CyberWire Daily - Potentially malicious SDKs draw cease-and-desist letters. Nursing homes get ransom demands. A look back at the Sony Pictures hack. CISA offers advice on safe online shopping.
Episode Date: November 26, 2019
Twitter and Facebook warn of potentially malicious software development kits being used by app developers to, potentially, harvest and monetize users’ data. Nursing homes affected by a third-party ransomware incident receive extortion demands that amount to some $14 million. The Hollywood Reporter retails skeptical musings about the Sony Pictures hack on the fifth anniversary of the North Korean attack. And CISA offers advice for safe holiday shopping. Justin Harvey from Accenture with thoughts on smart cities. Guest is Sam Bakken from OneSpan on mobile app developers protecting against jailbreaking. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_26.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Twitter and Facebook warn of potentially malicious software development kits
being used by app developers to potentially harvest and monetize users' data.
Nursing homes affected by a third-party ransomware incident receive extortion demands that amount to some $14 million.
The Hollywood Reporter retails skeptical musings about the Sony Pictures hack on the fifth anniversary of the North Korean attack.
And CISA offers advice for safe holiday shopping.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 26, 2019.
Facebook and Twitter warned yesterday that users may have unwittingly compromised personal information to two data harvesting apps downloaded from Google Play, Giant Square and Photofy, by developers One Audience and Mobiburn, reports CNBC.
Facebook ejected the apps from its platform and issued appropriate cease and desist letters.
The social network says the companies encouraged developers to use malicious software developer kits.
Mobiburn has said that it didn't collect, share, or monetize data collected from Facebook.
It did, the company said, facilitate the process by introducing app developers to companies that monetize data.
Mobiburn says that while it doesn't regard this as problematic, it stopped doing so.
Twitter calls out One Audience as having used a potentially malicious software development kit.
The platform says it's notifying users whose data may have been harvested,
and that it's told both Google and Apple about the likelihood that this SDK has found its way into apps available in their respective stores.
Nursing homes affected by a ransomware attack against Virtual Care Provider,
a company that provides the care facilities with a range of IT and security services,
have received their ransom demands.
Those demands, CBS News says, amount to a total of $14 million.
The infection vector appears to have been a protracted series of phishing emails
carrying malicious attachments.
The U.S. Department of Energy has released its Inspector General's unclassified evaluation of the department's cybersecurity program.
The inspectors found a variety of familiar recurring issues at energy installations,
including several facilities managed by the National Nuclear Security Administration.
Among those issues is a persistent failure to patch, a vulnerability management system
that struggles to address high-risk, high-priority vulnerabilities, and unsupported software
being run on endpoints and in networks.
In sum, the IG recommended 54 improvements that the department should undertake to improve
its cybersecurity posture, and the department's leaders agreed with all of them.
Sony Pictures was hacked five years ago this week. Principal responsibility for the attack
was widely and convincingly attributed by the U.S. government and others to the North Korean
government. But the Hollywood Reporter recounts skepticism from film business people who were
around Sony Pictures at the time, who continue to wonder what happened. The U.S. Department of
Justice issued a statement about accused Lazarus Group figure Park Jin Hyok for his role in the
Sony attack and other capers. Big targets may attract a lot of people's attention, but the
skepticism about North Korean involvement in the Sony Pictures hack seems mostly a priori. It's really tough to prove a negative, but there seems little reason to think
the U.S. Department of Justice got this one wrong.
Apple's iOS mobile operating system generally has
a good reputation when it comes to security, and part of that comes from Apple's limiting what
users are able to do and see on the OS.
For those who want to see and do more, there's jailbreaking, circumventing Apple's access limitations.
Sam Bakken is from security company OneSpan, and he says app developers need to be mindful of jailbreaks.
Really what jailbreaking your device is, is it's essentially you're compromising your device, right? You are sort of sidestepping some built-in security functionalities built into iOS that keep users safe.
