CyberWire Daily - Internecine phishing in the Palestinian Territories. What could Iran do in cyberspace? US Census 2020 and cybersecurity. Mobile voting. How to make bigger money in sextortion.
Episode Date: February 13, 2020
Researchers report phishing campaigns underway in the Palestinian Territories. They appear to be a Hamas-linked effort targeting the rival Fatah organization. FireEye offers a summary of current Iranian cyber capabilities. The GAO warns that the Census Bureau still has some cyber security work to do before this year's count. Researchers call mobile voting into question. And some observations about why some extortion brings in a bigger haul than its rivals. Johannes Ullrich from SANS Technology Center on IoT threats. Guest is Darren Van Booven from Trustwave on how to know if the CCPA applies to your organization. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
FireEye offers a summary of current Iranian cyber capabilities.
The GAO warns that the Census Bureau still has some cybersecurity work to do before
this year's count. Researchers call mobile voting into question. And some observations about why
some extortion brings in a bigger haul than its rivals. From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, February 20th, 2020.
Researchers at security firm Cybereason say that hackers associated with Hamas have been phishing rivals in the Palestinian Authority.
The lure is an attached PDF that carries a backdoor installer.
There are two distinct campaigns in progress. The first deploys the Spark backdoor, a known threat in the past year. The other installs a previously unremarked backdoor that Cybereason calls Pierogi. The campaign shows certain similarities with those run by MoleRATs since 2012. The phish bait was mostly topical news of interest to the region, including
stories about U.S. peace plans and the U.S. drone strike that killed the Iranian Quds Force
Commander Major General Soleimani. The targets appeared for the most part to be Fatah leaders.
Fatah is the principal rival of Hamas in the Palestinian territories. While Cybereason stops short of calling the hacking a Hamas operation,
they do draw attention to the similarities with MoleRATs' style,
and they do point to the loose affiliation of hackers
that have been called the Gaza Cyber Gang,
and which other researchers, CyberScoop points out, have linked to Hamas.
Cybereason's assessment of the quality of the campaigns
is that they show considerable thought and ability.
The attackers have learned from past mistakes,
and they've shown a sophisticated ability to use both homegrown and purchased tools.
With the U.S. and Iran on mutually high alert in cyberspace,
FireEye provides an overview of Iranian cyber capabilities.
If you are interested in the current state of APT33, also known as Refined Kitten, Magnallium and Holmium, or APT34, that is Helix Kitten, APT35, or Rocket Kitten, APT39, Chafer, or any of Tehran's other operators,
check out their podcast.
They cover attacks, influence operations, and mitigations.
A U.S. Government Accountability Office assessment warns about aspects of the Census Bureau's preparation for the 2020 U.S. Census.
While the GAO found the Bureau to be working toward an effective count,
their study also found that the Census Bureau was having difficulty meeting milestones for IT testing and cybersecurity assessment. The GAO would like to see the Census
Bureau implement the cybersecurity recommendations it's received from the Department of Homeland
Security over the past two years. Of particular concern are the possible vulnerabilities of the
Census to both hacking and disinformation.
Federal News Network reports that these worries have prompted concerns in the U.S. House of Representatives that the census could prove to become the Iowa Democratic Caucus writ large.
Some of those concerns are probably overwrought. For example, the Census Bureau told Congress that
it's satisfied that the multiple cloud backups it's arranged lend it sufficient resilience to recover from an attack that affected the data it collects.
And the Bureau has certainly devoted far more time and attention to development, testing, and deployment
than the Iowa Democratic Party was able to bring to Shadow's Iowa Reporter app.
Nevertheless, Congress and the GAO seem likely to keep a close eye on the 2020 census.
CCPA, the California Consumer Privacy Act, went into effect earlier this year.
And much like GDPR before it extended beyond the EU, you don't have to be physically located in California to be subject to CCPA.
Darren Van Booven is lead principal consultant at Trustwave.
So right now, the operative date for CCPA was January 1st of this year. However, the latest amendment to CCPA gave the California Attorney General an extension to provide implementation guidance or implementation specifications on CCPA, extended that deadline to July 1st, I believe it is, or the end of June. So we have this six-month period of time where we have the regulation in place as an operative date. So technically, that is the law of the land. However, the Attorney General, at least at this point in time, has released some draft implementing regulations. However, it's still going through a public comment period and those have not yet been finalized. The Attorney General has until the end of June to release the final regulations or the final implementing regulations, but we don't know for sure between now and then when those will occur.
