The CyberWire Daily Podcast 6.10.20
Ep 1106 | 6.10.20
A big Patch Tuesday. Honda ransomware update. Facebook helped the FBI with a zero-day. Cloud service outages. Breach settlements. BellTroX explains itself, sort of.
Transcript

Dave Bittner: Notes on a fairly big Patch Tuesday. Honda continues its investigation of the incident it sustained over the weekend. Facebook is said to have developed a Tails zero-day to help the FBI with a notorious case. Crooks are turning to search engine optimization. IBM and Google cloud services recovered quickly from outages. You're unlikely to get rich from a breach settlement. Joe Carrigan describes free online courses aimed at community college students. Our guest is Dennis Toomey from BAE on how financial institutions need to enact stronger cyber protocols as employees migrate to working from home. And BellTroX says, hey, it was just helping some private eyes.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 10, 2020.

Dave Bittner: Yesterday's Patch Tuesday was a heavy one. Intel fixed 22 bugs, two of which - in its Active Management Technology - are rated critical. BleepingComputer says that Microsoft's patches amounted to the largest set ever, a total of 129 fixes. KrebsOnSecurity assesses three issues with Microsoft Server Message Block as among the most troubling. Sophos points out that a majority of the issues Microsoft addressed, a whopping 69, involve the risk of escalation of privilege exploitation. Adobe was the other prominent participant in Patch Tuesday. The company fixed problems with Framemaker, Experience Manager and Flash Player. 

Dave Bittner: Honda continues its investigation of the incident it sustained over the weekend. The Japan Times reports that domestic production has resumed, but that as of yesterday, the company had advised its employees in Tokyo and some other Japanese offices to avoid using Honda's internal network. According to TechCrunch and other outlets, the incident was an attack using the Snake strain of ransomware, also called Ekans. Honda tweeted that some of its customer-facing operations were affected. Quote, "at this time, Honda customer service and Honda financial services are experiencing technical difficulties and are unavailable," the tweet said, adding, "we are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding." Investigation continues, but Honda has said that as far as it knows, no data were exfiltrated. 

Dave Bittner: Motherboard this morning reported that Facebook helped the FBI track down one Buster Hernandez, a man wanted for harassing, threatening and abusing young girls. The company did so by working with an unidentified security firm to develop a zero-day in Tails, the privacy-focused, Tor-using operating system, to give the Bureau the ability to unmask Mr. Hernandez's IP address, a hack that eventually led to his arrest. This is the only known case in which Facebook has provided this kind of assistance. Menlo Park thought the case was too heinous to pass on helping law enforcement. Also factoring in was the company's judgment that providing the assistance posed no threat to privacy and no prospect of use against anyone other than Mr. Hernandez.

Dave Bittner: Avast describes a criminal campaign that uses search engine optimization tools to draw victims to malicious sites using promises of prizes. In general, the tactic has been to use the same techniques SEO consultants advise their clients to employ to bring their pages to the top. All the major search engines are affected: Google, Bing, Yahoo, Yandex and Baidu. The operators use fixed code to create the appearance of positive Google product reviews in rich search results, Avast says. Should you follow the link, you'll be taken to a variety of pages that eventually, usually after a show of calculating results to determine a winner, tell the searcher that they in fact are the lucky one. The scammers also tune the language to one that fits the visitor's IP address. The examples Avast shares are in German, French, English or Czech, and the researchers say that the grammar and usage aren't bad. The promises we've noticed have been festooned with images of falling confetti and congratulations on just having done the billionth - or maybe it was the five billionth - search. We didn't bite, and you shouldn't either.

Dave Bittner: Two major cloud services, IBM's and Google's, suffered outages earlier this week. According to Vice, Google's service went down Sunday afternoon, but was resolved within an hour. IBM underwent its own disruption late yesterday afternoon, and had been restored by early evening, Computing reports. Both of the outages had effects that cascaded into other services. In IBM's case, it affected Cloud Object Storage, App Connect, Kubernetes Service, Continuous Delivery, Identity and Access Management, VPN for VPC, and Watson AI cloud services. The Google outage affected, among others, Shopify, Snapchat, Discord and Rocket League game servers. Some of Apple's cloud-based services also felt the effects. These included iCloud Mail, iCloud Drive and iMessage. The causes of both outages remain under investigation. Neither is thought to be the result of a cyberattack. 

Dave Bittner: The lesson that Computing draws from the Google incident - and the same could no doubt be said of the IBM case as well - is that the outages show the risk of a growing general dependency on a small number of cloud providers. There might be another lesson worth drawing as well - the outages were relatively swiftly mitigated and resolved, which might indicate the value the automation layer brings. 

