Dave Bittner: [00:00:03] Cobalt Dickens is back and phishing in universities' ponds. UNICEF scores a security own goal. We've got some Patch Tuesday notes. A look at U.S. election security offers bad news but with some hope for improvement. The U.S. extends its state of national emergency with respect to foreign meddling in elections, and an international police sweep draws in 281 alleged BEC scammers.
Dave Bittner: [00:00:34] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:30] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster, while methodology driven assessments ensure compliance needs are met, at bugcrowd.com.
Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 11, 2019.
Dave Bittner: [00:02:05] Researchers at Secureworks report a resurgence of activity by the Iranian threat group they call Cobalt Dickens. This particular threat actor has been associated with the Mabna group and others indicted by the U.S. Department of Justice back in 2018. Those indictments were for crimes connected with cyber-espionage that the Justice Department said was conducted on behalf of Iran's Islamic Revolutionary Guard Corps. Secureworks says the latest activity consists of a phishing campaign directed against American and British universities. The phishbait in the emails is, as Secureworks put it, library themed. The recipient is told that, quote, "your library access has been suspended due to inactivity," end quote, and is given a link to follow in order to ensure that their library privileges might be restored. Cobalt Dickens' earlier campaigns had used shortened URLs in such links, the better to obscure what was going on. But this latest round dispenses with that coy gesture and simply leaves the full URL out there displayed in all of its implausibility. Some 60 universities have experienced Cobalt Dickens phishing. Those affected schools are located in Australia, the United States, the United Kingdom, Canada, Hong Kong and Switzerland.
Dave Bittner: [00:03:24] UNICEF, the United Nations children's organization, knows it's a small world, and they inadvertently made it a little bit smaller by inadvertently emailing around a list of over 8,000 users of its online educational platform, Agora. This appears to be purely a case of operator headspace and timing, not hacking. So here again, the human factor contributes the dominant share of the risk.
Dave Bittner: [00:03:50] In yesterday's round of Patch Tuesday releases, Microsoft fixed 79 bugs, 17 of which Redmond classified as critical. Adobe addressed critical vulnerabilities in Flash Player.
Dave Bittner: [00:04:03] NormShield has looked at U.S. election security and found it wanting. The results of two risk assessments the company conducted showed, they say, that outdated systems remain in widespread use. More than half of the election systems used Windows Server 2008 r2 and Microsoft IIS 7.5. Four of the election commissions were still using Windows 2003, which reached its end of life some time ago. They also concluded that election authorities remain susceptible to phishing attacks. Fifty-nine percent of the election commissions were missing DMARC records, and more than 40% of them had at least one website with an invalid or expired SSL certificate.
Dave Bittner: [00:04:44] And finally, about a third of the election commissions have, NormShield says, quote, "at least one asset that is reported by blacklist databases," end quote. That is, at least one asset that has been herded into a botnet. NormShield conducted two scans, one in July, the second, in August. The first one concluded that an average hacker, as Axios put it, would be able to breach 27 states' election systems. The company disclosed its findings to the election commissions and secretaries of state and then repeated their scan a month later. The August results were noticeably better. Only 13 states were found to remain vulnerable to the average attacker.
Dave Bittner: [00:05:24] The Synopsys Software Integrity Group recently published a report, titled, "The State of Software Security in the Financial Services Industry." Drew Kilbourne is managing director of security consulting at Synopsys. He joins us to share their findings.
Drew Kilbourne: [00:05:39] You know, one of the stats in the report was 56% of the FIs that we surveyed were still experiencing attacks that were resulting in system failure or downtime. That's a little shocking to me because the biggest banks we work with, many of those banks have pushed cyberfraud down the scale from No. 1 to No. 2 or No. 3 in their fraud list. So we kind of felt like they, that the bigger banks, had really gotten their arms around it. There are other findings that I'll get to in a second that I think leads to this.
Drew Kilbourne: [00:06:12] The other interesting finding was that 38% reported being victims of ransomware. And I was a little shocked that the FIs would be that impacted by ransomware and that they would have solved that problem a long time ago. But apparently, it's still out there. It's prevalent, and it's growing.
Dave Bittner: [00:06:31] So what are some of the other indicators that you think contributes to those findings?
