The CyberWire Daily Podcast 10.23.19
Ep 955 | 10.23.19

Criminal connections. The risky business of acquisition. Joker is back, and it’s not funny. Most dangerous celebrities. Notes from SecurityWeek’s ICS Cyber Security Conference.

Transcript

Dave Bittner: [00:00:03] Magecart Group 5 is linked to the Carbanak gang. Another reservation system brings a headache to hospitality. Another app is found to carry the Joker malware. Some more notes from SecurityWeek’s ICS Cyber Security Conference in Atlanta, where the emphasis remains on attention to detail and taking care of first things first. And a list of the most dangerous celebrities offers a peek into the bad actors' tackle box. 

Dave Bittner: [00:00:34]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud threats fall on customers to resolve, and prevention-based security wasn't designed for the modern attack surface. That's why Gartner predicts that 60% of enterprise security budgets will go towards detection and response in 2020. ExtraHop Reveal(x) Cloud is the only SaaS-based network detection and response solution for AWS with complete visibility, real-time threat detection and automated response powered by cloud-scale machine learning. Request your 30-day free trial of Reveal(x) Cloud at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:30]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:52]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 23, 2019. Malwarebytes continues its study of the relationship among Magecart - and in this case, it's specifically Magecart Group 5 - the Dridex banking Trojan, with which Magecart Group 5 appears to share some domains, and the Carbanak crime gang that seems to be behind both of them. Of interest in their current study is the conclusion that Magecart Group 5 represents an advance in sophistication over its predecessors. This criminal activity goes after bigger scores, and it compromises third-party suppliers, the better to propagate itself downstream. 

Dave Bittner: [00:02:35]  VPNMentor discovered data exposed by Best Western's recently acquired Autoclerk reservation system. It appears to be another case of a misconfigured database. This one has drawn attention because U.S. government personnel personal information and travel itineraries were among the information open to inspection. It's probable that too much is being made of this. Truly sensitive military travel, for example, is unlikely to be conducted over a commercial reservation system. It's also worth noting that Best Western apparently inherited this issue when it acquired Autoclerk. VPNMentor says they noticed the database a few weeks after Best Western made the acquisition. Comparisons are inevitably being drawn to Marriott's acquisition of Starwood, which enmeshed the hospitality firm in a messy incident also involving inherited vulnerabilities. Due diligence in acquisition is important, and that's a good lesson to learn. But it's also harder to do that than it seems to outsiders, which should also be noted, lest those staying in glass hotels throw too many stones. 

Dave Bittner: [00:03:41]  Pradeo warns that it's found Joker malware in another app that's being offered in Google Play. The app in question is Int App Lock, which is intended to enable users to lock certain data behind a PIN. Thus not every app that promises a measure of security or privacy delivers as advertised. Let the downloader beware. 

Dave Bittner: [00:04:03]  We've still got CyberWire team members down in Atlanta at SecurityWeek's 2019 ICS Cyber Security Conference. Touring the event floor, they're hearing some familiar observations. Industrial firms, the buyers of security, can find it difficult to distinguish among the products and solutions the vendors have on offer. And we continue to hear calls for better hygiene, for attention to the basics. In these respects, the OT space will sound familiar to those who are used to thinking of security for the IT space. Several of the lessons Thomas Pope of Dragos drew in his presentation this morning were of that variety. He advised his session on the importance of locking down permissions and that being able to see and understand data in the systems are paramount. He also urged the importance of harmonizing traditional IT and process data. 

Dave Bittner: [00:04:53]  Several presentations have made similar points. They've also noted areas where traditional IT and OT security tend to diverge. Where the differences emerge are the points where industrial systems raise issues of safety and where matters of process integrity become matters of physics, as operators concern themselves in particular with issues of sensor reliability and with the ways in which manual recovery may itself be rendered problematic. The conference program this morning took up the difficulties of blindness with respect to both programs and supply chains. Eric Byres, CEO of aDolus, offered a moderately encouraging view of the challenges of developing a software bill of materials suitable for securing the supply chain. Robert Dyson, global OT security services business leader at IBM, delivered a plea for attention to detail in the OT space and for applying the security lessons learned in IT environments to control systems. 

