CyberWire Daily - Cryptojacking and ransomware news. The black market in zero-days looks like a bear market. Google budges (a little) on Chrome login. Senate hearings on privacy. Political campaign cybersecurity.
Episode Date: September 26, 2018
In today's podcast, we hear that cryptojacking apps have reappeared in Google Play. A brewer's experience with ransomware shows that victims needn't be helpless in the face of extortion. A look at the black market finds that zero-day vendors have grown a lot scarcer on the ground. Google responds—a little—to concerns about privacy in Chrome login. The US Senate is holding hearings on privacy. Big Tech will be there. And are political campaigns slipping into learned helplessness about cybersecurity? Dr. Charles Clancy from VA Tech’s Hume Center on university spin-offs and partnerships. Guest is Dinah Davis from Code Like a Girl on how men can help increase diversity through mentorship. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cryptojacking apps reappear in Google Play.
A brewer's experience with ransomware shows that victims needn't be helpless in the face of extortion.
A look at the black market finds that zero-day vendors have grown a lot scarcer on the ground.
Google responds, a little, to concerns about privacy in Chrome login.
The U.S. Senate is holding hearings on privacy. Big tech will be there.
And are political campaigns slipping into learned helplessness about cybersecurity?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 26, 2018.
Cryptojacking continues to preoccupy cyber criminals. They've succeeded in restocking Google Play with at least
25 crypto mining apps, according to researchers at security firm Sophos. Google has ejected some
of the cryptojackers, but not all, and when they finish the purge, others are likely to take their
place. Most of the apps use embedded CoinHive code to mine Monero and use the CoinHive servers as well,
HackRead reports.
But there's some variation.
At least one of the unwanted apps uses XMRig,
and a few of the CoinHive varieties
use other servers,
probably to avoid tripping warnings.
There are other measures that seem designed
to let this malware fly under the detection radar.
They limit CPU usage, for one thing,
which helps keep the infected device from overheating
and its battery from losing its charge suspiciously rapidly.
The malicious apps are also observed
not to degrade the device's responsiveness too much,
which is another sign that might alert a user
to a cryptojacking infection.
A lot of the crypto mining apps masquerade as games.
Others represent themselves as test prep tools.
If you're preparing for the LSAT, the SAT, the ACT, the GRE, the MCAT, or even the PSAT,
seekest thou else whither, friend.
The runner-up in cybercrime remains ransomware.
Scotland's Arran Brewery was hit with a targeted version of Dharma BIP ransomware last week.
They declined to pay the ransom and have, they say, recovered.
The infection vector was an emailed cover letter accompanying a job application,
which is the kind of thing that might happen to any organization and implies no particular negligence.
Arran's determination not to pay ransomware was good,
as was their evident preparation for resilience in the face of this sort of threat.
A significant part of their response seems to have involved bringing in security consultants to come up with a decryptor.
Of course, the first step in preparing to survive ransomware is regular, secure backup.
Arran did better than the city of Atlanta, Georgia, which needed some six months to recover,
and has even so left its citizens largely in the dark about what happened and what the remediation cost them.
It's worth noting that the cyber-black market functions like a market,
responsive to the pressures of supply
and demand that operate in legitimate markets. Consider the black market in zero days, once a
thriving trade. But security firm FireEye told Fifth Domain that it's now seeing only a handful
of black marketeers selling zero days in black markets. Two causes seem to lie behind this
encouraging development.
Bug bounties are inducing black hats and gray hats
to put on white hats and enter the legitimate market.
If you can find a zero-day and get paid for disclosing it
to the vendor or the user,
that's a better and more honest way to make a buck
than selling to the Russian mob.
And police and prosecutors are getting better
at squeezing the black hats.
Unscrupulous malware vendors are finding themselves caught, convicted, and jailed at higher rates.
In response to user backlash, Google has decided to offer an opt-out for its automatic Chrome login.
The incident looks like a misreading of the public mood and a partial walkback.
They're offering opt-out, not opt-in.
The controversial update to Chrome 64 automatically logs users into the browser
whenever they're logged into any other Google service.
TechCrunch notes that concerns are that a user's browser history
would be automatically folded in with other aspects of a user's Google identity.
Google says that won't happen, but people have not been happy.
Dinah Davis is Vice President of Research and Development at Arctic Wolf Networks,
and she's founder of CodeLikeAGirl.io.
She joins me to discuss a recently published CodeLikeAGirl article written by Glenn Block titled,
Men, Want to Increase Diversity in Tech? Be a Mentor.
You know, reaching out and actively trying to be a mentor for women, women of color,
all kinds of people. And he talks in this article about how he's done that and how it's benefited
him. And, you know, it talks to some of the women who have like
benefited from it as well. Yeah. I mean, I think it's a really interesting point. And I think
maybe one that we don't think of very often, certainly there's no shortage of stories about,
you know, the women who sort of were the trailblazers when it comes to women in tech
and have been, and the importance of mentoring, they talk about how important it was for them to have
good mentors. But then also, I think, you know, women mentoring other women, those stories you
hear pretty often, but not so much the stories of men intentionally mentoring women.
Exactly. I love that he just puts in this side note in his article that it's like, it's also vital for women to mentor men as covered
in this post, which is another, a separate post from, uh, Rachel FL. Um, so he, he, he's bringing
that aspect into, right? Like that changes diversity as well. If you're, you know, if you're
having men look to women, um, in a, in a place of leadership and mentorship, it changes the dynamic.
