CyberWire Daily - Disclosure, patching, and warning. Norway takes on “out-of-control” data sharing by dating apps. Ransomware all-in on doxing. What to do about Huawei.
Episode Date: January 15, 2020
NSA gives Microsoft a heads-up about a Windows vulnerability, and CISA is right behind them with instructions for Federal civilian agencies and advice for everyone else. Norway’s Consumer Council finds that dating apps are “out of control” with the way they share data. Ransomware goes all-in for doxing. The US pushes the UK on Huawei as Washington prepares further restrictions on the Chinese companies. And think twice before you book that alt-coin conference in Pyongyang. Johannes Ullrich from SANS Technology on malicious AutoCAD files. Guest is Chris Duvall from Chertoff Group with an overview of the current state of ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_15.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
NSA gives Microsoft a heads up about a Windows vulnerability,
and CISA is right behind them with instructions for federal civilian agencies and advice for everyone else.
Norway's Consumer Council finds that dating apps are out of control with the way they
share data, ransomware goes all-in for doxing, the US pushes the UK on Huawei as Washington
prepares further restrictions on the Chinese companies, and think twice before you book
that altcoin conference in
Pyongyang. Back at our CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire
summary for Wednesday, January 15th, 2020. It's good to be home. Federal agencies are expected to patch promptly in accordance with Emergency Directive 20-02,
so the U.S. government is clearly putting its money where its disclosures are.
As CISA blogged yesterday morning, quote,
CISA looks after, roughly speaking, the .gov domain,
with responsibility for federal agencies other than the Department of Defense,
which has the .mil domain, and certain national security systems.
Affected agencies have 10 days to apply the patch,
and the statutory boilerplate surrounding the emergency directive
should be sufficiently intimidating
to spur even the most laggard agency CIO into action. CISA says that it hopes state and local
governments, private sector organizations, and the general public will also patch quickly,
although of course it has no jurisdiction over them. The Washington Post sees NSA's disclosure
as representing a departure in policy
and indeed the agency's Cybersecurity Directorate head, Anne Neuberger,
did say that it was a change in approach.
A number of observers have commented to the effect that NSA was now on its best behavior,
playing nice by disclosing bugs rather than weaponizing them.
But the real change in approach was NSA's decision to allow its disclosure to be made public.
It has disclosed vulnerabilities before, but there's a new openness to its process.
CISA was ready with its own warnings and directions on the vulnerabilities patched yesterday,
which suggests that the cross-agency coordination between NSA's Cybersecurity Directorate
and their counterparts in the
Department of Homeland Security is functioning in this early test case. Both organizations are
young, CISA having been established on November 16, 2018, and NSA's Cybersecurity Directorate at
the beginning of this past October, so the way cooperation between them evolves will be worth
watching. The Norwegian Consumer Council determined that several dating apps are collecting users' personal data
and sharing them with various advertising networks.
The Telegraph says the dating apps include Tinder, Grindr, and OkCupid.
Among the advertising outfits are Google, Facebook, and Twitter.
The Norwegian Consumer Council is filing formal complaints against Grindr and five companies with whom the dating app was oversharing:
Twitter's MoPub, AT&T's AppNexus, OpenX, AdColony, and Smaato.
The action is being taken under the European General Data Protection Regulation, GDPR,
which prohibits collection of personal data without the affected person's explicit consent.
Reports suggest that the data collected
include such sensitive categories as sexual preference and ethnicity
and that Grindr, at least, was also sharing geolocation,
the better for its commercial partners to serve up advertising,
piping hot.
The companies named in the Consumer Council's action appear to represent the more egregious
data abusers, but the Council is not at all measured in the way it characterizes the problem.
It's out of control, they say, and given the companies involved, it seems a lead-pipe cinch
that data are flowing through some unanticipated and probably little-tracked advertising channels.
Ransomware operators are increasingly showing a disposition to turn to doxing
as an incentive to get victims to pony up.
If data are simply encrypted, then well-prepared victims who've backed their files up securely
in places inaccessible to the attackers can, at some relatively small trouble and expense,
restore their systems and plug the holes that let the attackers in, and then of course they
can cheerfully thumb their nose at the extortionist.
Things are more complicated when the attackers take the trouble to steal data before they
encrypt it, and that's recently become the norm in this corner of the underworld.
The gang behind Nemty Ransomware intends, according to
BleepingComputer, to follow the example of Maze and Sodinokibi by setting up a site on which it
can dump files stolen from victims who are laggard in paying the ransom. It's also interesting to see
the criminal-to-criminal market behaving in ways that mimic legitimate markets. Nemty's basically
put out a launch announcement.
