CyberWire Daily - Watering hole for iPhones. Dental record service hit with ransomware. Huawei reportedly under investigation for IP theft. “erratic” faces cryptojacking charges. Farewell to a Bletchley Wren.

Episode Date: August 30, 2019

Google’s Project Zero releases information on a long-running watering-hole campaign against iPhone users. A dental record backup service is hit by ransomware, and the decryptor the extortionists gave them may not work. Huawei may be in fresh legal hot water over alleged IP theft. Cryptojacking charges are added to those the accused Capital One hacker faces. And we say farewell to a Bletchley Park veteran. Emily Wilson from Terbium Labs on back-to-school season in the fraud markets. Guest is the one-and-only Jack Bittner, with his insights on how middle-schoolers are handling security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_30.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Hi, Jack. Hello. Do you want to be on today's show? I would love to.
Starting point is 00:01:58 All right, let's do it. Google's Project Zero releases information on a long-running watering hole campaign against iPhone users. A dental record backup service is hit by ransomware, and the decryptor the extortionists gave them may not work. Huawei could be in fresh legal hot water over alleged IP theft. Crypto-jacking charges are added to those the accused Capital One hacker faces. We take a look at back-to-school cybersecurity with pre-teen friends and family, and we say farewell to a Bletchley Park veteran.
Starting point is 00:02:36 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 30th, 2019. Google's Project Zero has released details of its research into a quiet, sustained watering hole campaign against iPhone users. They found five distinct exploit chains in use by the attackers. Google's blog says, quote, There was no target discrimination. Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. It's worth noting that indiscriminate isn't to be insisted on too broadly. The watering hole campaign was indiscriminate, but within the communities it targeted. The report says little about who those communities might be,
Starting point is 00:03:28 but their closing advice to be alert for campaigns targeting you as a member of a given ethnic community or a resident of a certain geographical area suggests the sort of bounds within which the attackers operated. They appear to have had particular groups in mind. Apple patched the zero-day vulnerability the campaign exploited in February. Google notes that this single campaign probably represents the proverbial tip of the iceberg. That Google found it at all, the researchers say, was a fail on the attacker's part. There are probably other campaigns, Mountain View says, that remain undetected.
Starting point is 00:04:11 PerCSoft, cloud provider for the Digital Dental Record and a widely used backup data repository for the U.S. dental profession, has sustained a ransomware attack. PerCSoft is believed to have paid the ransom to obtain a decryptor, but there are reports the decryptor hasn't been fully successful. The ransomware strain involved appears to be REvil, also known as Sodinokibi. The Wall Street Journal reports in an exclusive that U.S. federal prosecutors are investigating Huawei for alleged intellectual property theft. The investigation includes at least one subpoena from the U.S. attorney for the Eastern District of New York, and this suggests to the Journal that the inquiry is looking into some hitherto unexamined case of IP theft. Huawei, which has denied that it steals intellectual property for almost as long as it's been suspected of doing so, is currently fighting a case in a Seattle court that alleges the company
Starting point is 00:05:02 illicitly obtained details of T-Mobile test equipment. Who the alleged victims in the present investigation may be remains unknown, and the U.S. Department of Justice is remaining tight-lipped. But the Journal does say that the FBI has interviewed a Portuguese national who's complained that digital imaging technology he developed had been misappropriated by Huawei. Cryptojacking charges have been added to those accused Capital One hacker Paige Thompson faces. An additional indictment was filed Wednesday, Infosecurity Magazine reports.
Starting point is 00:05:39 The new indictment does include some newly identified victims of the alleged crimes, a state agency outside the state of Washington, a telecommunications conglomerate outside the United States, and a public research university outside the state of Washington. All told, the indictment alleges that the victims were Capital One and 30 unnamed others. The cryptojacking, which produces altcoin, also provides a rational criminal motive for the alleged crime. There seems to be no such rational purpose to the data theft that Capital One sustained. CSO magazine interviews several experts who point out the difficulty of preparing defenses against a hacker who works without a rationally discernible motive. John McAlaney, a psychologist at Bournemouth University with an interest in the psychology of crime, hacking, and hacktivism,
Starting point is 00:06:25 pointed out to CSO that many cyber attacks are indeed random and motiveless. The hacker may come up with a personal, political, or criminal reason for their activity, but these can often be retrospective and have nothing to do with their actions. Apple has responded to privacy concerns over its recording of Siri interactions by deciding to disable recording and storage by default. This autumn, users will be given the option of turning it on, Ars Technica reports, should they be interested in helping train the AI. And finally, this week, the security and cryptological communities remember a Bletchley Park veteran. The Royal Gazette reports that Pamela Darrell, born in Rutland but making her home in Bermuda, has died at the age of 93. Mrs. Darrell joined the Wrens during the Second World War when she was just 17.
