CyberWire Daily - BEC attack pulls millions from car parts company. Wikipedia DDoS. NERC and FERC on grid hacking. Trolling Pyongyang. Mike Hammer goes to the DMV.

Episode Date: September 9, 2019

A big BEC extracts more than $37 million from a major automotive parts supplier. Wikipedia suffers a DDoS attack in Europe and the Middle East. NERC and FERC get to work. Thrip may really be Billbug, and that's attribution, not etymology. Was US Cyber Command trolling North Korea on the DPRK's national day? And what does the Department of Motor Vehicles do with all the data they collect on drivers? In some US states, it seems, they sell it to private eyes. Joe Carrigan from JHU ISI on a Gmail update for iOS which enables the blocking of tracking pixels. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_09.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A big email scam extracts more than $37 million from a major automotive parts supplier. Wikipedia suffers a DDoS attack in Europe and the Middle East. NERC and FERC get to work. Thrip may really be Billbug, and that's attribution, not etymology.
Starting point is 00:02:13 Was U.S. Cyber Command trolling North Korea on the DPRK's National Day? And what does the Department of Motor Vehicles do with all the data they collect on drivers? In some U.S. states, it seems, they sell it to private eyes. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 9th, 2019. At the end of last week, Toyota Boshoku Corporation, an automobile component manufacturer and a member of the Toyota Group, disclosed that a European subsidiary lost more than $37 million when it fell for a business email compromise attack.
Starting point is 00:02:56 The incident itself took place on August 14th. Toyota Boshoku has said in its disclosure that the loss occurred when the company followed, quote, fraudulent payment directions from a malicious third party, end quote. The loss was a heavy one, and it highlights the risk of business email compromise, even to well-established companies that can be expected to have sound procedures in place. Little more than these bare facts are known at this time. Toyota Boshoku says it's inhibited from saying more because of its participation in the ongoing police investigations. It does say it's working to recover the funds its subsidiary lost, and it asks for everyone's understanding of its decision not to offer more information at this time.
Starting point is 00:03:41 Also, over the weekend, Wikipedia sustained a cyber attack that took it offline in several countries. Computing called the outage the result of a large distributed denial-of-service attack affecting Europe and the Middle East. The Wikimedia Foundation said Saturday that bad-faith actors, of the sort it tends to attract, were responsible. Wikipedia is working to restore normal operations. The Foundation declined in its post to speculate about attribution. The North American Electric Reliability Corporation, NERC, an industry group,
Starting point is 00:04:15 has released a report on the March 5, 2019 incident that affected the U.S. power grid. According to E&E News, this cyber attack generated the first formal report of a cyber incident from the utilities to the Department of Energy. NERC's report of lessons learned downplays the severity of the attack as affecting a low-impact control center, and it cites a basic lapse in cyber hygiene, namely failure to patch a firewall, as the enabling cause. NERC recommends that utilities follow a set of familiar best practices: patch management, network segmentation, network monitoring, and so on.
Starting point is 00:04:59 Coincidentally or not, the Wall Street Journal observes that the Federal Energy Regulatory Commission, FERC, a U.S. government regulatory body, is considering revising its rules to include public identification of electric utilities that fail to follow rules designed to ensure the grid's physical and cyber security. CyberScoop reports that Symantec thinks a recently discovered Chinese government hacking group, Thrip, may actually be another manifestation of the long-active Billbug or Lotus Blossom unit. Thrip, like Lotus Blossom, has concentrated on military organizations. It's also particularly interested in satellite communications, media, and education targets. The geographical focus has been Southeast Asia.
Starting point is 00:05:41 What is trolling? It's a word with a complicated history. Its root meaning is a technique of fishing from a slow-moving boat, often with multiple hooks. It came to be used in the 1990s as a description of certain forms of online behavior designed to elicit a response from people looking at the Internet. Soon, people who trolled, that is, people who tried to engage others with distracting, often off-topic posts or comments, came to be known as trolls because trolling sounded like something mythical Scandinavian beings might do, maybe from beneath a bridge. So would trolling
Starting point is 00:06:18 count as a kind of information operation? Well, sure, why not? U.S. Cyber Command seems to have been trolling Pyongyang by releasing samples of DPRK malware on North Korea's national holiday. Axios thinks so, anyway. September 9th, which is today on the Baltimore side of the international dateline, but yesterday on the Sunanju side, is the day of the foundation of the republic. It's a big day in the DPRK, like the 4th of July in the United States, only with more flag teams and rhythmic applause than fireworks and grilled hot dogs. We should note that the North Korean government has been telling the rest of the world that, contrary to the slanders being mouthed by the Yankee puppets on the UN Security Council, they don't hack stuff or rob banks or jackpot ATMs or any of that stuff.
