CyberWire Daily - Under Armour fitness app breached. Warning shot from WannaCry. Lazarus Group update. Aadhaar security questions. Ransomware and city governments. FBI agent charged in leak case.
Episode Date: March 30, 2018. In today's podcast, we hear that Under Armour's MyFitnessPal app has sustained a data breach. Boeing's WannaCry incident is minor, but a timely warning that this particular threat hasn't vanished. The Lazarus Group is showing fresh signs of activity against its usual targets. Questions about the security of India's Aadhaar circulate. Baltimore and Atlanta incidents show the ransomware threat to city governments. An FBI agent is charged with leaking secret documents. Updates on the Novichok affair and the Facebook data scandal. Awais Rashid from Bristol University on blockchain trust issues. Guest is Laurin Buchanan from Secure Decisions, discussing NICE competitions. She is co-chair of the competitions subgroup. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Under Armour's MyFitnessPal app has sustained a data breach.
Boeing's WannaCry incident is minor,
but a timely warning that this particular threat hasn't vanished. The Lazarus Group is showing fresh signs of activity against its usual targets.
Questions about the security of India's Aadhaar circulate. Baltimore and Atlanta incidents show
the ransomware threat to city governments. An FBI agent is charged with leaking secret documents
and updates on the Novichok affair and the Facebook data scandal.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 30, 2018.
Sports apparel manufacturer Under Armour disclosed yesterday that data associated with 150 million users
of the company's fitness app MyFitnessPal have been exposed.
Information at risk is said to include usernames, email addresses, and hashed passwords.
The company began investigating on March 25th when it discovered that an unauthorized party
had accessed the data in February.
Under Armour acquired MyFitnessPal for $475 million in February 2015,
so it's not exactly a recent acquisition,
but there are surely lessons to be drawn with respect to security due diligence during mergers and acquisitions.
Despite the British spelling of its name,
Under Armour is based in Baltimore, in fact quite close to Fort McHenry.
The data security issue with MyFitnessPal is the latest in a series of incidents involving other companies' fitness trackers.
Under Armour's public disclosure four days after realizing that there had been a problem seems commendably fast,
especially given the company's notification of affected users before making
a general announcement yesterday.
Investigation and remediation are in progress.
Boeing insists that reports of a massive WannaCry infection at its South Carolina manufacturing
facilities have been massively exaggerated.
The infection was minor and swiftly contained and did not affect production or business operations.
But it's worth noting that WannaCry is still a risk and that enterprises shouldn't drop their guard.
Unaffected by Pyongyang's recent diplomatic charm offensive,
North Korea's Lazarus Group is showing fresh signs of activity,
probing financial sector targets and looking for ways of obtaining cryptocurrency. This is a long-standing campaign on the DPRK's part as it looks for ways of
redressing its sanctions-exacerbated financial shortfalls through crypto mining and cyber theft.
Reports of vulnerabilities in India's Aadhaar national identification system circulate,
despite official assurances that all's well.
Baltimore's 911 system hack last Sunday turns out to have been ransomware,
city officials said yesterday.
The city was able to restore service after a few hours of resorting to manual backup.
Atlanta's SamSam infestation was far more serious and enduring.
That city continues recovery and remediation.
Consensus among observers is that U.S. municipal governments
need to devote some close attention to protecting themselves
against such attacks, which are likely to continue.
Lenovo is looking over its shoulder at Huawei's regulatory problems in the US.
The FCC is pushing to restrict Huawei systems from use by US wireless providers.
And Lenovo prudently thinks that it may be the next Chinese firm
to find itself in the security crosshairs of regulators.
And a crypto wars update.
The US Department of Justice, especially the FBI, is meeting with researchers who claim to have a third way
that will satisfy both sides of the controversy.
Such a mutually acceptable compromise seems unlikely to us,
but we'll keep you posted.
Some of the approaches being recommended involve key escrow systems,
widely distributed keys that would require public consensus for decryption, and so on.
In any case, this suggests that another round of engagements in Crypto War 3 is about to begin.
The FBI is having a rackety week in cybersecurity and counterintelligence.