Drew Kilbourne: [00:06:36] There aren't great established processes for inventorying and managing open source. And the other is, there aren't great processes for managing third-party supply chain. So what you see in the largest FIs is they still buy a lot of software - either buy it, or they or they outsource having it developed. And they all use open source. In the mid-tier tier FIs, it's more prevalent for them to be buying third-party software than it is for them to be building software. If anything, they integrate. When you look at those two findings, I think this is kind of where the problems stem. Only 43% had an established process for inventory and managing open source. Only 15% had any tools deployed to help and aid in that. Given that open source is so prevalent in the industry, that gets a little eyebrow raising that they're not taking care of that part of the problem as well as maybe they should, and they're probably introducing a lot of errors in the open source side of the house.
Drew Kilbourne: [00:07:39] The other interesting finding was that no one has a great process for managing supply chain of software that comes in outside of open source, just any third-party software you might buy or have built for you. And I think that's another weakness, as well. Maybe there's a pen test of that software, but not many companies are looking at how the software is built and the processes in the secure SDLC that those companies are undertaking as they build software.
Drew Kilbourne: [00:08:05] The other interesting finding that came out of this is people still tend to rely heavily on manual ethical hacking or penetration testing at the end of the process. In fact, 65% of the respondents said they felt pen testing was the most effective way to find security vulnerabilities. Actually, it's probably the least-most effective way because it's at the very end of the cycle. Right? So it's extremely costly to find your defects there. Secondly, pen testing is very timeboxed. Usually, it's a one or two-week test. You can only cover so much stuff. And so it's not very thorough.
Drew Kilbourne: [00:08:39] And then when you started to look deeper beyond that finding, you found out that only 40% of the respondents were using automated tools in their secure SDLC to do more finding of defects earlier on, things like static analysis, or dynamic analysis or interactive application security testing. There's other mechanisms, tools, you could put into that SDLC that would automate the finding throughout, versus waiting to the tail end.
Drew Kilbourne: [00:09:08] If you add that up, you add up that only 19% of the respondents do mandatory development training for the developers. You start to say, OK, we're not training our developers. So they're not getting smarter about the problem. You're not finding things earlier in the lifecycle. And you've limited the size of the test at the end, under which you will find any vulnerabilities, you find out that, in my opinion, you're pretty inefficient actually discovering defects in your SDLC. Automation, it provides several things. It provides consistency, which is great. It provides speed, which is really good, as well. And it allows you to provide governance. So now you can create some governance in the SDLC to say, if you don't cross a bar that's so high, you don't move forward. And I have a tool that's going to consistently test the same way every time to measure if you cross that bar.
Drew Kilbourne: [00:10:02] To me, those are the things that have to take place. And as companies move to DevOps and what they'll call DevSecOps and are moving faster at building and releasing software, automation's going to become even more and more important, in my mind.
Dave Bittner: [00:10:15] That's Drew Kilbourne from Synopsys Software Integrity Group. The report is titled "The State of Software Security in the Financial Services Industry."
Dave Bittner: [00:10:24] U.S. President Trump yesterday extended the national emergency with respect to foreign interference in or undermining public confidence in U.S. elections for one year. The note announcing the extension says, quote, "although there has been no evidence of a foreign power altering the outcomes or vote tabulation in any United States election, foreign powers have historically sought to exploit America's free and open political system," end quote. It goes on to discuss the proliferation of online devices and communication channels and concludes that both unauthorized accessing of election and campaign infrastructure and covert distribution of propaganda and disinformation warrant continuing the state of emergency. The extension maintains the provisions of Executive Order 13848, issued on September 12, 2018. That executive order prominently includes provisions for sanctioning foreign individuals and institutions attempting to meddle in U.S. elections.
Dave Bittner: [00:11:25] Charles Kupperman, Fox News reports, will serve as interim national security adviser to the U.S. president. Kupperman had been serving as deputy to the now-departed John Bolton. A search for a permanent replacement is in progress.
Dave Bittner: [00:11:41] Today is, of course, the anniversary of the 9/11 terrorist attacks. We spare a thought for those who were lost, injured or bereaved in the terror, and for those whose health continues to be affected by the effects of the attacks. The government has taken the occasion to announce tighter sanctions against those who support and finance terror. Any foreign financial institution found to be engaged in such support risks losing access to the U.S. dollar and to the world financial system. Expect online investigations into money laundering and fund transfers on behalf of sanctioned groups.
