CyberWire Daily - Daily & Week in Review: Voter dbase compromises. How not to sell security.
Episode Date: April 22, 2016

In today's Daily Podcast we hear about Mexican and Philippine authorities' investigations into voting database compromises. Ransomware continues to circulate, and we learn something about the increased sophistication of phishing. Point-of-sale crooks race against US EMV adoption. We take a look at the SecureWorks IPO and the long interest in some leading security stocks. Joseph Opacki from PhishLabs explains the growing sophistication of phishing schemes, and Benjamin Yelin from the University of Maryland Center for Health and Homeland Security tells us about mobile security and Stingrays.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Voter information is exposed in Mexico, even as Philippine authorities make an arrest in their
own voter database hacking case. U.S. court rulings affect the interplay of security and privacy.
Reporters do the math on Director Comey's Q&A; they conclude the FBI spent something north of $1.3 million on a zero-day
used to unlock that jihadist iPhone.
Ransomware and point-of-sale hacks are this week's fashion and crime,
and we take a look at some industry trends.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, April 22, 2016.

Authorities in both the Philippines and Mexico deal with exposed voter databases.
In the Philippines, the Commission on Elections was initially defaced on March 27, with personal information on about 55 million voters being posted online three days later.
The Manila Bulletin reports that police arrested a suspect at his home in Sampaloc, Manila,
and that the National Bureau of Investigation is sifting through devices and other materials seized in the arrest.
The suspect is said to be a recent IT graduate who styled himself a white hat hacker,
committed to responsible disclosure.
If still unconfirmed reports are correct, that self-presentation isn't without justification,
as the suspect is said to have earned some bug bounties
and the thanks of the companies to whom he's disclosed his findings.
Obviously, however, hacking into and then exposing the personal information
of millions of registered voters means you've changed hats.
Philippine authorities apologize for the breach,
but say they'll continue to hold elections as planned.
In the Mexican case, Salted Hash reports that Kromtech researcher Chris Vickery discovered a 132-gigabyte misconfigured MongoDB instance holding records of more than 93 million voters. The compromise was discovered April 15 and disclosed the next day, but the database seems to have been exposed on an Amazon Web Services account since September of last year. Authorities pulled the data offline this morning.

The FBI paid at least $1.3 million for a zero-day that helped them access the San Bernardino jihadists' iPhone. The Bureau considers it a bargain at that price, but the purchase is unlikely to mollify those uncomfortable with the investigation's implications for privacy.

