CyberWire Daily - Ransomware in Spain. Pegasus in India. TikTok on the Huawei highway? Booz Allen predicts! And good dogs sniff out bad data.

Episode Date: November 5, 2019

Ransomware hits Spanish companies. Pegasus continues to excite controversy in India. TikTok applies for Big Tech’s good-citizen club, but has apparently so far been blackballed. Booz Allen offers nine predictions for 2020: balkanization, supply chain threats, automotive data theft, war-droning, satellite hacks, tougher attribution, election interference, missiles against malware, and Olympic interference. And good dogs go after bad guys’ data storage devices. Ben Yelin from UMD CHHS on AT&T’s claims that they cannot be sued for selling location data to bounty hunters. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_05.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Ransomware hits Spanish companies. Pegasus continues to excite controversy in India. TikTok applies for Big Tech's Good Citizen Club, but has apparently so far been blackballed.
Starting point is 00:02:08 Booz Allen offers nine predictions for 2020. And good dogs go after bad guys' data storage devices. From the CyberWire studios at DataTribe, I'm Dave Bittner, with a little bit of a cold, with your CyberWire summary for Tuesday, November 5th, 2019. Ransomware has hit Spain. Reuters reports that a ransomware attack hit the country's largest radio station, Cadena SER, yesterday.
Starting point is 00:02:40 National service was disrupted, but local broadcasting continued without interruption. It's unknown what strain of ransomware was involved in the attack. SER is working toward recovery. Spain's National Security Department said that other unspecified companies were affected by similar attacks. The agency said that SER had disconnected its major systems from its networks, and it recommended that other organizations similarly affected do likewise. Bleeping Computer says it's obtained a leaked copy of a ransom note that confirms that NTT Data subsidiary Everis was one of the officially unnamed companies that were also hit.
Starting point is 00:03:19 One of Spain's larger managed service providers, Everis is thought to have been infected with a variant of BitPaymer ransomware. The extortionists have asked the MSP for just under $836,000 in ransom, Bitcoin.es reports. Other enterprises are concerned about the possibility of downstream attacks flowing from those affecting the widely used MSP.
Starting point is 00:03:42 Bleeping Computer cites an anonymous source close to those investigating the incident as saying that the extortionists may have exploited the BlueKeep vulnerability in their attack, but the grounds for this suspicion may be circumstantial. The advice to disconnect systems is being read by more than a few observers as an indication that there's a worm involved, and the wormhole of the day is, of course, BlueKeep. The list of those WhatsApp warned of possible Pegasus infections strikes many in India as suggesting that the spyware was distributed by the government. India's government, the BBC reports, denies any such involvement in the incident.
Starting point is 00:04:21 The Scroll describes the activists, lawyers, and scholars whose devices were affected. WhatsApp's litigation against NSO Group is proceeding in a U.S. court, but Reuters reports that an activist lawyer has petitioned India's Supreme Court to direct the country's counterterrorism agency to open an investigation into not only NSO Group, but also WhatsApp and its corporate parent, Facebook. One of the matters at issue is said to be a claim that the app's encryption isn't up to snuff. The Chinese-owned social media app TikTok remains the subject of a U.S. security investigation, and the Defense Department is considering how to educate military personnel about the
Starting point is 00:05:00 risks the app might pose, Military Times reports. TikTok seems destined for the Huawei-ZTE treatment from Washington, and it's displaying the kind of preemptive good corporate citizenship the two hardware giants used in their own charm offensives. In TikTok's case, the social medium has applied to join the Global Internet Forum to Counter Terrorism, a club to which Facebook, Microsoft, Twitter, YouTube, Pinterest, Dropbox, Amazon, LinkedIn, and WhatsApp currently belong. The Hill says that the forum has so far declined to admit TikTok, probably over concerns surrounding the company's data collection
Starting point is 00:05:36 and censorship practices, but you can't blame them for trying. Booz Allen today released its predictions for the major threat trends of 2020. They call out nine of these. First, the global balkanization of technology, by which they mean such government policies as Roskomnadzor's movement toward creating an autarkic Russian internet and Moscow's offers to create similar national internet infrastructures for the BRICS nations, Brazil, Russia, India, China, and South Africa, as well as an alternative domain name system. Second, they see the clones and counterfeits
Starting point is 00:06:12 posing a growing threat to supply chains. Third, the swiftly increasing rates at which automobiles generate data will prove, they say, irresistible to cyber criminals. They expect the hoods to work hard at stealing information from cars and monetize that information as they have other categories of data. And a similar development, the proliferation of drones as business tools, will, in Booz Allen's fourth prediction, increase many businesses' attack surfaces. A lot of Bluetooth exploits, for example, work only if you're close to the targets.