We checked in with the Chertoff Group's Chris Duvall for his insights on the state of ransomware.
We're thinking 2020 is going to be, you know, another banner year for ransomware,
you know, potentially even worse than previous for a couple of different reasons.
The bad guys are discovering that it's a lot easier just to fire and forget.
You can put in a string of IP address ranges to look for vulnerabilities. You can do automated sort of phishing tests. And so being able to do that kind of high output automation is just going
to increase the number of potential vulnerabilities they discover and then can be exploited is one
factor. The other factor is while there's been improvements in kind of not only the attention paid to ransomware due to, you know,
media reporting and just general, you know, folks trying to lock down better security procedures,
it's making the sort of the adversary more wary and so almost more desperate.
So, you know, those that may see this sort of lucrative stream potentially drying up are going to try even harder to sort of find, you know, those vulnerabilities
and those big fish and exploit them.
In the conversations that you're having,
do you feel as though the word is getting out that people are starting to implement things like
multi-factor authentication and doing their backups? Are you getting that feedback from
them that that message is reaching them?
It is.
It is.
I mean, but it's a, you know, as you know, it's a constant challenge.
As the saying goes, the bad guys only have to get it right once.
The good guys have to get it right every time.
And so being able to lock down both any potential vulnerabilities
across your entire kind of landscape,
making sure that your employees are knowledgeable about what to look for
and what not to look for and what links to click on and not to click on. All of those
things are, it's a constant sort of exponential problem depending on how large your organization
is.
How about in the boardroom? Are those folks at those levels in organizations,
what's their relationship to this? Or are they seeing this as the hazard that perhaps it is?
That's a great question.
I think that is one of the biggest improvements that we've seen, particularly in 2019, is end of 18, end of 19.
And we're hoping we'll continue into 2020, which is the attention that the board is playing to security and to cybersecurity.
And so it's no longer, or at least it seems to be less so, a conversation about, okay, do we have things locked down?
And if not, what new tool do you need?
But really more of an honest conversation with the chief information security officer about what types of breaches or what types of attempts of breaches have we seen?
What have we been doing about them?
What's our return on investment?
And so that conversation at the board level appears to be increasing, which is very encouraging.
What about the human side of this? I'm thinking of security awareness training
in organizations, getting beyond the necessary technical elements that an organization should
have, but also helping your employees to recognize things like phishing campaigns.
It's crucial. I mean, it's one of those things that any organization has to have.
If you just think about it mathematically, if you have a 2,000-person organization and if you have a 20% click rate,
I mean, that's 200 folks that have clicked on a potentially malicious link that may have access to the system.
So being able to reduce or being able to educate your workforce to sort of recognize when something seems fishy and to notify is key.
And employees are the first line of defense.
If you don't have that, then most of the other security procedures you're going to take are just kind of putting your fingers in the holes in the dam.
Right, right.
Yeah, it's an interesting thing because simultaneous to that,
the availability of sophisticated tools for perhaps less sophisticated users,
and then you put that up against the idea that we've heard a lot about,
that the targeting has grown much more sophisticated,
that there are a lot of actors out there who are doing their homework when it comes to ransomware,
particularly with things like phishing campaigns.
It's not so much of a shotgun sort of spray and pray approach perhaps as it was in the past.
Does that align with what you're seeing?
Absolutely.
No, there probably isn't a day that doesn't go by where we don't, in our cyber practice area,
get together and sort of have printed out, you know, an email that we receive that looks genuine, like from our CEO, Chad Sweet, or from
the secretary. So the sophistication and the targeting is really, really increased over the
last year in particular.
That's Chris Duvall from the Chertoff Group. As the UK nears a decision on
Huawei and its potential role in the nation's 5G,
The Guardian reports that Her Majesty's government has already taken into account the most recent US revelations,
and that it seems likely to conclude that any risk associated with Huawei is manageable.
The US has warned that too much Huawei in the infrastructure
could force the American services to constrain the way they share intelligence
with their British counterparts.
But the head of MI5, Andrew Parker, has told the Financial Times that he thinks the special relationship is too long-standing,
too close, and too special for matters to go that far.
That said, there's no denying that the U.S. has been both assertive and consistent on the risks posed by Huawei.
Back on this side of the Atlantic, the U.S. Federal Communications Commission seems ready to expand its ban on both Huawei and ZTE gear, J.D. Supra says.
