Google’s Project Zero releases information on a long-running watering-hole campaign against iPhone users. A dental record backup service is hit by ransomware, and the decryptor the extortionists gave them may not work. Huawei may be in fresh legal hot water over alleged IP theft. Cryptojacking charges are added to those the accused Capital One hacker faces. And we say farewell to a Bletchley Park veteran. Emily Wilson from Terbium Labs on back-to-school season in the fraud markets. Guest is the one-and-only Jack Bittner, with his insights on how middle-schoolers are handling security.
Dave Bittner: [00:00:00] Hi, Jack.
Jack Bittner: [00:00:01] Hello.
Dave Bittner: [00:00:02] Do you want to be on today's show?
Jack Bittner: [00:00:03] I would love to.
Dave Bittner: [00:00:04] All right. Let's do it.
Dave Bittner: [00:00:09] Google's Project Zero releases information on a long-running watering hole campaign against iPhone users. A dental record backup service is hit by ransomware, and the decryptor the extortionist gave them may not work. Huawei could be in fresh legal hot water over alleged IP theft. Cryptojacking charges are added to those the accused Capital One hacker faces. We take a look at back-to-school cybersecurity with preteen friends and family. And we say farewell to a Bletchley Park veteran.
Dave Bittner: [00:00:44] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:50] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pentesters and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pentests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster, while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:17] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 30, 2019.
Dave Bittner: [00:02:26] Google's Project Zero has released details of its research into a quiet, sustained watering hole campaign against iPhone users. They found five distinct exploit chains in use by the attackers. Google's blog says, quote, "there was no target discrimination. Simply visiting the hacked site was enough for the exploit server to attack your device and, if it was successful, install a monitoring implant. We estimate that these sites received thousands of visitors per week," quote. It's worth noting that indiscriminate isn't to be insisted on too broadly. The watering hole campaign was indiscriminate, but within the communities it targeted. The report says little about who those communities might be, but their closing advice to be alert for campaigns targeting you as a member of a given ethnic community or a resident of a certain geographical area suggests the sort of bounds within which the attackers operated. They appear to have had particular groups in mind. Apple patched the zero-day vulnerability the campaign exploited in February. Google notes that this single campaign probably represents the proverbial tip of the iceberg. That Google found it at all, the researchers say, was a fail on the attackers' part. There are probably other campaigns, Mountain View says, that remain undetected.
Dave Bittner: [00:03:46] PerCSoft, cloud provider for Digital Dental Record and a widely used backup data repository for the U.S. dental profession, has sustained a ransomware attack. PerCSoft is believed to have paid the ransom to obtain a decryptor, but there are reports the decryptor hasn't been fully successful. The ransomware strain involved appears to be REvil, also known as Sodinokibi. The Wall Street Journal reports in an exclusive that U.S. federal prosecutors are investigating Huawei for alleged intellectual property theft. The investigation includes at least one subpoena from the U.S. attorney for the Eastern District of New York, and this suggests to the Journal that the inquiry is looking into some hitherto unexamined case of IP theft. Huawei, which has denied that it steals intellectual property for almost as long as it's been suspected of doing so, is currently fighting a case in a Seattle court that alleges the company illicitly obtained details of T-Mobile test equipment. Who the alleged victims in the present investigation may be remains unknown, and the U.S. Department of Justice is remaining tight-lipped. But the Journal does say that the FBI has interviewed a Portuguese national who's complained that digital imaging technology he developed had been misappropriated by Huawei.
Dave Bittner: [00:05:06] Cryptojacking charges have been added to those accused Capital One hacker Paige Thompson faces. An additional indictment was filed Wednesday, Infosecurity Magazine reports. The new indictment does include some newly identified victims of the alleged crimes - a state agency outside the state of Washington, a telecommunications conglomerate outside the United States and a public research university outside the state of Washington. All told, the indictment alleges that the victims were Capital One and 30 unnamed others.
Dave Bittner: [00:05:37] The cryptojacking, which produces alt-coin, also provides a rational criminal motive for the alleged crime. There seems to be no such rational purpose to the data theft that Capital One sustained. CSO Magazine interviews several experts who point out the difficulty of preparing defenses against a hacker who works without a rationally discernible motive. John McAlaney, a psychologist at Bournemouth University with an interest in the psychology of crime, hacking and hacktivism, pointed out to CSO that many cyberattacks are indeed random and motiveless. The hacker may come up with a personal, political or criminal reason for their activity, but these can often be retrospective and have nothing to do with their actions.
