ISIS claims responsibility for Kabul massacre. Huawei gets another temporary reprieve. Local governments in Texas sustain ransomware attacks. Georgia hopes to combat cyberattacks with training. Google cuts a data sharing service. Bulletproof VPN services purchase residential IPs. Smartphones could be used to carry out acoustic side channel attacks. And Hy-Vee warns of a point-of-sale breach. Joe Carrigan from JHU ISI discusses corporate password policies. Guest Ben Waugh from Redox talks about bug bounties in healthcare.
Tamika Smith: [00:00:03] ISIS claims responsibility for Kabul massacre. Huawei gets another temporary reprieve. Local governments in Texas sustain ransomware attacks. Google cuts a data-sharing service. Smartphones could be used to carry out acoustic side-channel attacks. And Hy-Vee warns of a point-of-sale breach.
Dave Bittner: [00:00:30] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:26] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Tamika Smith: [00:01:54] From the CyberWire studios at DataTribe, I'm Tamika Smith sitting in for Dave Bittner with your CyberWire summary for Monday, August 19, 2019.
Tamika Smith: [00:02:05] ISIS claimed responsibility for a suicide massacre that killed 63 people at a wedding in Kabul on Saturday. The attack targeted Shiites in the western part of the city and occurred just before the country celebrated its 100th Independence Day on Monday. According to CBS News, the group posted a statement on one of its websites saying the attack was carried out by a Pakistani IS fighter.
Tamika Smith: [00:02:29] Huawei has been granted another 90-day reprieve to continue maintaining its equipment and providing updates for its phones. U.S. Commerce Secretary Wilbur Ross made the announcement Monday morning on Fox Business. He said the extension was meant to allow rural companies in the U.S. to what he called wean themselves off. At the same time, Ross also announced that the Commerce Department is adding 46 more Huawei subsidiaries to its entity list.
Tamika Smith: [00:02:55] Officials in Texas announced that 23 state agencies sustained a coordinated ransomware attack on Friday, August 16. ZDNet says the ransomware that was used does not have an official name but is being called the .JSE ransomware after the file extension it appends to encrypted files. It's a relatively obscure strain of malware that was first seen in August of 2018. The Dallas Morning News reports that the state is responding with a multiagency task force led by the Texas Department of Information Resources. The FBI and the Department of Homeland Security are also involved. Authorities believe a single threat actor is behind the attacks.
Tamika Smith: [00:03:35] Meanwhile, the state of Georgia is stepping up its efforts to train government employees following numerous attempted ransomware attacks against government departments last month. The Georgia Sun reports that Governor Kemp has added more members of his administration to the state government system's cybersecurity board, which is tasked with creating mandatory cybersecurity training programs.
Tamika Smith: [00:03:57] A major question many in the cybersecurity field would like answered is centered around bug bounties. The CyberWire's Dave Bittner reports on the dynamics between the companies who are offering them and the folks that are going after them. He talks with Ben Waugh, who is the chief security officer at Redox.
Ben Waugh: [00:04:15] I've probably been working with bug bounties for about the last five to eight years, and I've definitely seen a change from - they were very much just in the technology scene. They were for smaller organizations, startups and things like that. And now you're certainly starting to see larger organizations, more established organizations start to adopt these types of practices, ones that would ordinarily have never thought about doing this type of activity because they would have considered it far too risky - folks in finance and now in health care, as well. We're definitely seeing more adoption. It's becoming much more mainstream, I would say.
Ben Waugh: [00:04:49] And also, we're actually starting to see the rewards more accurately reflect the type of value that these kinds of bugs have. You're seeing organizations offering rewards in the tens or, in some places, even hundreds of thousands of dollars, which really makes it worth that investment on behalf of the researcher to be spending the time to find these unique and interesting vulnerabilities in software.
Dave Bittner: [00:05:13] Now, when you say that organizations previously would've found it too risky, what do you mean by that?
