The CyberWire Daily Podcast 1.15.19
Ep 760 | 1.15.19

Web hosts fix account takeover issues. Passenger Name Record exposure proof-of-concept. Swatting isn’t funny. Chinese manufacturers and suspicions of espinonage.

Transcript

Dave Bittner: [00:00:03] A bug hunter finds issues in web hosts. Compromised passenger name records have been found in airline reservations. Business email compromise seems on the rise, and it's also growing a bit more interactive. A Facebook executive is swatted, and absolutely nobody should dismiss this sort of thing as a joke. China would like everyone to stop saying bad stuff about Huawei, but the Polish government seems unconvinced that there's nothing here to see.

Dave Bittner: [00:00:36] I'd like to take a moment to thank our sponsor Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyber threats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both - you decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, you're invited to attend an upcoming webinar on Tuesday, January 29 at noon Eastern time. Visit scs.georgetown.edu/cyberwire to RSVP. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.

Dave Bittner: [00:01:36] From the CyberWire studios a DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 15, 2019.

Dave Bittner: [00:01:44] A well-known bug hunter has located a dozen flaws that affect some of the largest web hosting companies on the internet - Bluehost, DreamHost, HostGator, OVH and iPage. The researcher, Paulos Yibelo, disclosed his discovery to the affected companies before making it public. And he says the issues have all been fixed. The account takeover bugs he found arose, as Tech Crunch puts it, from, quote, "aging infrastructure, complicated and sprawling web-based backend systems and companies each with a massive user base," end quote.

Dave Bittner: [00:02:18] Amadeus, the widely used airline reservation system that interfaces with major carriers like Air France, British Airways, Iceland Air and Qantas, is reported to leave passenger records open to manipulation. Israeli security researcher Noam Rotem told TechCrunch that he's discovered that you can change anyone's booking by plugging in their reservation number. You could, for example, switch someone to a middle seat or reroute their frequent flier miles. You might also be able to obtain personal information, including phone number, email and home address. These passenger name records, or PNR, are widely shared internationally and have been around so long they are generally not secure. Rotem points out that you can get a booking number by scanning a boarding pass barcode. You might do this if you were ill-intentioned by walking around an airport and using your phone on random passes left sitting next to someone too engrossed in their copy of, say, "Persuader." That's Jack Reacher opus No. 7 seven for those of you who may be behind in your airport reading. The problem was responsibly disclosed, but what the industry will be able to do about it remains to be seen. And please look up from your book when you're sitting around the departure gate.

Dave Bittner: [00:03:33] Security firm Agari is seeing an uptick in payroll diversion attempts. The criminals are using social engineering - specifically, business email compromise - against human resources departments. The classic BEC approach involves impersonating an executive from a business's c-suite and sending an email from their spoofed address directing that funds be transferred to some accounts the crooks control. In this current trend, Agari researchers are seeing impersonations of a wide range of employees. A typical come-on starts with a request for help in getting direct deposit changed to a new bank. One of the specimens Agari shares reads under the subject line, payroll update. Hi, name of HR Rep. I have recently changed banks and like to have my direct deposit changed to my new bank. I need your prompt assistance on this matter. Leave aside the questionable syntax and the mix of the friendly - hi, as in yo, bro; and the stiff, your prompt assistance on this matter - which might put HR on its guard. Let the one among us who's never written a loosey goosey email cast the first stone. The email exchange goes on from there, and it is indeed an actual exchange, not just a one-time helping of spam. In the case Agari describes, HR asks for a voided check or something on the bank letterhead. The crooks answer, sorry, they don't have any of that with them at the moment, and could HR help by making the change for them if they send on the new deposit information? Of course HR wants to help and does so. The whole scam is lent plausibility by the sent-from-my-iPhone tag in the crooks' emails. Maybe if you were out and about with your phone, you wouldn't have those documents from your bank. So the moral is this - don't set up policies that make it easy to transact business by email.

Dave Bittner: [00:05:22] It was just about a year ago that a false ballistic missile alert was issued over the emergency alert system in Hawaii, triggering panic and disruption throughout the state. The governor apologized, Congress investigated, and the emergency management administrator for Hawaii resigned. Australia recently had their own issues with their emergency alert system, and Carole Theriault has the story.

Carole Theriault: [00:05:47] When you live in a place like Australia you, are pretty reliant on emergency warning systems, particularly if you live somewhere where there's wildfires or cyclones or any other kind of natural disaster. You want a heads-up. Well, imagine how tens of thousands of people across Australia felt when they received a message from the early warning network warning that EWN has been hacked. Your personal data is not safe. Try fixing the security issues. According to ABC News, EWN, or the Emergency Warning Network, said a hacker accessed its alerting system and sent the message to part of its database. The message was sent out via email, text message and landline. Now, EWN say they are incredibly embarrassed that they've put some of their customers through this. They also say they will do everything they can to prevent future breaches.

