CyberWire Daily - Web hosts fix account takeover issues. Passenger Name Record exposure proof-of-concept. Swatting isn't funny. Chinese manufacturers and suspicions of espionage.
Episode Date: January 15, 2019

In today's podcast, we hear that a bug hunter has found and responsibly disclosed issues in web hosts. Compromising Passenger Name Records in airline reservations. Business email compromise seems on the rise, and it's also growing a bit more interactive. A Facebook executive is swatted, and absolutely nobody should dismiss this sort of thing as a joke. China would like everyone to stop saying bad stuff about Huawei, but the Polish government seems unconvinced that there's nothing to see here. Rick Howard from Palo Alto Networks, revisiting the notion of a cyber moon shot. Carole Theriault reports on a hack of the Australian emergency warning system. She speaks with Paul Baccas from Proofpoint. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_15.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A bug hunter finds issues in web hosts.
Compromised passenger name records have been found in airline reservations.
Business email compromise seems on the rise, and it's also growing a bit more interactive.
A Facebook executive is swatted, and absolutely nobody should dismiss this sort of thing as a joke.
China would like everyone to stop saying bad stuff about Huawei,
but the Polish government seems unconvinced that there's nothing here to see.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 15th, 2019.
A well-known bug hunter has located a dozen flaws that affect some of the largest web hosting companies on the internet: Bluehost, DreamHost, HostGator, OVH, and iPage.
The researcher, Paulos Yibelo, disclosed his discovery to the affected companies before
making it public, and he says the issues have all been fixed.
The account takeover bugs he found arose, as TechCrunch puts it, from, quote,
aging infrastructure, complicated and sprawling web-based back-end systems,
and companies each with a massive user base, end quote.
Amadeus, the widely used airline reservation system that interfaces with major carriers
like Air France, British Airways, Icelandair, and Qantas,
is reported to leave passenger records open to manipulation.
Israeli security researcher Noam Rotem told TechCrunch that he's discovered that you can
change anyone's booking by plugging in their reservation number.
You could, for example, switch someone to a middle seat or reroute their frequent flyer
miles.
You might also be able to obtain personal information, including phone number, email,
and home address.
These passenger name records, or PNR, are widely shared internationally and have been around so
long they are generally not secure. Rotem points out that you can get a booking number by scanning
a boarding pass barcode. You might do this if you were ill-intentioned by walking around an airport
and using your phone on random passes left sitting next to someone
too engrossed in their copy of, say, Persuader.
That's Jack Reacher, opus number 7, for those of you who may be behind in your airport reading.
The problem was responsibly disclosed,
but what the industry will be able to do about it remains to be seen.
And please look up from your book when you're sitting around the departure gate.
Security firm Agari is seeing an uptick in payroll diversion attempts.
The criminals are using social engineering, specifically business email compromise,
against human resources departments. The classic BEC approach involves impersonating an executive
from a business's C-suite and sending an email from
their spoofed address directing that funds be transferred to some accounts the crooks control.
In this current trend, Agari researchers are seeing impersonations of a wide range of employees.
A typical come-on starts with a request for help in getting direct deposit changed to a new bank.
One of the specimens Agari shares reads, under the subject line,
Payroll Update,
Hi, name of HR rep.
I have recently changed banks and like to have my direct deposit change to my new bank.
I need your prompt assistance on this matter.
Leave aside the questionable syntax and the mix of the friendly,
hi, as in yo bro, and the stiff, your prompt assistance on this matter,
which might put HR on its guard.
Let the one among us who's never written a loosey-goosey email cast the first stone.
The email exchange goes on from there, and it is indeed an actual exchange,
not just a one-time helping of spam.
In the case Agari describes, HR asks for a voided check or something on the bank letterhead.
The crooks answer, sorry, they don't have any of that with them at the moment, and could HR help
by making the change for them if they send on the new deposit information? Of course, HR wants to
help and does so. The whole scam is lent plausibility by the sent from my iPhone tag in the crooks'
emails. Maybe if you were out and
about with your phone, you wouldn't have those documents from your bank. So the moral is this,
don't set up policies that make it easy to transact business by email.
