CyberWire Daily - Follow-up to terror attack in Iran. UN data exposure. Kodi and cryptojacking. SHEIN retail breach. Atlanta's ransomware remediation. Payroll phishing. Quantum strategy.
Episode Date: September 25, 2018
In today's podcast, we hear that Iran has accused Saudi Arabia, UAE, and the US of running Saturday's terror attack "from the shadows." Data exposure at the UN. Kodi platform exploited for cryptojacking. SHEIN retail breach affects more than six million. Atlanta says its ransomware incident is now "over." FBI warns of payroll phishing. A US strategy for quantum technology is offered. A look at sports and cybersecurity. Has the Riemann hypothesis been proved? Johannes Ullrich from the SANS ISC Stormcast podcast with warnings of post-hurricane scams. Our UK correspondent Carole Theriault explores overly complex online terms and conditions, and speaks with a company that's chosen a different way. Jeremy Forsberg is CMO at Axel. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Iran accuses Saudi Arabia, the UAE, and the U.S. of running Saturday's terror attack from the shadows.
There's been data exposure at the U.N.
The Kodi platform's exploited for cryptojacking.
The SHEIN retail breach affects more than 6 million.
Atlanta says its ransomware incident is now over.
The FBI warns of payroll phishing.
A U.S. strategy for quantum technology is offered.
We've got a look at sports and cybersecurity.
And has the Riemann hypothesis been proved?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 25th, 2018.
According to reports in Deutsche Welle,
Iran accused Saudi Arabia, the United Arab Emirates,
and the United States of complicity in Saturday's terrorist attack on a military parade.
The UAE called the allegations baseless.
The U.S. said Iran should look to itself for the explanation, and Saudi Arabia said nothing.
So far, the responses to this awful
attack have been hard words, but Iran's international adversaries should look to their cyber defenses.
The United Nations has suffered a data exposure incident. Last month, a researcher found ways of
accessing the UN's Trello tool, where he found ways into the UN's Google Docs and Jira
pages. A range of sensitive information was exposed. The researcher disclosed his findings
to the UN, but the world body took notice only after The Intercept broke the story.
It's now six months since the city of Atlanta was hit with ransomware, and the city says the incident is now over.
But there's a sour taste in Georgia mouths.
The local CBS affiliate reports that the city doesn't know who hit them,
what they hit them with, or how much they've had to spend to fix things.
The SHEIN fashion retailer sustained a data breach
in which records belonging to some 6.4 million customers were exposed.
The incident happened in June, but SHEIN discovered it only late last month.
It happens pretty much every time we install a new bit of software.
We find ourselves staring down a EULA, an End User License Agreement.
It's most often an interminable laundry list of terms and conditions cloaked in
impenetrable legalese. Not only is it frustrating, but it defeats its own legitimate purpose,
to explain the expectations and agreements between the maker of the software and the user.
Users generally dislike this style of EULA, and now some companies are responding,
and trying to make things a whole lot easier to understand.
From our CyberWire UK desk, Carole Theriault has the story.
Security professionals keep reminding us to read the terms and conditions
before we sign up for an app or an online service or even on a website.
They tell us this because this is where companies have to disclose how they plan to manage your privacy.
This is where you find out what the information they're going to take from you, how they might
track you, or whether they send information to third parties. The problem is that many of these
agreements are confusing. To most of us, it can seem like just a bunch of legal mumbo jumbo.
And recent research shows that over time, users split into two groups. Those that
become what they call acceptors, these are people who felt their online access was more important
than any of their privacy concerns. Or managers, people who strategically control information to
reduce their vulnerability online. I went on the hunt for companies that simplify their terms to make
them more accessible for the non-legal eagles out there. And in my search, I found this company
called Axel. They create file sharing tools and their terms start with this statement.
These are our terms of use. We have tried to state them clearly and simply. By using Axel,
you are agreeing to these terms of use.
If you don't like what you read, please don't use Axel.
It's that simple.
Pretty refreshing, right?
So I got in touch with Jeremy Forsberg.
He's the CMO at Axel.
To ask him what made him decide to take this approach.
Our founders have this at their core.
