CyberWire Daily - Cobalt Dickens, coming to a university library near you. UNICEF data exposure. Election security notes. Operation reWired arrests 281 alleged BEC scammers.
Episode Date: September 11, 2019
Cobalt Dickens is back, and phishing in universities' ponds. UNICEF scores a security own-goal. Patch Tuesday notes. A look at US election security offers bad news, but with some hope for improvement. The US extends its state of national emergency with respect to foreign meddling in elections. And an international police sweep draws in 281 alleged BEC scammers. Ben Yelin from UMD CHHS on the privacy implications of geofencing. Guest is Drew Kilbourne from Synopsys with the results of their report, The State of Software Security in the Financial Services Industry. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_11.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cobalt Dickens is back and phishing in universities' ponds.
UNICEF scores a security own-goal.
We've got some Patch Tuesday notes. A look at U.S.
election security offers bad news, but with some hope for improvement. The U.S. extends its state
of national emergency with respect to foreign meddling in elections. And an international
police sweep draws in 281 alleged BEC scammers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 11, 2019.
Researchers at SecureWorks report a resurgence of activity by the Iranian threat group they call Cobalt Dickens. This particular threat actor has been associated with the Mabna
group and others indicted by the U.S. Department of Justice back in 2018. Those indictments were
for crimes connected with cyber espionage that the Justice Department said was conducted on behalf of
Iran's Islamic Revolutionary Guard Corps. SecureWorks says the latest activity consists of a phishing campaign directed against
American and British universities. The phishbait in the emails is, as SecureWorks put it,
library-themed. The recipient is told that, quote, your library access has been suspended due to
inactivity, end quote, and is given a link to follow in order to ensure that their library
privileges might be restored.
Cobalt Dickens' earlier campaigns had used shortened URLs in such links,
the better to obscure what was going on.
But this latest round dispenses with that coy gesture,
and simply leaves the full URL out there, displayed in all of its implausibility.
Some 60 universities have experienced Cobalt Dickens phishing. Those affected schools are located in Australia, the United States, the United Kingdom, Canada, Hong Kong,
and Switzerland. UNICEF, the United Nations Children's Organization, knows it's a small world,
and they inadvertently made it a little bit smaller by emailing around a list of over 8,000 users of its online educational platform, Agora.
This appears to be purely a case of operator headspace and timing, not hacking.
So here again, the human factor contributes the dominant share of the risk.
In yesterday's round of Patch Tuesday releases, Microsoft fixed 79 bugs, 17 of which Redmond classified as critical.
Adobe addressed critical vulnerabilities in Flash Player.
NormShield has looked at U.S. election security and found it wanting.
The results of two risk assessments the company conducted showed, they say, that outdated systems remain in widespread use.
More than half of the election systems used Windows Server 2008 Release 2 and Microsoft IIS 7.5.
Four of the election commissions were still using Windows 2003, which reached its end of life some time ago.
They also concluded that election authorities remain susceptible to phishing attacks. 59% of the election commissions were missing DMARC records,
and more than 40% of them had at least one website with an invalid or expired SSL certificate.
And finally, about a third of the election commissions have, NormShield says,
at least one asset that is reported by blacklist databases.
That is, at least one asset that has been herded
into a botnet. NormShield conducted two scans, one in July, the second in August. The first one
concluded that an average hacker, as Axios put it, would be able to breach 27 states' election
systems. The company disclosed its findings to the election commissions and secretaries of state,
and then repeated their scan a month later.
The August results were noticeably better.
Only 13 states were found to remain vulnerable to the average attacker.
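Two of the NormShield findings above, missing DMARC records and expired TLS certificates, are checks anyone can run against their own domains. What follows is an added example, not code from the episode or from NormShield: it parses the TXT strings published at _dmarc.<domain> as RFC 7489 tag=value lists and classifies the policy, and computes the days left before a certificate's notAfter date. The record strings, domain names and certificate dates in main() are constructed for illustration; the optional live fetch uses only the Python standard library.

```python
"""Added example: offline DMARC-record and TLS-expiry checks.

The record strings and certificate dates in main() are constructed
samples, not data from any real election commission."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Date the example pretends to run its checks on (assumption).
SCAN_DATE = datetime(2019, 9, 11, tzinfo=timezone.utc)


def parse_dmarc(txt):
    """Parse one TXT string as a DMARC record (RFC 7489 section 6.3).

    Returns a dict of tag -> value, or None if the string is not a
    DMARC record (wrong or missing 'v' tag, or no 'p' tag)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt_records):
    """Classify the TXT records found at _dmarc.<domain>.

    Receivers skip DMARC when zero or more than one valid record is
    published (RFC 7489 section 6.6.3), so both cases are as weak as
    having no record at all."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"
    policy = records[0]["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy in ("quarantine", "reject"):
        return "enforced"
    return "invalid"


def cert_days_remaining(not_after, now):
    """Days until a certificate expires; negative means already expired.

    not_after uses the format ssl.getpeercert() returns, for example
    'Sep 11 12:00:00 2020 GMT'; now is a timezone-aware datetime."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def fetch_cert_status(host, port=443, timeout=5):
    """Live check (needs network): TLS handshake with the default context.

    An expired or otherwise invalid chain fails verification before the
    certificate is exposed, so in that case the verification error text
    is returned instead of a notAfter date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "verification failed: %s" % exc.verify_message


def main():
    # Constructed samples of what a TXT lookup of _dmarc.<domain> might return.
    samples = {
        "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
        "monitor.example": ["v=DMARC1; p=none"],
        "nodmarc.example": [],
        "spfonly.example": ["v=spf1 -all"],
    }
    for domain, records in samples.items():
        print("%-20s DMARC: %s" % (domain, assess_dmarc(records)))
    # Constructed certificate dates, evaluated as of SCAN_DATE.
    for not_after in ("Sep 11 00:00:00 2020 GMT", "Aug 31 00:00:00 2019 GMT"):
        days = cert_days_remaining(not_after, SCAN_DATE)
        state = "expired" if days < 0 else "valid"
        print("notAfter %s -> %s (%.0f days)" % (not_after, state, days))
    # Optional live check against a host of your own: python3 this.py example.org
    if len(sys.argv) > 1:
        print(sys.argv[1], fetch_cert_status(sys.argv[1]))


if __name__ == "__main__":
    main()
```

To run the DMARC half against real domains, feed `assess_dmarc` the TXT strings from `dig +short TXT _dmarc.<domain>`; a `p=none` record only collects reports and does nothing to stop spoofed mail, which is why the check distinguishes it from an enforced policy.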
The Synopsys Software Integrity Group recently published a report titled
The State of Software Security in the Financial Services Industry.
Drew Kilbourne is managing director of security consulting at
Synopsys. He joins us to share their findings. You know, one of the stats in the report was
56% of the FIs that we surveyed were still experiencing attacks that were resulting in
system failure or downtime. That's a little shocking to me because the biggest banks we work with, many of those banks have pushed cyber fraud down the scale from number one to number two or number three in their fraud list.
So we kind of felt that the bigger banks had really gotten their arms around it.
There are other findings I get to in a second that I think leads to this.
The other interesting finding was that 38% reported being victims of
ransomware. And I was a little shocked that the FIs would be that impacted by ransomware and that
they would have solved that problem a long time ago. But apparently it's still out there,
it's prevalent, and it's growing. So what are some of the other indicators that you think contribute to those findings?
There aren't great established processes for inventorying and managing open source.
And the other is there aren't great processes for managing third-party supply chain.
So what you see in the largest FIs is they still buy a lot of software.
They either buy it or they outsource
having it developed. And they all use open source. In the mid-tier FIs, it's more prevalent for them
to be buying third-party software than it is for them to be building software. If anything,
they integrate. When you look at those two findings, I think this is kind of where the
problems stem. Only 43% had an established process for inventory and managing open source.
Only 15% had any tools deployed to help and aid in that.
Given that open source is so prevalent in the industry, that gets a little eyebrow raising
that they're not taking care of that part of the problem as well as maybe they should.
And they're probably introducing a lot of errors in the open source side of the house.
The other interesting finding was that no one has a great process for managing supply chain
of software that comes in outside of open source. Just any third party software you might buy or
have built for you. And I think that's another weakness as well. Maybe there's a pen test of that software, but not many companies are looking at how the software is built and the
processes and the secure SDLC that those companies are undertaking as they build software. The other
interesting finding that came out of this is people still tend to rely heavily on manual
ethical hacking or penetration testing at the end of the process. In fact, 65% of the
respondents said they felt pen testing was the most effective way to find security vulnerabilities.
Actually, it's probably the least most effective way because it's at the very end of the cycle,
right? So it's extremely costly to find your defects there. Secondly, pen testing is very
time-boxed. Usually it's a one or two-week test.
You can only cover so much stuff, and so it's not very thorough. And then when you started to look
deeper beyond that finding, you found out that only 40% of the respondents were using automated
tools in their secure SDLC to do more finding of defects earlier on. Things like static analysis or dynamic analysis
or interactive application security testing. There's other mechanisms, tools you could put
into that SDLC that would automate the finding throughout versus waiting to the tail end.
If you add that up, you add up that only 19% of the respondents do mandatory development training for the developers,
you start to say, okay, we're not training our developers so they're not getting smarter about
the problem. You're not finding things earlier in the life cycle, and you've limited the size
of the test at the end, under which you will find any vulnerabilities. You find out that,
in my opinion, you're pretty inefficient actually discovering defects in your SDLC.
Automation, it provides several things.
It provides consistency, which is great.
It provides speed, which is really good as well.
And it allows you to provide governance.
So now you can create some governance in the SDLC to say, if you don't cross a bar that's so high, you don't move forward.
And I have a tool that's going to consistently test the same way every time to measure if you
cross that bar. To me, those are the things that have to take place. And as companies move to DevOps
and what they'll call DevSecOps and are moving faster at building and releasing software
automation, it's going to become even more and more important in my mind.
That's Drew Kilbourne from Synopsys Software Integrity Group.
The report is titled The State of Software Security in the Financial Services Industry.
U.S. President Trump yesterday extended the national emergency with respect to foreign
interference in or undermining public confidence in U.S. elections for one year.
The note announcing the extension says,
Although there has been no evidence of a foreign power altering the outcomes
or vote tabulation in any United States election,
foreign powers have historically sought to exploit America's free and open political system.
End quote.
It goes on to discuss the proliferation of online devices and communication channels
and concludes that both unauthorized accessing of election and campaign infrastructure
and covert distribution of propaganda and disinformation warrant continuing the state of emergency.
The extension maintains the provisions of Executive Order 13848, issued on September 12, 2018.
That executive order prominently includes provisions for sanctioning foreign individuals and institutions attempting to meddle in U.S. elections.
Charles Kupperman, Fox News reports, will serve as interim national security advisor
to the U.S. president.
Kupperman had been serving as deputy to the now-departed John Bolton.
A search for a permanent replacement is in progress.
Today is, of course, the anniversary of the 9-11 terrorist attacks. We spare a thought for those
who were lost, injured, or bereaved in the terror, and for those whose health continues to be
affected by the effects of the attacks. The government has taken the occasion to announce tighter sanctions
against those who support and finance terror.
Any foreign financial institution found to be engaged in such support
risks losing access to the U.S. dollar and to the world financial system.
Expect online investigations into money laundering and fund transfers
on behalf of sanctioned groups.
And finally, the U.S. Justice Department has announced the results of Operation Rewired,
a roundup of business email compromise crooks that collared 281 alleged scammers in 10 countries.
It was a multinational, multi-agency sweep. Authorities in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya,
Malaysia, and the United Kingdom participated, as did the U.S. Departments of Justice,
Homeland Security, State, and Treasury, along with the U.S. Postal Inspection Service.
$3.7 million were also seized at the conclusion of the four-month investigation.
The largest haul of alleged perpetrators was in Nigeria, where 164 were
arrested. 74 were picked up in the United States, 18 in Turkey, and 15 in Ghana. The remaining 10
were scooped up in various other countries. Congratulations to those who organized and
conducted this cooperative effort against international crime.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security.
Ben, it's always great to have you back.
I had a couple of articles come by that dealt with this notion of geofencing and the privacy implications there.
There was an article from ThinkProgress. This was about some Catholics in Iowa who went to church.
And Steve Bannon, of all people, was tracking their phones.
There's another article from the New York Times about New York City
possibly banning the sale of cell phone location data.
Can you unwrap what's going on here for us?
Sure. So this isn't as much of a Steve Bannon story as it is about many political campaigns
and many private corporations that use geofencing as a technique to promote their own advertising.
So how it works is you either collect from app makers or the telecommunications companies themselves information on which individuals were at a given location at a given time.
So what the Steve Bannon article mentions is his political organization collected the
metadata, so the phone numbers of people who were at a Catholic church service on a Sunday
prior to the 2018 midterm elections, and people who were at that church ended up receiving
targeted advertisements on their smart devices and on their apps.
This is something that's actually been done.
It's a very common tactic among political campaigns to engage in what's called micro-targeting.
Who's in a Catholic church, or who's at a particular community meeting, or who's at potentially a political rally, that information is incredibly valuable to campaigns and political organizations.
And they are happy to buy that information so they can target their advertisements. They can
micro-target based on what they already know about those voters. They go to Catholic church on Sunday.
New York City, interestingly, its city
council is considering a measure that would ban companies from selling this geofencing data to
all firms, political firms, and all other private entities. I think the chances of passage of this
in New York are relatively small. There's been a lot of opposition
from the telecommunications companies themselves, who think that this law is going to create an
undue burden for them, because they're going to have to figure out how to comply with New York
City law, which is a limited jurisdiction, even though it's the biggest jurisdiction in the
country, as opposed to only having to follow some sort of national standard. So I think the telecommunications companies and the app makers might actually be okay with some sort of regulation on selling this data,
but they like it to come from the national level, at the national level, so there could be some sort of uniform standard.
Now, this data can come from multiple places. There's the actual telecommunications firms.
They sell it.
But then also apps that you install on your device.
We've heard stories of, you know, buried in the EULA is permission for them to share your location every minute or so or something like that.
Yeah, I recently read an article about The Weather Channel app. There was a controversy
in Los Angeles. They were collecting location data from their users on what was alleged to be
somewhat of a fraudulent basis. They said that users who were checking local weather forecasts
would not have their data sold to private advertisers. It turns out it was sold.
There was an investigation by the Los Angeles district attorney.
And I mean, on any given smartphone, there are probably going to be 10 to 15 apps that
make use of your location at one point or another.
And we're almost so mindless about it that we just click the accept button as soon as
we want to agree to that app.
It's like, yeah, I don't want to read the legalese when I'm trying to send my Snapchat. The result
of that is that you've probably agreed, as a user, for this app to sell your geolocation data,
and until there's some sort of regulation in place, it's up to both the users to look closely at those license agreements and to put pressure on the technology companies themselves.
I think as we've seen more stories about geofencing, the telecommunications companies have been forced to respond and to voluntarily limit how much data they are actually selling to
companies and political organizations.
And I should also mention, you know, the uses we've talked about for this technology seem
kind of benign.
But if you take geofencing to its logical extension, it could potentially be pretty
scary.
You know, if we were conducting
some investigation in the war on terror and collected geolocation data for every single
mosque in the country, for example, I mean, that could have both a major chilling effect on free
speech and the free practice of religion, but it would really be a massive invasion
of personal privacy. So you can see how this would be just a major
civil liberties violation. So in some ways, I think it's admirable that New York City
is trying to address this problem. But I also think even for a city as large as New York,
the problem is at too large of a scale for them to really have a big impact.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
We're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay Thanks for having me. of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions
that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. Thank you. insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.