CyberWire Daily - Fancy Bear fingered, again. Warnings for travelers. Political parties get a cybersecurity grade. Updates on US restrictions on Chinese companies.
Episode Date: May 22, 2019
Fancy Bear's latest campaign is using malware reported to VirusTotal by US Cyber Command. IBM's X-Force looks at cybersecurity for travelers, and shares a bunch of horror stories. Security Scorecard looks at the online security of political parties in the US and Europe: some are better than others, but all could use some help. Updates on Huawei and other Chinese companies facing US sanctions. And if you're listening to this in the US, you may believe you know more than you in fact do. Johannes Ullrich from SANS and the ISC Stormcast podcast on website vulnerabilities due to third party tools. Guest is Inga Goddijn from Risk Based Security on their Q1 Data Breach Report and cyber insurance issues. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Fancy Bear's latest campaign is using malware reported to VirusTotal by U.S. Cyber Command.
IBM's X-Force looks at cybersecurity for travelers
and shares a bunch of horror stories.
Security Scorecard looks at the online security
of political parties in the U.S. and Europe.
Some are better than others, but all could use some help.
Updates on Huawei and other Chinese companies
facing U.S. sanctions.
And if you're listening to this in the U.S.,
you may believe you know more than in fact you do.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 22, 2019.
Fancy Bear, Russia's GRU, is actively exploiting malware U.S. Cyber Command reported to VirusTotal last week.
CyberScoop says many found the warning useful and welcomed CyberCom's heads-up.
Kaspersky Lab and Check Point's ZoneAlarm have been tracking the attacks
and say that the malware in use looks like the X-Tunnel tool Fancy Bear used against the U.S. Democratic National Committee in early 2016.
The malware comes in a big and noisy package, a bit more than 3 megabytes in size.
U.S. Cyber Command did not attribute the malware to a Russian intelligence service
or indeed to any other threat actor, but lots of other people have,
and in general Cyber Command has enjoyed good notices for posting the malware to VirusTotal.
Forewarned is, or at least can be, forearmed.
And some hope that such reporting might serve a useful deterrent purpose.
An IBM X-Force study of cybersecurity for travelers features a flurry of make-your-flesh-creep tales
that amount to a cyberspace version of Gahan Wilson's classic Paranoid Abroad.
You know, the old cartoon series where the paranoid orders the national dish in some foreign land
and is served rats in white cream sauce,
or where rude stevedores defile the paranoid's luggage.
Anyhoo, vacation season approaches,
and so people are reading the X-Force piece and considering where they might safely travel.
Forbes takes away the lesson that you'd have to be out of your mind to use an airport USB charging station,
and also the lesson that criminals are in avid pursuit of your travel reward points.
Airline miles, hotel loyalty points, any of that stuff.
So where might you safely travel?
Well, the joke's on you, traveler. Apparently, nowhere.
Thanks, IBM. We'll take a staycation this year.
But actually, Big Blue does have some practical tips for both businesses and holiday travelers.
First, keep an eye on your loyalty rewards. They're easy for criminals to monetize, so watch for any use that you can't quite account for.
Second, do choose your Wi-Fi with caution. Setting up a Wi-Fi network in a public place is easy for criminals to accomplish, and even legitimate Wi-Fi services are easy enough to compromise for eavesdropping. Consider using a VPN.
Third, those helpful USB charging stations around airports and similar transit points? They can be easily finagled to download your data or install malware on a device.
IBM suggests carrying your own spare battery pack and, if you must charge, use a traditional wall plug.
Fourth, turn off any connectivity you don't need. If you don't need Bluetooth, for example, turn it off.
Fifth, remember that your physical spoor can also be useful to bad actors. So shred tickets, boarding passes, luggage tags, and so forth. Don't just chuck them in the trash intact.
Finally, don't use debit cards in dodgy places. That is, don't use them at establishments that may not have good point-of-sale protections.
Mom and pop may be as honest as the day is long, but who knows what's lurking in their card reader.
And if you use an ATM, find one in a relatively well-observed location, like a bank or the interior of an airport. Not one out back of Leon's House of Tire Chains.
