CyberWire Daily - Pledging allegiance to ISIS, and then going forth to kill. Adware in Google Play. Context-aware phishbait. Facebook and the FTC. Server crash or exit scam?
Episode Date: April 25, 2019
Sri Lanka’s investigation of the Easter massacres continues, with some ISIS video surfacing. Apps with aggressive adware found in Google Play. Context-aware phishbait may be bringing the Qbot banking Trojan to an email thread near you. Facebook seems to think the FTC is about to hit it hard, and sets aside a rainy day fund. And the Wall Street Market, a contraband souk on the dark web, may be engaged in an exit scam. Ben Yelin from UMD CHHS on the NSA recommending dropping the phone surveillance program. Guest is Jason Mical from Devo on the increasing importance of threat hunting. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code N2K at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Sri Lanka's investigation of the Easter massacres continues, with some ISIS videos surfacing.
Apps with aggressive adware are found in Google Play.
Context-aware phishbait may be bringing the Qbot banking trojan to an email thread near you.
Facebook seems to think that the FTC is about to hit hard and sets money aside for a rainy day.
And the Wall Street Market, a contraband souk on the dark web, may be engaged in an exit scam.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner.
And I'm Jack Bittner with your Cyber Wire summary for Thursday, April 25th, 2019.
Sri Lanka's investigation into the Easter massacre continues, as does the national state of emergency.
The jihadists seem to have achieved one victory in addition to the murders they intended.
The Catholic Church in Sri Lanka will suspend all services until the government can secure them.
There's video out online of figures allegedly associated with the bombing pledging allegiance to ISIS.
Sri Lankan authorities continue to investigate not only the bombing itself, and apparently there was an additional bomb found
that failed to be detonated, but also the issue of how they could have overlooked their own warnings
of an impending jihadist action. How the attacks came to be coordinated will be an important piece
of the puzzle. The Easter massacres do indeed appear to have been carefully arranged by a group of perpetrators.
This isn't a case of pure inspiration, of some radicalized soul deciding to strike a blow of, say, the pack at a mock howling in the hope of being heard by a lone wolf.
In any case, investigation continues as authorities in neighboring South Asian countries look to their own intelligence about this class of threat.
Security firm Avast has found some aggressive adware apps in Google Play.
They're for the most part lifestyle apps,
and they've achieved some 30 million downloads.
Some of the apps in question are Pro Piczoo, Photo Blur Studio, MoveTracker, Magic Cutout, and Pro Photo Eraser.
They've been reported and many are now gone.
They were not only serving a lot of pop-ups, which is irritating in itself,
but in doing so they were also loading some potentially unwanted programs and draining phone batteries.
Researchers at JASK are describing some context-aware phishing that distributes the Qbot banking malware.
The payload is carried by an email that appears to be a reply to messages in one of the victim's existing email threads.
So don't assume that just because the email came in with a reply to something Betty in HR or Bob in Finance emailed you a couple of days ago,
that it must be legit. Think before you click.
The Federal Trade Commission is increasingly looking at personal sanctions for Facebook CEO Mark Zuckerberg.
The FTC is investigating the company to see if it violated a 2011 consent decree
with the commission in which the social network agreed, among other things,
to both notify users and get their explicit permission
when information about them is shared in any way that exceeds the privacy settings the users have established.
The latest investigation was opened in 2018, shortly after the Cambridge Analytica scandal broke.
Regulators are examining Mr. Zuckerberg's past statements on privacy to determine if he can be held personally responsible for a breach of this agreement.
The thought of fining Mr. Zuckerberg himself has also gained support from some lawmakers,
with Senator Richard Blumenthal saying such a measure
would send a powerful message to business leaders across the country.
Facebook's recent record of privacy mishaps is having an impact on its reputation.
A ThreatPost poll found that 75% of security professionals express some degree of
mistrust in the company. Such mistrust extends to related philanthropic and educational endeavors.
An online learning platform called Summit, which was funded by Zuckerberg and his wife
and developed by Facebook engineers, is facing growing resistance in schools across the country
from students, parents, and teachers
who say the technology leads to health problems stemming from too much screen time and isolation from peers.
But so far, anyway, mistrust hasn't resulted in declining revenue.
Let's turn to our in-studio analyst on this Take Your Kid to Work Day.
What effect is all this having on Facebook as a business, Jack? You know all
about Facebook. I do, even though I prefer Instagram, which as you know, is a Facebook
property. Well, Dad, Facebook told its investors yesterday that it was setting aside three billion,
and that's billion with a capital B, against the likelihood that the Federal Trade Commission's
investigation of data abuse would go against the company.
