CyberWire Daily - Facebook breach updates. Bogus Zoho Office Suite. Brazil's big botnet. Vulnerable router firmware. Patch news. A DGSI officer arrested for dark web collusion with the mob. Bad Fortnite cheats.

Episode Date: October 3, 2018

In today's podcast, we hear that Facebook continues to investigate its breach, and says it's not found any evidence of apps compromised through Facebook Login. Irish authorities open a GDPR investigation of Facebook. Bogus offers of Zoho Office Suite are malicious. A big botnet hits Brazil's banking customers. Home routers found vulnerable. Google and Adobe patch. A DGSI officer is arrested in France for dark web trafficking. FEMA tests its emergency text system. Fortnite cheats are bad news. David Dufour from Webroot on security issues in video games as they become social networks. Guest is Michael Feiertag from tCell with results from their Q2 incident report. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_03.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k. Bogus offers of Zoho Office Suite are malicious. A big botnet hits Brazil's banking customers. Home routers are found vulnerable. Google and Adobe patch. A DGSI officer is arrested in France for dark web trafficking. FEMA tests its emergency text system. And Fortnite cheats are bad news.
Starting point is 00:02:36 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 3rd, 2018. Facebook says that so far it's seen no evidence of illicit sign-ons to third-party apps. There have been concerns that the social media platform's Facebook Login feature would expose applications to fraud or hijacking. Irish authorities, the one-stop shop for Facebook with respect to GDPR enforcement, are proceeding with their investigation of the breach. Speculation in Europe and elsewhere is trending toward thinking that the fine, and most seem to expect a fine, will be a stiff one despite Facebook's quick compliance with disclosure rules. A quick note on the EU's one-stop-shop principle with respect to its General Data Protection Regulation. In brief, it means that when there's cross-border processing
Starting point is 00:03:22 of personal information covered by GDPR, organizations doing that processing, in this case Facebook, but it applies generally, will deal with one supervisory authority. That lead supervisory authority, in this case Ireland's government, doesn't completely preclude other data protection authorities from involving themselves, but the one-stop shop is at least the first shop you have to stop in. While Facebook is getting credit for quick disclosure, that quick disclosure is giving many second thoughts about whether the tight 72-hour GDPR standard is entirely wise. Investigation is
Starting point is 00:03:59 still far from complete, and many observers think that coming out publicly so swiftly hasn't been good for the quality of incident response. Security company Cofence warns users of the free Zoho Office Suite that they're at risk of data exfiltration attacks. Criminals have opened multiple keylogging campaigns that exploit the product. The crooks are, for the most part, setting up bogus sites with equally bogus free offers of the product, so classify this one as social engineering. High-profile Instagram users, influencers, are being subject to an account hijacking campaign in which criminals are holding the victim's accounts for ransom. It seems, according to Naked Security, that the
Starting point is 00:04:44 root problem is failure to enable two-factor authentication. Instagram recommends you do so, whether you're a high-profile influencer or just a regular type. Security firm T-Cell provides cloud-based web application firewall services, and that provides them with some interesting insights into app security. They recently gathered up some of those findings and published a security report for web applications. Michael Feiertag is CEO at T-Cell. Last year, we did an analysis of how often attacks were successful. And what we found is that if an attacker tried 100,000 different things against the average application, they might find one vulnerability. We found that that's actually stayed consistent over the year.
Starting point is 00:05:33 But then we decided to dig a little bit deeper to figure out what are the sources of those vulnerabilities that people are finding. What we found most striking was that when we looked at the various applications we were protecting, particularly when we were first installed, where it's kind of a clean data, sort of clean view of the world, we found that literally 90% of the active applications, 90% of the apps that we saw expose the outside world were running with third-party libraries that had known vulnerabilities. So running an app with a vulnerability was not the exception.
Starting point is 00:06:11 It was the absolute rule. And spitballing, roughly a third of those were actually high-priority or critical CVEs. So we're not talking about minor little things. We're talking about very significant vulnerabilities introduced into the application from third-party content. And we found that really, really interesting. We also saw that the applications over the course, even just over this narrow period of time that we were observing, which is roughly a month or so,
Starting point is 00:06:44 they evolved very rapidly. So people are really adopting DevOps and Agile and so forth. But there's a side effect of that, which is that the surface area of the application, so basically how the apps could be attacked, it doesn't just change. They seem to keep expanding. And we think that's a source of great vulnerability out there that maybe hasn't been focused on enough. So, you know, we'll see, you know, an average application with literally 2,900, what we call orphaned routes, which is basically, you know, API endpoints or webpages or things that the application can do with actual
Starting point is 00:07:18 code behind them that are not actually being used, right? That we see no traffic against them, but we know that they can be exercised by the outside world, which means an attacker could hit that, and those tend to be the most vulnerable untested functions of the application. So, you know, 2,900 different functions of the application exposed generally untested and not being used. And what's the disconnect there? I mean, obviously people aren't introducing these vulnerabilities intentionally. So where's the oversight?