Ben Waugh: [00:05:18] There is always a level of risk that you're exposing yourself to, depending on the type of data that your system is using or the type of processing you're doing. I think a lot of folks are always hesitant sometimes to potentially expose that. You don't want that information to be unnecessarily exposed, and you don't want even a well-meaning person to accidentally break a system. I think a lot of industries have kind of struggled with figuring out the right balance between supporting a program like this and getting the security value from it versus ensuring, at the same time, that they're protecting the systems from a potential, even accidental, failure or abuse.
Dave Bittner: [00:05:57] Now, wouldn't it have been the case that, regardless of whether or not the organizations were supporting bug bounties, there were going to be folks poking around anyway out of curiosity? And I suppose those folks might not have had an avenue to report things if they wanted to do so in a proper manner.
Ben Waugh: [00:06:15] Absolutely, and that's probably been my personal opinion for the longest time. I believe that, regardless of what you say, people are going to poke at your application. And I do think that the real value that a bug bounty brings is it gives those people a safe way to do that, and they're not opening themselves up to legal prosecution. And so you end up ultimately being more informed about security problems because you don't have people afraid to report issues. And at the same time, they're able to do testing and follow instructions in a certain way that reduces that risk of something going wrong.
Ben Waugh: [00:06:48] For example, within our bug bounty, we ensure that we give researchers explicit instructions about how to go about testing safely so that they are only interacting with parts of the system that can't, if things go wrong, actually impact a real production hospital or things like that.
Dave Bittner: [00:07:05] So you have the opportunity there for the bug bounty itself to incentivize the folks who are out there looking for these things to do so in a safe and responsible way.
Ben Waugh: [00:07:16] Absolutely, especially if they follow the instructions that you put together. And that's why it's critical that you spend the time working on what your scope is and what your instructions are to these researchers - to ultimately help them ensure that they don't end up putting themselves or yourself in hot water.
Dave Bittner: [00:07:31] Now, what are some of the specific issues that folks are up against when it comes to bug bounties in the health care sector?
Ben Waugh: [00:07:37] In health care, we deal with PHI, and so there are a significant number of regulations around dealing with that type of data, and for good reasons, in my personal opinion, as well. One of the examples that I like to use is, when it comes to my information, my data, if my banking credentials are exposed, even if I lose money because someone steals out of my bank account, I can recover those funds. I can potentially change out those credentials. With this health care data, or PHI, I can't change that. If that data is exposed, it's out there forever. I can't go and change that, and that's why this type of data within the black market has such a value attached to it.
Dave Bittner: [00:08:16] Now, what are your recommendations for organizations that may want to start implementing a bug bounty program? How do they get started? How do they go about it?
Ben Waugh: [00:08:25] The first thing is to be ready. Even if you're working with an outsourced provider like HackerOne or Bugcrowd, there is a lot of overhead that you need to be prepared for. I'd probably say - and I'd say this is consistent with everyone who I speak to who's run one of these programs - the signal-to-noise ratio is very large. You're probably going to be dealing with - I'd say 95% of the issues that are filed are just noise or they're duplicates or they're minor things that have been called out. So it takes a lot of time to work through all of that noise and figure out what is actually - what's the signal? What are the real issues that we need to investigate and be aware of? And I think that's the same across all industries.
Ben Waugh: [00:09:05] The second thing I would say is, again, spend the time working out what your scope is and how you're providing instructions and details to researchers about how they should go about testing your platform. We're also not a SaaS - your standard kind of SaaS application, and so that means that it's not just throwing the basic sort of, like, web application tests at us, which is, I'd say, the same for a lot of companies out there. And so you need to really help folks understand what the platform is, how it works. What are the nuances with your particular application or system that will give you more meaningful tests from these folks?
Tamika Smith: [00:09:44] That was Ben Waugh, who's the chief security officer at Redox.
Tamika Smith: [00:09:49] Reuters says that Google terminated a service it had offered mobile carriers as a means of testing their network coverage. The company's Mobile Network Insights service had since 2017 offered carriers data collected from Android users who'd opted in to sharing location and performance data. Although the program was organized on a transparent opt-in basis and the data it collected were both anonymized and aggregated, Google apparently decided that Mobile Network Insights exposed the company to more regulatory risk than it wished to accept.
