CyberWire Daily - When catphishing, it pays to know what bait they'll take. Permission hogs are often misers. Cyber comes to the NTC. Natural intelligence screening for artificial intelligence. The Thermanator.

Episode Date: July 6, 2018

In today's podcast we hear about catphishing in Berlin and Tel Aviv: whether you're offering payment for a white paper or up-to-date futbol scores, it pays to know the right bait. Android apps may... be permission hogs, but it's surprising how often the hogs hoard like misers, never really using them. The US Army pushes cyber into the brigades. How Facebook checks facts. The Thermanator knows which keys you've typed from the heat your hot hand leaves behind. Emily Wilson from Terbium Labs on their recently released white paper on fraud as a supply chain. Guest is Brian Wells from Merlin International discussing how high-performing health care organizations are addressing cyber threats.   Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Catphishing in Berlin and Tel Aviv. Whether you're offering payment for a white paper or up-to-date football scores, it pays to know the right bait. Android apps may be permission hogs, but it's surprising how often the hogs hoard like misers,
Starting point is 00:02:11 never really using them. The U.S. Army pushes cyber into the brigades, how Facebook checks facts, and the Thermanator knows which keys you've typed from the heat your hot hand leaves behind. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 6, 2018. Catphishing remains in the news. Not only have Israeli soldiers been prospected by fictitious dating profiles, apparently prepared by Hamas, but members of Germany's Bundestag have received the attentions of Chinese intelligence services. In the case of the Bundestag members, the profiles, while bogus, seemed unusually open in their operation, making little or no attempt to conceal their Chinese nationality.
Starting point is 00:03:02 The Chinese affiliation would have come to light sooner or later, and it was evidently better and more disarming to put it out there from the start. German lawmakers were offered payment for various kinds of inside information, and in some cases for writing papers providing their analysis of certain issues. They were also invited to visit China,
Starting point is 00:03:24 where presumably they would be further entangled. Some officials did visit China, where unsurprisingly their mobile devices were compromised, as tends to happen on such junkets. The recruitment technique is fresh but ultimately classic. Accustom the person being recruited to doing small and more or less innocent favors for you, then escalate to the point where the recruit has gone too far. At that point, you have him or her. Perhaps it starts at a party where you discover a common interest in stamp collecting or birdwatching. You trade stamps.
Starting point is 00:03:58 You help that nice person get a good spot to watch, say, the storks migrate. A bit later, they ask for a copy of your office phone directory. They've lost touch with some old colleague who works in an adjacent department, and they'd love to get back in contact to renew acquaintances. That phone book's not classified, right? No harm there. It's that sort of thing. And online, it happens over social media.
Starting point is 00:04:21 A Chinese ministerial delegation is scheduled to arrive in Berlin for bilateral talks Monday. The spying incident is expected to figure in the agenda. Have fun, BfV! Give the Bundestag a refresher on social engineering. Returning to the Israeli incidents for a moment, the soldiers were not only approached for dates, but with probably greater success were offered apps that kept them up to date on World
Starting point is 00:04:52 Cup results. An Israeli officer involved in the investigation said, according to a report in the Arab Weekly, that at least one of the football apps was pretty good, a nice interface and slick coverage of the games. As Golden Cup's self-description had it, the app provided HD live streaming of games, summaries, and live updates. The Israeli Defense Forces attribute the campaign to Hamas, generally regarded as aligned with Iran to the extent that it's a virtual proxy for Tehran. It's worth noting that the data stealing went on beneath an app that performed pretty much as advertised.
Starting point is 00:05:29 As Check Point said, quoted in The Register, quote, this attack involved the malware bypassing Google Play's protections and serves as a good example of how attackers hide within legitimate apps which relate to major popular events and take advantage of them to attract potential victims. So what are all these apps up to anyway? Here's something that can be either a good news or a bad news story, depending upon how you choose to spin it. Researchers at Northwestern University and the
Starting point is 00:05:59 University of California Santa Barbara investigated more than 17,000 Android apps from Google Play and three major third-party app stores. They concluded that while apps tend to be permission hogs, the permissions they hog usually go unused. Only 21 of the apps inspected were extracting and reporting data in a questionable fashion. So the good news is that your Android phone probably isn't spying on you and reporting back to Shanghai, Pyongyang, or Moscow, or for that matter to Laurel, Cheltenham, Ottawa, Canberra, or Wellington. The bad news seems to be that if you're careless with your permissions, your phone could do all that if it really wanted to. The U.S. Army continues to integrate cyber
Starting point is 00:06:43 operations into unit training at brigade level and below. It's established a cyber range for rotational units to use as they come through the National Training Center at Fort Irwin for brigade and task force training. Cyber operations have long been a national and not an organizational responsibility. There have been plans to change this for some time, and if cyber operations have come to Fort Irwin, our NTC desk assures us that's the clearest possible sign that this change is now a reality within the Army. Facebook, like other platforms, continues to struggle with content screening. An interview in Wired offers some perhaps surprising perspective on how their process works.
