CyberWire Daily - Trend Micro answers spying allegations. Magecart blamed for British Airways breach. Tor Browser exploit disclosed. Google vs. the right to be forgotten. Accused JPMorgan hacker extradited.

Episode Date: September 11, 2018

In today's podcast, we hear that Trend Micro has clarified what was up with allegations it was deploying spyware with its tools—no spyware, but they've changed their products to remove the appearance of impropriety. RiskIQ fingers the Magecart gang as the hoods behind the British Airways data breach. Exploit broker Zerodium discloses a no-longer profitable Tor Browser vulnerability. Google will challenge the EU's right-to-be-forgotten in court this week. An extradition in the JPMorgan hack. Justin Harvey from Accenture with tips on building an effective incident response plan. Guest is Colin McKinty from BAE Systems, discussing the launch of The Intelligence Network, a collaborative task force developed in partnership with Vodafone and Surrey University, to engage, unite and activate the global security community in the fight against cybercrime. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_11.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Trend Micro clarifies what was up with the allegations it was deploying spyware with its tools. RiskIQ fingers the Magecart gang as the hoods behind the British Airways data breach. Exploit broker Zerodium
Starting point is 00:02:10 discloses a no longer profitable Tor browser vulnerability. Google will challenge the EU's right to be forgotten in court this week. And an extradition in the JP Morgan hack. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 11th, 2018. Trend Micro has responded to accusations that surfaced over the weekend and resulted in the ejection of some of its security apps from the Apple Store. They don't, the company says, report anything to Chinese servers.
Starting point is 00:02:56 Charges that they've been taking user data and exfiltrating them to an unidentified server in China are, quote, absolutely false, end quote. What did happen, the company says, is that its products, Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder, all collected and uploaded what Trend Micro calls, quote, a small snapshot of the browser history on a one-time basis covering the 24 hours prior to installation, end quote. Thus, the data collection on user systems they did perform was a one-time thing designed to enhance the product's performance and not an ongoing scraping of information. Furthermore, this collection was fully disclosed in the end-user license agreement, and they point out where, although in fairness to users, EULAs are notoriously difficult to navigate. Nonetheless, the company says it understands the objection and regrets the incident. Trend Micro reports that it's now discontinued that particular feature in its apps. They've also permanently deleted all the legacy logs, as they put it on their corporate blog, quote, we apologize to our community for a concern they might have felt and can reassure all that their data is safe and at no point was compromised.
Starting point is 00:04:07 End quote. A number of observers were struck by apparent similarities between the British Airways breach and the earlier incident at Ticketmaster. This morning, RiskIQ offered an explanation for the similarity. The company says that the two hacks were conducted by the same criminal group, Magecart. The company has been tracking Magecart since 2015. Researchers also say the gang remains active on an unusually large scale, conducting digital skimming attacks against a range of enterprises. They scan for websites that don't secure payment card data entry forms, and then take whatever's available.
Starting point is 00:04:46 This time, their attack seems to have been more tailored than usual. Magecart compromised JavaScript on the airline site. Many of the gang's earlier operations had concentrated on attacking third-party providers of payment services. That was, for example, the case in the Ticketmaster breach. But in this instance, Magecart appears, says RiskIQ, to have gone after British Airways more directly. British Airways hasn't commented on the attribution. They say that they notified all affected customers within a day or so of discovering the breach and that they're now working closely with law enforcement as the authorities investigate the incident.
