CyberWire Daily - French media recover from DDoS. XaverAd infests Android ecosystem. Zero-days patched, but exploited in the wild. Mother's day giftcard hacking. Telephonic harassment.
Episode Date: May 11, 2017
In today's podcast, we hear that French media sites are recovering from a massive, successful DDoS attack whose source is still under investigation. Android adware harvests and reports PII. Microsoft's quick patching of zero-days included three that are being exploited in the wild by state and criminal actors. Ben Yelin from UMD CHHS reviews the first 100 (cyber) days of President Trump. Ken Spinner from Varonis on their latest data risk report. Advice on Mother's Day gift cards, and some news about skids and harassing phone calls.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
French media sites are recovering from a massive, successful DDoS attack, Android adware harvests and reports PII, Microsoft's quick patching of zero-days
includes three that are being exploited in the wild by state and criminal actors, advice
on Mother's Day gift cards, and some news about skids and harassing phone calls.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 11, 2017.
Cedexis, a Paris-based provider of cloud and network services that operates internationally,
was taken offline by a large distributed denial-of-service attack yesterday.
Many media companies are Cedexis customers,
and the hardest hit in the incident were French media outlets, including Le Monde and Le Figaro.
Services have been restored, investigation is in progress,
but the source of the attacks is, for now, at least, unknown.
Sophos describes Android Xavirad, an adware library recently found infesting Google's Play Store.
The adware strain is particularly objectionable in that it improperly
collects personal information after users have specifically declined to provide their data to
the ads Xavirad serves up. The app introduces itself with a high-minded privacy policy that
disclaims any collection of personal information, but of course that's exactly what it goes on to
do, sending the data off to its controllers. It's noteworthy that the adware employs a variety of evasive techniques,
including sandbox detection.
Microsoft is getting some good reviews for its quick patching of zero days.
That's good, because of course those vulnerabilities have been swiftly exploited in the wild.
ESET and FireEye report on the use in the wild of three zero-days Microsoft patched this Tuesday.
They say the zero-days were all exploited by the Russian cyber espionage group Turla,
also known as Krypton, Snake, Ouroboros, Waterbug, or Venomous Bear,
presumably from the same litter as Sisters Cozy and Fancy.
Some of the flaws were also exploited by some financially motivated gangs in Russia,
perhaps another
instance of the familiar interpenetration of security services and the underworld.
Just how at risk is your company's data? According to security platform vendor Varonis,
perhaps more than you think. They recently released the 2017 Varonis data risk report.
Ken Spinner is their VP of Global Field Engineering.
What we found after doing the assessments that we've been doing for our customers for the last
two to three years is we found that there was interesting information contained within the
assessments. And what we decided to do is we decided to mine the data that we were collecting
from all the different customers that we were performing these assessments for. And the reason we did that was we felt there was value in combining
this information, extrapolating it out, and providing the information back to the industry
so that people within the security industry and the IT industry could get a better understanding
of what the issues were in terms of protecting data. And what we found, you know, in terms of results
is that people are using this information to go back to boards and to go back to financial people
and say, here's quantified risk, and these are the things that we need to do about it.
So take me through some of the key findings in the report.
The data that we collected came from a number of different organizations, a number of different countries.
I think the companies that were represented in here were from somewhere in the neighborhood of around 12 countries, 33 industries,
and they had between about 50,000 and 10,000 employees.
And what we found was that roughly 20% of the folders that were analyzed were open to everybody in the company.
And what that means is that any time somebody got access to a corporate network,
roughly 20% of their data was potentially exposed to that person who came in there.
And that person could be, let's say, anywhere from a senior-level executive to somebody who's purely there to visit, let's say, one of their coworkers
or one of their colleagues from, you know, a different company.
So certainly concerning.
And another key data point that we found was that almost half of the assessments that we performed found over 1,000 sensitive files that were open to everybody.
Once again, what that means is that this data, which could contain proprietary information for the company
or sensitive employee information or sensitive medical information,
everybody who got access to that network could access that information.
And one of the things that the report shed light on was risks associated with stale data.
Can you explain to me what that means?
Sure. Well, in any organization, people have been gathering and collecting data and creating data and modifying data for years and years and years. And the one
thing that really doesn't happen in any organization is people don't really go back and look at the
data that they have and figure out which data is actually being used and which data is not being
used. And what we found in terms of statistics was that for data that was analyzed over a six-month period,
roughly 71% of all folders in the sample were stale.
And what that means is that there's a significant opportunity for companies to save money
and to reduce risk purely looking at their stale data and reacting to these types of statistics.
That's Ken Spinner from Varonis.
