CyberWire Daily - ISIS claims Kabul massacre. Huawei gets a temporary break. Texas governments hit by ransomware. Hy-Vee warns of point-of-sale attack.
Episode Date: August 19, 2019

ISIS claims responsibility for Kabul massacre. Huawei gets another temporary reprieve. Local governments in Texas sustain ransomware attacks. Georgia hopes to combat cyberattacks with training. Google cuts a data sharing service. Bulletproof VPN services purchase residential IPs. Smartphones could be used to carry out acoustic side channel attacks. And Hy-Vee warns of a point-of-sale breach. Joe Carrigan from JHU ISI discusses corporate password policies. Guest Ben Waugh from Redox talks about bug bounties in healthcare.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ISIS claims responsibility for Kabul massacre. Huawei gets another temporary reprieve. Local governments in Texas sustain ransomware attacks, Google cuts a data sharing service, smartphones could be used to carry out acoustic side channel attacks, and Hy-Vee warns of a point-of-sale breach.
From the Cyber Wire studios at DataTribe, I'm Tamika Smith sitting in for Dave Bittner with your Cyber Wire summary for Monday, August 19th, 2019.
ISIS claimed responsibility for a suicide massacre that killed 63 people at a wedding in Kabul on Saturday.
The attack targeted Shiites in the western part of the city and occurred just before
the country celebrated its 100th Independence Day on Monday. According to CBS News, the group posted
a statement on one of its websites saying the attack was carried out by a Pakistani IS fighter.
Huawei has been granted another 90-day reprieve to continue maintaining its equipment and providing updates for its phones. U.S. Commerce Secretary Wilbur Ross made the announcement Monday morning on Fox Business. He said the extension was meant to allow rural companies in the U.S. to, as he put it, "wean themselves off." At the same time, Ross also announced that the Commerce Department is adding 46 more Huawei subsidiaries to its entity list.
Officials in Texas announced that 23 state agencies sustained a coordinated ransomware attack on Friday, August 16th.
ZDNet says the ransomware that was used does not have an official name, but it's being called the .JSE ransomware, after the file extension it appends to encrypted files.
It's a relatively obscure strain of malware that
was first seen in August of 2018. The Dallas Morning News reports that the state is responding
with a multi-agency task force led by the Texas Department of Information Resources. The FBI and
the Department of Homeland Security are also involved. Authorities believe a single threat
actor is behind the attacks.
Meanwhile, the state of Georgia is stepping up its efforts to train government employees following numerous attempted ransomware attacks against government departments last month. The Georgia Sun reports that Governor Kemp has added more members of his administration to the state government systems' cybersecurity board, which is tasked with creating mandatory cybersecurity training programs.
A major question many in the cybersecurity field would like answered is centered around bug bounties. The Cyber Wire's Dave Bittner reports on the dynamics between the companies who are offering them and the folks that are going after them. He talks with Ben Waugh, who's the chief security officer at Redox.
I've probably been working
with bug bounties for about the last five to eight years. And I've definitely seen a change from
they were very much just in the technology scene. They were for small organizations,
startups and things like that. And now you're certainly starting to see larger organizations
or established organizations start to adopt these
types of practices, ones that would ordinarily have never thought about doing this type of
activity because they would have considered it far too risky. Folks in finance and now in healthcare
as well. We're definitely seeing more adoption and this becoming much more mainstream, I would say.
And also, we're actually starting to see the rewards more accurately reflect the type of value these
kinds of bugs have. You're seeing organizations offering rewards in the tens or in some cases,
even hundreds of thousands of dollars, which really makes it worth that investment on behalf
of a researcher to be spending the time to find these unique and interesting vulnerabilities in
software. Now, when you say that organizations previously would have found it too risky, what do you mean by that? There is always a level of risk that you're
exposing yourself to, depending on the type of data that your system is using or the type of
processing you're doing. I think a lot of folks are always hesitant sometimes to potentially expose
that. You don't want that information to be unnecessarily exposed, and you don't want even a well-meaning person
to accidentally break a system.
I think a lot of industries have kind of struggled
with figuring out the right balance
between supporting a program like this
and getting the security value from it
versus ensuring at the same time
that they're protecting the systems
from a potential, even accidental, failure or abuse.
Now, wouldn't it have been the case that regardless of whether or not the organizations
were supporting bug bounties, there were going to be folks poking around anyway out of curiosity,
and I suppose those folks might not have had an avenue to report things if they wanted to do so
in a proper manner.