Dave Bittner: [00:06:21] Apple has responded to privacy concerns over its recording of Siri interactions by deciding to disable recording and storage by default. This autumn, users will be given the option of turning it on, Ars Technica reports, should they be interested in helping train the AI.
Dave Bittner: [00:06:39] And finally, this week, the security and cryptological communities remember a Bletchley Park veteran. The Royal Gazette reports that Pamela Darrell, born in Rutland but making her home in Bermuda, has died at the age of 93. Mrs. Darrell joined the Wrens during the Second World War when she was just 17. She hoped, she'd said, that the Women's Royal Naval Service would send her to sea. Instead, they sent her to Bletchley Park, which, while not Topeka or Chelyabinsk, is by English standards about as landlocked as they come. She served there throughout the war, breaking German codes. Her work remained secret for decades. She was only able to tell her husband about her service when classification of wartime activities was relaxed in the 1970s. So hail and farewell, Mrs. Darrell. And spare a thought and some conversation for the Second World War generation. We won't have them with us for much longer.
Dave Bittner: [00:07:44] Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:08:47] And I'm pleased to be joined once again by Emily Wilson. She's the VP of research at Terbium Labs. Emily, we're coming up here on that time of year when it's time for kids to head on back to school, and that provides some opportunities for folks who may not be up to any good to try to take advantage of them.
Emily Wilson: [00:09:06] This is a fantastic time of the year for cybercriminals. Of course, if you're a cybercriminal, if you're a fraudster, you love things like the Christmas shopping season. The back-to-school period is also just a really great time, unfortunately, for these cybercriminals to work out all sorts of schemes and collect all kinds of data.
Emily Wilson: [00:09:24] There are a few different ways that this is problematic. One, you have these kids who are going off to school - I'm thinking here specifically about college freshmen. You think about the number of emails that you get, the number of links you're sent, the number of places you need to enter your data for housing and for orientation, for clubs and career fairs, right? So there's a lot of different places there for people to be collecting data to questionably secure systems and also a ton of opportunities for phishing, right? If you're a college freshman and you have your college email address for the first time and you get something - hey, free pizza, come click here and put in your information - of course you're going to click it. Everyone loves free pizza. You know, it's your first time at school, so that's really exciting for people.
Emily Wilson: [00:10:08] That's sort of on the data side. On the other side, on sort of the financial fraud side, we have big-ticket purchases here - maybe stuff for a dorm room, maybe you're getting a car for the first time, certainly for electronics. There are a lot of opportunities here, again, to phish people or to collect data or opportunities to sneak fraudulent purchases in under the radar. You think about normal spending patterns, right? We've talked about how during the holiday season, you know, it might not be normal for you to make five Amazon purchases in an hour and ship them to three different addresses. But a week before Christmas, you might do that. Same thing with the back-to-school period. It might not be typical to go and spend a lot of money at the Apple store or to make five trips to Target or what have you, but you might do that in the middle of August if you're moving. You might see charges out-of-state depending on what sort of school you're going to.
Emily Wilson: [00:11:00] And so there's all of these questions here: is it traditional spending, is somebody taking their kid to school, is it a fraudster? How would you know? When do you pull the trigger? Fraudsters love that. They love that uncertainty.
Dave Bittner: [00:11:11] Yeah. I can imagine, too, there's probably a lot of folks who those bills get sent home to Mom and Dad. They may see purchases in the school bookstore or the local Ikea or something like that and not think twice about it.
Emily Wilson: [00:11:25] That's definitely a great example. You have parents who are just going to say, you know, wow, they spent a lot of money this month, but you only go to college once. Or, you know, for students on the other side, this might be the first time that some of these kids have financial independence. It might be the first time that they have a credit card. It's certainly, you know, the first time that they might be getting inundated with credit card offers. You know, how many of those are getting intercepted? How many of those are legitimate? If you get an email saying hey, you need to finish setting up your new credit card. Click here, and enter your information and verify your card number for us, you know, as a college freshman, how much do you know about any of this? When do you know to be suspicious when it is a time of your life where a lot of people are looking for a lot of sensitive data? It's a difficult position.
Dave Bittner: [00:12:10] Yeah, it's an interesting insight. Emily Wilson, thanks for joining us.
