Dave Bittner: [00:00:03:11] British police think ISIS not-so-lone wolves may have been howling over WhatsApp. WikiLeaks is still disgruntled over its disclosure offer's cool reception. March-Madness is also phishing season. How and why online gamers cheat. GiftGhostBot drains gift card balances. States mull next steps after the America's JobLink breach. CrowdStrike walks back some claims in its Ukrainian artillery hacking report, but insists the hack was real, and that signs point to Fancy Bear. April 7th marks two deadlines for cyber actions; observers hope for two fizzles.
Dave Bittner: [00:00:43:03] Time for a moment from our sponsor, Netsparker. You know web applications can have a lot of vulnerabilities, of course you do, you're a regular listener to this podcast. And of course every enterprise wants to protect its website, but if you have a security team you know how easy it is for them to waste time calling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily, you can use it to automatically scan thousands of websites in just a few hours. Learn more at Netsparker.com, but don't take their word for it. Go to Netsparker.com/CyberWire for a free 30 day fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. That's Netsparker.com/CyberWire. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:47:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 27th, 2017.
Dave Bittner: [00:01:57:11] After the attacks in London, ISIS makes large-scale and predictable use of online video as recruiting and inspiration tools. British police investigate the possibility that a cell, which may have supported the attacker, made use of encrypted messaging apps. The authorities have one man still in custody who they believe was in communication with the attacker by WhatsApp. It's worth noting in this context, as so often with ISIS, that the sense in which an attacker is a lone wolf is often attenuated. At the very least, they're responding to recruitment and inspiration, even if there's no immediately directing command-and-control. The Westminster attack may have involved some coordination with at least one collaborator, and perhaps with a larger organization.
Dave Bittner: [00:02:42:02] WikiLeaks continues, largely in vain, to persuade tech vendors they ought to play ball in remediating the vulnerabilities suggested by the Vault 7 leaks. Consensus now seems to run toward Apple's early conclusion: the zero-days alluded to in the files are old news, for the most part patched long ago.
Dave Bittner: [00:03:01:02] Zscaler and others warn of a spike in March-Madness-themed phishing. March-Madness is shorthand for the annual US university basketball playoffs, much followed by gamblers, enthusiasts, and subway alumni. Not that any of you would do this, but some people actually bet money on these teams. Shocking, we know.
Dave Bittner: [00:03:20:14] Shocking too is the sheer amount of cheating that goes on with online gaming, even when it doesn't involve gambling, as any parent of a child who's been booted out of Pokemon-Go for downloading a teleportation app can tell you. The video game industry is big business, with about $91 billion in revenue in 2016. A fast growing piece of that pie is e-sports, where gamers compete for prizes and glory ,and there's a growing audience of spectators who like to watch them play. All this activity is attracting investors, TV executives and advertisers, but it also attracts cheaters. Sarah Needleman is a Tech Writer for the Wall Street Journal and her recent article outlines the challenges video game companies face.
Sarah Needleman: [00:04:02:15] Players are looking to get an edge by using unapproved software and exploiting bugs to win competitions. It's a problem for the industry because right now e-sports is a rising area, and when there's rampant cheating it affects the integrity of games, and people lose interest in playing them and lose interest in watching them. So companies are going out of their way to stop, or at least fight cheating, because it's actually impossible to stop it outright. But they're working really hard to minimize it as much as possible.
Dave Bittner: [00:04:34:11] One of the things that struck me in your article was how much third party help there is on both sides of this. I mean, there are companies who are selling the cheats and there are companies who are helping the game manufacturers try to fight the cheats.
Sarah Needleman: [00:04:48:12] The ones that are selling the cheats, I don't know if I would call them companies in the traditional sense, I think a lot of these are individuals that are coming up with it and selling it online. In some foreign countries they are setting up businesses, but I think for the most part it's individuals who are very tech savvy, who come up with these cheat codes and then sell them online to an underground network of players that are, you know, very tech savvy and very interested in getting an edge. And then what you're doing is using software so that every time you fire your weapon, for example, you have perfect aim, or you can see through walls. It's not like a one time movement where you, you know, skip ahead of the level, this is affecting the entire gameplay. And we're also talking about games that are played competitively. You know, you're not playing by yourself in your basement, you are playing online against other people, in some cases part of a tournament, you're trying to win prize money. The landscape is a little bit different than it used to be back in the day.
Dave Bittner: [00:05:50:07] One of the things that struck me, I was surprised to find out the scale that this was running at. We're not just talking about a handful of people who were cheating at these games.
Sarah Needleman: [00:05:58:23] Right. For example with Devo Soft, Tom Clancy's The Division, that game has been out for about a year and the company has banned something like 40,000 players from it. In the first week that Overwatch was out the, Activision Blizzard game, they also banned thousands of players. These games have several millions of players overall, so it is still a small percentage that are getting banned, but it is definitely higher than you might think. It's a constant battle. One person put it to me as an arms race, and that it's impossible to make it impossible to cheat, so they're constantly working to stop the problem.
Dave Bittner: [00:06:35:00] That's Sarah Needleman from the Wall Street Journal.
Dave Bittner: [00:06:38:22] If you're using gift cards online, beware: Distil Networks warns businesses and consumers of a threat to gift cards. GiftGhostBot uses nearly 1000 infected sites to inspect and drain gift cards of their balances.
