CyberWire Daily - FSB contractor hacked. Pegasus now able to rummage clouds? Iranian cyber ops spike. Fraudulent student profiles. Judgement in Equifax FTC case. NSA hoarder gets nine years.

Episode Date: July 22, 2019

A contractor for Russia’s FSB security agency was apparently breached. NSO Group says its Pegasus software can now obtain access to private messages held in major cloud services. Iranian cyber operations are said to be spiking, and Tehran is paying particular attention to LinkedIn. Colleges and universities are experiencing ERP issues, and a minor wave of bogus student applications. Equifax receives its judgment. And there’s a sentence in the case of the NSA hoarder. Joe Carrigan from JHU ISI on Android apps circumventing privacy permission settings. Guest is David Brumley from ForAllSecure on autonomous security and DevSecOps. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_22.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A contractor for Russia's FSB security agency was apparently breached. NSO Group says its Pegasus software can now obtain access to private messages held in major cloud services. Iranian cyber operations are said to be spiking, and Tehran is paying particular attention to LinkedIn.
Starting point is 00:02:13 Colleges and universities are experiencing ERP issues and a minor wave of bogus student applications. Equifax receives its judgment, and there's a sentence in the case of the NSA hoarder. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 22, 2019. The BBC's Russian language service reported late Friday that SyTech, a Moscow-based IT firm, had been successfully hacked. The company's website was defaced with a yearning Yoba face, and the attackers claim to have stolen some 7.5 terabytes of data. SyTech is generally thought to be an FSB contractor.
Starting point is 00:03:00 Among the data the attackers obtained and shared with hacktivist group Digital Revolution were screenshots of the target company's internal interface, including some employees' names and notes on the projects they were working on. The SyTech projects exposed included social media monitoring solutions and Tor de-anonymization tools. The Financial Times reports that the controversial lawful intercept shop NSO Group says it can access private messages held in major cloud services, including those provided by Apple, Amazon, Google, and Facebook. The claims are found in marketing pitches for an enhanced version of NSO Group's Pegasus tool. The ability to get information from clouds that are normally thought secure, notably Apple's iCloud, is new for Pegasus. Reports suggest that smishing is one possible attack vector for the spyware. This isn't a commodity attack tool. Pegasus is pricey. BGR says the price tag for Pegasus is in the range of millions of dollars. This effectively limits its market to
Starting point is 00:04:05 government customers, and these indeed seem to have been NSO Group's principal buyers. CBS News and others report that Microsoft has observed a spike in Iranian cyberattacks since nuclear non-proliferation agreements collapsed. FireEye warned last week that APT34, also known as Helix Kitten, is undertaking a large catfishing campaign via LinkedIn. Its apparent goal is espionage directed against the financial and energy sectors. Government agencies are also targeted. Catfishing, you will recall, is the creation of a fictitious online persona used to induce a victim to connect in some way.
Starting point is 00:04:48 In this case, they are seeking to establish a connection over LinkedIn. Late last week, the U.S. Department of Education warned that there had been active and ongoing exploitation of the Ellucian Banner system. Banner is an enterprise resource planning solution widely used by colleges and universities to manage student services, registration, grade reporting, and financial aid. Modules also offer academic institutions tools for human resources and financial operations. 62 colleges and universities are believed to have been affected. The attackers are using administrative privileges to create fraudulent student accounts. As many as 600 bogus accounts have been created in a single day,
Starting point is 00:05:28 with totals over several days running into the thousands. The Department of Education says the phony accounts are almost immediately being put to unspecified criminal use. Ellucian, which Education Dive says had patched the vulnerability back in mid-May, said in a statement Friday that there are really two issues here. First, of course, is the now-fixed bug. The second is the creation of fraudulent applications. The issue, Ellucian says, is unrelated to the vulnerability in Banner.
Starting point is 00:05:59 The company believes the criminals are, quote, utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals, end quote. That's not an issue specific to Banner. Ellucian recommends that schools adopt safeguards like reCAPTCHA to better secure their information. Dr. David Brumley is co-founder and CEO of ForAllSecure and a professor at Carnegie Mellon University, where he's also faculty advisor to the Plaid Parliament of Pwning, CMU's competitive security team. He's got some thoughts on DevSecOps, specifically his belief that autonomous security is the key to fixing what he says is a broken system.
Starting point is 00:06:50 What we're talking about in DevSecOps is making all sorts of security testing part of normal development. It's part of this movement to shift left from doing security testing at the end of application development to really making it part of the entire development lifecycle. This insertion of the Sec into DevOps, what's been the practical implications of that? I think the practical implications are you get two things. First, you get actually higher reliable software. A lot of security tests are about how can you crash an application or take it over, which kind of sounds like security. But the business impact is often you have unavailability of your service.
