CyberWire Daily - Bouncing bad adware apps from Google Play. More on WannaCry attribution. Voter data exposed on an Amazon S3 account. Assessment of Russian influence on UK elections: they didn't do it. (Didn't need to?) Hackers sentenced.
Episode Date: June 19, 2017
In today's podcast, we hear that Google is in an "uphill battle" against adware infestation of the Play Store. GCHQ seems to agree with NSA, which seems to think WannaCry was a North Korean caper. Big data firm leaves voter data exposed on an Amazon S3 account. GCHQ says the Russians didn't disrupt the recent UK elections. Dr. Charles Clancy from VA Tech's Hume Center describes methods for preventing another Dyn-style attack. Two hackers sentenced, one in Pennsylvania, the other in East Anglia, one for the vengeance and one for the lulz.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Dragos and ESET bring clarity and bad news
to investigation of December 2016's Ukrainian power grid hack.
Qatar and its neighbors try to sort out hack-induced diplomatic troubles,
Doubleswitch social media malware hijacks dissidents' accounts,
CertLock impedes removal of unwanted programs by security software,
MacSpy and MacRansom appear as malware-as-a-service offerings,
AMT vulnerability is exploited in the wild,
and China arrests 22 for trading in stolen iOS user data.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 19, 2017.
Bouncers have their place, right? That is, it's good to have some way of ejecting bad behaviors
without calling down the full weight and majesty of the law, right? So too with adware. You'd like to keep it out or kick it
out quickly, but the Android bouncers standing at the door of the Google Play Store seem to be
having trouble lately, and that trouble seems to be passed on with interest to Android users.
Google's struggle is with adware infestations in the Play Store. Over the past
week, the UK-based security firm Sophos identified 47 adware-infected apps that together have been
downloaded more than 6 million times. The ads Sophos are studying were particularly irritating
because they continue to appear even after users take action that ought to have caused the apps to quit.
The pop-ups are triggered from a third-party library, AppMarsDayA.
Another security company, Trend Micro, is tracking a different third-party ad library,
Xavier, which holds about 800 apps.
Google has booted a few more than 70 of them,
but most continue to sit on the Play Store unmolested by the bouncer.
Xavier escapes detection and ejection by going quiet when it detects sandboxing or emulation.
So dodgy apps, at best unwanted, at worst malicious, continue to trouble Google's Play Store. Ars Technica calls it an uphill battle, Help Net Security calls it whack-a-mole. There's
a lot on offer in the Play Store, and all things being equal, maybe a lot is better than a little,
but experts advise exercising some discretion.
If you're an Android user, what should you do?
First of all, don't download apps from third-party stores.
As we've seen, just because an app appears in Google's Play Store
is no guarantee that it's clean, but still, your odds are better if you stay there.
Second, if it's a free app that displays pop-ups, think twice before you download it.
And finally, of course, do look closely at the permissions you're asked to give an app.
The fewer privileges the better, especially if it's unclear why the app would need what it's asking for.
Last week ended with another intelligence service linking WannaCry to the North Korean government.
On Friday, the BBC reported that the United Kingdom's GCHQ said,
yes, the ransomware does indeed come from the DPRK, and it's connected with the Lazarus Group.
North Korea is unusual in that its intelligence services tend to self-fund through cybercrime.
GCHQ's National Cyber Security Centre hasn't discussed the evidence that leads it to that conclusion,
but most observers believe that evidence probably lies
in overlaps with earlier code.
Both BAE Systems and SecureWorks have told the BBC
and The Guardian, respectively,
that the telltale code is a module that goes by Brambul,
which has appeared in earlier Lazarus group capers.
Some researchers expect to see another worm-borne attack in the wild. The technique may be
attractive to others who've witnessed WannaCry's surprisingly quick havoc. WannaCry itself may be
undergoing adaptation to fresh campaigns. It appears that WannaCry was released prematurely,
leaked carelessly, perhaps by mistake, as its developers failed to contain it, left its Bitcoin wallets poorly crafted, and kept an exposed kill switch.
This carelessness strikes some as evidence the North Koreans weren't behind the incident after all.
Security firm Cybereason has an op-ed in SC Magazine that argues the DPRK is better than that, more careful.
But mistakes happen, even in the most careful organizations, and Recorded Future cautions
against concluding that this sort of carelessness is evidence that the threat actors behind
WannaCry are just stumblebums.
If they indeed are, as most evidence suggests, North Korean government hackers, they've simply
got a risk-reward calculus that leads them to a more indiscriminate style of operation.
News media in India harrumph and point with concern to what they regard as their government's
downplaying of the scope of WannaCry infestations in that country.
Researcher Chris Vickery reports finding 198 million US voter records exposed in an unsecured
Amazon S3 account.
The data, which have since been secured, were left exposed by Deep Root Analytics,
a political big data consulting firm that has worked for the most part on behalf of the U.S. Republican Party.
