CyberWire Daily - No more Iranian cyberattacks since the minor weekend vandalism, but the US Government advises all to look to their defenses. Fancy Bear is the usual suspect in Austria. A guilty plea by an insider threat.
Episode Date: January 7, 2020
The kittens haven't scratched much so far, but the US Government and others are warning organizations to be alert to the likelihood of Iranian cyberattacks in retaliation for the combat death, by US missile, of Quds Force commander Soleimani. Fancy Bear is the usual suspect in the case of the Austrian Foreign Ministry hack. Patch your Pulse Secure VPN servers if you've got 'em. ToTok is back in the Play Store. And there's an executive who turned out to be an insider threat. Robert M. Lee from Dragos with a look back at 2019 ICS security issues. Guest is Tom Tovar from AppDome on mobile API security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The kittens haven't scratched much so far,
but the U.S. government and others are warning organizations
to be alert to the likelihood of Iranian cyberattacks in retaliation for the combat death by U.S. missile of Quds Force Commander Soleimani.
Fancy Bear is the usual suspect in the case of the Austrian foreign ministry hack.
Patch your Pulse Secure VPN servers if you've got them.
ToTok is back in the Play Store, and there's an executive who turned out to be an insider threat.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, January 7th, 2020.
So far, no Iranian cyber operations more serious than the defacement of the Federal Depository Library Program have come to public knowledge. As the New York Times points out, that action amounted to picking some pretty low-hanging
fruit, more target of opportunity than high-value target, more nuisance fire than fire for serious
effect. The group that claimed responsibility calls itself the Iran Cybersecurity Group hackers,
but even people disposed to look for the hand of Tehran
aren't concluding that this crew is actually working for Iran.
They're at least as likely to amount to nothing more than sympathetic hacktivists.
It's certainly possible for an organization to play well below its usual game,
either deliberately as a way of preserving deniability,
or inadvertently, just because they came out flat.
But the U.S. government continues to warn that Iran's cyber capabilities are far from negligible
and to assess the risk of Iranian cyber attack as high.
The Chertoff Group outlines the likeliest forms Iranian cyber attacks might take.
These include destructive wiperware, ransomware, distributed denial of service,
supply chain attacks, and actions against operational technology. CISA, the U.S. Department of
Homeland Security's Cybersecurity and Infrastructure Security Agency, has released a
terse warning not to underestimate Tehran's capabilities. In a follow-up to its director's
tweeted advice to take a look at what Iran's cyber operators have attempted and accomplished in cyberspace during recent years,
CISA singles out four incidents as particularly worthy of study as sources of lessons learned.
They are, in chronological order,
first, distributed denial of service actions against the U.S. financial sector from late 2011 through mid-2013.
Second, unauthorized access to control systems at
the Bowman Street Dam in Rye, New York, in August and September of 2013, a curious incident we've
had occasion to mention before. Third, a whack at the Sands Las Vegas Corporation in February 2014,
during which customer data were stolen and other information was wiped. Why the Sands?
Well, owner Sheldon Adelson had made some bellicose public remarks
about what might be done to restrain Iran's nuclear ambitions.
And as Casino.org reminds us this week, Tehran took exception.
And fourth, a long-running operation by the Mabna Institute,
Tehran's favorite cyber contractor from 2013 through 2017,
during which academic data, intellectual property, and credentials were stolen for the benefit of the Islamic Revolutionary Guard Corps.
According to the U.S. Department of Justice, this effort affected 144 U.S. universities, 176 universities across 21 foreign countries,
47 domestic and foreign private sector companies,
the U.S. Department of Labor, the Federal Energy Regulatory Commission,
the State of Hawaii, the State of Indiana, the United Nations,
and the United Nations Children's Fund.
All of these represent capabilities Iran demonstrably has.
CISA recommends five steps every enterprise
should take to harden its cyber defense posture. Disable all unnecessary ports and protocols.
Step up monitoring of network and email traffic. Review network signatures and indicators for
focused operations activities. Monitor for new phishing themes and adjust email rules accordingly.
And follow best practices of restricting attachments via email or other mechanisms.
Patch externally facing equipment,
focusing attention first on critical and high vulnerabilities
that allow for remote code execution or denial of service on externally facing equipment.
Keep track of PowerShell usage and limit it to those users who actually need it.
And finally, ensure the backups are current and stored in an accessible location that's air-gapped from the enterprise network.
CyberScoop reports that the Multi-State Information Sharing and Analysis Center,
that's the MS-ISAC, has also quietly warned its members to beware of Iranian cyberattacks.
And New York State's Department of Financial Services
has also advised the banks and other institutions it regulates
that they may well receive the attentions of Iranian hackers.
