CyberWire Daily - BlueLeaks hacktivists dump police files online. NSO Group back in the news. COVID-19 apps and databases versus privacy. Cyber conflict: China versus India and Australia. An alt-coin baron’s story.

Episode Date: June 22, 2020

BlueLeaks dumps stolen police files online. A report of spyware delivered via network injection. COVID-19 apps and databases are reported to have indifferent privacy safeguards, and there’s been one... big recent leak. India and Australia both on alert for Chinese cyberattacks. Our own Rick Howard on intelligence operations. It’s Cybersecurity Canon Week, our guest is Todd Fitzgerald, author of CISO Compass. And New Zealand piles on in the case of a Russian alt-coin baron. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/120

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first
Starting point is 00:00:30 future together. Head to salesforce.com slash careers to learn more. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:00:49 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. BlueLeaks dumps stolen police files online. A report of spyware delivered via network injection. COVID-19 apps and databases are reported to have indifferent privacy safeguards. And there's been one big recent leak.
Starting point is 00:01:37 India and Australia are both on alert for Chinese cyber attacks. Our own Rick Howard on intelligence operations. It's Cybersecurity Canon Week, our guest is Todd Fitzgerald, author of CISO Compass, and New Zealand piles on in the case of a Russian altcoin baron. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 22nd, 2020. police and FBI reports, bulletins, guides, and more. The files are available,
Starting point is 00:02:31 Krebs on Security reports, in a searchable database. The National Fusion Center Association, in an internal June 20th assessment, confirmed that the data were indeed valid and that the files in the leak were compiled between August 1996 and June 19, 2020, which covers almost 16 more years than DDoSecrets claimed in their tweeted communique. The data include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV, and zip files. The NFCA said in its internal alert: "Additionally, the data dump contains emails and associated attachments. Our initial analysis revealed that some of these files contain highly sensitive information,
Starting point is 00:03:23 such as ACH routing numbers, international bank account numbers, and other financial data, as well as personally identifiable information and images of suspects listed in requests for information and other law enforcement and government agency reports." The incident appears to be a case of damage inflicted through a third party. The NFCA believes the data were probably taken from NetCentral, a contractor widely used by state fusion centers, by a threat actor who used compromised NetCentral credentials to facilitate data exfiltration. The data are thought unlikely to contain much, if any, information about police misconduct, but they will probably include a great deal that organized crime will find interesting and useful, including information about protected witnesses, investigations, and so on.
Starting point is 00:04:08 Moroccan journalist Omar Radi's phone was infected with spyware in a network injection attack that Amnesty International says looks like an application of NSO Group intercept technology. Amnesty says it had seen the technique, which requires the attacker to either use a rogue cell tower, like a Stingray, or to exploit access to the mobile carrier's internal infrastructure, used against at least one other Moroccan journalist. Amnesty believes the spyware installed was NSO Group's Pegasus. The group notes with displeasure that the incident with Radi's phone occurred just some three days after NSO Group announced a new policy designed to control abuse of its lawful intercept technology by authoritarian regimes. Researchers at Guardsquare conclude that many of the contact tracing apps being deployed by governments fall short in terms of privacy safeguards. They examined 17 Android apps used in 17 different countries and found that most lacked root detection, name obfuscation, string encryption, emulator detection, asset and resource encryption, or class encryption. Only one of the 17 was fully obfuscated and encrypted.
