CyberWire Daily - Huawei spits the hook? CISA warns about the risk of Iranian cyberattack. Power grid security. Cryptocurrency and fraud. Content moderation. Senators like Hack the Pentagon.
Episode Date: July 1, 2019
Huawei gets to buy some products from US companies, again. CISA reiterates warnings about the risk of cyberattack from Iran. Considerations about power grid security. Cryptocurrencies draw criminals, and some of the scammers are looking ahead. Australia and New Zealand will conduct a simulation to study ways of removing "abhorrent content" from the Web. The Senate likes Hack the Pentagon. And tech enthusiasm or voyeurism? You decide. Justin Harvey from Accenture on ways attackers are bypassing 2-factor authentication on mobile devices. Guest is Gretel Egan from Proofpoint on the shift toward human-centric security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Huawei gets to buy some products from U.S. companies again. CISA reiterates warnings about the risk of cyber attack from Iran, considerations about power grid security, cryptocurrencies draw criminals, and some of the scammers are looking ahead. Australia and New Zealand will conduct a simulation to study ways of removing abhorrent content from the web, the Senate likes Hack the Pentagon, and tech enthusiasm or voyeurism? You decide.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 1st, 2019.
President Trump has agreed to permit Huawei to buy some U.S. products. They'll be allowed to buy the boring kit, as CRN puts it, the stuff not deemed to present a threat to national security. Included in that boring kit would be, for one big example, Google's Android operating system. The White House says this doesn't mean the U.S. intends to go squishy on Huawei and that it remains very much alive to the risks the company poses.

For its part, Huawei says it welcomes what the company calls a U-turn in U.S. security policy. The case reminds many observers of ZTE's experience when the company was pulled back from the brink by a U.S. decision to permit ZTE to continue to buy some of the U.S. products it depended on to keep its business going. The Huawei decision is about U.S. exports to the company, not about permitting Huawei products general access to U.S. markets. The decision has drawn decidedly mixed reviews, but Big Tech will probably be pleased by any relaxation of export controls.
In an interview with Ars Technica, U.S. CISA Director Krebs repeated his agency's warnings of expected Iranian cyberattacks against U.S. targets. It's more
than a regional matter, he said, alluding to tensions around the Arabian Gulf. And he again
warned that enterprises should consider destructive wiper attacks a real possibility.
There's been a great deal of recent concern about cyber attacks against power grids,
with the U.S. warning of both Russian and Iranian hostile interest in the North American grid,
and with Russia complaining that the U.S. had staged malware in Russia's own grid,
presumably as either a deterrent or as battle space preparation.
An example of power disruption in Japan that came to light last week wasn't a cyber attack,
but it was worth considering as a cautionary tale in the light of such worries about the vulnerability of power generation and distribution.
Western Digital disclosed that a 13-minute power failure at its partner Toshiba Memory disrupted flash memory production.
The accident is said to have destroyed some six exabytes of product.
Production is expected to return to normal in the middle of July,
and there may be a noticeable economic effect.
Significant fluctuations in flash prices are expected, the disclosure suggests.
Another incident, and this one was an attack,
is the ransomware infestation at aviation components manufacturer ASCO. That attack
remains only partially remediated. Things are said to be improving, but ASCO doesn't yet have
a projected time for full recovery.

Australia is leading a voluntary international agreement in which governments would swiftly take down abhorrent content posted online. Along with partners from New Zealand, the government intends to hold a major simulation to determine how such a takedown might be managed. As Australian officials put it at the G20, quote, the commitments from the Australian task force to combat terrorist and extreme violent material online

Altcoins are drawing scammers for familiar Willie Sutton-esque reasons. That's where the money is.
Iran has taken down two big cryptocurrency mining farms run from disused factories. Authorities say the activity was sufficiently power-hungry to have rendered a portion of the grid unstable, with consumers of electricity noticing problems.

