CyberWire Daily - Criminal connections. The risky business of acquisition. Joker is back, and it’s not funny. Most dangerous celebrities. Notes from SecurityWeek’s ICS Cyber Security Conference.
Episode Date: October 23, 2019. Magecart Group 5 is linked to the Carbanak gang. Another recently acquired reservation system brings a headache to hospitality. Another app is found to carry the Joker malware. Some more notes from SecurityWeek's ICS Cyber Security Conference in Atlanta, where the emphasis remains on attention to detail and taking care of first things first. And a list of the most dangerous celebrities offers a peek into the bad actors' tackle box. Ben Yelin from UMD CHHS on a federal injunction against a company scraping user profiles from LinkedIn. Guest is Mandy Rogers from Northrop Grumman, on her own professional journey and the importance of diversity. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_23.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Magecart Group 5 is linked to the Carbanak gang.
Another reservation system brings a headache to hospitality.
Another app is found to carry the Joker malware.
Some more notes from SecurityWeek's ICS Cyber Security Conference in Atlanta,
where the emphasis remains on attention to detail and taking care of first things first.
And a list of the most dangerous celebrities offers a peek into the bad actors' tackle box.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 23, 2019.
Malwarebytes continues its study of the relationship among Magecart, and in this case it's specifically Magecart Group 5, the Dridex banking Trojan, with which Magecart Group 5 appears to share some domains, and the Carbanak crime gang that seems to be behind both of them. Of interest in their current study is the conclusion that Magecart Group 5 represents an advance in sophistication over its predecessors. This criminal activity goes after bigger scores, and it compromises third-party suppliers the better to propagate itself downstream.

vpnMentor discovered data exposed by Best Western's recently acquired Autoclerk reservation system. It appears to be another case of a misconfigured database. This one has drawn attention because U.S. government personnel, personal information, and travel itineraries were among the information open to inspection. It's probable that too much is being made of this. Truly sensitive military travel, for example, is unlikely to be conducted over a commercial reservation system. It's also worth noting that Best Western apparently inherited this issue when it acquired Autoclerk. vpnMentor says they noticed the database a few weeks after Best Western made the acquisition. Comparisons are inevitably being drawn to Marriott's acquisition of Starwood, which enmeshed the hospitality firm in a messy incident also involving inherited vulnerabilities. Due diligence in acquisition is important, and that's a good lesson to learn, but it's also harder to do than it seems to outsiders, which should also be noted, lest those staying in glass hotels throw too many stones.

Pradeo warns that it's found Joker malware in another app that's being offered in Google Play. The app in question is IntAppLock, which is intended to enable users to lock certain data behind a PIN. Thus, not every app that promises a measure of security or privacy delivers as advertised. Let the downloader beware.
We've still got CyberWire team members down in Atlanta at SecurityWeek's 2019 ICS Cyber Security Conference. Touring the event floor, they are hearing some familiar observations. Industrial firms, the buyers of security, can find it difficult to distinguish among the products and solutions the vendors have on offer. And we continue to hear calls for better hygiene, for attention to the basics. In these respects, the OT space will sound familiar to those who are used to thinking of security for the IT space.

Several of the lessons Thomas Pope of Dragos drew in his presentation this morning were of that variety. He advised his session of the importance of locking down permissions, and that being able to see and understand the data in the systems is paramount. He also urged the importance of harmonizing traditional IT and process data. Several presentations have made similar points. They've also noted areas where traditional IT and OT security tend to diverge. Where the differences emerge are the points where industrial systems raise issues of safety, and where matters of process integrity become matters of physics, as operators concern themselves in particular with issues of sensor reliability and with the ways in which manual recovery may itself be rendered problematic.

The conference program this morning took up the difficulties of blindness with respect to both programs and supply chains. Eric Byres, CEO of aDolus, offered a moderately encouraging view of the challenges of developing a software bill of materials suitable for securing the supply chain. Robert Dyson, Global OT Security Services Business Leader at IBM, delivered a plea for attention to detail in the OT space and for applying the security lessons learned in IT environments to control systems.
As you may know, tomorrow is the CyberWire's 6th Annual Women in Cybersecurity Reception.
The reception highlights and celebrates the value and successes of women in the cybersecurity industry.
We're grateful to all of our sponsors for making this year's Women in Cybersecurity reception possible.
During the event, our guests will have an opportunity to hear perspectives on diversity in our industry, and we're looking forward to seeing many of you there tomorrow night.
As our Women in Cybersecurity event approaches, we've been highlighting the successes of women in our industry.
Mandy Rogers is one of those women.
She's an operations manager at Northrop Grumman.
