Magecart is back. Bad apps booted from Google Play. OilRig taken seriously. Election influence operations. Sending in the National Guard. ICO fines Equifax for last year's breach.
Dave Bittner: [00:00:03] Magecart hits a Philippine media conglomerate. Bogus malicious financial apps are ejected from Google Play. Gulf States are taking warnings about Iran's oil rigs seriously. A cloud hosting service serves up phish. Taiwan believes China is preparing to meddle in its elections. Facebook sets up an anti-disinformation war room. Nebraska sends in the National Guard. And the U.K. ICO fines Equifax for last year's breach.
Dave Bittner: [00:00:38] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There is a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good - or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 20, 2018. Magecart has struck again, this time in the Philippines, where it's hit the media conglomerate ABS-CBN. The criminal group behind the operation - and there's a loose assembly of several gangs using Magecart - is exfiltrating data to their servers in Russia. Magecart attacks, which have recently infested Ticketmaster and British Airways, are generally thought to be criminal capers as opposed to state intelligence operations.
Dave Bittner: [00:02:15] ESET researchers report an infestation of malicious financial apps in Google Play. The apps have since been removed. In operation since June of this year, they presented themselves as apps belonging to the Commonwealth Bank of Australia; the Australia and New Zealand Banking Group Limited; the ASB Bank; the TSB Bank; PostFinance, which is Swiss Post's financial services unit; the Polish Bank Zachodni WBK, now rebranded as Santander Bank Polska and Bitpanda. This last one is the more interesting target. Bitpanda is an Austrian cryptocurrency exchange that doesn't even have an app.
Dave Bittner: [00:02:56] Various Gulf States are taking seriously warnings from FireEye about an increase in Iranian government hacking. Much of the recent activity has been associated with the actors involved with the oil rig attacks.
Dave Bittner: [00:03:09] Zscaler notes that a cloud hosting service is being abused by hackers. Cogeco Peer 1 is hosting domains used to serve a range of phishing attacks and attempts on cryptocurrency wallets. According to Zscaler's blog, the problems have been around since February of this year. See Zscaler's blog for details on the affected domains and be alert for social engineering staged through this particular hosting service.
Dave Bittner: [00:03:36] China is in election influence mode. Beijing has opened a campaign to affect Taiwan's coming elections. Since taking office in 2016, President Tsai Ing-wen and her Democratic Progressive Party have starchily rejected China's claims to the island nation. The Sydney Morning Herald reports that the mainland would welcome a change in administration and a more tractable attitude to its claims. Officials in Taiwan note that the country has long served as an attractive proving ground for Chinese operations elsewhere. They're bracing for a coming wave of cyberattacks.
Dave Bittner: [00:04:12] Determined to do better during this U.S. election cycle, Facebook is offering bipartisan help to campaigns - get-out-the-vote support and an anti-disinformation war room. The effort will inevitably be labor-intensive. The sort of content moderation the war room aspires to, so far, defies full automation.
Dave Bittner: [00:04:33] In the U.S., we note for the benefit of our international audience and those Americans - most of us, alas - who snoozed through high school civics classes, elections are decentralized affairs with the several states constitutionally responsible for conducting them. And the states are taking various measures to secure not only elections but other infrastructures as well. California and New York have passed laws and regulations in cyber matters of most concern to them. New Jersey is working on infrastructure protection legislation. And Connecticut does a little bit of chest-beating about the number of cyberattacks it fends off every day. Good job. But don't get cocky there, Hartford.
Dave Bittner: [00:05:16] The Center for Cyber Safety and Education has partnered with professional services provider Engility to fund scholarship opportunities for U.S. military veterans in an effort to help close the workforce gap while providing educational advancement for those who have served. Roela Santos is VP of communications at Engility.
Roela Santos: [00:05:37] We saw the need for more cyber talent. You've seen the statistics about the cyber talent gap. Center for Cyber Safety and Education's predicting a 1.8 eight million cybersecurity talent gap by 2022. So we think that veterans are a great source of filling that talent gap. Also Engility - basically, veterans is part of our DNA. Twenty-eight percent of our employees and 45 percent of our new hires are veterans. So we have a long history of supporting veteran causes. DOD is a huge customer of ours, so we're committed and motivated to include veterans in part - as part of the solution as we address this broader cyber challenge.
Dave Bittner: [00:06:25] So can you describe to us what the scholarship is all about, how you engage with veterans and basically how it all works?
Roela Santos: [00:06:32] Sure. So we partnered with the center to promote and solicit applications from veterans. So we divide it up and have awards. Four in the spring, and then four in the fall. And we suggest that veterans submit their applications online. And there's just a few questions that we ask. We ask that they submit their resume and why they feel that this scholarship will help them as they see the next phase in their cyber career. The cyber scholarship, which we call CyberWarrior Scholarship, actually provides training and testing so that they can be certified in cyber, which the (ISC)² organization provides. So these are critical cyber certifications that are needed for people who want to get into a cyber career.
Dave Bittner: [00:07:29] And what specifically do veterans bring to the table here? What are the experiences that you all find they've gained from their time serving the country?
Roela Santos: [00:07:42] Absolutely. I think three things - three reasons why we think veterans are ideally suited in cyber careers. First, they already have the mindset to be a cyberwarrior. They have the grit and determination because our cyber adversaries are tenacious. So they already have that mindset. Second, they're very patriotic and protective by nature. They're protective of our country, our people and our economy. And third, cybersecurity gives veterans a lot of flexibility in their careers. So they can continue serving our country as a government employee or as a contractor, like working for companies like Engility. Or they can move into the private sector where everybody from small to large companies to nonprofits all could use cyber expertise.
