CyberWire Daily - Spyware campaigns: phishing and watering holes. Signal patches (fast). DHS cyber strategy. Russian election hacking. Cyber Investing Summit. Do smart people pick better passwords?
Episode Date: May 16, 2018
In today's podcast we hear that a spyware campaign centered on Pakistan, and thought to be the work of Pakistan's military, comes in two variants: one for Android, the other for iOS. Vietnam is said to be phishing in a compromised Phnom Penh Post website. Signal patches a cross-site-scripting issue very rapidly. The US Department of Homeland Security releases its cybersecurity strategy. The Cambridge Analytica whistleblower talks to the Senate Judiciary Committee. The Senate Intelligence Committee concludes that the Russians didn't like Hillary Clinton. Investigation of Vault 7 leaks continues. Notes from the Cyber Investing Summit. And if you're so smart, how come your password is "Ninja?" Johannes Ullrich from SANS and the ISC Stormcast podcast discusses the EFail email encryption issue. Guest is Michelle Maitland from SecureStrux on risk management framework compliance.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A spyware campaign centered on Pakistan comes in two variants,
one for Android, the other for iOS.
Vietnam is said to be phishing in a compromised
Phnom Penh Post website. Signal patches a cross-site scripting issue very rapidly. The U.S.
Department of Homeland Security releases its cybersecurity strategy. The Cambridge Analytica
whistleblower talks to the Senate Judiciary Committee. The Senate Intelligence Committee
concludes that the Russians didn't like Hillary Clinton. Investigation of Vault 7 leaks continues.
We've got notes from the Cyber Investing Summit.
And if you're so smart, how come your password is Ninja?
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Wednesday, May 16, 2018.
Researchers at Lookout describe two extensive Pakistani cyber espionage campaigns,
Stealth Mango, which targets Android devices, and Tangelo, which works against iOS.
The targets were diplomatic, military, and governmental personnel in India, the UAE, and Afghanistan,
with strong interest shown in collecting against Pakistani dissidents as well.
Some Australian, U.S., and German officials were apparently swept up in the campaigns,
thought to be run by Pakistan's military, and using convincing spoof sites, including bogus app stores,
in conjunction with phishing to net the victims.
A Vietnamese state-directed group has compromised Cambodia's Phnom Penh Post website to infect
Vietnamese dissidents and Cambodian human rights activists with spyware. The watering hole was
established shortly after ownership of the paper changed. Signal, the secure messaging app,
gets high marks for quick response to responsible disclosure.
Last Thursday, researchers told the app's developers
about the cross-site scripting issue they'd found.
Signal had a patch ready within about four hours of notification.
The U.S. Department of Homeland Security
has released its long-anticipated strategy.
The plan has these major goals.
Better risk identification, improved reduction of both threats and vulnerabilities,
better attack mitigation, reduction of threats and vulnerabilities,
mitigating the consequences of cyber attacks,
developing infrastructure resilience,
and improving management of the department's cyber portfolio.
Cambridge Analytica and Facebook data scandal whistleblower Christopher Wylie
is testifying before the U.S. Senate Judiciary Committee today.
He tweeted yesterday that Cambridge Analytica was, quote,
the canary in the coal mine, end quote,
and that he hopes Facebook and others will be held accountable to users. The U.S. Senate Intelligence Committee said today that they essentially concur with
the intelligence community's assessment that Russian interference in the 2016 presidential
campaign aimed to both, quote, undermine public confidence in the U.S. democratic process,
end quote, and damage candidate Clinton's electability and
potential presidency, eventually coming to express a preference for the rival Trump campaign.
In other election hacking-related news, Google's corporate parent Alphabet will offer its
Jigsaw distributed denial-of-service protection for free to political campaigns during this year's
midterm elections.
DDoS attacks themselves may be growing more difficult to defend against.
Attackers are using a known vulnerability in the UPnP, Universal Plug-and-Play Protocol,
to mount harder-to-track DDoS attacks.
Researchers at security firm Imperva say the port-obfuscated amplification attacks are more stubborn
because they render source IP and port information less reliable for traffic filtering.
The attacks are thus harder to shut down.
Joshua Schulte, a former CIA employee whom U.S. federal prosecutors suspect
in the Vault 7 disclosure of CIA hacking tools to WikiLeaks,
is being held in Manhattan on
unrelated charges of storing child pornography. There's apparently insufficient evidence to
charge him in the Vault 7 case, but he remains under investigation.
