The CyberWire Daily Podcast 5.22.20
Ep 1094 | 5.22.20

An election database leaks. Phishing from Firebase. Shiny Hunters sell Mathway user records. COVID-19-themed scams. On that return to the office thing...

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs, and that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. Thanks. 

Dave Bittner: [00:00:43]  Indonesia's election database has leaked, and PII is for sale in the dark web. Phishing campaigns abuse Firebase. The Shiny Hunters are selling Mathway user records. U.S. agencies warn of COVID-19-themed criminal campaigns. Contact tracing technology hits a rough patch. Johannes Ullrich on the risk of phishing .pdfs with incremental updates. Our guest is author Peter Singer on his new book, "Burn-In." And what are you going to do when you return to the workplace if, that is, you've left the workplace at all and if you're, in fact, ever going to return? 

Dave Bittner: [00:01:22]  And now a word from our sponsor ExtraHop - securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "There is no other company that aligns to supporting the DevOps model - the speed and the lack of friction - than ExtraHop." See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber, and we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:02:26]  Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:49]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 22, 2020. 

Dave Bittner: [00:02:57]  Indonesia's general election commission is investigating the release of voters' private information on a hacker website. Reuters says that 2.3 million people's data have so far been released but that those claiming responsibility are threatening to expose data on 200 million Indonesians. Authorities confirm that the data were authentic and that they included such items as home addresses and national identification numbers. The source of the leak is unknown, but the General Election Commission said that it didn't happen in the commission's own servers. They suggest that it may have come from the presidential candidates or political parties, with whom the commission is obligated by law to share such data. 

Dave Bittner: [00:03:41]  Researchers at Trustwave SpiderLabs have observed phishing campaigns abusing Firebase, the Google-owned application development platform that offers users secure storage on the Google cloud. The phishing emails are fairly routine, using commodity-level templates that misrepresent themselves as coming from such well-known brands as Outlook, Office 365 or the Bank of America. But the use of Firebase URLs in the phishing is significant as many of those will pass through automated screens established in email systems. 

Dave Bittner: [00:04:15]  The Shiny Hunters gang appears to be offering stolen Mathway user records for sale. Mathway is a highly rated Android and iOS calculator app. Bleeping Computer reports that Mathway is currently investigating the incident. ZeroFOX has been tracking the Shiny Hunters in their other criminal activities. The gang has been an unusually active player in the criminal market for data. 

Dave Bittner: [00:04:40]  Four US federal agencies - The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Internal Revenue Service, the Department of the Treasury and the US Secret Service - all warned that the government continues to encounter attempts by criminals to steal personal and banking information using COVID-19 phishbait to lure their victims. Fifth Domain reports that many of these attempts involve drawing people in with proffers of assistance from the CARES Relief Act and other programs established to help people during the economic stresses of the pandemic. 

Dave Bittner: [00:05:15]  ComputerWeekly reports that authorities in the UK acknowledge that the NHS contact tracing app won't make the June 1 deadline for a national rollout. This is due in part to skittishness by the governments of Northern Ireland and Scotland about the privacy and efficacy of the system. Northern Ireland, for example, doesn't want a system that will impede travel across the border with the Republic of Ireland. NHS Highland, responsible for health care in Scotland, has undertaken development of its own system designed to protect residents, visitors and staff in care homes from the infection by creating virtual geozones around the care home and particularly sensitive or quarantined areas to control access as well as dynamic personal two-meter geozones around everyone with the app. It's also due in part to what's increasingly perceived as an unacceptable degree of bugginess in the app source code itself. As Gizmodo UK put it, "it's just getting silly now." In any case, a June 1st rollout is now generally regarded as an impossibility. 

Dave Bittner: [00:06:20]  The US federal government hasn't undertaken development of a national contact tracing app along British lines, but some of the states have. North and South Dakota have deployed Care19, an app that collects geolocation data under conditions that require opt-in, anonymization and no sharing with third parties. But researchers at privacy-specialist shop Jumbo Privacy have looked at Care19 and report, as the Washington Post reports, that one of the first contact-tracing apps violates its own privacy policy. In particular, Jumbo says that Care19 shares location data with Foursquare, best known for its offerings in support of advertisers, and also that the app's data aren't really as anonymous as one might think. They include devices' advertising identifiers. Jumbo recommends that users not install the app until Care19's privacy policy is updated for accuracy and until the app can assure users that their data won't be shared with third parties. 