Cyber risk analytics and vulnerability assessment firm Risk Based Security recently published their Q1 data breach report. Inga Goddijn is executive vice president at Risk Based Security, and she joins us to share their findings.
One of my biggest takeaways is
that despite all of the effort and all of the resources that have been dedicated to protecting our systems,
protecting our most valuable data, we're still losing the fight, I think.
You know, we're still losing a lot of sensitive information really at an alarming rate.
You know, we hit a new high for Q1 of 2019 with the most disclosed breach events for a first quarter since we've been tracking such events.
So it's a little unsettling to see that we continuously have more and more breaches happening.
What I'd like to also share is that, you know, one of my other observations that I take away from the report is that, you know, as much as we like to focus on things like, you know, the ever-changing threat landscape, which is important because, you know, actors do change their methods quite a bit.
I think what I see quarter after quarter, year after year, is that really the tried and true methods for getting at sensitive information
just keep happening over and over again, right?
You know, if we can phish a user, if we can get them to give up some credentials,
that's going to get us access into the system,
and we can poke around, maneuver around, escalate from there, see what we can get.
And we just see these same patterns repeating, you know, month after month, year after year.
So, you know, I think the fundamentals still apply is one of my biggest takeaways.
Yeah.
You know, from our perspective, when we look at, you know, the broad strokes of what's happening breach-wise and security-wise, really taking a step back from the weeds and really thinking about what are my most likely threats to the risks that I have? Where am I vulnerable? And what's most likely to cause me pain?
And working your processes around what's really truly your highest risks, that's what's going to produce the best results for you in the long run, the best security outcomes for you in the long run.
Do you find that there are some common misperceptions
or things that folks don't think to ask about?
The first question that I think most buyers ask is,
what does this cover?
And I would almost flip that on its head and ask, all right, I see that you're covering X, Y, and Z. Under what circumstances does that not apply? When might that insurance policy not respond to a specific situation?
So I think that can shed a little more light on the pros and cons of the individual policies being evaluated.
Yeah, it's interesting because it strikes me that insurance is part of the spectrum of defenses that you have for your organization,
of managing risk and dialing it in.
You have technical solutions.
You have things with personnel, with training and so forth.
But this is another tool that you have at your disposal to make sure you're protecting your assets.
Oh, absolutely. And it is a phenomenal tool. I am a big believer in working an insurance policy, a cyber insurance policy, into that whole risk management mix, because it really does bring a lot of value to offsetting the financial losses that can come along with a data security event.
And it covers, the policies can cover everything from that immediate out-of-pocket expense about, oh gosh, I need to pay for a forensic investigator, I need to set up credit monitoring for the impacted individuals, I need to comply with all these different state reporting requirements.
And the insurance policy can step in immediately and start to help pay for the hard costs of that immediate response. And it can travel with you throughout the life cycle of that breach event all the way through to its resolution, even ending up with if you have lost income. It's a key component of managing the financial downside.
I do think it's important to put it in perspective, though, and what the insurance policy does is manage that financial downside. There's a lot of other downside that can come along with a breach event that the insurance policy is really not equipped or there to handle or respond to.
And that's going to be things like your reputation in the industry,
shaken customer confidence.
Maybe your revenues fall because new customers aren't coming on board or new clients aren't signing up with your service.
So there are boundaries there for what a policy can do for you, but what it provides is much greater than what it doesn't.
That's Inga Goddijn from Risk Based Security. They just published their Q1 data breach report.
Security Scorecard has a review of major U.S. and European political parties' cybersecurity posture.
There's room for improvement across the board,
but for some reason the U.S. Democrats continue to present hackers with low-hanging fruit.
In any case, they lag the Republicans in security preparation,
but at least they score higher than the Libertarians, which might surprise some.
Considered nation by nation, French political parties came in with the lowest overall scores and also led the race to the bottom in application security and DNS health.
Poland ranked at the bottom in network security, and Spain brought up the rear in patching cadence.
Who did well? Swedish political parties did, tops overall,
and best in show for application security, DNS health, and patching cadence.
