CyberWire Daily - A big Patch Tuesday. Honda ransomware update. Facebook helped the FBI with a zero-day. Cloud service outages. Breach settlements. BellTroX explains itself, sort of.

Episode Date: June 10, 2020

Notes on Patch Tuesday--it was a fairly big one this time. Honda continues its investigation of the incident it sustained over the weekend, and outsiders see it as a ransomware attack. Facebook is said to have developed a Tails zero-day to help the FBI with a notorious case. Crooks are turning to search engine optimization. IBM and Google cloud services recovered quickly from outages. You're unlikely to get rich from a breach settlement. Joe Carrigan describes free online courseware aimed at Community College students. Our guest is Dennis Toomey from BAE on how financial institutions need to enact stronger cyber protocols as employees migrate to working from home. And BellTroX says, hey, it was just helping some private eyes. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/112

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Notes on a fairly big Patch Tuesday. Honda continues its investigation of the incident it sustained over the weekend. Facebook is said to have developed a Tails zero-day to help the FBI with a notorious case. Crooks are turning to search engine optimization.
Starting point is 00:02:12 IBM and Google cloud services recovered quickly from outages. You're unlikely to get rich from a breach settlement. Joe Carrigan describes free online courses aimed at community college students. Our guest is Dennis Toomey from BAE on how financial institutions need to enact stronger cyber protocols as employees migrate to working from home. And BellTroX says, hey, it was just helping some private eyes. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 10, 2020. Yesterday's Patch Tuesday was a heavy one. Intel fixed 22 bugs, two of which, in its Active Management Technology, are rated critical.
Starting point is 00:03:00 Bleeping Computer says that Microsoft's patches amounted to the largest set ever, a total of 129 fixes. Krebs on Security assesses three issues with Microsoft's server message block as among the most troubling. Sophos points out that a majority of the issues Microsoft addressed, a whopping 69, involved the risk of escalation of privilege exploitation. Adobe was the other prominent participant in Patch Tuesday. The company fixed problems with FrameMaker, Experience Manager, and FlashPlayer. Honda continues its investigation of the incident it sustained over the weekend. The Japan Times reports that domestic production has resumed, but that as of yesterday, the company had advised its employees in Tokyo
Starting point is 00:03:46 and some other Japanese offices to avoid using Honda's internal network. According to TechCrunch and other outlets, the incident was an attack using the snake strain of ransomware, also called ECANS. Honda tweeted that some of its customer-facing operations were affected.
Starting point is 00:04:03 "At this time, Honda customer service and Honda financial services are experiencing technical difficulties and are unavailable," the tweet said, adding, "We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding." Investigation continues, but Honda has said that as far as it knows, no data were exfiltrated. Motherboard this morning reported that Facebook helped the FBI track down one Buster Hernandez, a man wanted for harassing, threatening, and abusing young girls. The company did so by working with an unidentified security firm to develop a zero-day in Tails, the privacy-focused, Tor-using operating system,
Starting point is 00:04:48 to give the Bureau the ability to unmask Mr. Hernandez's IP address, a hack that eventually led to his arrest. This is the only known case in which Facebook has provided this kind of assistance. Menlo Park thought the case was too heinous to pass on helping law enforcement. Also factoring in was the company's judgment that providing the assistance posed no threat to privacy and no prospect of use against anyone other than Mr. Hernandez. Avast describes a criminal campaign that uses search engine optimization tools to draw victims to malicious sites using promises
Starting point is 00:05:25 of prizes. In general, the tactic has been to use the same techniques SEO consultants advise their clients to employ to bring their pages to the top. All the major search engines are affected, Google, Bing, Yahoo, Yandex, and Baidu. The operators use fixed code to create the appearance of positive Google product reviews in rich search results, Avast says. Should you follow the link, you'll be taken to a variety of pages that eventually, usually after a show of calculating results to determine a winner, tell the searcher that they, in fact, are the lucky one. The scammers also tune the language to one that fits the visitor's IP address. The examples of asked shares are in German, French, English, or Czech,
Starting point is 00:06:10 and the researchers say that the grammar and usage aren't bad. The promises we've noticed have been festooned with images of falling confetti and congratulations on just having done the billionth, or maybe it was the five billionth, search. We didn't bite, and you shouldn't either. Two major cloud services, IBM's and Google's, suffered outages earlier this week. According to Vice, Google's service went down Sunday afternoon, but was resolved within an hour. IBM underwent its own disruption late yesterday afternoon and had been restored by
Starting point is 00:06:46 early evening computing reports. Both of the outages had effects that cascaded into other services. In IBM's case, it affected cloud object storage, AppConnect, Kubernetes service, continuous delivery, identity and access management, VPN for V vpc and watson ai cloud services the google outage affected among others shopify snapchat discord and rocket league game servers some of apple's cloud-based services also felt the effects these included icloud mail icloud drive and imessage the causes of both outages remain under investigation neither is thought to be the result of a cyber attack. The lesson that computing draws from the Google incident, and the same could no doubt be said of the IBM case as well, is that the outages show the risk of a growing general dependency