You can find the data risk report
on their website. A public service announcement. Sunday is Mother's Day in the U.S., the second
biggest holiday minefield in North America. If you've put off gift buying to the last minute,
think twice before settling for the lowest common denominator present of them all,
the gift card. Not only is it impersonal, unlike the clay candy
dish you probably made and gave her when you were in kindergarten, but gift cards have themselves
recently become a favorite target of cybercriminals. Automated bots are scanning for cards and scooping
up their unused balances, which then can be resold on the dark web. We heard from The Media Trust's
Chris Olson, who pointed out that this kind of theft hurts not only customers, but also the brands that issue gift cards.
He urges businesses to take a holistic approach to security, privacy, and user experience, and he thinks they can do it.
Quote, you can effectively balance revenue objectives and compliance with the company's policies and regulatory requirements.
End quote.
We'll add this: flowers are almost always appreciated.
And finally, phishing phone calls are one thing.
The Microsoft help desk scam is well known to you, our audience.
Those scam calls are motivated by the same thing that drives phishing emails,
basically credential theft and privilege escalation.
But what about calls where the motive is less clear?
We've all gotten prank phone calls, and we'll bet that some of your tastes are low enough that,
let's be honest here, girls and boys, we're looking mostly at you boys.
You've yucked it up over calls advertising books written by the well-known author
Ignaz Porterhouse Freely, who usually uses just the initials of his first and middle name,
or even inquiries about whether a store has Prince Albert in a can.
Right, you better let him out.
We endorse none of this and discourage it,
even when it doesn't rise beyond the nuisance level of a day-before-Halloween ding-dong ditch
or a call to Moe Szyslak's bar.
We are, after all, a family show and members of the security community.
But there are other more
irritating and even dangerous forms of harassment, and these are no joke at all.
Flashpoint describes an apparently motiveless telephone harassment campaign. The skids used
Phonecord, a telephonic bot service. Among the recipients of the prank calls are police
organizations, including Britain's NCA and the US FBI, and also pizza chains
(who saw that coming?), hotels, and ordinary people whose personally identifiable information has
been exposed in earlier breaches. Phonecord has been used for both DDoS and swatting.
The effect of DDoS is well known, and while the UK's National Crime Agency and the US FBI can
cope with it, it's harder if you're
Mamma Mia Chicago-Style Pies or the Dew Drop Inn. It can be even scarier if you're just some
ordinary citizen whose PII has been swept up and dumped in a breach. And swatting, of course,
when the police are called to your house by a prankster who says you've got a gun and are
cooking tar heroin, is the scariest of all. It's one more reason for
legitimate businesses and government agencies to look to the security of their customer databases.
And one more reason to hate operations like Xavirad.
We doubt they've got the security of their marks at heart.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. It's been all
over the news that we, not too long ago, passed the first 100 days in the Trump administration,
everything that comes with that.
So I thought it'd be a good opportunity for us to look back in terms of cybersecurity.
What have we seen in the first 100 days or so with President Trump?
So we haven't seen much.
Certainly, he hasn't produced the sort of policies that he's promised.
The president, during the campaign and during the transition,
promised the American people that he would release an executive order on cybersecurity. And as of this recording, he has still not
produced that executive order. The one hint we do have about his cybersecurity priorities
is that he has requested through his budget director, Mick Mulvaney, additional funding
to protect federal networks in his budget proposal. And that's particularly notable because besides the areas of defense and
national security, pretty much every other discretionary government function, domestic
function has been targeted for cuts. So if we want sort of an idea of whether the president
is prioritizing cyber defenses for government networks, then I think it's a particularly encouraging sign that he has proposed this funding increase.
And in terms of ability to enact policy, to put things in place, is it a matter that the president and his staff have simply been busy with other things, with health care, with trying to get a budget passed and so forth?
Well, I will say that this isn't the only promise that has been broken.
If you actually look at the waning 14 days of the campaign, the president listed his official legislative agenda for the first 100 days.
I don't think he's been able to enact a single one of them.
So it's not that cybersecurity in particular has fallen by the wayside. I think through a
combination of maybe a learning curve and having to deal with some of his other priorities, a lot
of his both legislative and regulatory initiatives have gone on the back burner. Another major
problem for him, and this certainly affects cybersecurity as well as all other federal policy, is that he's vastly behind on appointments. I think compared to the
two or three previous administrations, he's made 25% of all the confirmable cabinet position
appointments. And that means that many of these federal agencies, including the ones that
implicate cybersecurity, are drastically understaffed at this point.
And the staff that is there, I think, are sort of waiting for some sort of policy direction.
That's what an executive order would produce.
It would give some of these career staff members in government agencies like NIST
at least some guidance as to what the policy is going to be.
But so far, I think they're sort of as in the
dark as we are about what the priorities are. All right. Time will tell. As always,
Ben Yelin, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.