CyberWire Daily - Louisiana works to recover from Monday’s ransomware attack. Gekko Group sustains a massive data exposure. US student charged with coding for ISIS.
Episode Date: November 20, 2019
Louisiana works to recover from Monday's ransomware attack. The HydSeven criminal group is delivering Trojans via spearphishing. A hotel reservation company sustained a massive data exposure. India's government says it's legally permitted to surveil citizens' devices when it's deemed necessary. Google, Facebook, Apple, and Amazon answer questions for Congress's antitrust inquiry. A Chicago student is charged with coding for ISIS. And the National Security Agency offers advice for implementing TLSI. David Dufour from Webroot with findings from their midyear threat report. Guest is Bill Harrod from MobileIron on biometric data in the federal space.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Louisiana works to recover from Monday's ransomware attack.
The HydSeven criminal group is delivering Trojans via spearphishing.
A hotel reservation company sustained a massive data exposure.
India's government says it's legally permitted to surveil citizens' devices when it's deemed necessary.
Google, Facebook, Apple, and Amazon answer questions for Congress's antitrust inquiry.
A Chicago student is charged with coding for ISIS.
And the National Security Agency offers advice for implementing TLSI.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
November 20th, 2019. Louisiana continues its recovery from the ransomware attack it sustained Monday. Many services have been restored, but all 79 of the state's Office of Motor Vehicle locations
remain closed throughout Tuesday, despite earlier estimates that they would reopen by midday.
The delay is due to the fact that all of the OMV's computers have to be re-imaged.
The attack reportedly involved the Ryuk ransomware,
and the infestation originated with an unauthorized download
on a state computer, which is no surprise at all.
Prevailion warns that it's found a clever spearphishing campaign
conducted by the HydSeven criminal group.
The campaign, which Prevailion calls Operation Blockchain Gang,
is distributing Linux and Windows versions of the macOS trojan HydSeven,
used against Cambridge University over the summer.
HydSeven has also been spotted phishing around Coinbase.
Prevailion calls them a sophisticated threat actor,
and one that pays close attention to organizations that hold unusually valuable information.
Hotel reservation company Gekko Group exposed more than a terabyte of customer information in an unsecured Elasticsearch database, CNET reports.
The number of people affected is estimated to be in the hundreds of thousands.
The data included names, home addresses, personally identifiable information of children as well as adults,
credit card numbers, email addresses, and a variety of travel details.
Also among the data were plain-text usernames and passwords to accounts on Gekko Group's platforms,
including the credentials to the World Health Organization's travel reservation account.
The database was discovered by two independent researchers
working alongside vpnMentor, who notified the company of the breach.
Gekko Group and its parent company, French hospitality giant AccorHotels, were initially unresponsive to vpnMentor's attempts to make contact,
but they promptly secured the database after the researchers notified CNIL, France's data protection regulator.
vpnMentor notes that most of the affected customers were European,
so the companies should expect to see legal action under GDPR.
Trustwave is tracking a spam campaign that uses a phony Windows update notification
to distribute a malicious attachment that carries Cyborg ransomware.
Cyborg, unfortunately, is easily used by anyone who gets a hold of the Cyborg builder,
which has been available on GitHub.
TechCrunch reports that India's Minister of State for Home Affairs, G. Kishan Reddy,
said on Tuesday that the Indian government is legally empowered to intercept and decrypt any digital
information if such interception is deemed to be in the interest of national security
or to maintain public order and friendly relations with foreign states. He noted that each of these
cases was to be approved by either the union home secretary or the home secretary of the state.
Reddy was responding to a member of Parliament who asked whether the
government had used NSO Group's Pegasus spyware to target WhatsApp users in the country.
As we come to rely more and more on biometrics to provide access and identity verification,
we need to maintain vigilance when it comes to privacy and baked-in bias.
So says Bill Harrod, federal CTO at enterprise security firm MobileIron.
