CyberWire Daily - Australia’s Federal Parliament has a cyber incident. DHS warns of third-party spying. Legit privacy app tampered with. Credit Union phishing. Bezos vs. Pecker. FaceTime bounty. Seal scat.
Episode Date: February 8, 2019. In today's podcast, we hear that Australia is investigating an attempted hack of its Federal Parliament. The US Department of Homeland Security warns that spies are working through third parties to get to their targets. Spyware is bundled in a legitimate privacy app. Credit unions get spearphished. Mr. Bezos says, "No thanks, Mr. Pecker." Apple will pay a FaceTime bug bounty. Microsoft says don't use IE as a browser. And what they found in that seal scat. Justin Harvey from Accenture on credential stuffing. Guest is Sandi Roddy from Johns Hopkins APL on secure key management. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Australia investigates an attempted hack of its federal parliament. The U.S. Department of Homeland Security warns that spies are working through third parties to get to their targets. Spyware is bundled in a legitimate privacy app. Credit unions get spearphished. Mr. Bezos says, no thanks, Mr. Pecker. Sandi Roddy is chief scientist for cyber warfare operations at Johns Hopkins University Applied Physics Lab. She joins us to talk key management. Apple will pay a FaceTime bug bounty. Microsoft says don't use IE as a browser. And what they found in that seal scat.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, February 8th, 2019.
The Australian Federal Parliament was subjected to a cyber attack that seems to have been largely unsuccessful.
It's thought to be a foreign operation, but there's no evidence it was directed at influencing upcoming elections.
The Australian Broadcasting Corporation says the Australian Signals Directorate is investigating.
The inquiry is in its early stages and no attribution is expected in the near term.
A number of observers, however, are speculating that the incident was a Chinese operation.
China's intelligence services have targeted the federal parliament before.
The U.S. Department of Homeland Security has added its voice to a report on Chinese cyber espionage by Recorded Future and Rapid7 from earlier this week. DHS warns of a trend among APT10 and other state-directed threat actors of approaching their targets through third parties.
Security firm Bitdefender warns that Triout spyware has been bundled with altered copies of the legitimate Android privacy app Psiphon. The company's researchers had first observed and sounded an alert about Triout last August. In that round of infection, the spyware was bundled with an adult content app. This time, the packaging is much more innocent in appearance. Once installed on an Android device, Triout records calls, logs incoming texts, records videos, takes pictures, and collects GPS coordinates. And of course, it reports back to whoever's running it, currently via a server located in France. Bitdefender thinks the combination of high capability and low infection rate suggests that the spyware's masters are using it against carefully selected targets. The clean version of Psiphon is the one sold through Google Play. As usual, it's better to stick to large, official, well-known app stores. They're imperfect, of course, and everything's imperfect, but they're far better than buying from some opportunistic market. And, of course, to install a pirated version of anything is just asking for trouble in more ways than one can easily count.
Krebs on Security reports that there's been a recent phishing campaign targeting officers at credit unions who are responsible for anti-money laundering measures. The email told the credit union that the National Credit Union Administration, the NCUA, had noticed transactions that looked like money laundering and then encouraged the recipient to open an attached PDF for more details. The PDF, of course, carried the malicious payload. The text of the email was fortunately marred by the uncertain command of English usage that so often betrays phishing attempts for what they are, and it's not clear that any of the recipients, whom one would expect to be a wary bunch, actually opened the attachment. But the credit unions have a queasy feeling that someone somewhere might have. One of the credit unions (all of them are speaking to Krebs on Security on background, not for attribution) says that its IT staff traced one of the emails back to a Ukrainian source, so the campaign may be the work of an Eastern European criminal gang. The specificity of the phishing is interesting. It was first observed on January 30th, when National Credit Union Administration anti-money laundering points of contact at various individual credit unions received emails that purported to be from the NCUA. The persons being spearphished were the Bank Secrecy Act officers the Patriot Act requires credit unions to carry. NCUA is the independent federal agency responsible for insuring deposits at credit unions. The phishing campaign has been sufficiently well informed to lead credit unions to suspect that the attackers have somehow obtained non-public information from the NCUA. NCUA is not really talking about the incident, but the Treasury Department has said it's aware of the attempts and has asked that all credit unions disregard emails of this kind.
The Duty of Care campaign in the UK has apparently persuaded Instagram,
which has announced that it will take content that shows or advocates self-harming down from its service.
The policy change was prompted by the very sad case of a young teenage girl who took her own life.
Her family fairly convincingly blames content on Instagram for prompting her to commit suicide.
