CyberWire Daily - RDP exploitation. More on the Facebook breach. Google and content moderation. Reaper Group stayed busy even after US-DPRK summit. Spyware in Canada. Hacking an airport.
Episode Date: October 2, 2018. In today's podcast we hear that the US FBI and DHS warn that RDP exploitation is up. Facebook's breach exhibits the tension between swift disclosure and sound incident response. A look at slow-rolled disclosure. Google draws criticism for some content it hosts. North Korea's Reaper Group never missed a beat. Citizen Lab says Saudi Arabia is spying on at least one prominent dissident who's a permanent resident in Canada. Nepal's airport is hacked, apparently for the lulz. Joe Carrigan from JHU ISI on Android password managers being vulnerable to malicious apps. Guest is Robb Reck from Ping Identity on recently published white papers from the CISO Advisory Council. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_02.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FBI and DHS warn that RDP exploitation is up.
Facebook's breach exhibits the tension between swift disclosure and sound
incident response. A look at slow-rolled disclosure. Google draws criticism for some
content it hosts. North Korea's Reaper group never missed a beat. Citizen Lab says Saudi Arabia is
spying on at least one prominent dissident who's a permanent resident in Canada. Nepal's airport
is hacked, apparently for the lulz.
From the Cyber Wire studios at Data Tribe,
I'm Dave Bittner with your Cyber Wire summary for Tuesday, October 2, 2018.
In the U.S., the FBI and the Department of Homeland Security
warn that exploitation of remote desktop protocol, that's RDP, is on the rise.
Criminals are using it as an infection vector for various ransomware strains,
including CrySiS, CryptON, and SamSam.
The feds offer suggestions about how to protect yourself,
and it's all good advice that comes down to following best practices and using
good digital hygiene. If you don't need remote connections, don't use RDP. Apply available
patches. Don't leave open RDP ports without good reason. Use strong passwords and multi-factor
authentication, and back up your systems regularly.
Former Facebook executive Alex Stamos, now of Stanford University,
tweeted that Facebook's breach indicates the effects of GDPR's coupling of heavy fines
with a requirement for swift disclosure. His tweet says,
Announce and cop to max possible affected users, which he thinks produces confusion.
A month later, truth is included in official filing.
Thus, public announcements are offered on the basis of incomplete investigation.
Observers, the Washington Post says, see a difficult trade-off.
On the one hand, early disclosure can help victims.
On the other, it can impede investigation and effective response.
As the Post put it,
By getting the word out early, companies alert users that their information may have fallen into bad hands,
but they risk creating confusion by disclosing the breaches before key details are available.
So, early disclosure not only enables a company to pay less in fines to the EU than it would owe if it blew the 72-hour disclosure deadline,
but it also gives affected users a chance to take some obvious steps to protect themselves,
like changing passwords, logging out and back in again, and so forth.
How many victims actually do so is, of course, another matter,
but many are concerned that haste to disclose can cause remediation to be botched,
or at least what the engineers call suboptimal. On the other hand, we apologize for reusing our hands today,
too many companies have whistled past the graveyard, hoping breaches would just go away
if they were ignored. We can't be sure these are cases of superstitious whistling or willful
blindness, but some of the disclosures over the past few years have really been slow-rolled.
The Post mentioned some in their coverage.
There's Equifax.
The credit bureau waited six weeks to disclose that information on 143 million Americans,
and not a few non-Americans, had been breached.
There was Uber.
The gig economy pioneer took a year to come clean
about a hack that affected tens of millions of its contractor drivers. And then there's Yahoo.
The company kept its own investors in the dark for two years before letting them know that,
yeah, well, Russian hackers got information on 500 million users.
All those companies have faced various penalties and court judgments over their breaches.
Facebook is at least being compliant and appears to be working hard to clean up its problems,
but here's an example of possible further problems.
Facebook Messenger has almost 1.3 billion active users,
making it the world's second biggest instant messaging service.
Security firm Bitdefender thinks it's possible that messages, chats, and so forth on Messenger could have been accessed with the stolen tokens. No one, they point out, is quite sure yet what
was actually taken, and Bitdefender believes we may see worse news to come.
The incident continues to drive calls for privacy legislation in the U.S.
Security firm Ping Identity recently released a pair of white papers outlining information
gathered from their most recent CISO Advisory Council meeting, a gathering of security leaders
from industries like health care, banking, travel and leisure, education, and others.
Robb Reck is Chief Information Security Officer at Ping Identity,
and he joins us to share what they've learned.
The first white paper is written for C-suite leaders outside of security and IAM.