So the House of Zuckerberg seems to think that the FTC is not going to let them skate,
and so they've priced in the cost of the next consent decree.
People think the total settlement could rise as high as $5 billion,
and that's $5 billion with a big, big B.
But for all that, Facebook's stock price hasn't suffered.
It's even gone up because the company is reporting good revenue numbers.
So, Dad, I think this shows how much money is sloshing around in Silicon Valley.
It's like they found $3 billion that fell out of their pockets when they were sitting on their couch or something.
If Facebook is hit with penalties in the $3 to $5 billion range,
that will exceed by two orders of magnitude the old record the FTC set back in 2012,
when it levied a $22.5 million fine against Google for an earlier set of privacy issues.
When it comes to protecting their enterprises, many organizations have come to the conclusion
that detection isn't enough, and they need to implement threat hunting to seek out bad actors in their networks.
Jason Mical is from Devo, a company that provides data analytics, and he advocates not only being able to hunt through your network, but being able to move through time as well.
If you look at the statistics of cyber breaches and what they call dwell time, dwell time is, you know, how long is this threat actually in an environment before it gets detected.
Unfortunately, those dwell time statistics are still astronomically high.
Even though we've got the sharing going on, we've got all of, you know, this latest and greatest technology that's available to the industry, the dwell time gets higher and higher and higher for me.
So I'm sitting here to where it could be a month before I am aware that this threat was even inside my organization.
That's why it's critical to have the capability to ingest the threat intelligence, arm your technologies with it for real time, but also have a solution in place that enables you to go back in time in a large scope, not just 30 days, not just, you know, three weeks or whatever.
I need to have a solution, a centralized or enterprise-type log management solution, to where I can keep all of my cyber data, all of my data, in a centralized location for a year, right?
To where I could say, no matter what information that gets provided to me, I could immediately arm my solution with this intelligence and go back a year ago to see, has there ever been any traces of this threat in my organization?
So forgive me, perhaps an awkward or a simplistic metaphor here,
but I'm kind of imagining, you know, if I have the lobby of my building and I come into work one day
and I notice that, you know, someone has stolen a painting off the wall,
and I'm not sure when they did it, the first thing I would do is go to my security cameras
and rewind and see when somebody came and took that painting off the wall.
Is that the sort of thing you're talking about here with the ability to go back in time and see when things happened?
It absolutely is.
So I love that scenario you just brought up because it's
very applicable to the cyber world as well, because that's why there's technologies out
there that do packet capture, as they call them. So it records all the activity that is happening
on the network. Also, you know, very stringent logging capabilities. So anything that's happening
on the endpoints or in the systems, it's being logged and saved and historically retained.
So yes, from a physical environment, someone stole that painting.
I'm going to go and look at all my CCTV cameras and hit the rewind button and see who walked in the door, who actually went into that part of the room? Who touched the painting?
And where did they go out?
You know, what door did they leave it with?
I mean, we have that same kind of thing in the cyber world.
We have our doors, right?
Whether it's our firewalls or the locks on the doors, the packet captures and the surveillance systems.
I mean, the data is there.
So if you're looking at it from a physical or a virtual type of environment, the approach is exactly the same.
It's just do you have the tools in place to accomplish the goal?
And then I suppose part of it is dialing in how much storage you want to throw at this situation, how far back you want to be able to go back.
Exactly. So that's obviously a critical business decision that always has to be looked at: how important is this data to me? How long do I need to retain these specific data? Some data you
might want to keep longer than the others. Some organizations, depending on what their roles and
responsibilities are, by regulatory or legal requirements, they have to keep things,
you know, for certain time periods just to, you know, to be legal and compliant. So, yes,
it all depends on what your business is, what your models are, and what regulatory requirements
you have in your organization.
That's Jason Mical from Devo.
Honor among thieves?
Proverbially, there is none.
And so the proprietors of the dark web contraband market Wall Street Market seem to have scampered.
Info Security Magazine and others are calling it an exit scam.
Here's what raised people's eyebrows.
An official moderator of the Wall Street Market posted a notice saying that a server crash had made it impossible,
for a while anyway, to synchronize blockchains and wallets,
but that they were working on it.
Here's what the moderator said.
Quote,
Due to this incident, we were forced to send crypto assets manually to the waiting list Bitcoin wallet,
as we have to wait for this process to complete,
so that coins can be sent to the appropriate matching escrow wallet.