If you do work with the U.S. federal government or are a cleared contracting facility,
you're likely aware of risk management framework compliance.
Michelle Maitland is a senior cybersecurity analyst at SecureStrux, and she joins us with the details.
So the government has been following this policy since about 2010,
and it's basically a methodology for figuring out what type of data you have and how to protect your data,
the different kind of settings and documentations in order to make sure your data is protected. There was kind of a
regulation that has been starting rolling out recently to companies, commercial companies that
work with the federal government, and they're forced to follow this new framework as well. So
it's a new policy for them. They're not used to having to follow this methodology.
So it's been giving folks a lot of heartburn, especially smaller businesses, because this methodology kind of tends to work really well for enterprise. But smaller companies, it doesn't necessarily scale down very well.
So that's kind of one of the big stressors that people have had, especially for small businesses.
One new process and two new
process seems to be overly complicated when you have 14 employees. So take us through exactly
what's involved with this. You figure out what type of data you are protecting and you walk
through a couple of steps on how to do that. And you assign essentially a series of important
indicators of how to protect that data. It's called the CIA triad, confidentiality, integrity, availability.
So confidentiality is what we're used to dealing with, protecting my personal data from making sure it doesn't fall into the wrong hands or protecting company data, making sure it doesn't fall into the wrong hands.
But integrity is kind of new to some businesses.
It's making sure that data is protected from accidental or intentional modifications.
So banking industries, things like that, deal with high integrity data all the time.
And availability is making sure that you maintain access to the data in the event something happens.
So hospitals, things like that, in the event they lose power, they're still going to need to have their systems up and running. So that would be a high availability system. So based on the type
of data that you're protecting, you have different level indicators for each of those, high, medium,
low, essentially. Based on those three indicators, it walks you through the different requirements
on how to document and protect that data. So for a small company who's trying to make
their way through this,
what are some of the challenges that they face?
Generally, most companies, you know, the folks wear many, many hats.
Security is kind of one where it's seen as an overhead function, right?
It doesn't necessarily make a profit unless you're in the business of doing security explicitly.
So nobody really wants to spend and have a large budget on security.
So most of the folks that I work with aren't IT people.
They're not security people.
They do other things in the company, and they have to do this on the side.
Not having that background and only kind of doing it part-time when they have time to do it
seems to be pretty much the greatest challenge, I would think.
So in terms of your advice, if folks find themselves having to deal with this,
what do you advise them for the best way to get going and make sure that they're in compliance?
Google essentially is your friend. There are a lot of resources out there that can help you step
through the process if you get stuck. Where it seems to be the hardest thing that I don't think
that the framework fully explains is kind of the action plan. Okay,
so I take the training, but how do I do this? That's where outside sources can kind of help
you walk through the process. So there's several help sites where you can take free training.
But if you go through and you follow the guide, it should walk you through things, but there you
may need supplemental assistance. And the internet has a treasure trove of things to help walk you through. When you start a company, if you're actually doing
it and you're in the weeds every day, you might not have the time necessarily to step back and
think of the picture holistically. And I think that that's what the risk management framework
does in general. It'll focus you to kind of step back and look at the bigger picture
and help address any gaps that you may miss in your normal day-to-day operation.
That's Michelle Maitland from SecureStrux.
The third annual Cyber Investing Summit was held yesterday in Lower Manhattan's Financial District.
Dave DeWalt, co-founder and CEO of Momentum Cyber and a managing director
of Allegis Cyber, delivered a keynote that set the terms of discussion by drawing the
history of what he called the perfect cyber storm.
He traced that history since 2000, noting that 29 countries now have declared offensive
cyber capabilities.
64, he said, have declared defensive capabilities,
and these 64 at least probably also have unavowed offensive capabilities.
As the storm has grown, so too has the cybersecurity market.
Worth $3.2 billion in 2000, this year it's reached some $96.3 billion.
DeWalt sees the biggest opportunities in that market where there are the biggest gaps.
Drones and domes, the drone economy and the security infrastructure it will necessarily require.
Industrial and IoT, which are increasingly pervasive.
Social and satellite, with just a handful of companies specializing in social media security.