Starting point is 00:06:48 And drones will, they say, make for a new generation of war driving. Fifth, since satellites are becoming more enmeshed with terrestrial IT, the study predicts more cyber attacks against satellites. Consider the ubiquity of GPS and the arrival of satellite constellations like Starlink that will deliver the Internet to users on the ground. Sixth, nation-states can be expected to use more of the same attack tools and techniques, and attribution, already difficult, will get tougher. Seventh, threat actors will continue their efforts to interfere with elections by the trolling of opinion, by disinformation,
Starting point is 00:07:21 and by direct attack on election infrastructure. Cyber operations will continue their integration with conventional kinetic military operations. Sometimes that will offer nation-states a non-lethal option, but, and here's their eighth prediction, at other times cyber attacks can be expected to prompt kinetic retaliation. And ninth and last, next year the world will come to Tokyo for the Olympic Games. There won't be any medals in cyber, but the competition can be expected to be fierce. Ourselves, we're pulling for Team Japan on this one. Finally, the New Yorker this week takes a quick look at how dogs help investigate cybercrime. No, you can't learn to code at obedience school.
Starting point is 00:08:08 But on the principle that any cyberspace badness has to manifest itself in some hardware sometime, somewhere, police agencies are training dogs to sniff out electronics to help them find the servers, flash drives, SD cards, GPS units, Bitcoin hardware wallets, and so forth on which criminal evidence can be found. These things are often hidden away like other contraband, inside file cabinets, walls, fire extinguishers, and the like. The specialty is called electronic storage detection, ESD, and the dogs are trained to
Starting point is 00:08:38 sniff out triphenylphosphine oxide, commonly used to coat memory chips. The handlers train their canine assistants with treats, and, says one trainer, that's why they tend to favor Labs, because Labs have big appetites for snacks, even by dog standards. So if you're up to no good, the dogs will sniff you out, or at least your triphenylphosphine oxide.
Starting point is 00:11:17 And joining me once again is Ben Yelin. He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. This is a story that came by on Motherboard, written by Joseph Cox, and the title is, AT&T says customers can't sue the company for selling location data to bounty hunters. What's going on here? So we saw some articles earlier in the year
Starting point is 00:11:52 based on investigations by Motherboard and other entities that AT&T and other telecommunications companies were selling user location data to bounty hunters for a price. Once this information became public, AT&T and the other companies claimed that they were not going to do this anymore. They're going to change their policies, and that is all well and good. But the people whose information was the subject of those sales obviously have some sort of legal grievance against AT&T. So they decided to file a class action lawsuit in order to get themselves compensated for damages, but also to halt AT&T from engaging in this practice in the future. And AT&T is saying that those users cannot instigate a class action lawsuit because when they agreed to their terms of services, they agreed to resolve
Starting point is 00:12:46 all disputes in arbitration proceedings. So it is a mandatory arbitration agreement. Now, pretty much every telecommunications company and pretty much any big business for that matter has these mandatory arbitration clauses. When you sign those terms and conditions, when you press I agree to the 40 pages of terms and conditions that AT&T is presenting itself when I just want to open my new iPhone, you are agreeing to these mandatory arbitration clauses. These are very disfavorable to users of the technology because generally AT&T picks the arbiters. So the users themselves, once it gets into arbitration, generally do not have a good chance of winning at those proceedings. And you're cutting off all other avenues of judicial review. So this is, I think, a public policy issue. If these technology companies are able to enforce these mandatory arbitration clauses, there's not
Starting point is 00:13:47 sufficient recourse for users when AT&T and other telecommunications companies engage in questionable conduct. Now, an interesting note in this article, they spoke to an attorney, Adam Gutride, I believe his name is, and he had sued AT&T over an incident involving roaming fees, and they persuaded a circuit court that the arbitration clause was unenforceable. What's going on there? So his claim is that because the arbitration clause would prevent consumers from obtaining what's called a public injunction, which is a way to stop the alleged illegal conduct, that mandatory arbitration is not enforceable. I think this is
Starting point is 00:14:33 an interesting argument. That was a decision made at the Ninth Circuit U.S. Court of Appeals. So obviously, they've gotten themselves to the appeals court level. This has not been subject to review by the United States Supreme Court. I don't know if that argument will ultimately prevail, but that's probably the best chance users are going to get for some sort of equitable outcome. The other option they mentioned in this article for users is to opt out of the arbitration clause, which some telecommunications companies allow you to do while still agreeing to the majority of the terms and conditions. But I just think most lay people never read the terms and conditions, probably have no idea what a mandatory arbitration clause is, and would have no way of knowing that this was a potential option. So I think it's really a recourse in name only. The other recourse is to make changes in public
Starting point is 00:15:33 policy. And that's actually what's happening at the congressional level right now. So the House passed a bill that would prohibit mandatory arbitration clauses. It was an acronym known as the FAIR Act. I don't know what this acronym was. I'm guessing the A stands for arbitration. Something like that. Yeah. I'm pretty sure that's the case, but I don't know what they came up with for the other letters. Yeah. This is something that Democratic members of the House have been working on for a while. They see these mandatory arbitration clauses as unfair to consumers. It blocks the ability for consumers to get recourse in the event of bad behavior from big business.
Starting point is 00:16:12 This bill is going nowhere fast in the United States Senate, so it is not a policy that's going to be adopted in the near term. But this could be a preview of future federal action to curtail the use of these mandatory arbitration agreements. We'll keep an eye on it. Ben Yelin, thanks for joining us. Thank you.
Starting point is 00:16:53 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:17:40 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Starting point is 00:18:02 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