Dave Bittner: [00:07:21]  There are other state-level projects under development. The Telegraph reports that British tech company Wejo has contracted with eight states to develop a system for tracking the movements of connected cars, the better to help the states ensure that people are following stay-at-home orders, going out only for essentials like groceries and not simply gallivanting around like a bunch of Sunday drivers. Comments on the story generally evince a negative reaction to this kind of tracking, as well as some expression of relief that, thank heaven, the commenter drives a primitive rattletrap without newfangled internet gizmos. 

Dave Bittner: [00:07:58]  Remote work appears likely to remain widespread even after the pandemic abates. Facebook is the most prominent corporation to announce that it's all-in on a teleworking future. The Wall Street Journal reports that Menlo Park sees many advantages in terms of cost savings, productivity and employee quality of life when its people won't actually have to show up in Menlo Park. And, of course, Mr. Zuckerberg foresees more geographical and ideological diversity if the company's workers can live anywhere and not remain so closely tied to the San Francisco Bay area. The US federal government has also found that many of its jobs can be done from home. Federal Times reports that the US Federal CIO Suzette Kent says the government has been able to rethink its ways of doing business and now has a better grip of the sorts of work that, in fact, require physical presence to accomplish. This is good news for vendors who specialize in remote collaboration tools, as the Wall Street Journal also observes. The effects on individual workers will vary depending on their home circumstances. They may also have to accept lower salaries. Few places have a higher cost of living than Silicon Valley, and that will surely factor into compensation plans. 

Dave Bittner: [00:09:14]  There are some downsides to both returning to the office and continuing to work from home. Police in the UK are concerned that businesses take proper precautions to ensure that the offices they've abandoned during the pandemic are clear of cyber threats when people return. SC Magazine quotes Peter Goodman, chief constable for the Derbyshire Constabulary, National Lead for Cyber Crime and for Serious and Organised Crime, National Police Chiefs' Council, as saying, quote, "because, unfortunately, some may have locked the front door but have forgotten to close the backdoor as they left. We do anticipate that there may be some malware sitting on people's systems as they get back to work," end quote. Imagine an infestation of evil maids if you must, but at least take a look at security upon your return. 

Dave Bittner: [00:10:02]  Another issue that might be easily overlooked by organizations continuing to work remotely - does your cyber insurance cover risks of telework? JDSupra advises you to check your policies. 

Dave Bittner: [00:10:15]  And finally, Monday is Memorial Day in the United States, and we'll be observing the federal holiday with a break from publication. We'll be back as usual on Tuesday, May 26. In the meantime, spare a thought and a memory for the fallen, for their families and for those alongside whom they served. 

Dave Bittner: [00:10:38]  And now a word from our sponsor, Thycotic. Thycotic protects companies from cyberattacks by developing innovative technologies that secure privileged accounts across the modern enterprise. Thycotic recently partnered with Cybrary to conduct a global survey of IT professionals focusing on how organizations are implementing least privilege. Their new survey report shows overprivileged users are still a big challenge for IT professionals. The report reveals important insights for anyone planning or already down the path with their own least-privilege security program. From the survey, they found that even though least privilege is a top or urgent priority, most organizations struggle with complexity and user complaints when implementing a least-privilege security strategy. Go to thycotic.com/cyberwire to download the report now and get more details about the survey results, the key takeaways and recommendations for how to ensure success in your least-privilege implementation. Again, that's thycotic.com/cyberwire to download this special report on the state of least privilege. And we thank Thycotic for sponsoring our show. 

Dave Bittner: [00:11:53]  P.W. Singer is author of a number of noteworthy books, including "LikeWar: The Weaponization Of Social Media," and "Ghost Fleet," which he co-authored with August Cole. Their latest effort is the techno thriller "Burn-In: A Novel Of The Real Robotic Revolution." P.W. Singer joined me to discuss the book. 

P.W. Singer: [00:12:13]  What we did with "Burn-In" is that we designed into it from the very start the idea that it could be a blend of both storytelling but also that people would learn from it. So it's a new kind of book. It's a mix of novel and nonfiction. So it's a techno thriller. It follows a character, an FBI agent 20 years from now, set in Washington, D.C., as she's on the hunt for a new kind of terrorist who's using new cyber means, relevant to what you and I are gathered to talk about, to conduct the types of attacks that weren't possible before and, in fact, to hold an entire city hostage. But along the way, baked into the story are some 300 explanations and predictions that are drawn from nonfiction-style research. And literally, they've got the footnotes in the text. 

P.W. Singer: [00:13:16]  So it might be anything from when two characters are talking and, in the distance, a delivery drone with six rotors flies overhead, it'll then have a footnote to show that's not what, you know, Singer dreamed up; it actually has to have an Amazon patent for that specific design. 