There are a number of implicit biases, part of it in the code base
and part of it simply in the way it's been deployed and tested over time.
And in fact, this past week, I believe there was legislation introduced to limit the ability to use facial recognition, particularly for law enforcement, fighting terrorism, and so on and so forth.
But you walk up against that challenge of being able to do that, but also respecting people's privacy, their constitutional rights to privacy.
That's right. And, Dave, one of the things that's really interesting is that we have to, in some cases, protect people against themselves.
So as we enter the busy travel season, with Thanksgiving and the Christmas holidays coming up,
we find that people voluntarily give up a certain amount of that privacy when they enroll in things like Global Entry and CLEAR and TSA PreCheck.
But it's not always clear that they're well-informed and understand what it means that they're giving up that information: fingerprints and facial recognition and even iris scans.
The use of that information then becomes a concern around how people's privacy is used.
And certainly we've seen large-scale breaches into things like the Office of Personnel Management and Equifax.
Where do you suppose we're headed with this sort of thing?
Is more regulation inevitable? I think more regulation is inevitable.
And I think where we're really headed is that enterprise biometric technology
will become more commonplace. So we'll see biometrics being used. It is used today for unlocking
a laptop or a smartphone or a device.
I think we'll see biometrics being used and tied to identity for agencies and organizations.
I do think there'll be some regulation and some privacy controls put in place.
Privacy Act and GDPR about how people have the right to be forgotten and control their privacy and their data. And I think biometrics is going to fall into that same area of controls.
Using fingerprint data is an interactive process. Using facial recognition and capture, the individual
may never know that it's happened. And so I think there really is a
difference, particularly when it comes to facial recognition. Do you have any
recommendations for organizations that are thinking about implementing some
sort of biometric factors for authentication into their own security workflow?
Anything they should know before they head down that path?
So, Dave, I think it's important when we talk about leveraging biometrics.
So certainly we want to move away from user ID and password.
That's a framework that's been broken for a long time. Using multi-factor
authentication, including some biometrics, is a much stronger way of being able to tie a user
to an identity. And if the user and the identity and the fingerprint or the biometric, the facial
recognition is done on an endpoint on a device where it's captured there
and not stored across the entire enterprise, that seems like a really good method of being able to
provide a new way of doing authentication for the user. And it's certainly something that we're
doing at MobileIron around zero sign-on, and it becomes a part of the larger
zero trust framework for enterprises. Collecting all of the biometrics in a central repository
is an area that's going to be particularly fraught and vulnerable for a data breach and have lasting impact to the user, to the employee.
That's Bill Harrod from MobileIron.
Reuters summarizes the answers the U.S. House Judiciary Committee has received so far
in its antitrust inquiry into big tech.
Facebook, Apple, Amazon, and Google were the companies who went under scrutiny.
Google argued that it didn't favor its own services over its competitors,
but failed to present much of the data requested by the committee.
Apple's responses to the committee mostly involved things that are already publicly known.
Facebook acknowledged that it blocks apps such as Vine from its developer platform
if those apps replicate core aspects of Facebook's products,
but the company offered vague answers when the committee pressed for specific details
relating to those decisions.
Amazon said that it uses data from merchants for business purposes,
but that it doesn't use this data to source private label products.
Thomas Osadzinski, a computer science student at Chicago's DePaul University,
was arrested by the FBI and charged with writing code for ISIS.
Specifically, according to ZDNet, he's alleged to have been working on a Gentoo Linux distro
intended to help the terrorist organization better handle their multimedia propaganda accounts.
He also wrote a Python script to facilitate sharing ISIS propaganda
on social media. At least two of his online ISIS contacts turned out to be undercover FBI agents.
CyberScoop noted that Osadzinski's LinkedIn page indicated that he had worked at BlackBerry
Cylance for two months as a software tester. This doesn't seem to be the case, however.
A BlackBerry Cylance spokesperson said that,
according to our records, this individual has never been an employee or contractor for Cylance.