And so developers really need to consider the fact that there may be some number of jailbroken iOS devices accessing their apps. And so, you know, there's a couple of different
ways that their apps might be affected by this. For one, attackers will use a jailbroken device
because it gives them a little bit more access into the internals of iOS and could allow them
to kind of poke and prod apps in a way that they're not capable of on a non-jailbroken app.
And so developers need to take steps to make sure that they're kind of obfuscating their code.
They're using white box cryptography and a number of technologies to make sure that
attackers are slowed down in trying to analyze their apps and potentially find vulnerabilities within them. So that's one.
You know, secondarily, they may have consumers, you know, regular users,
they're sort of power users of iOS that still jailbreak their phone.
And this is a little bit more common in markets sort of outside of the United States.
Jailbreaking phones in the U.S. just isn't quite as popular as it is elsewhere.
But, you know, in, you know, APAC, it's a little bit more popular. And so banks want to actually provide some services
to people that have jailbroken their phone, because otherwise those people might go to another bank
that does allow them to use the mobile banking app. Really what it boils down to, to simplify,
is developers should kind of assume that their app will be installed in sort of potentially hostile environments. So,
you know, whatever the prevalence of that is, you know, who knows? It depends on your market. But
just, you know, start from the beginning thinking, hey, this app could be put on a bad device that's
jailbroken and could be at risk. So let me apply security protection,
such as what's called in-app protection, also called app shielding, which kind of monitors
the runtime of the app itself so that if there's anything malicious going on, if there's any kind
of odd seeming sort of poking and prodding of that app, it monitors for that. It detects it,
and then it can take action on it. So it can say, I don't like the looks of this. This might be fraud. So let me shut that down.
And so you might shut down the app in total, or you might limit some of the functionality
that's available.
So there are ways as a developer that I can sort of test to see if
perhaps the device I'm running on has been jailbroken?
Yes, there are multiple sort of ways to go about deciding whether or not the app is executing
on a jailbroken device.
Some more sort of involved than others, but there's any sort of number of clues that this
might be happening.
But yes, there are tools that can be integrated into the app that say,
hey, is this running on a jailbroken device, which is a potentially hostile environment,
and then it's a business decision whether or not you let the app actually execute on those devices.
That's Sam Bakken from OneSpan.
It's just two days before the more or less official beginning of the holiday season,
marked by the U.S. holiday of Thanksgiving this Thursday. The holiday season is also the shopping season,
and the more or less official beginning of that season is this Friday, Black Friday,
which is used to denote the day the Great Depression started in 1929, but now ironically names a day of big sales, bargains galore, doorbuster specials, and so on.
Anywho, the U.S. Cybersecurity and Infrastructure Security Agency has issued some advice on how to shop safely during the holiday season.
It's good advice, short advice, and grouped under three convenient headings.
First, check your devices, make sure the software on them is up to date, and check the accounts on them.
Do you have strong passwords? You should.
And you shouldn't reuse those passwords.
If the accounts offer multi-factor authentication, use it.
Second, shop through trustworthy sources, the sites you know that are reputable.
Not, let's say, Crazy Joe's Nuthouse site of huge online bargains, which you've never heard of,
but hey, just popped up, and that looks pretty good.
Steer clear of the dodgy and the unfamiliar,
and be aware that crooks will spoof legitimate sites.
Look at the URL.
That's not foolproof, but it's not a bad practice.
And remember that phishing con artists
will be sending out special offers during this season, too.
Don't follow the links in emails
unless you're sure of where they go.
And don't provide personal information, especially credentials or pay card data.
Third and finally, use safe methods of payment.
Credit cards are always better than debit cards and much, much better than using wire transfers.
Keep an eye on your credit card statements and alert your card provider at once if you suspect fraud.
So there's CISA's advice for holiday shopping.
Check it out at cisa.gov slash shop hyphen safely.
Have you noticed a sad fact of holiday creep?
We have.
We're ashamed to say that right here in Greater Baltimore,
our shopping desk noticed that Halloween candy went on sale
at a local supermarket during the first week of August.
And that's just not right.
And there's forward creep as well as backward creep.