Starting point is 00:07:08 At any rate, between midnight and one in the morning yesterday, Cyber Command released some Hidden Cobra code for the benefit of researchers. Axios asked them if the timing was deliberate, if they were messing with Mr. Kim's head. Cyber Command said, in effect, no comment. Quote, we do not discuss details about the malware samples in CNMF team posts, end quote, is how their public affairs representative put it, in a statement that doesn't even amount to a non-denial denial.
Starting point is 00:07:39 As one tweeter observed, it's old stuff, and at this point, on this day, Cyber Command is just being mean. On the other hand, couldn't happen to a nicer guy. Right, Mr. Kim? And finally, what do departments of motor vehicles do with all that information they collect about drivers? In the U.S. and elsewhere, driver's licenses can amount to a de facto national identification system, and the DMV asks a lot of questions about you. A recent visit by one of our people to the DMV on the north side of Baltimore this weekend required birth certificates, marriage licenses, W-2 tax forms,
Starting point is 00:08:16 a recent credit card statement, and a recent utility bill, which is quite a grab bag of PII. So what do they do with all that stuff? Make sure you're you, of course, for one thing. But according to an investigation published by Vice, a lot of state DMVs are selling the data to third parties for some serious dough, enriching the state coffers to the tune of tens of millions of dollars. Who's buying?
Starting point is 00:08:41 Some of the purchasers strike Vice as more or less legit, like towing outfits and insurance companies. Others, however, seem, as Vice puts it, more nefarious, notably private investigators. And, unlike Philip Marlowe, these gumshoes are happy to do divorce work. Several of the DMVs told reporters that they drew the line at selling the photos on the licenses. So we've got that going for us, I guess.
Starting point is 00:11:37 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. Got an interesting story from The Verge, and this is about an update that Google made to Gmail for iOS users.
Starting point is 00:12:11 Right. What's going on here? So what they've done is they've finally given Gmail users on iOS the option of blocking images from being loaded when you open an email. Hmm. Okay. Right. You're an Android user. I am an Android user.
Starting point is 00:12:25 Is this something you could, already had that capability over on Planet Android? It would seem so. Okay. Although until this story came across, I didn't change the settings. Uh-huh. But I was able to go in and quickly change
Starting point is 00:12:40 the settings for all my accounts. Now it's account per account basis. So the setting is attached to the account, not to your Gmail client in general. I see. So I have like five Gmail accounts on my phone. Right. What was interesting is in the article, it says that iOS
Starting point is 00:12:55 for Gmail users will now let you do it, but if you use G Suite, you cannot block images from loading. Right. So the corporate users can't do it. Can't do it. But corporate users can do it on Android because I have a corporate email account from G Suite on my phone.
Starting point is 00:13:13 I was able to change the setting for loading images on loading the email. Now let's review here. What's the significance of being able to turn off loading images? Okay, so there's actually a privacy and security risk with this. Somebody can attach or put in, embed in the HTML of an email, because for years now, for decades now, email has been using HTML. I can create a unique file name for every email I send out and have that file loaded when someone opens the email
Starting point is 00:13:48 and the HTML engine of either the email client or the webpage notices that there is a link for an image. It goes and it requests the image, but because it requested an image with a unique name, I know who has opened that email, when they opened the email, and I may actually know where they are. So this is the whole tracking pixels thing. Right. It's a tracking pixel, essentially. Right.
Starting point is 00:14:11 It can be a very small white image that you'll never see. And I look at, I open an email in my email client, this tracking pixel gets summoned. Right. And you know that I've opened the email. Correct. Right.
Starting point is 00:14:22 Now, I actually have a plug-in for Chrome that I use. Right. That blocks tracking pixels. It's called Ugly Email. Ugly Email. Ugly Email.
Starting point is 00:14:42 And one of the things I like about it is that it puts up a little icon next to messages that contain tracking pixels. So it knows before you open it. Correct. Ah. Correct. And one of the things I like about this is that it just lets me know who's trying to track me. That's good information to have, I think. It is.
Starting point is 00:14:57 It is. And it's very interesting. I mean, obviously, here at the Cyber Wire, we get lots of email from PR folks. PR folks love to know if you've opened their emails or not. Yes, yes, they do. So, you know, and this also blocks that, so they don't know if you've opened their emails or not. So, you know, that can be helpful. So, yeah, interesting.
Starting point is 00:15:22 It's a good third-party solution on your web browser, but what about your phone? Now Google is allowing you to do this on your Google account, your Gmail accounts, but not on your G Suite accounts. I think they need to go ahead and allow G Suite users to do this as well. All right, well, it's a good capability. I guess I could say, what took you so long? Right. I'll say that for you, Dave. Why haven't you done it for G Suite users?
Starting point is 00:15:43 That's what I'd like to know on iOS. I mean, I can do it on my Android phone, but it seems like it's a fairly simple fix. Yeah. All right. Well, good to know. And if this is something you think concerns you, definitely worth going in and checking those settings. Maybe it's something you want to turn on. Yep. All right. Joe Carrigan, thanks for joining us. My pleasure, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:17:01 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault,
Starting point is 00:17:30 Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