So the warnings are out.
Whether you're a mobile API provider or an app developer,
you know that cyber criminals are increasingly targeting mobile APIs.
Tom Tovar is CEO at mobile integration as a service company AppDome,
and he offers helpful insights on mobile app API security.
As we evolve and as our expectations grow with the technologies around us,
there's more and more appetite and more and more demand for mobile APIs
to provide the data and the services that mobile apps need to consume to give us all that great stuff.
Can you give us an example or two of how in our day-to-day we'd be interacting with these things?
Yeah, every time we use a mobile app, the app has to do a number of things in order to give us that content. It has to access our location.
In some of that, it can get from the device itself, but then it has to provide recommendations
based on our location or answers to the questions that we ask based on our location, and that
those answers and those recommendations often come from external sources, which are driven by APIs.
So what are the security implications that we run into then because of these interactions?
Yeah, well, there are a lot of things, actually.
So if you can imagine an application on your phone and a set of systems out in the cloud, as it were.
And it could be dozens, it could be hundreds of systems within a single mobile application. And the one mobile app is accessing all of those.
One can imagine that there's a lot of information going to and fro between the mobile app and those
systems about us, about our purchases, about our preferences, about our whereabouts.
And that information is useful, obviously, to us as consumers,
but it's also useful to the bad guys who want to use that for nefarious purposes.
I can't help thinking of my own life in the past, growing up, that on electronic
devices you had things like your UL listing, that this device has been certified to meet
a certain set of standards, it's been tested.
Is there anything like that in the works where you can put a badge on something that says
that there's been agreed upon standards and there's a certain level of security in this interaction that everyone has agreed to and met?
Yeah, well, I mean, the OWASP top 10 are great benchmarks.
You know, the OWASP top 10 for mobile app security and the OWASP top 10 for API security
kind of go hand in hand.
And any security professional will tell you that a proper security model is always a layered security model.
You know, we always advocate defense in depth.
You know, you'll hear security professionals talk all the time about how there's not a silver bullet.
There's not one thing you can do; you've got to do a lot of things right in order to create a proper security model.
So I think the reality of it is there are best practices out in the world that, you know, API providers and mobile developers can follow.
And if you'd like, I can kind of share with your listeners kind of what those things are.
Yeah, let's go through a few of them. What are some of the suggestions that you have?
Yeah, yeah. So at a minimum, what you need to do is fundamentally four things. You need to secure the access
mechanisms between the app and the API. So all of the keys, the secrets, the URLs, etc. that the app
uses to access the relevant API need to be encrypted, need to be protected within the application itself.
You need to also protect the payload, i.e. the data that the API delivers to the app.
And in a lot of cases, that data could be customer banking information. It could be
account balances. It could be all kinds of information that the API delivers.
So you need to protect that application data, that API data within the mobile app itself,
again, either through encryption or other mechanisms.
Encryption would be the preferred.
The third thing that you need to do is you need to make sure that the mobile app itself
cannot be unpacked or hacked using dynamic or static analysis. So, you know, usually what we
recommend are things like anti-tampering, anti-reversing methodologies, or code obfuscation
would be the fourth mechanism to basically obfuscate the entire code base so that the
hacker can't know, you know, where to attack and get at that information. These are the four methods that really comprise
the golden rules of API security within mobile apps. And as long as developers follow these rules,
API should be protected within mobile apps. There's still a ton of work that needs to go on
within the API backend itself, i.e. within the cloud. And for that, we would point all API providers
to the OWASP's top 10 for API security.
That's Tom Tovar from AppDome.
More observers are willing to speculate
that the recent cyber espionage incident
at Austria's foreign ministry is the work of Russia.
We should caution that the evidence for this is circumstantial,
almost to the point of being a matter of a priori probability,
along the lines of who else is likely to be stirring up trouble in Central European ministries.
But the word on the street, as summarized by InfoSecurity magazine,
is that it looks like the work of Fancy Bear.
Researcher Kevin Beaumont warns that REvil ransomware,
also known as Sodinokibi,
is exploiting unpatched Pulse Secure VPN servers
as it prospects larger enterprises.
The lesson is a familiar one.
For heaven's sake, patch.
Vice reports that Google has restored the widely mistrusted ToTok app,
thought to be an Emirati surveillance tool, to the Play Store.
ToTok has denied allegations that it amounts to spyware and denies any connection to DarkMatter,
a company widely believed to work for UAE security services.
Finally, executives can be insider threats, too.
The U.S. Department of Justice has announced that one Hicham Kabbaj, formerly a senior manager working in Manhattan for a global Internet company,
copped a guilty plea Friday in which he admitted to one count of wire fraud
before a U.S. magistrate, Judge Stuart D. Aaron.