Dave Bittner: [00:05:51]  As you may know, tomorrow is the CyberWire's Sixth Annual Women in Cyber Security Reception. The reception highlights and celebrates the value and successes of women in the cybersecurity industry. We're grateful to our sponsors who helped make this event possible. During the event, our guests will have an opportunity to hear perspectives on diversity in our industry from this year's hosting sponsor KnowBe4, as well as representatives from our presenting sponsors McAfee, Northrop Grumman and Trinity Cyber. Our platinum sponsors include CenturyLink, Cooley, Exelon and Recorded Future. We're grateful to all of our sponsors for making this year's Women in Cyber Security Reception possible. And we're looking forward to seeing many of you there tomorrow night. 

Dave Bittner: [00:06:33]  As our Women in Cyber Security event approaches, we've been highlighting the successes of women in our industry. Mandy Rogers is one of those women. She's an operations manager at Northrop Grumman. We're proud to say Northrop Grumman is one of the sponsors of our event. 

Mandy Rogers: [00:06:47]  My unintentional cyber journey actually began when I was quite young. I grew up in a farm town in - I'll say southern Northern Virginia. My mother, who worked at Vint Hill in the Signals Intelligence Office, was a rental vehicle car dispatcher for that Vint Hill respective arm. And she would sometimes bring me to work or to her nighttime cybersecurity college classes that actually took place in a barn. So that was kind of those touch points that really early on, probably before I was even 10 years old, got me exposed to cyber. 

Dave Bittner: [00:07:20]  So your mother had that interest of her own, and you saw that and thought that was - that sparked your own interest? 

Mandy Rogers: [00:07:28]  Exactly. So I was always a technologically savvy child just because of us growing up in the age where we were starting to be on computers and starting to have personal home computers. Not quite young enough, I'll say, to have grown up with cellphones but, you know, I was definitely playing video games from a young age on - booted from floppy disks. And that was very exciting to me. So fast-forward 10 years from those young days, and I was in high school, still not really understanding the implications of cyber and technology just yet. And I go to enroll my senior year in this fashion marketing class. And it was the really cool elective that people took 'cause we got to take field trips from our rural farm town to go see the Versace and the Louis Vuitton stores, and that was really kind of a cool interest of mine growing up. 

Mandy Rogers: [00:08:17]  Fast-forward, I get my curriculum for the year, and my fashion marketing class is not on there. I instead have this computer math course I've never heard of, nobody's ever taken before at my high school. And I go to my guidance counselor, and I'm like, hey, what is this? My elective's supposed to be fun. This doesn't sound fun. You know? I already am really good at math, and I'm taking the advanced courses in English and math. I want to transfer out of this. She told me, nope, the class is full. You're good with computers. You're good with math. Stick through it and get the easy A. That course ended up being the history of computers and also an introduction to programming. I found out I was really passionate about solving hard problems and learning how to do things a little bit more differently. And my male professor, my male teacher, actually, encouraged me to pursue STEM. And then my grandfather, also part of the cyber DNA that I didn't realize I had until much later in life, a career Navy cryptologist, told me that I was going to be an engineer. 

Dave Bittner: [00:09:11]  Now, in retrospect, as you look back, do you think that that guidance counselor was actually sort of looking out for your best interest by placing, insisting you be in that class rather than the fashion class you had your heart set on? 

Mandy Rogers: [00:09:24]  Absolutely. I think that there are a couple pivotal points in my life, and that might have been one of them - actually, it definitely was one of them - where someone nudged me to go into an area that I wasn't really familiar with or what the grander impact really had on my life. Had I not taken that class, I wouldn't even know what an engineer looked like or what they did. I wouldn't even know what computer programming really was, despite growing up in the days where we all had MySpace pages, and we were coding in HTML and didn't even know it, right? So it was really curious to be able to take that nontraditional path and have those people who intentionally engaged in my career. 

