CyberWire Daily - Trends in phishing. Olympic hacking. Cryptojacking spreads. Litecoin gains black market share. Influence operations. Can Strava be exploited by bicycle thieves?

Episode Date: February 9, 2018

In today's podcast we hear that phishing has gotten more personal with conversation hijacking and attempts on direct deposit instructions. The Olympics have opened: do you know where your hackers are? Apple finds leaked iOS source code on GitHub. Cryptominers found in hospital systems. Litecoin picks up black market share. Notes on recent patches. Concerns about Russian influence operations continue as US midterm elections approach. Dale Drew from CenturyLink on victim notification. Guest is Deidre Diamond from #brainbabe, a nonprofit working to replace "booth babes" at trade shows with students. And are bicycle thieves going online?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Phishing has gotten more personal with conversation hijacking and attempts on direct deposit instructions. The Olympics have opened. Do you know where your hackers are? Apple finds leaked iOS source code on GitHub. Crypto miners are found in hospital systems. Litecoin picks up black market share. We've got some notes on recent patches.
Starting point is 00:02:15 Concerns about Russian influence operations continue as the U.S. midterm elections approach. And are bicycle thieves going online? I'm Dave Bittner with your CyberWire summary for Friday, February 9th, 2018. Phishing shows some fresh plausibility and sophistication as the criminals pay closer attention to their marks. Researchers report a spike in conversation hacking, where criminals interpose themselves into an email thread, spoofing one of the parties to the conversation in an effort to induce the other to open a malicious attachment that carries the Gozi
Starting point is 00:02:55 Trojan as its payload. Other observers note an increase in phishing attempts that induce employees to give up their credentials so their paychecks can be directly deposited in the criminal's account. In this scam, a trusted company resource is spoofed, and suspicious employees who respond to the initial phishing email with questions are promptly reassured that yes, this is legitimate. The Winter Olympics open today, but state-sponsored threat actors have hacked in first. So far it's mostly phishing and doxing by North Korea and Russia, but McAfee and other security firms are warning that anyone interested in the Olympics should raise their anti-phishing alert levels a bit
Starting point is 00:03:34 while the games last. Apple has filed a notice under the Digital Millennium Copyright Act to have GitHub remove leaked iOS source code. Their notice asserts that Apple has been injured by the publication of the code. Specifically, Apple objects to reproduction of Apple's iBoot source code. Speaking to MacRumors yesterday, Cupertino said, Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software
Starting point is 00:04:13 releases to benefit from the latest protections. Observers think the leak both large and consequential. The leak certainly affects iOS 9, and some think it likely that this particular bit of code persisted into iOS 11. Cryptominers turn up in more uncomfortable places, among them a Tennessee hospital's electronic medical record system. Decatur County General Hospital saw the first signs of infestation in November. It began disclosing the incident to 24,000 patients on January 26th. It doesn't appear the hospital's operations were impeded, but some enterprises have reported that crypto miners have slowed their systems to a crawl, effectively preventing them from operating under anything approaching normal levels. As more criminals seek payment in Litecoin, that cryptocurrency
Starting point is 00:05:03 appears to be taking black market share from Bitcoin. Researchers at security intelligence firm Recorded Future have taken a look at 150 of the dark web's top black markets and found that the rise in Bitcoin's price is driving crooks and drug dealers to look for a more affordable alternative. For now, they seem to be finding that alternative in Litecoin. In patching news, Netgear has patched five vulnerabilities that Trustwave's SpiderLabs found in their broadband routers. And WordPress has issued an emergency patch for version 4.9.3, but users will have to apply it manually. Admins are finding the update comes with some headaches.
Starting point is 00:05:50 U.S. interest in forestalling Russian midterm election influence operations remains high, with Congress suggesting strategy to the Department of Homeland Security. Representative Will Hurd told the Atlantic Council Symposium that the model DHS uses to counter violent extremism could be extended readily to countering Russian disinformation. Among those expressing concern about Russian influence operations is former President George W. Bush, who thinks evidence of Russian chaos-inducing disinformation during the last U.S. election cycle is, quote, pretty clear, end quote. He also offered, in a talk at a Milken Institute economic summit in Abu Dhabi, his take on Russian motivation. Speaking of Russian President Putin, Bush said, quote,
Starting point is 00:06:30 He's got a chip on his shoulder. The reason he does is because the demise of the Soviet Union troubles him. Therefore, much of his moves are to regain Soviet hegemony. End quote. Finally, an alert listener tells us we should warn you that the geolocations betrayed by Strava could also be used by thieves who want to steal your bicycle. We've looked into it, and it appears the police in a, to us, unpronounceable Welsh town have been warning against this possibility since 2014. What's that town, you ask? Diffied Piaws? Diffied pows? Diffid poes? Diff-pows? We'd know how to say it if we were
Starting point is 00:07:08 from central Pennsylvania or western New York. But we're a Balmer show, hon. Anywho, our listener tells us this is a thing in the U.S. as well. He says, quote, my understanding is that cyclists like to map their rides and compete with other riders. They also list what their bikes are. Thieves go online and look for a bike, see where the ride always stops or starts, and this allows them to wait for the garage door to go up, and no one is watching, and they take off. These bikes can easily run north of $5,000 or $10,000 and up. Just an FYI. And a good FYI it is, too.