Amazon founder and Washington Post owner Jeff Bezos says in a blog post on Medium that AMI, the National Enquirer's corporate parent, is trying to blackmail him into calling the Post off stories AMI would prefer it didn't run, mostly pertaining to either Saudi Arabia or to the current U.S. administration. AMI seems to have told Mr. Bezos they have and will publish intimate selfies. He's responded by preemptively telling everyone what's in those selfies, and he's declined the offer to keep things quiet in exchange for certain considerations. "No thank you, Mr. Pecker," as his post is titled, effectively telling AMI to publish and be damned, and he asks rhetorically, if in my position I can't stand up to this kind of extortion, how many people can? Mr. Pecker is David Pecker, head of AMI. How the Enquirer got the below-the-belt selfies is unclear, TechCrunch says, and it also notes that the Enquirer is an old hand at getting embarrassing pictures. AMI, according to The Independent, The Washington Post, and other sources, is conducting its own internal investigation to see if it might have done something wrong in the way it got hold of the pictures, which it doesn't think it did, but which it says it's going to get to the bottom of.
Good news for the teenager who found and reported the privacy bug in FaceTime
with a lot of persistent help from his mom.
Apple will pay him a bug bounty.
Maybe you thought Internet Explorer was a browser. We sure tended to think of IE that way. But think again. Microsoft says it's a compatibility solution that should be used selectively and not as your primary browser. As Redmond puts it, quote, we're not supporting new web standards for it, and while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers, end quote. So, for your browsing needs, look elsewhere.
Finally, here's a little cautionary tale about the physical destruction and disposal of electronic media. Don't just fling the stuff overboard and expect your data to vanish for good. Wildlife veterinarians in New Zealand were running a check of seal scat, which is a standard way of monitoring the health of various animals. As they were doing so, they found in the scat a USB drive that the animal had apparently swallowed and subsequently pooped out. We stress apparently because not only was the data on the drive easily recovered, it held videos of seals disporting themselves off the bow of a kayak. But the owner has come forward. A seal enthusiast herself, she says she has interest in all matters otterine or phocine, down to and including their scat. She thinks she accidentally dropped the dongle in some seal droppings she was checking out on a beach. Anywho, if a drive can survive whatever happened there, it will surely survive being just tossed out. Dispose of electronics securely and properly, and keep them out of the mouths of children and animals.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's great to have you back. I wanted to touch base with you today on credential stuffing and how folks can protect themselves against it. Can we just start off at the beginning here? What are we talking about when we say credential stuffing?
Credential stuffing is where an attack group, typically cyber criminals, want to steal identity information or, in some cases, credit cards, or create fraudulent transactions on e-commerce sites. And the way that they do this is they go out on the public internet, and in some cases even the dark web, and they download huge files of email address and password combinations. And these files exist out there through intentional dumps from other attack groups, and they're freely available out there. In fact, there are even some websites that advertise: enter in your email address and we can tell you how many times you've been compromised on these e-commerce sites, because these dumps become the public domain, essentially, when they hit the internet a lot of times. So these adversaries grab those large files and then they write scripts to try each of these username and password combinations against your e-commerce site.
There are ways to prevent this. And in some cases, maybe if not prevent it, then slow it down to a manageable level so that you can take action. So the first and the best course of action is to implement multi-factor for your customers. Now, I know that there may be some revenue people out there that are going to be saying, well, Justin, that's going to affect the customer experience, and we're going to see a certain percentage of lost revenue because our customers can't figure out multi-factor. And I'm going to say there's two ways to go about this. The first way is, yes, you can take that little bit of customer experience hit, or you can wait until your site has become a victim of this and it becomes newsworthy and you take the brand damage, or you take the hit of that. And in some cases, take the EU, for example, there could be a GDPR violation by not taking appropriate steps. So multi-factor is the best course of action. It doesn't matter if it's an SMS, Google Authenticator, or CAPTCHA or image selection, but there's got to be some way to verify the next step of identity after you put in your email address and password.
One really effective way to see how many of your users have been affected by this is to essentially crack your own passwords. And what I mean by that, the way to go about this, is to talk to your threat intelligence provider. I know we do this at iDefense at Accenture, where our customers will ask for the latest dump files out there, the millions of username and password combinations, and they'll put that into their system and essentially run the same encryption protocol on the dump file. And then they take each encrypted password and compare it against the valid encrypted passwords on their own site. And that way, if there's a match, you know that that user has reused a password somewhere else on the internet where it's been publicly available. And then you can do a few things. You can lock that user account, you can send them a helpful email, or you can reset their password and send them an email that they need to essentially reset or unlock that account.
Now what about things like rate limiting, just not letting people pound that login with attempt after attempt?
You know, it's funny you say that. I literally just worked a case on that last month. And there are products out there in the market that could do that. I think that this client was working with Akamai. They have something called the Bot Manager, which looks for anomalous patterns in traffic in order to identify that. But one way to get around that, and it takes a little more time, and it takes a bigger swath of hosts that the adversary has access to, but they can do this in a low and slow manner. In fact, there's also ways to do this through using human beings instead of a script. You could even farm this out to 10, 20, 100 people, perhaps in low-wage countries, in order to run the attack yourself. So rate limiting is definitely recommended. It is effective, but it is not quite as effective as multi-factor, and I wouldn't put all your eggs in that basket.
Yeah.
All right.
