CyberWire Daily - Privacy, Fort Meade style. Interpol looks at cybercrime. Oilrig gets DNSExfiltrator. Please move on from Windows 7. Updates on the Twitter hack.
Episode Date: August 5, 2020
NSA, yes, NSA, has some privacy advice. Interpol offers its take on where cybercrime is going during the time of the pandemic. Iran's Oilrig is getting clever with its data exfiltration. The FBI would like to know when you're finally going to move on from Windows 7--like, c'mon people. Joe Carrigan looks at pesky ads from the Google Play store. Our guest is Bobby McLernon from Axonius on how federal cybersecurity is particularly vulnerable during the shutdown. And a not-guilty plea from one of the three alleged Twitter hackers, along with some notes on how whoever dunnit dunnit. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/151
Transcript
You're listening to the CyberWire Network, powered by N2K.
NSA, yes, NSA, has some privacy advice. Interpol offers its take on where cybercrime is going during the time of the pandemic. Iran's Oilrig is getting clever with its data exfiltration.
The FBI would like to know when you're finally going to move on from Windows 7.
Like, come on, people.
Joe Carrigan looks at pesky ads from the Google Play Store.
Our guest is Bobby McLernon from Axonius
on how federal cybersecurity is particularly vulnerable during the shutdown.
And a not-guilty plea from one of the three alleged Twitter hackers,
along with some notes on how whoever done it, done it.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, August 5th, 2020.
The U.S. National Security Agency has released an advisory on the risks associated with the geolocation data many systems and apps routinely collect.
Quote,
Location data can be extremely valuable and must be protected. [...] users in a location, user and supply movements, daily routines, user and organizational, and can expose otherwise unknown associations between users and locations.
The agency's recommendations are addressed in the first instance to government personnel, but they're presented as applicable to anyone concerned about privacy:
turning off location-sharing services, giving apps minimal privileges,
setting browser options to prevent use of location data,
turning off advertising permissions, and even disabling features that track lost devices.
Plain-text usernames, passwords, and IP addresses for more than 900 Pulse Secure VPN Enterprise servers are being shared on a Russian-language hacker forum, a ZDNet investigation has found.
All the compromised servers were running firmware vulnerable to CVE-2019-11510.
The forum to which the data were posted is frequented by ransomware gangs. Those gangs include, ZDNet says, [...] without any fees attached.
Organizations using Pulse Secure VPNs should update their systems.
Since VPNs are especially useful in remote work,
they should also look to the security
of their sheltered at-home workforce.
Interpol yesterday released a report
on cybercrime trends observed during the COVID-19 pandemic.
There's been a shift in targeting.
Initially, individuals and smaller
organizations were the preferred targets, but more recently, large companies, government agencies,
and infrastructure have been the focus of threat actors. Interpol makes three predictions with
respect to cybersecurity during the pandemic. First, we should expect the increase in cybercrime
to continue, at least for the near term.
Criminals will continue to work against the expanded attack surface a remote distributed workforce inevitably presents.
Second, as long as the public remains worried about the pandemic, COVID-19 phishing scams will retain their popularity.
Interpol expects such phishing to go hand-in-hand with a corresponding increase in business email compromise.
In both ordinary phishing and BEC attempts,
the criminals can be expected to improve their social engineering game and produce increasingly plausible phish bait.
And finally, once a vaccine is available against this strain of coronavirus,
expect a big spike in vaccine-themed phishing, as well as industrial espionage aimed at biomedical research and production.
As always, we should also expect public concern to breed plenty of misinformation.
Interpol doesn't say so, but it's reasonable to assume
that a large fraction of that misinformation will simply be the madness of crowds.
But some smaller fraction will no doubt be deliberate, opportunistic disinformation.
All right, so fess up.
You're not still running Windows 7, are you?
After all, it's beyond its end of life,
and the FBI this week staged a mild intervention
for the benefit of its more laggard private sector partners.
Quote,
The FBI has observed cybercriminals
targeting computer network infrastructure
after an operating system achieves end-of-life status,
the Bureau cautioned in a private industry notification.
Continuing to use Windows 7 within an enterprise
may provide cybercriminals access into computer systems.