Dave Bittner: [00:10:01]  So you finish up school, and you head off into the workforce. Where did you begin there? 

Mandy Rogers: [00:10:07]  I was lucky enough to have multiple internships, one of which was with Northrop Grumman, where I worked as a software engineer in the intelligence domain. So I was able to, firsthand, very early in my career, get that experience and that exposure into what it means to support mission very early on and how I can translate my technical skills to the workforce and mission. In the past 10 years since joining as an intern, Northrop Grumman has offered me opportunities to be a software engineer, test engineer, a program manager in cyber analytics, as well as even an innovator. Right? My job, coming into work every day, was to innovate and look at how we do things a little bit differently. Currently, I'm an operations manager. And that means that I support our gigantic portfolio of amazing talent on anything strategic and tactical around people and performance. And that includes helping our cyber workforce think about things a little bit differently on how we recruit and retain our talent. 

Dave Bittner: [00:11:01]  That's interesting to me, that in a, you know, environment where you hear of people hopping from company to company a lot, that Northrop Grumman has provided you the opportunities within to stay there, to feel challenged, to have new opportunities for growth, and you've been there, you say, around a decade. 

Mandy Rogers: [00:11:22]  Mm hmm. Yeah. So I mean, it's no secret, Dave, that there's a huge shortage of cybersecurity talent within our country and even globally. By 2021, the estimates at a global scale is that we'll have a 3.5 million role shortage, people shortage, of talent to be able to help us tackle our nation's hardest problems. The greatest thing about Northrop Grumman is that we do have this big portfolio of really exciting domains that we support. And cyber is really at the heart of all of that. Some of the really great things we're doing is to help bring in people who may not have a cyber background and help upskill them if they're curious about the domain or if they feel that they might need it to help support their job. 

Mandy Rogers: [00:12:03]  We have an in-house cyber academy that helps upskill our talent and brings in some of the professionals who live in this world and are constantly upping their game to help us help our talent really bring up that skill set. So about four years into my career, I really enjoyed mentoring. And I took on a young male mentee fresh out of college, and we were working together, day in, day out, trying to help show him how we utilize technology in support of mission. And he actually stops me one day and said, hey, look. You're capable. I think you need to look up this thing called imposter syndrome. You're here. You're amazing. You're competent. You're intelligent. And that was really a pivotal moment because I realized that I was capable, but I was too scared sometimes to raise my hand. And sometimes the mentee is the one that's bringing out that confidence, right, and trying to build up our confidence and reflecting on that. So that was really interesting, and I think that men and just everyone in general trying to figure out where we can build up confidence in maybe our hesitant scientists and engineers is an important factor of us trying to build a more robust and diverse workforce. 

Dave Bittner: [00:13:07] That's Mandy Rogers from Northrop Grumman. And again, we are grateful for Northrop Grumman's sponsorship of our Women in Cyber Security Reception. And finally, are you a fan of celebrity news? You know who you are. Anyhoo, McAfee has offered its annual study of the most dangerous celebrities to search for online, the ones for which Google turns up results that are likeliest to send the curious over to questionable sites.

Dave Bittner: [00:13:33]  This year, the shiniest lure in the hackers' tackle box is Alexis Bledel, formerly of the "Gilmore Girls," now of "The Handmaid's Tale." The others in the top 10 were the talk show host James Corden, followed by Sophie Turner from "Game of Thrones," Anna Kendrick of the "Twilight" saga, Jimmy Fallon, that other late-night talk show guy, the redoubtable Jackie Chan, who needs no introduction, rap artists Lil Wayne and Nicki Minaj, and finally, Tessa Thompson, everybody's favorite Valkyrie from that "Thor" movie. So stick to the tabloids in the supermarket checkout line, fangirls and fanboys. Here's a point McAfee quietly makes. Searching for Alexis Bledel and Sophie Turner is strongly correlated with including the word torrent in the search. Far be it from us to pass judgment, but if you want to watch "Handmaid's Tale" or "Game of Thrones," subscribe to them like a decent consumer. There's no such thing as a free lunch, we hear. Or free premium content. 