Absolutely. And that's probably been my personal opinion for the longest time. I believe that regardless of what you say, people are going to poke at your application. And I do think that the real value that a bug bounty brings is it gives those people a safe way to do that, and they're not opening themselves up to legal prosecution. And so you end up ultimately being more informed about security problems, because you don't have people afraid to report issues, and at the same time they're able to do their testing and follow instructions in a certain way that reduces the risk of something going wrong. For example, within our bug bounty we ensure that we give researchers explicit instructions about how to go about testing safely, so that they are only interacting with parts of the system that can't, if things go wrong, actually impact a real production hospital or things like that.
So you have the opportunity there for the bug bounty itself to incentivize the folks who are out there looking for these things to do so in a safe and responsible way.
Absolutely. Especially if they follow the instructions that you put together. And that's why it's critical that you spend the time working on what your scope is and what your instructions
are to these researchers to ultimately help them ensure that they don't end up putting themselves
or yourself in hot water. Now, what are some of the specific issues that folks are up against
when it comes to bug bounties in the healthcare sector?
In healthcare, we deal with PHI.
And so there are a significant number of regulations around dealing with that type of data.
And for good reasons, in my personal opinion as well.
One of the examples that I like to use is when it comes to my information, my data, if my banking credentials are exposed, even if I lose money because someone
steals out of my bank account, I can recover that fund. I can potentially change out those
credentials. With this healthcare data or PHI, I can't change that. If that data is exposed,
it's out there forever. I can't go and change that. And that's why this type of data within
the black market has such a value attached to it.
Now, what are your recommendations for organizations that may want to start implementing a bug
bounty program?
How do they get started?
How do they go about it?
The first thing is to be ready.
Even if you're working with an outsourced provider like HackerOne or BugCrowd, there
is a lot of overhead that you need to be prepared for.
I'd probably say,
and I'd say this is consistent with everyone who I speak to who's run one of these programs,
the signal to noise ratio is very large. You're probably going to be dealing with, I'd say,
95% of the issues that are filed are just noise or they're duplicates or they're minor things
that have been called out. So it takes a lot of time to work through all of that noise
and figure out what is actually, what's the signal?
What are the real issues that we need to investigate and be aware of?
And I think that's the same across all industries.
The second thing I would say is, again, spend the time working out what your scope is
and how you're providing instructions and details to researchers
about how they should go about testing your platform.
We're also not a SaaS, your standard kind of SaaS application.
And so that means that it's not just throwing the basic sort of like web application tests
at us, which is, I'd say the same for a lot of companies out there.
And so you need to really help folks understand what the platform is, how it works, what are the nuances with your particular application or system that will give you more meaningful tests from these folks.
That was Ben Waugh, who's the chief security officer at Redox.
Reuters says that Google terminated a service it had offered mobile carriers as a means of testing their network coverage.
The company's Mobile Network Insights service had since 2017 offered carriers data collected from Android users
who'd opted in to sharing location and performance data.
Although the program was organized on a transparent opt-in basis
and the data it collected were both anonymized and aggregated,
Google apparently decided that Mobile Network Insights exposed the company to more regulatory risk than it wished to accept.
Krebs on Security describes how cybercriminals hide their tracks by renting out bulletproof residential VPN services.
Residential IP addresses are ideal for criminal activities because they're usually trusted by businesses and they periodically rotate between users.
The use of residential connections to anonymize traffic is nothing new, but it's usually achieved by hacking a device on a residential network and using it as a proxy.
In this case, Krebs discovered an Internet provider that rented out these addresses for primarily fraudulent use.
The Maryland-based company called Residential Networking Solutions, or ResNet,
maintained a block of nearly 70,000 IP addresses.
ResNet and several affiliated websites sold access to residential proxies for a monthly fee.
They also advertised various types of spamming and botting services.
About 7,000 of these IPs belonged to AT&T until late last year. Krebs discovered that the nonprofit that administered these addresses had apparently been tricked by someone posing as AT&T into transferring control of the IP block over to ResNet. It's not clear if AT&T had any connection to ResNet, but the mobile provider told Krebs it had referred the incident to law enforcement.
Science Daily and other sources say
that researchers at Southern Methodist University have developed a proof of concept in which
smartphone sensors could record the sounds of keystrokes on nearby laptops, enabling eavesdroppers
to capture and interpret those keystrokes.