It was just about a year ago that a false ballistic missile alert was issued
over the emergency alert system in Hawaii, triggering panic and disruption
throughout the state. The governor apologized, Congress investigated, and the emergency
management administrator for Hawaii resigned. Australia recently had their own issues with
their emergency alert system, and Carole Theriault has the story. When you live in a place like Australia,
you are pretty reliant on emergency warning systems, particularly if you live somewhere where there's wildfires or cyclones or any other kind of natural disaster.
You want a heads up.
Well, imagine how tens of thousands of people across Australia felt when they received a message from the early warning network warning that EWN has been hacked.
Your personal data is not safe.
Try fixing the security issues.
According to ABC News,
EWN, or the Emergency Warning Network,
said a hacker accessed its alerting system
and sent the message to part of its database.
The message was sent out via email, text message, and landline.
Now, EWN say they are incredibly embarrassed that they've put some of their customers through this.
They also say they will do everything they can to prevent future breaches. I reached out to Paul
Baccas, senior malware researcher at Proofpoint, to get his take on the story. Welcome to the Cyber Wire.
Hi, Carole.
Now, Paul, you spend your days knee-deep analyzing these kind of attacks.
What was your reaction to the initial story?
Why was the database for the early warning network connected to another email system?
If it's true that one of the users was hacked,
compromised login details, and they could log into the system from a remote,
that seems that the security wasn't up to par.
Do you think that the early warning network's reaction to this fake news alert was good? Did they handle this problem well?
I think the response is quite dismissive. The article says the actual data held in our system is just white pages type data. But this white pages type data will be true for a government early warning system, because unlike Facebook or LinkedIn, where you may lie because you don't want to give this data away, you wouldn't have thought that for a government entity. You will be telling the truth. Hackat needs to know your address, your zip code, and secondary password data is always made up of white pages data.
Now, what lessons do you think organizations can take away from this situation, this snafu?
In the old movies, you had two different people, and they had to be standing more than six feet apart, and they had to turn their keys simultaneously. While possibly you can't do the simultaneous part, you should have some multi-factor authentication, right? So having different layers of security allows you to maybe catch out a potential problem before it occurs.
Yes, that is the point in this case.
Right. So I guess our takeaway is don't wait to be hacked before you review your security posture.
This was Carole Theriault for The Cyber Wire.
A Facebook executive has been subjected to a swatting attack.
Naked Security calls it a prank, but it's an unusually repellent and
dangerous one. The caller pretended to be the executive, unnamed in reports, and told police
he'd shot his wife, tied up his children, and placed pipe bombs throughout their home.
Fortunately, no one was injured in the police response. We hope the police get the creep behind
the swatting soon. These things are by no means jokes.
Swatting can be and has been murderous.
Finally, if you're out there fabricating connections between Huawei and espionage,
the Chinese government would like you to please knock it off, reports Reuters.
The counsel will probably fall largely on deaf ears,
even after its supplementation by a statement from Huawei founder and CEO Ren Zhengfei.
Mr. Ren says the company hasn't installed backdoors in its products,
isn't required by Chinese law to do so,
and would refuse any request to assist in espionage.
Despite American animadversions about Huawei's potential threat to security,
Mr. Ren also says he likes the cut
of President Trump's jib, but that friendly avowal seems unlikely to affect his company's position
in the markets. Mr. Ren's daughter, Huawei CFO Meng Wanzhou, is still in Vancouver,
fighting extradition to the U.S. on a sanctions evasion beef.
In asking everybody to stop with the fabrications already,
Beijing is probably scowling in the general direction of Warsaw, the Wall Street Journal
reports. The Polish government is not only considering a ban on Huawei, but is also
urging its NATO allies to develop a coordinated response to Chinese spying.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when
it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000
companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intelligence team.
Rick, great to have you back.
You and I had talked previously about this notion of a cyber moonshot.
And it's an interesting concept, but not one without some controversy.
In fact, I've seen some pushback from some well-known folks around the security industry.
So I thought it'd be a good time to revisit this, maybe get some clarification and see how things have evolved and updated along the way.
Bring us up to date.
What's the latest on this cyber moonshot notion?
Yeah, thanks, Dave.
There's been some movement here, right? And the thing I wanted to highlight in this session is
that at the beginning of the month, President Trump's National Security Telecommunications
Advisory Committee, known as the NSTAC, published its draft report entitled NSTAC Report to the
President on a Cybersecurity Moonshot.