Starting point is 00:05:27 BAE Systems recently launched a collaborative task force they're calling the Intelligence Network with the aim to unite and activate the global security community in the fight against cybercrime. Colin McKinty is VP of Cybersecurity Strategy at BAE Systems. We launched it back in July with Vodafone and another organization called Cylon. And what we produced was a manifesto explaining how we can see a path towards a safer digital world. We got a bunch of industry experts together. And through a lot of conversations and collaboration, we focused down on kind of three broad themes. The first one of these was around the economic incentives and buying power of larger corporations, how this has driven fragmentation and complexity in the cybersecurity marketplace and the technical landscape that we're trying to
Starting point is 00:06:17 buy security tools from. What often this means is that small and medium businesses really don't get the right level of support. We're also struggling with integration and implementation. The second theme is around the fact that societies, large enterprises and governments are going to continue to be disrupted by this new or growing digital business world that we're in. There's also a really fast pace of development and economic growth going on at the moment, which just basically means it's really hard to keep up. And the final theme is around the increased software intensity of the world and the growing use of AI raises real concerns around the risk to cybersecurity and what these trends mean. And so these key three themes led us to develop this manifesto and ultimately produce three pillars to how we think we can develop over the next seven
Starting point is 00:07:05 years a framework to combat this threat. All right, well, let's continue then. Describe to us what are the pillars? So there's three pillars. The first one is collaboration. And the key mindset change that we're looking for here is about building a new culture through radical trust. Now, we really need to move from each organization only defending themselves to where organizations are working together to defend everyone. We really do need to collaborate. Now, in this context, we can't defend the herd by seeking just to outrun it and be an individual. We have goals for this. So in 2025, what we want to see is a society where we can respond as one to these threats, really act as a collective.
Starting point is 00:07:46 The second pillar is simplicity. So again, here, we're looking for a mindset change where we don't blame the people, we actually change the game. This change is around making sure the security is focused on making it easier rather than punishing honest mistakes. The third pillar, then, is certainty. So what we have here is we're looking for a mindset change here where we're turning kind of the volatility of cybersecurity into just business as usual. What we see is, you know, kind of cybersecurity is quite exciting. It's adrenaline-fueled where heroes fly in at the most important time
Starting point is 00:08:20 with great technology to kind of try and save the day and sort out the issues. And what we need to do is actually focus less on kind of those heroes and technologies, increasingly more on a reliable world of competence and procedure, just basically where it becomes this standard everyday process. And by driving this kind of maturity, this transparency, we believe we can position ourselves to be ready for the future of cybersecurity. Well, I mean, certainly, I would say admirable and perhaps lofty goals. So what is the,
Starting point is 00:08:52 what's the plan from here? How do you turn these ideas into reality? So it's been really exciting since we launched this in July, we've actually had over 700 people and organizations sign up to join the network, over 200 of those being in the US. And so what we've started is a collaboration between those organizations. So if folks want to get involved, what's the best way for them to get in touch? Well, there's a range of information out there. Go to the BAE Systems website. There's information about the intelligence network there. You can click on, sign in, and join the network. And then all we ask you to do is come and bring your thoughts, bring your problems, openly share and collaborate, and help us work out how we prepare for the
Starting point is 00:09:33 future. That's Colin McKinty from BAE Systems. The exploit brokers at Zerodium have dumped some of their wares on Twitter. In this case, it's a zero-day vulnerability in the Tor browser. Their business is, for the most part, selling exploits to government organizations. Zerodium says it's disclosed the exploit publicly because the bug has, quote, reached its end of life and it's not affecting Tor browser version 8, end quote. If you're a Tor browser user and you haven't yet updated to version 8, you might want to do so soon.
Starting point is 00:10:10 Version 8 was released last week. Users of earlier versions can expect the usual rounds of attempts on their systems. An important case goes before the European Court of Justice this week. Google will be challenging aspects of the EU's right to be forgotten. In this case, Google seems to be on the side of the free speech angels. Many observers see broad application of the right to be forgotten as the entering wedge of more intrusive censorship. Authorities in the country of Georgia have extradited a Russian national to the US where he'll face charges related to the 2014 hack of financial services companies.
Starting point is 00:10:50 It's generally known as the J.P. Morgan hack, but there were a number of other victims as well, including E-Trade Financial Corporation, Scottrade, and Dow Jones. Andre Turin could receive up to 30 years if he's convicted on charges of computer hacking, wire fraud and conspiracy. Mr. Turin and his alleged co-conspirators are thought to have made hundreds of millions in stock manipulation, internet gambling, credit card fraud and cryptocurrency money laundering. There's much speculation about what he knows concerning connections between the Russian government and the Russian underworld. Today is, of course, the 17th anniversary of the 9-11 attacks. Spare a thought for the victims and their bereaved survivors, and for all who've suffered since in the war on terror.
Starting point is 00:12:06 Thank you. winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:48 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:34 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back.