So what sort of recommendations are you making in terms of companies making sure that when things
really go into effect and start rolling, that they're going to be ready? What I do when looking
at compliance and requirements and regulations, I break it down into bite-sized chunks and
then work backwards from there. If an organization has to delete, for example,
any personal information upon requests going back the last 12 months, there are several things
behind that requirement. One is, do you know where all of your data sets are? I start there because that's something that a lot of organizations don't have a good handle on.
Are you able to identify where the data is that you're collecting,
be able to identify the specific data sets that apply?
And if you are able to do that, how do you know that when you receive the request to delete the data,
that the data is actually all deleted? How do you know the answers to those questions? And so
kind of from start to finish on that one, when the request comes in, you have to be able to
validate the identity of the individual requesting the deletion. And so there are some requirements
around that. How do you do that? How do you identify the data sets? How do you make sure
that they're deleted and whatnot? And same thing when it comes to just management of the
data, since organizations have to disclose the categories of information, business purpose,
all that good stuff about California consumer data. How do you know that you are disclosing
all of the information? You have to have a good handle on the data flow within your
organization. And so I start there because that's the most complicated piece is the data management
piece. Has California given any indications of how they're going to go about enforcing this?
How hard they're going to come down on people who aren't meeting the regulations? That's a good
question. And if we
look at other requirements that have come out, not necessarily at the state level, but perhaps
federal, the HIPAA privacy rule is an example of this, where when it first came out, there are
requirements for privacy and there were stated fines and whatnot. It took a little bit of time
for organizations, healthcare organizations, to learn how the government or HHS is going to
enforce HIPAA, how they're going to apply fines. And I think the same thing is going to happen
here is the actions that the Attorney General takes when it comes to enforcement and the fines
that get levied and under what circumstances are going to play out over time. When taking a look at this from a business perspective,
I would err on the side of the attorney general being more stringent
or more strict when it comes to enforcement rather than less.
That's always a safe assumption.
And so paying close attention to the attorney general's implementation guidance
will be very key here, making sure that you
capture all of those things so that if CCPA applies to you and let's say you experience
a major breach of personal information that you're able to prove to the attorney general
if he or she, I guess at the moment, so he comes knocking on your door and asks you,
hey, did you comply with CCPA before this breach happened, that you would be able to demonstrate that.
So I would definitely take the enforcement seriously.
And CCPA has some pretty significant fines called out in its verbiage for organizations that don't comply.
So the intent behind California lawmakers, I think, is definitely for organizations to take this seriously.
That's Darren Van Booven from Trustwave.
Researchers at MIT conclude that Voatz, that's V-O-A-T-Z because of course it is,
a mobile voting application that's been adopted by some U.S. counties and one state, West Virginia,
especially for the purpose of
collecting absentee ballots, is vulnerable to attackers wishing to alter, stop, or expose a
user's vote. The researchers based their conclusions on reverse engineering of the application.
They write, quote, we find that Voatz has vulnerabilities that allow different kinds
of adversaries to alter, stop, or expose a user's vote,
including a side-channel attack in which a completely passive network adversary can potentially recover a user's secret ballot. We additionally find that Voatz has a number
of privacy issues stemming from their use of third-party services for crucial app functionality.
Our findings serve as a concrete illustration of the common wisdom against internet voting
and of the importance of transparency to the legitimacy of elections.
The developers of the Voatz app have strongly objected to the research,
saying the MIT team used an old version of its product,
an Android version that was at least 27 versions old.
The MIT researchers, ZDNet reports,
maintain that the version they used was still available on Google Play.
In any case, Voatz offered two other specific objections.
The app the researchers used wasn't connected to the Voatz servers,
and had it attempted to do so, would have failed to pass identity and security checks.
Finally, the researchers used a conjectured image of Voatz's
servers and proceeded on the basis of false assumptions about the way the different components
of the company's system interacted.