First came a report that the imbroglio over decrypting the iPhone used by the San Bernardino jihadist gunman
could have been avoided entirely with better communication among field leadership
and techs. Now an agent has been arrested and charged with leaking secret documents.
Terry Albury, an FBI special agent assigned to the Minneapolis field office, has been charged
with unauthorized transmission of classified national defense information to a journalist,
apparently to The Intercept. Albury's attorneys say he was, quote, driven by a conscientious commitment to long-term
national security and addressing the well-documented systemic biases within the FBI, end quote,
and that he takes full responsibility for his actions.
The Intercept, the same publication to which ex-NSA staffer and contractor Reality Winner
is accused of leaking,
made Freedom of Information Act requests that suggested to investigators
they were already in possession of classified material they eventually published.
And the FBI will receive more uncomfortable attention from the Justice Department's Inspector General.
The IG has opened an inquiry into compliance with legal requirements and
applications the Bureau filed with the U.S. Foreign Intelligence Surveillance Court
relating to an unnamed U.S. person. Russia has responded to punitive U.S. diplomatic moves with
tit-for-tat expulsions and a consular closure of its own. U.S. official policy toward Russia is
hardening, with concern running high about
Russia's threat to the grid. The Russian ambassador to the U.S. is having trouble getting officials
to take meetings with him. It's thought that the U.S. closing of Russia's Seattle consulate
may have been particularly painful to Moscow. It's thought to have been a major center of
spying on technological development. For their own different reasons, Facebook's Mark Zuckerberg and WikiLeaks' Julian Assange
have had a bad PR week.
Mr. Zuckerberg's response to Facebook's data scandal hasn't gone over particularly well
with users, and his Silicon Valley peers aren't showing him much love either.
Apple CEO Tim Cook's commentary on the Facebook and Cambridge Analytica affair
verges on schadenfreude. And Mr. Assange looks more like a Russian stooge than a libertarian activist.
He's still got support from Pamela Anderson, but a number of others who've applauded his conduct
of WikiLeaks are very much put off by his retailing of the Kremlin line in the matter
of the attempted murder in Salisbury
of Sergey and Yulia Skripal by nerve agent.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices. Protect your executives and their families 24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at
the University of Bristol. Welcome back. You know, certainly Bitcoin has been in the news lately
with the wide range of prices as it's been swinging back and forth.
And we wanted to touch today on blockchains and specifically issues of trust.
What do you have to share about that today?
So Bitcoin is actually a great example of blockchains.
And there is a view, which is not incorrect, that Bitcoin, because of the underlying cryptographic algorithms that underpin it, is trustless by design.
True as that might be for the cryptographic protocols that underpin Bitcoin,
I can show that the wider ecosystem in which Bitcoin exists and where the transactions happen actually is shaped quite strongly by both human and organizational aspects of trust.
So when we're talking about these trust issues, I mean, what sort of factors come into play?
Well, if you think about it, Bitcoin itself is cryptocurrency. And yes, it was designed to be
not under the control of any institution per se and be a purely decentralized, ledger-based system.
But as Bitcoin has evolved, there are a number of organizations that have evolved in the ecosystem.
So you have got the exchanges.
You have actually also the core development team as well, which is also in some form a group or organization. You've got
escrow systems and all those kinds of things. So while the cryptocurrency itself may not require
any centralized control or trust, when transactions happen, you still have to trust all these parties.
You have to trust, for example, that the core development team is doing its job properly. You
have to trust that you can exchange currency through the
exchange mechanisms that exist. You have to trust in escrow systems and so on. And of course, the
only thing that the ledger confirms is that the transaction has taken place. It doesn't actually
confirm that goods have been delivered. And that's why you have all these additional systems that
have come into play. So the key thing to think about is that as we are moving towards a world
where blockchains are being seen as a key solution for a number of applications from, for example, things like energy trading to even providing security for Internet of Things devices and things like that.
It is very important to understand that it is not just the blockchain that matters.
There are lots of complex human and organizational aspects of trust that come into play when people use these systems.
And there will need to be organizations or systems that would need to evolve beyond the blockchain in whatever context it is deployed for that trust to be engendered and people actually being willing to engage with that particular application of blockchain.
