CyberWire Daily - An election database leaks. Phishing from Firebase. Shiny Hunters sell Mathway user records. COVID-19-themed scams. On that return to the office thing...

Episode Date: May 22, 2020

Indonesia’s election database has leaked, and PII is for sale in the dark web. Phishing campaigns abuse Firebase. The Shiny Hunters are selling Mathway user records. US agencies warn of COVID-19-themed criminal campaigns. Contact tracing technology hits a rough patch. Johannes Ullrich from SANS on phishing PDFs with incremental updates. Our guest is author Peter Singer on his new book, Burn-In. And what are you going to do when you return to the workplace? If, that is, you’ve left the workplace at all, and if you’re in fact ever going to return? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/100 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Indonesia's election database has leaked and PII is for sale in the dark web. Phishing campaigns abuse Firebase. The Shiny Hunters are selling Mathway user records. U.S. agencies warn of COVID-19-themed criminal campaigns.
Starting point is 00:02:11 Contact tracing technology hits a rough patch. Johannes Ullrich on phishing PDFs with incremental updates. Our guest is author Peter Singer on his new book, Burn-In. And what are you going to do when you return to the workplace? If, that is, you've left the workplace at all, and if you're in fact ever going to return. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 22, 2020. Indonesia's General Election Commission is investigating the release of voters' private information on a hacker website. Reuters says that 2.3 million people's data have so far been released,
Starting point is 00:02:55 but that those claiming responsibility are threatening to expose data on 200 million Indonesians. Authorities confirmed that the data were authentic and that they included such items as home addresses and national identification numbers. The source of the leak is unknown, but the General Election Commission said that it didn't happen in the Commission's own servers. They suggest that it may have come from the presidential candidates or political parties with whom the Commission is obligated by law to share such data.
Starting point is 00:03:31 Researchers at Trustwave SpiderLabs have observed phishing campaigns abusing Firebase, the Google-owned application development platform that offers users secure storage on the Google Cloud. The phishing emails are fairly routine, using commodity-level templates that misrepresent themselves as coming from such well-known brands as Outlook, Office 365, or the Bank of America. But the use of Firebase URLs in the phishing is significant, as many of those will pass through automated screens established in email systems. The Shiny Hunters gang appears to be offering stolen Mathway user records for sale. Mathway is a highly rated Android and iOS calculator app. Bleeping Computer reports that Mathway is currently investigating the incident.
Starting point is 00:04:15 ZeroFox has been tracking the Shiny Hunters in their other criminal activities. The gang has been an unusually active player in the criminal market for data. Four U.S. federal agencies, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Internal Revenue Service, the Department of the Treasury, and the U.S. Secret Service, all warn that the government continues to encounter attempts by criminals to steal personal and banking information using COVID-19 phish bait to lure their victims. Fifth Domain reports that many of these attempts involve drawing people in with proffers of assistance from the CARES Relief Act and other programs established to help people during the economic stresses of the pandemic.
Starting point is 00:05:00 Computer Weekly reports that authorities in the UK acknowledge that the NHS contact tracing app won't make the June 1st deadline for a national rollout. This is due in part to skittishness by the governments of Northern Ireland and Scotland about the privacy and efficacy of the system. Northern Ireland, for example, doesn't want a system that will impede travel across the border with the Republic of Ireland. NHS Highland, responsible for healthcare in Scotland, has undertaken development of its own system designed to protect residents, visitors and staff in care homes from the infection by creating virtual geo-zones around the care home and particularly sensitive or quarantined areas to control access, as well as dynamic personal two-metre geo-zones around everyone with the app. It's also due in part to what's increasingly perceived
Starting point is 00:05:50 as an unacceptable degree of bugginess in the app's source code itself. As Gizmodo UK put it, it's just getting silly now. In any case, a June 1st rollout is now generally regarded as an impossibility. The U.S. federal government hasn't undertaken development of a national contact tracing app along British lines, but some of the states have. North and South Dakota have deployed Care19, an app that collects geolocation data under conditions that require opt-in, anonymization, and no sharing with third parties. But researchers at privacy specialist shop Jumbo Privacy have looked at Care19 and report, as the Washington Post reports,
Starting point is 00:06:32 that one of the first contact tracing apps violates its own privacy policy. In particular, Jumbo says that Care19 shares location data with Foursquare, best known for its offerings in support of advertisers, and also that the app's data aren't really as anonymous as one might think. They include devices advertising identifiers. Jumbo recommends that users not install the app until Care19's privacy policy is updated for accuracy and until the app can assure users that their data won't be shared with third parties.
Starting point is 00:07:05 There are other state-level projects under development. The Telegraph reports that British tech company WeHo has contracted with eight states to develop a system for tracking the movements of connected cars. The better to help the states ensure that people are following stay-at-home orders, going out only for essentials like groceries, and not simply gallivanting around like a bunch of Sunday drivers. Comments on the story generally evince a negative reaction to this kind of tracking, as well as some expression of relief that, thank heaven, the commenter drives a primitive rattletrap without newfangled internet gizmos.