There are, of course, many ways you can become infected with malware.
One of the vectors is the phishing attack. Some phishing, like the venerable Nigerian scam,
designed to induce the unwary to give up their bank account credentials,
is fairly obvious and easily recognized.
But phishers are upping their game.
We spoke with PhishLabs' expert Joe Opacki about the growing sophistication of phishing schemes.
Spear phishing remains the primary infection vector for APT actors. We all knew that. However, 22% of spear phishing attacks analyzed in 2015 were motivated by financial fraud or related crimes. The second thing is we noticed that there's a large upscale in the number of business email compromise spear phishing attacks that we've seen in 2015, significantly more than we saw in 2014.
And the threat actors that are using these types of attack techniques are modifying their techniques to make the attack much more effective.
Opacki reminds users to remember that phishing is often a single component of a larger, more sophisticated attack.
So there have been numerous incidents over the last couple years in which law enforcement has actually arrested people who are known phishers. I think the bigger question is what a lot of people understand is that phishing is also considered a gateway crime. We say a lot in our office that 90% of all malware infections begin with a phishing attack. And also 95% of all corporate espionage attempts begin with a spear phishing attack.
So phishing is not a single crime.
It's actually tied to larger organized crime.
As time goes on, the phisher's techniques grow more and more sophisticated.
There's two types that we really focus on.
First on consumer-focused phishing, what we've seen is authors who are
creating what we call phish kits, which are basically sites that are posted on compromised
websites that represent a brand that they're trying to scam. What we've seen is we've seen
a lot of authors who have injected code that obfuscates data, will collect large amounts of
data from people who are going to these scam sites,
have specific countermeasures in place to prevent analysis,
have specific countermeasures in place to prevent specific users from going to even the phish kit.
So they have geo-IP blocking.
They use specific technologies to prevent IP address spaces from visiting.
From a spear phishing side, we've seen a lot more
sophistication around these business email compromise scams. There's more and more targeting
by the phishers against the enterprise. The business email compromise attacks not only
grew in sophistication over the last year, but the actual attack techniques by the phishers changed
since what we've seen in 2014. What we've also seen is we saw a modification recently that preys upon privacy. So we've seen a lot of emails that have gone out with the scam that uses some type of mergers and acquisitions ploy to reinforce the need for secrecy. So not only are they saying this is timely, you need to do this because I'm the CEO, but also you can't tell anyone that you're doing this.
And so we're seeing much more social engineering sophistication going into these types of attacks.
According to Joseph Opacki, there's no silver bullet to protect your organization against phishing.
It requires a combination of employee training, reporting and automated monitoring.
Phishing is 100% a social
engineering attack. And essentially, it preys upon the fact that people want to believe what they
read. There's no technical implementation that you can utilize that's going to 100% completely
combat phishing. It's important for you to provide security awareness training, or what we call
employee defense training
to educate your user base to identify what the attack looks like and further build this mentality
within your company to provide reporting. Reporting absolutely is an important part of this process
because not only does it need to be identified, but it also needs to be analyzed and it helps
drive the response
to the attack. There's lots of technical solutions that you can implement that will assist you with
doing a lot of this. But as the attack methodologies change, and also as the adversary
threat vectors change, there's always going to be phish that are going to make it through any
solution we put in place in the enterprise level,
which is also why we need to reinforce that the security awareness training or employee defense training is important for your user base,
and then constant testing to ensure that they know how to identify the attack or the attack vector.
Joseph Opacki is head of threat research analysis and intelligence at PhishLabs. Their website is phishlabs.com.
Benjamin Yelin is a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security,
one of our academic and research partners.
Ben, I think we all have a certain expectation of privacy on our mobile devices,
but there's a device called a Stingray that comes up in stories about law enforcement investigations and mobile devices.
Can you describe for our audience what exactly is a Stingray?