Carole Theriault: [00:06:43] I reached out to Paul Baccas, senior malware researcher at Proofpoint, to get his take on the story. Welcome to the CyberWire.

Paul Baccas: [00:06:51] Hi, Carole.

Carole Theriault: [00:06:52] Now, Paul, you spend your days knee-deep analyzing these kind of attacks. What was your reaction to the initial story?

Paul Baccas: [00:07:02] Why was the database for the Early Warning Network connected to another email system? If it's true that the - one of the users was hacked - compromised login details - and they could log in to the system from a remote, that seems that the security wasn't up to par.

Carole Theriault: [00:07:25] Do you think that the Early Warning Network's reaction to this fake news alert was good? Did they handle this problem well?

Paul Baccas: [00:07:35] I think the response is quite dismissive. The article says, the actual data held in our system is just White Pages-type data. But this White Pages-type data will be true for a government's early warning system because unlike Facebook or LinkedIn, where you may lie because you don't want to give this data away, you wouldn't have thought that for a government entity. You will be telling the truth. The hacker needs to know your address, your ZIP code. And secondly, password data is always made up of White Pages data.

Carole Theriault: [00:08:17] Now, what lessons do you think organizations can take away from this situation - this snafu?

Paul Baccas: [00:08:24] In the old movies, you had two different people, and they had to be standing more than 6 feet apart, and they had to turn their keys simultaneously. While you possibly can't do the simultaneous part, you should have some multifactor authentication.

Carole Theriault: [00:08:42] Right. So having different layers of security allows you to maybe catch out a potential problem before it occurs.

Paul Baccas: [00:08:50] Yes, does. That is the point in this case.

Carole Theriault: [00:08:53] Right. So I guess our takeaway is don't wait to be hacked before you review your security posture. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:09:04] A Facebook executive has been subjected to a swatting attack. Naked Security calls it a prank, but it's an unusually repellent and dangerous one. The caller pretended to be the executive, unnamed in reports, and told police he'd shot his wife, tied up his children and placed pipe bombs throughout their home. Fortunately, no one was injured in the police response. We hope the police get the creep behind the swatting soon. These things are, by no means, jokes. Swatting can be, and has been, murderous.

Dave Bittner: [00:09:36] Finally, if you're out there fabricating connections between Huawei and espionage, the Chinese government would like you to please knock it off, reports Reuters. The counsel will probably fall largely on deaf ears, even after its supplementation by a statement from Huawei founder and CEO Ren Zhengfei. Mr. Ren says the company hasn't installed back doors in its products, isn't required by Chinese law to do so and would refuse any request to assist in espionage.

Dave Bittner: [00:10:04] Despite American animate versions about Huawei's potential threat to security, Mr. Ren also says he likes the cut of President Trump's jib, but that friendly avowal seems unlikely to affect his company's position in the markets. Mr. Ren's daughter, Huawei CFO Meng Wanzhou is still in Vancouver fighting extradition to the U.S. on a sanctions of Asian beef.

Dave Bittner: [00:10:29] In asking everybody to stop with the fabrications already, Beijing is probably scowling in the general direction of Warsaw. The Wall Street Journal reports the Polish government is not only considering a ban on Huawei but is also urging its NATO allies to develop a coordinated response to Chinese spying.

Dave Bittner: [00:10:52] And now a word from our sponsor Virtru. Virtru is a data privacy company that protects your organization's data wherever it goes. Using a data-centric security approach, Virtru brings persistent protection and control to the platforms where your data is stored and shared, including Microsoft Office 365 and Google G Suite. Now, I know what you're thinking. What makes this different from any other data protection tool? Well, have you ever tried to protect data from inside your perimeter? It's hard, but Virtru makes it easy by not only encrypting at the data object level, but also by giving you the ability to track where your data is shared, revoke access, maintain audit visibility and host your own keys, so you don't have to trust third-party services to keep your data safe. Virtru helps protect thousands of companies' data, including HBO, WeWork and The Associated Press. And for a limited time, they're providing our listeners a free copy of Forrester’s 14-page report on "The Future of Data Security and Privacy." Get your copy at virtru.com/cyberwire today. That's virtru.com/cyberwire. And we thank Virtru for sponsoring our show.

Dave Bittner: [00:12:18] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intelligence team. Rick, great to have you back.

Dave Bittner: [00:12:28] You and I had talked previously about this notion of a cyber moonshot. And it's an interesting concept, but not one without some controversy. In fact, I've seen some pushback from some well-known folks around the security industry, so I thought it would be a good time to revisit this, maybe get some clarification and see how things have evolved and updated along the way. Bring us up to date. What's the latest on this cyber moonshot notion?

