CyberWire Daily - Independence day cyberattack worries in Ukraine. US Navy eliminating possibility of cyberattack on USS McCain. More malicious apps in Google Play. US state cyber regs. ISIS still works to inspire online.
Episode Date: August 23, 2017
In today's podcast, we hear that Ukraine is worried about cyberattacks in conjunction with tomorrow's independence day holiday. The US Navy investigates the possibility of cyberattack in this week's Malacca Straits collision, but that possibility may be fading. Zscaler finds more malicious apps in Google Play. New York State's Department of Financial Services' cyber regulations begin to take effect Monday. Delaware is also stepping up data security regulations. Johannes Ulrich from the SANS Technology Institute and the ISC Stormcast podcast on hacks to Uber driver accounts. Tony Dahbura from JHU promotes their upcoming Cyber Security Conference for Executives. And ISIS continues its inspiration online as police in many countries scramble to follow the Caliphate's messaging.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ukraine worries about cyberattacks in conjunction with tomorrow's Independence Day holiday.
The U.S. Navy investigates the possibility of cyber attack in this week's Malacca Straits collision.
Zscaler finds more malicious apps in Google Play.
New York State's Department of Financial Services cyber regulations begin to take effect Monday.
Delaware is also stepping up data security regulations.
And ISIS continues its inspiration online as police in many countries scramble to follow the caliphate's messaging.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, August 23, 2017.
Ukrainian security firm ISSP adds its voice to those warning that it sees signs of an impending wave of cyberattacks on that country.
Ukraine's Independence Day will be celebrated tomorrow, August 24th,
and politically motivated or state-directed cyberattacks have in the past coincided with major holidays.
The U.S. Navy's investigations into this week's collision between the destroyer USS John S. McCain continue,
as does the sad work of recovering the sailors who lost their lives in the incident.
Much talk centers on issues of basic seamanship,
China's Navy suggesting that the Americans are too overstretched to be good sailors,
but U.S. Navy officials say they haven't ruled out the possibility of cyberattack.
Note possibility.
It's early in the investigation, and consideration of cyberattack is a sensible measure.
There are some anonymous reports circulating that discount the possibility of a cyberattack,
but these are preliminary and lightly sourced.
We'll continue to follow this aspect of the developing story.
The past two weeks have seen a flurry of problematic apps
discovered in Google's Play Store
and then ejected by Google once researchers identify the threats.
Security firm Zscaler today announced that on August 21st
it found two more malicious apps in Google Play.
The first one they uncovered was an app called
Earn Real Money Gift Cards,
which, as one might suspect from the grifter's come-on of a
name the author gave it, was a variant of the familiar BankBot. So Zscaler's researchers went
a bit further and looked for some of the Earn Real Money Gift Cards author's other work. They found
one which promised not easy money, but easy fun. Bubble Shooter Wildlife. It looks like a kid's
game with a cute cartoon bluebird beckoning players in.
In fact, of course, it's malware.
When you download and start the game, after about 20 minutes
it shows what appears to be a legitimate Android system alert:
"For applications to work properly, enable Google Service."
Should you click OK, you'll be taken to a series of screens that mimic a Google menu,
including a convincing copy of Google Terms and Conditions.
Should you agree to enable the bogus but plausible Google service,
you will find you've allowed the malware to abuse Google's legitimate accessibility service
to download other programs at will.
Zscaler calls this abuse of accessibility service unique,
which of course is a large
claim, but the researchers do seem to have found something unusual and dangerous.
Accessibility service is intended for use only to help users with disabilities use Android
devices and apps.
Users should be wary, and researchers might be on the lookout for similar tactics used
by other malware authors.
Taking a quick look at our CyberWire
event tracker, the fourth annual Cybersecurity Conference for Executives is coming up September
19th. It's co-sponsored by Compass Cybersecurity and the Johns Hopkins University Information
Security Institute. The CyberWire is proud to be a media sponsor of the event.
Tony Dahbura is from the Johns Hopkins University, and he joins us to tell us about the event.
The theme this year is Emerging Global Cyber Threats. We're hosting the one-day
conference on the campus of the Johns Hopkins University at Homewood here in Baltimore.
What we hope to do is give our attendees a broad overview of what's going on in cybersecurity
and things that they should be paying attention to from the point of view of their enterprise
and just give them some useful information, opportunities to network with experts in the field,
with researchers and kind of be their radar for
what might lie ahead in the cybersecurity terrain.
Give us a quick overview of some of the speakers that you have lined up.
Our keynotes are retired Brigadier General Guy Walsh,
who's an advisor to the Deputy Commander of U.S. Cyber Command at Fort Meade. And our other keynote speaker is Stephanie Reel,
who's the chief information officer for Johns Hopkins University and Health Systems.
She's going to talk about managing an enterprise where there are mixed cultures, which is all too
common out there. In the case of Johns Hopkins, it's the cultures of a healthcare system
with all of the regulatory environment, healthcare aspects, as well as a research university.
So she's going to be describing the challenges associated with providing the IT infrastructure
and how Johns Hopkins deals with that.
And then we have a number of other speakers in all kinds of areas.
The agenda is far-reaching over the course of the day.
