CyberWire Daily - Daily: Bug hunters turn shorts. Cyber frame-ups, election fraud, spearphishing, whalephishing, and more.
Episode Date: August 30, 2016
In today's podcast we follow concerns about US election hacking brought on by an FBI warning that someone (the Russians, IC and industry sources say) has hacked into Illinois and Arizona voter databases. Lawful intercept vendors receive more scrutiny in the wake of the Trident iPhone zero-day revelations. Analysts raise concerns about data manipulation in both elections and criminal investigations. St. Jude Medical disputes allegations that its pacemakers are hackable, and the security sector does some ethical introspection about disclosure. The IoT is beginning to be exploited in DDoS campaigns. Malicious EMV cards are implicated in Thailand's ATM skimming crime wave. University of Maryland CHHS' Ben Yelin weighs in on the legal issues surrounding the Muddy Waters Capital story, and Security Mentor's Dan Lohrmann explains sophisticated attacks on the C-Suite. And Angry Birds join Pokémon on various enterprise blacklists.
Transcript
Election hacking fears rise with an FBI warning.
Trident iPhone zero days and the Pegasus tool that exploited them bring scrutiny to lawful intercept vendors.
St. Jude Medical disputes allegations that its pacemakers are hackable,
and the security sector does some ethical introspection about disclosure.
The IoT is beginning to be exploited in DDoS campaigns,
malicious EMV cards are implicated in Thailand's ATM skimming crime wave,
and Angry Birds join Pokémon in the enterprise penalty box.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 30, 2016.
The FBI two weeks ago quietly issued an alert to warn various concerned parties
that an unknown actor was targeting state election systems. Yahoo News learned of the warning and
broke the story yesterday. In essence, foreign hackers last month penetrated two election
databases by consensus in Illinois and Arizona. And for foreign hackers, most observers are reading Russian
intelligence services. The attackers used SQL injection attacks and employed commonly available
off-the-shelf tools, including sqlmap, DirBuster, and Acunetix. The Multi-State Information
Sharing and Analysis Center, MS-ISAC, has also warned of incidents involving state election
services.
ThreatConnect told Yahoo News that at least one of the IP addresses implicated in the attacks has appeared before in Russian criminal hacking fora.
Wired reports that sources inside the U.S. intelligence community have, on background,
attributed the attacks to Russian intelligence services.
Offering some useful perspective, Motherboard points out that state election databases have
not only been hacked before, but the information they contain is often made readily available
by state officials themselves.
Besides, the number of records affected was relatively small, about 200,000 in Illinois,
reports say, and data were simply exfiltrated, not, as far as is known, destroyed or manipulated.
What's troubling is not so much the breach itself, but the foreign involvement and foreign interest,
the context provided by other recent hacks of political parties and campaigns,
and the fears of data manipulation.
The data themselves are not particularly valuable,
but the contribution the incidents make toward increasing distrust of U.S. elections
would be an information operations coup.
St. Jude Medical strongly disputes the pacemaker vulnerabilities disclosed in the course of short-selling by Muddy Waters Capital and MedSec.
The device manufacturer says the exploits as described aren't possible.
Several observers find things to dispute in both Muddy Waters' charges and St. Jude's rebuttal,
but the disclosure of vulnerabilities in the cause of shorting a stock hasn't generally met with much approval.
We spoke with the University of Maryland's Ben Yelin about the implications of this turn
to stock speculation for the security industry, and we'll hear from him after the break.
And of course, the disclosure of allegedly serious and exploitable pacemaker bugs
has contributed to increased concerns about life-threatening IoT hacks.
Researchers from Level 3 Communications describe another risk in the Internet of Things,
the growing possibility and likelihood of IoT-based distributed denial-of-service campaigns.
The company has been working with Flashpoint to track the rise of DDoS botnets exploiting IoT devices.
Criminal groups including Lizard Squad and PoodleCorp are investing in IoT malware,
and a large fraction of the bots observed engaging in these attacks are located in Taiwan,
Colombia, and Brazil. The Ripper ATM malware FireEye found in Thailand appears to use a rogue
EMV chip. A specially crafted and malicious chipped card may
have been used to introduce the skimming malware into the ATMs. Criminals are believed to have
stolen roughly $378,000 from ATMs in Thailand last week. Senior executives represent a vulnerable
attack surface at their own companies. We spoke with Dan Lohrmann, Chief Security Officer at Security Mentor,
about preventing C-suite fraud.
The phishing attacks, you know, the links,
the different ways people get you to click
and, you know, download malware
or go to bad sites or give information up.
You know, spear phishing was kind of the 2.0
where you've had, you know,
a little bit more targeted.
They know a little bit more about you,
maybe done some research.
And then we've kind of gone to a new level now lately. This industry is calling whaling
now, going after the big fish, if you will. That involves large sums of money. It may or may not
involve clicking on links. It may just be, I mean, the goal of the bad guys is to build your trust
and then get you to take actions, whether that be transfer money, whether that be give them information, which they can then,
you know, use. Whaling is really fraud. They're committed against businesses,
and it's really rampant right now. And so take me through the process. I'm someone,
you know, sitting in my office. Maybe I'm someone on the financial side of the business, and how are these people
going to target me? First of all, their goal is to get your trust and to build that trust. And
we've seen a wide variety of ways they do that. They get to know you or they come in as a customer.
