back to nobody knows where this is getting installed. They don't know where in the supply chain it's coming into the phones. That's because these supply chains are not well managed as other major manufacturers.
Starting point is 00:13:23 Now, what's missing from the list are major manufacturers like Motorola, Samsung, HTC, LG. They're not on the list. So most of our listeners probably don't need to worry about it. But if you're looking at a low-cost Android device, yeah, chances are you're running a risk there. Of course, on the iOS side, there are no low-cost iOS devices. That's exactly right. And maybe perhaps you could say on the Android side, there are no secure low-cost options for Android.
Starting point is 00:13:54 What about just general app hygiene? I mean, since you don't have to go through Google's walled garden, you can sideload apps. Is that something you avoid? Yeah, you should not do that. But again, because the operating system is a little more open, you have the capability of doing that. You know, it's like having a swimming pool. You know, it's one of the most dangerous things you can do to your house, but you can just walk out back and take a swim anytime you want.
Starting point is 00:14:16 Right. It's the only recreational activity where you have a full-time person standing by to make sure you don't die. Right. Right. I will say this, though. My next Android phone will be the Google device. And I'm going to do my best to stick with those Google devices because they're in more control over the environment than, say, a third-party developer like Samsung, LG, or HTC is. So you're going to get those updates more quickly from Google. And you're going to have less of a configuration management problem. Like, for example, when the stage fright
Starting point is 00:14:45 vulnerability came out, Samsung had no idea, and I had a Samsung phone at the time, Samsung was really lagging behind because they had five or six different
Starting point is 00:14:54 models of the phone that they supported across four or five different carriers. I see. Well, that's a real problem for them. But Google doesn't have that.
Starting point is 00:15:02 Google makes one model of the phone, one or two models because they have two different technologies for cell phone networks, and they support those. It's the same thing that Apple does with the iPhone. They have
Starting point is 00:15:14 one or two models, and then they will end-of-life them, which you have to do with these phones for security reasons. Right, so they're not orphaned out there. Correct. Alright, good information as always. Joe, are we still friends? Yes, of course. Alright, terrific. As always, thanks for coming. Correct. All right, good information as always. Joe, are we still friends? Yes, of course. All right, terrific. All right, well, as always, thanks for coming, Joe.
Starting point is 00:15:28 It's my pleasure. Good talking to you.
Starting point is 00:15:56 sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Michelle Kwan. My guest today is Michelle Kwan. She's the founder and CEO of MKA Cyber, and she has more than 35 years of experience in IT and security. Michelle served as the Deputy Director for IT Security Staff at the United States Department of Justice, where she built the first Justice Security Operations Center, JSOC, to monitor and defend the DOJ network against cyber threats. Michelle previously served as Vice President of Public Sector Security for RSA Security and as the Director for the United States Computer Emergency Readiness Team at the U.S. CERT.
Starting point is 00:16:57 I asked her where she thinks we stand today when it comes to security operations centers or SOCs? I think we're in a unique position. I think we have had a lot of, over the past, we can almost say 20 years, but more recently, even five years, we've had a lot of scary things happen. And I think a lot of our SO socks are being driven by scary things because some of the attacks that we have had or most of the attacks are kind of hard to understand from a technical aspect and definitely hard to understand how to detect them. We've created this culture of a hero, of a highly technical person who detects something and understands it. And therefore, we put a lot of trust into that hero. And we allow that hero to run our SOC. And what we've realized as of late is that may not be the best solution. Though we need that hero to do the detection, that hero may not know the business. That hero may not be good atically, not just the things that interest the analysts, but the things that need to be done. fail because of lack of business organization and lack of an ability to manage. You hear a lot of
Starting point is 00:18:48 people befuddled with, how do I come up with SOC metrics? Well, you can only come up with SOC metrics if you have a process and you gather statistics from that process so that you can measure. That is sorely lacking in most SOCs today because we allow an organic process because we're afraid to manage the smart people. We're beginning to realize the smart people like us to be more organized and they like it when they have more money and more tools. So if we can come to some kind of a good arrangement where we have a good SOC process, we have the data that the analysts actually need, we organize it in a good way, we document our processes and make the things we find repeatable so that other people can
Starting point is 00:19:42 monitor the repeatable things and the smart people can continue hunting and finding new things, then we've made everybody happy. We've made the smart people happy and we can measure and improve and report out how well we're doing things. That's really important. And I'm really happy that we're moving to this place in SOC. And part of what drives us to this new place is many people are moving towards a managed service solution because the other is just too difficult to articulate the benefit and the cost, whereas moving to an MSSP model, the onus is on the MSSP to then articulate its worth. Do you think it's a matter of people perhaps not
Starting point is 00:20:35 knowing the right questions to ask when they're out there shopping around? Oh, absolutely. We see a lot of questions around SLAs and around buzzwords without a lot of understanding. A lot of companies don't understand what their threat model is and what types of attacks they should be looking to have detected. And I think those two pieces are critical and important when shopping for an outsourced stock. I also think it's important to understand what your security architecture looks like, what your assets are, your high value targets, understanding something about what you are and what you're made of and what could possibly be attacked and articulating that to the vendors so that they can then articulate back how
Starting point is 00:21:26 they can detect and help you and what their capability would be based on the data you would give them. I don't think that's where the discussion is today. I think the discussion is still back on tier one, tier two, tier three, 24 by 7, how many bodies? And that's not the same discussion as I have this problem, how do you solve it? We're still pretty far apart in those discussions. And I think that's where we're going to see a lot of growth in the next coming years is looking at how do you articulate your needs from a SOC? And then how does that outsourced SOC meet that need. I want to switch gears a little bit and discuss your career. You've been in the business for a while now in IT and cybersecurity,
Starting point is 00:22:19 and I'm curious what your views are on diversity. Having come up through the business a while ago. Where do you see us standing today when it comes to making sure that we have the diversity that we need? We're a long way from there. Having just come back from the RSA conference and watching the sea of white male faces coming out of the conference doors. We're a long way from there. And I think it's important to look at this situation because it's really hard to get good, broad answers when everyone looks the same. It's really easy to have conversation when everyone is the same and thinks alike and has the same belief structures
Starting point is 00:23:06 and brings the same way of thinking to the table. The conversations are easy. When the conversations are hard is when we get a better result. There's a natural tension there though because it makes sense that human nature would be to shy away from having those hard discussions. Absolutely. And human nature makes us pick people like we are. And human nature gives us unconscious bias. And we have to move to being aware of that. We have to put things in place that allow us to push back on that unconscious bias.
Starting point is 00:23:47 And that's hard because, you know, it's unconscious. We're not thinking about it. So putting some safeguards in place so that we think more broadly, it's a hard thing to do. We really have to move in those directions. We do it at our company in our hiring process. We have it wrapped into our corporate docs that for our C level and our board, we have to interview at least one person of diversity when filling those
Starting point is 00:24:12 positions. And that seems so simple and seems so light, but in the end, we have a very diverse board and a very diverse C level. That's critical and important. We do what we call anonymous hiring. We take every piece of information that would tell us anything about the person's race, religion, sex out of the resume so that when we hire people, we're at least going through the first few screening steps, not knowing anything about the person's diversity. We have found that that has created a very diverse workforce and allowed us to put away unconscious bias and hire people based on technical competency. And it's been hard for some managers. We've had actually some senior managers leave us not wanting to hire that way.
Starting point is 00:25:05 And that's okay. In accepting diversity, we accept those challenges because it brings us a better workforce. That's Michelle Kwan from MKA Cyber. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. save you time and keep you informed.
Starting point is 00:25:44 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Thanks for listening. We'll see you back here tomorrow.
