CyberWire Daily - GPS jamming. Jihadist account hijacking. ISIS on Wickr? Magecart exposed. Cathay Pacific breach. Paris Call for Trust and Security in Cyberspace.

Episode Date: November 13, 2018

In today's podcast, we hear that Finland is investigating GPS signal jamming during NATO exercises. Russia's the usual suspect; as usual, Russia feels picked on and ill-used. Jihadists seem to be feeling the effects of social media screening, and may turn to account hijacking. Indian intelligence services look at ISIS use of Wickr. A look at Magecart. Cathay Pacific's breach now believed to be worse than originally thought. The "Paris Call for Trust and Security in Cyberspace" expresses eight aspirations. Joe Carrigan from JHU ISI with a report on the NICE conference, and a presentation on including psychologists in cyber security decision making. Guest is Rich Bolstridge from Akamai with credential stuffing info from their latest State of Internet Security report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_13.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Finland investigates GPS signal jamming during NATO exercises. Russia's the usual suspect. As usual, Russia feels picked on. Jihadists seem to be feeling the effects of social media screening
Starting point is 00:02:09 and may turn to account hijacking. Indian intelligence services look at ISIS use of Wickr, a look at Magecart, Cathay Pacific's breach now believed to be worse than originally thought, and the Paris Call for Trust and Security in Cyberspace expresses eight aspirations. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 13th, 2018. According to the Times of London, NATO's large Trident Juncture exercises conducted in and around Norway last week
Starting point is 00:02:48 saw some apparent Russian jamming of GPS signals with the evident intent of disrupting the war games. Russia had objected to the exercises, said to be the largest since the Cold War era's Autumn Forge annual exercises. They called them saber-rattling. Trident Juncture opened on October 25th and wrapped up November 7th. GPS, of course, was born as a U.S. military technology, but has since come to pervade civilian life. In this case, GPS denial presented an apparent safety issue. A Norwegian airline said that its flights lost GPS signal
Starting point is 00:03:26 while inbound to airports in northern Norway and Finland, and Finnish air control warned of widespread GPS disruption in the northern part of the country. Deutsche Welle says that Finland is investigating. Finland's Prime Minister Juha Sipila said, "Technology-wise, it's relatively easy to disturb a radio signal, and it's possible that Russia was behind it. We will investigate and then we will respond.
Starting point is 00:03:52 This is not a joke. It threatened the air security of ordinary people." That it did. Indiscriminate GPS jamming is a clear threat to safety of navigation. In statements today, Russia denied any involvement. Spokesman Dmitry Peskov said, "We know nothing of any Russian involvement in the disruption of the GPS system. You will have to ask the experts at the Ministry of Defense. But you know there is a tendency nowadays to accuse Russia of all sins, mortal or otherwise. As a rule, these accusations are baseless."
Starting point is 00:04:26 This alleged sin, if you're keeping score at home, while not as bad as murdering people with nerve agent, would still seem pretty close to mortal. And we have to admit, for all the Russian sense that the rest of the world is picking on them, the GPS outages do look suspicious. Jihadist groups, pushed by social media and in temporary online hiding, advise their members to spread malign inspiration through hijacked accounts. Facebook reads this as an indication that its efforts to purge terrorist content from its platform are working. The social network has been under increased pressure, especially from the European Union, to clean out terrorist material.
Starting point is 00:05:07 The effect of this will be to motivate ISIS and its allies to attempt more account hijacking, perhaps. The terrorist group's online bark has been worse than its online bite, but insofar as the barking constitutes howling at the disaffected lone wolves out there, it's been troublesome enough. Authorities in India are keeping an eye on a shift in ISIS tactics in the state of Kerala. The counterterror National Investigation Agency and the Intelligence Bureau, the domestic intelligence service, are watching the terrorist organization's increasing use of the instant messaging service Wickr for command, control, and communications. Wickr, we stress, is a perfectly legitimate service. It's attractive
Starting point is 00:05:51 to the Islamic State for its encryption, for its ability to strip metadata from messages, and for the ability it gives its users to set expiration dates for their messages, at which point expiring messages are erased. Researchers at Akamai recently published the latest edition of their State of the Internet Security Report, focusing on web attacks such as bot-driven credential stuffing in the financial services industry. Rich Bolstridge is chief strategist for financial services with Akamai. So credential stuffing is kind of the second step of this fraud cycle, if you look at the life cycle of it. So the beginning step is a data breach. These breaches
Starting point is 00:06:35 many times involve usernames and passwords. Now the passwords are hashed or encrypted in some type in many ways, but there have been many of these in the past. And by the millions and by the billions, secondly, what will happen is those breached credentials will be made available to criminals or other bad actors on the web for attempts at logging in to a variety of websites with those username password pairs. This is called the credential stuffing step. Now, there's a lot of people that have, you know, your username is your email address, and a lot of people use the same password across websites. This credential stuffing leads to a set of validated usernames and passwords against commerce sites and financial sites or other shopping sites. And that leads to the third step, which is really kind of the weaponization. It's the account takeover.
Starting point is 00:07:37 So what Akamai is doing is trying to move upstream from the actual account takeover and stop it at this credential stuffing phase. And the numbers are staggering. So take us through, what did you see? What are some of the particularly interesting insights from the report? What we're seeing with the report, first of all, there is an uptick in the volume of credential stuffing attacks. So across our platform over the last year, we've averaged about 3 billion malicious logins over the platform. We actually see these and handle these.
Starting point is 00:08:14 So what we saw with the latest study, the metrics for May and June of this year had an uptick to 4 billion malicious login attempts across our platform. So this was noteworthy, of course, as things are stepping up. But we also highlighted in the report attacks against two financial institutions. And what's interesting is we looked at first was a credit union and second was a large financial institution. So it's from the biggest to kind of the smaller financial institutions that we're trying to highlight that, you know,
Starting point is 00:08:53 the guidance here is financial institutions of all sizes need to pay attention to this, keep up to date with it, and consider the gaps in their security defenses to be able to be prepared in case they are targeted with a credential stuffing attack. Are there misperceptions that people have about what are some of the best ways to deal with this sort of thing? You know, I think it's still emerging. It's companies and firms, they're coming to grips with this. It's not a problem until it's a problem. So five, six years ago, during the Operation Ababil, what they call the Qassam cyber fighters, the big attacks by the Iranian bank, the state of Iran against U.S. banks, the big DDoS attacks from 2012 and 2013.
Starting point is 00:09:39 You know, DDoS was a very rare thing against banks prior to that. And suddenly, banks were being targeted and taken out 20 at a time in some of those weeks. So the industry as a whole got on board, raised their defenses, and the DDoS defenses across the industry now are very, very good for the most part. We're kind of at that stage here, I think, again, with credential stuffing. A lot of firms feel, oh, we're too small or, oh, we don't have anything of value or we haven't seen this, so we don't think we're targeted. So we're in kind of this state where it's still emerging. But yet, many, many firms have had this problem. And when it's a problem, it's a real problem because the resulting losses and, of course, what you see, the volume of these hundreds of thousands of login attempts can slow down your website, slow down your mobile apps, impact your real users, and in some cases cause availability problems. That's particularly bad in investment sites with the Dow dropping in some cases hundreds and hundreds of points a day. Everybody's pulling out their phone and checking their portfolio multiple times a day.
Starting point is 00:10:51 So just handling your traffic for your real users on some of these volatile market days is challenging enough, let alone being attacked by some large botnets with credential stuffing. So this is really an alert, a call to arms here for the industry to be ready for this. That's Rich Bolstridge from Akamai. You can find the latest edition of their State of Internet Security report on the Akamai website. RiskIQ and Flashpoint this morning issued a joint report on Magecart, the family of carding campaigns against e-commerce sites. The researchers identify six criminal groups as responsible for Magecart activity, and they trace the threat from its modest origins as the Cart32 online shopping cart backdoor,
Starting point is 00:11:42 discovered in 2000, to the present threat responsible for large-scale attacks on large enterprises, including Ticketmaster and British Airways. Magecart proper emerged in 2015. The criminals monetized their theft of paycard data, either by selling it to other pettier crooks in carding fora, or by enlisting mostly unwitting mules to buy goods and ship them to the gang. The six groups involved in Magecart have recently shown themselves increasingly active in their aggressive, successful attacks on e-commerce. Cathay Pacific Airlines has told Hong Kong's
Starting point is 00:12:19 Legislative Council data regulators that the breach it sustained was sophisticated and lasted for several months, as the airline sought with difficulty to parry the attacks. The attacks were discovered in March, the airline struggled at considerable effort and expense with containment until August, at which time it began to be able to assess the extent of customer data loss. Far worse than thought, as the Star summarizes, the attack seems to have been unusually determined and difficult to root out. Cathay Pacific has established a customer-facing website where concerned passengers can check to see if their data is affected.
Starting point is 00:12:57 There will be a lot of them. Some 9 million people appear to have been affected. Yesterday, French President Emmanuel Macron sought to advance international norms for conduct in cyberspace. He issued the Paris Call for Trust and Security in Cyberspace at the UNESCO Internet Governance Forum. The document amounts to a declaration of principles. About 50 countries signed on, but not China, Russia, or the United States.
Starting point is 00:13:24 And it found favor with big tech, as both Microsoft and Google figured prominently among private sector supporters. The signatories commit to cooperation in eight areas. First, increase prevention against and resilience to malicious online activity. Second, protect the accessibility and integrity of the internet. Third, cooperate in order to prevent interference in electoral processes. Fourth, work together to combat intellectual property violations via the internet. Fifth, prevent the proliferation of malicious online programs and techniques. Sixth, improve the security of digital products and services
Starting point is 00:14:02 as well as everybody's cyber hygiene. Seventh, clamp down on online mercenary activities and offensive action by non-state actors. And eighth, work together to strengthen the relevant international standards. It's seen as a framework within which nations can achieve a mutually satisfactory agreement in cyberspace, but obviously there's a lot of work left to be done beyond this statement of good intentions. Finally, as people wonder about data abuse, The Telegraph asked UK Information Commissioner Elizabeth Denham if there will be another Cambridge Analytica scandal. She bets on form, saying, quote, I suspect there will.
Starting point is 00:16:56 You attended a conference and came back with some interesting things to share. Fill us in here. I attended the NICE conference, which is from the National Institute of Standards and Technology. And NICE stands for the National Initiative for Cybersecurity Education. Okay. Being in cybersecurity education, it's kind of an important conference for me to attend, I think. Sure. And one of the presentations I saw was from Dr. Calvin Nobles, who is a professor over at University of Maryland University College, among other places. Right.
Starting point is 00:17:50 And his topic was the inclusion of psychology-based professionals in cybersecurity. Hmm. And we've kind of been talking about this here and there and at the Information Security Institute as well about how important these things are. But let me read what Dr. Nobles says is the quote of the presentation. Okay. And he says, a human factors psychologist said, as researchers and educators, we must address all the many different roles that we humans play in cybersecurity. Beyond just the security practitioner who administers firewalls, tunes intrusion detection systems, and monitors networks,
Starting point is 00:18:27 we must also educate the software developer, lawyer, policymaker, and all of us users who are unwitting accomplices of the attacker. And he says that there is a real position for psychology majors to be taking a role in cybersecurity and says that the multidisciplinary domain of cybersecurity includes computer science, of course, mathematics, right? Yeah. Economics, which we talk about frequently on Hacking Humans.
Starting point is 00:18:55 Right. Law, psychology, and engineering. Yeah. I think this is a really important point, and it's one I've heard at several trade shows. Right. This need, because there's so many jobs available. Correct. On the cyber side of things, but it's not just the people from the STEM backgrounds.
Starting point is 00:19:13 Right. We need people in all those positions. We do, and we really need people who are behavioral scientists and people who understand how other people think to really be involved, not just in the obvious point of where these attacks are coming from, but also in the design of the tools. You should have a human factors engineer or psychologist looking at your tools to make sure that this tool is telling me what I think it's telling me. Right, right.
Starting point is 00:19:48 Yeah, you need those artists as well as the tech people. It's on us to help spread that word, to get out there to the high schools and the middle schools and say, look, you don't have to be a math whiz or a science whiz to have a place within the cybersecurity ecosystem. Since you brought that up, I will tell you there was another presentation I went to. I don't remember which one it was. But the teacher was saying, if you're good at math, maybe you can take a look at the cybersecurity field. And the very first thing she said was, you don't need to be good at math to get involved in cybersecurity. And it was a Girl Scout event that she was talking to.
Starting point is 00:20:23 And a couple of Girl Scouts came up with their parents afterwards and said, thank you, that was life-changing. So that's an important point, is that no, you don't necessarily need to be good at math or be an engineer to get into cybersecurity. There are plenty of fields out there, plenty of subfields within this discipline that don't necessarily require a heavy math background. Yeah, and it touches every part of the organizations now. It's touching every part of our society.
Starting point is 00:20:52 Yeah. It's a great part of what we are. Yeah. All right. Well, it's good information. And I think it is an important thing. Like I say, I think it's on all of us to help spread that word. So thanks for bringing that message back. Joe Carrigan, thanks for joining us. It's my pleasure, Dave.
Starting point is 00:21:19 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:17 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
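The Akamai interview in this episode describes credential stuffing as the middle step between a breach and an account takeover: breached username/password pairs are replayed against a login endpoint, mostly failing, until some of them hit. The detector below is an added example written for this page, not Akamai's code or anything from the report; it runs over constructed login log lines (the format, the sample IPs and usernames, and the thresholds are all assumptions) and shows the two signals that distinguish stuffing from ordinary mistyped passwords: one source walking many distinct usernames with almost no successes, and a failure rate that spikes across many sources in the same window even when no single IP looks busy. It also lists the accounts that did succeed from a flagged source, since those are the takeovers the interview calls weaponization.

```python
"""Credential-stuffing detection over authentication logs (added example).

Not Akamai's tooling. The log format, sample lines and thresholds below
are constructed for illustration and would be tuned per site.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: ISO-8601 UTC timestamp, source IP, username, OK|FAIL.
# 192.0.2.x are ordinary users, 203.0.113.10 a single noisy bot,
# 198.51.100.x a small botnet spreading its attempts across sources.
SAMPLE_LOG = """
2018-11-13T09:00:05Z 192.0.2.20 carol@example.com OK
2018-11-13T09:00:40Z 192.0.2.21 dave@example.com FAIL
2018-11-13T09:00:48Z 192.0.2.21 dave@example.com OK
2018-11-13T09:01:01Z 203.0.113.10 alice@example.com FAIL
2018-11-13T09:01:02Z 203.0.113.10 bob@example.com OK
2018-11-13T09:01:03Z 203.0.113.10 frank@example.com FAIL
2018-11-13T09:01:04Z 203.0.113.10 grace@example.com FAIL
2018-11-13T09:01:05Z 203.0.113.10 heidi@example.com FAIL
2018-11-13T09:01:06Z 203.0.113.10 ivan@example.com FAIL
2018-11-13T09:02:15Z 192.0.2.22 erin@example.com OK
2018-11-13T09:03:01Z 198.51.100.1 judy@example.com FAIL
2018-11-13T09:03:04Z 198.51.100.2 mallory@example.com FAIL
2018-11-13T09:03:07Z 198.51.100.3 niaj@example.com FAIL
2018-11-13T09:03:10Z 198.51.100.4 olivia@example.com FAIL
2018-11-13T09:03:13Z 198.51.100.5 peggy@example.com FAIL
2018-11-13T09:03:16Z 198.51.100.1 rupert@example.com FAIL
2018-11-13T09:03:19Z 198.51.100.2 sybil@example.com FAIL
2018-11-13T09:03:22Z 198.51.100.3 trent@example.com FAIL
2018-11-13T09:03:25Z 198.51.100.4 victor@example.com FAIL
2018-11-13T09:03:28Z 198.51.100.5 walter@example.com FAIL
"""

EPOCH = datetime(1970, 1, 1)  # naive UTC reference for clock-aligned windows


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped, not guessed at."""
    attempts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("OK", "FAIL"):
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, fields[1], fields[2].lower(), fields[3] == "OK"))
    return attempts


def per_source_suspects(attempts, min_users=5, max_success_rate=0.2):
    """Sources that try many distinct usernames and almost always fail.

    A real user mistypes one password for one account; a stuffing bot walks
    a breached username/password list across many accounts.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        users = {a.user for a in rows}
        rate = sum(a.ok for a in rows) / len(rows)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": len(rows), "distinct_users": len(users),
                           "success_rate": round(rate, 2)}
    return flagged


def window_anomalies(attempts, window=timedelta(minutes=1), min_attempts=10,
                     min_sources=4, max_success_rate=0.3):
    """Clock-aligned windows where failures spike across many sources.

    Catches distributed stuffing where every bot IP stays under the
    per-source thresholds but the aggregate failure rate gives it away.
    """
    buckets = defaultdict(list)
    for a in attempts:
        start = EPOCH + ((a.ts - EPOCH) // window) * window
        buckets[start].append(a)
    flagged = {}
    for start, rows in sorted(buckets.items()):
        sources = {a.ip for a in rows}
        rate = sum(a.ok for a in rows) / len(rows)
        if len(rows) >= min_attempts and len(sources) >= min_sources and rate <= max_success_rate:
            flagged[start] = {"attempts": len(rows), "sources": len(sources),
                              "success_rate": round(rate, 2)}
    return flagged


def accounts_to_step_up(attempts, flagged_ips):
    """Usernames that logged in successfully from a flagged source.

    A hit during stuffing is the start of an account takeover; these
    accounts need a forced reset or step-up authentication, not a quiet allow.
    """
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged_ips})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    ips = per_source_suspects(log)
    print("suspect sources:", ips)
    print("anomalous windows:", window_anomalies(log))
    print("accounts to step up:", accounts_to_step_up(log, ips))
```

On the sample data the per-source check flags only 203.0.113.10 (six usernames, one success), the window check flags only the 09:03 minute (ten failures from five sources), and bob@example.com is the account that needs a forced reset. The botnet sources are never flagged individually, which is the point: a detector that keys only on per-IP velocity misses the low-and-slow case the interview warns about, while a detector that keys only on aggregate failure rate is noisy on volatile days when real users retype passwords; the two signals are meant to be read together.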