Of course, under the theme of emerging global threats,
we will have talks on social engineering, cloud security,
and some of the threats that people should be aware of.
We're going to have a talk on the Internet of Things. We're going to have a talk on
legal aspects of privacy, building a cybersecurity program, and a panel session on emerging
regulations. So it's going to be an exciting day. And the way we've designed it is so that people can get a lot of information in a relatively short period of time.
That's Tony Dahbura from the Johns Hopkins University.
You can find out more about the fourth annual Cybersecurity Conference for Executives,
co-sponsored by the Johns Hopkins University Information Security Institute and Compass Cybersecurity,
at thecyberwire.com slash jhu-compass.
You can find out how to get your event listed on our CyberWire event tracker
at thecyberwire.com slash events.
U.S. state governments are continuing to fill gaps in cybersecurity standards of care.
Where California had led with privacy protections,
two other states are moving into other regulatory areas. New York State's Department of Financial Services on March 1st of this year promulgated
a set of cybersecurity regulations, 23 NYCRR Part 500. The regulations were released with
an announced set of phases for implementation. The first phase becomes effective this Monday,
August 28, 2017, on which day affected
companies will be expected to be in compliance. Full compliance will be required by March 1,
2018, coincidentally just two months before GDPR takes effect. In the first phase of the New York
regulations' implementation, non-exempt organizations will be expected to have seven mandated measures in effect.
The sections that go live Monday include a cybersecurity program in which organizations
must create a program related to the risk assessment that will become effective in phase two.
Second, organizations must have and maintain policies and procedures relevant to certain
specified cybersecurity practices, including incident response and network monitoring.
Third, if you haven't got one, you'll need a CISO. Interestingly, that person could be provided by a
third party. To whom the CISO must report will be established in Phase 2. The fourth measure deals
with access privileges. It requires that the enterprise be able to establish a privileged
access management system. The next section deals with cybersecurity
personnel and intelligence. It requires putting trained personnel in place. As was the case with
the CISO, such personnel could come from a third party, a managed security services provider,
for example. Next is an incident response plan, an obvious requirement designed to foster resilience
and recovery. And finally, affected organizations must alert the superintendent
of financial services within 72 hours when it suffers a cyber event that affects normal
business operations or requires the organization to alert any other regulatory body. New York law
and regulation are particularly important to the financial sector. Delaware law is important to U.S.
corporations generally. That state has enacted tighter data privacy protection rules.
Effective now, anyone doing business in Delaware who maintains personal information must safeguard it.
A breach of security is now defined as including the unauthorized access, use, modification, or disclosure of personal information
and the information that is included in the definition of personal information. The law legally defines encryption and creates a safe harbor if data
exposed in a breach is encrypted. It also strengthens consumer protections in privacy matters.
Expect more such legislation and regulation from these and other states.
The Cyber Wire is in Palo Alto today for the Chertoff Group's event
Security in the Boardroom. We expect to learn from the experts presenting more about how evolving
concepts of risk management and security responsibility are playing out in corporate boards.
Investigations into jihadist attacks in Spain continue as ISIS and, coincidentally, the Taliban
step up their
efforts at recruitment and inspiration. Indonesian authorities are working to counter an increased
use of social media in radicalization. The U.S. is pressuring Pakistan to pull back what the
U.S. sees as the quasi-official support for extremism emanating from that country.
Joining me once again is Johannes Ulrich. He's Dean of Research at the SANS Technology Institute,
and he also hosts the ISC Stormcast podcast.
Welcome back.
Thanks for having me.
So today we wanted to talk about some attacks against Uber driver accounts.
Tell us what we need to know about here.
What we are seeing is that social engineering is used in order to get passwords from Uber drivers and drain their accounts.
The way this works is that the criminal will ask for a ride with Uber. And when you do that,
you have the ability to contact a driver via the app, essentially keeping your own caller ID and
such anonymous. Now, they use this to then call the driver, claim that they're actually
working for Uber and that they're going to send them a text message to then identify the driver.
Now that text message is actually a password reset text message, typically sent from an email account like Gmail, and that is then used to take
over the driver's email account, which in turn then allows the hacker to reset the driver's
Uber password and drain their earnings into a different account. So not highly technical, this
attack, but what we see a lot really is that these social engineering attacks always work and are really difficult to defend against.
And so how would an Uber driver protect themselves against something like this?
It's really just up to the Uber driver to recognize that this is not a valid call from Uber itself.
And that's the hard part. There is really no technical
defense against these types of attacks. They actually do bypass two-factor authentication
in some way because Google does send that text message, but the Uber driver doesn't recognize
the text message as coming from Google and expects it to come from Uber.
Is there anything that Uber could do on their side
to help better protect the driver's identity?
Uber could probably better identify and educate drivers
how to recognize calls coming from Uber.
Also, whenever a significant change is made to the account,
like in this case, I believe in some countries,
it's even possible to
redirect the earnings to a prepaid credit card. So if a significant change is made like this
to notify the driver, and maybe also hold off on the change for a day or two to allow the driver
to intervene if they don't really want this change to be made.
All right. It's an interesting story.
Johannes Ulrich, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.