CyberWire Daily - Wi-Fi access point zero-day reported. US Cyber Command on the offensive. Transparency is tougher than it looks. GandCrab not paying out as much—good. PIPEDA takes effect. Soulmate spyware.
Episode Date: November 1, 2018
In today's podcast, we hear that Bleeding Bit flaws leave Wi-Fi access points open to war drivers and other malefactors within a hundred meters of your equipment. US Cyber Command continues its attempts to dissuade foreign influence operations against midterm elections. Social networks have difficulty identifying who's buying ads. Canada's data privacy law takes effect today. GandCrab crooks take a million-dollar bath. And if you go to Soulmates in Google Play, you're looking for love in all the wrong places. Johannes Ullrich from the ISC Stormcast podcast on hiding malware in benign files. Guest is Tara Combs from Alfresco on coming US cyber regulations. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Bleeding Bit flaws leave Wi-Fi access points open to war drivers and other malefactors within 100 meters of your equipment.
U.S. Cyber Command continues its attempts to dissuade foreign influence operations against midterm elections.
Social networks have difficulty identifying who's buying ads.
Canada's data privacy law takes effect today.
GandCrab crooks take a million-dollar bath. And if you go to Soulmates in Google Play, you're looking for love in all the wrong places.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, November 1st, 2018.
A major flaw in Wi-Fi chips has been discovered.
The Israeli security firm Armis reports finding two zero-day flaws in Texas Instruments' Bluetooth low-energy chips.
These are widely used in Wi-Fi access points, including enterprise access points like those manufactured by Aruba, Cisco, and Meraki.
Armis is calling the issue Bleeding Bit.
The first of the two flaws involves flipping the highest bit in a Bluetooth packet,
thus causing a memory overflow, causing the memory to bleed.
Once the device is in that condition,
it's possible for an attacker to run malicious code on an affected device.
This problem affects Cisco and Meraki equipment.
The other bug exploits the device's failure to properly authenticate apparent trusted firmware updates.
This problem affects Aruba devices.
The absence of proper checks could enable an attacker to install malicious firmware.
This sounds like and has been characterized as a remote code execution vulnerability, but as TechCrunch points out, technically that's not true,
since it can't be exploited over the Internet.
An attacker would have to be within Wi-Fi range,
which is typically 100 meters or less.
That's roughly 300 feet for those of us who continue to bucket along
with the English system of weights and measures.
The range can be greater with a good directional antenna,
but 100 meters is plenty range for a war driver parked outside your office building.
Once connected, an attacker can gain access to any network using the Wi-Fi access point.
Texas Instruments and the device manufacturers have issued patches since the vulnerability was
disclosed to them in July. Texas Instruments has criticized Armis, which hasn't published exploit code,
for allegedly exaggerating and misrepresenting the issue,
but Texas Instruments has nonetheless patched.
The chips are used in a wide variety of devices, not just Wi-Fi access points,
so expect further alerts and updates.
With midterm elections set for next week and early voting having been in progress for some weeks,
U.S. National Security Advisor Bolton acknowledged that the U.S. was engaged in offensive cyber operations
designed to deter information operations directed against the electorate.
According to the Washington Post, Bolton characterized the operations as falling below the level of armed conflict,
that is, it isn't producing kinetic effects,
and so did not require the sort of high-level authorization
the use of military force or declaration of war would need.
It's been widely reported that U.S. Cyber Command
continues to reach out to individual Russian trolls
to deter more extensive information operations aimed at U.S. elections.
This direct, unconcealed approach is thought to be disconcerting enough
to give individual operators, if not the Russian government, pause.
The U.S. government knows you and where you are and what you do, and it won't forget.
How effective the approach will prove remains to be
seen, but it's clear that the U.S. government wants hackers to know that they're on the radar.
Dueling bots and fake news sites continue to push rival versions of the murder of Jamal Khashoggi,
journalist and frequent critic of the Saudi regime. Turkish prosecutors have released more information on the killing,
although the victim's body has yet to be found.
The killing has strained relations between Saudi Arabia
and its many allies of convenience.
Bots and fake accounts remain the principal matters of concern
to those who fear the corrosive effects of disinformation on civil societies.
Despite efforts to screen accounts for coordinated inauthenticity,
social networks continue to find that denying information operations
and their bots' access to social media is harder than it looks.
Vice News tested Facebook's new commitment to transparency
by sending them political ads that falsely represented themselves
as being paid for by 100 U.S. senators. That's all the senators there are, for those of you
unfamiliar with the American constitutional system of two senators per state. There are 50 states,
which makes, let's see, 10, 20, 50, and even 100 senators. And most of them aren't even up for
re-election anyway. They do serve a six-year term.
At any rate, Facebook approved all of the ads,
despite its attempt to see through phony accounts and ad buys.
This doesn't necessarily mean that Facebook is either negligent or uncaring.
It does mean that this kind of screening presents an inherently hard problem.
Privacy and data breach regulations are an evolving area of public policy,
with the EU's GDPR having a major impact on the industry.
Here in the U.S., several states have implemented privacy regulations,
and there's much speculation as to how this will make its way across the country
or take hold at the federal level.
Tara Combs is information governance specialist for Alfresco.
Well, all 50 states have actually passed data breach notification laws, so they have
to notify constituents or people if there's been a data breach notification. And so Uber actually
was just fined $148 million because they had a breach back in 2016 and they paid basically the hackers $100,000 to delete the data that they got and keep the breach quiet rather than report the incident.
The fact that all 50 states have passed that this year, Alabama being the last one to do that, shows you that people are now taking it seriously.
California has just now enacted a Data Privacy Act that's very similar to the General Data Protection Regulation over in Europe.
That goes in effect in 2020.
So people are taking this very, very seriously now. Now, one of the points that you make is that this notion of having immutable records can be helpful with organizations trying to get a handle on this.
First of all, can you describe to us what are we talking about when we say immutable records?
Well, the first thing when you're managing privacy data is you actually have to understand where that data is stored.
So most organizations have, I call it data in the wild, right? You have various systems in your
organization and you have to understand, do you have privacy data in those systems? So the first
thing that you'd have to do is what I call a data analysis, because you have records in every one of those systems, and those
records could contain privacy data. Immutable records are the concept of records that can't be
altered, and that's where blockchain is coming in these days. So at a state level, what we're seeing
is states like Delaware: when businesses are being incorporated there, they're actually
registering those on the blockchain. So they become an immutable record. And the way the
blockchain works is there's several servers and they actually register those articles of
incorporation across all of those servers. And as each article is registered, until there's a
consensus among those servers that all of them are registering the same transaction,
it's not agreed upon that it's a transaction. So let's say that we had seven servers and we
registered that article on all seven of them. When there's an agreement that it's registered
on all seven, then you have
your immutable record of incorporation. Now, what are your recommendations for companies
to prepare themselves for this? If there's general agreement that there is going to be some sort of
regulatory change coming, how can organizations be prepared? So the first thing you need to do is you need to have a plan.
So you have to understand what privacy obligations your organization is subject to.
Do you have existing privacy risks?
So understanding what systems you have in place and do those consistent systems contain privacy data.
Most organizations are actually appointing a data privacy officer now
so that they've got someone in place that can actually put policies in place
on how that data is going to be handled,
who in the organization should have access to that data.
You need to implement those policies. You need to measure
how your program's performance against those policies are doing. And then you also have to
be able to respond to those requests because part of all of these acts is if a consumer makes a
request to know what type of data that you have on them or to opt out of you having their data, so it's called the right to delete, you have to be able to respond to all of that.
And you have to be able to measure how well you're responding because typically for California, it's 45 days.
GDPR also has a date set on that as well.
So you need to have a program in place that addresses all of this.
That's Tara Combs from Alfresco.
Today marks the day Canada's data privacy law goes into effect.
The Personal Information Protection and Electronic Documents Act,
three years in the making and known by its acronym PIPEDA, is now in force.
It imposes a requirement on private sector organizations to disclose breaches and potential
exposure of personal information to unauthorized parties. Violators of the act could be fined up
to $100,000 per affected individual, so in principle the penalties could be very heavy indeed.
CTV News, however, reports a widespread belief up north of the border that vague language,
poorly resourced enforcement, and a suspected disinclination to take action against offenders will combine to render the law less severe than it seems to be.
In contrast with the better-known GDPR, for example, which places sharp deadlines
on disclosure requirements, Canada's law is full of language that vaguely requires disclosure
as soon as feasible when there's real risk of significant harm. Maybe as soon as feasible
might be in a decade or so. And who's to say what risks are realer than others, eh? All questions aside,
however, the law is another sign that governments are increasingly inclined to regulate data privacy.
Some good news on the ransomware front. Bitdefender's free decryptor for GandCrab ransomware is thought to have deprived the crooks of about a million dollars in ill-gotten revenue.
That's not a death blow to GandCrab, of course, but nonetheless, bravo Bitdefender.
And finally, all of you who hope to find love online, there's another reason to beware.
Zscaler has found that the matchmaking app Soulmates, found on Google Play, is actually spyware.
Maybe you'll meet someone nice.
Maybe.
But for sure, you'll be installing spyware.
Soulmate listens in on incoming and outgoing calls.
It intercepts SMS messages.
It rifles through your contacts, and it tracks your current and last location.
There's more, but that's enough for us.
We've lost that loving feeling.
And joining me once again is Johannes Ullrich.
He's from the SANS Institute, and he's also the host of the ISC Stormcast podcast.
Johannes, there is something that I have to admit leaves me scratching my head,
and that is seemingly benign files,
things like image files, you know, JPEG images, things like that, and the ability for folks to
hide malware in those sorts of files. Can you take us through and explain what's going on here?
Yeah, there are really sort of a couple of interesting parts to this, but what it comes
down to is that the bad guys are getting very creative in
how they deliver malware to a system without necessarily delivering an executable file to you.
So one example is that they're using an HTML archive. In Internet Explorer, for example, you have
the option to save a web page as a file if you want to review it later.
Now, what Internet Explorer does is essentially creates one file with the HTML content,
all the JavaScript files and images that can then be easily loaded into Internet Explorer again.
These files are often not considered as malicious by your antivirus filter,
so they're not really scanned for anything.
So it's very easy for an attacker, for example,
then to hide malicious JavaScript inside these files,
trick the user into opening it,
and then, of course, the malicious JavaScript is executed
and infects the system.
Now, images, on the other hand,
there are a couple of ways we have seen them being used.
In a simple case, they basically just attach the malware to the image.
So you have a normal image file, but then as part of the file, at the end of the file, you do have the malware.
This will not run, but what then happens is that you, for example, have some fairly standard benign JavaScript that downloads an image,
and then the JavaScript will strip off that image part and just save the executable.
But again, anti-malware may not consider the image malicious,
so it will not look at it, will not scan it.
So these are some of the options that attackers have to essentially sneak malicious
content by anti-malware, in particular if you're using, for example, web proxies and such to do
filtering before the malware actually hits the system. Now, what about hiding code within images,
using the actual image content to hide your own content within?
There are a couple options for that.
And the way this is usually done is, for example, JPEG images,
they have something called EXIF data.
EXIF data are comments, essentially.
And you may have seen this, for example, mobile phones use that quite a bit, where they embed things like coordinates and such in the image.
But you can embed whatever text you would like in the image. So this is often used to embed code.
The way this can be used maliciously is, and that's sort of a really interesting effect here,
where one file could be recognized as different file types depending on what software looks at it.
So if you use an image viewing program to look at this file, well, it's recognized as an image because it sees the normal image header.
But let's say you're loading this in a PDF reader.
PDF signatures don't really have to start at the beginning of the file.
They can be somewhere in the middle of the file.
So inside the image, I can then embed
a PDF, and that PDF may be malicious. And if you're loading this image file in a PDF reader,
it pretty much ignores that there's supposed to be an image. It just pulls out that PDF content,
and again, may then run malicious code. Now, are there effective ways to protect
yourself against this?
Well, better scanning for these artifacts, but it's really tricky to protect yourself against this because as far as the JPEG standard, for example, is concerned, these may be 100% valid
images. They just happen to have an odd comment in there. There is software that can strip out
all of these comments. But then again,
in some cases, you may actually need these comments for your image processing.
Right, right. All right. Well, it's good information as always. Johannes Ullrich,
thanks for joining us.
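The three image tricks Johannes Ullrich describes in the segment above (a payload appended after the JPEG's end-of-image marker, code hidden in a COM or EXIF comment segment, and a PDF header placed inside the image so that a PDF reader treats the file as a PDF) can all be caught by walking the JPEG marker structure instead of trusting the extension or the first two bytes. The following is an added example written for this page; it is not code from the CyberWire, from SANS ISC, or from any scanning product. The 1024-byte window in which Acrobat-family readers still accept a late %PDF- header is an assumption drawn from common polyglot practice, the list of code-like tokens is an illustrative heuristic, and the sample files are constructed in-line (structurally valid skeletons, not viewable pictures).

```python
"""Walk a JPEG's marker structure and report the tricks described above."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
PDF_MAGIC = b"%PDF-"
PDF_HEADER_WINDOW = 1024        # assumed Acrobat-family tolerance for a late header
TRAILER_MAGIC = {               # a few well-known signatures for data after EOI
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/JAR/APK archive",
    PDF_MAGIC: "PDF",
}
CODE_TOKENS = (b"<script", b"<?php", b"eval(", b"powershell")   # illustrative heuristic only


def segment(marker, payload):
    """One marker segment: FF, marker, 2-byte big-endian length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(pre_scan_segments=(), trailer=b""):
    """Constructed JPEG skeleton for the tests below: not a viewable picture,
    but it has the SOI / segments / SOS / scan data / EOI layout a parser walks."""
    scan_header = b"\x01\x01\x00\x00\x3f\x00"    # one component, Ss/Se/Ah/Al
    scan_data = b"\x12\x34\xff\x00\x56"           # includes a stuffed FF 00 byte
    body = b"".join(segment(m, p) for m, p in pre_scan_segments)
    return b"\xff\xd8" + body + segment(SOS, scan_header) + scan_data + b"\xff\xd9" + trailer


def analyze_jpeg(data):
    """Return findings for: data after EOI, code-like comment/APP segments,
    and a %PDF- header early enough for a PDF reader to honour."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    findings, comments, pos = [], [], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte, legal before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == COM or 0xE0 <= marker <= 0xEF:     # COM or APPn (EXIF lives in APP1)
            comments.append((marker, payload))
            if PDF_MAGIC in payload or any(tok in payload for tok in CODE_TOKENS):
                findings.append("code-like content in segment 0x%02X at offset %d" % (marker, pos))
        pos += 2 + length
        if marker == SOS:
            # In entropy-coded data every 0xFF is stuffed as FF 00 or is an RSTn
            # marker, so the first FF D9 after the scan header is the real EOI.
            eoi = data.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("no EOI marker after SOS")
            pos = eoi + 2
            break
    trailing = data[pos:]
    if trailing:
        kind = next((name for magic, name in TRAILER_MAGIC.items()
                     if trailing.startswith(magic)), "unknown type")
        findings.append("%d bytes appended after EOI (%s)" % (len(trailing), kind))
    pdf_at = data.find(PDF_MAGIC, 0, PDF_HEADER_WINDOW + len(PDF_MAGIC))
    if pdf_at >= 0:
        findings.append("PDF header at offset %d: JPEG/PDF polyglot" % pdf_at)
    return {"findings": findings, "trailing": trailing, "comments": comments, "pdf_offset": pdf_at}


if __name__ == "__main__":
    samples = {   # constructed samples, one per trick
        "clean": build_jpeg(),
        "appended_pe": build_jpeg(trailer=b"MZ\x90\x00" + b"\x00" * 16),
        "exif_script": build_jpeg([(0xE1, b"Exif\x00\x00<script>eval(x)</script>")]),
        "pdf_polyglot": build_jpeg([(COM, b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n")]),
    }
    for name, blob in samples.items():
        print(name, analyze_jpeg(blob)["findings"] or ["nothing suspicious"])
```

The trailer check is what catches the "download an image, strip the image part, save the executable" pattern he describes, and it is cheap enough to run on a web proxy that already passes images through unscanned. The PDF-header search is deliberately not limited to the comment segments, because the reader that will open the file does not care which segment the header sits in. As he notes, stripping every COM and APPn segment is the blunt fix; this walker instead reports what the segments contain so that EXIF data that a pipeline genuinely needs can be kept.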
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.