Starting point is 00:05:46 The International Digital Accountability Council, while acknowledging that most of the contact tracing apps were developed with the best intentions, found that eight apps they studied tend to overshare data with third parties. Some of that sharing is with companies like Branch, Crashlytics, and Facebook, and seems intended, the Washington Post notes, to optimize performance. Other sharing is less obviously related to performance optimization. The symptom logging apps Kencore COVID-19 and Care19, as well as the smart thermometer app Kinsa, seem to be sharing data of the sort normally used for marketing. And there's been one significant breach of PII from a COVID-19 test database
Starting point is 00:06:29 maintained by the Indonesian government. An unknown hacker going by the name Database Shopping is selling personally identifiable information of Indonesians who've been tested for COVID-19. The data are being offered on RaidForums. Asia One reports that the information leaked from a government database and that more than 200,000 individuals are affected. India remains jittery over the prospect of Chinese cyber attacks, ETCIO reports. Police sources tell the outlet that last week saw a surge in Chinese attacks against public and private infrastructure in India. More are expected. The attacks have tended to fall into two categories. One is
Starting point is 00:07:11 redirection of traffic through China, where it can be analyzed for information of intelligence value. The other is the familiar blunt instrument of the distributed denial-of-service attack. Trak.in reports that some of the attacks have afflicted rail transport in India. Sources tell the outlet that both Chinese operators and the Pakistani threat group APT36, also known as Mythic Leopard, were involved. And, judging from stories in the Australian Financial Review and elsewhere, Australia remains in high dudgeon over Chinese government hacking. There's still some uncertainty over the origins and extent of the hacking,
Starting point is 00:07:50 especially given Prime Minister Morrison's refusal last week to offer an official attribution. But essentially, everyone who's commented on the wave of cyber espionage and distributed denial of service sees it as China's work. Everyone, of course, except the Chinese government, which has said it's shocked, shocked to learn that hacking is going on and that it had nothing to do with it. The U.S. has joined Australia in its outrage. Secretary of State Pompeo denounced Chinese cyber operations, especially the attack on Parliament House, as coercive. And finally, New Zealand has weighed in on the case of Russian alt-coin baron Alexander Vinnik, freezing $140 million of Mr. Vinnik's funds,
Starting point is 00:08:33 Radio New Zealand reports. Mr. Vinnik, currently in French custody on fraud charges, also faces 21 U.S. charges that range, according to the Moscow Times, from identity theft and facilitating drug trafficking to money laundering. He's also wanted in Russia on lesser fraud charges. Mr. Vinnik's troubles with law enforcement actually began in Greece, where he was snapped up while on holiday at the northern Greek tourist resort of Halkidiki. The Russians, Americans, and French all wanted a piece of him, but France will get the first bite. There must be a lesson here for big-time criminals.
Starting point is 00:09:10 If vacation you must, check out the extradition treaties in force at your destination. Club Med could get you a stay in Club Fed. And now, a message from our sponsor, Zscaler. increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating
Starting point is 00:10:06 lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com security. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers.
Starting point is 00:11:00 So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners. Today, get 20% off your Delete.me plan when you go to joindelete.me.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindelete.me.com slash N2K and enter code N2K at checkout.
Starting point is 00:11:47 That's joindeleteme.com slash N2K, code N2K. And joining the program once again is our own Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, great to have you back. Thank you, sir. I wanted to touch base with you today on a couple of things. First of all, a little preview of your CSO Perspectives podcast. We're talking intelligence operations this week. Yeah, we've been creating a cybersecurity strategy over the last eight or nine weeks
Starting point is 00:12:22 about what kind of things should you have in place. And we did talk about cyber threat intelligence this week. And you know, Dave, I've been a cyber intelligence guy my whole career. I've done it in the military and I've done it in the commercial space. And when you think about what any kind of InfoSec program needs, okay, if you know you're trying to stop known adversaries out there, how do you find out what the bad guys do? Well, you need a cyber threat intelligence team to kind of put that together for you. And how do you decide if you're a big enough organization to have your own team or to contract that out with somebody else? You know, that's a real big question because, you know,
Starting point is 00:13:01 if you do it right, I mean, you could spend a lot of money on an intelligence team. I know my previous job, you know, we had a giant threat intelligence team, lots of resources. And, you know, hey, most people don't have that. If you're a small to medium-sized company, you know, how do you leverage cyber threat intelligence to improve your program? And there's ways to do that, right? What you should do is seek vendors when you have your own security stack, seek vendors that agree with your philosophy. If you're trying to put prevention controls in place for every known adversary along the intrusion kill chain, seek a vendor who already
Starting point is 00:13:37 is doing that. You know, they already resourced a big cyber intelligence group. So find those that do that for you, right? And then find those vendors also that kind of collaborate with other vendors so that they don't have to do it all themselves. So my point is that even if you are a very small organization, you could tap into the whole thing and get it done for you. What is your take on the difference between, say, just information and actual intelligence? Yeah, I have that discussion a lot with a bunch of intel teams. You know, a lot of people get lost in the mud.
Starting point is 00:14:14 They just kind of review blogs and read white papers and things, and they just kind of collect that information. But you're not really an intelligence shop unless you can provide possible decisions for leadership. Okay, the reason you're collecting it is so they can make a decision. And it's really interesting because a lot of the functions that a cyber threat analyst does is very similar to a newspaper reporter. They collect information, they synthesize it, and they tell people about what they know. A cyber threat intel analyst does all of those things.