Starting point is 00:07:37 on a small number of cloud providers. There might be another lesson worth drawing as well. The outages were relatively swiftly mitigated and resolved, which might indicate the value the automation layer brings. Dennis Toomey is Global Director of Counter-Fraud Analytics at BAE Systems Applied Intelligence. He joins us with insights on how financial institutions need to enact stronger cyber protocols as employees continue to work from home. I think it's probably important to note that during the global lockdowns and the border
Starting point is 00:08:10 closures, restrictions on movement and the rest of the stuff that's going on during the pandemic, we are seeing the ethically challenged or criminally motivated, if you will, individuals or groups who would usually operate in that physical world, they're moving to the online or cyber world, if you will. And since February of this year, the BAE Systems Applied Intelligence Threat Intelligence Team has tracked numerous threat actors across the globe, ramping up their attempts to steal data and secure information from institutions through phishing attempts via email and other activities. Some of these attempts made users believe they were receiving the latest information from the CDC, Center for Disease Control, or the World Health Organization. But in reality, they were just attempting to transmit malware, spyware to uncover and prey on the vulnerabilities from a cyber perspective.
Starting point is 00:09:05 You know, it's been my perception that financial institutions have often been on the leading edge of things like fraud detection, you know, being able to have automated systems that can detect when something is amiss. Has that given them an advantage here during this shift as more people have shifted to working from home? Do they have a little bit of a leg up? Yeah, it's a really, really good point because technology is not driven by social distance and guidelines. The companies that have fraud detection systems or automated systems to identify suspicious activity, they can still look at the data. The data is still there. Everything relates to the data. And if they have the right systems in place, then they're able to identify that suspicious activity within the data. The
Starting point is 00:09:58 companies that are thinking about cutting back on that technology or not investing into that technology in the future, they're the ones that are going to be on the outside looking in. The criminals are smart. These guys that are doing attempting fraud or committing fraud across the financial institution, they know which institutions resist it and which institutions don't resist it. The ones that don't resist it, you know, it's an easy target. They're going to go for them and they're not going to go for the ones that are resisting it. So technology does play a deterrent factor as well. What sort of things are financial institutions learning as a result of this shift to work from home and the social distancing and all those sorts of things?
Starting point is 00:10:41 Are there lessons they're going to take with them when we come out on the other side? Yeah, I do think there's a lot of lessons that they're going to be, that's going to drive us into the future. I think, you know, working from home is going to consistently be a more efficient way for organizations to do business. And, you know, that would be one of my recommendations
Starting point is 00:11:01 for anybody out there is to redo your risk assessment. If you haven't done one, you definitely need to do one. But if you have done one and you haven't done it in the past six months, you need to redo it because you need to really look to see what other risks are out there from people working at home. And it's not just the technology, it's the human factor as well. And one of the other things is surveillance. You know, I think financial institutions have to put into place some surveillance technology to monitor the emails, monitor where the data is going, and be able to block it right away through some type of mitigation process. That's Dennis Toomey from BAE Systems. The Wall Street Journal reports that the latest settlement in Equifax's 2017 breach, $30.5 million,
Starting point is 00:11:54 will mostly go toward a requirement that Equifax invest $25 million in upgrading its own security. So an adverse judgment can punish a company, but it's unlikely that any affected individuals are going to get rich from this kind of settlement. And finally, Sumit Gupta, founder of Beltrox, the Indian company Citizen Lab named in its report on hackers for hire, has told Reuters he did nothing wrong. All Beltrox did was help private investigators access email accounts when Beltrox was given credentials to those accounts. The snooping around environmental activist groups the Citizen Lab reported has gained a great deal of attention, but among the tasks Bell Trucks allegedly received from his customers was assistance in seeing what law firms, investment firms, short sellers,
Starting point is 00:12:37 and private litigants were up to. That's a pretty wide net. So who were the gumshoes and peepers who Mr. Gupta worked for? Well, if they did divorce work, they wouldn't be Philip Marlowe. Beyond that, well, there are a million stories in the naked city. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Salesforce.com slash careers to learn more.
Starting point is 00:13:31 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:51 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. to bypass your company's defenses is by targeting your executives and their families at home.