And it also like, you know,
if you see that other people see that, that's like, oh, yeah, that that should be the norm. We could men can mentor women, women can mentor men and do it, you know, within the same sex,
it doesn't matter. But like making those things the norm is what's so important, right?
Yeah. And I think also just the notion of having someone
with authority, someone with your status within a company, being able to lead that new person
around, introduce them, make connections. I think it has an amplification factor to it.
It totally does. So I'll share one story article, you can you can read the article for
more details. But one day he he got this message from a lady that he'd been mentoring. And she said
have some news. I was extended a job offer and accepted it for product manager manager position.
Our calls definitely helped me influence landing that offer. And about four months before they met on a Slack channel,
I think there's like a mentorship chat Slack channel that he's part of. And they chatted on
Slack, they chatted on Zoom, they never met in person, but they talked about product management
and her goals and product management that gave her helped her give more confidence when looking for a job and knowing
what to do. Um, it made a huge difference for her. So that there's like one thing where like even if
that was the only person he mentored, he made it an impact. But he's doing this with multiple women.
The other great part of this article is he talks about how to get started, right? So you might want
to help and you just like have no idea. You don't just walk up to some random woman and say, hey, can I mentor you? Right. Because that wouldn't be awkward at all. Right. So he's
like, so here's, you know, there's like, there's groups, right? You can join Women Who Code, Mind
the Product Slack channels. They're, they're out there. Code Like a Girl has a Slack channel.
We also have a Facebook group you can join and find
people and just, you know, when people are asking questions, you start answering them and building
relationships with them, right? So I like that he didn't just say, hey, you should do this,
but he said, hey, you should do this and here's some tips on how you can.
Right. All right. Well, the article, it's on codelikeagirl.io and it's Men, Want to Increase
Diversity in Tech? Be a Mentor.
Check it out. As always, Dinah Davis, thanks for joining us.
The U.S. Senate is holding hearings today on privacy, and big tech, which fears an American
GDPR, is taking them seriously. Google, represented by an empty chair at the last round of hearings
where the senators heard from both Facebook and Twitter,
will be there this time,
and a sufficiently senior executive will be there to represent Mountain View.
The company's chief privacy officer, Keith Enright, will appear.
In a prepared statement released in advance of the Senate Commerce Committee,
Enright said, in part,
quote,
We acknowledge that we have made mistakes in the past,
from which we have learned, and improved our robust privacy program, end quote.
He also said, CRN reports, quote, with advertising, as with all our products, users trust us to keep their personal information confidential and under their control.
We do not sell personal information, period, end quote.
Other companies testifying include Amazon, AT&T, and Apple.
Amazon intends to make it clear that regulation comes with costs.
Their prepared remarks note that GDPR, quote, required us to divert significant resources
to administrative and record-keeping tasks and away from inventing new features for customers,
end quote. Twitter will be there too, urging that we get together to develop a robust privacy framework
that protects individual rights while preserving the freedom to innovate.
Concerns about a U.S. version of GDPR aren't idle.
Breaches, extensive data collection, and privacy concerns have increased congressional appetite for regulation.
As Senate Commerce Committee Chair John Thune, a Republican of South Dakota, told The Hill,
the lawmakers are interested in seeing how consumer protection might best be made a matter of law,
especially since it seems that industry may be proving itself incapable of self-regulation.
The executive departments are
also looking in that direction. Commerce in particular is looking into lessons that GDPR
might hold for privacy regulation on this side of the Atlantic. Justice is also holding its own
listening campaign with a view to formulating a position on consumer protection online.
As U.S. midterm elections approach, state and federal officials are talking and seem
to be doing a great deal about securing voting systems.
The political campaigns themselves, however, seem to be a different kettle of fish, according
to a story in The Olympian.
A lot of them appear to be sliding into learned helplessness about their own data and communications.
It's difficult and expensive to secure things, so maybe they should hope for the best.
Expect some doxing, unwelcome enforced transparency, at least as the campaigns enter their endgames.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the executive director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back.
I saw a story come by recently about Virginia Tech partnering with a startup called DeepSig
and involved with protecting wireless devices.
Can you sort of walk us through how does a company that spins off from a university like Virginia Tech,
how does that process work?
So this particular company was based around the PhD dissertation of one of my students.
And it's some really interesting research.
Basically what he showed in his dissertation is that the whole concept of
software-defined radio, where you essentially take the different functions of a wireless device and
map them into software blocks and wire them together, much in the same way that you would
wire together analog circuits in an analog radio, was sort of unnecessarily constraining.
And basically, what he showed is that you could train a deep learning neural network to do that same task. And not only
would it perform the task better, but it would do so with significantly increased efficiency
over the traditional algorithms. And the applications in this space are significant, from sophisticated
spectrum sensing technologies to building
wireless communication systems on the fly that are uniquely tailored for their RF environment.
This particular project that we're collaborating on now is focused on using these same techniques
to recognize anomalies in the wireless environment and being able to use that to inform some
sort of cybersecurity sensor.
And so can you describe to us the importance for the university to support these startups? I mean, as part of the overall ecosystem,
this is a nurturing function that the university has? Exactly. So there's a couple different ways
to think about university research. Oftentimes, university research will just end in the publication of a paper at a conference or a journal. We often try to find
other customers for that technology, whether it's the government agencies that may have
funded the work or identify ways that we can spin those off into startup companies.
It's not so much about potential royalties for the university, because pretty much every university loses money on their licensing arm.
But it's about getting that technology out in the world
and having it make a difference, both in terms of impacting the field,
but also supporting economic development for the region.
Dr. Charles Clancy, thanks for joining us.
Thanks a lot.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here
tomorrow.