Dave Bittner: [00:12:17] And finally, the U.S. Justice Department has announced the results of Operation reWired, a roundup of business email compromise crooks that collared 281 alleged scammers in 10 countries. It was a multinational, multi-agency sweep. Authorities in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia and the United Kingdom participated, as did the U.S. Departments of Justice, Homeland Security, State and Treasury, along with the U.S. Postal Inspection Service. Three-point-seven million dollars were also seized at the conclusion of the four-month investigation. The largest haul of alleged perpetrators was in Nigeria, where 164 were arrested. Seventy-four were picked up in the United States, 18 in Turkey and 15 in Ghana. The remaining 10 were scooped up in various other countries. Congratulations to those who organized and conducted this cooperative effort against international crime.
Dave Bittner: [00:13:17] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:14] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, it's always great to have you back. I had a couple articles come by that dealt with this notion of geofencing and the privacy implications there. There was an article from ThinkProgress. This was about some Catholics in Iowa who went to church, and Steve Bannon, of all people, was tracking their phones. There's another article, from The New York Times, about New York City possibly banning the sale of cellphone location data. Can you unwrap what's going on here for us?
Ben Yelin: [00:14:53] Sure. So this isn't as much of a Steve Bannon story as it is about many political campaigns and many private corporations that use geofencing as a technique to promote their own advertising. So how it works is you either collect from app makers or the telecommunications companies themselves information on which individuals were at a given location at a given time. So what the Steve Bannon article mentions is his political organization collected the metadata, so the phone numbers, of people who were at a Catholic church service on the Sunday prior to the 2018 midterm elections. And people who were at that church ended up receiving targeted advertisements on their smart devices and on their apps.
Ben Yelin: [00:15:45] This is something that's actually been done. It's a very common tactic among political campaigns to engage in what's called microtargeting. If you know who's in a Catholic church or who's at a particular community meeting or who's at, potentially, a political rally, that information is incredibly valuable to campaigns and political organizations. And they are happy to buy that information so they can target their advertisements. They can microtarget based on what they already know about those voters that go to Catholic church on Sunday.
Ben Yelin: [00:16:18] New York City, interestingly, its city council is considering a measure that would ban companies from selling this geofencing data to all firms, political firms, and all other private entities. I think the chances of passage of this in New York are relatively small. There's been a lot of opposition from the telecommunications companies themselves, who think that this law is going to create an undue burden for them because they're going to have to figure out how to comply with New York City law - which is a limited jurisdiction, even though it's the biggest jurisdiction in the country - as opposed to only having to follow some sort of national standard.
Ben Yelin: [00:16:59] So I think the telecommunications companies and the app makers might actually be OK with some sort of regulation on selling this data, but they'd like it to come from the national level - at the national level so there could be some sort of uniform standard.
Dave Bittner: [00:17:15] Now, this data can come from multiple places. There's the actual telecommunications firms. They sell it. But then also, apps that you install on your device. We've heard stories of, you know, buried in the ULA is permission for them to share your location every minute or so, or something like that.
Ben Yelin: [00:17:36] Yeah. I recently read an article about the Weather Channel app, which, there was a controversy in Los Angeles. They were collecting location data from their users on what was alleged to be somewhat of a fraudulent basis. They said that users who were checking local weather forecasts would not have their data sold to private advertisers. It turns out it was sold. There was an investigation by the Los Angeles district attorney. And I mean, on any given smartphone, there are probably going to be 10 to 15 apps that make use of your location at one point or another. And we're almost so mindless about it that we just click the accept button as soon as we want to agree to that app. It's like, yeah, I don't want to read the legalese when I'm trying to send my Snapchat.
Ben Yelin: [00:18:25] The result of that is that you've probably agreed to, as a user for this app, to sell your geolocation data. And until there's some sort of regulation in place, it's up to both the users to look closely at those license agreements and to put pressure on the technology companies themselves. I think as we've seen more stories about geofencing, the telecommunications companies have been forced to respond and to voluntarily limit how much data they are actually selling to companies and political organizations.
Ben Yelin: [00:19:04] And I should also mention, you know, the uses we've talked about for this technology seem kind of benign. But if you take geofencing to its logical extension, it could potentially be pretty scary. You know, if we were conducting some investigation in the war on terror and collected geolocation data for every single mosque in the country, for example, I mean, that could have both a major chilling effect on free speech and the free practice of religion but would really be a massive invasion of personal privacy. So you can see how this would be just a major civil liberties violation. So in some ways, I think it's admirable that New York City is trying to address this problem. But I also think, even for a city as large as New York, the problem is at too large of a scale for them to really have a big impact.
Dave Bittner: [00:19:58] All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: [00:20:00] Thank you.
Dave Bittner: [00:20:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.