Starting point is 00:14:46 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:04 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He is from the Johns Hopkins University Information Security Institute. He is also my co-host on the Hacking Humans podcast. Joe, always great to have you back. Hi, Dave. Wanted to congratulate you. You recently had a paper published. Yes. Share with us what's going on here. So the paper is written by me and the principal investigator was Dr. Anton DeBora, my boss, Tony.
Starting point is 00:15:46 And he and I worked on developing a distributable cybersecurity course for community college students. And the goal of this course is to expose students at the community college level to a sampling of topics in cybersecurity. In this course, the course is divided into four modules. The first module is offensive security and forensics. And we talk about, we have Dr. Leschke, who is our forensics instructor, gives a really good overview lecture of forensics. I do a lecture on passwords and the history of passwords and how to crack passwords. Dr. Lanier Watkins does two lectures, one of which is about how he brings down UAVs or drones,
Starting point is 00:16:36 commodity UAVs and drones. Very interesting stuff. The next module that we have is an Internet of Things module. We discuss what an embedded system is, and then we do Internet of Things security for commodity Internet of Things. And then again, Dr. Watkins does a talk on SCADA and ICS devices, which are part of the Internet of Things, even though they're kind of separate. They're kind of very similar to Internet of Things devices and embedded systems. And then we have two modules, one on cryptography, which provides a good background of cryptography from Drs. Matt Green and Abhishek Jain, and then another module on blockchain, where Abhishek Jain, again, Dr. Jain walks you through the idea behind blockchain, the idea behind distributed consensus, and essentially how Bitcoin works from soup to nuts. And then one of our PhD students, who's now actually a doctor,
Starting point is 00:17:25 Gabriel Kapchuk, walks the students through other uses for blockchain technology, things like auditing and microblogging. So what's in it for Hopkins here to provide this sort of stuff to community colleges broadly? What motivates you all to do that? Well, of course, we'd like to see more people come into our ISI program. I see. Okay. That's really what we'd like. So it's not completely unselfish. No, no.
Starting point is 00:17:51 I mean, but generally, there is a consensus that there's a problem with getting people into the field. I've talked here about how that problem may not be as big as it seems, but we do need to get people interested in this field of cybersecurity, and we do need to make it available to as many people as possible. And that was really the goal, was to expose as many people as possible
Starting point is 00:18:14 to these underlying theories or this broad sampling of topics in the field and hopefully show people that there are some interesting fields that they might enjoy. Yeah. Now, can you give me some insights? So what's your experience with folks coming up through the community college pipeline versus state schools or private schools? Are we getting quality folks coming up through the community colleges? Absolutely. We get quality folks coming
Starting point is 00:18:42 up through the community college. My son started with a community college. He started here with Howard Community College, which is here in Howard County, Maryland, and now has progressed on to a four-year institution where he'll get his degree, hopefully, at the end of next year. as well, because a lot of these community colleges have enrollment agreements with other four-year institutions. So if you're a senior in high school or a junior in high school, actually, you should probably be thinking about this in your sophomore or junior year, look at the community colleges and ask where they have transfer agreements to and see if you would like to go to some of those schools as well. Then enroll with the community college and target with the target of going to that school, that four-year school. Because when you graduate from that four-year school, you just get a degree from that four-year school, right? Right. Nobody really knows or cares that
Starting point is 00:19:36 you went to community college for two years. Right. Nobody cares where you started. They care where you finished. Right. Exactly. Right. right. And then once you have your four-year degree, give us a call here at Hopkins or come apply to the ISI program. Or heck, you know, Joe, we sell ads, Joe. Right. I believe we buy ads, right? You do, you do. All right.
Starting point is 00:20:05 Well, before my boss comes at me, I suppose it's probably a good time to wrap up this segment. Joe Kerrigan? Can I plug the website? Sure. Why not? Yeah, well, I mean,
Starting point is 00:20:16 I want people to have this course. If you want to check it out, go to cybercourse, all one word, .isi.jhu.edu, and you can sign up for an account there and immediately download the course package, course material as one zip file. Yeah, that's a great opportunity because these are some high-level people offering their insights and, you know, teaching you some of these topics. That's right, Dave. A lot of our faculty are involved in this. I deliver a couple
Starting point is 00:20:44 of lectures. We even have some people from the Applied Physics Laboratory talking. That's right, Dave. A lot of our faculty are involved in this. I deliver a couple of lectures. We even have some people from the Applied Physics Laboratory talking. That's right. That's right. All right. Well, Joe Kerrigan, thanks for joining us. It's my pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
Starting point is 00:21:34 and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Thanks for listening. We'll see you back here tomorrow. Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:23:10 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
