CyberWire Daily - Daily & Week in Review: Sorry, kids, it's back-to-school. What you should know, fellow youths, and more.
Episode Date: August 26, 2016
In today's podcast, we hear about a spyware case connected to Pegasus, a tool that can jailbreak an iPhone (they say) with a single click. Apple issues an out-of-band patch for the three iOS zero-days the Pegasus exploits use. Shadow Brokers leaks remain under investigation. PhishLabs and TrapX release anti-ransomware tools. Ramnit and Dreambot are after bank accounts (and Dreambot spreads over Tor). NIST has a de-identification standard out for comment. AT&T's Bindu Sundaresan looks at academic networks as students head back to school. Johns Hopkins' Joe Carrigan discusses options for safely backing up your photos. Industry news includes some interesting short-selling. And Russia isn't feeling the love in cyberspace.
Transcript
You're listening to the CyberWire Network, powered by N2K.
PhishLabs and TrapX release anti-ransomware tools. Ramnit and DreamBot are after bank accounts, and DreamBot spreads over Tor.
NIST has a de-identification standard out for comment. AT&T looks at academic networks as
students head back to school. Industry news includes some cyber-FUD-enabled short-selling,
and Russia isn't feeling the love in cyberspace.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, August 26, 2016.
Apple has issued an out-of-band patch for three vulnerabilities in iOS. These were discovered and disclosed by the University of Toronto's Citizen Lab and the security company Lookout. The vulnerabilities, which are being called Trident, are associated with an intercept toolkit called Pegasus sold by NSO Group.
Apple addressed three vulnerabilities in its patch: an information leak in the kernel,
a kernel memory corruption leading to jailbreak, and a memory corruption in WebKit.
Users of iOS devices are, of course, advised to apply the patches as soon as possible.
Citizen Lab began its investigation after receiving a phone from Ahmed Mansoor, a dissident
and human rights activist from the United Arab Emirates.
On August 10th and 11th, Mansoor received SMS messages he suspected were phish bait,
and he sought help from Citizen Lab.
Citizen Lab cooperated with Lookout, the well-known mobile security company.
They found Pegasus, which Lookout calls, quote,
the most sophisticated attack we've seen on any endpoint, end quote.
The link in the phishing message essentially jailbreaks the phone in one click and installs persistent spyware.
Pegasus, Citizen Lab says,
collects and exfiltrates calls, messages, and a range of personal information, things like contact
lists, calendar entries, and passwords. NSO Group describes itself as a vendor of lawful intercept
tools. Their customer is unknown, but circumstantial evidence points strongly toward the government of
the United Arab Emirates. What the customer may have paid for Pegasus is also unknown, but observers think it was a lot.
Citizen Lab calls Mansoor the million-dollar dissident. Foreign Policy notes that the
zero-day vendor Zerodium offered a bounty of $1 million for an exploitable iOS bug,
which communicates some sense of the market. Whatever the market may be, it's likely to fall short of the half billion the Shadow Brokers say they want
for a bunch of alleged NSA attack code they've come by through obscure means.
As far as we know, the bidding on their online auction has remained orders of magnitude below their asking price.
The U.S. intelligence community continues to investigate as Cisco, Huawei, and Juniper Networks
are said to be downplaying the impact of the Shadow Brokers' leaked exploits.
There's some good news on the ransomware front. PhishLabs has released a decryptor for the recently discovered Alma
Locker ransomware strain, and TrapX has released a product called CryptoTrap,
said to be effective at diverting the TeslaCrypt, Locky, and 7ev3n families of ransomware
away from organizations' more valuable assets.
CryptoTrap is being marketed to healthcare organizations.
Of course, backing up files securely remains the single most important measure
one can take for protecting against the effects of ransomware.
A bit later, we'll hear from Johns Hopkins' Joe Carrigan
about the ins and outs of backing up your photos.
In other cybercrime news, Zscaler's ThreatLabZ today reported finding a cyber-squatting
campaign that's delivering the Agent Tesla keylogger.
Zscaler's director of research, Deepen Desai, told the CyberWire that Agent Tesla is a
criminal tool, not one typically used by state security services.
The crooks deliver the keylogger through typosquats of legitimate domains.
The malicious site's URL is crafted to be one character different from that of a legitimate site,
and hence easy to blunder into through a simple typographical error.
The payloads carried by the vector include seven modules,
a USB spreader, melt functionality that can uninstall the malware from a victim machine,
a webcam hack, a screenshot exfiltration capability, a keylogger, a password stealer,
and an anti-analysis function that can detect sandboxes and virtualization,
and that disables a variety of security programs.
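The typosquat lure described in this item (a domain one character different from a legitimate one) is something a defender can hunt for in DNS logs. The following is an added example, not code from Zscaler, from the podcast, or from any product it mentions: it flags queried names whose registrable domain is exactly one edit (insertion, deletion, substitution, or adjacent transposition) away from a domain on a watchlist. The watchlist, the "timestamp client qname" log format, and the log lines are constructed sample data.

```python
"""Flag DNS queries whose registrable domain is one edit away from a watched domain.

Added example (not Zscaler's or the podcast's code). Watchlist, log format and
log lines are constructed sample data.
"""

# Constructed watchlist: legitimate registrable domains the organisation owns or
# that its users routinely visit.
WATCHLIST = frozenset({"example.com", "examplebank.com"})

# Constructed DNS query log, in a hypothetical "timestamp client qname" format.
SAMPLE_LOG = """\
2016-08-26T10:00:01Z 10.0.0.5 example.com
2016-08-26T10:00:02Z 10.0.0.5 exmaple.com
2016-08-26T10:00:03Z 10.0.0.7 examp1e.com
2016-08-26T10:00:04Z 10.0.0.9 example.org
2016-08-26T10:00:05Z 10.0.0.9 examplebank.com
2016-08-26T10:00:06Z 10.0.0.9 examplebanc.com
2016-08-26T10:00:07Z 10.0.0.9 cdn.example.com.
2016-08-26T10:00:08Z 10.0.0.9 totally-unrelated.net
"""


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition.

    Transposition matters for typosquats because swapped neighbouring letters
    ("exmaple") are among the most common typing errors.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[-1][-1]


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels.

    Simplification for the example: a real deployment should consult the Public
    Suffix List so that names under suffixes such as co.uk are handled correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_typosquats(log_text: str, watchlist=WATCHLIST, max_distance: int = 1):
    """Return (qname, closest_watched_domain, distance) for suspicious queries.

    A query is suspicious when its registrable domain is not on the watchlist
    but lies within max_distance edits of some watchlist entry. Exact matches,
    including legitimate subdomains, are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or blank line
        qname = fields[2]
        domain = registrable_domain(qname)
        if domain in watchlist:
            continue
        closest = min(watchlist, key=lambda w: edit_distance(domain, w))
        dist = edit_distance(domain, closest)
        if dist <= max_distance:
            hits.append((qname, closest, dist))
    return hits


if __name__ == "__main__":
    for qname, brand, dist in find_typosquats(SAMPLE_LOG):
        print(f"suspicious: {qname} (distance {dist} from {brand})")
```

Run against the constructed log, the three near-miss names (transposition, digit-for-letter substitution, and a single substituted letter in the longer domain) are flagged, while the wrong-TLD query example.org is left alone because it is three edits away; raising `max_distance` trades more coverage for more false positives.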
Two familiar banking trojans are causing fresh trouble.
Ramnit is back, and it's said to be afflicting six major British banks.
And DreamBot, a variant of the familiar Ursnif or Gozi malware,
is also out again in the wild.
Proofpoint warns that this time DreamBot is spreading over Tor networks.
Protection of personal information, especially in systems that collect a lot of it,
remains a difficult challenge.
In the U.S., NIST, the proudly non-regulatory, as they call themselves,
National Institute of Standards and Technology,
has issued a draft publication on de-identifying personal data in government systems.
NIST invites comments on this draft, Special Publication 800-188.
The goal of the proposed standard is to find ways of de-identifying personal data
so that they may be made safely and innocently available for various public purposes.
If you're an Australian kid and you're interested in a more palatable educational experience than tradition and cliché might lead you to expect in the classroom, well, good on you.
Westpac, Deloitte, and other tech leaders are sponsoring a LifeJourney Day of STEM down under on September 5th.
In industry news, the cybersecurity sector has seen speculation about an Optiv IPO.
Chinese security firm Qihoo has taken itself private.
Dragos has raised $1.2 million in a seed fund round.
And BlackBerry continues to work toward its reinvention as a security company.
The Financial Times reports an unusual bit of apparent market moving. The paper says a short-selling hedge fund called Muddy Waters has publicly alleged cyber vulnerabilities
in a pacemaker manufacturer's products in an apparent attempt to put downward pressure
on the manufacturer's stock price.
A U.S. federal court in Seattle has convicted Roman Seleznev of crimes
related to a large-scale carding operation. Seleznev is the son of a prominent member of the
Russian Duma. He was spirited to the U.S. territory of Guam from a vacation in the Maldives back in July
of 2014. Russian authorities grumbled about kidnapping, etc., but the extradition stood, and Seleznev now faces a sabbatical somewhere in the Bureau of Prisons.
Finally, Russia feels it's more sinned against than sinning in cyberspace.
Influential Russians say they're more typically the victim than the perpetrator of cybercrime,
and they point accusatory fingers in the general direction of Beijing.
Who knows? To be sure, there's a lot of
cybercrime in Russia, although its source and direction can be tough to assess. The world
would welcome clarification, perhaps from the Seleznevs.
Joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, a friend of mine, she recently lost her phone.
This was troubling to her because she had about two years' worth of photos on that phone that she had not backed up.
Those photos were gone.
There's that old joke about if there's a fire in your house, the first thing you should grab are the photo albums because those are your precious family memories.
Well, our precious family memories are on our mobile devices now.
That's right.
Yeah.
My wife actually has a very similar situation.
She takes a lot of pictures.
Just yesterday, I bought a new SD card for her to put into her phone that's twice the size of the one she had because she's filled it up with pictures.
Take a lot of pictures.
A lot of people do this.
I personally don't.
It's just not in my nature.
But there are ways to prevent what happened to your friend from happening.
There are a number of services out there, cloud backup services.
There's Dropbox.
There's OneDrive from Microsoft.
And there's the Google product.
I think it's called Picasa.
There's Google Photos.
Google Photos.
It's the latest one from Google.
Yeah, I actually use that one.
Okay.
And what happens is when you take a picture of anything on your phone,
it is uploaded either across your data connection through your wireless provider,
or you can actually set a setting that says,
I don't want to use my data for this, but next time I'm connected to Wi-Fi, go ahead and upload
the photos. And then these photos are stored in the cloud for you on these service providers'
sites. And of course, the security angle is you're gaining the benefit of backing up your
photos. But on the other hand, now someone else has your photos. Correct. Yeah, exactly.
And you have to make the decision of what the tradeoff is.
And you also need to understand the terms of use.
Of course.
Right?
You need to read the end user license.
Yeah, because we all do that.
Right.
Absolutely.
Yeah.
I mean, the thing that's impressed me about Google Photos are the search capabilities are absolutely amazing.
I have family photos in there.
I can say, show me all the photos of people in the snow who are sledding.
And they all pop up.
It's like magic.
It's amazing.
I haven't played with Google Photos,
but I'm going to have to take a look at that.
That sounds like an amazing capability.
And the thing, too, I think is that if you can use one of these services that's effortless,
where you don't have to do anything but install the app or make it happen,
that's a great way to ensure that these precious memories are actually getting backed up.
Right.
So it's a good way to protect your photo data.
All right.
Joe Carrigan, thanks for joining us.
My pleasure.
Here in the U.S., it's back-to-school time,
with kids of all ages grabbing their backpacks, laptops, and mobile devices and heading to class.
AT&T just released a white paper titled,
Helping to Secure Education Networks,
which outlines the ways in which schools and colleges are particularly vulnerable to cyber criminals.
The hacker community out there knows the value of higher educational data.
Bindu Sundaresan is Strategic Security Services Practice Lead with AT&T Security Consulting.
So hackers can gain access to information about students, the staff, the
alumni's social security numbers, financial information, intellectual property, patent
information held by universities' research staff. So, you know, clearly, you know, the type of data
that an educational
institution houses makes them a truly attractive target for the hacking community. All of this
information that they do glean, they sell it in the black market to potentially create, you know,
fake identities, you know, leading to identity theft. So think about this, you know, for the
future generation, you know, these are our kids whose information is stolen today.
Ten years from now, when they have to apply for a job, when they have to get a car,
those are the times that we would find out that, you know, their credit history has been manipulated,
their identity has been stolen.
So, you know, this information is hot in the marketplace for being able to use against creating fake identities.
Yeah, I'd never really considered that part of it, that I suppose a child's identity might
be more pure.
It doesn't have as much attached to it, which may make it valuable.
Is that logical?
Sure.
And we don't keep track of it, right?
As an adult, we monitor our credit history.
We really don't do that for our children.
We don't really look at their personal information being manipulated,
and we try to keep the innocence of it.
Are educational institutions generally underprotected?
I would say yes, just because of the nature of the networks that they house.
It's an open network. It's about information sharing.
Although we are seeing a trend in which educational institutions are making a more conscious
choice in terms of security investments, traditionally, because of the way networks
within educational institutions have been architected, it's about being open, but at
the same time needing to be secure.
So are they lagging behind in terms of other industries?
I would say yes, but is the growing trend to make those conscious investments?
They are on the right path to be able to invest in this.
Their growing trend is that they're doing a better job of it.
You know, I think of my own child who is a high school student,
and I think of his relationship to the network in his school, and I can't help wondering, how much are students part of the problem?
You know, is there any sort of adversarial relationship between the students themselves
and those who are trying to protect them and protect the school's network?
Sure.
You know, again, security is not just a technology problem.
At the end of the day, it is a human interaction, user-related problem, right?
So, you know, as I have a child of my own, you know, most of the time is spent online, you know, who they interact with, how they
connect to the network, you know, what is their perception in terms of the big picture, you know,
how is it relevant to them? So when we have those cybersecurity conversations with our kids,
we want to make it more realistic for them, you know, give them examples of how
information that is taken from them or what they share online, you know, how it could be used
maliciously, you know, give them that big picture, have that talk with them about cyber safety and,
you know, talk to them about why we want to install parental controls. Why do we want to,
you know, ask them for information on which sites they're on, what are they doing
on Snapchat or Instagram for that matter? How all of this information can be weaved
together to create a social profile of them by some malicious user.
And so what kinds of attacks are most common against educational institutions?
So, you know, from the larger universities
and, you know, the larger educational institutions, we've seen the DDoS and the ransomware to be
one of the most prevalent types of attacks. You know, we're seeing that, you know, at the end of
the day, the exploitation is done so that, you know, you get the bandwidth of a larger institution
and you're able to use them against a DDoS attack that you
want to perform for another organization. It's also about collecting this valuable research
information. So we see nation state actors as part of an organized crime ring going in to see,
you know, how they can get access to research data, whether it's nuclear research, you know,
whether it is, you know, cancer research, all of these, all of these patent information that they want to gain from.
So DDoS and ransomware would be the top attacks.
We're also seeing a growing trend with phishing scams,
as well as web application and mobile apps-related attacks as well.
And then for the enterprises themselves, what kinds of things should they be looking out for?
I think the concept of layered security protection,
so the defense in-depth approach, back to the basics in terms of making sure that you're
securing at each layer, the network layer, the endpoints, the application layer, as well as
have a risk-oriented security strategy in place. You cannot protect everything equally. So
understand where you're collecting the sensitive information, how it's being housed, you know, what are some of the basic steps that you can take to educate
your user community. Make sure that security awareness and training is part of that initiative
because ultimately you can invest all the tools and the technologies, but then the end user,
you know, would be the weakest link. So make sure that you train your users as well.
That's Bindu Sundaresan from AT&T Security Consulting.
Their new white paper is Helping to Secure Education Networks.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.