Starting point is 00:07:51 What's the process by which they're included? Every app is being built on third-party content, right? There are third-party libraries and so forth. So this isn't intentional. But what happens is, you know, there's a few things and this is more anecdotal. You know, once you get something working, you know, developers, they're, you know, they're focusing on functionality. And so you kind of move on to the next thing. Vulnerabilities are discovered very often after the fact.
Starting point is 00:08:17 And so if you have an app that's been running for a couple of years, maybe when it was first shipped there, it didn't have any known vulnerabilities because the third-party libraries were fresh and nothing had been discovered yet, but they were there. Then over time, the world finds out about these. Think of a struts2 as sort of the extreme example of that. You realize, I'm running this application. It's built on a library that either a day ago or a year ago, we discovered some high priority CVEs against that. People don't have visibility into that without additional tooling. That's not very common. T-cell provides that. But, you know,
Starting point is 00:08:56 as I mentioned, when people first implement, they get kind of the first view of it, which is, oh, man, I've been running this for a year. And it turns out that this library I was using does have a huge hole in it. And I really wouldn't have known that otherwise. And so if I'm not actively patching everything on an almost daily basis, you run a lot of risk. And then the other side, the source of this is, again, people are trying to move faster. The goal is ultimately to ship better software with more functionality. So they're iterating quickly. But then what that translates to is you see what ultimately becomes cruft in the background. Those are those ARFN routes.
Starting point is 00:09:36 And again, without visibility into that where you can actually measure it, it just falls to the wayside. If you don't see it, you don't think about it. If you don't think about it, you don't address it. And so, you know, to answer your question directly, I think that the real source of a lot of these problems is lack of visibility into risk of the running applications, whether it's understanding what attacks are happening, and so you know how people are trying to compromise you. Or just understanding the underlying structure of your applications as they're changing from a security perspective and knowing what to do about them. That's Michael Feiertag from T-Cell.
Starting point is 00:10:16 If you want to dig into their security report for web applications, you can find it on the T-Cell website. You can find it on the T-Cell website. Security firms Radware and Kihu360 are independently tracking a very large botnet that's intercepting traffic destined for Brazilian banks. More than 100,000 routers have seen their DNS settings altered to redirect users to watering hole pages. Most of the routers affected, 88% of them according to ZDNet, are located in Brazil. As one might expect, the goal of the redirection is credential theft. Tenable, the Maryland-based security company, warns that widely used TP-Link TL-WR841N consumer routers
Starting point is 00:11:01 are susceptible to attacks that concatenate a series of flaws to obtain control over the devices. TP-Link has yet to fix the vulnerable firmware. Unfortunately, there seems to be no mitigation. If you own one of the routers, Tenable suggests you call the vendor to complain to light a fire under them and accelerate patching. Several companies have patched their widely used products.
Starting point is 00:11:26 Adobe has fixed 85 issues, 47 of them critical, in Acrobat and Reader. Google has addressed six critical remote code execution vulnerabilities in the Android operating system. Mountain View has also put measures in place to introduce more privacy and security into app development. A dirty cop has been arrested in France. He worked for the DGSI, that's the General Directorate for Internal Security. They work on counter-espionage, counter-terrorism, counter-cybercrime, and surveillance of potential threats. Its functions would be similar to those of the U.S. FBI,
Starting point is 00:12:03 although DGSI is more an intelligence and security service than it is a law enforcement agency. The unnamed officer is accused of selling confidential information to mobsters on the Blackhand dark web market. He went by the hacker name Horus, and he's thought to have sold material that aided and abetted forgery. and he's thought to have sold material that aided and abetted forgery. He also is said to have hawked a service that would tell clients whether they were being tracked by the French police and what the police had on them. Did you get your text alert from FEMA today, U.S. listeners? We did. It came in a little after 2 p.m. Eastern time. It wasn't at all distracting or disruptive and it looked like a practice alert, a drill, and not the real thing.