It's a tool for those identity or security leaders to use as they want to communicate
to their CEO, their CFO, their CIO, what is the importance of identity and really
where does it fit? The second one is written for identity and security professionals themselves.
It's really helping them answer the question, what should they be learning about and preparing for,
for what's going to be coming up in the next few years around identity?
And so what are some of the key take-homes from each of the papers? What are the things
that you hope people come away with?
The number one thing I'd say for those listening, if you're looking to kind of help get your executive team on board for identity, this is a great place to start and a great one to download.
I see a few of the highlights from it.
Number one is regardless of where identity reports in the organization, whether it's in the IT or in the security, in order to
minimize breaches, in order to maximize security, you really need to get those teams talking
together. There's a lot of synergies that you can get between identity and security. But if they're
into different silos, if they're not working closely together, you lose a lot of it and you
have a lot of rework that's not necessary. A second key point from that white paper is that
identity is essential to digital
transformation. And if you look at the top list of items that all of your C-level C-suites are
looking to accomplish, digital transformation is going to be up on that top of that list.
Digital transformation is all about knowing your customer experience better,
knowing what your customers are doing, and identity is a key part of that.
As you start to look at identity as a building block
for digital transformation, you start to get the importance that it deserves there. And the third
thing I'd pull out of that first white paper is as you're thinking about identity, you shouldn't
just be thinking about workforce. You need to think about it across three different areas. You
have your employees, you have your customers, and you also have your partners. And in order to have
a comprehensive program, you really need to think about plans for each of those three groups. And the plans are
quite different between them as the nature of how you work with your workforce and how you work with
partners is going to be very different than how you work with your customers.
And are there any areas that you all feel as though are being overlooked,
that aren't being given the attention they deserve?
Certainly the understanding of the differentiation between where does identity start and where does marketing start, those are really tough questions to answer. And I think you have to get both of
those groups together. You can start to make a lot of mistakes if you just go to the marketing
team and ask them, how are we going to manage these details? By bringing in the security and identity folks early, understanding what are the compliance requirements, you can answer some of those questions in a scalable way that's not going to get you in trouble with things like GDPR.
And as you look at our second white paper, there's, I think, a really relevant point there.
So the second one, where we're talking about what's coming in the future, one of those key things is passwordless authentication, or zero login.
And how do we get to a place where users on a day-to-day basis are not having to enter
a password?
Using different kind of signals, doing different telemetry, you can start to manage risk.
But the second one, which is where I was getting to here, is we look at things like behavioral
analytics and machine learning, or, as we at Ping call it, intelligence.
As you build intelligence into identity, that is what we've seen from all of these companies that are harvesting and selling
information on consumers. The flip side of that coin is consent and privacy, right? These are
two areas that you really have to think about both as you're coming up with your plan. As we use
customer data to make smarter choices, as we use customer data to give a better experience, we also have to provide customers with the ability to opt in
and to opt out and to truly own their own data about themselves. It's going to be a balance for
years to come here. And those organizations that are able to quickly recognize that it is a market
differentiator to be the ones who can not only give a good experience, but also let customers know what's being held about them.
Those are the ones who are going to win in this new world that's coming up.
That's Robb Reck from Ping Identity.
The white papers are titled,
Seven Trends That Will Shape the Future of Identity,
and Eight Things Your C-Suite Should Know About Identity.
You can find both of them on the Ping Identity website.
Google is having trouble keeping unwanted material
off its platforms. YouTubers have posted instructions for hacking Facebook. The Telegraph
reports that the videos address such topics as how to get into people's Facebook profiles by
stealing access tokens and other elements of what observers have called the daisy chain of
vulnerabilities that were exploited in
the recent breach. YouTube has removed some, but apparently not yet all, of the instructional
videos. They've drawn thousands of views. How serious a matter this might be is unknown,
especially since Facebook says it's closed the vulnerabilities, but the videos can't be regarded
as a good thing. One of the YouTube screenshots the Telegraph reproduces
includes an unidiomatic disclaimer across the bottom,
for only educational purposes,
says the note underneath the picture of the hacker,
shown with hands clasped, perhaps in prayer,
while wearing fingerless gloves, a Guy Fawkes mask, and the obligatory hoodie.
Right. Educational purposes
only. Education in the lulz. And what's with the hoodie anyway? Are anarcho-syndicalist
hacktivists and cybercriminals really that uniform conscious? You're apparently likelier
to see U.S. Marines wandering around outdoors without their cover than you are to see Jack
Well, all we know is what we read in the papers and see on TV and in the movies, so it must be true.