Tamika Smith: [00:10:24] Krebs on Security describes how cybercriminals hide their tracks by renting out bulletproof residential VPN services. Residential IP addresses are ideal for criminal activities because they're usually trusted by businesses and they periodically rotate between users. The use of residential connections to anonymize traffic is nothing new, but it's usually achieved by hacking a device on a residential network and using it as a proxy. In this case, Krebs discovered an internet provider that rented out these addresses for primarily fraudulent use.
Tamika Smith: [00:10:58] The Maryland-based company called Residential Networking Solutions, or RESNET, maintained a block of nearly 70,000 IP addresses. RESNET and several affiliated websites sold access to residential proxies for a monthly fee. They also advertised various types of spamming and botting services. About 7,000 of these IPs belonged to AT&T until late last year. Krebs discovered that the nonprofit that administered these addresses had apparently been tricked by someone posing as AT&T into transferring control of the IP block over to RESNET. It's not clear if AT&T had any connection to RESNET, but the mobile provider told Krebs it had referred the incident to law enforcement.
Tamika Smith: [00:11:41] Science Daily and other sources say that researchers at Southern Methodist University have developed a proof-of-concept in which smartphone sensors could record the sounds of keystrokes on nearby laptops, enabling eavesdroppers to capture and interpret those keystrokes. The technique does not seem to represent an immediate threat, but the researchers suggest it should raise awareness of the risk inherent in always-on sensors like those in smartphones.
Tamika Smith: [00:12:08] ZDNet reports that the Midwestern supermarket chain Hy-Vee is warning its customers to keep an eye on their bank accounts after the company discovered unauthorized activity on some of its point-of-sale systems. The activity affected some of Hy-Vee's fuel pumps, drive-thru coffee shops and restaurants. The company did not specify which locations were involved but says the activity has been stopped. Hy-Vee does not believe its grocery stores, drugstores or convenience stores were impacted. The company notes that its investigation has just begun, and more information will be forthcoming.
Tamika Smith: [00:12:43] And finally, TASS is authorized to disclose that Russia's sport minister sees a good chance that cyber sports will be added to the Olympics in 15 to 20 years. Minister Kolobkov appears to have video games in mind, not capture the flag competitions. Olympians, this is the moment you've been waiting on. Get ready to practice your Fortnite dance.
Dave Bittner: [00:13:11] And now a word from our sponsor KnowBe4, the experts in a new-school approach to manage the ongoing problem of social engineering. The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. KnowBe4 has an on-demand webinar featuring Roger Grimes, KnowBe4's data-driven defense evangelist. He'll take you through the cyber kill chain to show you how a single email slip-up can lead to the total takeover of your network, and he'll share actionable strategies you can put in place now to greatly reduce your risk. Go to knowbe4.com/cyberkillchain and watch the free webinar. That's knowbe4.com/cyberkillchain. And our thanks to KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:15] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: [00:14:24] Hi, Dave.
Dave Bittner: [00:14:25] Last week, you and I spoke about my musings...
Joe Carrigan: [00:14:29] Right.
Dave Bittner: [00:14:29] ...About whether or not organizations should basically force their users to use a password manager but also not allow them to choose their own passwords.
Joe Carrigan: [00:14:39] Correct.
Dave Bittner: [00:14:39] Have those passwords be generated so that they are strong and random.
Joe Carrigan: [00:14:43] Yes.
Dave Bittner: [00:14:44] Right? And we both sort of joked about how we would likely receive feedback from our listeners.
Joe Carrigan: [00:14:49] Yes.
Dave Bittner: [00:14:50] And they came through.
Joe Carrigan: [00:14:51] Right, did not disappoint.
Dave Bittner: [00:14:53] No.
