CyberWire Daily - A quick look back at the US midterms, and the cyber Pearl Harbor that wasn’t. Update Apache Struts. Smishing with the Play Store. Another advance fee scam.

Episode Date: November 7, 2018

In today’s podcast we take a quick look back at the US midterm elections, and at what did and didn’t happen. Is Iran looking at waging cyber-enabled economic warfare? If you use Apache Struts, update now to avoid remote code execution. A spyware-delivering app is used to smish Spanish-speaking users of the Play Store. And, once again, people really seem to think that Elon Musk will return them their Bitcoin donations tenfold. (Enough people to make crime pay, anyway.) Justin Harvey from Accenture on notification laws and incident response. Guest is Christian Lees from InfoArmor with thoughts on what they’re seeing trafficked on the dark web. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_07.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A quick look back at U.S. midterm elections and at what did and didn't happen. Is Iran looking at waging cyber-enabled economic warfare? If you use Apache Struts, update now to avoid remote code execution.
Starting point is 00:02:11 A spyware delivering app is smishing Spanish-speaking users of the Play Store. And once again, people really seem to think that Elon Musk will return them their Bitcoin donations tenfold. Enough people to make crime pay, anyway.
Starting point is 00:02:31 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 7th, 2018. The U.S. midterms are over with, as the Wall Street Journal puts it, no significant foreign influence seen by either officials or private companies watching the vote for cyberattacks. That is, there was no apparent wave of hacked databases, manipulated vote counts, voter suppression by electronic alteration of records, systematic fraudulent voting enabled by computer network attack, denial of service, and so on, what we've had occasion to call hacking proper. This is despite the various problems found in voting hardware around the country, no more than usual. Most observers didn't even see a particularly large spike in election-targeting information operations.
Starting point is 00:03:21 Facebook did confirm that the coordinated inauthenticity they found in about 100 accounts the social network suspended this week was connected to Russian operators. Those operators included, unsurprisingly, the notorious St. Petersburg troll farm that calls itself the Internet Research Agency. The various ongoing influence operations spotted seem to amount to a new normal and can be expected to continue post-election. Some of that disinformation will seek to shake confidence that the election was fairly conducted, as the U.S. Department of Homeland Security emphasized in press briefings yesterday. All that matters to the adversaries is creating an impression that the vote was untrustworthy. All of this is of course gratifying to see.
Starting point is 00:04:09 The apparent lack of hacking proper may remind older observers of what happened, for the most part nothing really, at the end of the Y2K panic. But it's also likely that, as Fifth Domain reflects, that the relatively smooth election was the result of some intelligent preparation over the past two years. There's surely more effective sharing of information between federal agencies and state election bodies, and the Department of Homeland Security seems to have been patiently working to build some sensible consensus models.
Starting point is 00:04:40 What effect, if any, the barking about U.S. Cyber Command's ability and willingness to rain virtual scunion down on foreign states that so much as looked sideways at the polling is of course unknown. The U.S. willingness to openly signal that it was prepared to cry havoc and release the dogs of the World Wide Web was interesting, and will be worth watching in the future. Those interested in nation-state threat actors and what might be expected of them may find the Foundation for Defense of Democracies' outline of Iran's cyber-enabled economic warfare interesting. Their analysis suggests that Iran's willingness and ability to learn
Starting point is 00:05:20 have made it a more dangerous actor in cyberspace. The study also concludes that re-imposition of sanctions against Iran for what the U.S. considers Tehran's violations of the agreed framework to limit nuclear proliferation in the region will embolden the regime to resume cyberattacks against economic targets in regional rivals like Saudi Arabia and perennial adversaries like the U.S. and Israel. In the aftermath of a data breach, it's become routine for observers to keep an eye on the dark web to see if and how quickly the breached data makes its way into underground online markets. Christian Lees is CISO, and he also heads up the intelligence team at InfoArmor,
Starting point is 00:06:03 where they spend a good amount of time monitoring the dark web. The state of the dark web today is, in my humble opinion, could be compared to any other major marketplace, right? It's driven by supply and demand, and it's much like an organism. It moves, it corrects itself, and adapts. I see being in the dark web every day. I see it absolutely growing. It's growing massive very quickly. We see marketing messages certainly towards consumers that it's this scary thing, this bad neighborhood that you don't want to accidentally wander into or find your information in there. How does that compare to what you see?