Dave Bittner: [00:13:34]  You know, you mention the extensive endnotes for the book, and it really is sort of a hybrid. I don't know that I've ever seen a work of fiction that is so well documented the way that you and your co-author have done here. And I'm wondering, can you give us some insights on these boundaries that you've set up for yourselves? It's almost like you put a certain set of rules, like a puzzle that you had to solve by not allowing yourself the sort of hand-waving that you'll see with many books that deal with the future, that deal with technology. 

P.W. Singer: [00:14:10]  Yeah, it's certainly a heck (laughter) of a lot more challenging. It'd be a lot easier if you could just say, oh, and then the - you know, the good guy pulled out his X, Y, Z thing and solved it or... 

Dave Bittner: [00:14:23]  Right. 

P.W. Singer: [00:14:23]  ...You know, the way some of the TV shows are where - and now we hacked the system. Clickety clack. OK, we're in. 

Dave Bittner: [00:14:28]  (Laughter). 

P.W. Singer: [00:14:30]  And - but, again, you know, it goes back to this concept of a cross between a novel and nonfiction. For some people, it's just hopefully going to be a great summer read. Now, I don't know whether it's going to be a read while they're still stuck at home or maybe they'll be allowed to go out to the beach. But, you know, some people will just enjoy it that way. For other people, they're going to go, ooh, and maybe look at that footnote. And that's because we spent, literally, years on this double track, one which is, you know, building up the characters and the scenes. 

P.W. Singer: [00:15:14]  But sometimes, as you hit that idea of a puzzle, you know, it's - a character faces a certain challenge. How do I cause this bad thing to happen? OK, what would a real-world bad guy do? Or the bad guy has just done X; how would a real-world FBI agent or a Marine respond? 

Dave Bittner: [00:15:34]  Yeah. Well, the book is certainly very entertaining. It's quite a page-turner. But, you know, beyond that, what are the things people... 

P.W. Singer: [00:15:41]  I'm going to - yeah, just - you're going to have to have that quote out there and blast it out to everyone. I really appreciate that. 

Dave Bittner: [00:15:48]  (Laughter) No, but I'm curious. Beyond just the entertainment factor, what are the things that you hope people take away from it? 

P.W. Singer: [00:15:57]  A couple of things. One is this challenge of understanding the world that's changing around us. We have a certain irony playing out right now, where the technologies of science fiction, they're coming true. And yet science fiction hasn't well equipped us for them. 

P.W. Singer: [00:16:20]  Either it's something that is never going to happen in the distant future - you know, the secretary of treasury said that automation is not something we have to think about for, quote, "50 to 100 years," end quote. And that's why it's, quote, "not even on his - not even on my radar screen," end quote - is how he talked about it. We're already seeing the effect of automation in everything from critical infrastructure systems, be it a regular business, be it at a power system, be it at a hospital. We see automation playing out in our homes. 

P.W. Singer: [00:16:59]  And we're only at the start of this. So you have that one - it's way off in the distance. And then you have the other that - it's all about - you know, the only risk factor to think about is, you know, one day they might kill us all, the killer robot narrative that's gotten so much attention. 

Dave Bittner: [00:17:11]  Yeah. 

P.W. Singer: [00:17:12]  No, we've got all of these issues we have to think about - everything from how it changes our economy, how it changes our politics, how it changes our security. So the book raises these issues, but also, it helps share the basics of them for people that don't want to read, you know, an academic white paper. And I'm an academic, and I get most people don't want to read it. 

P.W. Singer: [00:17:39]  So, you know, we explain through the story everything from how AI works to some of the issues we have to figure out, like the concept of algorithmic bias - what happens when the machines train the wrong way and it gives you a bum steer. We explain that but in a way that you don't feel like you're being, you know, spoon-fed the yucky vegetables. So I hope it's helpful to people in understanding what looms and giving them sort of the basic terms and concepts. And then, you know, maybe we also steer towards certain things that - hey, you have to fix this if we want to be a lot safer. 

Dave Bittner: [00:18:22]  That's P.W. Singer. The book is titled "Burn-In." There's much more to our conversation, and you can check that out when you sign up for CyberWire Pro. 