Starting point is 00:12:48 Emergency alert, it said. This is a test, in all caps, of the National Wireless Emergency Alert System. No action is needed. That's plain enough to us. If you're confused, then shame on you, and go back to your basement to hide from those Martian tripods we hear just landed in South Jersey. and go back to your basement to hide from those Martian tripods we hear just landed in South Jersey.
Starting point is 00:13:11 Finally, there are Fortnite cheats circulating in instructional videos posted to YouTube. Players who attempt to use them are likely to be infected with malware for their troubles. There's similar stuff on offer through Instagram posts. Don't cheat. Besides, the cheats wouldn't improve your dance anyway. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:13:49 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:14:20 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:15 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by David DeFore. He is the Vice President of Engineering and Cybersecurity at WebRoot. David, welcome back.
Starting point is 00:15:57 You know, the video game market is huge. It is a giant market. And, of course, with that comes security issues. What do we need to know about that? Yeah. You know, when we talk about video game safety, there is a small niche market that not a lot of people talk about. When you get mad at your computer and you jump around, you throw it around, it might fall on your foot. But that's not what we're talking about today, Dave. We're talking about, you know, like cybersecurity, things like that. One of the big things that we've seen in a shift in the industry is that video games basically have become social networks. And I don't think a lot of people realize that. To call one out that I'm guilty
Starting point is 00:16:40 of playing multiple hours a day is Fortnite. And when I play... My 12-year-old plays a lot of Fortnite. I don't know. I'm not making any connections there, but go on. Yes, that's been pointed out to me quite often. Thank you. But with Fortnite, when I'm playing, I actually can be dropped in with two, three, four other people I don't know. And I'm able to talk to them, not just chat, but actually talk with them. And now, you know, you think on the surface, well, that sounds good. And it's pretty nice. It's good community. But there's things that we need to consider. One, to your point, if we have our children playing these games, we need to make sure they're aware
Starting point is 00:17:21 of strangers and be conscious of the people they're talking to. These are real people. And just be aware of that community. And then there are things they need to pay attention to. That's one component. The other would be there's a lot of in-game purchases now, both on mobile apps, on large games like Fortnite, even other games that are, you know, solo games. And so a lot of these games have our credit card information, have our addresses, have personal information about us. And so we need to also be aware that if these games get hacked, that it's possible someone
Starting point is 00:18:00 could get our information and use it in ways we don't want or charge something up and change our account. And next thing you know, we got a thousand dollar charge we didn't expect. So we've got to be conscious of that as well as, you know, there's a lot more selling going on in these environments. Yeah, I think it's easy to think, particularly when you think about these gaming platforms, that they're kind of walled gardens. But when it is a functional social network, well, you've got to be worried about things like social engineering. That's exactly right. And again, it's just about being conscious of it. You know, it's great.
Starting point is 00:18:38 Social networks aren't inherently bad. It's just be aware that you're talking to strangers. And one last thing we see quite a bit and in here, you know, at WebRoot, we make antivirus software. We see a lot of gamers turn off their antivirus while they're playing games and potentially forget to turn it back on. And so if you do that, you know, you're opening yourself up to risk. I highly recommend you find something that works while you're playing a game and doesn't affect it because you do want that optimal performance. But you also need to be aware of making things run better. Sometimes you turn
Starting point is 00:19:14 things off and you're taking that risk or maybe you're opening up ports on a firewall because you want to play a game with your friends and you're doing a peer-to-peer network. You just got to keep in mind the stuff you're doing and not expose yourself to security risks you wouldn't normally do. No, it's a great point. I remember when my oldest son was a teenager, I sat down at our family computer one day and noticed that some ports had been opened up. And I was like, wait, what's going on here? And my son said, oh, I just needed to play a game. Whoa, hold on here, cowboy. No.
Starting point is 00:19:49 That's exactly right. And honestly, the gaming industry has spent a ton of time, energy and money. And I got to tip my hat to them in securing these networks and making it so you don't have to do that. But, you know, there's still flaws. But more than most industries, they really do look at security and take it seriously. don't have to do that. But, you know, there's still flaws. But more than most industries, they really do look at security and take it seriously. No, it's interesting. David DeFore, thanks for joining us.
Starting point is 00:20:12 Thanks for having me, David. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:20:41 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Listen for us on your Alexa smart speaker too.
Starting point is 00:21:25 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:21:49 We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
