CyberWire Daily - Patch Magento soon. Toyota hacked again. Exodus spyware hits app stores. Moscow seeks to corral VPN providers. Facebook wants regulation. Swatting sentence. Phishing tackle in Nigeria.
Episode Date: April 1, 2019
In today's podcast, we hear that Magento users are being urged to patch as risk of exploitation rises. Toyota experiences another cyber attack, and some observers blame, on grounds of motive, opportunity, and track record, OceanLotus. Exodus spyware in the Google Play store looks like a case of lawful intercept tools getting loose. Moscow seeks to control and limit VPN providers. Mr. Zuckerberg wants regulation. Mr. Barriss gets twenty years for swatting. And, hey, there's phishing tackle on the Nigerian National Assembly's site. Joe Carrigan from JHU ISI on a spying app leaving unsecured data online. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K.
Magento users are urged to patch as risk of exploitation rises.
Toyota experiences another cyber attack, and some observers blame, on grounds of motive, opportunity, and track record, OceanLotus.
Exodus spyware in the Google Play Store looks like a case of lawful intercept tools getting loose.
Moscow seeks to control and limit VPN providers.
Mr. Zuckerberg wants regulation.
Mr. Barriss gets 20 years for swatting.
And hey, there's phishing tackle on the Nigerian National Assembly's site.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 1st, 2019.
As the risk of Magento e-commerce software exploitation rises, experts recommend immediate patching.
Magento has made patches available, and users of its products should apply them.
We note that last Friday we carelessly referred to Magento as Magneto, which of course it is not.
Magento is an e-commerce platform. Magneto is a mutant supervillain and founder of Factor 3, as Professor Charles Xavier would have told our e-commerce desk
had they asked him.
Toyota disclosed Friday that attackers had accessed customer sales data on its servers in Japan. There's no attribution yet, but speculation has turned toward Vietnamese threat group APT32, also known as OceanLotus. There have been multiple reports since February that Vietnam's government has been engaged in a campaign of industrial espionage aimed at giving its incipient domestic automobile industry a leg up. Toyota's operations in Vietnam may also have been hit in this most recent wave of attacks. The carmaker's Australian subsidiary sustained an attack earlier in March.
We heard from Lucy Security CEO Colin Bastable about the latest incident. He said, quote, I expect that Toyota's Japanese customers are collateral damage in an attempt to steal Toyota's intellectual property, end quote.
Noting how widespread industrial espionage has become, Bastable added, quote, all businesses which hold valuable IP should assume that they will be attacked. Unfortunately, businesses seem incapable of learning from others' experiences and must become victims in order to adapt, end quote.
Independent security researchers posting their results to Security Without Borders say they've found more Android apps fronting for spyware.
The apps represent themselves as mobile operators' service applications,
and they appear to have been written in and probably largely for an Italian market.
The researchers perceive connections between the intercept agent, which they're calling Exodus, and Italian company eSurv, which is based in the southern Italian city of Catanzaro and specializes in video management and analytics.
The spyware's command and control server is apparently identical to one used to manage eSurv surveillance cameras.
Motherboard calls Exodus a case of lawful intercept gone wrong, and they think eSurv may have developed it for Italian police, but neither the company nor the police have responded to their inquiries.
It's worth noting that there is such a thing as a lawful intercept tool.
It's spyware used, ideally,
in a carefully restricted and overseen law enforcement investigation.
Think of it as a legal wiretap,
only done over the Internet and mobile telecom networks,
a modern version of getting a court order to put a bug on a phone.
The problem here is that if indeed Exodus is the lawful intercept tool many say it appears to be,
it's scooping up a lot of quite innocent people's devices and data.
There are other issues here as well, among them the difficulty of controlling what gets into even the walled garden of official app stores.
We heard from Will LaSala of OneSpan, who emailed to point out that, quote, this underscores that relying on Google or Apple to detect malicious apps is not a safe idea. Customers should look to protect their own apps with app shielding rather than look toward the platform vendors for increased security, end quote. It's easy, he said, for platform vendors to err on the side of convenience, quote, as such, app developers and companies deploying apps really need to take
that they have 30 days to connect their services to a government blacklist of forbidden sites or cease operations.