Dave Bittner: [00:18:36]  And now a word from our sponsor, BlackCloak. Securing your company's data, intellectual property and reputation is job No. 1. But you have a big gap. You can only secure your executives' computers and devices that are part of the corporate network. You can't control the cybersecurity or privacy of their homes, devices, personal accounts or other family members. Attackers know this and, especially in these trying times, are actively exploiting the soft underbelly of the company by targeting your executives' digital lives. BlackCloak's cybersecurity platform solves your coverage problem. Their trusted team actively protects all personal devices, accounts, homes and family members so that a breach on the personal side doesn't take down your company. In fact, over 37% of BlackCloak customers have an intrusion discovered during their onboarding. Onboard your executive team in under a week. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:19:53]  And I am pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute, and he is also host of the ISC "StormCast" Podcast. Johannes, always great to have you back. You all have been tracking some reflective DNS DDoS attacks. Fill us in here. What's going on? 

Johannes Ullrich: [00:20:12]  Yes. Well. We just want to know what's happening with these attacks. They used to be really big, like, a few years ago when they hit some large banks, but hadn't really heard much about these attacks. So what we did is we set up a little honeypot that basically acted as a reflective DNS server. So basically, it could be used to amplify these attacks. We put, of course, some controls around it that wouldn't cause any damage. But then we just looked, how is it going to be used? And we did see actually quite a number of reflective attacks being launched. What we sort of noticed is a couple things. First of all, the targets were all small businesses or hobby sites and things like that. It looks like the banks, the large targets that used to be in the news like a few years ago, well, they found workarounds for this. Essentially, they managed to buy their way out of it. That's what you usually do with... 

Dave Bittner: [00:21:07]  (Laughter) 

Johannes Ullrich: [00:21:07]  ...Denial-of-service attack. You hire some service, you buy more bandwidth to block these attacks. These small companies, well, they don't really have the option to do that. 

Dave Bittner: [00:21:19]  Can you give us a little bit of the background? What's going on when we're talking about a reflective DNS DDoS attack? 

Johannes Ullrich: [00:21:25]  Yeah. So the way they essentially work is that an attacker will spoof a query. So they'll claim to be, like, that small business, and they'll ask a question. And the question is very small. Like, hey, tell me everything you know about this particular domain name or this particular hostname. And then the DNS server that's badly configured in this case will respond with a very large response. Now, this response will go to the victim that the attacker claimed to represent. And this can lead to amplifications of sort of in the order of 20 to 100. Since it's DNS, it's also kind of difficult to defend against. You can't just easily block DNS. You have to be a little bit more selective in how you filter this. And so the amplification, plus the fact that these responses come from valid innocent bystander DNS servers here, really makes it difficult to defend against. And also, the attack can be quite massive. There can be, you know, gigabytes - gigabits per second, which, again, for a smaller website is difficult to defend and can be quite expensive. 

Dave Bittner: [00:22:41]  Do you have any insights as to why these small businesses and hobby sites end up being targets? 

Johannes Ullrich: [00:22:48]  It's sometimes a little bit hard to tell. But one thing we noticed is a lot of IRC servers. And yes, IRC is still around. IRC has historically been sort of a favorite target for these sort of nuisance denial-of-service attacks - kids getting angry at each other. I remember way back when I started in this business, it was, like, around 2000, there was this game of IRC jousting where basically two people sort of gave each other their IP address and then launched denial-of-service attacks against each other, and whoever dropped off the IRC channel first lost. In the process, they took down, of course, a couple of ISPs and such. 

Dave Bittner: [00:23:30]  Ah, well, you know. 

[00:23:32]  (LAUGHTER) 

Johannes Ullrich: [00:23:32]  It's all for the fun of it. 

Dave Bittner: [00:23:33]  Right. Yeah. Sure. 

Johannes Ullrich: [00:23:35]  Sort of an interesting little side note on this, I noticed that a lot of .gov domains are being abused here. And the reason for this is that .gov mandates the use of DNSSEC. Now, DNSSEC is a security technology. You would think, hey, it's a good thing. But it does make DNS responses a lot larger, because now you have to include all these keys and such. Of all websites, peacecorps.gov is, like, one of the top targets we have seen here. 

Dave Bittner: [00:24:12]  Wow. Yeah. There's a small irony there I suppose. 

Johannes Ullrich: [00:24:14]  Yeah. Yeah. 

Dave Bittner: [00:24:15]  Yeah. All right. Interesting as always. Johannes Ullrich, thanks for joining us. 

Dave Bittner: [00:24:25]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:24:43]  Don't miss this weekend's "Research Saturday," where I'm joined by Alex Tilley. He's a senior security researcher at Secureworks. We're going to be discussing some of their ransomware research and the effects of business email compromise. That's "Research Saturday." Check it out. 

Dave Bittner: [00:24:58]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:25:10]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.