Starting point is 00:07:18 She hoped, she'd said, that the Women's Royal Naval Service would send her to sea. Instead, they sent her to Bletchley Park, which, while not Topeka or Chelyabinsk, is by English standards about as landlocked as they come. She served there throughout the war, breaking German codes. Her work remained secret for decades. She was only able to tell her husband about her service when classification of wartime activities was relaxed in the 1970s.
Starting point is 00:07:47 So, hail and farewell, Mrs. Darrell, and spare a thought and some conversation for the Second World War generation. We won't have them with us for much longer.
Starting point is 00:10:24 And I'm pleased to be joined once again by Emily Wilson. She's the VP of Research at Terbium Labs. Emily, we are coming up here on that time of year when it's time for kids to head on back to school. And that provides some opportunities for folks who may not be up to any good to try to take advantage of them. This is a fantastic time of the year for cybercriminals. Of course, if you're a cybercriminal, if you're a fraudster, you love things like the Christmas shopping season. The back to school period is also just a really great time, unfortunately, for these cybercriminals to work out all sorts of schemes and collect all kinds of data. There are a few different ways
Starting point is 00:11:00 that this is problematic. One, you have these kids who are going off to school. I'm thinking here specifically about college freshmen. You think about the number of emails that you get, the number of links you're sent, the number of places you need to enter your data for housing and for orientation, for clubs and career fairs, right? So there's a lot of different places there for people to be collecting data to questionably secure systems and also a ton of opportunities for phishing. If you're a college freshman and you have your college email address for the first time and you get something, hey, free pizza, come click here and put in your information. Of course you're going to click it. Everyone loves free pizza.
Starting point is 00:11:40 It's your first time at school. So that's really exciting for people. That's sort of on the data side. On the other side, on sort of the financial fraud side, we have big ticket purchases here. Maybe stuff for a dorm room, maybe you're getting a car for the first time, certainly for electronics. There are a lot of opportunities here, again, to phish people or to collect data or opportunities to sneak fraudulent purchases in under the radar. You think about normal spending patterns, right? We've talked about how during the holiday season, you know, it might not be normal for you to make five Amazon purchases in an hour and ship them to
Starting point is 00:12:15 three different addresses. But a week before Christmas, you might do that. Same thing with the back to school period. It might not be typical to go and spend a lot of money at the Apple store or to make five trips to Target or what have you. But you might do that in the middle of August. If you're moving, you might see charges out of state depending on what sort of school you're going to. And so there's all of these questions here where is it traditional spending? Is somebody taking their kid to school? Is it a fraudster? How would you know? When do you pull the trigger? Fraudsters love that. They love that uncertainty. Yeah, I can imagine too. There's probably a lot of folks who those
Starting point is 00:12:49 bills get sent home to mom and dad. They may see purchases in the school bookstore or the local Ikea or something like that and not think twice about it. That's definitely a great example. You have parents who are just going to say, you know, wow, they spent a lot of money this month, but you only go to college once. Or, you know, for students on the other side, this might be the first time that some of these kids have financial independence. It might be the first time that they have a credit card. It's certainly, you know, the first time that they might be getting inundated with credit card offers. You know, how many of those are getting intercepted? How many of those are legitimate? If you get an email saying,
Starting point is 00:13:25 hey, you need to finish setting up your new credit card, click here and enter your information and verify your card number for us. You know, as a college freshman, how much do you know about any of this? When do you know to be suspicious when it is a time of your life where a lot of people are looking for a lot of sensitive data. It's a difficult position. No, it's an interesting insight. Emily Wilson, thanks for joining us. Thanks.
Starting point is 00:14:01 And joining me today on our Cyber Wire show is our extra special guest all the way from Lake Elkhorn Middle School in Columbia, Maryland, Jack Bittner. Hello. Jack, welcome back to the show.
Starting point is 00:14:50 You know, we brought you back because we've had several listeners write in and say, when's Jack coming back? Well, here I am. Here you are, ready for back to school. Yeah. Yeah. So. Seventh grade. Seventh grade.
