CyberWire Daily - Magecart is back. Bad apps booted from Google Play. OilRig taken seriously. Election influence operations. Sending in the National Guard. ICO fines Equifax for last year's breach.
Episode Date: September 20, 2018. In today's podcast, we hear that Magecart has hit a Philippine media conglomerate. Bogus (and malicious) financial apps are ejected from Google Play. Gulf states are taking warnings about Iran's OilRig seriously. A cloud hosting service serves up phish. Taiwan believes China is preparing to meddle in its elections. Facebook sets up an anti-disinformation war room. Nebraska sends in the National Guard. The UK ICO fines Equifax for last year's breach. Craig Williams from Cisco Talos on distinguishing between features and bugs with regards to security. Guest is Roela Santos from Engility, describing the CyberWarrior scholarship for veterans. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_20.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Gulf states are taking warnings about Iran's OilRig seriously.
A cloud hosting service serves up phish.
Taiwan believes China is preparing to meddle in its elections.
Facebook sets up an anti-disinformation war room.
Nebraska sends in the National Guard.
And the UK ICO fines Equifax for last year's breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 20th, 2018.
Magecart has struck again, this time in the Philippines, where it's hit the media conglomerate ABS-CBN.
The criminal group behind the operation, and there's a loose assembly of several gangs using Magecart,
is exfiltrating data to their servers in Russia.
Magecart attacks, which have recently infested Ticketmaster and British Airways, are generally thought to be criminal capers as opposed to state intelligence operations.
ESET researchers report an infestation of malicious financial apps in Google Play.
The apps have since been removed.
In operations since June of this year, they presented themselves as apps belonging to the Commonwealth Bank of Australia,
the Australia and New Zealand Banking Group Limited, the ASB Bank, the TSB Bank,
PostFinance, which is Swiss Post's financial services unit, the Polish bank Zachodni WBK,
now rebranded as Santander Bank Polska, and Bitpanda. This last one is the more interesting
target. Bitpanda is an Austrian cryptocurrency exchange that doesn't even have an app.
Various Gulf states are taking seriously warnings from FireEye about an increase in Iranian government hacking.
Much of the recent activity has been associated with the actors involved with the OilRig attacks.
Zscaler notes that a cloud hosting service is being abused by hackers.
Cogeco Peer 1 is hosting domains used to serve a range of phishing attacks and attempts on cryptocurrency wallets.
According to Zscaler's blog, the problems have been around since February of this year.
See Zscaler's blog for details on the affected domains and be alert for social engineering staged through this particular hosting service.
China is in election influence mode. Beijing has opened a campaign to affect Taiwan's coming elections.
Since taking office in 2016, President Tsai Ing-wen and her Democratic Progressive Party
have starchily rejected China's claims to the island nation.
The Sydney Morning Herald
reports that the mainland would welcome a change in administration and a more tractable attitude
to its claims. Officials in Taiwan note that the country has long served as an attractive
proving ground for Chinese operations elsewhere. They're bracing for a coming wave of cyber attacks.
Determined to do better during this U.S. election cycle,
Facebook is offering bipartisan help to campaigns,
get-out-the-vote support, and an anti-disinformation war room.
The effort will inevitably be labor-intensive.
The sort of content moderation the war room aspires to
so far defies full automation.
In the U.S., we note for the benefit of our international audience and those Americans,
most of us alas, who snoozed through high school civics classes, elections are decentralized
affairs, with the several states constitutionally responsible for conducting them.
And the states are taking various measures to secure not only elections,
but other infrastructures as well.
California and New York have passed laws and regulations
in cyber matters of most concern to them.
New Jersey is working on infrastructure protection legislation.
And Connecticut does a little bit of chest-beating
about the number of cyber attacks it fends off every day.
Good job, but don't get cocky there, Hartford.
The Center for Cyber Safety and Education has partnered with professional services provider
Engility to fund scholarship opportunities for U.S. military veterans in an effort to
help close the workforce gap while providing educational advancement for those who have
served.
Roela Santos is VP of Communications at Engility. We saw the need for more cyber talent. You've
seen the statistics about the cyber talent gap. Center for Cyber Safety and Education is predicting
a 1.8 million cybersecurity talent gap by 2022. So we think that veterans are a great source of
filling that talent gap. Also, at Engility, veterans are basically part of our DNA. 28% of our employees
and 45% of our new hires are veterans. So we have a long history of supporting veteran causes. DOD is a huge customer of ours.
So we're committed and motivated to include veterans as part of the solution as we address this broader cyber challenge. So can you describe to us what the scholarship is all about, how you
engage with veterans, and basically how it all works. Sure. So we partner
with the center to promote and solicit applications from veterans. So we divide it up and have awards
four in the spring and then four in the fall. And we suggest that veterans submit their
applications online. And there's just a few questions that we
ask. We ask that they submit their resume and why they feel that this scholarship will help them
as they see the next phase in their cyber career. The cyber scholarship, which we call
Cyber Warrior Scholarship, actually provides training and testing so that they can be certified in cyber,
which the ISC squared organization provides.
So these are critical cyber certifications that are needed for people who want to get into a cyber career.