Starting point is 00:14:44 But the very next thing he does, he tells the boss, here are three things you can do with that information, and that's the difference. All right. Well, the podcast is CSO Perspectives. It is part of CyberWire Pro. You can find that, of course, on our website, thecyberwire.com. The other thing I want to touch base with you on is the Cybersecurity Canon. Now, this is something you and I talked about many times before you joined us here at the CyberWire, back when you were still at Palo Alto Networks. This is a real passion project for you. Yeah, we started doing it about six years ago.
Starting point is 00:15:17 We set it up like the Rock and Roll Hall of Fame for the purpose of identifying cybersecurity books. Because if you wanted to read something new this year, and you went out to Amazon, and you looked up cybersecurity books, you would get about 3,000 books to choose from. So how do you decide which ones to do? So what we did is we set up a committee of outside practitioners, and they read the books, and they made recommendations about which books the entire community should read. So we've been doing it now for about six years. There's about 500 books that have been reviewed, and the committee has recommended over 30 for the Hall of Fame. So if you were going to start anywhere, I would start there in the Hall of Fame books. Well, and this
Starting point is 00:16:00 week, we're celebrating the Cybersecurity Canon. You're interviewing some authors all week long. Who do we have today? Well, what we're doing is we've had to modify the Hall of Fame award ceremony. Okay, this season is the 2019-2020 season. The committee has selected the new authors for winning or being inducted into the Hall of Fame. And so the modification is that we're going to interview the winning authors, one book a day, the entire week. And it's kind of like our shark week.
Starting point is 00:16:34 It's Cybersecurity Canon Week for the CyberWire. So I'm looking forward to all those interviews. And so this will be the official announcement of the winners for that season. All right. Well, we're starting off with your interview with Todd Fitzgerald. Let's have a listen. The CyberWire is celebrating the Cybersecurity Canon Project this week. It is in its sixth year identifying the must-read books for all network defenders.
Starting point is 00:16:59 This week, the Canon Committee announced the Hall of Fame inductees for the 2019-2020 season. And I am pleased to have on the show one of the winning authors for his book called CISO Compass, Navigating Cybersecurity Leadership Challenges with Insights from Pioneers. Todd Fitzgerald, welcome to the show. Well, thank you very much. Thanks for having me. So why did you write the book? Well, you know, I was looking at the industry and I've been a CISO for a long time and I didn't see any reference that you could go to that would be
Starting point is 00:17:34 a roadmap for CISOs. You know, we go to conferences, we talk about all the issues, but where is all this stuff? And so I wanted to put together a roadmap for CISOs that was comprehensive enough that would also not be theoretical, that would be based on practical experience. And so I put the book together, but I also didn't want it just to be Todd Fitzgerald's view of the world. And so I invited 75 other CISOs to write a one-page gray box to talk about an experience. So think of it like a job interview where you go into the job interview and they say, you know, tell me about a situation, you know, that you had a major
Starting point is 00:18:25 challenge, and what did you do about it, and what was the result, and what were the lessons learned, what would you do differently next time? And so I challenged some of our top CISOs in the country and cybersecurity leaders to write those gray boxes about a security issue. And then I infused those into the book, into the roadmap. And so it's a very comprehensive text that gives you actually about 80 different perspectives on security, but not just a book that smashed together 80 different perspectives. It actually weaves the story for the CISO to follow. So because of the pandemic, this interview is kind of a proxy for your acceptance speech of the Canon Hall of Fame Award. Any last words along those lines?
Starting point is 00:19:17 Receiving the award is just an awesome honor and something I never expected. And when you write a book, and this is my fourth book, and I'm part of about a dozen other books, and I've been writing for quite a while, and when you write something, you want it to sell, but it's never about wanting to sell a lot of books. It's about you want to write something that people see as valuable and something that people can use to make their lives better. And that was really my passion behind it. Because this wasn't my first book, I didn't just want to write a book to get
Starting point is 00:19:59 published. I wanted to write a book that people really wanted, and I was so happy to see that so many people have benefited from it. And it's quite an honor to have this award. You know, it would have been great to have the ceremony and do all of that. But I certainly understand our lives have significantly changed. And it's really nice that you're doing this and awarding the award. It means a lot to me. The book is CISO Compass, Navigating Cybersecurity Leadership Challenges with Insights from Pioneers. It is now officially inducted into the Cybersecurity Hall of Fame. Congratulations, Todd, and thanks for being on the show. Well, thank you very much. It's really been a privilege to serve the CISO community, and I'm extremely excited about it.
Starting point is 00:20:59 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:21:22 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:21:43 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland
Starting point is 00:22:30 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive
Starting point is 00:23:31 data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
