Follow-up to terror attack in Iran. UN data exposure. Kodi and cryptojacking. SHEIN retail breach. Atlanta's ransomware remediation. Payroll phishing. Quantum strategy.
Dave Bittner: [00:00:03] Iran accuses Saudi Arabia, the UAE and the U.S. of running Saturday's terror attack from the shadows. There's been data exposure at the U.N. The Kodi platform's exploited for cryptojacking. The SHEIN retail breach affects more than 6 million. Atlanta says its ransomware incident is now over. The FBI warns of payroll phishing. A U.S. strategy for quantum technology is offered. We've got a look at sports and cybersecurity. And has the Riemann hypothesis been proved?
Dave Bittner: [00:00:42] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 25, 2018. According to reports in Deutsche Welle, Iran accused Saudi Arabia, the United Arab Emirates and the United States of complicity in Saturday's terrorist attack on a military parade. The UAE called the allegations baseless. The U.S. said Iran should look to itself for the explanation, and Saudi Arabia said nothing. So far, the responses to this awful attack have been hard words. But Iran's international adversaries should look to their cyber defenses.
Dave Bittner: [00:02:31] The United Nations has suffered a data exposure incident. Last month, a researcher found ways of accessing the U.N.'s Trello tool where he found ways into the U.N.'s Google Docs and Jira pages. A range of sensitive information was exposed. The researcher disclosed his findings to the U.N., but the world body took notice only after The Intercept broke the story.
Dave Bittner: [00:02:55] It's now six months since the city of Atlanta was hit with ransomware, and the city says the incident is now over. But there's a sour taste in Georgia mouths. The local CBS affiliate reports that the city doesn't know who hit them, what they hit them with or how much they've had to spend to fix things.
Dave Bittner: [00:03:15] The SHEIN fashion retailer sustained a data breach in which records belonging to some 6.4 million customers were exposed. The incident happened in June, but SHEIN discovered it only late last month.
Dave Bittner: [00:03:29] It happens pretty much every time we install a new bit of software - we find ourselves staring down a EULA - an End User License Agreement. It's most often an interminable laundry list of terms and conditions cloaked in impenetrable legalese. Not only is it frustrating, but it defeats its own legitimate purpose - to explain the expectations and agreements between the maker of the software and the user. Users generally dislike this style of EULA. And now, some companies are responding and trying to make things a whole lot easier to understand. From our CyberWire U.K. desk, Carole Theriault has the story.
Carole Theriault: [00:04:06] Security professionals keep reminding us to read the terms and conditions before we sign up for an app or an online service or even on a website. They tell us this because this is where companies have to disclose how they plan to manage your privacy. This is where you find out what information they're going to take from you, how they might track you or whether they send information to third parties.
Carole Theriault: [00:04:30] The problem is that many of these agreements are confusing. To most of us, it can seem like just a bunch of legal mumbo-jumbo. And recent research shows that over time users split into two groups, those that become what they call acceptors - these are people who felt their online access was more important than any of their privacy concerns - or managers, people who strategically control information to reduce their vulnerability online.
Jeremy Forsberg: [00:05:37] Our founders have this at their core. They set up this company because they did not believe that we should compromise our data, our privacy for the sake of convenience. You know, we were - you're basically told you get one or the other. And we're like, no, no, no, no, that doesn't have to be the case.
Jeremy Forsberg: [00:05:52] You can have convenience, but you also can maintain your privacy and greater control over your data. And so that's the approach that we take. So it really compels us and motivates us to kind of be better for our users. And we shouldn't be manipulating people into signing up to terms and conditions that may be unfair to them without their full knowledge because, look, there will be a backlash at some point.
Carole Theriault: [00:06:12] And, you know, that's what it feels like. It feels like manipulation when the agreement is overly complex. There's this other bit in the Axel agreement that says everything that you save in using Axel stays yours. We realize that's a crazy concept. Axel only does the things you ask it to do with your consent. You are in control. See our privacy bill of rights. And I like this, too.