The companies who got the letter were NordVPN, HideMyAss, Hola VPN, OpenVPN, VyprVPN, ExpressVPN, TorGuard, IPVanish, Kaspersky Secure Connection, and VPN Unlimited.
Four of these, TorGuard, VyprVPN, OpenVPN, and NordVPN, have already stated their intention of exiting the Russian market rather than comply.
The Russian government had earlier put the strong arm on search engines to align their results with official policy.
Moscow says that they're simply trying to secure the freedom of the Internet
and not censor it, but that explanation finds few takers.
Facebook CEO Zuckerberg has an op-ed in the Washington Post in which he asks governments to regulate him. First, he'd like to be told what content he needs to block. Second, he wants election laws to be more broadly applied and to regulate content about issues as well as content about candidates. Third, he likes GDPR and thinks it might serve as a model for a global system of privacy enforcement. Finally, he wants data portability guaranteed. If users put data on one service, they ought to be able to move it to another.
His proposal isn't really rent-seeking, but it's obvious how laws like this would be good for Facebook. They would certainly shift regulatory and reputational risk from Facebook to the government. It's less obvious how such regulation would be received by those with strong First Amendment sensibilities, but then that's not really big tech's concern.
Tyler Barriss has been sentenced to 20 years in a U.S. federal prison for his admitted role in Andrew Finch's December 2017 swatting death.
Barriss' two alleged conspirators, Shane Gaskill and Casey Viner, will have their own fate decided later.
They have both protested their innocence.
This was an unusually repellent case that put all the Internet's sadly familiar disinhibition and disconnection from reality on display.
It's worth reviewing what happened.
Mr. Viner, 18 years old at the time, allegedly asked Mr. Barriss to swat Mr. Gaskill, then age 19, in his Wichita, Kansas home. Viner and Gaskill were engaged at the time in an online squabble prompted by their play of Call of Duty.
Mr. Gaskill provided the wrong address and then, the government alleges, goaded Mr. Barriss into swatting him. So Mr. Barriss called 911 from his home in California, pretending to be an armed man holding his family hostage, and gave police the address he'd received.
When the police showed up, the door was answered by the man who lived there with his family, Andrew Finch, who had no acquaintance with and no connection to any of the three involved in the Call of Duty affair of honor. Police shot Finch in the mistaken belief that he was armed and going for his gun, which of course he wasn't.
Mr. Barriss said he was sorry in court Friday, but that remorse seems both late and thin, especially given what he did last April when he gained Internet access from jail, broadcasting, you are about to get swatted.
And finally, BleepingComputer may have called it ironic, but it somehow seems inevitable. The website of the Nigerian National Assembly for about two weeks was serving up a landing page for phishing attacks that were after DHL credentials. Needless to say, it wasn't government policy to host this phishing tackle.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He is also my co-host on the Hacking Humans podcast. Joe, it's great to have you back.
Hi, Dave.
A story came by recently about an app that turned out to be up to no good. Describe to us what's going on here.
The app was called MobiSpy.
And it's one of these apps that ostensibly is for users to install on their children's phones to monitor where they are, or possibly for an employer to install on company phones to monitor their location. But in actuality, what these apps are usually used for is by abusive spouses to track the location and the activity on the phones of their partners.
I see.
Okay.
So this MobiSpy app would store data in the cloud,
and it left 95,000 images and more than 25,000 audio recordings
of presumably phone calls accessible to anybody who knew where they were.
So no login, no this is an unlocked bucket of information that was just hung out there.
No security whatsoever.
No authentication.
And the location of the database was hard-coded into the app.
Wow.
So you could extract it and then start looking at the data on the website,
on the cloud, on the database.
Now, there's a story here about the attempts for a responsible disclosure with this.
Correct. The researcher was Cian Heasley, who found the server, and he reached out to MobiSpy to try to get them to seal up the breach and got no response from their CEO and founder.