They set up this company because they did
not believe that we should compromise our data, our privacy for the sake of convenience. You know,
we were basically told you get one or the other. And we're like, no, no, no, no, that doesn't have
to be the case. You can have convenience, but you also can maintain your privacy and greater control
over your data. And so that's the approach that we take. So it really compels us and motivates us to kind of
be better for our users. And we shouldn't be manipulating people into signing up to terms
and conditions that may be unfair to them without their full knowledge, because look, there will be
a backlash at some point. And you know, that's what it feels like. It feels like manipulation
when the agreement is overly complex. There's this other bit in the Axel agreement that says,
everything that you save in using Axel stays yours.
We realize that's a crazy concept.
Axel only does the things you ask it to do with your consent.
You are in control.
See our Privacy Bill of Rights.
And I like this too.
I studied law and I struggle to understand the terms and conditions
and what it genuinely
means for me. And I think the key thing is, is we want to build a little bit more trust and
transparency with our users. And, you know, and we noticed the failings that other companies,
big companies, you know, load up with in their terms of service. And it's just felt unfair for
people to tick a box when they don't really understand what's going on.
Maybe you can tell us and other companies out there that might be flirting with the idea of
simplifying their agreements, what the benefits are, like how does it improve your relationship
with your customers, improve your business?
Well, I think it makes it more focused on our
users, which allows us to connect with our users a little bit more and actually build up a relationship and build up a dialogue. Ultimately, you know, what you want to do is you
can't necessarily speak to every person one by one, especially if you're in a growing company.
Okay, but here is an issue, right? So nobody really wants to have more regulation. Companies
kind of don't want to have to comply with it all. And it can
be complex. I mean, just look at GDPR, right? So if we think about how do individuals, users fight
back, if we go back to that idea of acceptors and managers, how do we make people shift over
from acceptors to managers?
If they need to use a platform for some reason, they're just going to have to weigh that up with their data and what they feel like they're compromising.
A lot of the big social platforms and search platforms are asking a lot of people. They're asking people to give up a lot and people don't realize it.
And that really frustrates me.
It really frustrates me that people are being asked to compromise so much about their
identities, their digital identities, without really understanding.
You know, I like what Jeremy is saying there. Maybe we just need to reprioritize our interests
and we need to think carefully about the services we sign up for. Instead of accepting
tracking and data collection willy-nilly, we should make the time to review the privacy policy.
And if we don't understand what the words mean or find the policy, well, a bit creepy,
shouldn't we exercise our right to say no way? Tell you what, my privacy boots are certainly
made for walking. It's not just a legal
or moral decision. It's a business decision. This was Carole Theriault for the Cyber Wire.
And of course, you can hear more of Carole Theriault on the Smashing Security podcast,
along with her co-host, Graham Cluley. The US FBI has issued a warning that criminals are actively phishing for payroll login credentials.
These are the sorts of accounts organizations use to enable their employees to check when and how much they've been paid.
They also often enable employees to change direct deposit accounts or request prepaid debit cards.
Those last two possibilities are the ones that criminals find attractive,
since they give them a way to loot bank accounts. There are two general lessons to be drawn from
this trend in online crime. First, criminals are moving to the cloud, just as enterprises are.
Compromising this sort of payroll service usually doesn't involve any intrusion into
an organization's networks, still less the compromise of any
endpoints.
If an employee gives up his or her credentials, the crooks will cheerfully precipitate cash
from the cloud.
Second, organizations teach by the way they communicate.
If your organization is in the habit of sending employees emails with links to click, if this
is the way you handle communication about accounts and credentials,
you're teaching your employees some dangerous security habits.
The U.S. has announced a national strategy for quantum information science.
Major companies meeting at the White House to discuss the strategy
include JPMorgan Chase, IBM, Honeywell, Lockheed Martin, Goldman Sachs, AT&T, Intel,
Northrop Grumman, and Google. The strategy includes, but isn't confined to, quantum computing
and its implications for cryptography and security generally. It extends to most aspects of
information technology and, according to some reports, to the prospect of advancing work on materials by design.
Something about quantum theory has long troubled our physics desk.