Starting point is 00:07:26 Most accounts of it have focused on the role played by artificial intelligence, with the dopey, biased, or otherwise tendentious results that periodically surface being attributed to the algorithms. But Facebook's relationship with content is more complicated than that. Most descriptions have imagined the AI screening and then the humans intervening as necessary. That seems not to be correct. In its efforts against the propagation of fake news of the kind spread about by the troll farmers of Russia's Internet Research Agency, the AI just looks for trending stories, with human fact-checkers,
Starting point is 00:08:03 and Facebook employs thousands of them, doing what their job title implies, checking facts. Then the humans turn the content they've found to be bogus, or if you're in a suspicious mood, objectionable on whatever mysterious grounds the House of Zuckerberg may have established. Fact-check that, Juggalos. They turn that content over, we repeat, to the AI, which then romps out to look for its appearance. And no, your clown makeup won't help.
Starting point is 00:08:32 Finally, another team of researchers, those at the University of California, Irvine, reports on the Thermanator proof-of-concept hack. Someone with a decent mid-range thermal camera who gets close enough to an unattended keyboard or keypad within 30 seconds of use can see what keys were pressed. Hunt-and-peck typists, as opposed to those who paid enough attention in school to use all 10 fingers, left particularly clear thermal signatures. It's tough to imagine how this might be useful in the
Starting point is 00:09:03 wild. You'd think someone hanging around the office with a decent mid-range thermal camera would be conspicuous and easily recognized, even if they were wearing Juggalo or Juggalette makeup. On the other hand, setting up an inconspicuous camera around a terminal where people enter PINs, an ATM in a high-traffic area maybe, might work, although how you'd get the rest of the payment card data isn't entirely clear. Perhaps the proof of concept is useful in drawing attention to the possibilities brought by the increasing commodification of sensors that were once relatively expensive and exotic, or another reminder, as if more were necessary, of the
Starting point is 00:09:41 shortcomings of passwords and PINs generally. But here's one lesson that shouldn't be overlooked. Your typing class could have made you a more secure user of computers. So stay in school, kids. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:20 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:11:11 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:48 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You all have a white paper that is recently released. And you're looking at things like fraud and how it relates to supply chain and things like that.
Starting point is 00:12:37 Can you give us an overview? What are you getting at here? Sure, yeah. So very excited to have this research coming out. I'm looking forward to having conversations about it. I think it's a conversation starter. We're looking at a couple of things here. We're thinking about fraud as a supply chain. And so we're looking at really two pieces. One, sort of the goods and services aspect. And then also, what does this mean if this is a supply chain? Does this modify the way that we're thinking about fraud? So on the one
Starting point is 00:13:03 hand, the sort of goods and services side, we talk about a lot, and certainly other people are discussing, you know, the dark web trade in information isn't kind of a scramble or a one-off. It's a really well-structured economy. There are vendors and there are buyers. It's subject to supply and demand. Goods command certain prices.
Starting point is 00:13:21 And so we're able to evaluate it as an economy. And one of the things that we're looking at is, how is data valued? We all have a concept in the real world. We think about our risk calculations or our data classifications of what information is most important. And we think of information as being valued in the same way that we measure import. But it's different on the dark web. The information that is most prevalent or most valuable may not directly tie back to your concepts of data sensitivity or data classification. And if we're going to be thinking about the economy and thinking about how it impacts us, we need to understand how data is actually valued. So the things that might be valuable to me,
Starting point is 00:14:01 or I may perceive as being valuable, that might not align to what the folks on the dark web consider to be valuable. Right, because when these people on the dark web are thinking about data, they're thinking about the potential for monetization. So something that you might have that's very sensitive may not be easy to monetize, or may have such a small audience, like intellectual property, where it's going to be kind of one-offs, right? It's going to be very targeted, people coming after specific things as opposed to the information that's being traded constantly. The other piece of this that we're thinking about is if this is a supply chain, how do we think
Starting point is 00:14:35 about disrupting it? And the analogy I'm trying out here, and I'll try out with you guys who are listening, is we think about agriculture. We have an understanding of what a product recall would look like, right? If something goes wrong, somebody gets sick. Oh, no, I've started eating salads and now Romaine's going to kill me. You know, we walk this process back and we identify a point and we, you know, we issue a big recall. In fraud, we're having kind of the same approach, right? Payment card fraud, something goes wrong. We say, okay, we'll figure it out. We scramble. It's a very reactionary approach because right now that's our only way of understanding when fraud has occurred is as it's occurring after it's occurred.
Starting point is 00:15:14 But if this is a supply chain, how can we think about getting ahead of it? How can we think about stepping back? What if we could get to it before something happened? What if we could get to it as this information is becoming available? And so that's a hard question. It's something we're working on. So I'm excited to discuss with people. All right. Well, check out the white paper over at Terbium Labs.
Starting point is 00:15:33 As always, Emily Wilson, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Brian Wells. He's the Chief Technology Officer at Merlin International.