The Justice Department primly refers to Mr. Kabbaj's former employer only as Company One,
but Bleeping Computer identifies it as Rakuten Marketing.
Within four months of joining Rakuten,
Mr. Kabbaj began sending himself bogus invoices
on behalf of a shell company, Interactive Systems,
requesting payment for firewalls and various other services,
none of which were apparently delivered.
He sent some 52 invoices between August 2015 and
April 2019. The money Rakuten paid went quickly from Interactive Systems to Mr. Kabbaj's personal
bank account. How did they catch him? At least some of the invoices were submitted as Word documents,
and IRS investigators noticed that their metadata showed Mr. Kabbaj as the author.
This raised some obvious red flags.
So, hey, you can learn a thing or two from looking at the metadata.
He'll be sentenced shortly by the U.S. District Court for the Southern District of New York,
and he could receive up to 20 years as a special guest of Club Fed.
Mr. Kabbaj's LinkedIn profile says that one of the things he does is
transform business processes and streamline them with technology solutions that deliver rapid ROI.
That's one way of looking at it.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it is a new year here,
and I thought it'd be a good opportunity for you and I
to take a look back at 2019,
some of the things that caught your attention
that were on your radar.
How was 2019 from your point of view?
Yeah, I always love these, like,
look at 2019 review or whatever else.
And they're always like, cyber attacks are bad and people are good.
And it's always like so high level.
So I like to have a little bit more metrics with them.
And we've been hard at work on the Dragos year in review as it relates to industrial control.
These are things we just about the community that talks about what were the actual, you know, vulnerabilities and everything else, right?
And so, you know, as we were starting to compile these
and actually have an answer here in the new year,
I think one of the things that stands out to me
with regards to the industrial control system community,
and then I'll talk about the enterprise and IT community,
but the industrial control system community is,
I think we've reached a critical turning point or inflection point, I should say, in the industrial control system community where there's an executive level awareness that this is going to require an actual strategy for industrial security that's different than the enterprise.
And why I say that is, 2018, I did a lot of board presentations at these companies.
It was very endearing and it was exciting to see them having these conversations. But I probably did, I don't
know, 15 to 20 of them. And this year, this past year, I have started to see all of the board
members that talk to board members who should spread and network and similar. I'm seeing the
CSOs have the same kind of talking points. I'm seeing an executive level
buy-in. We've always had kind of this practitioner level awareness, but executive level buy-in that
this is something that needs to be done and can be done. I would like to think that 2019 is going
to be that inflection point of the buy-in. Not necessarily we've got everything figured out,
but actually in the industrial control system community at large, especially in electric, oil and gas, and some subsectors of manufacturing, and actually I'm
starting to see it in rail now a little bit as well, but we're starting to really see a better
community-wide understanding. And so I think we'll move past kind of my 2020 predictions,
if you will, which I hate predictions, but move past the let's do the standard and framework and checklist and moving towards let's think about this critically. Now,
is every company going to get it right? Of course not. But I think as a community,
we're starting to see that awareness. Now, I mean, personally for you at Dragos,
2019 was certainly a year of a lot of growth for you, which, I mean, can we look at that as being
that there's a lot of demand out there for the types of work
that you all are doing from Dragos and other companies in the space?
Yeah, and so this is where in my day-to-day, I'm such a
hyper-competitive person. If you were in my staff meetings, you would hear me be like,
cool, what are we doing against them and how do we do this? I'm truly hyper-competitive. But if I step back
for a second, I'm just so damn proud of the fact that there's multiple
ICS security vendors, there's multiple vendors going through massive growth, like, it's just a
good things at to your point, that the demand is there, the market is moving, which means the
community is growing, which means work is getting done. And even though there's different views on
what work needs to get done, those will relate to lessons learned to figure out whose views are better accurate for
different environments. And, and I think we're going to get a much better place for it. And yeah,
for us, we still do like 300% growth every year. I mean, I have over 170 employees now. And this
time last year, I think it was at like 60 or something. It's just every year is this massive growth.
I'm excited.
I don't know.
I've always been kind of an optimist.
There's plenty of things that scare me or make me upset.
And, you know, I think some people have listened to me before go, you have all this optimism,
but look at all these bad things like, no, no, no.
The reason I say this, though, is I've always been intimately aware of the bad things, but I'm seeing the good things.
And that's something to get excited about.
It's not my underappreciation for how terrible some of these things are, including threats that could literally kill people.
But it's my appreciation that our community is just amazing and it's growing and it's good for everybody.
Yeah. All right. Well, a good look back and happy new year to you.
Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.