We confidently predict that after the New Year celebrations have succeeded Hanukkah and Christmas,
we're going to be prepped for Valentine's Day with a short detour
around the hemidemisemiofficial American civic holiday of the Super Bowl.
But there's a silver lining to all of this.
Go back to CISA's advice on shopping safely.
It applies 24-7, 365 days a year,
366 during leap year.
So shop if you must, and you know you will,
but please, shop safely.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it's always great to have you back. I wanted to touch base today about smart cities and how making our cities smarter might mean that we also need to up our cybersecurity game as well.
That's exactly right. There are many new types of services that are being developed, whether it be
advanced traffic light signaling and the ability to control traffic lights on a citywide basis.
There's water and power, jail systems, public transportation. And what has been discovered within the last decade is the Internet protocol, maybe it's not so bad when it's controlling other types of operations.
It's a great signaling and transportation protocol.
What's happened is all of these new types of services that are being developed and management systems that are using the Internet protocol, many times people don't realize that, A, it does eventually connect up to the Internet. And, B, they are susceptible to attack from adversaries, regardless if it is an air-gapped network or not.
Many of my clients say, well, we have a great air-gapped system.
And then, of course, we run our red team operations.
And in about 80% of the cases, they find a way in through the air-gap,
sometimes through maintenance connections,
sometimes through engineers that connect up to that air-gap network.
So there are paths to access those.
Something that strikes me is,
you know, say, for example, I have all of my city's lighting is automated and hooked up to
some sort of smart city system. In that case, if I want to take my city dark, I don't have to knock
out the power generation facilities. I may be able to just throw the switch and turn off all the lights.
That's exactly right. And any time that a digital system can affect the kinetic or affect the real
world, there is susceptibility to tampering and to inciting chaos or inciting real world physical
damage. So it's important that when cities consider this,
they consider two things. The first is, I think that they should build up to this iteratively,
which means having a very strong core, which means developing defense-in-depth techniques
with their own non-kinetic digital systems, accounting, tax revenue generation, digital
records for their criminal justice system, and really work up to that. Because we've seen, Dave,
I think we even mentioned this a few weeks ago, about more and more cities and states that are
being held for ransom through ransomware. So it's important that you start with a firm base
and you work up to that. In fact, I think probably the first
kinetic system that cities should probably start to take a look at is the smart grid.
And the reason I say smart grid is that there are already utility providers doing this. It's proven
there are mature security standards, mature systems, and they could also probably see some
additional funding avenues
through working in partnership with a commercial organization like a utility provider. The second
thing that they need to think about is having proper funding. I cannot stress this enough.
There needs to be proper funding around not only the technology and the telemetry and the
transportation and setup of this, but these are very large operations that will be probably in
place for decades. So it's important to have proper funding. And many times that does mean
going back to the public who are voting with their wallets and saying, we want to do this,
and this is going to be the tax implications. This is how much tax revenue we need to do that,
which will, of course, fund properly trained people, a security operations center,
and additional technology and telemetry that will be necessary to do this in a safe and responsible manner.
Yeah, it's a really interesting insight that this requires the input from so many different
departments around the city.
In other words, it's not just facilities people putting up new streetlights.
Suddenly, you've got data flowing that could be connected to all sorts of other parts of
the city.
That's exactly right, Dave.
Recently, I was in New York City for
the Aspen Cyber Summit, and Jeff Brown, who is the CISO and head of the New York City Cyber Command,
made some great points in saying that New York City in particular is all digital, and it is all
about safeguarding these digital systems, or his department is safeguarding these digital systems that are susceptible to attack. And I think that New York City has a great attitude and idea about
this in the sense that it's all about managing the threat and providing these key services and
key uptimes to their citizens. But the only way that they are able to do this successfully is through building
a strong base, creating a security operations center, working closely with law enforcement,
and then, of course, having adequate funding in order to roll these services out on an iterative
basis. So my hat's off to Jeff Brown in New York City on this one.
All right. Well, Justin Harvey,
thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity
leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll
save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.