Starting point is 00:14:11 Obviously, your area of expertise, one of many, is incident response. So we thought we'd touch today on the best ways to go about developing and testing an effective incident response program. What's your advice? Well, my advice is let's step back and look at this from a high level perspective. And really, the words that I think about are cyber resiliency. How does an enterprise become resilient to cyber attacks? I think that really comes down to being able to, one, prepare for, two, detect, three, respond and recover to advanced cyber attacks. And that first step, preparing for, I think is one of the most important, particularly around the areas of incident response. So if you're going to respond and recover and restore your business operations, which is what our clients want to do time and time again,
Starting point is 00:15:13 for all the incidents that we work, the first question out of their mouth is, how do we restore our operational services or how do we recover? And really that begins with preparation. It begins with an incident response plan that takes into consideration not only when something goes wrong, how are you going to do the forensics? How are you going to restore the systems and your backups? But it also includes things like a communications plan. How are you going to effectively communicate to the C-suite and to the board and let them know what's going on? It includes things like operating with legal,
Starting point is 00:15:52 ensuring that you have both general counsel and an outside third party counsel ready to go, spun up, all the contracts are done. Because in an incident or a breach, it is best practice to go with an outside third party in case there is litigation later on. You don't want all of your decisions and all of your data and all of your emails to be subpoenaed. So you want to keep an outside third party counsel on hot standby. And then finally, you also want to have your PR team and marketing team ready to go. Because if there is an operational impact, if there is a material breach or you've lost some PHI or PII or customer data, you want to have your PR team ready to go and talk to the press about what happened with the facts. They are armed with
Starting point is 00:16:47 the contingency plan in case something was lost. How do you ensure that there is a concerted process and a concerted methodology to explain to the market, to explain to your customers in a very public way that you're going to resolve that. And what we're also seeing is a trend not only to respond to a breach or an incident on a technical level, but also address it on a crisis management perspective. So let's take a destructive attack. Last year, about the same time, Dave, you and I were talking about NotPetya. We were talking about WannaCry. We were talking about these destructive attacks. And when there's a destructive attack, you may not be able to access the same systems, applications, and data that you were operating
Starting point is 00:17:34 off of yesterday. So if you need to contact legal to get that contract done with an incident response company, how do you even know how to contact them? In a destructive attack, if you lose your Active Directory or your Outlook, there's no more global address list. Perhaps there's no more Cisco voice over IP anymore because your voice over IP systems have gone down. So you need to have an out-of-band communication system put in place, which includes phone, instant messaging, screen sharing, email,
Starting point is 00:18:06 and a lot of our customers are pivoting to have that hot standby system. And even, if you can believe this, it even will include things like having an air-conditioned room for your war room or catering in some of the more remote environments that we've actually done incident response, particularly in the Middle East, everything shuts down at 6 or 7 p.m. And it can get quite hot in those buildings with no access to food or water for 12 hours as we are working through the incident in a war room. Now, what about this notion, the sports analogy is you practice like you play.
Starting point is 00:18:43 I'm thinking of companies actually taking the time, the investment of time to really seriously rehearse these things. You're exactly right. The traditional way of testing your incident response plan is to do a tabletop. And a tabletop is merely a paperwork exercise where everyone gets in the same room. Some of us use cards or some of us give sheets of paper to say, okay, there's been an incident. What do you do next? And we watch them role play in essence the steps that they are going to take. But what we have found with my larger clients is that is not enough. They can still drill and drill and drill. And when the
Starting point is 00:19:23 actual event occurs, there's still a lot of scrambling around and there's still a lot of nervousness and trepidation and things aren't being done effectively. So what we've done is we've actually introduced what we call a coached incident simulation, which is a hybrid between a red team operation and a blue team operation. So really that's called a purple team. And what that means is we all get in a room and we start our simulation. But instead of saying to the incident response team and role playing with them, giving them a card, we actually give them the full laptop. And that laptop actually has a threat on it. And we actually observe and coach based upon the reaction,
Starting point is 00:20:07 the reaction time and the steps that the technical team follows in order to actually work that incident. So doing pressure testing your incident response plan and actually using real world circumstances and technology, things like cyber ranges is really the next level up that more and more companies are adopting. Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
Starting point is 00:20:55 control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:21:46 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
Starting point is 00:22:10 tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:22:54 Learn more at ai.domo.com