A new cryptocurrency, Luno, which is Esperanto for moon, has already become the fish bait in a social engineering campaign. The usual cautions apply, but in this case note that Luno phishing is marked by fewer linguistic stigmata than normally appear in phishing emails.
And Facebook's much-ballyhooed Libra cryptocurrency, greeted as everything from
a new era of trade and remittances outside the stranglehold of central banks, to the mark of
the beast and inter alia something like an Illuminati plot to control everyone's identity.
Anyway, Libra, as we say, is already the occasion of a competitive criminal scramble to register domains that look or sound sort of the way the scammers imagine a Libra domain would. So prepare yourself in advance. The fishers of coin are already baiting their trawl lines.

Security firm Proofpoint recently shared warnings that bad actors are increasingly targeting specific individuals within organizations, making use of techniques like social engineering to gain access. With this in mind, they say it's important for organizations to focus on the human side of cybersecurity.
Gretel Egan is security awareness and training strategist at Proofpoint.
First being to look at the threat intelligence that you have.
Most people are monitoring email.
Most people have threat detection tools in place. So great idea to take a look at what is coming into your
organization and who is receiving, who is the intended recipient if things are being blocked,
you know, of those types of attacks and how those attacks are being structured. What type of messages are
in these emails? Are there malicious attachments? Are there malicious links? How are they being
structured? And then really kind of taking a look at who and what departments and what roles
are cyber attackers valuing that maybe is a little different than my perception of who I think cyber attackers
might be going after.
We do see a lot of organizations kind of assuming that those VIPs are the very visible C-level
executives, that these are the people that cyber attackers are going to go after.
And certainly they are.
However, we see attackers looking up and down org charts to find their points of
compromise. Important to really know how your organization in specific is being attacked.
Another way, a second way to figure that out is to use some security awareness and training tools, things like phishing simulations, phishing tests, where you send out simulated phishing attacks, different types, different structures, you know, and look at the people within your organization who are vulnerable and susceptible to those types of attacks. Who's clicking, who's engaging, who is being tricked into providing credentials or being tricked into going to, you know, a malicious website based on the way you've structured your test.

Now, when you're testing your employees for phishing, is it better to take a carrot or a stick approach? If someone does click through on that link, it seems to me like that's a moment for education rather than perhaps punishment.

It certainly is what we advocate. Really, basically, it comes down to the fact that organizations are allowing their technology to fail.
We have these purpose-built technical tools
that are not 100% capable of stopping everything that's coming in.
But at the same time, these same organizations are sometimes looking to their users
to be right 100% of the
time. That's just not going to happen. We really advocate for making it a positive learning
experience for the user at that moment, rather than a quote unquote punishing experience,
if you will. You don't really want to turn that moment into a point where an employee feels not only vulnerable, because they've exhibited potentially a susceptible behavior that's a dangerous behavior, but then also feels kind of attacked by their organization in that same moment. So really, a great idea, what we advocate for, is much more of a carrot approach, taking that as a learning moment, a teachable moment, and moving ahead in a positive direction to try to positively influence future behavior.
The human factor, in our opinion, will always be at play when you have people making decisions,
posting to social media, taking actions on mobile devices,
on downloading apps, and interacting with things. I don't see a point where technical safeguards
are going to catch up enough to stop all threats. That's Gretel Egan from Proofpoint.
The just-passed Senate version of the National Defense Authorization Act for 2020
includes strong encouragement for defense and security agencies to use crowdsourced security testing. The report
that accompanies the act specifically calls out the Defense Department's Hack the Pentagon program
as a model. And finally, in a bit of good news, the creator of the AI-powered app DeepNude has taken down and stopped selling his invention.
DeepNude was an app that would take ordinary photos of women,
and tellingly, it only worked on women,
and automatically transform the photo into an apparent nude.
So, yeah. Horrifying.
Many consider it a sign of what's to come in the deep fake field,
but for now, at least this one is gone.
Joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, it's always great to have you back. I wanted to touch base with you today about
two-factor authentication, particularly on
mobile devices and ways that some of the bad guys have figured out how to bypass that. Yeah, Dave,
just like a car with brakes, we tell everyone your car must have brakes, but if you don't take
care of them or if you don't understand how and why and where to use them, you're probably going to crash.
And the same is true a little bit for multi-factor authentication. For years now, we've been saying
get MFA, use it on everything you've got, but we're starting to see adversaries really take
advantage of that through a few ways. The first is mobile SIM number rerouting. So this is where, let's say that you're with a large mobile carrier,
your phone has been working for years, but the adversary can look up your phone number and figure out which provider you're with. Then they will call the provider up and social engineer them
to essentially reset the password. And then they'll log in as you and reroute your SIM card or the
number going to their SIM card to their SIM card. So essentially they're hijacking your phone number
and then it's as easy as the adversary going in, starting the two-factor and it sends them an SMS,
but instead of sending the real owner the code, it's going to the adversary. I think the best way to guard
yourself against these types of attacks is figuring out and determining what sort of
customer identification process your mobile phone provider has and making sure that your answers
are strong. That actually leads us into the second type of multi-factor override, which is abusing the recovery process. Most
multi-factor platforms have the capability so that if you lose your phone, you lose the device
that creates that code, you can answer a few questions and get a temporary code back.
And I've been talking to my adversary simulation team today and they said yes,
the majority of the questions and answers are relatively simple and even in some cases it said like what's the name of your first, your eldest sibling or your youngest sibling or your
first sibling and all of that information can be obtained via background questions or background
checks. It's highly advised to guard yourself
against these two types of attacks by picking really strong questions and answers and not who
your first dog was. And in fact, when I get those types where I have to pick from a drop down and
some of them are the most simple questions to answer, sometimes I think of a fake answer and
put it in there. The best course of action
is to use the Microsoft Authenticator, the Google Authenticator, real apps within your phone,
or even in some cases, go back to hard token. And then on top of that, if you are, let's say,
a CIO, CISO, or someone who has control over these platforms, really look to strengthen your recovery process so that it's
not as easy to get a new code without having the token, essentially.