Google is also taking some criticism for the sorts of advertising it accepts.
Fraudsters are apparently still able to buy ads, despite Mountain View's public determination to stop them from doing so.
The Times of London complains that they were able to buy ads at the rate of a dollar per click,
with the obviously fraudulent come-ons of buy fake ID, buy fake passport, and buy fake reviews.
The two incidents really don't seem to indicate any malice toward Facebook,
nor any particular commitment to collaboration with criminal enterprises as a business model.
Instead, they offer another instance of the difficulty of content moderation,
especially when the business of posting and hosting content can move in near real time.
Hopes that the North Korean government might dial back their hacking,
thanks to the lure of becoming something approaching
a more normal country, seem to have faltered. Palo Alto Networks notes that Pyongyang's Reaper
Group deployed the malware NOKKI and DOGCALL in June against a range of companies. The campaign
involved exfiltration of screenshots, keylogging, and staging of further infestations. The motive was apparently the DPRK's usual one, financial gain.
The University of Toronto's Citizen Lab reports finding Pegasus spyware from NSO Group
in a Saudi dissident's phone.
The affected person, Omar Abdulaziz, is a permanent resident of Canada.
He's been critical of the kingdom and has received asylum in Canada.
Citizen Lab attributes the infection to the Saudi government,
and they say they've been unable to find any Canadian permission given
for surveillance of Abdulaziz or anyone else.
And finally, Tribhuvan International Airport in Nepal
saw its official website taken offline between September 28th and 30th.
It appears to have been a case of hacktivism, if counting coup for the lulz can be considered hacktivism.
The unidentified hacker who claimed responsibility commented,
Typical idiot security. Nepalese authorities think it's some guy in Indonesia.
Their report doesn't say whether they think he's
wearing a hoodie, but be
on the lookout.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute. He is also my co-host on the Hacking Humans podcast. Joe, welcome back.
We have a story from Naked Security from Sophos.
Right.
And the title of it is Android Password Managers Vulnerable to Phishing Apps.
Yes, it is.
Take us through what's going on here.
All right.
So what's happening is there are these Android password manager apps.
Right.
And I'm a big proponent of password managers, whichever one you choose to use.
Yeah.
The way they work with websites is different from the way they work with apps.
Okay.
So if you're on your desktop and you're going to have these things integrate with your browser,
they're going to check the site certificate before they send a username and password to it.
I see.
To make sure you're not on a phishing website.
Before they automatically fill in your information.
They're going to auto-fill.
They double-check.
Exactly.
Before they auto-fill, they double-check, which is a great idea.
However, once you are talking about using an app, that becomes a different issue.
Let's say I'm a customer of Dave's Bank.
Right.
And I go and I download Dave's Banking app to get access to Dave's Bank.
Right.
The password manager is going to say, this is Dave's Bank app, and I'm going to go ahead and fill it in.
Right.
Right.
Well, let's say somebody malicious out there creates a bank app called Dave's Bank and fills out enough metadata in the package to make it look like Dave's Bank. They can fool the password manager into providing the credentials, the legitimate credentials to my account, to the malicious app.
And once I've done that, I've told the password manager to autofill the username and password. They just get sent to the attacker, and then the attacker logs into my account at Dave's Bank and drains my account.
I see.
So this is a matter of the apps not having as accessible a way to check the authenticity.
Correct, because there's a way to check the authenticity, but it can be spoofed is the problem.
I see. So they're advocating a new method in Android apps,
and they say in this article they would call it get verified domain names in the API
so that LastPass or any of these other password managers could call that function in that app
and get a list of the verified domain names that they're getting.
There would have to be some kind of cryptography behind the scenes.
And, of course, the get verified domain names method or function would be under the control
of the malicious app.
So they could respond with anything they need to respond with, I think.
Yeah.
So I don't know how this would work exactly.
I'm not an Android developer.
But so there has to be some significant cryptography under the hood for that.
Yeah.
It's interesting, too, because it's sort of a, it's a multi-layered thing here, because for this to happen, you've
already gotten to the point where you have downloaded, you've been fooled once by downloading
the malicious app. Correct. And so really this is a matter of the password managers are doing
what they're supposed to do, but unable to successfully take that second look to verify that what they're
filling in your username and password where they should be.
Right.
Yeah.
This is like when the malicious software was actually targeting password managers.
It's still out there targeting password managers.
Right.
So, you know, that's the keys of the kingdom.
And now they're just finding other ways to get in, get everything you have. Yeah. Okay. Something else to look out for.
Joe Carrigan, thanks for joining us. My pleasure, Dave.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.