Starting point is 00:07:23 So I think that's really the primary impact of putting the Sec second is you get higher quality software in addition to, of course, more secure. And this realization across the industry that this is a better way to go than doing your security testing at the tail end, is that pretty much an accepted practice these days? I think everyone accepts the notion and they're trying to figure out how to implement it right now. And so how's that going? I think that it's going well, but it's not without its trouble points. What we're finding is a lot of security teams start with applications already developed, and that's really their bread and butter. And so this idea of pushing it back to developers really requires you move from security teams to the developers themselves.
Starting point is 00:08:05 So we're talking about just sort of an ongoing collaboration between the teams and embedding the security teams in with the developers? I think so. I think there's really two ways we see it. First you can embed security team inside the development team, or second, you can give developers better tools and better training about what security is going to check for. I'm curious with your role as a teacher, as a professor, how much of this is embedding that philosophy in with the students who are learning to be developers? I think it's a huge part. I mean, at Carnegie Mellon, we started maybe 10 years ago starting
Starting point is 00:08:40 to teach our sophomores about computer security. but I think we're one of the few. And the thing that's really interesting is when you start teaching developers about security, they just become better developers. They see all the different ways they can get things wrong. Humans are absolutely awful at assessing security, especially at the end. And we also know that they're under-resourced. And so what we want to do is build autonomous systems that help take the load off a human, but also turn everything really into a more data-driven rubric, as opposed to just a gut feel on whether something's secure enough or not. Can you walk me through that?
Starting point is 00:09:16 Can you give me an example of how that would play out? When you go out and you, let's say you're doing a penetration test at the end of the application lifecycle, a lot of times you're just scanning for known vulnerabilities. And I tell you what, like when a hacker is trying to break into your system, they're not just scanning for known vulnerabilities, at least not the good ones who are trying to get into your system. And so what we're starting to do is add in tools that help build in security checks as you build and ship software. And a lot of that's actually about security testing. How do you, when a developer builds an application autonomously, take that application and give it to something that's
Starting point is 00:09:49 going to help almost like a penetration test and do that every time you release the software. And does that increase any significant friction? Does it slow the process down? I think it's one of those things of cost benefit. So some people will say it slows it down just the way software testing slows down anything, right? Like there's this short-term pain of, oh man, writing a test case or ingesting it into that autonomous system, that's extra work. But once you do it, it's absolutely beautiful because then the system does all those things that you used to have to do manually. One of the cool things about this tech, and it was really pioneered in the lab,
Starting point is 00:10:23 is that as you learn more and more about the security of your app, you actually create an automated regression suite to make sure that you continue to check those things. And that also bootstraps the process next time you have a release. So when you add new code, it checks all the old things and then tries to find new things in the new code. That's Dr. David Brumley from ForAllSecure. The U.S. Federal Trade Commission announced today that Equifax will pay $575 million in its settlement over the credit bureau's 2017 breach. The agreed settlement doesn't address only the FTC's complaint, but figures in a global settlement with the Federal Trade Commission,
Starting point is 00:11:05 the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The allegations hold that Equifax's failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people. Some $300 million will go into a fund that will provide affected consumers with identity protection. It will also compensate people who bought credit monitoring or identity theft protection from Equifax or who sustained other out-of-pocket expenses as a direct result of the breach. If $300 million isn't enough to cover such compensation, Equifax is on the hook to pony up an additional $125 million if necessary.
Starting point is 00:11:43 The remainder of the amount will be distributed as follows. $175 million will go to 48 states, the District of Columbia and Puerto Rico. The remaining $100 million will be paid to the Consumer Financial Protection Board in civil penalties. Former NSA contractor Hal Martin was sentenced to nine years' imprisonment on Friday for theft of classified information. As ZDNet observes, the government did not establish that Martin was the source of the Shadow Brokers' leaks. That had been widely believed, at least in the more speculative precincts of the online world, but it wasn't borne out in court. Martin had taken a guilty plea in federal court, admitting to theft of classified documents.
Starting point is 00:12:26 Nine years is a stiff enough sentence, especially when compared to the maximum of ten years he faced for each of the twenty counts against him. It is, however, in line with the expectations set in his plea agreement. Martin's defense attorneys had presented him as a hoarder, a pack rat, and not a traitor. And after the sentence was passed, they pointed out that the government had not demonstrated treason or treasonous intent. They said his problems amounted to an extenuating mental health issue. The prosecutors didn't buy it, according to CyberScoop.