The technique does not seem to represent an immediate threat, but the researchers suggest
it should raise awareness of the risk inherent in always-on sensors like those in smartphones.
ZDNet reports that the Midwestern supermarket chain Hy-Vee is warning its customers to keep
an eye on their bank accounts after the company discovered
unauthorized activity on some of its point-of-sale systems. The activity affected some of Hy-Vee's
fuel pumps, drive-through coffee shops and restaurants. The company did not specify which
locations were involved, but says the activity has been stopped. Hy-Vee does not believe its
grocery stores, drug stores or convenience stores were impacted.
The company notes that its investigation has just begun and more information will be forthcoming.
And finally, TASS is authorized to disclose that Russia's sport minister sees a good chance that cybersports will be added to the Olympics in 15 to 20 years.
Minister Kolobkov appears to have video games in mind,
not capture the flag competitions.
Olympians, this is the moment you've been waiting on.
Get ready to practice your Fortnite dance.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Last week, you and I spoke about my musings about whether or not organizations should basically force their users to use a password manager,
but also not allow them to choose their own passwords.
Correct.
Have those passwords be generated so that they are strong and random.
Yes.
Right.
And we both sort of joked about how we would likely receive feedback from our listeners, and they came through.
Right.
Did not disappoint.
No, no.
So I want to read part of what one listener sent in.
This is a particularly good one.
This is from someone who goes by the name Jay,
and he says, Dave and Joe had a great conversation about password managers and not allowing corporate
users to choose their own passwords anymore. It's a great idea, but I'd like to offer another
viewpoint. To stop users from choosing their own passwords, you need to do a lot more than
enforce rules in the password manager. You need to be able to enforce that password policy on each of the identity stores/authentication mechanisms the user is connected to.
Turns out this is really tough.
So let's address that part here.
I think he's got a good point here.
Right.
Because there's no way for me to know that the user is actually using a password from
a password manager from the authentication
mechanism in question.
Right.
Right.
So if your user wants to go rogue and use their own password, it's hard for you to control
that.
Right.
Exactly.
You can't really mitigate that.
Mm-hmm.
So he goes on and writes, I think the better approach is to invest the energy in true SSO, that's single sign-on.
Right.
It's matured a lot in recent years.
Enforce MFA to log into the endpoint or at least have risk-based step-up authentication.
SSO using those credentials so the users only have to remember one long complex password to log into the endpoint and then SSO to everywhere.
Hmm. Okay.
So this is true.
First off, you're 100% correct about multi-factor authentication.
Enforce that.
Mm-hmm.
Do that, and that actually is what my number one suggestion is now.
Password managers are my number two suggestion.
If you're going to do one thing to improve your security, use multi-factor authentication.
Mm-hmm.
If you're going to do two things, use multi-factor and a password manager.
Single sign-on is great because it does a couple of things.
One, it allows the user to frictionlessly move throughout their services that they need to move through.
They don't have to continually log in.
And coming from a perspective where I am not really in a domain right now at my
job, I have to log into everything manually, it's still kind of a pain.
Yeah, little speed bumps in your day.
Yeah, little speed bumps here and there.
Right.
The other point that I would like to make about this is single sign-on is not going
to be a full solution for this.
There are going to be other places that are not going to integrate with your single sign-on
solution that your users need to go to.
And I'm thinking in particular like third-party websites where your users may need to go to
look things up or to use software that's necessary for their job, or even cloud services
that may integrate with your SSO or may not.
They may not integrate with it.
In that case, what do you do?
You have to make sure that their passwords are good and that they're using multi-factor authentication. And in order to make sure their passwords are good, you have to use a password manager.
So I think his suggestions here are right on. And he has in this thing, he says passwords needed to be killed a long time ago. And as much as I talk about passwords, I couldn't agree more with that statement.
I don't think we're going to be stuck with passwords forever.
I think it's getting closer to the time where we're going to be able to get rid of them, like Jay says.
And I welcome that time because I'll tell you, just having a simple password on any account is just asking to be hacked.
Yeah.
All right.
Well, thanks to Jay for writing this in.
A very thoughtful response, and it made us think a little more about this. Good suggestions. Thanks. All right. Well, Joe, thanks for joining us.
It's my pleasure.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is
proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol
Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.