Starting point is 00:07:43 So, thanks, listener. It's not just a military OPSEC matter, but a crime prevention issue as well. A bit of awareness we're happy to share. We'd like to include a special warning to whoever it is that's been seen in the Strava heat map pedaling their Schwinn around the Groom Lake airstrip at Area 51. The gray aliens, widely believed to be resident there, are notoriously sticky-fingered, so take your bike lock with you. It gets nuts in the peloton sometimes, but hey, the truth is out there.
Starting point is 00:08:23 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:03 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:01 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
Starting point is 00:10:21 discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dale Drew. He's the chief security strategist at CenturyLink. Dale, welcome back. We wanted to touch today on this notion of victim notification and the importance of that. What do you have to share there? We have a bit of a dilemma from a victim
Starting point is 00:10:50 notification perspective. We took an initiative late last year and beginning of this year and made the decision to notify every victim that we identify with our threat intelligence platform. So as an example, just us alone, we're tracking 178 million victims globally, and it's about 60,000 new victims a day. And so we want to do something about it. And so- Now, when you say a victim, to tell me what is that, what's the breadth of what that could entail? Ah, that's a compromised computer done by a piece of malware or a bad guy. So that could be a desktop sitting on a consumer's home, or that could be a server or a desktop sitting within a company or corporation. So a company which has been compromised. And so we wanted to do something about it.
Starting point is 00:11:43 And so with regards to notifying our customers who might be victims, that's relatively easy. We've got a trust path to those customers and we can send them notifications and they can feel relatively comfortable that it's coming from a trusted source. But when we made the decision to start notifying anybody on the internet who we saw as a victim of a compromise, we're running into a conundrum of how do you notify a victim that they've been a victim of a computer intrusion without that notification looking like a phishing attack? Right, exactly. How do you do that, Dale? And that's exactly our dilemma is we are trying to navigate a way to be able to notify, in essence, 178 million people who have been compromised by some form of malware that they've been a victim and here are the steps that they need to take to be able to repair their system in such a way that that person can trust that notification and not think it's a phishing attack. And so imagine having to send a notification with no links. You know, if you want more information, you should go to the following locations, but not providing any
Starting point is 00:13:03 reference information. Because if you provide a link, then someone can replicate that and put their own link in it. And so we definitely have this dilemma of, you know, we're sort of on this teetering edge of, you know, how do you build a trust infrastructure to a large base of people that you don't have a relationship with to make them aware that they've been compromised somehow so that you can protect and increase the level of security within the global internet. If we can get 178 million people who are currently compromised and either participating in larger botnets or having their information stolen, if we could notify them and have them take action the moment that they've been compromised, we could have a significant dent in the amount of global internet theft that's occurring today. And that's the dilemma that we don't currently have an answer for,
Starting point is 00:14:00 but it's one that I think is a very emerging problem that we have to solve for to dramatically increase the security of the internet. Yeah, it seems to me like it's sort of the equivalent of almost a digital postcard where you're sending out this message, but at the same time, you're not really looking for interaction with them. You can't become their tech support, so you're notifying them, but you can't have the expectation. With that volume, you can't have the expectation of any really significant interaction, right? Yeah, exactly. I mean, how many people have gotten one of those car warranty expiration letters? Sure. You know, that looks extremely official, and it looks like it came from your
Starting point is 00:14:41 dealership, and it really is an insurance scam. And so we have to find a way. And my largest concern is let's say we do find a way to send a communication, whether it's via a portal or some other mechanism through their internet service provider, as an example. If we do discover a way of sending a trusted communication to these victims, we have to do it in such a way that can't be replicated for bad purposes by a bad guy. And so it's a bit of a double-edged sword where we definitely are tired of seeing victims being taken advantage of and nothing being done about it. And so we made the decision that we were going to invest in notifying anybody we saw being compromised. And like you said, it's about 60,000 new victims a day. But we have to do it in such a way where we can establish some trust with those people. And we can have them have some confidence that when they do that corrective action, they're doing it to really protect their systems and not opening themselves up as another victim.
