CyberWire Daily - WhatsApp sues NSO Group over Pegasus distribution. Georgia continues its recovery, as does Johannesburg. Facebook stops more inauthentic action. A Bed, Bath, and Beyond breach.
Episode Date: October 30, 2019
WhatsApp sues NSO Group for spreading Pegasus intercept software through WhatsApp's service. Georgia continues its recovery from the large website defacement campaign it suffered at the beginning of the week. Facebook ejects more inauthenticity. Johannesburg hangs tough on cyber extortion. Money laundering finds its way into online games. Norsk Hydro's insurance claim. An update on pentesting in Iowa. And Bed, Bath, and Beyond sustains a data breach. Awais Rashid from Bristol University on securing large scale infrastructure. Guest is Tanya Janca from Security Sidekick on finding mentors and starting her own company.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
WhatsApp sues NSO Group for spreading Pegasus Intercept software through WhatsApp's service.
Georgia continues its recovery from the large website defacement campaign it suffered at the beginning of the week.
Facebook ejects more inauthenticity.
Johannesburg hangs tough on cyber extortion.
Money laundering finds its way into online games.
Norsk Hydro's insurance claim, an update on pen testing in Iowa,
and Bed, Bath & Beyond sustains a data breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 30, 2019.
Facebook's subsidiary WhatsApp has filed suit against NSO Group in the U.S. District Court for the Northern District of California.
The suit alleges that NSO Group exploited WhatsApp servers to distribute malware designed to enable surveillance of specific WhatsApp users.
The surveillance tool said to have been used is NSO's Pegasus.
WhatsApp says it detected the incident in May and that it enlisted the aid of the University of Toronto's Citizen Lab in the subsequent investigation.
WhatsApp called the attack, which used WhatsApp's video calling system to get at its victims, sophisticated.
The users who were targeted didn't have to answer calls in order to be infected with spyware.
WhatsApp says it's put additional protections in place to prevent a recurrence.
The lawsuit alleges that NSO Group's activities violated U.S. federal and California state laws, as well as WhatsApp's terms of service.
It seeks an injunction against NSO Group's use of any WhatsApp services in addition to other awards.
WhatsApp calls NSO Group a spyware firm, which is fair enough. Another way of characterizing them is that they produce lawful intercept products. That's how NSO Group would describe itself.
The company strongly disputes WhatsApp's allegations. They say they sell their product only to licensed government intelligence and law enforcement agencies for legitimate use against criminals, especially pedophiles, and terrorists.
Any other use of their products, they say, constitutes contractually prohibited misuse, and they add, we take action if we detect misuse.
Citizen Lab has been a burr under NSO's saddle for some time, tracking apparent misuse by various governments in the Middle East and Latin America. Bahrain, the United Arab Emirates, Saudi Arabia, and Mexico have been singled out as the abusers. The Pegasus tool has often been mentioned in dispatches.
Amnesty International announced, in response to this latest news, that the best way to put a stop to abuse of Pegasus is to revoke NSO Group's export license, and it's supporting a suit in Tel Aviv District Court that would require Israel's Ministry of Defense to do just that.
The defacement attack against websites in Georgia may have affected as many as 15,000 sites, Forbes reports. One of the targets was the Pro-Service web hosting company, which has now, it says, restored normal operations. The company cooperated with the Ministry of Internal Affairs during the recovery.
There is still no firm attribution. Suspicion of Russian involvement is based on a priori probability. And note that not everything that looks like Fancy Bear is in fact Fancy Bear.
Remember that some criminals have recently found it in their interest to pose as the GRU, the better to spook victims into thinking that resistance is futile.
There does appear to be some confirmed Russian activity today, however.
Facebook this morning announced that it's just taken down 35 accounts, 53 pages, 7 groups, and 5 Instagram accounts.
They all originated in Russia,
and the content was generally aligned with Russian regional objectives,
intended to have election influence as its objective.
Johannesburg continues to recover from the Shadow Kill Hackers incident.
The South African city has held firm in its refusal to pay the hackers.
You've been buying loot boxes and stuff like that, haven't you?
Go ahead, it's just us here. You can admit it and we won't judge.
Some of us, particularly on our gaming desk, well, let's just say some of us have been there.
Anywho, there's more involved in this than just one-upping your buddies.
In-game purchases are being used to launder money,
and the popular online game Counter-Strike is trying to tamp this down
by preventing keys bought in-game from leaving the purchasing account,
thus making them less useful to those who would use them to launder illicit cash.