Starting point is 00:16:39 Brian previously served as the Associate Vice President of Health Technology and Academic Computing for the University of Pennsylvania Health System, Perelman School of Medicine. He also held a leadership position at Children's Hospital of Philadelphia. Our conversation focused on the lessons that can be learned from high-performance healthcare organizations, specifically how they approach cybersecurity. They are under attack. They are a very target-rich environment. They have a lot of legacy technology that's been around for years that isn't secure enough, perhaps. And they also are attractive in that they're running an organization that provides life and death services to patients. And they can't afford to have any systems go down, be they electronic medical record systems or medical devices that have to work all the time.
Starting point is 00:17:23 Really can't go down and force everyone to work with a paper system that they're not used to using any longer. And so there's a lot of power that a hacker might have to extort or to use ransomware to force a health system to pay them money to get their systems back up and running again. Yeah, and particularly when it comes to ransomware, I think the common advice is to not pay the ransom. But I can certainly see in a healthcare situation, when lives are on the line, that it may be something that organizations consider. They definitely consider it. I think it depends on the maturity of the organization. So if you're a large organization with a robust IT team that's following best practices around security and disaster recovery, you may be able to recover quickly enough and not pay the ransom. But if
Starting point is 00:18:10 you're a smaller health system or hospital that doesn't have the depth of team and technologies, you may have to just pay. Now, you have quite a bit of experience in the healthcare sector. What sort of advice do you have for organizations to help protect themselves? There's a lot of basics they have to start with. Number one would be educating their staff and their employees about how to be careful with the emails and other types of things that they maybe come in contact with on their computers, to not click on links they don't recognize or to open up files that were given to them by someone they don't trust. And so a big part of it is just educating the staff as to how to be very careful and secure in their daily dealings with data and working with information.
Starting point is 00:18:52 And then secondly, they have to secure their network. So a robust firewall system that protects their network from external attack. They need to have constant monitoring tools that are checking the endpoints on their network that are connected to make sure that they're patched and current and running the proper antivirus technologies and that sort of thing. And then they just have to really just hire a chief information security officer and build a security team that is constantly monitoring the organization, checking log files and looking at data to make sure that they have not been attacked and to prevent future attacks.
Starting point is 00:19:25 It's a difficult, never-ending job. It's kind of like weeding your lawn. You're never done. Killing the weeds on your sidewalk. They always come back, and you just never give up. You have to have the collection of people and technologies to really be vigilant about protecting everything. And what about incident response and sort of practicing for the inevitability of these sorts of events? I can imagine in a healthcare situation, it's hard to carve out the time for
Starting point is 00:19:53 those sorts of exercises. It's very hard to carve it out. You definitely have to have one. If you can't carve out time to stage a fake situation, you definitely should do tabletop exercises that bring the appropriate business, clinical, and technology folks to the table and walk through what would we do if we had a ransomware attack and we couldn't access our electronic medical records for 24 hours. What would we do or even longer potentially? So you do have to have a plan. You have to accept the fact that it's not a question of if, it's a question of when, and really prepare and practice to the best of your ability. You can't really stage a real attack because it's going to upset patient care, and that's the primary job.
Starting point is 00:20:32 And so you really just have to model it, maybe set up a test environment where you can simulate it in a non-production mode to see how everyone responds. But you really just have to, at a minimum, run these tabletop exercises. Now, what about the notion of reducing friction? I'm thinking particularly for the doctors and nurses, the people who are actually, you know, doing the healthcare, applying the medicine. I've heard that, you know, if something gets in the way of them being able to provide care to their patients, well, that's not going to be their priority. Some sort of security procedure that slows them down in the operating room or in the patient care, they're not going to stand for that.
Starting point is 00:21:16 How do you strike that balance between meeting their needs as health care providers but also protecting the organization? You have to involve them in the process. The more mature organizations have a security governance committee that has security people as well as IT people, as well as clinicians, nurses, doctors, and business folks. And they sit around the table and they weigh the pros and cons of forcing an automatic screensaver timeout of five or 10 minutes versus 20 minutes or 30 minutes. Those kinds of organizational discussions have to happen with all the stakeholders in the room, and they have to be educated as to the trade-offs of what would happen if we weren't secure.
Starting point is 00:21:54 Can you tolerate switching back to using a paper system for 48 hours if we allow people to not be secure? And so there is that constant conversation. IT can't just inflict these things on the organization. They have to understand the pros and cons. I think one thing that is important is the role that third parties play. So many organizations use third-party software vendors for their applications, as well as they bring in consultants and other organizations. And I think it's extremely important to make sure that all of your third-party partners, be they vendors of technology or vendors of people, nurses or IT people or other consultants, have a shared accountability so that they're also involved in ensuring that
Starting point is 00:22:36 their software, their technology, their people are following the rules and behaving securely as well. That's Brian Wells. He's Chief Technology Officer at Merlin International. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. Thank you. co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Starting point is 00:23:33 Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. But also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:24:24 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.