And satellites, assuming an increasingly bigger share of communications infrastructure,
and cloud and crypto, especially with respect to identity management and advanced cryptography.
DeWalt emphasized that companies in this space must know their go-to market window,
always narrower and more fleeting than they assume.
He advised investors to, quote,
look for management teams who can figure out go-to-market, end quote.
The summit also saw the release of the Cybersecurity 500 list.
We'll have more notes on the summit tomorrow and Friday,
but it's worth noting what venture investors seemed to think were hot and what left them cold.
Data science is pretty hot, but endpoint protection and threat intelligence have cooled off.
We also had an interesting conversation with Wells Fargo CISO Rich Baich.
His team is making interesting use of cyber ranges in evaluating security products.
Companies interested in selling to some of the bigger enterprises
might well expect to have their wares put to realistic test on these ranges. And finally, hey wise guy, if you're so smart, how come you aren't rich?
Answer that one, umnitsa. It's an old question first asked on the record of the Greek philosopher
Thales, whose answer was that he could be rich if he wanted to, but that he just wasn't interested,
and to prove he could do it,
he cornered the olive press market before a bumper crop came in.
So there. He meant to be poor.
But here's a less encouraging update,
courtesy of Asia Pacific College in the Philippines.
If you're so smart, how come you use such lousy passwords?
Well, it turns out that when you correlate percentages of compromised
passwords with students' grade point averages, the honor student types didn't do significantly
better than the students in the C- to D range. Everyone came in between around 12 and 20 percent
compromised. Sure, the higher GPAs were at the higher end of that narrow range, but they're
underachieving. The researchers call
for a larger sample and a follow-on study to get more definitive results. So again, if you're so
smart, how come you're still using a password that's listed in previous public breaches?
Answer that one, Poindexter.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich. He is the host of the Internet Storm Center StormCast podcast. Johannes, welcome back. Certainly getting a lot of attention recently is this whole
incident with EFail. Bring us up to date here. What do we need to know about this?
Yeah, EFail is a really interesting vulnerability because it does show some of the risks that we take when we are sending HTML email.
HTML email may contain external resources like, for example, style sheets or images.
Now, this has always been problematic whether or not you're using email encryption or not.
But one of the EFail
vulnerabilities really takes advantage of these external includes. The way it works is an adversary
has gotten a hold of an encrypted email that you received. So now the next thing the adversary
needs to do is they need to decrypt it. So what they will do is they'll take that encrypted email
and make it part of an image tag. So what they're sending to you is an HTML email, essentially,
with an image tag, where the image tag is the encrypted email. So next thing that happens is
your email client receives the email, decrypts the email, because you know the key for that email,
and then it tries to download that image. But the image name is now the decrypted content of your email. So the attacker who runs
the web server this image is supposedly hosted at, well, they will receive the decrypted content
of the email. So pretty interesting, tricky vulnerability. That vulnerability is really more a problem with how the mail client parses these encrypted emails,
how they deal with external includes like images and such.
The second vulnerability with EFail is actually kind of the more severe one in a sense
that it allows the attacker to modify an encrypted email.
Now, typically with encryption, when you modify stuff,
that's being recognized as being altered.
But the way PGP and S/MIME in particular,
actually S/MIME more so than PGP, implement their encryption,
they're not really all that careful about the email being modified in transit. So now an attacker could actually inject that image tag into the encrypted part of the email.
And that would now cause a data leakage, no matter whether or not your email parser or
your email client correctly parses email.
So really kind of tricky, but not really all that difficult to pull off a method to have you decrypt email
and then send the response or the decrypt email back to the attacker.
And so what's to be done right now to protect yourself against this?
Well, since nobody really encrypts email, I think what you really should do is you should
configure your mail client to not load external resources. That's a bad idea, no matter whether or not you encrypt emails or not.
Lots used for tracking.
It can be used to modify the email after the fact.
So that's probably the first thing you should do.
Now, if you do use actual email encryption, decryption, then you should configure it to not happen automatically.
So that you're being prompted, for example, for a passphrase.
So then you can make a decision whether or not you actually want to decrypt the email.
If you're a little bit more careful in that, then just decrypt your emails offline.
So save the email to a file and then decrypt it on the command line or in special software
that you have to decrypt content.
That way, again, you're preventing some of the data leakage.
All right. Johannes Ullrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.