So don't trade this stuff.
Be content with sharing videos of you doing the Fortnite Charleston.
Many of us have at one time or another throughout our professional careers thought about striking out on our own and starting a company.
Some of us have even done it.
My guest today is Tanya Janca, and along with her business partner Aaron Hnatiw, she has co-founded Security Sidekick, a company looking to tackle real-time web application inventory and vulnerability discovery. Part of her journey was leaving a comfortable job at Microsoft.
Both of us were pen testers, and then we both turned into application security people, because pen testing is one part of the application security umbrella, if that makes sense, and it's the most glamorous, fancy-looking part that is in the movies.
However, there's a whole bunch of different areas of AppSec, and running an AppSec program, you realize, you know, I could treat the entire disease instead of just a symptom, just like, you know, delivering a prescription near the end of the problem.
And so we both started talking about, you know, what could we do to get in there earlier and solve the problem on a bigger scale? Like, let's make big, bold moves where you attack the problem as a whole, as opposed to, you know, as a pen tester, I would come in and I'd be like, pew pew pew pew, and just find a few problems, the end, but they still would be releasing lots of other apps that were really insecure.
And so we came up with an idea of something we could make that would start at the beginning of the problem to try to solve it on a bigger level.
And so he was like, you know, here I am, traveling around the world with Microsoft, basically. They kept telling me at Microsoft, you should scale yourself. Maybe you could travel less and you could stream more, or you could travel less and you could write more.
And then I thought, well, I could scale the best if I made an AppSec tool. And they're like, wait, no, no, no, no, that's not what we meant. Don't leave. But really, they were very supportive.
Yeah, so we decided we would take the scary leap together and start our own company, which is so exciting.
Well, I can hear the excitement in your voice.
I have to say, I mean, take us through that decision-making process.
You've got a good thing going there at Microsoft.
You have a certain amount of security.
You have a certain amount of freedom.
You built a reputation for yourself in the industry.
I think a lot of people would be intimidated to take this leap and go out on their own.
Honestly, I was really terrified and scared.
And when Aaron first asked me, I was like, oh, maybe in like five to six years.
So I run this thing called Mentoring Monday on Twitter, where I try to match people with professional mentors. So I used Mentoring Monday to find a mentor.
And so first I found a mentor, and she's a CEO of a company and she's amazing, but she was like, you should just come work for me instead.
And so then I was like, okay, no, that's not the mentoring I was looking for. We demoted each other from mentor and mentee to just friends.
So then I found another professional mentor, and she has founded two really big companies in InfoSec that are Canadian and I won't name so she can keep her privacy, but she's so amazing.
And so we met, and in the very first meeting, she's like, do you want to know what the biggest thing is that I regret about the two companies I founded?
And I was curious, and what she said was that she didn't jump sooner.
She's like, jump, jump right now. Stop waiting. Are you really excited?
I said, yes. She's like, do you have any sort of crazy crippling debts or, you know, 100 babies you need to feed, or something like that? Like, can you afford to just not have paychecks for a few months and just go do it?
Like, yeah, but it's scary. She's like, Tanya, you're so qualified. Do you understand, if you announced you're looking for a job, the internet would melt? You would definitely find a job, you would have so many job offers, you will never be unemployed if you don't want to be.
So just go do it.
Live your life.
You'll never regret the chance you took, and you will regret it if you don't take this awesome opportunity to go work with someone you think is awesome and solve a problem that you really, really care about.
And so she's amazing.
And basically I called Aaron and I was like, yes!
So yeah, it turns out finding a professional mentor is pretty helpful.
That's Tanya Janca from Security Sidekick. We'll have more of my conversation with her tomorrow, when we'll discuss web application inventory and vulnerability discovery.
Norsk Hydro's insurance has paid about 6% of the cost the company incurred as a result of the LockerGoga ransomware attack it sustained in March.
The company's recent financial report suggests that additional claims might be filed as necessary.
There are developments in the odd case of the penetration testers arrested in Iowa for burglary.
Coalfire continues, with some success, to fight the criminal charges two pen testers face for work they performed at an Iowa courthouse.
The company's CEO, Tom McAndrew, called the situation completely ridiculous, and he called for justice and common sense.
What happened, in essence, was this.
The Iowa State Judicial Branch hired Coalfire to conduct penetration testing that included a physical pen test.