And what specifically do veterans bring to the table here? What are the experiences
that you all find they've gained from their time serving the country? Absolutely. I think three
things, three reasons why we think veterans are ideally suited in cyber careers. First,
they already have the mindset to be a cyber warrior. They have the grit and determination because our cyber adversaries are tenacious. So they already have that mindset. Second, they're very patriotic and protective by nature. They're protective of our country, our people and our economy.
And third, cybersecurity gives veterans a lot of flexibility in their careers. So they can continue serving our country as a government employee or as a contractor,
like working for companies like Engility, or they can move into the private sector
where everybody from small to large companies to nonprofits all could use cyber expertise.
That's Roela Santos from Engility.
You can learn more about the Cyber Warrior Scholarships
at the Center for Cyber Safety and Education website.
That is iamcybersafe.org.
Don't delay.
There's a deadline for an upcoming round of scholarship awards.
It's coming up in just a few days.
There's an interesting story unfolding in Nebraska.
The town of Beatrice has come under some form of cyber attack.
Details aren't being widely shared, but what is being shared,
beyond the town's disconnection and reversion to manual backups,
is that the FBI is investigating and that the Nebraska National Guard
has dispatched cyber incident response teams to help.
The use of the Guard in this manner has long been discussed,
and Nebraska's employment of the reservist's cyber capabilities will be worth watching.
It's now been a little more than a year since Equifax disclosed its data breach,
and many have commented on what they take to be a surprising lack of enforcement actions.
But here's one. The UK's Information Commissioner's Office, the ICO, will fine the credit bureau
£500,000 for last year's data breach. Some 15 million individuals are believed to have
been affected in the UK.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000
off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Craig Williams. He's the Director of Talos Outreach at Cisco. Craig, welcome back. You know, there's that old joke, that's not a bug, that's a feature. But then also, I suppose you could add design flaw. Take us through, what's the difference here and why does it matter?
So this is a really common thing, and believe it or not, we ask ourselves this very often. You know, as you know, we do a lot of vulnerability research.
I think when the fiscal year ended, we were over 350 vulnerabilities, which is amazing.
It's more than one per business day.
And so we deal with this a lot.
The way it works on our end is if it's a bug and it's considered a security issue, well,
the vendor magically gets 90 days to fix it, right?
And hopefully they can fix it by then.
And if not, we'll have some conversations and sort it out.
But on the other hand, if the vendor says that, no, no, no, it's supposed to work that way,
that's a feature or no, no, no, that's just a design flaw.
The software is fine.
Then a lot of the times they don't want to fix it, which can put us in a weird situation
because on one hand, we want to try and get the issue fixed.
But on the other hand, if that's the way that it's supposed to work and the attackers are taking advantage somehow,
it puts us in a really difficult situation.
Now, let's move away from the abstract and talk about a real-world example of this.
One of the most recent cases we found this was with some of the MDM research we published.
So if you weren't familiar with the MDM research we published,
basically what would happen is an adversary would craft a really clever email saying,
hey, go to this server on, say, your iPhone and install the managed certificate
and you'll get something out of it.
You'll get free antivirus or you'll get your phone managed by us and we'll patch it for free.
Something no reasonable user should do, right?
I want to be very clear.
Apple has this locked down pretty well.
On enterprise phones, you shouldn't be able to do this
because there should already be a certificate on there,
and that certificate should be locked in place with a password that the user doesn't have.
Now, the problem is, home users, on the other hand, they don't have a managed device.
So when they see these, you know, effectively almost a phishing email,
and they fall for it and they click on it, and it says,
hey, would you like to install the certificate?
And they're like, yes.
And your iPhone's like, no, seriously, are you really, really sure
you want to install the certificate?
And, you know, it's like highlighting no and flashing at you,
and they're like, sure, yes.
Well, that can get you in a tricky situation, right?
Because then what happens is the attacker has basically taken control of your phone.
Now, the question there is, is that a bug?
Well, no, that's how a managed device works, right?
Is it a feature?
No, that's just how it works.
Is it a design flaw?
Well, the user's warned about nine times.
What else are they supposed to do?
Like make the phone vibrate and blink, and then would that do anything different?
And so when it comes down to these type of bugs, it's a really difficult thing to fix
because you're basically forced to figure out, how can I work around the user's willingness
to be compromised?
Now, when you're dealing with a vendor who claims that something is working the way it's supposed to, how often
is it them denying that there's an actual security problem? Are they being willfully
ignorant or do they not want to put the effort into doing the fix?
No, I don't think that's it. I think some of the time in order for things to work as
designed, you know, they have to have certain functionality, right?
You know, for example, on an enterprise network,
you're using the same username and login for your Wi-Fi
as you are for your Exchange server sometimes.
It's a convenience factor.
Well, so what happens if a user clones a Wi-Fi access point
and sets up a rogue one?
Well, conceivably, they could steal your password,
and that would be the same password used everywhere, right?
Not a security issue. It's more of a design flaw because of credential reuse and the fact that you
allowed the laptop to connect to a cloned access point. But things like that are things where you
really have to sit down and think about how everything's engineered and how bad guys could
manipulate the system. And that's why this is so important to think about when you're designing a
product or when you're designing a way a protocol should work.
And it's also something that needs to be kept in mind when you start, you know, expanding the protocol or revising it to the next revision.
Right. Craig Williams, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team
is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick
Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. Thanks for listening.
We'll see you back here tomorrow.