Nothing. And then he reached out to Motherboard, and Motherboard was like, well, how else can we
address this?
They reached out to GoDaddy and to Codero, who was a cloud hoster.
Codero was a cloud hoster.
Yeah.
Who said they couldn't do anything.
So Motherboard did the next responsible step, and they publicized the information.
Now, they did not publicize the name of the app because that would represent too much of a risk
to the people whose data was exposed.
Okay.
But they did name Codero and GoDaddy in the original article.
And then, guess what?
Codero said, oh, maybe we can help you.
So the hosting provider.
Right, the hosting provider who initially said,
no, we can't do anything about it.
Well, now that you've talked about us in the public,
okay, we're going to do something about it.
They sort of got shamed into it, I guess.
Right, exactly.
Yeah.
They issued a letter to MobiSpy with a deadline of hours, not days, and MobiSpy did not respond.
They eventually took the content down and made it no longer accessible.
Huh.
The MobiSpy app is no longer, I can't find it in the Google Play Store at all. According to the Motherboard article, the website's gone and everything. But this irritates me.
It's close to home for you, right?
Yeah. There are a number of issues going on here. Number one, you don't need these kinds of apps. If I want to know the location of my family, I share my location on Google Maps with my family. In fact,
I do that. So I can tell where my family is
and they can tell where I am.
But they're aware that they're sharing that information.
Not only are they aware of it,
but every six months or three months,
Google sends you an email
to let you know who you're sharing your information with.
Right, so you've got consent there.
So you've got not just consent, but continual consent.
Okay.
So there is no need for this kind of a tracking app on a phone.
You're covered in other ways by both of the popular operating systems.
The only reason for these apps to exist is for people to be abusive to other people.
This is my opinion, but I really don't think that these apps have a legitimate purpose.
Right. So not a fan.
Not a fan. The other thing in here, and this is something I find very frustrating. One of my roles is a vulnerability disclosure manager at the Information Security Institute.
At Johns Hopkins.
At Johns Hopkins. Okay. And frequently when we disclose vulnerabilities, I send a package over to a lot of these companies, and I've sent packages to companies and I have said, who do I disclose software vulnerabilities to? And they go, I don't know.
So you're the guy who has to send this out and try to give them the good news, bad news.
Right, right.
Bad news, we found a vulnerability.
Good news, here's how you fix it.
We're coming to you first.
Right.
We're coming to you first because we're going to responsibly disclose this, just like Cain did here.
Yeah.
I like the process that Cian Heasley and Motherboard followed, right? But frequently when I disclose vulnerabilities to people, we tell them, you have 14 days to respond or we're going to go public with it. And the reason we tell them you have 14 days is because the first couple of times we did it, we said, you have a 90-day window in which to fix this and we will disclose it after that, and we heard nothing back.
So we tell people 14 days so that...
So you're using a little social engineering here to turn up the heat.
Exactly. We tell people 14 days and they go, whoa, whoa, we can't fix this in 14 days. Then
we say, oh, good. Okay. How long do you need? How long do you need? Let's discuss it.
You get a response from them because you inject that sense of urgency.
Right. We give them an artificial time constraint.
Although it's not really artificial.
We will release the data in 14 days if we don't hear back from them.
I see.
But I do want to reiterate that if they so much as respond to us during that 14-day period,
then we start a conversation immediately.
And if they ask for any amount of time, we'll grant it.
Yeah.
I mean, we're not going to give you two years.
Right.
But you're going to be reasonable about it.
Yeah, we're going to be reasonable.
If you say, we need 90 days to fix this, we need six months to fix it, okay, that's fine.
As long as we're credited with finding the bug, we're fine with that.
Yeah.
Just don't stick your head in the sand.
Yeah, don't stick your head in the sand.
All right.
Well, another one of those sad stories we see playing out here with people's personal information just being hung out there and maybe a lesson about using these types of apps.
It seems the only way to get these companies to do something is to publicly shame them.
Yeah, it's a shame.
It is a shame. It is a shame.
All right. Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.