Dave Bittner: Dennis Toomey is global director of Counter Fraud Analytics at BAE Systems Applied Intelligence. He joins us with insights on how financial institutions need to enact stronger cyber protocols as employees continue to work from home. 

Dennis Toomey: I think it's probably important to note that during the global lockdowns and the border closures, restrictions on movement and the rest of the stuff that's going on during the pandemic, we are seeing the ethically challenged or criminally motivated, if you will, individuals or groups who would usually operate in the physical world, they're moving to the online or cyber world, if you will. And since February of this year, BAE Systems Applied Intelligence Threat Intelligence Team has tracked numerous threat actors across the globe ramping up their attempts to steal data and secure information from institutions through phishing attempts, via email and other activities. Some of these attempts made users believe they were receiving the latest information from the CDC, Center for Disease Control, or the World Health Organization. But in reality, they were just attempting to transmit malware, spyware to uncover and prey on the vulnerabilities from a cyber perspective. 

Dave Bittner: You know, it's been my perception that financial institutions have often been on the leading edge of things like fraud detection, you know, being able to have automated systems that can detect when something is amiss. Has that given them an advantage here as - during this shift, as more people have shifted to working from home? Do they have a little bit of a leg up? 

Dennis Toomey: Yeah, it's a really, really good point because, you know, technology is not driven by social distance and guidelines. We - you know, the companies that have fraud detection systems or online systems - or automated systems to identify suspicious activity, they can still look at the data. The data is still there. Everything relates to the data. And if they have the right systems in place, then they are able to identify that suspicious activity within the data. 

Dennis Toomey: The companies that are thinking about cutting back on that technology or are not invested into that technology in the future, they're the ones that are going to be on the outside looking in. The criminals are smart. These guys that are doing - attempting fraud or committing fraud across the financial institutions, they know which institutions resist it and which institutions don't resist it. The ones that don't resist it, you know, it's an easy target. They're going to go for them, and they're not going to go for the ones that are resisting it. So technology does play a deterrent factor as well. 

Dave Bittner: What sort of things are financial institutions learning as a result of this shift to work from home and the social distancing and all those sorts of things? Are there lessons they're going to take with them when we come out on the other side? 

Dennis Toomey: Yeah, I do think there's a lot of lessons that they're going to be - that's going to drive us into the future. I think, you know, working from home is going to consistently be a more efficient way for organizations to do business. And, you know, that would be one of my recommendations for anybody out there, is to redo your risk assessment. If you haven't done one, you definitely need to do one. But if you have done one and you haven't done it in the past six months, you need to redo it because you need to really look to see what other risks are out there for people working at home. And it's not just the technology; it's the human factor as well. 

Dennis Toomey: And one of the other things is surveillance. You know, I think financial institutions have to put into place some surveillance technology to monitor the emails, monitor where the data is going and be able to block it right away through some type of mitigation process. 

Dave Bittner: That's Dennis Toomey from BAE Systems. 

Dave Bittner: The Wall Street Journal reports that the latest settlement in Equifax's 2017 breach, $30.5 million, will mostly go toward a requirement that Equifax invest $25 million in upgrading its own security. So an adverse judgment can punish a company, but it's unlikely that any affected individuals are going to get rich from this kind of settlement. 

Dave Bittner: And, finally, Sumit Gupta, founder of BellTroX - the Indian company Citizen Lab named in its report on hackers-for-hire - has told Reuters he did nothing wrong. All BellTroX did was help private investigators access email accounts when BellTroX was given credentials to those accounts. The snooping around environmental activist groups the Citizen Lab reported has gained a great deal of attention, but among the tasks BellTroX allegedly received from his customers was assistance in seeing what law firms, investment firms, short sellers and private litigants were up to. That's a pretty wide net. So who were the gumshoes and peepers who Mr. Gupta worked for? Well, if they did divorce work, they wouldn't be Philip Marlowe. Beyond that, well, there are a million stories in the naked city. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute. He is also my co-host on the "Hacking Humans" podcast. Joe, always great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: I wanted to congratulate you. You recently had a paper published. 

Joe Carrigan: Yes. 

Dave Bittner: Share with us what's going on here. 

Joe Carrigan: So the paper is written by me, and the principal investigator was Dr. Anton Dahbura, my boss Tony. And he and I worked on a - developing a distributable cybersecurity course for community college students. And the goal of this course is to expose students at the community college level to the - to a sampling of topics in cybersecurity. In this course - the course is divided into four modules. The first module is offensive security and forensics, and we talk about - we have - Dr. Leschke, who is our forensics instructor, gives a really good overview lecture of forensics. I do a lecture on passwords and the history of passwords and how to crack passwords. 