Starting point is 00:06:46 It's actually a great question. You know, I mean, again, I think that when, you know, consumers, when we think of the dark web, we automatically think of that guy with the hoodie and, you know, he has like no face. And in my humble opinion, I really think that what's going on in the dark web is, again, of course, we have this kind of elite closed area, kind of like what you alluded to, right? Almost like a speakeasy, right? It's like two knocks and a whistle and they open the door and you get in. There's certainly that kind of environment, you know, very closed marketplace. But this is really for the elite threat actor. And I think what we are seeing today is, is these elite threat actors that are very difficult to get to are more willing to kind of engage third-party brokers.
Starting point is 00:07:35 And that's where we kind of see the dark web absolutely expanding, right? So let's let these third-party brokers resell in the more kind of open environment. So for organizations that are out there trying to protect themselves, how do they, what's an appropriate way for them to dial in the amount of concern and attention they should pay to the dark web? That's a very difficult question, right? Because we are doing nothing. We as consumers and we as organizations, we are doing nothing but increasing our digital identity every single day. And that's what fuels the underground economy, right? For example, compromised credentials, which is largely commodity-based data within the underground economy.
Starting point is 00:08:22 But we are so willing to go use our credentials, oftentimes, unfortunately, our corporate credentials for these third-party websites. This is where the suppliers get their goods, right? Compromising these third-party websites and that fuels the underground economy. So I think that many organizations, you know, they have a sophistication level that they can monitor open source environments and check for their data. But for the, you know, small to medium businesses, it's pretty difficult, right, to understand the dark web.
Starting point is 00:09:00 And, you know, obviously, I recommend that they partner with an organization that helps them hunt the hunter within the underground economy. I speak all over the world. I speak to the InfoSec community. And something that I find a little disappointing is I hear this constant trend or this constant comment in the InfoSecurity world of it's not a matter of if, it's a matter of when. And it just drives me insane. So I would just like to take one minute and acknowledge the amazing work that the good people do, the info security. We protect every day. We do a really great job. So I think it's really worthwhile just to acknowledge that. However, having said that, something that has that we are currently researching in the underground economy is, you know, threat actors.
Starting point is 00:09:55 They are, like I said, the underground economy. It's an organism. It adapts. It moves. They are in recognition at how well organizations do protect. For example, you know, it was not long ago that you could simply go to your bank with your username and password, right? So threat actors were regularly selling a username and a password and a URL to log into and a threat actor could have a heyday with that. However, today, these organizations tend to protect with variables, system variables. So threat actors today are actually not only selling the credentials, they're also selling the variables of your environment, of your machine itself. So, for example, if I were to go to my financial institution, they're going to look at perhaps my browser or an MD5 hash in my browser. They're going to look at perhaps maybe cookies that I have on my system or patching level or the resolution of my screen. And they're going to make kind of like this pre-decision about me prior to ever successfully putting in these uh underground economy you know dark markets
Starting point is 00:11:26 they're actually selling not only the credentials but they're selling the users' environments, the variables, along with it, the cookies, the, you know, all of the settings, and they package it up in just a small web browser extension that you load. Therefore, you can bypass the Step-Up Challenge, which to me is absolutely mind-blowing. That's Christian Lees from InfoArmor. The Apache Software Foundation urges users of Struts 2.3.36 to update the Commons FileUpload library to avoid a remote code execution flaw. Struts is widely used and the recommendation should be taken seriously. Security firm Trend Micro warns that a malicious app in Google Play
Starting point is 00:12:16 is appearing in Spanish-language smishing attacks. At the end of October, TrendLabs researchers found an app, Movil Secure, available in the Play Store. It represents itself as a mobile token service, but was in fact spyware. The developers, who've succeeded in getting other malicious wares into the chain-link-fenced garden of Google Play, were unusually slick and persuasive in offering a professional-looking impersonation of a legitimate app. But, of course, you don't really need to even be that persuasive. For example, nobody falls for advance fee scams anymore, right?