But it seems to me like SMS-based texting is probably the lowest form of multi-factor and has the highest degree of risk associated with it. But I suppose still better than nothing.

Absolutely. When it comes to telephone or SMS-based two-factor,
there's even some different types of attacks like the SS7 intercept capability.
So SS7 is more of a nation-state style attack
where you can set up your own cell tower in essence,
and you can intercept traffic coming through there.
And I want to at least point out in most Five Eyes countries,
those are all illegal to use and set up, but it has happened out in the wild. It's more of a
nation state style attack, but it's worth mentioning there. There's malware intercept.
So creating a piece of malware that goes on a phone, typically Android, since they don't have a
walled garden app type of approach like Apple does. But malware has
been seen out there in the wild that reads texts and looks for two factors and sends them to a
centralized repository. You've got your standard social engineering types of attacks where, Dave,
if I wanted to get access to the CyberWire platform itself, maybe I call you as a Bank of America representative
and said, hi, this is Justin with Bank of America. Dave, there's a problem with your account. I'd
like to prove that it's you. I'm going to send you a code. Could you read it back to me? And I
actually go to your platform and I create a login request and then you get it and you're like,
is this Bank of America or is this my own CyberWire? It's very hard to tell in some cases. And then the final type that we are seeing quite a bit of is using the Modlishka
proxy platform, which is essentially you're going to create a login page, just like the login page
that you want to get access to. You send the user through a phishing email to have them go
enter their credentials in. It's very much like a business email compromise style of attack where you have your own website
and you're mimicking the two-factor login of the victim.
The victim goes there.
They're not really paying attention.
They enter in their credentials.
You steal those credentials and proxy it back to the real two-factor, which gives you the
challenge, which allows the user to enter it in
because you're running the platform.
You can see everything going in
and essentially you grab that
and log in right behind them.
Actually, not even behind them,
you're logging in for them.
They might see an error code
and then they're, boom, you're in.
Yeah, it's a lot to look out for,
but at the same time,
it seems like there are some good solutions out there.
Yeah, I would say try to stay away from SMS-based multi-factor and really focus on using Google Authenticator and Microsoft Authenticator.
All right. Well, as always, Justin Harvey, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.