Starting point is 00:07:46 Remote work appears likely to remain widespread even after the pandemic abates. Facebook is the most prominent corporation to announce that it's all in on a teleworking future. The Wall Street Journal reports that Menlo Park sees many advantages in terms of cost savings, productivity, and employee quality of life when its people won't actually have to show up in Menlo Park. And of course, Mr. Zuckerberg foresees more geographical and ideological diversity if the company's workers can live anywhere and not remain so closely tied to the San Francisco Bay Area. The U.S. federal government has also found that many of its jobs can be done from home. Federal Times reports that the U.S. federal CIO Suzette Kent says the government has been able to rethink its ways of doing business and now has a better grip of the sorts of work that in fact require physical presence to accomplish.
Starting point is 00:08:36 This is good news for vendors who specialize in remote collaboration tools, as the Wall Street Journal also observes. The effects on individual workers will vary depending on their home circumstances. They may also have to accept lower salaries. Few places have a higher cost of living than Silicon Valley, and that will surely factor into compensation plans. There are some downsides to both returning to the office and continuing to work from home. Police in the UK are concerned that businesses take proper precautions to ensure that the offices they've abandoned during the pandemic are clear of cyber threats when people return.
Starting point is 00:09:15 SC Magazine quotes Peter Goodman, Chief Constable for the Derbyshire Constabulary, National Lead for Cybercrime and for Serious and Organized Crime, National Police Chiefs Council, as saying, quote, Imagine an infestation of evil maids if you must, but at least take a look at security upon your return. Another issue that might be easily overlooked by organizations continuing to work remotely, does your cyber insurance cover risks of telework? J.D. Supra advises you to check your policies.
Starting point is 00:10:00 And finally, Monday is Memorial Day in the United States, and we'll be observing the federal holiday with a break from publication. We'll be back as usual on Tuesday, May 26th. In the meantime, spare a thought and a memory for the fallen, for their families, and for those alongside whom they served. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:10:42 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:13 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:58 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:42 P.W. Singer is author of a number of noteworthy books, including Like War, The Weaponization of Social Media, and Ghost Fleet, which he co-authored with August Cole. Their latest effort is the techno-thriller Burn-In, a novel of the real robotic revolution. P.W. Singer joined me to discuss the book. What we did with Burn-In is that we designed into it from the very start the idea that it could be a blend of both storytelling, but also that people would learn from it. So it's a new kind of book. It's a mix of novel and nonfiction. So it's a techno thriller. It follows a character, an FBI agent, 20 years from now, set in Washington, D.C., as she's on the hunt for a new kind of terrorist who's using new cyber means, relevant to what you and I are gathered to talk about, to conduct the types of attacks that weren't possible before, in effect to hold an entire city hostage.
Starting point is 00:13:49 But along the way, baked into the story are some 300 explanations and predictions that are drawn from nonfiction style research. And literally they've got the footnotes in the text. So it might be anything from when two characters are talking, and in the distance, a delivery drone with six rotors flies overhead. It'll then have a footnote to show that's not what, you know, Singer dreamed up. It actually has to be Amazon patent for that specific design. You know, you mentioned the extensive end notes for the book, and it really is sort of a hybrid. I don't know that I've ever seen a work of fiction that is so well documented the way that you and your co-author have done here. And I'm wondering, can you give us some insights on these boundaries that you set up for yourselves? It's, it's almost like you, you,
Starting point is 00:14:47 you put a certain set of rules like a puzzle that you had to solve by not allowing yourself the sort of hand-waving that you'll see with, with many books that deal with the future, that deal with technology. Yeah, it's certainly a heck of a lot more challenging. It'd be a lot easier if you could just say, oh, and then the good guy pulled out his XYZ thing and solved it or the way some of the TV shows are. And now we hack the system. Clickety clack. Okay, we're in. But again, it goes back to this concept of a cross between a novel and nonfiction. For some people, it's just hopefully going to be a great summer read. Now, I don't know whether it's going to be a read while they're still stuck at home or maybe they'll be allowed to go out to the beach.
Starting point is 00:15:45 But some people just enjoy it that way. For other people, they're going to go, oh, and maybe look at that footnote. And that's because we spent literally years on this double track, one which is, you know, building up the characters and the scenes. But sometimes, as you hit that idea of a puzzle, it's a character faces a certain challenge. How do I cause this bad thing to happen? Okay, what would a real world bad guy do? Or the bad guy has just done X. How would a real world FBI agent or a Marine respond?
Starting point is 00:16:24 Yeah, well, the book is certainly very entertaining. It's quite a page turner. But beyond that, what are the things you want people to know? You're going to have to have that quote out there and blast it out to everyone. I really appreciate that. But I'm curious, beyond just the entertainment factor, what are the things that you hope people take away from it? A couple of things.