Huawei has a temporary 90-day reprieve from some of the consequences of its placement on the U.S. entity list,
but U.S. officials suggest that neither the company nor the Chinese government should misread this as a sign of softening.
Commerce Secretary Ross says it's just breathing space to give U.S. firms an opportunity to make alternative arrangements.
Other Chinese companies may be in line for the Huawei treatment.
The Verge suggests drone maker DJI is likely to come under a lot of scrutiny for the way its flying machines report back to China.
The New York Times thinks surveillance vendor Hikvision could be next.
In Hikvision's case, the primary issues involve concerns about human rights.
The Chinese government is believed to be making heavy use of Hikvision cameras
for surveillance and attendant repression of the country's Muslim Uyghur minority.
Hikvision has said it takes U.S. rights concerns very seriously.
And finally, in Dog Bites Man news, a Google/Harris Poll survey shows that Americans think
they know a lot more about online security than in fact they do.
We'll refrain from saying that our brothers and sisters over here in the Great Republic
think that about roughly any topic you might name.
And we'll just leave it at dog bites man.
Bad dog.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Johannes Ulrich.
He's the Dean of Research for the SANS Institute.
He's also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
You know, we've seen so many stories about things like Magecart, people's websites being vulnerable, being compromised.
How do folks keep track of what is on their websites?
Yeah, the problem we have, in particular with groups like Magecart and such,
is that they don't actually attack your specific website so much.
They attack these libraries and such
that you're using in your website
and that you may include in your site,
but actually you don't host these libraries.
They're hosted at some vendors,
so the vendor gets compromised,
the library gets altered on the vendor system, and then you're just blindly including the code.
And if you go to your average website and pull up sort of the developer view in your browser, you often can see that there are like dozens of different websites that your browser connects to in order to load all these libraries.
So if you ask the owner,
and I've done this in some cases when we're teaching,
how many libraries do you actually include?
They often have no idea that they're including that many.
They may be able to tell you that they're using something like jQuery and such.
They usually get the top three or four,
but anything beyond that,
they often don't even remember that they included that code.
And so how do you go about auditing those things that are being run by third parties?
So as a very first step, you should get a list of what's there and why it's there.
What I've sometimes seen is that there's sort of this thing with developers.
You put the particular feature on, some marketing person asked for it to count visitors better.
A year later, you see that code, you don't remember what it does, but you leave it there
just because it may break something if you remove it.
So first inventory what you have and make sure it's actually still required.
Now the second thing you should do is host as much of it as you can in-house, so on your servers. That way it becomes your responsibility to keep it secure, and all the other things that you do for your own source code, sort of source code check-in, you can use that to protect this particular code so that it doesn't get altered.
Now, there will be a small handful of libraries and such that you cannot host yourself.
There are sometimes these marketing libraries and such where the vendor actually makes some custom modifications for each user for better user tracking.
Now, again, you can decide, do I really want to do this?
Is it worth the risk to track my users a little bit better than I already do?
But then what you can do is there's a little trick that may help and doesn't always work.
Browsers include a feature called SRI, or subresource integrity. What this does is, in the script tag that you're using to load this library from this vendor, you actually also include a hash, a checksum, for this particular library. So if it now gets altered, then the browser will refuse to load it.
This is a great trick if you don't want to host it yourself.
But be aware, if now the vendor modifies the library, they have to coordinate that with you. Now, one thing of course you can do is have some script that keeps downloading these libraries, let's say once an hour, and make sure that these checksums are still right. If they're not right, then, you know, contact the vendor, check if it's a legitimate change, or maybe you may help out your vendor here by notifying them that they just got breached.
Yeah, I mean, I guess as always, I mean, sort of constant vigilance is in your best interest.
Yes, and it's really hard to sort of come up with good signatures for this malicious JavaScript. It keeps changing all the time. So I wouldn't really rely too much on antivirus and the like. Probably good change management is really important here, vetting your vendors. And I think in the end, you really have to look carefully at is it worth the trouble to include all that code? Or is it maybe just better not to do business with companies that don't allow you to host the code yourself?
All right. Well, it's a good insight as always.
Johannes Ulrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing Cyber Wire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe
Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.