Starting point is 00:15:02 Very exciting. School starts next week. Right. So I wanted to touch base with you and learn about how you and your friends think about and handle your cybersecurity issues. So let's just start off with just some really basic stuff here. When you think about cybersecurity, what kind of stuff do you think about? I'd say passwords, online accounts,
Starting point is 00:15:35 keeping your online information safe. How about privacy? Yeah, privacy. So not saying your real name online. That's a rule that me and my friends use a lot. We're playing video games together. Why is that? Just because, you know, better safe than sorry. You don't want people knowing your name and where you live. Do you ever have any issues with that? Have you ever had people come and be a bully or be creepy on any online gaming things? Not really. We're pretty safe. That's good. So let's walk through some of those things together in terms of passwords.
Starting point is 00:16:10 How do you come at your password security? Usually I custom make something for which site I'm on. So if it's Facebook or Snapchat or Instagram or Xbox, I have a different password for each. Okay, so you don't reuse passwords. Yes. Very good, very good. That's my boy. Never share your password. Never share your password, right?
Starting point is 00:16:33 Right, all right. Excellent, excellent. Let's talk some about school. Okay. Your school has Computer Lab. Right, yes. What kind of security is set up there? Well, you log in with your username and password, which are set by the school. Yes. Okay, so the school gives out username and passwords for everybody. And then usually we use
Starting point is 00:16:57 sites like Canvas, which help us with our, organize our school things. So we use the name of passwords for those. Now, do you have access to the internet on the computers in the lab? Yeah. Yeah. That restricted? It might be. I wouldn't know. But you've certainly, you've seen your friends. I guess what I'm getting at is, do kids at school figure out workarounds to get past any of the security things at school? I wouldn't say that there are a lot of security blockers at school. I think a lot of kids at school are smart, and they know that if they are, you know, doing something that they are not supposed to
Starting point is 00:17:39 on the school computers, that they'll get caught by one of the teachers. And the teachers are good with letting us know what we're supposed to be on and what we're not supposed to be on. How does that happen? They just kind of enforce it. Yeah. So what about at home when you're using a computer? We have a family computer that we use for your homework.
Starting point is 00:18:01 Right. You recently got handed down a Chromebook. Right. You used that. Right. How do you approach your security with those devices? Same thing, you know, username, password, keep everything safe. Usually I use the family computer for homework and research and stuff.
Starting point is 00:18:19 I use my laptop for playing games and not just games, but, you know, if I need to write a paper or do some research on the laptop, I'll do it on there too. Do you have any friends who've had any issues with cybersecurity, of getting their devices hacked or things like that? Uh, yeah, some kids at school with their Instagram accounts, to, you know, the classic, uh, get free followers by clicking this link. Oh. And so they give their username and password out, and then they get their account hacked. I see. So there has been a couple instances of that at school, but not to me.
Starting point is 00:18:58 What about on your phone? You have a mobile device. What do you do to keep that safe and sound? I mean, always keep it on you. I don't really give it out to people unless I know them. But I don't really even give it out. I just need to show somebody something on my phone. I can let them see something.
Starting point is 00:19:19 You show it to them but don't hand it to them necessarily? Well, yeah, I mean, you know. Depends on who it is. Right, yeah. And, you know, I have a password on my phone. I haven't given it to anybody. Mm-hmm. Have you ever lost your phone? Yes, I have lost my phone, actually, a couple times.
Starting point is 00:19:31 But I've found it. Okay. You've gotten it back safe and sound. Right, yeah. Yeah, yeah. What about your friends? I mean, overall, do you think your friends are doing a good job with this stuff?
Starting point is 00:19:50 Do you think, I guess my question is, do you think kids today are up on the basics and know how to keep themselves safe? Yeah, I do, because I think that we live in a very cyber world and everybody's on their phones a lot or on the Internet. So I think kids really understand how to keep their things safe. So what would your advice be for parents who are sending their kids off to school? What do you think the best approach is for parents to educate their kids and handle these things in a way that the kids are going to respond to? I think that teaching kids about passwords and keeping their privacy safe online and, you know, like I talked about before, not giving your personal information out online, which I think should be a given with online things because, well, I think, you know, kids are smart and I think they know not to give out
Starting point is 00:20:45 personal information like that, that could lead to no good. Do you think the kids today are better at this than their parents? Some of them. But, you know, people like me, my dad is a cybersecurity master. Um, and so, but I think a lot of them are, because, you know, kids are, you know, stereotype goes, stuck in their phones all the time. Yeah. Which is true sometimes, but, um, I think they just have a lot more experience with that type of stuff than some of their parents do. Yeah. All right. Well, Jack, good luck to you with this year's school year and stay safe out there.
Starting point is 00:21:25 Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:21:51 Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:22:00 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
Starting point is 00:22:18 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
