Get comprehensive information about securing the DIB supply chain
According to a 2018 Ponemon report, 61% of surveyed organizations have experienced a data breach caused by a third-party vendor. Cyber criminals are targeting Defense Industrial Base (DIB) supply chain vendors in order to gain access to government networks. The latest case study from Attila Security will help identify solutions to keep your organization’s data secure while avoiding disruptions to the DIB supply chain. Download the Vulnerabilities Within The DIB Supply Chain Case Study today.
The Week that Was.
February 2, 2019.
By the CyberWire staff
Apple punishes Facebook and Google for rule violations.
Both Google and Facebook have acknowledged that they paid users to allow extensive access to their phones. TechCrunch reported Tuesday that Facebook paid people aged 13 to 35 up to $20 a month if they installed Facebook's Research VPN app, which allowed the company to observe all activity that took place on the phone. On iOS, the app was installed from a website, rather than through the App Store. Facebook was able to distribute the app in this fashion through Apple's Enterprise Developer program, which grants certain companies special privileges meant to be used only for internal corporate apps.
By distributing this app to consumers, Facebook was committing "a clear breach of their agreement with Apple," an Apple spokesperson said. In response, Apple revoked Facebook's membership in the Enterprise Developer program. This disabled all Facebook's internal testing and productivity apps, resulting in company-wide disruption to Facebook's productivity and workflow (TechCrunch).
TechCrunch then reported on Wednesday that Google has been operating an app since 2012 called "Screenwise Meter," which appears similar to Facebook's Research VPN. This app also used Apple's Enterprise Developer program to bypass the App Store, offering gift cards to users in exchange for allowing Google to monitor their phones. Google quickly disabled the app and apologized, but Apple revoked its Enterprise certificates nonetheless (The Verge).
Apple restored both companies' certificates Thursday evening, but the brief punishment made clear the amount of influence that Apple holds over other tech giants if they step out of line (CNBC). Business Insider reports that Facebook will now have to rebuild dozens of internal apps, a process that could take weeks.
Companies Need Skilled Cybersecurity Talent Now - Join Cybrary
Everyone knows the cybersecurity field is in desperate need of talent, and Cybrary has built the world’s fastest growing free training platform for cyber and I.T. career development. Cybrary offers courses taught by industry leading experts, unlimited virtual labs, practice exams, live mentors, and job ready curriculums to support you in reaching your career potential. Cybrary’s talent network is filled with companies and recruiters actively seeking cyber professionals to fill roles open now. Join Cybrary Insider Pro for 30% OFF using discount code CYBERWIRE30.
Doxing oligarchs and patriarchs.
A transparency advocacy group last Friday posted 175 GB of hacked and leaked Russian documents online. The group, Distributed Denial of Secrets, tweeted that the collection contains "hundreds of thousands of messages and files from Russian politicians, journalists, oligarchs, religious figures, and nationalists/terrorists in Ukraine." While most of the data consists of material that was previously hacked and posted online by other groups, prior to now it had been strewn about the Internet in hard-to-find places (Foreign Policy). The New York Times notes that, while no new bombshells were immediately apparent, the collection is so extensive that it will take time for people to sift through it thoroughly.
It usually takes a year to get FedRAMP assessment-ready. But this can be cut in half--just six months to confident readiness. Learn how cybersecurity leader Coalfire helped Innovest prepare for its FedRAMP assessment through Security Automation and Orchestration (SAO). Innovest's CSO, Erick Lindley, said, “Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves.” Find out how.
Spies or private eyes approach Citizens Lab researchers.
Internet watchdog group Citizen Lab reports that two of its researchers were targeted by undercover operatives who were very interested in the Lab's work on some commercial spyware, specifically its research on tools produced by Israeli-based software vendor NSO Group. Since 2016, the University of Toronto-based Lab has published several reports on the use (and misuse) of NSO Group's Pegasus spyware by the company's customers around the world.
The first researcher, Bahr Abdul Razzak, was contacted in early December by a man who claimed to work for a financial technology company called "FlameTech." Abdul Razzak met with the man to discuss a potential job opportunity, but the man instead asked him direct questions about Citizen Lab's investigations and inquired about Abdul Razzak's views on Israel. After the meeting he reported the encounter, and the Lab worked with the Associated Press to confirm that the man's company and persona were complete fabrications.
On January 9th, a second researcher, John Scott-Railton, received an email from someone claiming to be a director at a Paris-based agricultural technology firm called "CPW-Consulting." Further investigation showed that this company was phony as well, so Scott-Railton worked with Associated Press journalists to set up and record a meeting with the man. When the meeting took place, the man asked similar questions about NSO Group and Israel, until he was confronted by AP journalists who grilled him about his company. He refused to answer any questions, and left after paying the bill.
