CyberWire Daily - Daily: More of the customary cybercrime, but with additional warnings of new ransomware vectors. Dodgy apps and holiday shopping. Credential abuse. No pardon for Snowden, for now, anyway.
Episode Date: November 21, 2016. In today's podcast, we talk about thinking twice before opening pictures received via Facebook Messenger. A recruiting site exposes GitHub profiles. Investigation of credential abuse in the Three Mobile upgrade fraud continues. Fortinet warns German users against an Android banking Trojan. Much advice on how to stay safe online during holiday shopping is out. Symantec plans to buy LifeLock, and Optiv is filing an IPO. President Obama says, while in Berlin, that he won't pardon Snowden. Rumors of DNI and SecDef discontent with Director NSA circulate. Markus Rauschecker from the University of MD Center for Health and Homeland Security reviews new automotive security guidelines from the feds. And no, Chinese cabinet ministers don't have a side gig recruiting for the Canadian Forces.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners: today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Think twice before you open that picture you got via Facebook Messenger. A recruiting site exposes GitHub profiles. Investigation of credential abuse in the Three Mobile upgrade fraud continues. Fortinet warns German users against an Android banking Trojan. Much advice on how to stay safe online during holiday shopping is out. Symantec plans to buy LifeLock. And Optiv is filing an IPO. President Obama says, while in Berlin, that he won't pardon Snowden. Rumors of DNI and SecDef discontent with Director NSA circulate. And no, Chinese cabinet ministers don't have a side gig recruiting for the Canadian Forces.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, November 21, 2016.
Facebook Messenger is being used as a vector for ransomware. Criminals are distributing Locky in malicious images shared over the service. The Nemucod downloader is bypassing Facebook's whitelisting protections by arriving in the form of an SVG file, so treat images you receive with circumspection.
GeekedIn, a recruiting site for tech jobs, scraped 8 million GitHub profiles, but then left them exposed in an unsecured database. GeekedIn regrets the misstep and says it's correcting it. GitHub told Help Net Security that it allows access to its data but not for commercial purposes, and it's not clear that GeekedIn's use of the data for resale to recruiters would be compliant with GitHub's terms of use. Those with GitHub profiles should take steps to secure themselves.
Investigators continue to look into the upgrade fraud at Three. Some observers think onboarding and offboarding practices may have contributed to compromising the credentials used in the scam. The Cyber Wire heard from Christian Lees, CTO and CSO of security firm InfoArmor. Quote, as organizations continue to bolster their security postures at the perimeter, it's logical for threat actors to migrate to and even expand internal lateral movement campaigns, often fueled by compromised credentials, end quote. Lees points out that compromised credentials are often widely available, cost little, and can be used by a threat actor with a relatively low likelihood of detection.
We also heard from Istvan Molnar, a compliance specialist at Balabit. He points out that while the way the Three Mobile hackers got them remains unclear, using legitimate credentials is attractive for many reasons. Quote, hackers tend to use this method as it is the easiest way to stay under the radar, end quote. Molnar added that user account misuse has become the elephant in the room. In this case, the elephant put about six million customers' personal data at risk. Molnar also suggests that the episode indicates the insufficiency of passwords and associated authentication methods. It's equally important, he says, to consider complementing those methods with continuous identification that keeps an eye on what users authenticated with such credentials actually do while they're operating with them. Quote, it's important to have real-time information on the user's behavior, so that it is then compared to the already learned behaviors of known user profiles. In the case of Three Mobile, the system would have recognized the differences in the user's typing pattern, use of command set, and access network areas. This information would have appeared on the security analytic display, and if the situation got worse, the system would terminate the connection of the suspicious user in real time, end quote.
In hacktivism news, Terbium Labs tells us that they're seeing some signs of contact information being leaked about banks thought to be involved in funding the controversial Dakota pipeline.
Fortinet warns of an Android Trojan that's afflicting German mobile customers. It's a bogus email app that seeks administrative credentials, which, if granted in a moment of inattention, will send banking credentials to the criminals' command and control server.