Jeremy Forsberg: [00:06:37] I studied law, and I struggle to understand the terms and conditions. What it genuinely means for me - and I think the key thing is we want to build a little bit more trust and transparency with our users. And, you know, and we noticed the failings that other companies - big companies - you know, load up with in their terms of service. And it's just - felt unfair for people to tick a box when they don't really understand what's going on.
Carole Theriault: [00:07:00] Maybe you can tell us and other companies out there that might be flirting with the idea of simplifying their agreements what the benefits are. Like, how does it improve your relationship with your customers, improve your business?
Jeremy Forsberg: [00:07:15] Well, I think it makes it more focused on our users, which allows us to connect with our users a little bit more and actually build up a relationship and build up a dialogue. Ultimately, you know, what you want to do is - you can't necessarily speak to every person one by one especially if you're a growing company.
Carole Theriault: [00:07:31] OK, but here is an issue, right? So nobody really wants to have more regulation. Companies kind of don't want to have to comply with it all, and it can be complex. I mean, just look at GDPR, right? So if we think about - how do individuals - users - fight back? If we go back to that idea of acceptors and managers, how do we make people shift over from acceptors to managers?
Jeremy Forsberg: [00:08:01] If they need to use a platform for some reason, they're just going to have to weight that up with their data and, you know, what they feel like they're compromising. A lot of the big social platforms and search platforms are asking a lot of people. They're asking people to give up a lot. And people don't realize that. And that really frustrates me. You know, that - it really frustrates me that people are being asked to compromise so much about their identities - their digital identities - without really understanding.
Jeremy Forsberg: [00:09:01] It's not just a legal or moral decision. It's a business decision.
Carole Theriault: [00:09:06] This was Carole Theriault for the CyberWire.
Dave Bittner: [00:09:09] And, of course, you can hear more of Carole Theriault on the "Smashing Security" podcast along with her co-host Graham Cluley.
Dave Bittner: [00:09:18] The U.S. FBI has issued a warning that criminals are actively phishing for payroll login credentials. These are the sorts of accounts organizations use to enable their employees to check when and how much they've been paid. They also often enable employees to change direct deposit accounts or request prepaid debit cards. Those last two possibilities are the ones that criminals find attractive, since they give them away to Loot bank accounts. There are two general lessons to be drawn from this trend in online crime.
Dave Bittner: [00:09:50] First, criminals are moving to the cloud just as enterprises are. Compromising this sort of payroll service usually doesn't involve any intrusion into an organization's networks, still less the compromise of any endpoints. If an employee gives up his or her credentials, the crooks will cheerfully precipitate cash from the cloud. Second, organizations teach by the way they communicate. If your organization is in the habit of sending employees emails with links to click, if this is the way you handle communication about accounts and credentials, you are teaching your employees some dangerous security habits.
Dave Bittner: [00:10:28] The U.S. has announced a national strategy for quantum information science. Major companies meeting at the White House to discuss the strategy include JPMorgan Chase, IBM, Honeywell, Lockheed Martin, Goldman Sachs, AT&T, Intel, Northrop Grumman and Google. The strategy includes, but isn't confined to, quantum computing and its implications for cryptography and security generally. It extends to most aspects of information technology and, according to some reports, to the prospect of advancing work on materials by design.
Dave Bittner: [00:11:05] Something about quantum theory has long troubled our physics desk. You've heard of Schrodinger's cat, the unobserved cat in the closed box that's neither alive or dead until somebody looks in. That's always struck our experts as a gratuitously cruel thought experiment. They prefer Schrodinger's dog. They prefer Schrodinger's dog.
Dave Bittner: [00:11:26] The dog is unobserved, neither standing cheekily on top of the dining room table nor staying dutifully on the floor. Consider the dog to be in a state of quantum superimposition until mom walks in, sees what's up and vigorously collapses his wave packet for him. That's better, right? Anyway, we've always been a BYOD shop - that's bring your own dog - here at the CyberWire.