Both Citizen Lab and the Associated Press stress that they have no evidence that NSO Group itself was involved in these incidents, and the company denies any involvement. The two researchers do believe, however, that "they were being steered toward making controversial comments that could be used to blacken Citizen Lab’s reputation" (Associated Press).
The New York Times and BoingBoing offered an identification of the gentleman who called himself "Michel Lambert" during the sit-down with Citizen Lab. He's said to be Aharon Almog-Assoulin, and thought to be affiliated with private security firm Black Cube.
Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
Iranian threat group goes after PII.
Researchers at FireEye published a report on APT39, a threat group believed to be linked to Iran, showing that the group is targeting personally identifiable information. This separates the group from other Iranian state-sponsored threat actors, which typically focus their efforts on disruptive attacks, influence operations, or stealing trade secrets. The researchers say that personal information will likely be used to "support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns." The group is targeting telecommunication firms and other tech companies to gather this data (The Hill).
Vendors, suppliers, and independent subsidiaries are gaining more access to your network and sensitive data because today’s business models include outsourcing of non-mission critical programs and tasks, which brings a new world of risk to your organization. In this webinar, LookingGlass Product Manager, Brandon Dobrec and Security Ledger Editor-in-Chief, Paul Roberts will discuss what you need to assess vendors in the modern cyber environment, providing you with the right map to assess your external risk.
DarkMatter and Emirati surveillance operations.
Reuters reports on a UAE surveillance program that hacked targets' iPhones using a then-cutting-edge tool known as "Karma." Some of the information collected indicates that the surveillance program was targeting journalists, political rivals, and human rights activists, as well as American citizens (Reuters). The program, called "Project Raven," employed a number of American civilian contractors, former US Intelligence Community personnel. The program grew more aggressive after work formerly done by US security firm CyberPoint was taken over by Emirati-owned Dark Matter in 2016. DarkMatter's founder told the AP last year that, despite its close ties with the Emirati government, it doesn't hack, and the Emirati foreign ministry said this week that it didn't spy on citizens of friendly countries (Reuters).
This Super Bowl thing you may have heard of? It's on for Sunday. The contest has been quite without interest to us since the late afternoon of January 6th, at which point we realized that the hype was unseemly, and that our time would be better spent volunteering for good causes, spending more time with our families, and so forth. But should you still be enmeshed in the NFL championship, have a care: the hackers are up, busy, and ready to take advantage of you while your attention is on the Rams and Patriots (New York Post). PV=nRT, Mr. Brady, or so we've seen.
Researchers at Wordfence are telling WordPress site owners to delete a plugin called "Total Donations" from their sites. The researchers discovered a series of zero-day vulnerabilities in the plugin that are being actively exploited by an attacker to gain full administrative access to sites that use the plugin. The plugin appears to have been abandoned by its developers, so no patches are expected (Threatpost).
Apple is working on a patch for a recently discovered flaw that allows anyone to receive audio from an iPhone by FaceTiming the phone and adding their own number to a group call. FaceTime will then allow the caller to hear the targeted user, while the victim's screen still shows an incoming call. Even worse, if the victim presses their phone's power button to silence the call, the caller will receive video from the victim's camera. Apple has disabled Group FaceTime until the patch is issued (SecurityWeek).
Three vulnerabilities that allowed for cross-site scripting attacks in the open-source medical data tool LabKey Server have been patched (Threatpost).
Crime and punishment.
US Federal prosecutors on Monday unsealed a 13-count indictment against Huawei, its CFO Meng Wanzhou, and two of the company's subsidiaries (Huawei USA and Skycom), charging the defendants with financial fraud. Specifically, it alleges that Huawei's relationship with its unofficial Iranian subsidiary Skycom violated international sanctions on Iran. Huawei and Skycom are both charged with "bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, conspiracy to defraud the United States, conspiracy to violate and substantive violations of the International Emergency Economic Powers Act (IEEPA), and conspiracy to commit money laundering." Huawei and Huawei USA was charged with "conspiracy to obstruct justice related to the Grand Jury investigation in the Eastern District of New York," while Meng received charges of "bank fraud, wire fraud, and conspiracy to commit bank and wire fraud."
Courts and torts.
New York's Attorney General has launched an investigation into Apple's allegedly slow response to addressing a serious vulnerability in Group FaceTime calls, which seems a bit starchy. The state has also opened a 1-800 hotline irate consumers can call should they wish to take their whacks at Cupertino. Apple reportedly learned of the flaw a bit more than a week before it hit headlines, whereupon the company disabled the feature until a patch is released. A Texas attorney also filed a lawsuit against Apple, claiming that a private deposition by a plaintiff was recorded by a third party as a result of the bug (Courthouse News).
Policies, procurements, and agency equities.