We're proud to say Northrop Grumman is one of the sponsors of our event.
My unintentional cyber journey actually began when I was quite young.
I grew up in a farm town in, I'll say, southern northern Virginia.
My mother, who worked at Vint Hill in the Signals Intelligence Office, was a rental vehicle car dispatcher for that Vint Hill respective arm. And she would sometimes bring me to work or to her nighttime cybersecurity college classes that actually took place in a barn. So that was kind of those touch points that really early on, probably before I was even 10 years old, got me exposed to cyber.
So your mother had that interest of her own, and you saw that and thought that sparked your own interest.
Exactly. So I was always a technologically savvy child just because of us growing up in the age where we were starting to peck on computers and starting to have personal home computers.
Not quite young enough, I'll say, to have grown up with cell phones, but I was definitely
playing video games from a young age booted from floppy disks. And that was very exciting to me.
So fast forward 10 years from those young days and I was in high school, still not really understanding the implications of cyber and technology just yet.
And I go to enroll my senior year in this fashion marketing class.
And it was the really cool elective that people took because we got to take field trips from our rural farm town to go see the Versace and the Louis Vuitton stores. And that was really
kind of a cool interest of mine growing up. Fast forward, I get my curriculum for the year and my
fashion marketing class is not on there. I instead have this computer math course I've never heard
of. Nobody's ever taken before at my high school. And I go to my guidance counselor and I'm like,
hey, what is this?
My elective is supposed to be fun.
This doesn't sound fun.
You know, I already am really good at math and I'm taking the advanced courses in English and math.
I want to transfer out of this.
She told me, nope, the class is full.
You're good with computers.
You're good with math.
Stick through it and get the easy A.
That course ended up being the history of computers and also an introduction to programming.
I found out I was really passionate about solving hard problems and learning how to do things a little bit more differently.
And my male professor, my male teacher actually encouraged me to pursue STEM.
And then my grandfather, also part of the cyber DNA that I didn't realize I had until much later in life,
a career Navy cryptologist told me that I was going to be an engineer.
Now, in retrospect, as you look back,
do you think that that guidance counselor was actually sort of looking out for your best interest by placing, insisting you be in that class rather than the fashion class you had your heart set on?
Absolutely.
I think that there are a couple pivotal points in my life,
and that might have been one of them. Actually, it definitely was one of them where someone nudged me to go into an area that I wasn't really familiar with or what the grander impact really had on my life.
they did. I wouldn't even know what computer programming really was, despite growing up in the days where we all had MySpace pages and we were coding in HTML and didn't even know it, right?
So it was really curious to be able to take that non-traditional path and have those people who intentionally engaged in my career.
So you finish up school and you head off into the workforce. Where did you begin there?
I was lucky enough to have multiple internships, one of which was with Northrop Grumman, where I worked as a software engineer in the intelligence
domain. So I was able to firsthand very early in my career get that experience and that exposure
into what it means to support mission very early on and how I can translate my technical skills to
the workforce and mission. In the past 10 years since joining
as an intern, Northrop Grumman has offered me opportunities to be a software engineer,
test engineer, a program manager in cyber analytics, as well as even an innovator,
right? My job coming into work every day was to innovate and look at how we do things a little
bit differently. Currently, I'm an operations manager, and that means that I support our gigantic portfolio of amazing talent on anything strategic and tactical around people and performance.
And that includes helping our cyber workforce think about things a little bit differently on how we recruit and retain our talent.
environment where you hear of people hopping from company to company a lot that Northrop Grumman has provided you the opportunities within to stay there, to feel challenged, to have new opportunities
for growth. And you've been there, you say, around a decade. Yeah. So, I mean, it's no secret, Dave,
that there's a huge shortage of cybersecurity talent within our country and even globally.
By 2021, the estimates at a global scale is that we'll have a 3.5 million role shortage,
people shortage of talent to be able to help us tackle our nation's hardest problems.
The greatest thing about Northrop Grumman is that we do have this big portfolio of really
exciting domains that we support.
And cyber is really at the heart of all of that.
Some of the really great things we're doing is to help bring in people
who may not have a cyber background and help upskill them
if they're curious about the domain or if they feel that they might need it
to help support their job.
We have an in-house cyber academy that helps upskill our talent
and brings in some of the professionals who live in this world
and are constantly upping their game to help us help our talent really bring it up that skill
set. So about four years into my career, I really enjoyed mentoring and I took on a young male
mentee fresh out of college. And we were working together day in, day out, trying to help show him
how we utilize technology and in support of mission. And he actually stopped me one day and
said, Hey, look, you're capable. I think you need to look up this thing called imposter syndrome.
