CyberWire Daily - More Elon Musk impersonators in social media. Cryptocurrency raided. Spearphishing in Palestine. BlackTech espionage group. Apple upgrades. Polar Flow fitness app and oversharing.
Episode Date: July 10, 2018. In today's podcast, we hear that advance fee scams run by Elon Musk impersonators are using the recently rescued boys' soccer team as phishbait. Bancor wallet robbed of cryptocurrencies. Palestinian police spearphished. BlackTech espionage group using stolen certificates to sign malware. Apple's upgrades are out—one privacy enhancement has a workaround. Microsoft is in the process of patching. And another fitness app, Polar Flow, overshares. Jonathan Katz from UMD on homomorphic encryption standards. Guests are Julie Bernard from Deloitte and John Carlson from the FS-ISAC with results from a recent FS-ISAC survey.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Advance fee scams run by Elon Musk impersonators use rescued boys' soccer team as phishbait. Bancor wallets robbed of cryptocurrencies. Palestinian police have been spearphished. The BlackTech espionage group is using stolen certificates to sign malware. Apple's upgrades are out. One privacy enhancement has a workaround. Microsoft is in the process of patching. And another fitness app overshares.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 10th, 2018.
If you've been following the saga of the boys trapped in a cave in Thailand,
you'll be happy to know that they're now all reported to be out and safe.
A happy ending, saddened by the accidental death of a volunteer diver who worked on the rescue.
You'll also no doubt be aware that Elon Musk offered the use of a mini-sub to get the boys out.
The sub was not in the end necessary, but of course the story has drawn scammers.
The usual impersonators have shown up on social media claiming to be Elon Musk and offering, in the midst of updates on the mini-sub, a fortune in cryptocurrency to those who play ball. It's the usual tired advance fee scam.
If you incautiously navigate over to the scammer's webpage,
you'll learn that all you have to do is send between 0.1 and 5 Bitcoin in order to receive from 1 to 50 Bitcoin back.
If you find yourself tempted, lie down until the temptation goes away.
A wallet operated by Bancor, a cryptocurrency exchange that raised $150 million in a 2017 ICO, has been compromised. Thieves are said to have made off with $10 million in Bancor's own BNT, $12.5 million in Ether, and $1 million in Pundi X's NPXS. Bancor has frozen BNT but says it can't do much about the Ether or NPXS.
A spearphishing campaign against Palestinian law enforcement officials is reported to be underway. Its use of Micropsia malware and its development in Delphi leads security company Check Point to suspect that it's the work of the same group Cisco's Talos Labs and Palo Alto Networks' Unit 42 found engaging in a similar campaign last year. Check Point speculates that the group may be affiliated with Hamas.
Researchers at security firm ESET have found an espionage group, BlackTech, using certificates stolen from Taiwanese firms D-Link and Changing Information Technology to sign Plead backdoor malware. BlackTech has been most active against East Asian targets. ESET assesses their work as sophisticated, a cut above the usual.

Apple issued security fixes and updates for many of its products yesterday. The patches and upgrades affect macOS, watchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows, and iOS.
The iOS upgrade has attracted considerable attention.
Among other things, it offers USB Restricted Mode, which disables an iPhone or iPad Lightning port beginning one hour after the device was last locked. USB Restricted Mode prevents the port from transferring data until the device is properly unlocked.
Beyond its obvious value in lowering the risk of losing sensitive data should an iPhone or iPad be lost or stolen, the mode is particularly attractive to people who don't want police or other authorities rummaging their devices.
A workaround has already been found, however.
Researchers at security firm Elcomsoft found that if the police act quickly enough, they can prevent USB restricted mode from kicking in.
If they connect an iPhone they've seized to a compatible USB accessory within that one-hour window,
the phone won't enter USB restricted mode.
Where can you get such a compatible accessory?
As observers like Graham Cluley pointed out with customary cheerfulness,
Apple itself will sell it to you.
A lightning-to-USB camera adapter can be yours, officer, for the low, low price of $39.
The FS-ISAC, that's the Financial Services Information Sharing and Analysis Center, recently teamed up with Deloitte to survey cybersecurity professionals in financial services. We'll hear first from John Carlson from the FS-ISAC, and he'll be joined by Julie Bernard from Deloitte.

Well, the survey actually was developed by Deloitte. We worked in partnership with Julie Bernard and her team at Deloitte. We've had a long-standing relationship with Deloitte in terms of working with our members to benchmark and understand how the changing cyber threat environment is evolving and what sort of strategies are top of mind for chief information security officers.
This particular benchmark fills a bit of a gap. Many of the programs already assess themselves on a NIST cybersecurity framework basis. We actually did not focus that many questions on the NIST CSF. We focused more on the inputs and the orchestration of their programs and the profile of the companies themselves so that you actually could look at peers. So if you are a multinational institution, whether you're a bank or an insurance company, you may have some commonalities. If you have assets under management over a trillion dollars, or if your revenue is over, say, $2 billion, how do you look compared to the rest? Things that may drive security spend beyond what we hear in some industry news around security spend as a percent of IT spend.

I see. So sort of clustering like groups together so that the data is more relevant for folks within those groups. Well, what were some of the key findings there?
It's still a little bit early, I think, in our survey process. This is a bit of a linear study. However, what we did find, something kind of surprised us a little bit, and some other things didn't quite. One of the surprises was how you are actually orchestrated doesn't matter that much. Meaning whether you have a centralized program or a decentralized program, to a certain extent, how much you spend does not necessarily equate to a maturity score on NIST. What wasn't exactly surprising was, as we looked at a couple of different denominators, that smaller companies, for example, tend to spend a bit more on a per person basis than larger companies. And that, to me, kind of makes sense because there's not as many people to amortize shared costs if you're with a smaller company.
John, I think the financial services side of things certainly gets a lot of attention for the amount of regulation that it has. And I think because of that, it is looked to as, when it comes to cybersecurity, as generally being organizations that are setting the standard, that have their, for lack of a better word, have their stuff together. Does this survey reflect that? And if so, how does that allow the financial services side to be an example to folks in other industries who are looking at their own cybersecurity posture?
Well, yeah, I think it does, because the survey, to my mind, was really helpful in terms of teasing out, I think, probably something that has been evolving over some time, but the survey, I think, served as a foot stomp in terms of underscoring the importance of chief information security officers to be more strategic, to not only focus on the day-to-day operational issues of defending networks, of protecting information, of implementing controls, but also helping the company think about how it's going to defend itself in the future and how to integrate the security controls into the full suite of products and services and efforts to educate their customers on how to defend themselves against these types of cyber attacks. I thought that was one of the key findings from the study in terms of thinking more strategically, in addition to all the good work and the hard work that's done on a day-to-day basis to defend networks and protect information and customers.
That was John Carlson from the FS-ISAC. He was joined by Julie Bernard from Deloitte.
You can find their report, The State of Cybersecurity at Financial Institutions, that's on the Deloitte website.
Today is, of course, Microsoft's Patch Tuesday.
Updates are issuing from Redmond now as we record this show.
Keep an eye on Microsoft's Security Tech Center for the fixes as they roll out.
The Polar Flow fitness app, popular among soldiers, spooks, and others professionally devoted to staying fit in odd corners of the earth, may be oversharing. According to researchers at the investigative shop Bellingcat and the Netherlands news outfit De Correspondent, what's at issue is Polar Flow's Explore feature, which lets users find new routes and activities near them that other users have shared. The researchers looked at sensitive locations and say they were able to identify 6,460 individuals who were busily keeping themselves fit. They were able to find heart rates, routes, dates, times, duration, and pace of exercises.
That's not likely to be directly useful to a hostile intelligence service,
although one hesitates to rule out creative possibilities entirely,
but it does enable someone to gather a good indication of whether a particular installation is active,
how many people, roughly speaking, are there, the routes they tend to follow,
and of course the geolocation of the fitness buff's quarters.
Patterns of activity reveal, or at least confirm, the locations of sensitive sites,
and, because people tend to turn the tracker off when they get home, the residences of the users.
Minimally, the app would seem to have some potential as a doxing or harassment tool.
One of the Bellingcat researchers explained, quote, tracing all of this information is very simple through the site. Find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on or off when leaving or entering their homes, they unwittingly mark their houses on the map, end quote. Polar, the manufacturer of the app, points out that it was not breached, but it also wants to offer better privacy, and so it's temporarily suspended the Explore API until it comes up with some better approaches. The episode is reminiscent of one from last year when fitness app Strava's similar heat map exhibited oversharing. So, if you must exercise, consider OPSEC.
And doesn't all that self-inspection smell faintly, at least of narcissism?
Here's an OPSEC tip from an unexpected source. Robert Maynard Hutchins, the long-serving mid-20th century president of the University of Chicago,
is famous for having said, as he was de-emphasizing athletics and taking his university out of the Big Ten Conference,
quote, when I feel like exercising, I just lie down until the feeling goes away, end quote.
So how about it, you Rangers, you SEALs, you SAS types, you Spetsnaz? Take a tip from the great bookie himself and lie down.
Maybe read some of the classics like Epictetus.
No, seriously.
Do keep running and enjoy the parkours.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
I saw an interesting article come back on Microsoft's research blog, and they were sort of celebrating that the second homomorphic encryption standardization workshop had delivered the goods. What are these standards we're talking about here? And why is homomorphic encryption something that we should be happy about?

Fully homomorphic encryption was one of these things that for a long time was kind of a pipe dream of cryptographers. And only relatively recently, less than 10 years ago, did the first proposals for fully homomorphic encryption come out. And what's been amazing since then is how quickly the idea of fully homomorphic encryption has gone from being something that was completely infeasible, namely because it was very inefficient, to something that is still very slow, very inefficient, but has now been implemented, has now been used for several toy projects, and like you mentioned, has now even been standardized by a group of researchers at Microsoft and other institutions.
So for those who don't know, fully homomorphic encryption is a technology that allows computation
to be done on encrypted data.
Essentially, that means that somebody can encrypt some data, send it to somebody else, and that second party can then process the data
without even seeing it, without learning anything about it, and then send it back to the first party
who can decrypt and get the result. So it's really a fabulous idea. It would have a lot of applications.
And the standardization workshop that you mentioned was trying to develop a set of standard schemes and security parameters for these fully homomorphic encryption schemes.
Now, is this a matter of the algorithms or the underlying technology improving over time?
I mean, I remember when I was a kid and the first Rubik's Cubes came out, there were solutions published.
But in the decades since then, those solutions have gotten more efficient.
And, you know, you see people solving Rubik's Cubes practically instantaneously these days.
Is it a similar sort of march of progress where over time people come up with clever ways to have this be more practical?
Oh, yeah, absolutely.
I mean, the initial ideas, like I said, were extremely slow.
But then people built on them.
People came up with all kinds of different improvements, different underlying assumptions they could use to build schemes, different ways of optimizing them, better ways of implementing them.
And have really been able to improve the performance by several orders of magnitude.
Now, it doesn't mean that we're going to be seeing widespread application of fully homomorphic encryption anytime soon.
Like I said, it's still relatively slow.
It's still unclear what kind of the killer application for this will be, where that kind of a slowdown is going to be acceptable.
And also, this standardization workshop, it's not clear that it has any force, per se.
It was done, like I said, by Microsoft and several academic researchers. It wasn't done by a traditional standardization body or organization like NIST or one of the IEEE organizations.
And so they really just put it out there kind of as a benchmark for people to follow,
but we'll see whether anybody ends up adopting it.
So take me through, what are the advantages of having these sort of standardization drafts out there?

Well, the one thing that's very helpful is that it gives people, like I said, a benchmark. It gives them something to base further improvements on. It tells people what the current best schemes are. So it gives people a target if they want to look for further improvements. And it also spent a fair bit of time coming up with security estimates for the existing schemes. So this basically means looking at what the best known attacks are on the existing schemes. And again, that just provides some kind of a common benchmark for people if they're looking to develop improvements on those attacks.

All right. Well, it's interesting stuff as always. Jonathan Katz, thanks for joining us.

Great. Thank you.
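As an added illustration that is not part of the episode or of Professor Katz's remarks: the "computation on encrypted data" idea he describes, shown with the Paillier cryptosystem. Paillier is only additively homomorphic (a party holding just the public key can compute sums and scalar multiples of encrypted values, not arbitrary functions as fully homomorphic schemes allow), which is enough to show the round trip he sketches: the first party encrypts, the second party computes on ciphertexts it cannot read, the first party decrypts the result. The primes, key size and sample payroll figures are constructed for the demo and far too small for real use; the function names are my own.

```python
from __future__ import annotations

import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int   # RSA-style modulus p*q
    g: int   # generator; the common choice g = n + 1 keeps decryption simple


@dataclass(frozen=True)
class PrivateKey:
    lam: int  # lambda = lcm(p - 1, q - 1)
    mu: int   # inverse of L(g^lambda mod n^2) modulo n


def keygen(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Derive a Paillier key pair from two distinct primes supplied by the caller."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    n2 = n * n
    l_value = (pow(g, lam, n2) - 1) // n   # the L(x) = (x - 1) / n map
    mu = pow(l_value, -1, n)               # modular inverse (Python 3.8+)
    return PublicKey(n, g), PrivateKey(lam, mu)


def encrypt(pk: PublicKey, m: int) -> int:
    """c = g^m * r^n mod n^2 with fresh random r: equal plaintexts give different ciphertexts."""
    if not 0 <= m < pk.n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = pk.n * pk.n
    while True:
        r = secrets.randbelow(pk.n - 1) + 1
        if math.gcd(r, pk.n) == 1:
            break
    return (pow(pk.g, m, n2) * pow(r, pk.n, n2)) % n2


def decrypt(pk: PublicKey, sk: PrivateKey, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n2 = pk.n * pk.n
    l_value = (pow(c, sk.lam, n2) - 1) // pk.n
    return (l_value * sk.mu) % pk.n


def add_encrypted(pk: PublicKey, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts: Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    return (c1 * c2) % (pk.n * pk.n)


def scale_encrypted(pk: PublicKey, c: int, k: int) -> int:
    """Raising a ciphertext to k multiplies the plaintext by k: Enc(m)^k = Enc(k * m)."""
    return pow(c, k, pk.n * pk.n)


def untrusted_total(pk: PublicKey, ciphertexts: list[int]) -> int:
    """The second party's job: it holds only the public key and ciphertexts,
    so it sums the encrypted values without learning any of them."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


def payroll_demo() -> int:
    """First party encrypts figures, ships them off, gets back an encrypted sum, decrypts it."""
    # Constructed toy primes (the 9999th and 10000th primes); real keys use ~1024-bit primes.
    pk, sk = keygen(104723, 104729)
    salaries = [52000, 61000, 58000]                 # constructed sample data
    encrypted = [encrypt(pk, s) for s in salaries]
    assert len(set(encrypted)) == len(encrypted)     # randomized encryption: no repeats
    encrypted_sum = untrusted_total(pk, encrypted)   # computed without the private key
    return decrypt(pk, sk, encrypted_sum)            # 171000


if __name__ == "__main__":
    print("decrypted total:", payroll_demo())
```

The design point worth noticing is that `untrusted_total` never touches `PrivateKey`: everything the second party does is modular multiplication on ciphertexts, which is exactly why the scheme is slower than plain arithmetic and why, as the interview notes, the cost has to be justified by the application.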
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.