Emily Wilson: [00:12:14] Thanks.
Dave Bittner: [00:12:19] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud helps your organization move fast, but hybrid isn't easy, especially for security teams already dealing with alert fatigue, tool sprawl and legacy workflows. Teams without unified policies and cloud-native threat detection have no easy way to spot misconfigurations or attackers who have breached an increasingly vulnerable perimeter. ExtraHop Reveal(x) provides cloud-native network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps you secure and support your business in the cloud and on the ground. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:13:19] And joining me today on our CyberWire show is our extra special guest all the way from Lake Elkhorn Middle School in Columbia, Md., Jack Bittner.
Jack Bittner: [00:13:29] Hello.
Dave Bittner: [00:13:30] Jack, welcome back to the show. You know, we brought you back because we've had several listeners write in and say when's Jack coming back.
Jack Bittner: [00:13:38] Well, here I am.
Dave Bittner: [00:13:39] Here you are, ready for back to school.
Jack Bittner: [00:13:41] Yeah.
Dave Bittner: [00:13:42] Yeah. So...
Jack Bittner: [00:13:43] Going into seventh grade.
Dave Bittner: [00:13:44] Seventh grade, very exciting. School starts next week.
Jack Bittner: [00:13:46] Right.
Dave Bittner: [00:13:47] So I wanted to touch base with you and learn about how you and your friends think about and handle your cybersecurity issues. So let's just start off with just some really basic stuff here. When you think about cybersecurity, what kind of stuff do you think about?
Jack Bittner: [00:14:06] I'd say passwords, online accounts, keeping your online information safe.
Dave Bittner: [00:14:13] Mmm hmm. How about privacy?
Jack Bittner: [00:14:15] Yeah, privacy, so not saying your real name online. That's a rule that me and my friends use a lot when playing video games together.
Dave Bittner: [00:14:26] Why is that?
Jack Bittner: [00:14:28] Just because, you know, better safe than sorry.
Dave Bittner: [00:14:31] Yeah.
Jack Bittner: [00:14:31] You don't want people knowing your name and where you live.
Dave Bittner: [00:14:35] Yeah. Do you ever have any issues with that? Have you ever had people come and be a bully or be, you know, creepy on any online gaming things?
Jack Bittner: [00:14:44] Not really, no.
Dave Bittner: [00:14:45] Yeah, well, that's good.
Jack Bittner: [00:14:46] We're pretty safe.
Dave Bittner: [00:14:47] That's good. So let's walk through some of those things together. In terms of passwords, how do you come at your password security?
Jack Bittner: [00:14:55] Usually I custom-make something for which site I'm on. So if it's Facebook or Snapchat or Instagram or Xbox, have a different password for each.
Dave Bittner: [00:15:07] OK, so you don't reuse passwords.
Jack Bittner: [00:15:09] Yes.
Dave Bittner: [00:15:10] Very good, very good. That's my boy (laughter).
Jack Bittner: [00:15:12] Never share your password.
Dave Bittner: [00:15:13] Never share your password, right, right. All right, excellent, excellent. Let's talk some about school.
Jack Bittner: [00:15:20] OK.
Dave Bittner: [00:15:20] Your school has a computer lab.
Jack Bittner: [00:15:23] Right, yes.
Dave Bittner: [00:15:24] What kind of security is set up there?
Jack Bittner: [00:15:27] Well, you log in with your username and password.
Dave Bittner: [00:15:31] Which are set by the school?
Jack Bittner: [00:15:32] Yes.
Dave Bittner: [00:15:33] OK.
Jack Bittner: [00:15:34] So the school gives out username and passwords for everybody. And then usually, we use sites like Canvas, which help us with our - organize our school things. And so we have username and passwords for those.
Dave Bittner: [00:15:47] Now do you have access to the internet on the computers in the lab?
Jack Bittner: [00:15:52] Yeah, yeah.
Dave Bittner: [00:15:54] And is that restricted?
Jack Bittner: [00:15:55] It might be. I wouldn't know. But...
Dave Bittner: [00:15:59] Well, you've - certainly, you've seen your friends - I guess what I'm getting at is do kids at school figure out workarounds to get past any of the security things at school?
Jack Bittner: [00:16:10] I wouldn't say that there are a lot of security blockers at school. I think a lot of the kids at school are smart, and they know that if they are, you know, doing something that they are not supposed to on the school computers that they'll get caught by one of the teachers. And the teachers are good with letting us know what we're supposed to be on and what we're not supposed to be on.
