CyberWire Daily - Utility phishing. Google wins on the right to be forgotten. Transatlantic data transfer. Responsible state behavior in cyberspace. Huawei and 5G. Permanent Record, temporarily phishbait.
Episode Date: September 24, 2019

APT10 has been phishing in US utilities. Google wins a big round over the EU’s right to be forgotten. European courts are also considering binding contractual clauses and Privacy Shield, which together have facilitated transatlantic data transfer. Twenty-seven nations agree on “responsible state behavior in cyberspace.” A hawkish take on Huawei’s 5G ambitions. And Edward Snowden’s book is being used as phishbait (not, we hasten to say, by Mr. Snowden). Johannes Ullrich from the SANS Technology Institute on the security issues with local host web servers. Guest is Fleming Shi from Barracuda with research on city/state ransomware attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
APT10 has been phishing U.S. utilities.
Google wins a big round over the EU's right to be forgotten.
European courts are also considering binding contractual clauses and privacy shield,
which together have facilitated transatlantic data transfer.
27 nations agree on responsible state behavior in cyberspace,
a hawkish take on Huawei's 5G ambitions,
and Edward Snowden's book is being used as phishbait.
Not, we hasten to say, by Mr. Snowden.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, September 24th, 2019.
Proofpoint has released a report concluding that APT10, associated with China's government, was responsible for a series of phishing attacks conducted against at least 17 entities in the U.S. utilities sector
between April 5th and August 29th of this year.
The malware used, called Lookback, which was discovered in the wild in July,
was embedded in malicious Microsoft Word files attached to emails.
The APT impersonated the Engineering Research and Intelligence Institution,
and its emails represented themselves as invitations to complete the Global Energy
Certification exam. The activity appears to involve reconnaissance and battle space preparation.
The European Union's Court of Justice has found that Google is not liable
for enforcing the EU's right to be forgotten worldwide.
The poignantly named right to be forgotten guarantees European citizens
the right to have information about them removed from the Internet,
and particularly from that portion of the Internet indexed by search engines,
which of course makes the rule particularly important to Google.
The court ruled that the EU could not require Google and others
to remove data from the World Wide Web as a whole,
and that its writ didn't run outside its member nations.
So it would seem that European regulations will, at least in this respect,
fall short of becoming a de facto global regime.
The ruling was certainly welcome to Google,
but it will take a bit of time before companies and others fully work out its implications.
The Wall Street Journal thinks other decisions expected soon
will introduce more uncertainty into transatlantic data transfers.
There's a challenge to the EU's Privacy Shield rules
that may make it more difficult to move information between Europe and North America.
Privacy Shield, the 2016 successor to Safe Harbor, had governed such transfers along with standard
contractual clauses. Both Privacy Shield and the contractual clauses are being challenged
on the grounds that they don't sufficiently protect European data from American misuse. A decision on the binding contractual
clauses is expected in December, with one on Privacy Shield to follow shortly thereafter.
If you do transatlantic business, prepare to lawyer up.
Lately, it seems that distributors of ransomware have been targeting cities and municipalities.
For a variety of reasons, they've been irresistible targets for these particular crooks.
Fleming Shi is chief technology officer at Barracuda Networks.
He offers these insights.
A lot of the ransomware attacks in the past were going after consumers,
but we're seeing an uptick in attacks on cities, where potentially
cities can pay more, but also some cities are starting to have insurance coverage.
That's one of the biggest fears I have: once we have insurance coverages, you can
have larger payouts.
The bad guys kind of just go after that kind of situation where then,
obviously, they get more pay. You know, we're feeding the attackers in that way, right?
And what makes these city governments and small towns and so forth, what makes them a particularly
attractive target?
Basically, a lot of the attacks are going after services that could affect, you know, basically basic services,
right, including law enforcement, which can be disrupted. I think that the level of impact
to everyday life is higher, especially when they hit home in the cities. And also information related to citizens is gold to the bad guys, right?
You can identify relationships between people.
If you get that information, you can identify social engineering angles to further mount additional personal attacks or more targeted attacks against people, using their information to do more damage, you know,
by opening accounts and doing things like that. So I think the information within city halls that
used to be walled off with a lot of protection, physical protection, now, you know, can be easily
exposed digitally, which becomes fuel for the bad guys to do more to everyone.
So what are your recommendations for cities to go about protecting themselves?
What sort of things should they put in place?
The number one thing is figure out how not to pay the ransom.
If the business is not there for the bad guys, they will retreat.
The only way you can protect yourself really
from a situation like this is making sure all your perimeters and all your attack surfaces are covered. Email obviously is one of the highest attack vectors used by the bad guys. At the same time,
make sure you have backup, right, and also ensure the backup is being tested so the restoration of your data is sufficiently fast that you can restore services if you need to.
Also train the city clerks and do phishing training, and also ensure the email that's coming in, the attachments, are clean.
So there are a multitude of things you can do: having a good backup
that's well tested, also well-trained staff who touch citizens' data, you know, and also ensuring
all the applications that are actually accessible by the citizens are protected by some type of
web application firewalling capability so you can defend against SQL injection, cross-site scripting,
all those very standard things.
Because applications in the private sector are very useful,
especially web applications.
And now they're becoming more useful in the public sector as well.
So you can do lots of things online, right?
I think it's added convenience,
but also exposes a greater
surface for potential attacks. That's Fleming Shi from Barracuda Networks.
As the United Nations General Assembly's annual summit meets, some 27 countries,
including all the Five Eyes, have issued a brief joint statement on advancing responsible
state behavior in cyberspace.
It calls for bringing cyberspace into the framework of international law.
In particular, this would by implication mean applying the principles of proportionality
and discrimination that inform the law of armed conflict,
rendering critical civilian infrastructure off-limits,
while permitting legitimate intelligence collection,
and during periods of conflict, attacks against military targets. Thus, a missile command
and control network would be a legitimate wartime target, but a city's water utilities would not.
CNN and others see the statement as directed implicitly against Russia and China.
The statement condemns attempts to undermine democracies.
They're looking at you, Moscow, and undercut fair competition,
which would be you, Beijing.
The statement doesn't name those two governments explicitly,
but you don't have to be Henry Kissinger to figure this one out.
The concerns on display in the statement have been addressed at length elsewhere.
For example, this morning we attended a press conference
convened by Global Cyber Policy Watch,
a project of Cambridge Global Advisors.
Three experts spoke, Tom Ridge,
former U.S. Secretary of Homeland Security
and 43rd Governor of Pennsylvania,
Nate Snyder, senior counterterrorism official
with the Department of Homeland Security
and the Countering Violent Extremism Task Force under U.S. President Obama,
and Chris Comiskey, former undersecretary for management at the U.S. Department of Homeland Security
and current senior fellow and adjunct faculty member at Virginia Tech's Hume Center for National Security and Technology.
The topic was 5G technology and what's at stake with it in terms of security.
And in the context of 5G, discussions of security seem inevitably to be discussions of Huawei.
The three speakers gave a thoroughly hawkish assessment of the risks of allowing the Chinese
telecommunication and IT giant to achieve a dominant position in the coming 5G infrastructure.
Governor Ridge characterized
Huawei as, quote, basically an extension of the Chinese government, an instrumentality of the
state, and in sum, a massive, massive security risk, end quote. He pointed to the large ownership
stake, almost 99%, held by Chinese trade unions, which are organized under, and whose leaders are appointed by, the
Chinese government, as evidence of the company's position in China.
The company's attempt to secure a dominant position for itself in 5G infrastructure is,
the panel said, a long game being played patiently. It competes on price and time to market,
both of which, the three speakers said, it's able to offer because of heavy government subsidies.
5G will be so pervasive in economic life, Secretary Comiskey said,
that as a globally distributed platform, it's important to avoid its domination by any one entity.
Yet such domination is what Beijing aims at, the panelists said.
Mr. Snyder pointed out in particular that interoperability is essential
to the sort of openness one wants in 5G or any comparable infrastructure,
but Huawei, he said, wants no interoperability whatsoever,
which would give it a de facto vertical monopoly.
In response to questions about evidence for Huawei's enjoyment
of substantial government subsidies and for specific intelligence tying Huawei to repression of Hong Kong dissidents and China's
own Muslim minorities, the panel pointed for the most part to circumstantial evidence and
a priori possibility. Snyder said, quote, there may not be a smoking gun, but it's not a hard
dot to connect, end quote. We asked them how they would advise the U.S. government to engage China over this matter.
Governor Ridge spoke for the panel by recommending that the administration listen to
and take the advice of the intelligence community and U.S. Cyber Command.
He also thought that this was an excellent time for consultation and coordinated efforts by the Five Eyes.
And finally, Edward Snowden's new book, Permanent Record,
is being used as phishbait, Bloomberg reports.
Criminals unconnected with Mr. Snowden are emailing a PDF
that purports to be the book and asks the recipient to open and share the PDF.
The email says the book has been banned, which isn't true in any case,
so refuse the chain letter.
The PDF holds malware. Read the book if you're interested, but turn down the PDF. There's no such thing as a free lunch.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Technology Institute,
and he's also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
Interesting stuff you wanted to cover today, some stuff going on with sandboxing web browsers
and some local host web servers.
What are we talking about here today?
Yeah, what this is really all about is that we see more and more web servers pop up on
desktops
that are typically not associated with running a web server.
But the reason this is happening is to make it easier
to integrate various software with web applications.
In your web browser, it's not easy for the web browser
to start an application on a laptop, on a desktop.
So what these companies are doing,
they're setting up a little web server.
Then you can send a normal HTTP request to this web server,
just like to any other website.
And that web server will now start software,
collect system information,
anything that the web browser,
for pretty good reasons, isn't allowed to do.
And a couple of companies, well, have gotten into trouble about this recently.
Yeah, I think the one that's attracted a lot of attention was Zoom, the popular conferencing
service. They caught some heat for this.
Yes, exactly. For them, it was usability. That's what it came down to. One of their differentiators is to be the more usable, the easier to use video conferencing system.
If you click on a link and you go to their website, and then it would like to start the
Zoom application on your system, typically in your browser there will be a little dialogue box warning you that the website is now going to start this application, and they didn't like that.
So in order to avoid that dialogue box that the user has to click on, they actually installed a
web server on the user's system. Now, what of course hit them a little bit worse than just
the web server itself was that when you uninstalled the application, well, it left the web server behind.
That one didn't get uninstalled.
And also because, well, they didn't really secure that web server correctly, it could be used to then launch any application.
So some of the software you often get from manufacturers like Dell and such that then helps them offer support via web-based tools. So now the web-based tool can reach out to their application that's installed on your laptop, desktop, that then provides them debugging diagnostic information about your hardware.
Now, is there any easy way to go through systems to audit them to see if these rogue web servers are running?
No, you should definitely take a look at your system, see if anything is listening
on a network port.
The tricky part here is they will only typically listen if they're somewhat configured correctly
on the loopback
interface. So you will not be able to reach them, for example, with a port scanner or something like
this. But yeah, just take a look at what's listening on your system. You'll probably be
surprised even if you don't have anything bad listening on your system. There's always something
there that you probably don't recognize. It's probably good to follow up on that and figure
out what it does. And if in doubt, just use a tool like Netcat or so, connect to the port, send a little HTTP request, see what
you get back. It's not always HTTP, but HTTP is particularly dangerous because that could then be
triggered by a malicious website that you visit in your browser. All right, Johannes Ullrich,
thanks for joining us. Yeah, thanks.
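The audit Ullrich describes, as an added example that is not part of the transcript and not code from any product mentioned: connect to each loopback port, send a minimal HTTP request, and classify the reply, flagging HTTP listeners because a web page could drive them from the browser. The port list is an assumption supplied by the caller (on a real host, take it from netstat, ss or lsof output); the two listeners the script starts are constructed stand-ins for a vendor helper, with a hypothetical product name, so it runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"   # the "little HTTP request"

def probe_port(port, timeout=1.0):
    """Classify 127.0.0.1:port as closed / silent / non-http / http (plus vendor hints)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(PROBE)
            try:
                data = s.recv(4096)
            except socket.timeout:      # accepted the connection but never answered
                data = b""
    except OSError:  # connection refused: nothing listening on that port
        return {"port": port, "kind": "closed"}
    if not data:
        return {"port": port, "kind": "silent"}
    if not data.startswith(b"HTTP/"):
        return {"port": port, "kind": "non-http", "banner": data[:64]}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    server = next((h.split(":", 1)[1].strip() for h in head[1:]
                   if h.lower().startswith("server:")), "")
    return {"port": port, "kind": "http", "status": head[0], "server": server}

def audit_ports(ports):
    """Probe every port; return all results and the HTTP listeners worth a closer look."""
    results = [probe_port(p) for p in ports]
    return results, [r for r in results if r["kind"] == "http"]

# Constructed stand-ins for a vendor helper: one speaks HTTP, one does not.
class _Helper(BaseHTTPRequestHandler):
    server_version = "ConstructedVendorHelper/1.0"   # hypothetical product name

    def do_GET(self):
        body = b'{"diagnostics": "ok"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def start_http_helper():
    """Loopback HTTP server on an ephemeral port; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _Helper)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def start_raw_listener():
    """Loopback TCP listener that answers with a non-HTTP banner; returns the port."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    def serve():
        while True:
            conn, _ = ls.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(b"NOT-HTTP banner\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1]

if __name__ == "__main__":
    for r in audit_ports([start_http_helper(), start_raw_listener()])[0]:
        print(r)
```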
For more of these stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.