Our technical advisors said that the platform will soon shift to the maintenance mode in order
to prevent sending more bitcoins, and they estimated the synchronization process to be
successfully completed yesterday. End quote. Many disgruntled traders are woofing about this
on Reddit and Dread, Dread being a dark web service a lot like Reddit. They think
Wall Street Market is about to vamoose with the coin they picked up when the old Dream Market
closed. Jack, what do you think? Dad, I think it sounds like hocus pocus misdirection to distract
people while these guys bubble away all the altcoin and then hit the road. So you're not
buying the server crash excuse, Jack? Nope. It's like when old people
like you were my age and they said the dog ate my homework. You don't say that anymore. Nope.
Now we say the algorithm erased it. It's kind of like a server crash or a bad dog.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
Time to revisit a story that you and I have chatted about before. This is about the NSA, and they're saying, publicly this time, that it may be time to drop their phone surveillance program. Bring us up to date here.
So the call detail
records program, the extent of it was uncovered in the 2013 Edward Snowden disclosures. We found out
that most domestic phone carriers were routinely submitting the call detail records, so the
metadata phone calls, to the National Security Agency. Obviously, it was a huge scandal.
Congress, in response to the scandal, reformed the program so that the data now is retained within those telecommunications
companies, although the government can request it from the FISA court. But even with that reform,
there have been questions raised both in Congress and in the Trump and Obama administrations about both the efficacy of the program and its
legality and constitutionality. Due to those concerns, the NSA took the remarkable step
yesterday of recommending that the Call Detail Records Program be shut down. This doesn't
necessarily mean it will shut down. It's ultimately the choice of the president. He is in charge of the executive branch.
But to have this recommendation from the very agency that was carrying out the program is
hugely significant and a major win for advocates of civil liberties and opponents of electronic
surveillance. And now we've heard rumblings that this might be coming for the past few months here.
Ultimately, what's going on? Why does NSA
determine that this may not be worth the effort? Well, for one, they were exposing themselves to
significant legal liability, although the Supreme Court has not weighed in on this issue. Lower
courts at various points over the past several years have determined that the program not only
does not comply with the original authorizing statute, Section 215 of the
USA Patriot Act, but it also presents significant constitutional concerns because we have a right
against unreasonable searches and seizures. The government generally does not have any,
at least as the program existed prior to the reform, did not have any suspicion
prior to collecting those phone calls. So that was a
major Fourth Amendment concern. So the government didn't want to get into a situation where the
program was shut down. We were not adequately prepared for a court-mandated shutdown, and it
caused a disruption. I think the more responsible way to do it is to anticipate a legal problem
and shut the program down gradually.
The other big issues are efficacy and compliance.
On the efficacy side, pretty much everybody who's reviewed this program has determined that it really has not been an effective counterterrorism tool,
particularly as technology has changed.
Quite frankly, terrorists aren't really making phone calls anymore.
They're using encrypted applications.
So it's just not that effective of a tool. And then compliance-wise, there were these news stories last year about how
the NSA admitted to collecting millions of records that they were not authorized to collect. They
were forced to purge those records to comply with the law. And that was obviously a major
blemish on the program. So you have those three issues, the legal liability, the efficacy, and the compliance.
And when you combine those, it's just not worth it for the National Security Agency to continue the program.
Now, what about members of Congress?
I saw a report that recently Senator Richard Burr from North Carolina, he's the Republican chairman of the Senate Intelligence Committee.
He seemed to still be lending some support to this program.
Yeah, there is a lot of institutional support, particularly from Republicans in Congress and certain members of the intelligence apparatus.
I mean, Dan Coats is the national intelligence director.
He's been supportive of this program in the past.
We've seen in other contexts outside of surveillance,
even when a department itself says a program isn't necessary, Congress is the ultimate arbiter. I mean, I can't tell you how many times the Defense Department has told Congress,
we don't need any more of this type of military bomber. We have enough. It's not worth it to
provide funding. And for whatever reason, Congress is like, no, we're going to give you the money anyway.
That certainly happens with surveillance programs.
The NSA is an agency that's beholden to both the executive branch and the legislative branch.
The one thing that works in the favor of those who are opposed to this program is that the reform package, the USA Freedom Act that passed in 2015,
is due to expire at the end of this year. So there is this natural leverage point for opponents of
the program to say, why should we reauthorize this in Congress if the NSA itself is telling us
that this program is unnecessary and ineffective and it should be shut down? If it was just about
maintaining the status quo and
there wasn't this leverage point, then I think the views of Congress would matter more. Will there be
sufficient congressional majorities to extend this now that the NSA has recommended ending
the program? I tend to doubt it, especially in the House of Representatives, which is,
as you know, controlled by Democrats. All right. Well, time will tell. I guess we'll see how the White House weighs in and ultimately how it lands.
But certainly an interesting development.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thank you. Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.