On the subject of dodgy apps, it's worth noting that the holiday shopping season begins more or less officially this Friday, and there's much advice out there on how to buy safely online. RiskIQ this morning released a white paper on the topic. They draw particular attention to the risks apps pose during the season and suggest specific points of skepticism, and they emphasize the importance of knowing you're on the site where you intend to shop, not on a spoofed page. Beware of downloading apps from the virtual equivalent of the trunk of some random guy's car. The official app stores of, for example, Google and Apple aren't perfect, but they're a whole lot better than some app scalper you've never heard of before. Be skeptical of rave reviews. Those can be, and often are, sock puppetry. Be very cautious if an offer arrives via some free email service. And as always, bad spelling, sloppy grammar, malapropisms, and loose syntactic control should warn you off, when there are more of those, that is, than usual.
In industry news, Symantec indeed is ready to acquire identity protection shop LifeLock for $2.3 billion. Security company Optiv is moving forward with its plan to go public in an IPO.
President Obama, wrapping up his European farewell tour, told Der Spiegel that he can't pardon NSA leaker and current Moscow resident Edward Snowden on the grounds that Snowden has so far declined to face the music in a U.S. court. Failure to appear in court hasn't in the past necessarily served as a barrier to receiving a presidential pardon. After all, President Ford pardoned his predecessor, Richard Nixon, without it, so it would seem that in this case, can't should actually be heard as won't.
Rumors circulating in Washington over the weekend suggest DNI Clapper and Secretary of Defense Carter want NSA Director Rogers removed, ostensibly over dissatisfaction with NSA security and U.S. Cyber Command operations against ISIS. Republican congressional leadership sharply disagrees and says it's considering hearings into the matter. Admiral Rogers is said to have met with President-elect Trump last week, purportedly, say the rumors, to discuss possible service as Director of National Intelligence Clapper's successor.
Finally, if you were considering joining the Canadian Forces late last week, you may have found your interactions with their recruiting site redirected to a Chinese site featuring news and photos of various government functionaries in the People's Republic. Canadian authorities say it's a serious matter and they're investigating. It seems very improbable that the redirection was the work of the Chinese government. Hacktivists or simple vandals motivated by the lulz are the likelier suspects.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, saw a story come by recently that the feds are proposing voluntary automotive cybersecurity standards. What are the feds looking to do here when it comes to cybersecurity with our cars?
I think over the past few years, we've seen that cars are essentially becoming computers. We see a lot of technology being built into these cars that we as consumers, as drivers, really like. We can listen to music. We can connect our phones to the car. But the car itself has a lot of built-in technology, too, to make it more efficient. And the problem is that as these new technologies are being built into cars, the car makers haven't really been thinking about security all that much. There's a rush to market, so to speak, with the latest and greatest new technologies being built into cars. So now we have cars that can drive themselves, which is, for consumers, a really cool idea. But it poses a lot of security problems as well, because security oftentimes is an afterthought when these new technologies are being developed. So the Department of Transportation, National Highway Traffic Safety Administration recently came out with cybersecurity best practices for modern vehicles. Basically, these are guidelines that car makers should follow when they are developing these new technologies that they're building into cars. Problem, of course, is that these are only guidelines, which means that car makers can choose to ignore them. Car makers are not required to implement any of these guidelines. So that's where we are now. There's a certain recognition that cars are certainly vulnerable, the technology within cars is vulnerable, and that something needs to be done to increase security here and stop any kind of cyber threat from actualizing itself against these vehicles, which, of course, could have dramatic consequences when we're thinking about cars going at top speeds.
So these are voluntary guidelines. Why guidelines and not actual regulations?
We've seen this approach over and over again, where federal government is proposing guidelines rather than passing regulations or passing laws to actually force any kind of security measures to be implemented. I think it gets down to a very core belief here, which is that regulations and laws are generally opposed by industry because they're seen as stifling innovation, as being burdensome, as instituting significant costs on a developer of technologies. The idea is that we don't really want to stifle that innovation, right? We want those new technologies to come on the market. Certainly consumers want new technologies, and the industry itself wants to be able to not be burdened by all these additional regulations. So this is the approach that is often taken by the federal government, where best practices are recommended or guidelines are recommended, but no actual regulation or laws adopted yet.
So I guess then if the guidelines prove in the long term to not be sufficient, then that's when perhaps regulations are explored.
Yeah, I think that's true. I think the hope is that manufacturers will implement the guidelines to make their technologies more secure. But if that doesn't end up happening and society sees a need for greater security measures, then I think at some point we will see actual regulations or laws being passed that will mandate the implementation of additional security measures.
All right, we'll keep an eye on it. Markus Rauschecker, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.