CyberWire Daily - Industrial firms disclose cyber incidents. US DHS to check airliner cybersecurity. RCMP security case update. Bulletproof host taken down. Gnosticplayers. Royal phish.

Episode Date: September 30, 2019

Rheinmetall and DCC have disclosed sustaining cyber attacks. The US Government is looking at airliner cyber vulnerabilities. SimJacker is real, but recent phones seem unaffected. RCMP data misappropriation case update. German police raid a bulletproof host. Gnosticplayers may be back. And someone is sending phishing snail mail that claims the British Crown needs your help to ease the economic fallout of Brexit--a Bitcoin wallet is helpfully made available. Malek Ben Salem from Accenture Labs with an overview of five threat factors influencing the cyber security landscape. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_30.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Rheinmetall and DCC have disclosed sustaining cyber attacks. The U.S. government is looking at airliner cyber vulnerabilities. SimJacker is real, but recent phones seem unaffected. An update on the RCMP data misappropriation case. German police raid a bulletproof host. Gnosticplayers may be back.
Starting point is 00:02:16 And someone is sending phishing snail mail that claims the British Crown needs your help to ease the economic fallout of Brexit. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 30th, 2019. In two apparently unrelated incidents, Rheinmetall and Defence Construction Canada sustained attacks on their IT infrastructure. In Rheinmetall's case, the attack, whose precise nature the company didn't specify, disrupted automotive production in Brazil, Mexico, and the U.S. Defence Construction Canada has been able to maintain operations in the face of what the Ottawa Sun reports may have been a ransomware attack. The U.S. government is giving fresh impetus to a program that would look for cyber vulnerabilities in commercial aircraft. The program is led by the Department of Homeland Security,
Starting point is 00:03:16 with participation by the Departments of Transportation and Defense. DHS had acquired a used Boeing 757 airliner back in 2016 and used it to research potential vulnerabilities. The program had slowed down in the wake of controversies over the way some of the initial findings were disclosed, but DHS now intends to resume the work. The U.S. Air Force is also conducting its own complementary review of commercial aircraft cybersecurity. That research will address flight systems. Airline hacks have tended to hit reservation systems for the usual criminal reasons. The data stolen from such systems can be monetized.
Starting point is 00:03:54 But this research program will look for ways in which aircraft safety and availability could be compromised. The Air Force flies some aircraft that are basically commercial models, and there's considerable overlap between military and civilian avionics, which explains the service's interest. Air Force Assistant Secretary for Acquisition, Technology and Logistics Roper told the Wall Street Journal, "If we don't probe first, our adversaries will." SR Labs has found a way of determining
Starting point is 00:04:31 whether devices are vulnerable to SIM jacker and similar exploits. These are the ones Adaptive Mobile recently warned about, in which an attacker could pwn your phone by sending you an SMS message. They've also run their checks against a representative sample of susceptible devices. SimJacker and the related WIB attack could apparently be used against about 9% of Android and iOS devices, SR Labs concludes. That's still a lot of phones, given that there are some 7 billion phones kicking around these days. But SR Labs thinks the likelihood you'll be affected
Starting point is 00:05:05 is still pretty low, and the good news is that none of the more recent models seem to be in danger. Anonymous sources have told the Canadian Broadcasting Corporation that the raid on Mr. Cameron Ortis' Ottawa condo turned up dozens of encrypted devices that police may not be able to break. Mr. Ortis is the RCMP intelligence director who's been arrested on charges related to alleged violations of the Information Security Act. Reporters say that he may have intended to pass sensitive information to either organized crime groups, like the Sinaloa cartel, or to unspecified foreign governments. The CBC does note that encryption isn't illegal,
Starting point is 00:05:47 but that it does make the investigators' lives more difficult. They also found at least one interesting piece of paper in Mr. Ortis' quarters, a handwritten note that says "the project," which words were underlined and followed with "John Lemon's blog, removing your PDF metadata." The blog post mentioned offers a step-by-step guide to removing metadata from a PDF. The CBC says that a scan of some of Mr. Ortis' accessible devices indicated that between September 8th and 9th, some 25 documents or more had been processed and sanitized to remove identifying information. The RCMP announced Mr. Ortis' arrest on September 13th,
Starting point is 00:06:27 so the PDFs were scrubbed less than a week before he was taken into custody. Mr. Ortis' bail hearing is set for this Friday. In other news of crime and punishment, police in the German Land of Rheinland-Pfalz have raided and shut down a bulletproof hosting data center in Traben-Trarbach, the AP reports. The action crossed both Land and international boundaries, with arrests near Frankfurt and other police action in the Netherlands, Luxembourg and Poland. The data center, located in a surplus NATO facility acquired by a Dutch national in 2013,
Starting point is 00:07:01 is thought to have been involved in both contraband markets and in the 2016 distributed denial-of-service attack on Deutsche Telekom. Hosting contraband trading websites isn't a crime under German law, at least provided you don't really know that's what the sites are up to. But the authorities think the people running the show at Traben-Trarbach knew perfectly well what was going on, and they themselves were mobbed up. Allegedly, we hasten to add. Allegedly.