Rick Howard: [00:12:52] Yeah. Thanks, Dave. There's been some movement here, right? And the thing I wanted to highlight in this session is that at the beginning of the month, President Trump's National Security Telecommunications Advisory Committee, known as the NSTAC, published its draft report entitled "NSTAC Report To The President On A Cybersecurity Moonshot." Now, Dave, like you said, we've talked about this thing a couple of times, and I wanted to just give it a little bit of an update. First, some background on the NSTAC, President Reagan created the NSTAC by executive order back in September of 1982. It is composed of up to 30 presidentially appointed senior executives, who represent various elements of the telecommunications industry. And it advises the president on a wide range of thorny and complex policy and technical issues related to national security and emergency preparedness.

Rick Howard: [00:13:44] And in the past, the NSTAC has made recommendations to the president on internet and communications resilience, big data analytics and the internet of things - just to name three. This year's 56-page draft report framed the cybersecurity moonshot project. And from the report, here is the massive transformative purpose statement that they were trying to solve. Here it is. (Reading) Make the internet safe and secure for the functioning of government and critical services for the American people by 2028.

Dave Bittner: [00:14:17] Yeah. I think though a lot of people have - they take issue with this analogy of comparing the cyber moonshot to the actual moonshot that President Kennedy started us on that took us to the moon back in the '60s. How does this report address those issues?

Rick Howard: [00:14:35] I know, and they talked about it directly in the report. And I get that question a lot as I travel around the world and talk about this. The main criticism stems from the fact - like you pointed out - that any success criteria for a cybersecurity moonshot initiative will be less precise and measurable because its achievement will be a societal transformation rather than a singular visual triumph, like the Apollo program with men walking on the moon. That said, the reason the analogy is appropriate - the reason we like to use it is that it is aspirational. And the target date is a bit into the future - not too far, just 10 years. And we know we will have to innovate things that we don't have today in order to meet whatever criteria we establish.

Dave Bittner: [00:15:17] So how does this differ from past initiatives that were similar to this? I know there've been other administrations, other presidents have had similar things in the past. How's this one different?

Rick Howard: [00:15:29] Yeah, that is true that past administrations have tried - and some would say failed - in the past to establish something like this. But my argument to that is just because we failed a couple of times does not - does that mean that we shouldn't try again? You know, as President Kennedy said, we choose to go to the moon in this decade and do the other things not because they are easy but because they are hard. Damn straight. That's what we're trying to do, right? So the thing we are trying to do this round is to put in place the proper incentives to get the work done.

Rick Howard: [00:15:58] All right, from the report, here's a quote - "previous cybersecurity initiatives have failed to articulate the cybersecurity challenge in a way that incentivizes and ensures this level of collective action." So one of the key components of the cyber moonshot program is the use of the grand challenge philosophy. And I'm not sure if you're familiar with this. It's this idea that the project establishes a set of incentive prizes to accomplish key milestones. And various organizations have used these things in the past, like the $25,000 Orteig prize for the first nonstop aircraft flight between New York and Paris. And that was won by Charles Lindbergh in 1927. Another one is the $10 million XPRIZE for the first commercial and reusable three-person spaceship, by Richard Branson in 2004.

Rick Howard: [00:16:48] And it turns out that the U.S. government has been running all kinds of grand challenges, or incentive programs, for a while now - well, from a $2.5 million health and human services prize to develop a new kidney dialysis redesign and a $100,000 (indistinguishable) prize to accurately forecast the future in Africa and the Middle East based on public newsfeeds. The NSTAC report says that using this grand challenge tool is a big differentiator.

Dave Bittner: [00:17:15] All right. So what are the recommendations from NSTAC? What do they want to have happen here?

Rick Howard: [00:17:43] And they want to establish the moonshot council, led by the government but includes reps from all three. And the president or the VP should chair the council, right? And then after due consideration by the council, they should publicly articulate a strategic framework based on six pillars of energy, all right. So first one is technology. Second one is human behavior. Third is education. Fourth is the ecosystem that supports it all. Five is privacy. And the last one is policy discussions.

Dave Bittner: [00:18:17] So where do we stand now? How do we get started? What's the next step?

Rick Howard: [00:18:21] Well, we wait for the president to make a decision on the report to see what he wants to do with it. But in the meantime, a small working group of about 80 people will be meeting up at Annapolis in January to discuss this very thing. The goal is to present all the ideas coming out of that workshop to the Joint Service Academy Cyber Security Summit in April. The JSACS, as we like to call it, will be the first gathering of the government people, the academic people and the commercial people talking about how to move the cyber moonshot program forward.

Dave Bittner: [00:18:53] All right. Rick Howard, thanks for joining us.

Rick Howard: [00:18:55] Thank you, sir.

Dave Bittner: [00:19:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.