Senator Warner (Democrat of Virginia) wants an accounting from Homeland Security Secretary Nielsen about the impact of the Government shutdown on cybersecurity. A third-party preliminary answer suggests that such impact may have been other than many imagine. SecurityScorecard thinks that, while the familiar certificate-expiration problem was indeed real, in fact there were actually some improvements in security posture across the Government. Agencies caught up with a lot of patching and endpoint security upgrades, for example. Some conjecture that this may have been because, not being pestered with as many small, urgent but not particularly important requests, IT departments actually had the time to take care of what's actually more important. Zscaler argues with some force that furloughing many IT staffers exposed the Government to serious risk, but if SecurityScorecard preliminary look is correct, the damage Zscaler foresaw may not have fully materialized.
US Federal IT workers have been reporting low morale brought on by the shutdown (Federal News Network). Should, absent a budget agreement, the Government close again in February, some observers predict that the long-forecast "retirement tsunami" will finally wash through the Civil Service (Federal News Network).
The US Senate's Homeland Security Committee, one of the many Congressional committees with cyber oversight responsibilities (about eighty of them, as Representative Langevin, Democrat of Rhode Island, points out to NextGov), has outlined its priorities for the coming session (Washington Post).
Legislation introduced into the US Senate this week would give the Department of Energy more responsibility for the cybersecurity of oil and natural gas pipelines, and of liquefied natural gas facilities (Houston Chronicle).
Fortunes of commerce.
Add Vodafone to the list of companies deciding that Huawei presents too much of a security risk. The telco has suspended purchases of Huawei hardware (Nasdaq).
Palantir, the big-data analytics unicorn that's headed for an IPO, almost went under a few times during its history because, CEO Alex Karp says, he didn't know how to pitch to investors (Connecticut Post).
A survey by Thycotic suggests that infosec professionals don't feel particularly appreciated within their larger organizations, which tend to see the security team as an irritating nay-saying cost-center (TNW). Cops, goons, even "doom mongers" (Forbes). Another study, this one commissioned by Trend Micro, reaches similar conclusions: security managers feel isolated, and generally expect only indifferent success when they seek to communicate with their organizations. A failure to communicate, surely, but perhaps also a failure to show value and work friendly. We have no wish to foul the infosec nest, but perhaps some honest self-reflection is in order.
We continue to see a great deal about the ongoing shortage of cybersecurity workers, and even how that scarcity portends a bleak 2019 (TechCrunch). The Center for Strategic and International Studies has weighed in with recommendations about how to redress the shortage with training and education.
Mergers and acquisitions.
To ease European anti-trust concerns over its acquisition of Gemalto, Thales is spinning out hardware security module shop nCipher (ComputerWeekly). nCipher, which had been owned by Thales for the past eleven years, is currently looking for buyer, and has been receiving bids (Computer Business Review).
CACI has announced two significant acquisitions. The first, Virginia based LGS Innovations ($725 million price tag), will bring CACI new capabilities in "real-time spectrum management, C4ISR and cyber products." It also brings with it LGS's customers in the US Intelligence Community and Department of Defense. The other acquisition is Mastodon Design, based in Rochester, New York. Mastodon's expertise lies in "rapid design and manufacturing of rugged signals intelligence, electronic warfare, and cyber operations products and solutions." CACI is paying $225 million for the company (Washington Technology). CACI sees the two acquisitions as bringing it a technological edge that will give it an advantage over competing service providers (Washington Business Journal).
California-based endpoint-protection start-up DarkBytes has been acquired by Sophos, which is interested in the start-up's “'rich domain experience' in managed detection and response (MDR) and security orchestration automation response (SOAR)" (ARN). The buy represents Sophos's second acquisition so far this year: the company announced its acquisition of Avid Secure in mid-January (ARN).
Orange has announced its purchase of UK-based SecureData Group, including its SensePost consulting arm. The French telecommunications multinational intends to use the acquisition to consolidate its place in European cybersecurity markets. SecureData is the UK's largest independent cybersecurity service provider.
A $10 million funding round will enable Salt Security to enhance its API protection solution (Globes).
Mimiro, which offers an AI platform, has raised $30 million in a Series B round to extend its offerings to include detection of financial crime, including various forms of fraud and money laundering. The round was led by Index Ventures with participation by existing investor Balderton Capital (Help Net Security).
And security innovation.
Thales and Québec-based start-up incubator Centech have entered into a partnership, AI@Centech, that will support new companies developing AI technologies (Jane's 360).
Today's issue includes events affecting China, Iran, Israel, Russia, United Arab Emirates, United Kingdom, United States.
By the way, happy Ground Hog Day, especially to our readers in Pennsylvania.
ON THE PODCAST
Research Saturday is up. In this episode we talk with Trend Micro about "Online underground markets in the Middle East." Their researchers have recently published their look inside online underground marketplaces in the Middle East and North Africa, where criminals are buying and selling malware, laundering money and event booking their next discount vacation. Jon Clay, director of global threat communications at Trend Micro, joins us to share their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.