Dave Bittner: [00:14:38]  And now a word from our sponsor, Dragos. Cyberattacks on oil and gas environments are continuing to progress in frequency and sophistication. Attackers are creating tailored attacks to cause significant operational and financial impacts and, most importantly, they're becoming aware they can overcome automated safeguards to cause physical effects and harm the lives of those who work in the facilities. Read the latest case study from Dragos to learn how they helped an oil and gas organization ensure it had detections and response plans against TRISIS-like activity on its networks and comprehensively defend its environment. You can find it at dragos.com/case-studies. That's dragos.com/case-studies. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:15:36]  And I'm pleased to be joined once again by Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security. Ben, always great to have you back. Had an interesting ruling come down from the U.S. Court of Appeals for the 9th Circuit. This had to do with a company who was trying to gather some information from LinkedIn profiles. Unpack what's going on here. 

Ben Yelin: [00:16:02] So this company, hiQ, scrapes information that LinkedIn users have included on public profiles - so those profiles where users haven't included privacy settings to keep their profiles private. LinkedIn is alleging that this violates the Computer Fraud and Abuse Act, a federal law that prohibits unauthorized access to a network. And they sent a cease-and-desist letter to hiQ demanding that hiQ stop scraping these public profiles. Obviously, this dispute went into federal court, and a district judge granted a preliminary injunction stopping LinkedIn from prohibiting hiQ from accessing these public profiles.

Dave Bittner: [00:16:48]  Hmm. 

Ben Yelin: [00:16:48]  So I think it merits a little bit of background as to what a court considers when it grants a preliminary injunction. 

Dave Bittner: [00:16:56]  Mm hmm. 

Ben Yelin: [00:16:56] So the main prong of that test for our purposes is there has to be a substantial likelihood of success on the merits of the case. And I'm going to get to that in a moment because I think LinkedIn's case is rather weak. But another key prong of that test is that hiQ would face irreparable harm if the injunction is not granted. And what the court here is saying is hiQ's entire business is aggregating data from these LinkedIn profiles, so if the court were to not grant this injunction stopping LinkedIn from prohibiting access, then hiQ's entire business would be destroyed. And I think that's one of the key reasons that a preliminary injunction was granted even beyond the actual merits of the case.

Dave Bittner: [00:17:41]  Hmm. 

Ben Yelin: [00:17:41] Now, because this is just an injunction, we don't have a definitive ruling on whether hiQ is actually violating the Computer Fraud and Abuse Act. The court sort of got into the details just for the purposes of evaluating hiQ's case to determine if they have any likelihood of succeeding on the merits. And the dispute seems to center around the word unauthorized access. And this court seems to believe that hiQ's technology does not consist of unauthorized access for the purposes of the Computer Fraud and Abuse Act because they are simply aggregating data that is already public that can be scraped without accessing any secret algorithms, any private protected information, any internal LinkedIn documents or communication.

Dave Bittner: [00:18:30]  Right. So if I were - if I wanted to take this to the extreme, if I were someone just anonymously surfing the web, I could go to LinkedIn, and with a pad of paper and a pencil, write down all the information here that's publicly facing. It would take me a lot longer than their bot, but... 

Ben Yelin: [00:18:49]  It sure would. Yeah. (Laughter). 

Dave Bittner: [00:18:49]  ...But I could do it. 

Ben Yelin: [00:18:50]  Good luck with that. Yeah. 

Dave Bittner: [00:18:51]  But it's - in other words, LinkedIn is not attempting to restrict access to this information to the general public. 

Ben Yelin: [00:18:59] Right. And I think that's where they're really going to struggle on the merits of the case. hiQ is basically just doing what any average Joe could do, just in an extremely condensed time period. I think this definitely is a dispute to watch going forward, and it shows how when we're talking - when we're in this world of preliminary injunctions, the courts will consider the potential business impacts on these technology companies of some of these legal decisions.

Dave Bittner: [00:19:32]  All right. Well, we'll keep an eye on it. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:35]  Thank you. 

Dave Bittner: [00:19:40]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:53]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.