That's a demand-side measure, and according to CNBC,
the U.S. Commerce Department is considering stronger supply-side measures
against the Chinese firms,
with tighter export controls against them under consideration.
Those controls would have an impact on third countries as well.
We've just returned from a trip to a conference in Seattle,
and like many of you, we're now looking ahead to a trip to San Francisco,
since the RSA conference is just around the corner.
But let's say you, friend,
are interested in mixing it up. You've heard about those cryptocurrencies, sister, and those
blockchains, brother, and you're ready to learn from the best and swap some ideas with other
movers and shakers in the fast-moving world of altcoins and the wallets they flow through.
Well, ever been to Pyongyang? Neither have we, but the 2020 Pyongyang
Blockchain and Cryptocurrency Conference will meet at the SciTech Complex between February 22nd and
29th, ending on Leap Day, and how often can that happen? We know, every four years, but how can you
pass this one up? The answer to that would be yes, yes, yes, yes, indeed. No matter how much
you've always wanted to party with the Lazarus Group, do pass this one up. But don't just take
our word for it. Listen to the UN's own experts who tell Reuters that attending the conference
would constitute a violation of international sanctions the civilized world has imposed on
the DPRK. There are plenty of other things to do in
late February. You could stay home and watch TV, for example. The XFL will be playing, and that
weekend you could watch the Los Angeles Wildcats take on the New York Guardians, or see the St.
Louis Battlehawks go toe-to-toe with the Seattle Dragons. Sure, it's not that Super Bowl thing we
hear about, which, by the way, we completely lost interest in
around 11 p.m. Eastern time this past Saturday.
But you can take this to the bank.
It'll be better than a visit to the gift shop
at the Victorious Fatherland Liberation War Museum.
And it'll be legal, too.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Technology Institute,
also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
We wanted to touch today on something that you all are looking into.
This has to do with some AutoCAD files and some vulnerabilities that have been popping up there.
What do you have to share with us today?
Yeah, so the bad guys, they're always getting creative and finding new document types to hide malware,
typically to bypass filters and your mail servers.
So you have filters inspect, for example, Word documents to make sure there are no macros in them and such. But turns out that AutoCAD files, these are usually using a .dwg extension.
Well, they're actually the same OLE standard files as Microsoft Office documents,
and they can contain pretty much the same Visual Basic for Application macros
that you find in Word and Excel. So we have seen a couple of these AutoCAD
files being used to attack users. And what's a little bit tricky here is, first of all, you know,
AutoCAD is not a commonly installed desktop application. So your targets are a lot more
sparse here, but it's usually people in your company that work sort of on your latest, greatest designs, on proprietary data that you're trying to protect.
So it's certainly a very important target.
And I think that's where these AutoCAD files are really becoming an issue.
You may say, hey, I can just filter for AutoCAD files.
Yes, you can do that.
And definitely that's something that you should do.
It's also a little bit different than,
you may have heard occasionally about like, you know,
executable code being added to images and such.
That's usually just done to infiltrate the code into the organization.
You still need some special, usually malicious software to parse
this code out of these images. With AutoCAD files, well, if you have AutoCAD already installed,
no real malware needed other than this malicious AutoCAD document.
Now, in terms of getting these AutoCAD files to the folks who would then launch them,
is this just straightforward
kind of phishing sorts of things?
Yep. What we have seen so far is pretty much,
you know, spear phishing emails. Someone receives an email with an attachment telling them, hey,
this is new design I'm working on or whatever. So this is sort of how they usually appear to
be distributed. Of course, they could also arrive as a link to a
website. Maybe if someone sort of finds some open repository of AutoCAD drawings, like of parts and
such, they could, of course, use them. Haven't seen that part yet, but this would be, it's a
little bit similar to, from a developer's point of view, when you're including libraries and such, a lot of AutoCAD users are using part libraries and such that, of course, may also include these malicious macros.
And I suppose there's an educational component to this as well.
If you've got folks on your staff that are using AutoCAD, put the word out that perhaps disabling macros or at the very least being on the lookout for this sort of thing?
Certainly, that's a real good idea. I'm not actually sure if you can disable macros like
you can do in Word with AutoCAD, but definitely be on the lookout for it. And make sure on your
mail servers, in your web proxies and such, that you don't forget to inspect those AutoCAD documents.
In general, whenever you receive an attachment with an odd extension, it's probably a good idea to quarantine them and look at it later from a security point of view.
Yeah.
All right.
Well, Johannes Ullrich, as always, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time
and keep you informed.
Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team
is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.