As time passes,
Windows 7 becomes more vulnerable to exploitation due to lack of security updates.
We know. We know.
It's like a public service announcement.
Buckle up for safety. Stay in school, kids.
But that's all good advice, too, and it's none the worse for its earnest familiarity.
Sure, the Bureau says there are
troubles whenever you migrate to a new operating system, but those shrink to the irritation level
when you compare them to the risks of staying with the old, the creaky, the leaky, the vulnerable,
and the unpatched. So do yourself a favor and upgrade. We're pulling for you.
Bobby McLernon heads up the Federal division at cybersecurity asset management company Axonius.
He joins us to discuss how during the shutdown, federal cybersecurity is more vulnerable than ever.
Today, I think the C-level executives are thinking much more dynamically and outside of that box as it relates to cost.
Cost today is a big consideration because everyone's been working from home.
Government employees are looking for some type of recompense or some type of stipend for the use of their home as it relates to work.
They are utilizing assets that they've purchased with
their own personal resources. So reclamation, if they're called back to work as a concern for a
C-level exec. And I think as well, production. The C-level executives are starting to look at
themselves more like an industry, like a big company. How do I get production from people to accomplish my goals
in the same manner as when they were working on-prem?
What are some of the specific adjustments they've had to make on the cybersecurity side of things?
So as it relates to cyber, with employees going out and purchasing their own assets, I think it's an extraordinary challenge for the C-level execs now to manage those assets.
In other words, which assets are out there without the appropriate agents?
Which assets are out there without the appropriate software reps on their equipment and patching and so forth?
So as it relates to locking down the endpoint and yet keeping continuity with the workforce, I think this brings a lot of new issues to the table for cyber.
As we settle into this and we start to look towards what things might look like on the other side, how do you suppose these folks are preparing for that, for the notion of people coming back to work and this new reality?
I can tell you that social distancing is a big concern.
From what I understand, they are looking to re-architect workspaces to put the appropriate
distance between employees. I've also heard that in many cases, the air filtration systems are being looked
at to try and put some type of biohazard, the same type of apparatus that goes into a home HVAC to
keep mold down, things of that nature, something to purify the air and make the work environment safer. Yeah, yeah, absolutely.
So those are two examples.
But I heard them from a couple of different sources. And I think that the social distancing thing is going to be, or that type of approach,
is going to be significant going forward.
Because from what I understand, COVID may reoccur in the fall.
And I've read several times in the paper that there may be the advent of swine flu crossing borders here in the coming months.
So I really believe that people are going to be in a different work environment than they have in the past.
That's Bobby McLernon from Axonius. And finally, the AP says that 17-year-old Graham Ivan Clark,
the youth accused of participating in the Twitter hack
and its attendant altcoin scam scheme,
was arraigned Monday in Florida on state charges of fraud.
He pled not guilty and, of course, is entitled to the customary presumption of innocence.
The Wall Street Journal has the story the prosecutors told of how Master Clark allegedly did it.
He started with a SIM swap to get access to a plausible phone number.
He also set up a few bogus sites as landing places for his phishing pages
and then collected the right logos and text to make them plausible.
One of the pages was designed to look like Twitter's Okta login portal,
through which employees securely enter Twitter's systems.
The journal points out that Okta itself was uncompromised.
The sites were pure imposture.
And then he called Twitter admins,
some of the roughly 3,000 who have access to Twitter's account control panels.
He said he was from IT, directed them to the phishing pages,
and convinced enough of them to cough up their credentials
to give him the ability for an hour or so
to wrench control of more than 100 accounts,
mostly high-value and high-profile accounts.
An interesting aspect of the story is the connection to online gaming.
According to the Wall Street Journal,
quote, the tactics that Mr. Clark allegedly used have been honed in recent years with remarkable
tenacity by a community of teenagers and young adults. The practitioners cut their teeth in the
antics of online gaming, where stealing one another's Xbox or PlayStation gaming accounts
is counted as a harmless prank, according to investigators and security experts.
End quote.
So, the Internet's notorious disinhibition misdirects another youth.
In cyberspace, it can seem as if sufficiently artful wishing makes it so.