Starting point is 00:16:48 One is this challenge of understanding the world that's changing around us. We have a certain irony playing out right now where the technologies of science fiction, they're coming true. And yet science fiction hasn't well equipped us for them. Either it's something that is never going to happen in the distant future. You know, the Secretary of Treasury said that automation is not something we have to think about for, quote, 50 to 100 years, end quote. And that's why it's, quote, not even on my radar screen, end quote, is how he talked about it. We're already seeing the effect of automation and everything from critical infrastructure systems, be it a regular business, be it at a power system, be it at a hospital,
Starting point is 00:17:46 we see automation playing out in our homes. And we're only at the start of this. So you have that one, it's way off in the distance. And then you have the other that it's all about, well, you know, the only risk factor to think about is, you know, one day they might kill us all. The killer robot narrative that's gotten so much attention. No, we've got all of these issues we have to think about, everything from how it changes our economy, how it changes our politics, how it changes our security. So the book raises these issues, but also it helps share the basics of them for people that don't want to read, you know, an academic white paper. And I'm an academic and I get most people don't want to read it. So, you know, we explain through the
Starting point is 00:18:31 story, everything from how AI works to some of the issues we have to figure out, like the concept of algorithmic bias, what happens when the machines train the wrong way and it gives you a bum steer. We explain that, but in a way that you don't feel like you're being spoon-fed the yucky vegetables. So I hope it's helpful to people in understanding what looms and giving them sort of the basic terms and concepts. And then maybe we also steer towards certain things that, hey, you have to fix this if we want to be a lot safer. That's P.W. Singer. The book is titled Burn-In. There's much more to our conversation, and you can check that out when you sign up for by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:19:52 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I am pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute, and he is also host of the ISC StormCast podcast. Johannes, always great to have you back. You all have been tracking some reflective DNS DDoS attacks.
Starting point is 00:20:27 Fill us in here. What's going on? Yeah, so we just want to know what's happening with these attacks. They used to be really big like a few years ago when they hit some large banks, but hadn't really heard much about these attacks. So what we did is we set up a little honeypot that basically acted as a reflective DNS server. So basically, it could be used to amplify these attacks. We put, of course, some controls around it that wouldn't cause any damage. But then we just looked, how is it going to be used? And we did see actually quite a number of reflective attacks being launched.
Starting point is 00:21:04 What we sort of noticed is a couple things. First of all, the targets were all small businesses or hobby sites and things like that. It looks like the banks, the large targets that used to be in the news like a few years ago, well, they found workarounds for this. As I usually say, they managed to buy their way out of it. That's what you usually do with a denial of service attack.
Starting point is 00:21:24 You hire some service, you buy more bandwidth to block these attacks. These small companies, they don't really have the option to do that. Can you give us a little bit of the background of what's going on when we're talking about a reflective DNS DDoS attack? Yeah, so the way they essentially work is that an attacker will spoof a query. So they'll claim to be like that small business, and they'll ask a question. And the question is very small. Like, hey, tell me everything you know about this particular domain name or this particular host name.
Starting point is 00:22:02 And then the DNS server that's badly configured in this case will respond with a very large response. Now, this response will go to the victim that the attacker claimed to represent. And this can lead to amplifications of sort of in the order of 20 to 100. Since it's DNS, it's also kind of difficult to defend against. You can't just easily block DNS. You have to be a little bit more selective in how you filter this. And so the amplification, plus the fact that these responses come from valid,
Starting point is 00:22:38 innocent bystander DNS servers, really makes it difficult to defend against. And also, the attack can be quite massive. They can be gigabytes per second, which, again, for a smaller website is difficult to defend, can be quite expensive. Do you have any insights as to why these small businesses and hobby sites end up being targets? That's sometimes a little bit hard to tell, but one thing we noticed is a lot of IRC servers,
Starting point is 00:23:10 and yes, IRC is still around. IRC has historically been sort of a favorite target for these sort of nuisance denial of service hit hacks, kids getting angry at each other. I remember way back when I started this business, it was like around 2000, there was this game of IRC jousting where basically two people sort of gave each other their IP address and then launched a denial of service attack against each other
Starting point is 00:23:37 and whoever dropped off the IRC channel first lost. In the process, they took down, of course, a couple of ISPs and such. It's all for the fun of it. Right, yeah. Sort of an interesting little side note on this. I noticed that a lot of .gov domains are being abused here. And the reason for this is that .gov mandates the use of DNSSEC. Now, DNSSEC is security technology. So you would think, hey, it's a good thing. But it does make DNS response a lot
Starting point is 00:24:16 larger because now you have to include all these keys and such. Of all websites, peacecorps.gov is like one of the top targets we have seen there. Wow. There's a small irony there, I suppose. Yeah. All right. Interesting, as always. Johannes Ullrich, thanks for joining us. And that's The Cyber Wire.
Starting point is 00:24:53 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:25:14 Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:26:10 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