You've heard of Schrodinger's cat, the unobserved cat in the closed box that's neither alive nor dead until somebody looks in.
That's always struck our experts as a gratuitously cruel thought experiment.
They prefer Schrodinger's dog.
The dog is unobserved, neither standing cheekily on top of the dining room table nor staying dutifully on the floor.
Consider the dog to be in a state of quantum superimposition until mom walks in,
sees what's up, and vigorously collapses his wave packet for him.
That's better, right?
Anyway, we've always been a BYOD shop.
That's bring your own dog here at the Cyber Wire.
Security firm Panorays has taken a look at American professional football
to see which National Football League teams have the most secure websites.
They conclude that the top five are, counting down to the most secure,
the Pittsburgh Steelers, as the Yinzers would pronounce it,
the Los Angeles Rams, the Miami Dolphins, the New York Jets,
and coming in at number one, the Kansas City Chiefs.
The study is obviously flawed, since it completely overlooks the Baltimore Ravens,
the only team to our knowledge who ever had a lineman on the roster, the now-retired John Urschel,
who was invited to deliver papers on applied mathematics to NSA at Fort Meade.
So phooey.
On the other hand, our sports desk has long been a hotbed of admiration for Kansas City defensive coordinator Bob Sutton,
so maybe there could be something to the study after all.
And finally, at a conference in Heidelberg,
mathematician Michael Atiyah says he's proved the Riemann hypothesis,
but stops short of offering the proof itself.
He can say what he wants, but we'll believe it when John Urschel tells us it's so.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
And joining me once again is Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC Stormcast podcast. Johannes, welcome back. We wanted to touch today on
hurricane and disaster-related scams. We recently had Hurricane Florence come at the east coast of the U.S.,
and with that comes people who are trying to profit off of that.
What can you share with us?
Yeah, thanks for having me.
So with these hurricanes, it's sort of an annual reminder, really,
that whenever there is a large disaster
that, of course, gets people interested, makes the news,
and also makes people want to help,
that there are people that take advantage of it.
And what we have seen in the past is, for example, fake charities that are all of a sudden springing up and that register host names or web addresses that are then being used to advertise their services.
Also, a lot of lawyers lately that sort of jump in and essentially do ambulance chasing,
I guess it's called, trying to get cases lined up.
So really, it's more of my sort of be aware, don't necessarily trust anybody that you haven't
done business with before, whether that's a charity, whether
that's a lawyer, whether that's a contractor.
Yeah, we saw a couple of stories come by.
One of them was people were actually, the scammers were actually going door to door
telling people that they had to evacuate.
And the notion was that they were basically casing the joints to see who was home, who
was planning on staying, who was planning on going,
so they could come back later and presumably rob the place.
Yeah, and that's another sort of issue.
So the cyber component of this is if you, for example,
advertise on Facebook or such that you evacuated,
this may be used by criminals then to target your residence for burglary.
Yeah, and of course the phishing campaigns come through with the targeted attacks.
We saw another one that people were saying that they were trying to gather information by saying in order to be eligible for disaster relief funds after the fact,
we need all of your personal information now.
Yes, and that's actually something I saw last year when Hurricane Irma moved through Jacksonville, where I live.
A couple of my neighbors a couple months later got letters from FEMA telling them that they applied for disaster assistance.
And essentially, without them ever doing so. So essentially what's happening is that people use stolen credit, stolen data they either
got via targeted phishing emails like this or from other breaches to apply for disaster relief.
And then of course the money is actually paid pretty quickly, but then later FEMA or whoever
paid the money comes back to actually verify the information. And at that point, of course,
they're now contacting the victim of the scam, whose information got stolen.
Yeah, and I think it's also an important point that, you know, for those of us
who are in the business, we kind of, we're tuned to recognize these things. But I think it's important
to reach out to other family members, particularly if you have elderly family members who may be more
susceptible to these.
Yes, that's very important, because people are under distress when they're receiving
these emails.
They worry about evacuating and they're not necessarily verifying all of these emails and these
messages they're getting very carefully.
Yeah.
All right.
Well, it's certainly a cautionary tale.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who
want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you
time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.