Dave Bittner: [00:14:54] So I want to read part of what one listener sent in. This is a particularly good one. This is from someone who goes by the name Jay (ph), and he says, Dave and Joe had a great conversation about password managers and not allowing corporate users to choose their own passwords anymore. It's a great idea, but I'd like to offer another viewpoint. To stop users from choosing their own passwords, you need to do a lot more than enforce rules in the password manager. You need to be able to enforce that password policy on each of the identity stores/authentication mechanisms the user is connected to. Turns out this is really tough. So let's address that part here.
Joe Carrigan: [00:15:33] OK.
Dave Bittner: [00:15:33] I think he's got a good point here.
Joe Carrigan: [00:15:35] Right, because there's no way for me to know that the user is actually using a password from a password manager from the authentication mechanism in question.
Dave Bittner: [00:15:46] Right.
Joe Carrigan: [00:15:47] Right.
Dave Bittner: [00:15:47] So if your user wants to go rogue...
Joe Carrigan: [00:15:50] Right.
Dave Bittner: [00:15:50] ...And use their own password, it's hard for you to control that.
Joe Carrigan: [00:15:53] Right, exactly. You can't really mitigate that.
Dave Bittner: [00:15:57] So he goes on and writes, I think the better approach is to invest the energy in true SSO. That's single sign-on.
Joe Carrigan: [00:16:04] Right.
Dave Bittner: [00:16:04] It's matured a lot in recent years. Enforce MFA to log in to the endpoint, or at least have risk-based step-up authentication - SSO using those credentials so the users only have to remember one long, complex password to log in to the endpoint and then SSO to everywhere.
Joe Carrigan: [00:16:21] Correct.
Dave Bittner: [00:16:22] OK.
Joe Carrigan: [00:16:23] So this is true. First off, you're 100% correct about multifactor authentication. Enforce that. Do that and - that actually is what my No. 1 suggestion is now. Password managers are my No. 2 suggestion. If you're going to do one thing to improve your security, use multifactor authentication. If you're going to do two things, use multifactor and a password manager. Single sign-on is great because it does a couple of things. One, it allows the user to frictionlessly move throughout their services that they need to move through, right? They don't have to continually log in.
Dave Bittner: [00:16:58] Right.
Joe Carrigan: [00:16:58] And coming from a perspective where I am not really in a domain right now at my job - I have to log in to everything manually - it's still kind of a pain.
Dave Bittner: [00:17:07] Yeah. Little speed bumps in your day.
Joe Carrigan: [00:17:08] Yeah, little speed bumps here and there.
Dave Bittner: [00:17:10] Right.
Joe Carrigan: [00:17:10] The other point that I would like to make about this is single sign-on is not going to be a full solution for this. There are going to be other places that are not going to integrate with your single sign-on solution that your users need to go to. And I'm thinking, in particular, like, third-party websites where your users may need to go to look things up or to use software that's necessary for their job, or even cloud services that may integrate with your SSO or may not. They may not integrate with it. In that case, what do you do? You have to make sure that their passwords are good and that they're using multifactor authentication. And in order to make sure their passwords are good, you have to use a password manager.
Dave Bittner: [00:17:46] Right.
Joe Carrigan: [00:17:47] So I think his suggestions here are right on, and he has - in this thing, he says passwords needed to be killed a long time ago. And as much as I talk about passwords, I couldn't agree more with that statement.
Joe Carrigan: [00:18:02] I don't think we're going to be stuck with passwords forever. I think it's getting closer to the time where we're going to be able to get rid of them, like Jay says, and I welcome that time because I'll tell you, just having a simple password on your - on any account is just asking to be hacked.
Dave Bittner: [00:18:18] Yeah. All right, well, thanks to Jay for writing this in, a very thoughtful response. And it made us think a little more about this.
Joe Carrigan: [00:18:26] Yeah, Jay makes a lot of good points.
Dave Bittner: [00:18:27] Good suggestions.
Joe Carrigan: [00:18:28] Thanks, Jay.
Dave Bittner: [00:18:28] All right. Well, Joe, thanks for joining us.
Joe Carrigan: [00:18:29] It's my pleasure.
Tamika Smith: [00:18:35] Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Tamika Smith: [00:18:47] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Dave Bittner, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Tamika Smith. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.