As always, Awais Rashid, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Laurin Buchanan.
She's a principal investigator at Secure Decisions, but she joins us today to talk about
NICE, the National Initiative for Cybersecurity Education, where she serves as co-chair of the
competitions subgroup. The National Initiative for Cybersecurity Education is a working group
that is a cooperative work alliance between the government. NIST is currently heading the National Initiative for
Cybersecurity Education, but lots of government agencies participate. There are members of
academia, both higher education and K-12 and informal education and industry as well. So it's
kind of the entire universe coming together to say we need to do more and to educate the cybersecurity professionals as well as create a pipeline for the next generation of cybersecurity professionals.
And you were a part of that pipeline. You're the co-chair of the competition subgroup. What does your group do there?
So the competition subgroup is really trying to promote a wide spectrum of cyber competitions that are intended to advance knowledge, skills, and abilities in the cyber field.
The idea is to help public and private competitions develop,
providing guidelines, standards, and best practices.
We have a number of projects that are currently
focused on identifying how to build a cyber competition, as well as how to participate
in a cyber competition, because we recognize that not everybody is clued in to the fact that
these competitions exist and how they can participate. And can you give us an idea of
what are the range of ages of people who participate in these competitions?
Oh, well, there are competitions for middle school kids, clubs, and groups like the Cyber Patriots that have teams of students who learn while they're competing
and then actually have the joy of going off and doing a national competition
if they have made it through the qualifying rounds.
There are college students, high school students, people in the workforce,
people who are transitioning into cyber but have spent years working elsewhere.
It's the full gamut of novices to experts from middle school on up,
and I think that probably in the next few years we'll actually see some form of competitions for elementary school students.
And what does the actual environment of having this be a competition,
what does that provide versus things like regular classroom learning, continuing education, those sorts of things?
Well, depending on the competition, whether it's a solo competition, an online competition, or a team competition,
you can get different things out of
it. But in reality, most of the competitions allow you the opportunity to practice something that you
may have conceptually learned, but now you actually get to apply those skills and knowledge
into solving a problem, a challenge that's been set forth. And sometimes these challenges are
incredibly real-world based. There are some competitions at the collegiate level where an organization entity has been described,
an environment has been set up, there are real-world regulatory concerns, and real-world
failures, both in terms of cybersecurity or maybe even just business failures that you
now have to understand and deal with and confront,
just as you would in the real world.
So it's a microcosm of the things a cyber professional might actually do in their day-to-day
job.
And when I say cyber professional, we're talking in the gamut here from cyber defense to forensics
to policy.
Competitions address all topics in cyber domain at this point.
If folks want to find out more, what's the best way for them to get more information?
The National Initiative for Cybersecurity Education has a website that's part of the NIST.gov website.
And the competition subgroup has a page there. And many of our publications
are available for download there. We also have a letter that is 10 things parents need to know
about cyber competition, which is useful in case parents are wondering, well, cyber competition,
doesn't that mean hacking? Because it's not at all what it means. People can also go to
Cyber Compact, the Cyber Competition Exchange. That's cybercompx.org. It's a social media kind of website, social networking site
for people who are interested in cyber competitions. They have calendars, they have
information, they are hosting the podcast that the competition subgroup is currently doing,
which actually talk with various people who are involved in cyber competitions,
whether you're looking to host a competition or you're just interested in participating
as a competitor. I think it's important that people understand that cyber competitions,
while they're incredibly serious because they are a competition and people want to win,
they're also an excellent way to get to know other people. That is not just the competitors, but people who are at different stages in their careers who may be able to connect you with additional resources.
They're an excellent way to find people who are trying to hire cybersecurity professionals in various roles. And it's a great way to discover more about
cybersecurity because even in a narrowly focused competition, there are going to be people with
different backgrounds. And if you meet them and have a conversation with them, if it's an in-person
event, it's a great way to learn more. Even if it's a solo online competition, just seeing the
questions that are asked and the things that are presented in terms of the competition is always a learning experience.
That's Laurin Buchanan.
She's a principal investigator at Secure Decisions,
and she's also the co-chair of the competitions subgroup for NICE, the National Initiative for Cybersecurity Education.
To stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver
measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.