Starting point is 00:15:45 Well, you got your work cut out for you, that's for sure. Dale Drew, thanks for joining us. Great. Thank you for having me. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:16:31 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Deidre Diamond. She's founder and CEO at CyberSN, a staffing firm specializing in cybersecurity professionals. A few years ago, while attending an industry conference, she grew frustrated with seeing so many booth babes on the show floor, scantily clad women hired to attract attendees into the booth. She couldn't help thinking there had to be a better solution, a win-win for everyone. I thought, oh gosh, why don't we make them brain babes? And I said brain babes out loud and everybody, we all looked at each other and we said, let's go to RSA. My team was around me, a lot of my team. Let's wear shirts to RSA that say booth babe crossed
Starting point is 00:17:16 out and brain babe instead. And we got stopped and talked to so much that I realized my story was so rare. Me being a female at the time, you know, mid 40s and having a successful resume in building, you know, technology and cyber companies. And I realized, wow, I really have such a rare story. story. And so I started getting out and publicly speaking about, you know, the types of cultures that will foster women and why my career was successful and what the environments that I walked into had for me and that I was able to take advantage of. And then fast forward two more years going back to RSA and I'm walking the floors and realizing that all we've done is just change the clothing on these women and we're not training them. And I said, gosh, this is such a shame. These would be great jobs for students, you know, to come see our
Starting point is 00:18:11 environments in terms of the events that we put on and the educational tracks and hear about what we're doing and all the jobs. And so I said, I wish we made these jobs for students. And when that sort of when I realized, you know what, I know how to, I run a staffing agency. This is a staffing job. Why don't I do this? And so brainbabe.org launched STEAM Conference Connection. And that means we take STEAM students from local geographies of wherever the event is and of all genders. And we provide them for booth services and event services. And we give them videos and training on what cyber and all the different types of jobs and, and also give them some instruction on how to work a booth and how to help the folks that are hiring them to work. So to play devil's advocate, if I'm someone who's
Starting point is 00:19:00 running a booth at RSA or somewhere else, What's the problem with me having attractive people there at the entrance to my booth if really their only job is collecting people's badge numbers, scanning their badges, and saying hello and having a nice welcoming presence? What's the downside for me to hire a professional actress to do that? So the downside is that we're sexualizing what is a work environment and you selling sex. If it was just about a pretty person or pretty human, which is also relative in terms of what's pretty, but let's just go with it, then why not have men if we're struggling to be treated as equals. And we go to these work events and that sort of vibe really takes away from us as women, our ability to be taken seriously or treated correctly. And then from a man's perspective, and if you ask a man this, they're not, that's not
Starting point is 00:20:03 where they're going to these events. And the ones that are, you know, they flush out pretty quickly. Like they don't want to just, you know, be talking to these beautiful women in, you know, bikinis. They want to learn about products and they want to understand what the services are. are. And so not only are we making these jobs for all genders and heck those, those models can come to Brain Babe and we'll give them the training such that they understand the field and they show up interested. I'm happy to do that. The problem is we're not utilizing their brains and the problem is dressing them scandalously. Right. And so even with changing their clothing, if we're not willing to educate them on the industry and what's here and what, you know, what we're doing and all that, then we're really just utilizing them to sell sexuality. Yeah, let's go through some of the practical things that you're getting at here with the situation with the lack of women in
Starting point is 00:21:02 cybersecurity. You know, you make the point that there are a lot of reasons why we need to be focused on this. Absolutely. It's a national security issue, first and foremost. We are short over a million people. The numbers are showing to be up to two million by in the next few years. And we still socialize young girls to think that tech and cyber is a keyboard and a hoodie in a dark room, which means they're not coming into our field. You know, so this allows us to spread the word and to show folks and particularly women. However, there's a ton of young men out there who think the same thing and think it's not for them. And the reality is I came, I'm in cyber. I came through the sales divisions of companies and then becoming a CEO of cyber companies to include the ones I'm running now. And so there's all kinds of different ways to be involved in cyber. All those jobs
Starting point is 00:22:03 aren't just the keyboard and hoodie job. In fact, without the sales folks and the marketing people and, you know, and all the folks to manage projects, you know, we're going nowhere. So it's really a collective team effort of high EQ and high skills in whatever, you know, your intellectual focus is, whether it's tech or sales or marketing, we need everybody. And so, yeah, this is all about, you know, all genders and spreading the word to so many people that aren't looking into this industry because they didn't think it was for them. That's Deidre Diamond. You can learn more about the STEAMCon connection at brainbabe.org. And that's the CyberWire.
Starting point is 00:22:58 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:23:19 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:23:40 Thanks for listening. We'll see you back here tomorrow. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