While many enterprises have been seeing security advantages in moving to the cloud,
there are risks, too, as this and the recent exposure by a
contractor of sensitive National Geospatial Agency information indicate. The NGA data was also left
out on an S3 service. It's perhaps worth noting that failure to secure data properly is a failure
on the part of the user, not on the part of Amazon. Britain's National Cyber Security Centre declares the UK's recent elections
to have been free of Russian influence,
specifically that there were no signs of fraud,
no outright manipulation of results.
Some observers think the Russians just weren't interested.
As one expert, Thomas Rid of King's College London put it,
he's quoted in US News and World Report,
if the Russian aim in the election meddling is to serve as a chaos agent,
quote, it's already chaotic enough here.
There's no need for Russian meddling in the U.K.
Basically, it's messed up enough on its own, end quote.
That's one way of looking at it.
It's hard to tell from our perch on the other side of the Atlantic,
but it would seem unwise to grow blasé about the matter.
U.S. investigations haven't withdrawn their teeth from the various inquiries into Russian
influence operations, and NATO's front line in the Baltic states remains on alert.
Two hackers have received jail time. One was motivated by revenge, the other apparently by
the lulz. The revenge hacker is Adam Flanagan of Bala Cynwyd,
that's the Bala Cynwyd in Pennsylvania, not the one in Wales,
who was sentenced to a year and a day in the joint
after pleading guilty to two counts of unauthorized access
to a protected computer that recklessly caused damage.
Fired from his job with a company that makes water meter readers,
he hacked his former employer's network and disabled
the meters. He was arrested last November. The other case is that of a British gentleman,
one Daniel Devereux, who will be a guest of Her Majesty's government for 32 weeks as a reward for
hacking websites belonging to the Norfolk and Norwich University Hospital and Norwich International
Airport. That's the Norwich in East Anglia, not the one in Vermont.
Mr. Devereux was caught after posting videos of his hacking prowess online.
He says his victims blew off his warnings that their sites were insecure, and he wanted
to make a point about the importance of security.
The effects of his hacking weren't negligible.
The airport says it lost the equivalent of $47,000 in the
incident. Mr. Devereux, who goes by the nom de hack of His Royal Gingerness, is said to suffer
from mental health issues. At the time of his sentencing, he was already in custody for another
unrelated offense.
Joining me once again is Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back. You know, the Dyn attack from last year was really a wake-up call for a lot of organizations,
and you wanted to talk today about some of the actions that people are taking to try to keep
something like that from happening again. Of course, the Dyn attack, which happened in October
of 2016, resulted in a three-hour outage of Internet service on the east coast of the United States and was the largest distributed denial of service attack ever witnessed on the Internet and, interestingly, leveraged a lot of consumer electronic devices as part of that attack.
This, as you mentioned, was a wake-up call to much of the industry that is now getting serious, or at least seeking to get serious, about IoT security. And the challenge we have with IoT is
that the business model really doesn't lend itself towards security. The goal is to mass
manufacture inexpensive electronic devices for consumer markets that happen to have an internet
connection in them. Really, security is not a driving factor in the manufacture of these devices.
So if I go online and purchase some consumer electronic device from a manufacturer in China,
for example, what motivation do they have to implement appropriate cybersecurity protections
in that product?
Right now, they really have none.
And this has led to a range of things, to include the Dyn outage that we saw last October. So if you look at how you
would try and address this, one of the proposals on the table is to create the Underwriters
Laboratories equivalent for cybersecurity. And this has been talked about on and off over the years.
Can we have this notion
of cybersecurity UL, where just as an example right now, if you go to the store and buy a toaster,
it's likely going to be tested by UL and make sure that when you plug it in, it doesn't catch on fire.
The challenge is how do we achieve something similar in the IoT space to ensure that if you
plug that new internet connected toaster in, it's going to have the appropriate cybersecurity
safeguards to prevent it from getting hacked. So if you look at the approaches
that are being considered, one is this notion that we need managed ecosystems, standalone IoT
devices that are not managed and have no way of receiving firmware upgrades or software updates
or the ability to have a strong enrollment process, i.e. they just have default passwords on them.
These are all major challenges for the long-term security of the Internet.
So there's this drive, I think, towards trying to ensure that every IoT device is connected up to some cloud service
that is responsible for provisioning it and managing it, ensuring its long-term security.
But there's a lot of unanswered questions about how that would work in practice.
So, for example, what if the vendor of that IoT device goes out of business and they shut down their cloud service?
Does that mean that the IoT device stops functioning?
Who's responsible for continued software updates?
And if the company goes out of business, the source code from which you could even build the patches is now no longer available.
So currently, some of the research that we're doing is looking at how you could begin to establish some sort of functional testing program that would provide this certification
and accreditation of these devices, that they at least meet some basic cybersecurity fundamental
principles like not having default
passwords and preferably having mechanisms to do software update.
Although, as I mentioned, that's a non-trivial thing to accomplish in practice.
All right, Dr. Charles Clancy, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.