And finally, the U.S. National Security Agency issued an advisory
offering advice for enterprises that implement Transport Layer Security Inspection, or TLSI.
Organizations use TLSI to decrypt traffic that enters or exits their corporate network
so the traffic can be inspected before being sent on to its destination.
The process is meant to prevent the infiltration of malware or the exfiltration of sensitive data,
as well as identify encrypted command and control channels.
However, NSA notes that TLSI brings risks of its own if it's not implemented properly.
The agency recommends that TLSI only be performed once within an organization, and the device
that performs the decrypting should be isolated and well-protected.
Organizations should monitor and analyze their logs to identify insider threats and misrouted traffic,
and they should use TLSI products that are validated by the National Information Assurance Partnership.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. You and your team at
Webroot recently published a mid-year threat report for 2019. Can you take us through what
were some of the key findings there? Oh, David, as always, great to be back.
Some things that we're really seeing, they're kind of continuations and some maybe, oh yeah,
that's right. Just we're trying to put some exclamation marks and underscore some things.
One of the first things we saw is trusted domains. You know, the HTTPS in your browser,
everybody sees the green lock in all the major browsers that shows that you're on a secure
connection. Well, just because you're on a secure connection doesn't mean you're on a secure site.
So a lot of hackers are starting to really use HTTPS heavily. I mean, it's been in use by
malicious folks for a while, but it's becoming
more and more prominent. And so basically, I like to kid, but just to put it out there, people are
securing through HTTPS the hacks that they're implementing on you. So you're getting securely
hacked, which I don't know if that makes you feel better or not. Right. While the hack's going on,
your data is safe in transit. Exactly. You can be
rest assured that the hacker is making sure your data can't be compromised. Right, right.
But what we saw, nearly 25% of malicious URLs, you know, the domain is the davidbittner.com
or daviddufour.com. That's the domain. We saw that 25% of malicious URLs, which are like that.com
slash sports slash video games, those 25% of malicious URLs are hosted on trusted domains.
So you can actually look at the domain and believe the website is good, but a hacker has actually
accessed the back end of that domain and deployed malicious
software there that if you click on that, it's going to infect your machine. So it's something
you've really got to be aware of. Not all trusted domains equate to trusted URLs.
Now, you were also tracking some stuff here with Windows 7.
Oh, yeah. Windows 7. Look, Windows 7 was a great operating system. It's just very antiquated.
Lots of malware on Windows 7.
It's really time for folks to start thinking about upgrading to Windows 10.
It's a great operating system as well.
I'm not advocating for Microsoft, but we are talking about the Windows platforms here.
The exploits in Windows 7 have grown over 75%, and we continue to see malware taking advantage of those vulnerabilities in Windows 7.
What do you say to those folks who are in a situation where it's not necessarily easy to upgrade?
I'm thinking of people in industrial situations, those kinds of things where that Windows machine may be tied to other devices.
Yeah, that is always a great and tricky question, David,
because if it is an industrial machine that potentially can't be upgraded
because of the fact that it's running equipment,
you have to evaluate your risk allowance.
Can you take it off of a public network so that people can't get to it
through the internet or through your network and
some other mechanism and make those determinations. Maybe you have to work with your vendor to get it
upgraded because you are exposed because it does need to be online. But you need to evaluate that
and be very knowledgeable of the risk that you're open to. And that's a point I want to make there.
A lot of times people just kind of put their head in the sand. Okay, so you've got a Windows machine.
It's running Windows 7.
There's potential for exploits, but you've got a business decision because you've got to run your business that you're going to let that potential sit there.
Well, maybe you need to invest in some tools that monitor that machine at a higher level to make sure it's not being exploited.
So there's things you can do, but the number one thing is evaluate your situation.
All right. Well, it's the Mid-Year Threat Report. You can find it on the Webroot website.
David Dufour, thanks for joining us.
Great being here, David.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.