And finally, IBM X-Force researchers have been looking into sextortion campaigns, and they found that Emotet's spam has eclipsed Necurs's in its intake of ransom. There are two reasons for this. Emotet tends to hit victims through their work email, whereas Necurs affected mostly webmail accounts. And Emotet users charge their victims in Bitcoin, not the less valuable Dashcoin favored by Necurs-using hoods.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives
and their families at home. Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
I wanted to touch today on some IoT threats.
There's some things going on here folks should be aware of,
and it goes beyond passwords.
Right.
A lot of the home IoT security has focused on security devices themselves.
I guess it has become a holiday tradition by now that after you unwrap your devices, you set a strong password,
maybe you try to figure out how to patch them. But overall, the devices, yes, there are a lot
of problems with devices. We have seen botnets like Mirai and so take advantage of them. But many of these home devices are behind firewalls and behind NAT.
So that makes them a little bit more difficult to attack.
A couple of years ago, I went to Home Depot and saw one of these cloud-controlled thermostats.
It was one of the sort of cheap Nest knockoffs.
And first I thought, hey, cloud-controlled thermostat makes perfect sense.
More clouds, I need less AC. But that's not really how it worked. Because these devices have the same
problem with NAT and such. So when I'm on the road and I would like to check on my thermostat,
I'm not actually connecting directly to the thermostat. I'm
connecting to some kind of cloud service. The thermostat is connecting to some cloud service.
And then we use that to sort of exchange messages. Or with cameras, you often have these STUN servers that are sort of used for the mobile app and the camera to sort of meet up in some cloud servers. And then they negotiate how they can connect directly to each other.
And lately, these cloud services have really sort of become a big target.
Because, first of all, as a user, you have less control over these cloud services.
Yes, you can set up a password, but with my cloud-controlled thermostat,
well, it looked good.
I had to set up a password to log in with the mobile app.
I never had to enter the same password to my thermostat.
And the thermostat doesn't even have a keyboard for that.
Turns out the thermostat pretty much just used the serial number to authenticate itself to that cloud service.
Oh, interesting.
So with cameras, of course, it has become a huge issue with Ring lately, and these cameras where attackers use just simple brute forcing of passwords to connect to the cloud components of these cameras and then were able to connect to the camera itself. It doesn't really matter what password you set up on the camera
itself. Well, of course, you have to secure your account too. But again, there's much less
you can do about this.
You know, with Ring, for example,
not protecting you very well
against some of these brute forcing
or credential stuffing attempts.
You can't really do anything about it
or not just to hit on Ring.
Another camera manufacturer that's quite popular, Ubiquiti, or UniFi, as they're also known.
What's actually nice about them is they rely less on cloud service in the sense that
you can buy a fairly cheap little device that you install in your house, and they call it Cloud Key. So all the data is stored on a device on your premises, which is nice. So you
don't have any issues with your video footage being stored somewhere else. But you still have
that problem of having to connect to that camera from the outside.
So again, they have some STUN server in here to facilitate this.
And lately, actually, for their wireless access points,
they started sending performance data from the wireless access point to their cloud service.
Now, you may want to block this.
You may not necessarily want things like, you know, what SSIDs you're using, how many
devices you have and such being reported back to them.
Their advice was, well, just block the connection at the firewall.
You can do that.
It sounded like a great idea.
But once you do that, that little process they have running on the access point that
tried to reach out to their cloud service
actually sort of went crazy
and chewed up all of the CPU cycles on the access point.
So that wasn't really a valid solution either.
So a lot of these IoT devices have these components
where they are reporting back to the cloud,
but they're allowing access via a cloud service.
And as a user, you have very
little control over this. You may not even realize in many cases what data is, for example, being
exfiltrated. And is this a situation of just sort of buyer beware that you need to do your homework
before you purchase one of these to make sure you know what you're getting yourself into?
Yes, it's definitely a buyer beware thing. And I always recommend that if you have a
device like this, we just bought it, you realize some of these things just don't look right. Return
it to the manufacturer. That's really, I think the only thing that's going to change things here is
if it costs them too much money to sell crap, then maybe they'll fix it and sell a little bit
better device and fix it on their backend. All right. Here's hoping.
Johannes Ullrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing Cyber Wire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.