Until that is, you forget that cyberspace eventually meets real life.
In real life, you have liberty, but within the framework of physical possibility.
And in real life, you have rights.
In this case, unfortunately,
one of them is the right to remain silent.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
Got an interesting bit of research that was shared with us.
This is from the Satori Threat Intelligence and Research Team over at White Ops Security.
Joe, they have found some chicanery, some bad stuff going on over on the Google Play Store. Can you describe to us, what does their research delve into here?
Right. So they have discovered 29 apps with code that facilitates what they call out-of-context
ads. And these are ads that will pop up on your phone
when you're not in some app.
It's just like you'll be looking at your home screen
and then bam, you get an ad on your phone.
Let me stop you right there, Joe,
because one of my favorite pastimes
is giving you a hard time about Android
because I'm an iPhone user.
I know.
And I was looking at the animation
that they posted here in their research
of how these ads work.
And it's just someone sort of browsing
through their list of apps.
And all of a sudden, this ad pops up.
And I'm thinking to myself,
you're okay with this?
Right.
Why is this even a thing that can be done
on the Android platform?
If my phone did this,
I would throw it out the window.
Right.
And no app should do this.
And actually, that's a good point, Dave.
I don't think that the operating system
should allow this to occur.
There may be some legitimate use case
where this is a good idea,
but I can't think of it right now.
So if somebody can come up with a legitimate use case,
let me know.
I would love to hear it.
Getting rid of that functionality from the operating system would stop a lot of this from happening.
But there are still other means of pushing ads that actually do represent legitimate use cases like push notifications.
You might want push notifications for, say, incoming weather that may affect you.
There's an easy-to-identify legitimate use case for those. But
those can still be abused for ads. But what's interesting is that these apps had 3.5 million
downloads among them. That's an average of about 120,000 downloads per app. And many of these apps
were purporting to be a blur app, which is a photo editing app that will let you blur out portions of a photo.
So let's say you take a picture of your new car.
You want to blur out the license plate.
This is what you would use, something like this.
But these apps don't do that.
They have very minimal functionality that's just enough to get past the automated tests for the Google Play Store.
And then they do a lot of hinky things.
Like, for example, the very first paragraph of this article says, if the app you just downloaded is playing hide and seek with you, like the icons
disappearing from your home screen, it might be bogus. If the only way you can open this app is
by going to your settings menu and finding it in the long list of apps, it might be bogus. And if
after you download this app, your phone starts to give you these out-of-context ads, it might be bogus, right?
Another interesting telltale sign, and this is one of the things I've said before,
but they talk about this in the reviews. These reviews have what they call a C-shaped distribution,
right? Which means that if you look at the distribution, there's a lot of five stars,
very few four, three, and two-star ratings,
and then a lot of one-star ratings. So it kind of looks like the letter C, right? That is indicative
of a malicious app or an app that's just going to serve ads. Because? Because these people go out
and they buy reviews. And when you buy reviews, you don't buy two star, three star, or four star
reviews. You buy five-star reviews. Right. And these guys have bought a bunch of five-star reviews.
And when you produce a piece of software that is just a nuisance, it creates a bunch of angry
people who then go in and give you a bunch of one-star reviews. So that's what you're going
to see. You're going to see the five-star reviews that they've purchased and the one-star reviews
that they've earned. So if you see that, let that be a message, a warning to you.
It makes me wonder, how many downloads would you get if you just stuck an app, somehow got an app in the Google Play Store or any of these online stores, and if the app was called, this app does nothing, right? You still get over a hundred thousand downloads just because, I mean, I guess there are people out there who just download anything, right?
Yeah. I mean, that is a mystery to me.
Yeah.
You know, I don't go out and just download any app. I go with a specific purpose, looking for a functionality that I want to have.
And then I read the reviews before I install it.
And then finally, if I do choose to install it,
I check the permissions that it requests.
So think about these things.
Think about the permissions you're giving away.
Read the reviews and look for that C-shaped distribution.
Yeah, yeah.
All right.
Well, again, this is from the Satori Threat Intelligence and Research team over at White
Ops.
The research is called Bringing Blur Apps into Focus.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.