Dave Bittner: [00:06:54:16] The US state of Vermont, at least, is contemplating legal action against America's JobLink for what appears to be its loss of significant personal information belonging to job seekers. Nine other states were also affected. One of them was Maine, which was using JobLink to help process unemployment claims. We heard from Ebba Blitz, CEO of encryption-as-a-service firm Alertsec, who sees the case as another unfortunate reminder of the seriousness of third-party risk. He thinks New York State's recent adoption of more stringent cyber security regulations may provide other states with a model for third-party compliance.
Dave Bittner: [00:07:31:09] We also heard about New York's new requirements from Brad Keller, who directs third-party strategy at the New Jersey-based security company, Prevalent. While much of what New York now requires has already been recognized as best practice, the regulations go farther in requiring companies licensed for banking, insurance, or financial services, to maintain comprehensive cyber risk management programs that address cyber risk at the C-level, and board level, and that specifically address third-party risk.
Dave Bittner: [00:08:00:17] CrowdStrike retracts some aspects of its Ukrainian artillery hacking report, but not its core findings concerning Agent-X malware. The retractions generally walked back claims of heavy losses sustained by Ukrainian D-30 gun batteries during fighting with Russian forces in the Donbas, unsurprising, given the notorious difficulty of battle damage assessment. They also clarified misunderstandings about claims that Ukrainian units had been forced to fire on one another. That didn't happen. But they do stand by their claim that a fire direction app was compromised to reveal general position information about Ukrainian fire units, and that the malware was a Fancy Bear production.
Dave Bittner: [00:08:43:06] Finally, two deadlines expire April 7th, which is less than two weeks away. The Turkish Crime Family says it's going to wipe hundreds of millions of iOS devices unless Apple pays ransom. Apple says the threat's a lot of hooey, and pretty much everyone agrees. And Anonymous will run its annual OpIsrael against various online targets in the Jewish state. OpIsrael has traditionally been a fizzle that fails to rise beyond the level of low-grade nuisance, but Israeli authorities warn people to be on their guard nonetheless. So be on the alert, but hope to be pleasantly disappointed.
Dave Bittner: [00:09:22:15] Time to thank our sponsor, Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. The cloud is a remarkable business enabler, but when you use public clouds, like Amazon Web Services and Microsoft Azure, remember that security is still a shared responsibility. They're your apps and your data, and no one cares more about securing them than you do. Palo Alto Networks's next gen cloud security can help. It gives you complete visibility to control your apps and reduce your threat surface area from the network to the cloud. Stay secure and protected wherever your apps and data may be. Palo Alto Networks offers the most comprehensive cyber security for all clouds and software as a service environments, because secure clouds are happy clouds. Get started securing yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:10:24:15] Joining me once again is Awais Rashid, he heads the Academic Center of Excellence in Cyber Security Research at Lancaster University. Professor, welcome back. I know today you wanted to touch on some things with social engineering and open source intelligence.
Awais Rashid: [00:10:39:15] Thank you very much. The key challenge at the moment is that a lot of us use social media, online social media, so the likes of Facebook, Twitter, Google+ and so on, and inadvertently people expose a lot of information online which can make it a lot easier for attackers to craft social engineering attacks. So, for example, very targeted spear phishing attacks. What can normally happen is that an attacker can harvest an employee's information and use that as a basis to craft a very targeted attack, things that, for example, provide the interesting hooks which would encourage someone to click on an embedded link, or an attachment that will enable download of malware.
Dave Bittner: [00:11:29:05] Yeah, I saw a story not too long ago about someone who got hit because he had an interest in classic cars, and the bad guys were able to craft a message that hit him exactly where his interest was and get him to click through to something.
Awais Rashid: [00:11:42:12] Absolutely, and that's how, for example, RSA were breached. It was a very simple social engineering email, but the interesting thing is that with the power of computational tools that we now have at our disposal, we can do positive things, but they can also be used by attackers. So we have recently for instance done some work where we've actually demonstrated that you can automatically identify the employees of an organization using only information which is visible to a remote attacker as a member of the public. So you don't need to be listed on the organization's website for you to be detected as a member of that organization. For example, most employees would tend to follow the organization that they are part of on Twitter and other social network. But then what you can do is you can actually potentially link the profiles of such people across different social networks, so you can extract further information about them to make your attacks really, really sophisticated, and providing those really good hooks that will encourage someone to click on embedded links or download malware.
Dave Bittner: [00:12:49:12] So how do people find the balance between, you know, going on, leading their day to day lives and enjoying all the benefits of social media, but also protecting themselves and their organizations?
Awais Rashid: [00:12:58:23] I think there are multiple ways that this can be done. Individuals can be more cautious and vigilant about it themselves as to what kind of information do they expose. Very often keeping separate accounts for personal and professional use can be a very useful thing, but also organizations themselves can take active measures by trying to identify what kind of information about them or their employees is visible outside. This is not in terms of any punitive measures against employees, it's more about trying to understand what kind of information can be out there that can potentially be targeted, and in some ways use that information to, for example, educate employees about not revealing certain types of information that may make them more prone to such attacks.
Dave Bittner: [00:13:41:12] Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:13:46:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to cylance.com. We hope you'll check us out on Facebook, Twitter and LinkedIn. And if you'll head on over to iTunes and leave a review for our podcast, well, that's really helpful as well, it's one of the best ways that you can help new people find our show, so thanks in advance.
Dave Bittner: [00:14:16:21] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, our Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.