Well, Justin Harvey, thanks for joining us.
Thank you very much.
My guest today is Sandi Roddy. She's Chief Scientist for Cyber Warfare Operations at Johns Hopkins University Applied Physics Lab. She joins us to share her expertise on the proper management of encryption keys and the importance of understanding the key lifecycle.
We all seem to be very, very comfortable with the fact that, oh, click this button, invoke this thing, and your data will be encrypted. But the missing piece in my mind is the lifecycle approach to say, when I need to do encryption, what are the entire set of concepts and ideas that I need to make sure that I understand so that I don't unintentionally brick my data. One of the analogies that I think of is, I have one of those locks on my front door where I can set different key codes for the different people who are coming into and out of my house when I'm not here. And that allows me the ability to manage my key to my front door. And it starts with the fact that I knew I needed to be able to allow different things to happen. I knew the purpose of ingress and egress of my house. And I knew that there were periods within which certain keys would be active and certain keys would then become deactivated. So that's a beginning piece of trying to understand key management.
Well, let's dig in some here. Can you describe to us what are you talking about when you're putting out this notion of the life cycle of these keys?
So the first thing you need to understand is, what kind of information do I need to encrypt? What kind of keys do I want to apply to it? Who's going to have access to those keys? And who's actually going to manage the keys? We are very, very comfortable with the fact that NIST has done a phenomenal job with the FIPS 140 criteria, by which, when you go buy an appliance that's going to generate your key for you, we know that it's good. But what we don't know is how many people are going to use that key, where's the appliance going to be stored, what are the administrators going to be doing, and how are you going to be auditing those administrator functions.
So it really is sort of a, it's a circular life cycle. Things come around in sort of a natural transition from step to step.
Exactly. Everything is cyclical in the approach that one generally, if you're doing this properly, you don't create a key that you use in perpetuity. Because as we all watch academics push further and further into how do I break key. I mean, it's an active challenge for academics and mathematicians to be able to say, oh, I can factor the next whatever key size of RSA is out there, because they spend their lives doing that. So if you're still using key material that is smaller than whatever's being factored today, you're essentially wasting your time. So you have to have this cyclical approach that allows you to iteratively improve the mechanisms that you're using and the way that you're approaching key.
And what are some of the areas where folks fall short on this? Where do they drop the ball?
The tendency is to say, oh, I need key to encrypt this kind of data. And so I'm going to go buy that product and bring it in without stepping back and saying, what's the full range of technologies that I'm using? And are the decisions that I'm making for applying cryptographic solutions consistent with what my IT environment looks like? The other piece where I see is that looking at the hierarchy of what is the most secure set of solutions that you can apply, and then how do you work your way down into picking a set of solutions. For example, I think that one of the things that people generally do is they pick one solution and say, oh, that's going to work for everything. But if you've got storage area networks and you've got file encryption and you've got hard drives, you have to understand exactly how your IT environment works and what you've got, and then what are those solutions that you can bring in and replace.
I think folks have a natural tendency to want to sort of set it and forget it. I suspect in this case that can lead to some real problems.
Yes, and the first piece of it that I had mentioned earlier about the life cycle of the key is, keys do age off, and keys don't retain the security functions that one expects them to do when you do day one initialization of key. So that's a big part of it. And then adjusting where your data is and the priority of who has access to that data. For example, if you have administrators that are able to get to your unprotected key material and they leave, you want to have processes in place that can adapt and adjust for that. And again, I'm not picking on administrators as being nefarious in any stretch of the imagination, but you have to understand who has access to the crown jewels, and that's what keys are, and then what are your plans, before you give them access to those keys, for adjusting and responding to the fact that they may leave and they may move on. You want to be able to say, I have mechanisms in place so that when my administrators move on or I need to replace them, I can also replace the key.
Now, what about the protection of the key itself, the security of the key itself? I'm thinking of sort of a real world analogy of having a lock on your front door. And it's one thing to leave the key under the mat. It's another thing to put a sign on the front door that says the key is under the mat.
Yes, and that's absolutely true. And what we find is that vendors don't always tell you where the key is when it's stored. I am a huge fan of hardware security modules, especially some of the ones that have proven time and time again that they do protect the key while the key is in there. So again, your security technologists and architects need to understand where the key is during the information lifecycle and the encrypt-decrypt lifecycle. It has to be unencrypted in memory. That's just the nature of the way using key is. But do you have audit processes in place to be able to understand which applications are pulling the key out of memory? So you look where it is at rest, you look where it is in motion, and then you understand the protections, whether they're actually, here we're getting into onions of keys, encrypting the key, or is it the fact that it's in a protected process when it's being used. So it can get very complicated, and I think that's why most people want to have somebody else tell them, here's your solution and here's what you should do, just push my easy button, and then you're all good. But I think we all owe it to ourselves to just dive into it a little bit deeper and have some sense of assurance that it is functioning as intended.
That's Sandi Roddy. She's from the Johns Hopkins University Applied Physics Lab.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.