Dave Bittner: [00:11:52] Security firm Panorays has taken a look at American professional football to see which National Football League teams have the most secure websites. They conclude that the top five are, counting down to the most secure, the Pittsburgh Steelers - as the Yinzers would pronounce it - the Los Angeles Rams, the Miami Dolphins, the New York Jets and, coming in at No. 1, the Kansas City Chiefs. This study is obviously flawed since it completely overlooks the Baltimore Ravens, the only team to our knowledge who ever had a lineman on the roster - the now-retired John Urschel - who was invited to deliver papers on applied mathematics to NSA at Fort Meade. So phooey.
Dave Bittner: [00:12:33] On the other hand, our sports desk has long been a hotbed of admiration for Kansas City defensive coordinator Bob Sutton, so maybe there could be something to this study after all. And finally, at a conference in Heidelberg, mathematician Michael Atiyah says he's proved the Riemann hypothesis but stopped short of offering the proof itself. He can say what he wants, but we'll believe it when John Urschel tells us it's so.
Dave Bittner: [00:13:05] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:15] And joining me once again is Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC "StormCast" podcast. Johannes, welcome back. We wanted to touch today about hurricane and disaster-related scams. We recently had the Hurricane Florence - came at the East Coast of the U.S. And with that comes people who are trying to profit off of that. What can you share with us?
Johannes Ullrich: [00:14:38] Yeah, thanks for having me. So with these hurricanes, it's sort of an annual reminder really that whenever there is a large disaster that, of course, gets people interested and makes the news and also makes people want to help that there are people that take advantage of it. And what we have seen in the past is, for example, fake charities that are all of a sudden springing up and that register host names - web addresses - that are then being used to advertise their services.
Johannes Ullrich: [00:15:12] Also, a lot of lawyers lately that sort of jump in and essentially do ambulance chasing, I guess it's called, trying to get cases lined up. So really, it's more - so be aware. Don't necessarily trust anybody that you haven't done business with before, whether that's a charity, whether that's a lawyer or whether that's a contractor.
Dave Bittner: [00:15:35] Yeah, we saw a couple of stories come by. One was people were actually - the scammers were actually going door to door telling people that they had to evacuate. And the notion was that they were basically casing the joints to see who was home, who was planning on staying, who was planning on going, so they could come back later and presumably rob the place.
Johannes Ullrich: [00:15:57] Yeah, that's another sort of issue. So the cyber component of this is if you, for example, advertise on Facebook or such that you had evacuated, this may be used by criminals then to target your residence for burglary.
Dave Bittner: [00:16:11] Yeah. And, of course, the phishing campaigns come through with the targeted attacks. We saw another one that people were saying that they were trying to gather information by saying in order to be eligible for disaster relief funds after the fact, we need all of your personal information now.
Johannes Ullrich: [00:16:29] Yes. And that's actually something I saw last year when a hurricane here moved through Jacksonville where I live. A couple of my neighbors a couple of months later got letters from FEMA telling them that they applied for disaster assistance and essentially - without them ever doing so.
Johannes Ullrich: [00:16:47] So essentially what's happening is that people use stolen data they either got via targeted phishing emails like this or from other breaches to apply for disaster relief. And then, of course, the money is actually paid pretty quickly, but then later FEMA or whoever paid the money comes back to actually verify the information. And at that point, of course, they are now contacting the victim of the scam that - whose information got stolen.
Dave Bittner: [00:17:14] Yeah, and I think it's also an important point that, you know, for those of us who are in the business, we kind of - we're tuned to recognize these things. But I think it's important to reach out to other family members, particularly if you have elderly family members, who may be more susceptible to these.
Johannes Ullrich: [00:17:30] Yes. That's very important because people are under distress. When they're receiving these emails, they worry about evacuating, and they're necessarily not verifying all of these emails and these messages they're getting there very carefully.
Dave Bittner: [00:17:44] Yeah. All right, well, it's certainly a cautionary tale. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:17:50] Thank you.
Dave Bittner: [00:17:54] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:02] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.