Starting point is 00:12:58 This is not a case of hoarding, this is stealing, the government argued. And they noted that the 50 terabytes of information Martin had squirreled away in his Glen Burnie shed was not squirreled away in a disorganized manner. The presiding judge also observed that, for a hoarder, Hal Martin seemed pretty well organized. So, don't be a hoarder. But it may look better on Judgment Day if your house looks like the digs you see
Starting point is 00:13:23 on the reality TV show Hoarders. Bad TV, but maybe not so bad in the courtroom. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:47 And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with BlackCloak. Learn more at blackcloak.io.
Starting point is 00:15:22 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. A story here from CNET, and it's titled, More than 1,000 Android apps harvest data even after you deny permissions. How is this even possible?
Starting point is 00:15:44 That's what I want you to explain. What's going on here? So these app developers are being very creative with how they gather your information. Okay. This article talks about one app in particular from Shutterfly. Photo app, yeah. It's a photo app, and I think they sell books of your photos and all that stuff, right? So the app will ask you for permission to use your location data. Okay. Right. And you can deny the app permission from the location data, but they're still getting your location data because you have to give it access to your photos in order for it to work. And if your photos have the geotagging information in it, there's the same information from another source. So when you deny them access to the location data in the operating system,
Starting point is 00:16:27 that essentially denies them access to the GPS receiver. Right. So what's happening is if you're geotagging your pictures, then your camera has access to the GPS receiver. Your camera writes that GPS information into the photo. Your Shutterfly app has access to the photo, and lo and behold, there's the GPS permission right there in the metadata. So essentially, they get the data anyway.
Starting point is 00:16:52 Even though you said, yeah, it's one of those funny distinction without a difference things. Like I said, I didn't want you to know where I am. Right. No fair going around that way. A Shutterfly spokeswoman said the company would only gather the information with explicit permission from the user, right, despite what the researchers found. You know, it's funny. There are other companies in here that are using this.
Starting point is 00:17:15 They're piggybacking on other apps to get access to the information that the user might not want them to have. And these are big-name companies like Baidu's Hong Kong Disneyland Park app. Right? They found a bunch of apps that are doing this, more than 1,300 of them. And there's going to be, this paper is going to be presented at the USENIX Security conference next month. You specifically say, no, I don't want you to do this, and they find a workaround.
Starting point is 00:17:40 Right. I know, overall, you're not a big fan of regulations, but boy, this makes me wonder, do we need a bigger stick here to tell them they can't do this? Well, Google is going to fix this in the next release of their operating system. Okay. I don't know how they're going to do that, but it's not going to be available until Android Q. I guess this demonstrates that we can't trust the app developers to do the right thing in good
Starting point is 00:18:06 faith. Right. One of the things that the researchers have done is they did notify the FTC of these apps. They sent this information to the FTC as well as to Google. So they disclosed the vulnerability to Google, and then they told the FTC about it. All right. Well, maybe that's a good solution. Yeah, maybe there is some regulation coming or at least some fines or some penalties. Now, what's interesting is that this is only research on Android apps. I'd like to see if this is being done in the Apple marketplace because I think Google approached this problem in good faith, right? Google says, all right, we're going to give users the ability to block apps from getting their location information. And I could very easily see this becoming something that, oh, you know what?
Starting point is 00:18:45 We didn't think about that. We didn't think that apps could look at the photos and get the location information from the photos. Right. Or we didn't think that apps could look at some other app and get the unique identifier for the phone out of that other app. Mm-hmm. We need to lock that down.
Starting point is 00:18:59 And Google is taking care of it in the next release of Android. Unfortunately, it's going to be a couple months before that's out. Yeah. Yeah. I outlined it over on a recent episode of Grumpy Old Geeks where I ran into something with, and this is on iOS, I ran into something with an app tracking the food that I was eating, trying to lose a few pounds. Right. And I started seeing ads for the foods I was tracking on Twitter.
Starting point is 00:19:21 Huh. And despite having disabled tracking explicitly from this app, the only food ads that were showing up in Twitter were foods that I was tracking in my weight tracking app. So it could be a coincidence, may very well be a coincidence, but
Starting point is 00:19:38 I don't trust that it is a coincidence anymore. Because you have to enter that food data into that app, right? Right. So you know they have the information. Exactly. Which is more likely, that the ad engine is so good, which actually it's pretty likely. Yeah, well, that's the thing, right? Or that they just took your information and said, Dave likes to eat Eggos. Eggos. Eggo waffles. Yeah, that's what it was. Eggo waffles. Really? Yeah, Eggo waffles. Big hit in my family. Yeah, yeah. So I just, it's this erosion of trust that I find troubling, and hopefully we will evolve past this and come up with some system
Starting point is 00:20:11 where we can feel like we can trust these apps and these devices again. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of
Starting point is 00:21:32 DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:22:41 Learn more at ai.domo.com. That's ai.domo.com.