You're here. You're amazing. You're competent. You're intelligent. And that was really a pivotal
moment because I realized that I was capable, but I was too scared sometimes to raise my hand.
And sometimes the mentee is the one that's bringing out that confidence, right, and trying to build up our confidence and reflecting on that.
So that was really interesting.
And I think that men, and just everyone in general, trying to figure out where we can build up confidence in maybe our hesitant scientists and engineers is an important factor in us trying to build a more robust and diverse workforce.
That's Mandy Rogers from Northrop Grumman.
And again, we are grateful for Northrop Grumman's sponsorship
of our Women in Cybersecurity reception.
And finally, are you a fan of celebrity news?
You know who you are.
Anywho, McAfee has offered its annual study of the most dangerous celebrities to search for online, the ones for whom Google turns up results that are likeliest to send the curious over to questionable sites. This year, the shiniest lure in the hacker's tackle box is Alexis Bledel, formerly of the Gilmore Girls, now of The Handmaid's Tale.
The others in the top ten were the talk show host James Corden, followed by Sophie Turner
from Game of Thrones, Anna Kendrick of the Twilight Saga,
Jimmy Fallon, that other late-night talk show guy,
the redoubtable Jackie Chan, who needs no introduction,
rap artists Lil Wayne and Nicki Minaj,
and finally, Tessa Thompson,
everybody's favorite Valkyrie from that Thor movie.
So stick to the tabloids in the supermarket checkout line,
fangirls and fanboys.
Oh, here's a point McAfee quietly makes.
Searching for Alexis Bledel and Sophie Turner is strongly correlated with including the word torrent in the search.
Far be it from us to pass judgment, but if you want to watch Handmaid's Tale or Game of Thrones,
subscribe to them like a decent consumer.
There's no such thing as a free lunch, we hear, or free premium content.
And I'm pleased to be joined once again by Ben Yelin.
He's the Program Director for Public Policy and External Affairs
at the University of Maryland Center for Health and Homeland Security.
Ben, always great to have you back.
Had an interesting ruling come down from the U.S. Court of Appeals for the Ninth Circuit. This had to do with a company who was trying to gather some information from LinkedIn profiles.
Unpack what's going on here.
So this company, hiQ, scrapes information that LinkedIn users have included on public profiles. So those profiles where users haven't included privacy settings to keep their profiles private. LinkedIn is alleging that this violates the Computer Fraud and Abuse Act, a federal law that prohibits unauthorized access to a network. And they sent a cease and desist letter to hiQ demanding that hiQ stop scraping these public profiles. Obviously, this dispute went into federal court, and a district judge granted a preliminary injunction stopping LinkedIn from prohibiting hiQ from accessing these public profiles.
So I think it merits a little bit of background as to what a court considers when it grants a preliminary injunction. So the main prong of that test for our purposes is there has to be a substantial likelihood of success on the merits of the case. And I'm going to get to that in a moment, because I think LinkedIn's case is rather weak. But another key prong of that test is that hiQ would face irreparable harm if the injunction is not granted. And what the court here is saying is hiQ's entire business is aggregating data from these LinkedIn profiles. So if the court were to not grant this injunction, stopping LinkedIn from prohibiting access, then hiQ's entire business would be destroyed. And I think that's one of the key reasons that a preliminary injunction was granted, even beyond the actual merits of the case. Now, because this is just an injunction, we don't have a definitive ruling on whether hiQ is actually violating the Computer Fraud and Abuse Act. The court sort of got into the details just for the purposes of evaluating hiQ's case to determine if they have any likelihood of succeeding on the merits. And the dispute seems to center around the words unauthorized access. And this court seems to believe that hiQ's technology does not consist of unauthorized access for the purposes of the Computer Fraud and Abuse Act, because they are simply aggregating data that is already public, that can be scraped without accessing any secret algorithms, any private protected information, any internal LinkedIn documents or communication.
Right. So if I wanted to take this to the extreme,
if I were someone just anonymously surfing the web, I could go to LinkedIn with a pad of paper and a pencil,
write down all the information here that's publicly facing.
It would take me a lot longer than their bots, but I could do it.
Good luck with that.
Yeah. But in other words, LinkedIn is not attempting to restrict access to this information
to the general public.
Right. And I think that's where they're really going to struggle on the merits of the case.
hiQ is basically just doing what any average Joe could do, just in an extremely condensed time period.
I think this is definitely a dispute to watch going forward.
And it shows how when we're in this world of preliminary injunctions, the courts will
consider the potential business impacts on these technology companies
of some of these legal decisions.
All right, well, we'll keep an eye on it. Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. Thanks for listening.
We'll see you back here tomorrow.