Dave Bittner: [00:16:32] How does that happen?
Jack Bittner: [00:16:34] They just kind of enforce it.
Dave Bittner: [00:16:36] Yeah. So what about at home? When you're using a computer - we have a family computer that we use for your homework.
Jack Bittner: [00:16:43] Right.
Dave Bittner: [00:16:44] You recently got handed down a Chromebook.
Jack Bittner: [00:16:47] Right.
Dave Bittner: [00:16:47] You use that.
Jack Bittner: [00:16:48] Right.
Dave Bittner: [00:16:49] How do you approach your security with those devices?
Jack Bittner: [00:16:51] Same thing - you know, username, password, keep everything safe. Usually I use the family computer for homework and research and stuff. I use my laptop for playing games and - not just games, but, you know, if I need to write a paper or do some research on the laptop, I'll do it on there, too.
Dave Bittner: [00:17:11] Do you have any friends who've had any issues with cybersecurity, of getting their devices hacked or things like that?
Jack Bittner: [00:17:18] Yeah, some kids at school with their Instagram accounts, the, you know, the classic get free followers by clicking this link.
Dave Bittner: [00:17:27] Oh.
Jack Bittner: [00:17:28] And so, you know, they give their username and password out, and then they get their account hacked.
Dave Bittner: [00:17:32] I see.
Jack Bittner: [00:17:33] So there has been a couple instances of that at school, but not to me.
Dave Bittner: [00:17:39] What about on your phone? You have a mobile device.
Jack Bittner: [00:17:41] Right.
Dave Bittner: [00:17:42] What do you do to keep that safe and sound?
Jack Bittner: [00:17:44] I mean, you know, always keep it on you.
Dave Bittner: [00:17:46] Yeah.
Jack Bittner: [00:17:47] You know, I don't really give it out to people unless I know them. But I don't really even give it out. You know, if I just need to show somebody something on my phone, I can let them see something. But...
Dave Bittner: [00:17:59] You show it to them but don't hand it to them necessarily.
Jack Bittner: [00:18:02] Well, I mean, you know...
Dave Bittner: [00:18:03] Depends on who it is.
Jack Bittner: [00:18:04] Right, yeah. And, you know, I have a password on my phone. I haven't given it to anybody.
Dave Bittner: [00:18:09] Have you ever lost your phone?
Jack Bittner: [00:18:11] Yes. I have lost my phone, actually, a couple of times. But I found it.
Dave Bittner: [00:18:15] (Laughter) OK, you've gotten it back safe and sound.
Jack Bittner: [00:18:17] Right, yeah.
Dave Bittner: [00:18:18] Yeah, yeah. What about your friends? I mean, do you - overall, do you think your friends are doing a good job with this stuff? Do you think - I guess my question is do you think kids today are up on the basics and know how to keep themselves safe?
Jack Bittner: [00:18:32] Yeah, I do because I think that we live in a very cyber world, and everybody's on their phones a lot or on the internet. So I think kids really understand how to keep their things safe.
Dave Bittner: [00:18:50] So what would your advice be for parents who are sending their kids off to school? What do you think the best approach is for parents to educate their kids and handle these things in a way that the kids are going to respond to?
Jack Bittner: [00:19:06] I think that teaching kids about passwords and keeping their privacy safe online and, you know, like I talked about before, not giving your personal information out online, which I think is - it should be a given with online things because, well, I think, you know, kids are smart. And I think they know not to give out personal information like that that could lead to no good.
Dave Bittner: [00:19:31] Do you think the kids today are better at this than their parents?
Jack Bittner: [00:19:35] Some of them. But, you know, people like me, my dad is a cybersecurity master.
Dave Bittner: [00:19:41] (Laughter).
Jack Bittner: [00:19:44] And so - but I think a lot of them are because, you know, kids are, you know, stereotype goes, stuck in their phones all the time...
Dave Bittner: [00:19:52] Yeah.
Jack Bittner: [00:19:53] ...Which is true sometimes. But I think they just have a lot more experience with that type of stuff than some of their parents do.
Dave Bittner: [00:20:01] Yeah. All right, well, Jack, good luck to you with this year's school year. And stay safe out there.
Jack Bittner: [00:20:07] Thank you.
Dave Bittner: [00:20:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:25] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.