CyberWire Daily - Lone wolves howl to each other over WhatsApp? Industry yawns at WikiLeaks zero-days. How online gamers cheat. America's JobLink breach update. Ukrainian artillery hack notes. April 7 deadlines.

Episode Date: March 27, 2017

In today's podcast, we hear that British police think ISIS not-so-lone wolves may have been howling over WhatsApp. WikiLeaks still disgruntled over its disclosure offer's cool reception. March-Madness... is also phishing season. How and why online gamers cheat. GiftGhostBot drains gift-card balances. States mull next steps after the America's JobLink breach. CrowdStrike walks back some claims in its Ukrainian artillery hacking report, but insists the hack was real, and that signs point to Fancy Bear. Lancaster University's Awais Rashid warns of the use of open source intel in social engineering. Wall Street Journal tech reporter Sarah Needleman explains the esports cheating arms race. April 7 marks two deadlines for cyber actions; observers hope for two fizzles.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 British police think ISIS's not-so-lone wolves may have been howling over WhatsApp. WikiLeaks is still disgruntled over its disclosure offer's cool reception. March Madness is also phishing season. How and why online gamers
Starting point is 00:02:10 cheat. GiftGhostBot drains gift card balances. States mull next steps after the America's JobLink breach. CrowdStrike walks back some claims in its Ukrainian artillery hacking report, but insists the hack was real and that signs point to Fancy Bear.
Starting point is 00:02:30 April 7th marks two deadlines for cyber actions. Observers hope for two fizzles. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 27th, 2017. After the attacks in London, ISIS makes large-scale and predictable use of online video as recruiting and inspiration tools. British police investigate the possibility that a cell which may have supported the attacker made use of encrypted messaging apps. The authorities have one man still in custody who they believe was in communication with the attacker by WhatsApp. It's worth noting in this context, as so often with ISIS, that the sense in which an attacker is a lone wolf is often attenuated. At the very least, they're responding to recruitment and inspiration,
Starting point is 00:03:16 even if there's no immediately directing command and control. The Westminster attack may have involved some coordination with at least one collaborator, and perhaps with a larger organization. WikiLeaks continues, largely in vain, to persuade tech vendors they ought to play ball in remediating the vulnerabilities suggested by the Vault 7 leaks. Consensus now seems to run toward Apple's early conclusion. The zero days alluded to in the files are old news, for the most part patched long ago. Zscaler and others warn of a spike in March Madness-themed phishing.
Starting point is 00:03:51 March Madness is shorthand for the annual U.S. university basketball playoffs, much followed by gamblers, enthusiasts, and subway alumni. Not that any of you would do this, but some people actually bet money on these teams. Shocking, we know. Shocking, too, is the sheer amount of cheating that goes on with online gaming, even when it doesn't involve gambling, as any parent of a child who's been booted out of Pokémon Go for downloading a teleportation app can tell you.
Starting point is 00:04:18 The video game industry is big business, with about $91 billion in revenue in 2016. A fast-growing piece of that pie is eSports, where gamers compete for prizes and glory, and there's a growing audience of spectators who like to watch them play. All this activity is attracting investors, TV executives, and advertisers, but it also attracts cheaters. Sarah Needleman is a tech writer for the Wall Street Journal, and her recent article outlines the challenges video game companies face.
Starting point is 00:04:48 Players are looking to get an edge by using unapproved software and exploiting bugs to win at competitions. It's a problem for the industry because right now e-sports is a rising area, and when there's rampant cheating, it affects the integrity of games and people lose interest in playing them and lose interest in watching them. So companies are going out of their way to stop or at least fight cheating because it's actually impossible to stop it outright. But they're working really hard to minimize it as much as possible. One of the things that struck me in your article was how much third-party help there is on both sides of this.
Starting point is 00:05:26 I mean, there are companies who are selling the cheats, and there are companies who are helping the game manufacturers try to fight the cheats. The ones that are selling the cheats, I don't know if I would call them companies in the traditional sense. I think a lot of these are individuals that are coming up with it and selling it online. In some foreign countries, they are setting up businesses. But I think for the most part, it's individuals who are very tech savvy, who come up with these cheat codes, and then sell them online to like an underground network of players that are, you know, very tech savvy and very interested in getting an edge.
Starting point is 00:06:03 I mean, what you're doing is using software so that every time you fire your weapon, for example, you have perfect aim or you can see through walls. It's not like a one-time movement where you skip ahead of a level. This is affecting the entire gameplay. And we're also talking about games that are played competitively. You're not playing by yourself in your basement. You are playing online against other people. In some cases, part of a tournament, and you're trying to win prize money. The landscape is a little bit different than it used to be back in the day. One of the things that struck me, I was surprised to find out the scale that this was running at. We're not just talking about a handful of people
Starting point is 00:06:43 who are cheating at these games. Right. For example, with Ubisoft's Tom Clancy's The Division, that game has been out for about a year, and the company has banned something like 40,000 players from it. In the first week that Overwatch was out, the Activision Blizzard game, they also banned thousands of players. These games have several millions of players overall. So it is still a small percentage that is getting banned,
Starting point is 00:07:07 but it is definitely higher than you might think. It's a constant battle. One person put it to me as an arms race, and that it's impossible to make it impossible to cheat. So they're constantly working to stop the problem. That's Sarah Needleman from The Wall Street Journal. If you're using gift cards online, beware. Distill Networks warns businesses and consumers of a threat to gift cards.