Dave Bittner: [00:08:32] That's Roela Santos from Engility. You can learn more about the CyberWarrior Scholarships at the Center for Cyber Safety and Education website. That is iamcybersafe.org. Don't delay. There's a deadline for an upcoming round of scholarship awards. It's coming up in just a few days.
Dave Bittner: [00:08:51] There's an interesting story unfolding in Nebraska. The town of Beatrice has come under some form of cyberattack. Details aren't being widely shared, but what is being shared, beyond the town's disconnection and reversion to manual backups, is that the FBI is investigating and that the Nebraska National Guard has dispatched cyber incident response teams to help. The use of the guard in this manner has long been discussed, and Nebraska's employment of the reservist cyber capabilities will be worth watching.
Dave Bittner: [00:09:23] It's now been a little more than a year since Equifax disclosed its data breach. And many have commented on what they take to be a surprising lack of enforcement actions. Here's one. The U.K.'s Information Commissioner's Office, the ICO, will fine the credit bureau 500,000 pounds for last year's data breach. Some 15 million individuals are believed to have been affected in the U.K.
Dave Bittner: [00:09:52] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:10:53] And I'm pleased to be joined once again by Craig Williams. He's the director of Telos outreach at Cisco. Craig, welcome back. You know, there's an old joke - that's not a bug, that's a feature - but then also I suppose you could add design flaw. Take us through it. What's the difference here? And why does it matter?
Craig Williams: [00:11:10] So this is a really common thing. And believe it or not, we ask ourselves this very often. You know, as you know, we do a lot of vulnerability research. You know, I think when the fiscal year ended, we were over 350 vulnerabilities, which is amazing. It's more than one per business day.
Dave Bittner: [00:11:23] Wow.
Craig Williams: [00:11:24] And so we deal with this a lot. You know, the way it works on our end is if it's a bug and it's considered a security issue, well, the vendor magically gets 90 days to fix it, right? And hopefully they can fix it by then, and if not, we'll have some conversations that sort it out. But on the other hand, if the vendor says that, no, no, no, it's supposed to work that way, that's a feature - or no, no, no, that's just a design flaw, the software is fine - then a lot of the times, they don't want to fix it. Which can put us in a weird situation because on one hand, we want to try and get the issue fixed, but on the other hand, if that's the way that it's supposed to work, and the attackers are taking advantage somehow, it puts us in a really difficult situation.
Craig Williams: [00:12:03] Let's move away from the abstract and talk about a real-world example of this. You know, one of the most recent cases we found this is with some of the MDM research we published. So if you weren't familiar with the MDM research we published, basically what would happen is an adversary would craft a really clever email saying, hey, go to this server on, say, your iPhone and install the managed certificate and, you know, you'll get something out of it. Like, you'll get free antivirus. Or you'll get your phone managed by us and we'll patch it for free. Something no reasonable user should do, right? I want to be very clear.
Craig Williams: [00:12:37] Apple has this locked down pretty well. On enterprise phones, you shouldn't be able to do this because there should already be a certificate on there, and that certificate should be locked in place with a password that the user doesn't have. Now, the problem is home users, on the other hand, they don't have a managed device. So when they see these, you know, effectively almost a phishing email and they fall for it and they click on it and it says, hey, would you like to install the certificate? They're like, yes. And your iPhone is like, no, seriously, are you really, really sure you want to install the certificate? And, you know, it's like highlighting no and flashing at you. And they're like, sure, yes.
Craig Williams: [00:13:11] Well, that can get you in a tricky situation, right? Because then what happens is the attacker has basically taken control of your phone. Now, the question there is, is that a bug? Well, no. That's how a managed device works, right? Is it a feature? No, that's just how it works. It is a design flaw? Well, the user's warned about nine times.
Dave Bittner: [00:13:33] Right.
Craig Williams: [00:13:34] What else are they supposed to do, like, make the phone vibrate and blink and then would that do anything different? And so when it comes down to these type of bugs, it's a really difficult thing to fix because you're basically forced to figure out, how can I work around the user's willingness to be compromised?
Dave Bittner: [00:13:49] Now, when you're dealing with a vendor who claims that something is working the way it's supposed to, how often is it them denying that there's a actual security problem? Are they being willfully ignorant, or do they not want to put the effort into doing the fix?
Craig Williams: [00:14:08] No, I don't think that's it. I think some of the time, in order for things to work as designed, you know, they have to have certain functionality, right? You know, for example, on an enterprise network, you're using the same username and login your Wi-Fi as you are for your Exchange server sometimes. It's a convenience factor. Well, so what happens if a user clones a Wi-Fi access point and sets up a rogue one? Well, conceivably, they could steal your password. And that would be the same password used everywhere, right? Not a security issue. It's more of a design flaw because of credential reuse and the fact that you allowed the laptop to connect to, you know, a cloned access point.
Craig Williams: [00:14:42] But things like that are things where you really have to sit down and think about how everything's engineered and how bad guys could manipulate the system. And that's why this is so important to think about when you're designing a product or when you're designing the way a protocol should work. And it's also something that needs to be kept in mind when you start, you know, expanding the protocol or revising it to the next revision.
Dave Bittner: [00:15:01] Craig Williams, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:15:15] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:15:33] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:15:42] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.