More likely, they're building a relationship. So they're getting background. They're trying
to learn about you, your likes. And they really are going after, first of all, they're targeting.
It could be a CEO in a company, a COO, or someone who has authority to make transfers, wire transfers, that kind of a thing.
After they've built up the trust, maybe they're just kind of a normal relationship, maybe doing different types of things for weeks or months.
Usually something out of the ordinary happens. For example,
there's been a case where they actually built a relationship up with an accountant,
and then they were able to get the information about the CEO. He actually was on a trip,
a vacation. They compromised the CEO's personal account, and not via normal channels, an email came into the account
and saying, hey, I'm on this trip, I'm out,
I believe it was fishing, but I'm out,
can't process this, I'll get you the paperwork tomorrow,
kind of thing, but please transfer this
information to this partner. It was
a block of social security numbers and names. It was a file. It wasn't
necessarily just a financial transfer, but the person thought this was
legitimate. They thought it was from the CEO. The person was gone that day. You
know, they had a relationship with this other person that they knew of, so it
seemed like it made sense, although it was out of the ordinary. They went ahead and did the transfer, and they only really
uncovered it later when fraudulent IRS tax returns were coming in and they traced it back to the fact
that this individual had given up that sensitive information on their clients. What are the things
that people can do to protect themselves? How do we defend against these sort of attacks?
You know, I think people need to be trained. They need to know what the processes are. They need to be retrained.
They need to understand the threat environment that's always changing. The bad guys are always adjusting their techniques to try and get in.
And then lastly, I think you really need to have executives that understand and have executive buy-in.
I mean, getting that executive buy-in
overlaying this, they need to understand this is a really serious issue. They can't wait till the
horses get out of the barn before they, you know, fix the barn door. I mean, it's too late at that
point. That's Dan Lohrmann from Security Mentor. In Australia, you can bring your own device to
work, but you'd better not bring your own birds,
if the trend watchers at Mobile Iron are to be believed.
At least not if the birds are ill-tempered.
Angry Birds is the most commonly blacklisted app in the lucky country.
This kind of makes sense to us.
If you think of emus or cassowaries, we wouldn't want them around the shop either,
although the geese around the CyberWire World Headquarters fancy themselves little velociraptors, too. Niantic Labs, the wildly successful if harried
purveyors of Pokemon Go, earlier this month threatened players who downloaded unauthorized
apps that enabled cheating with a lifetime ban, but they're relenting a bit. If you didn't really
know what you were doing was wrong, you downloaders of cheats,
Niantic will overlook it just this once. But if you do it again, no Pikachu for you. Ever.
Got that? Hope so. And finally, France's education minister wants Pokemon Go out of the schools,
for a host of good reasons, not the least of which is the sensible desire to keep dodgy
outsiders away from the students.
At least the rarer Pokémon should stay away, the minister says,
thereby reducing what the lawyers would call an attractive nuisance.
As always, there are collateral consequences, and we'd like to point out some of them to our many younger French listeners.
Nicolas, Clotaire, Alceste, Louisiette. You're on notice. When your homework's missing,
the excuse, tiens, les charmandres, Laurent, du manger, is no longer going to fly. So,
sois sage, nos copains. Do you know our podcast is actually really big in France?
Well, it used to be anyway.
Joining me is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security.
Ben, I wanted to follow up with you on this story about Muddy Waters Capital and these medical devices, the short selling of stocks.
What is your take on this?
Well, I think we have both legal and ethical problems here. I'll start with the legal problems.
The hacking itself is actually not illegal. The U.S. Copyright Office last year approved an exception to the relevant copyright laws that says that hackers, if they
are acting in good faith, can attempt to discover the security flaws in medical devices. That
exception has been in place since last October. And in terms of MedSec emailing this information to the investment firm,
so far there's no illegal activity in that. The SEC may look into this issue, but it's certainly
not something like insider trading, at least in the definition as we understand it.
You use the word good faith. I mean, I think people would question good faith motivations here.
Absolutely.
I mean, I think you certainly question good faith when it seems that the purpose of discovering this flaw was to enter into some sort of financial arrangement where the investment firm is shorting
the stock and MedSec itself is benefiting financially.
MedSec would argue that they have acted in good faith, that they are trying to
have the market correct for St. Jude's failure in securing the product. But again, that presents
major ethical issues. And I think that there might be a decent argument that the good faith
standard here has not been met. So where do you think this will go from here?
I think the SEC will look at, from a market perspective, whether this is something that will be legal.
I think this is such a novel question that they just haven't had a chance to look at it yet.
In terms of whether the hacking will continue, I think that's the biggest potential for trouble.
If cybersecurity organizations see that they can turn a profit by discovering information and essentially selling
it to investment firms, they would have incentive to continue doing that. And by doing that,
it creates a significant risk. I mean, now you have the potential that hackers or bad actors will
use these vulnerabilities to try and hack into these medical devices. And obviously,
when we're talking about pacemakers,
that can have extremely serious consequences. I mean, you and I were talking before we came on
here about what if somebody did some sort of ransomware attack and demanded, you know,
a million dollars, or I will use my hacking capability to shut down your pacemaker. I think
that has very, very dangerous implications. All right, we'll keep an eye on it. Ben Yelin, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.