Sure. So a Stingray, and there's another brand name that's used called Hailstorm,
is a device that acts as a cell site simulator. So it tricks your cell phones into transmitting
information that they would normally transmit to a cell tower. So it's actually identifying information and information that can reveal your exact location.
And these devices have been used by law enforcement as a way to track potential criminals.
And law enforcement has tried to use evidence gleaned from these searches by Stingray devices
in courts of law.
Now, there was a case that just came up in Maryland regarding a Stingray device, yes?
Yes, there is. So the Court of Special Appeals just heard a case by the name of the State of
Maryland v. Andrews. As background for your listeners, the Court of Special Appeals is
an intermediate court in Maryland, so we'll see if this case makes it up to the highest court in
Maryland, the Court of Appeals. But that court, the intermediate court, held that searches under
Hailstorm, which is a version of the Stingray device, are unconstitutional, are violations
of the Fourth Amendment, and any evidence gleaned from the use of these devices cannot be used in
court. It has to be excluded. And the reasoning is that people have a reasonable
expectation of privacy that their cell phone will not be used as sort of a real-time tracking device.
There's this legal concept called the third-party doctrine in which if you voluntarily submit
information to third parties, such as a cell phone company, then you lose your reasonable
expectation of
privacy and there's thus no search for Fourth Amendment purposes. But I think what the court
was saying here is that you are not voluntarily submitting any information. This is an active
device that seeks out your information, that actually penetrates your device to get identifying
information. So the court was saying that the third-party doctrine doesn't apply here.
That means we have a search.
People do have a reasonable expectation of privacy,
and because it's a search, the Fourth Amendment applies.
You either need a warrant or an exception to a warrant,
and in this case, law enforcement did not have a warrant.
So at least for the time
being, the case has been thrown out and they'll need to try the case with new evidence.
One of the things that puzzles me when I see these stories about stingray devices is that
the FCC seems to be turning a blind eye when it comes to law enforcement pretending to be
cell phone towers. Yeah, it's very interesting. So last year, Senator Bill Nelson from Florida
sent a letter to the FCC and its chairman, Tom Wheeler, asking about the use of these Stingray
devices. And the FCC said that they have certified these devices. The only condition for their use
is that they can only be sold to law enforcement officials. Basically, the commission
said it had no information about the extent to which or conditions under which law enforcement
has obtained authority to use these devices. So they've been pretty hands-off about it,
which I agree that it's surprising, especially something that has sort of limitless potential
to identify people's locations and personal information. So I'm surprised that they haven't taken a closer look at it.
I know the ACLU and other groups have raised concerns about these devices,
and they're basically operating as remote cell phone towers that are gathering metadata on all the phones in their vicinity,
and that's a pretty significant intrusion on people's privacy.
Well, time will tell, and we'll continue to keep an eye on it. Ben Yelin, thanks for joining us.
Looking back at the week, we find some recent U.S. court decisions affecting privacy and security.
Senior United States District Judge Susan Illston of the United States District Court for the Northern District of California has ruled that changes to law and policy have now rendered national security letters constitutional.
National security letters are demands for personal information accompanied by a gag order
prohibiting disclosure of the demand. The judgment was unsealed yesterday. Judge Illston had
earlier ruled national security letters unconstitutional. The Electronic Frontier
Foundation plans to appeal. In a quite different case with a markedly different outcome, Judge
William G. Young of the U.S. District Court of Massachusetts ruled inadmissible evidence in a
child abuse imagery case. The FBI had obtained the image by using network investigative techniques
to plant spyware on a suspect's device.
The investigation was conducted with a warrant,
but Judge Young found that the warrant had been granted without proper jurisdiction.
Point-of-sale attacks spiked this week.
Much of this appears to represent a criminal scramble to take advantage of legacy card swiping systems before their imminent replacement in the big U.S. retail market
by the, one hopes, more secure EMV systems. Commonly called chip card, EMV point-of-sale
systems are the ones in which you insert rather than swipe your card. They're clearly coming to
U.S. stores, but merchants are dissatisfied with the
way they're being pushed out. Retailers began assuming liability for pay card fraud about six
months ago, and they're unhappy with the confusion customers experience at checkout. They blame card
companies for the problems. The card companies, retailers complain, have been too slow in
certifying EMV software. The week also saw the continuing rise of ransomware,
including the newly discovered CryptXXX.
Researchers are finding that the criminal proprietors
of the well-known Nuclear exploit kit are profiting from the trend.
Their product has become a popular adjunct to ransomware campaigns.
And of course, the most important protection any enterprise or user
can adopt against the effects of ransomware is regular, secure backup.

The week saw some patching. Cisco patched, among other issues,
a denial of service vulnerability in its wireless LAN controllers, and Oracle issued 138 fixes to
products that include Oracle Database Server, eBusiness Suite, Fusion Middleware, Oracle Sun
Products, Java, and MySQL.
A significant change to Oracle's patching practices is the company's adoption of Common Vulnerability Scoring System, or CVSS, version 3.0,
which caused more of its patches to be scored high or critical.
And in industry news, Dell SecureWorks priced its initial public offering late Thursday. In the IPO, some 8 million shares were sold, lowered by a million from what was expected, and the price was $14 per share, also a bit lower than the estimated $15.50 to $17.50 range. SecureWorks
will trade under the SCWX ticker symbol. Other security stocks exhibited mixed performance in trading.
IBM's disappointing earnings brought its shares down, but a number of analysts think the company's
repositioning of itself, especially its repositioning as a player in the security market,
make it a long-term bargain. Another company attracting favorable reviews from analysts is
Palo Alto Networks. Morgan Stanley thinks underappreciated free cash
justifies continuing its positive overweight rating. And finally, have you ever received
emails from security vendors urging you to act now or warning you that this is your last chance?
We have. Sometimes they even address us by our first name. When we were out at SINET ITSEF,
if we heard about one big burr under everyone's saddle,
it was the last chance cold call or email.
So we close with this advice
to security company sales staff everywhere.
Act now.
Stop the nagging and learn something about your prospects.
Act now.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.