Starting point is 00:07:32 GiftGhostBot uses nearly 1,000 infected sites to inspect and drain gift cards of their balances. The U.S. state of Vermont, at least, is contemplating legal action against America's JobLink for what appears to be its loss of significant personal information belonging to job seekers. Nine other states were also affected. One of them was Maine, which was using JobLink to help process unemployment claims. We heard from Ebba Blitz, CEO of encryption-as-a-service firm AlertSec, who sees the case as another unfortunate reminder
Starting point is 00:08:05 of the seriousness of third-party risk. He thinks New York State's recent adoption of more stringent cybersecurity regulations may provide other states with a model for third-party compliance. We also heard about New York's new requirements from Brad Keller, who directs third-party strategy at the New Jersey-based security company Prevalent. While much of what New York now requires has already been recognized as best practice,
Starting point is 00:08:30 the regulations go farther in requiring companies licensed for banking, insurance, or financial services to maintain comprehensive cyber risk management programs that address cyber risk at the C-level and board level, and that specifically address third-party risk. CrowdStrike retracts some aspects of its Ukrainian artillery hacking report, but not its core findings concerning Agent X malware. The retractions generally walked back claims of heavy losses sustained by Ukrainian D-30 gun batteries during fighting with Russian forces in the Donbass, unsurprising given the
Starting point is 00:09:05 notorious difficulty of battle damage assessment. They also clarified misunderstandings about claims that Ukrainian units had been forced to fire on one another. That didn't happen. But they do stand by their claim that a fire direction app was compromised to reveal general position information about Ukrainian fire units, and that the malware was a Fancy Bear production. Finally, two deadlines expire April 7th, which is less than two weeks away. The Turkish Crime Family says it's going to wipe hundreds of millions of iOS devices unless Apple pays ransom. Apple says the threat's a lot of hooey, and pretty much everyone agrees.
Starting point is 00:09:44 And Anonymous will run its annual Op Israel against various online targets in the Jewish state. Op Israel has traditionally been a fizzle that fails to rise beyond the level of low-grade nuisance, but Israeli authorities warn people to be on their guard nonetheless. So be on the alert, but hope to be pleasantly disappointed.
Starting point is 00:12:19 Joining me once again is Awais Rashid. He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Starting point is 00:13:06 Professor, welcome back. I know today you wanted to touch on some things with social engineering and open source intelligence. Thank you very much. The key challenge at the moment is that a lot of us use social media, online social media, so the likes of Facebook, Twitter, Google+, and so on. And inadvertently, people expose a lot of information online, which can make it a lot easier for attackers to craft social engineering attacks, so, for example, very targeted spear phishing attacks. What can normally happen is that an attacker can harvest an employee's information and use that as a basis
Starting point is 00:13:48 to craft a very targeted attack. Things that, for example, provide the interesting hooks which would encourage someone to click on an embedded link or an attachment that will enable download of malware. Yeah, I saw a story not too long ago about someone who got hit because he had an interest in classic cars. And the bad guys were able to craft a message that hit him exactly where his interest was and get him to click through to something. Absolutely. And that's how, for example, RSA were breached. It was a very simple social engineering email. But the interesting thing is that with the power of computational tools that we now have at our disposal, we can do positive things, but they can also be used by attackers. So we have recently, for instance, done some work where we've actually demonstrated that
Starting point is 00:14:37 you can automatically identify the employees of an organization using only information which is visible to a remote attacker as a member of the public. So you don't need to be listed on the organization's website for you to be detected as a member of that organization. For example, most employees would tend to follow the organization that they are part of on Twitter or another social network. But then what you can do is you can actually potentially link the profiles of such people across different social networks. So you can extract further information about them to make your attacks really, really sophisticated and providing those really good hooks that will encourage someone to
Starting point is 00:15:19 click on embedded links or download malware. So how do people find the balance between, you know, going on leading their day-to-day lives and enjoying all the benefits of social media, but also protecting themselves and their organizations? I think there are multiple ways that this can be done. Individuals can be more cautious and vigilant about it themselves as to what kind of information do they expose. Very often, keeping separate accounts for personal and professional use can be a very useful thing. But also organizations themselves can take active measures by trying to identify what kind of information about them or their employees is visible outside. This is not in terms of any punitive measures against employees.
Starting point is 00:15:58 It's more about trying to understand what kind of information can be out there that can potentially be targeted and in some ways use that information to, for example, educate employees about not revealing certain types of information that may make them more prone to such attacks. Professor Awais Rashid, thanks for joining us. And that's the CyberWire. We are proudly produced in Maryland by our talented team
Starting point is 00:17:11 of editors and producers. I'm Dave Bittner. Thanks for listening.