Joe Carrigan: Dr. Lanier Watkins does two lectures, one of which is about how he brings down UAVs or drones, commodity UAVs or drones. Very interesting stuff. The next module that we have is an Internet of Things module. We discuss what an embedded system is, and we do Internet of Things security for commodity Internet of Things. Then, again, Dr. Watkins does a talk on SCADA and ICS devices, which are part of the Internet of Things. Even though they're kind of separate, they're kind of very similar to Internet of Things devices and embedded systems. 

Joe Carrigan: And then we have two modules - one on cryptography, which provides a good background of cryptography from doctors Matt Green and Abhishek Jain, and then another module on blockchain, where Abhishek Jain - again, Dr. Jain walks you through the idea behind blockchain, the idea behind distributed consensus and, essentially, how bitcoin works, from soup to nuts. And then one of our Ph.D. students, who's now actually a doctor, Gabriel Kaptchuk, walks the students through other uses for blockchain technology, things like auditing and microblogging. 

Dave Bittner: So what's in it for Hopkins here to provide this sort of stuff to community colleges, broadly? What motivates you all to do that? 

Joe Carrigan: Well, of course, we'd like to see more people come into our ISI program, right? 

Dave Bittner: (Laughter) I see. OK. 

Joe Carrigan: That's really what we'd like. 

Dave Bittner: So it's completely unselfish (laughter). 

Joe Carrigan: No. No. I mean - but, generally, there is a consensus that there's a problem with getting people into the field. I've talked here about how that problem may not be as big as it seems. But we do need to get people interested in this field of cybersecurity, and we do need to make it available to as many people as possible. And that was really the goal, was to expose as many people as possible to these underlying theories or these - this broad sampling of topics in the field and, hopefully, show people that there are some interesting fields that they might enjoy. 

Dave Bittner: Yeah. Now, can you give me some insights? What's your experience with folks coming up through the community college pipeline versus state schools or private schools? Are we getting quality folks coming up through the community colleges? 

Joe Carrigan: Absolutely, we get quality folks coming up through the community college. My son started with a community college. He started here with Howard Community College, which is here in Howard County, Md., and now has progressed on to a four-year institution, where he'll get his degree hopefully at the end of next year. It's a great way to start a college career and make it more affordable as well because a lot of these community colleges have enrollment agreements with other four-year institutions. 

Joe Carrigan: So if you're a senior in high school or a junior in high school - actually, you'll probably be thinking about this in your sophomore or junior year - look at the community colleges and ask where they have transfer agreements to and see if you would like to go to some of those schools as well. Then enroll with the community college and target - with the target of going to that school, that four-year school because, when you graduate from that four-year school, you just get a degree from that four-year school, right? 

Dave Bittner: Right. 

(LAUGHTER) 

Joe Carrigan: You don't - nobody... 

Dave Bittner: No - right. 

Joe Carrigan: Nobody really knows or cares that you went to community college for two years. 

Dave Bittner: Right. Right. Nobody cares where you started; they care where you finished. 

Joe Carrigan: Right. Exactly (laughter). 

Dave Bittner: Right. Right. 

Joe Carrigan: And then once you have your four-year degree, give us a call here at Hopkins or come to the ISI program. 

(LAUGHTER) 

Joe Carrigan: Or heck, you can transfer... 

Dave Bittner: You know, Joe, you know we sell ads, Joe. You know, we... 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: I believe we buy ads, right? 

Dave Bittner: You do. You do. 

(LAUGHTER) 

Dave Bittner: All right. Well, before my boss comes at me, I suppose it's probably a good time to wrap up this segment, Joe Carrigan. 

Joe Carrigan: Can I plug the website? 

Dave Bittner: Sure. Why not? (Laughter). 

Joe Carrigan: Yeah. Right. I mean, I want people to have this course. If you want to check it out, go to cybercourse - all one word - cybercourse.isi.jhu.edu. And you can sign up for an account there and immediately download the course package. The course material is one zip file. 

Dave Bittner: Yeah, that's a great opportunity because these are some high-level people offering their insights and, you know, teaching you some of these topics. 

Joe Carrigan: That's right, Dave. It's - a lot of our faculty are involved in this. I deliver a couple of lectures. We even have some people from the Applied Physics Laboratory talking. 

Dave Bittner: That's right. That's right. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.