Starting point is 00:12:54 I mean, really, right? I mean, you know, who's going to believe that someone would actually marry you if you sent them some money? After all, that scam was exposed as far back as the Three Stooges' Crash Goes the Hash, Opus 77, 1944, when the society matron was saved by freelance reporters from the bogus marriage proposal of a crook who styled himself the Prince Sham of Ubi Darn. By the way, if you don't know Mr. Howard and Fine's Opus 77, our film criticism desk recommends it highly. A film of novelistic complexity, they say. Going on to call it a ringing affirmation of journalistic integrity
Starting point is 00:13:32 and a rejection of the bald cynicism of Citizen Kane. Two thumbs way, way up, and it makes Last Year at Marienbad look like an 8mm knockoff of It's a Wonderful Life. And for sure, no one would think that Elon Musk is actually, like, giving away 10 times the amount of Bitcoin you send over to him just to establish your identity, right? Wrong. It seems that a relatively convincing set of hijacked Twitter accounts, up for only about a day, convinced people to send in 392 Bitcoin payments, amounting to about $180,000. Let that sink in. People were convinced enough
Starting point is 00:14:14 to act 392 times and give the bogus Elon a nice $180,000 payday. But what's that, you ask? Weren't people looking for the blue check seal of authenticity? They were looking, and the blue check was there for all to see. They overlooked usage errors and bad grammar to swallow the fish bait, hook, line, and sinker. So those who live by the blue check die by the blue check, figuratively, of course. So if you're asked to send some money in advance, just don't. And if you slip up and do, then lawyer up. May we recommend someone like iCheatum, the attorney featured in the Stooges' fine opus 83,
Starting point is 00:14:57 Pests in a Mess. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:15:26 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:15:57 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:53 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's great to have you back.
Starting point is 00:17:29 I wanted to touch today on breach notification laws and the impact that they have on incident response. What can you share with us? Well, I've been seeing a trend that companies are rushing to notify regulators of a data breach. And the startling aspect is how they revise their numbers. And I'm not going to call anyone out specifically, but you see some organizations that are reporting the tens of millions or the hundreds of millions identities that they have been suspected to have been stolen. And that sets off a firestorm of activity. People are getting worried. They don't know really yet if they've
Starting point is 00:18:12 been affected. And many times these organizations can actually do themselves a disservice or harm by alerting the regulators and being so public because the adversaries are now aware that there has been a breach and or that they have been found. And I think that a more pragmatic approach has to be adopted by our industry, by organizations, and by regulators to have a time period for investigation. My team frequently responds to these large-scale incidents and breaches. It's really quite startling being on the inside and not exactly knowing the extent, and then organizations go public. There's still a little bit of revising that has to happen in the public sense. So I think that regulators really need to give that time period to companies in order to get their facts
Starting point is 00:19:13 straight, to understand the scope of the impact, and be able to articulate that in a very clear way to the public before rushing to judgment. So do you envision this being something where the organization could perhaps contact the regulators and say, hey, we've had a breach, and then allow them to make their case? This is why we think it's in everyone's best interest to wait a little while before we go public with this? Yes, I think that there is a graded or there's a gradient approach that should be adopted by regulators so that the first level would be we have an incident,
Starting point is 00:19:54 we think it's of this scope, but give us some time and be able to have a dialogue with regulators saying it's going to take us two weeks to do the forensics on these 30 machines. And then after those two weeks, we will report back on what we know. And if there's some empirical data to support the initial compromise vector
Starting point is 00:20:17 and the initial compromise numbers, then the regulator can then help them go public from that. But right now, it seems to be more of a Boolean, a black and white decision point by regulators. All right. Interesting. Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:20:50 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:37 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman,
Starting point is 00:21:57 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Thank you. to innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