Starting point is 00:07:29 Gnosticplayers may be back. Online game company Zynga disclosed a breach on September 12th, and now The Hacker News says that Gnosticplayers claims that he or she or they has counted coup against Zynga, attaining access to some 218 million Words with Friends accounts. Gnosticplayers is neither a greyhat nor a gadfly. Earlier this year, they gained notoriety for offering 747 million records culled from 24 popular sites. And finally, thanks to Mr. Paul Ridden of Skillweb,
Starting point is 00:08:04 a firm in the UK that provides a range of business services. He shared an interesting little item that appeared in his mailbox with those of us who hang around LinkedIn. A snail mail letter purporting to be from Her Majesty's household asks recipients to help Queen Elizabeth save Britain's economy from Brexit, with Bitcoin, of course. If you get one of these, you'll no doubt want to hop to it, because in exchange for your patriotic or nostalgic or anglophilic gesture, you'll get your very own self a membership of the Royal Warrant Holders Association. We consulted our palace desk, and they tell us that royal warrants are actually a thing,
Starting point is 00:08:45 or more properly, they're actually things, things by which purveyors of goods and services to the royal family might be recognized. For example, Bluebird buses and Fortnum & Mason groceries have got the royal warrant, so does Schweppes, no surprises there, but so does Samsung. Thus, if Her Majesty actually listened to the CyberWire, who knows? We might qualify for a royal warrant. But on the other hand, the palace desk tells us not to get our hopes up, especially inasmuch as we're only Americans. Poor things.
Starting point is 00:09:15 And also because the editors over the years have developed ways about them that, well, just aren't right. Alas, no one seems to have taken Her Majesty up on the call for help, so we may never know if easing the pain of Brexit would earn a royal warrant.
Starting point is 00:11:23 And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. Malek, it's great to have you back. I wanted to highlight some of the
Starting point is 00:12:03 work that you and your team are doing there at Accenture, your cyber threat group, highlighting some of the factors that are involved with security. What can you share with us today? Yeah, thanks, Dave. So Accenture's iDefense group, which is our threat intelligence group, has published its annual cyber threat report, and it highlights five different threat factors that are influencing the cyber threat landscape. The first of those factors is compromising geopolitics and new threats that emerge from disinformation and technology evolution. So we know, obviously, disinformation has been a concern,
Starting point is 00:12:48 and many entities continue to warn of cyber threats related to upcoming elections. What our analysts noted is that many of the threat actors are focusing on other types of global political and geopolitical events, such as international summits, you know, evolving international tensions and sporting events like the Olympics, etc. So what are some of the other factors you're tracking? The second factor is how cybercriminals are adapting and working together, diversifying their strategies, and looking more like states. So despite the high-profile law enforcement actions that we've seen against criminal
Starting point is 00:13:34 communities and syndicates in 2018, the ability of threat actors to remain operational shows an increase in maturity and resilience of criminal networks. This has been noticed in 2019. Our analysis indicates that conventional cybercrime and financially motivated targeted attacks will continue to pose a significant threat for users and businesses. However, the criminal operations will likely continue to shift their tactics to reduce risks of detection and disruption. Another trend that our analysts have noticed was that localized underground economies continue to emerge and grow in non-English-speaking countries such as
Starting point is 00:14:26 China and Brazil and they tend to target their domestic populations due to familiarity with their own societies and cultures. The third thing we've noticed is the selling and buying of direct access to networks for ransomware delivery rather than carrying out advanced intrusions. So there has been a marked increase in the sale of remote access to compromised networks and to commodity malware to conducting intrusions for financial gain on underground forums and marketplaces. The grouping all of these trends, we expect that cyber criminals will work together more and more, more like, you know, as I mentioned, more like in communities and syndicates and more like states. this trend I think that the availability of tools continues to expand which seems to make it easier for these folks to cooperate and collaborate exactly so the
Starting point is 00:15:33 commoditization of these tools, and the markets that are being created to sell and buy these tools. Yeah. I can't help wondering if that requires more collaboration on the good guys' side to fight this. Absolutely. We definitely need more collaboration on the defensive side. What we're noticing more recently is that some of these actors actually may have hybrid motives, whether financial, ideological, or political. For instance, we've seen that some ransomware appears to have been
Starting point is 00:16:15 deployed to destroy information on a target rather than to efficiently make money. An example of this is the LockerGoga ransomware that paralyzed a Scandinavian aluminum company in March 2019. It involved a variant that made it difficult to pay the ransom, which suggests that its real target may have been the victim company's share price and not financial gain. The fourth factor is that improved ecosystem hygiene is pushing threats to the supply chain, turning friends into frenemies. So companies are improving their security posture, as they are adopting the traditional industry cyber threat countermeasures.
Starting point is 00:17:07 This is making it difficult for cyber actors to target them directly, and the easier way to attack them becomes through, you know, their partners or their vendors. And then the final factor is the hardware vulnerabilities like Meltdown and Spectre that were initially discovered in early 2018. Many cloud providers have deployed countermeasures to those vulnerabilities, which consisted in slowing down the processors. However, businesses, based on their size, may decide that it makes more sense for them to own or to build on-prem clouds in order to have more control over whether those countermeasures should be deployed or not. Because we know that those updates slow down the processor. If certain companies, bigger companies, have higher workloads, they may want to consider building their own on-prem cloud
Starting point is 00:18:15 instead of, you know, relying on the more conventional clouds to run their workloads. Now, I mean, looking at this list of five elements, I mean, is there a common thread throughout them? Is there sort of a take-home message that folks should be thinking of? The one big message is that the cyber threat landscape continues to evolve. So companies have to be resilient and have to continue working with their cyber threat intelligence groups to update their, you know, security mitigation strategies. Well, Malek Ben Salem, thanks for joining us. Thank you, Dave.
Starting point is 00:19:26 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:20:12 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