Dave, like you said, we've talked about this thing a couple of times, and I want to just
give it a little bit of an update.
First, some background on the NSTAC.
President Reagan created the NSTAC by executive order back in September of 1982.
It is composed of up to 30 presidentially appointed senior executives who represent
various elements of the telecommunications industry. And it advises the president on a wide range of thorny and complex
policy and technical issues related to national security and emergency preparedness. And in the
past, the NSTAC has made recommendations to the president on internet and communications resilience,
big data analytics, and the Internet of Things, just to name three.
This year's 56-page draft report framed the cybersecurity moonshot project.
And from the report, here is the massive transformative purpose statement that they were trying to solve.
Here it is.
Make the Internet safe and secure for the functioning of government and critical services for the American people by 2028.
Yeah, I think, though, a lot of people take issue with this analogy of comparing the cyber moonshot to the actual moonshot that President Kennedy started us on that took us to the moon back in the 60s.
How does this report address those issues?
I know, and it talked about it directly in the report, and I get that question a lot as I travel
around the world and talk about this. The main criticism stems from the fact, like you pointed
out, that any success criteria for a cybersecurity moonshot initiative will be less precise and
measurable because its achievement will be a societal transformation
rather than a singular visual triumph like the Apollo program with men walking on the moon.
That said, the reason the analogy is appropriate, the reason we like to use it,
is that it is aspirational.
And the target date is a bit into the future, not too far, just 10 years.
And we know we will have to innovate things that we don't
have today in order to meet whatever criteria we establish. So how does this differ from past
initiatives that were similar to this? I know there have been other administrations, other
presidents have had similar things in the past. How is this one different? Yeah, it's true that
past administrations have tried and some would say failed in the past to establish something like this.
But my argument to that is, just because we failed a couple of times, does that mean that we shouldn't try again?
As President Kennedy said, we choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.
Damn straight.
That's what we're trying to do, right?
So the thing we are trying to do this round is to put in place the proper incentives to get the work done. All right,
from the report, here's a quote. Previous cybersecurity initiatives have failed to
articulate the cybersecurity challenge in a way that incentivizes and ensures this level
of collective action. So one of the key components of the Cyber Moonshot program
is the use of the grand challenge philosophy. And I'm not sure you're familiar with this. It's
this idea that the project establishes a set of incentive prizes to accomplish key milestones.
And various organizations have used these things in the past, like the $25,000 Orteig Prize for
the first nonstop aircraft flight between New York and
Paris, and that was won by Charles Lindbergh in 1927. Another one is the $10 million XPRIZE for
the first commercial and reusable three-person spaceship won by Richard Branson in 2004.
And it turns out that the U.S. government has been running all kinds of grand challenges for incentive programs for a while now, from a $2.5 million Health and Human Services prize to develop a new kidney dialysis redesign and a $100,000 IARPA prize to accurately forecast the future in Africa and the Middle East based on public news feeds.
The NSTAC report says that using this grand challenge tool
is a big differentiator. All right. So what are the recommendations from NSTAC? What do they want
to have happen here? Yeah. So the report discusses two buckets of recommendations, governance and
strategic pillars to focus on. And so for governments, they are recommending the following.
Either the president or the vice president should be the strategic champion and announce the cyber moonshot at the State of the Union or something equivalent
with that kind of gravitas. They want to include all areas, government, commercial, and academia,
and they want to establish the moonshot council, led by the government but including reps from all
three, and the president or the VP should chair the council.
And then after due consideration by the council, they should publicly articulate a strategic framework based on six pillars of energy. So first one is technology. Second one is human
behavior. Third is education. Fourth is the ecosystem that supports it all. Five is privacy. And the last one is policy discussions.
So where do we stand now? How do we get started? What's the next step?
Well, we wait for the president to make a decision on the report to see what he wants to do with it.
But in the meantime, a small working group of about 80 people will be meeting up in Annapolis in January to discuss this very thing.
The goal is to present all the ideas coming out of that workshop to the Joint Service Academy Cybersecurity Summit in April.
The JSACS, as we like to call it, will be the first gathering of the government people,
the academic people, and the commercial people talking about how to move the Cyber Moonshot
program forward.
All right.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.