The Dallas County Sheriff didn't get the word, apparently, and arrested the two pen testers at the Dallas County Courthouse.
The two were initially charged with felony burglary in the third degree and possession of burglary tools.
Yesterday, those charges were reduced to criminal trespass.
Coalfire says it intends to press for full dismissal of all charges, especially since the Iowa Supreme Court Chief Justice acknowledged that, well, mistakes were made.
We should mention that Coalfire is a sponsor of the CyberWire podcast.
And finally, Bed Bath & Beyond, the well-known U.S. houseware retailer, disclosed today in an 8-K filing with the SEC.
The company said that a third party acquired email and password information from a source outside of the company's systems, which was used to access less than 1% of the company's online customer accounts.
No online customers' pay cards were compromised, Bed Bath & Beyond said.
The retailer also said it had notified affected customers yesterday, as required by law.
And, as one would expect, the company has retained a security forensics firm and has begun taking remedial action.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant
to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Professor Awais Rashid.
He's a professor of cybersecurity at University of Bristol.
Awais, welcome back.
Today we wanted to touch on some of the challenges when it comes to securing large-scale infrastructures.
What can you share with us today?
Our critical infrastructures on which our society relies, such as water, power, transportation, digital health care, energy generation and distribution, are becoming increasingly connected. And we are, through, for example, industrial Internet of Things devices and so on, connecting these systems also to enterprise systems. We are increasing this connectivity all the time. And that has great business benefits, but it also means that the size and interconnectedness of these infrastructures make security a very challenging problem.
So I'll give you one example. For instance, as we roll out many smart devices, including, say, for example, smart refrigeration across wide areas, then the scale of attacks can be very large, and an attacker can potentially compromise smart refrigeration across a whole area and hence overload the power grid.
And you can imagine that the impact of attacks is considerably larger as well: disruption to a large population and massive business losses.
Yeah, I've seen stories come by recently about potential problems with, for example,
hot water heaters, you know, devices that require a large amount of energy.
And if you could spin up some sort of botnet to trigger them simultaneously, well, that
could cause some trouble in the grid.
Absolutely.
And I think this is really where the challenge comes, because we cannot, there are good business reasons to not isolate these systems from the rest of the environment in the first instance, but we need to have more systematic ways of having security assurances about their behavior.
And I will go even further and say we need to have more resilience assurances about their behavior. So in an ideal world, in any world, you do not want to have to take your power grid offline because there is an attack going on. What you want to do is you want the power grid to be able to respond to it gracefully and maintain perhaps its operation at somewhat reduced capacity and then recover very, very gracefully.
And I think this is really where I would say the frontier lies at the moment for cybersecurity, because while we create these massively connected infrastructures from which we derive great value and they end up in our society, we also have to think about the fact that this is not a case of, you know, these infrastructures being compromised and then being unavailable. They have to be able to be resilient in an increasingly adversarial world where secure and insecure devices and systems interact.
Yeah, and it seems to me like there's an economic component as well. I mean, I've talked to folks who describe remote systems that are away from cities or towns, and so they're not monitored by human personnel, and also not 24 hours a day.
But equally, there can also be the challenge that if devices or systems in these edge sites, or peripheral sites, as they're also known, can be compromised, then it can be quite a cost to the organization, because you do then have to go on site.
And if you think about it, an attacker can just simply make themselves a nuisance by just constantly bringing a particular peripheral site down, taking it out of operation. On the whole system, it does require engineers to consistently go out to that site, hence incurring significant cost for the organization in dealing with the problem.
Yeah, it's sort of a death by a thousand cuts, I suppose.
Yes, and we do see that. We already do see that, that, you know, the attack does not necessarily
need to lead to a massive data breach or even a massive disruption of service.
It can just be what you would call a nuisance attack.
But that does not mean that it does not create a huge cost to the organization that operates
the system or the infrastructure and also those who are charged with maintaining and
defending the infrastructure.
And ultimately, people who work on game theoretic notions of security, they would say,
you know, this is ultimately a game theoretic problem as to how the attacker wants to, you know,
increase the cost to the defenders. And the defenders, of course, want to minimize their
costs, but increase the cost to the attackers. And here I go back to this point that we need to have
more resilient systems who can actually withstand these kind of issues and gracefully recover
when they are under attack
without having to constantly rely on people having to go and fix these kind of problems.
Yeah. Professor Awais Rashid, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Thanks for listening. We'll see you back here tomorrow.
AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.