WhatsApp sues NSO Group over Pegasus distribution. Georgia continues its recovery, as does Johannesburg. Facebook stops more inauthentic action. A Bed, Bath, and Beyond breach.
Dave Bittner: [00:00:03] WhatsApp sues NSO Group for spreading Pegasus intercept software through WhatsApp's service. Georgia continues its recovery from the large website defacement campaign it suffered at the beginning of the week. Facebook ejects more inauthenticity. Johannesburg hangs tough on cyber extortion. Money laundering finds its way into online games. Norsk Hydro's insurance claim. An update on pen testing in Iowa. And Bed Bath & Beyond sustains a data breach.
Dave Bittner: [00:00:37] And now a word from our sponsor Coalfire. When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated with business units and partners. A common question inevitably arises. Is security the cloud platform provider's responsibility, or is it the customer's responsibility? To optimize data security, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the introduction of the HITRUST shared responsibility program, there's now a solid path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011, and they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor, at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:16] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 30, 2019.
Dave Bittner: [00:02:25] Facebook subsidiary WhatsApp has filed suit against NSO Group in the U.S. District Court for the Northern District of California. The suit alleges that NSO Group exploited WhatsApp servers to distribute malware designed to enable surveillance of specific WhatsApp users. The surveillance tool said to have been used is NSO's Pegasus. WhatsApp says it detected the incident in May and that it enlisted the aid of the University of Toronto's Citizen Lab in the subsequent investigation.
Dave Bittner: [00:02:55] WhatsApp called the attack, which used WhatsApp's video calling system to get at its victims, sophisticated. The users who were targeted didn't have to answer calls in order to be infected with spyware. WhatsApp says it's put additional protections in place to prevent a recurrence. The lawsuit alleges that NSO Group's activities violated U.S. federal and California state laws as well as WhatsApp's terms of service. It seeks an injunction against NSO Group's use of any WhatsApp services, in addition to other awards.
Dave Bittner: [00:03:28] WhatsApp calls NSO Group a spyware firm, which is fair enough. Another way of characterizing them is that they produce lawful intercept products. That's how NSO Group would describe itself. The company strongly disputes WhatsApp's allegations. They say they sell their product only to licensed government intelligence and law enforcement agencies for legitimate use against criminals, especially pedophiles, and terrorists. Any other use of their products, they say, constitutes contractually prohibited misuse. And they add, we take action if we detect misuse.
Dave Bittner: [00:04:04] Citizen Lab has been a burr under NSO's saddle for some time, tracking apparent misuse by various governments in the Middle East and Latin America. Bahrain, the United Arab Emirates, Saudi Arabia and Mexico have been singled out as the abusers. The Pegasus tool has often been mentioned in dispatches. Amnesty International announced in response to this latest news that the best way to put a stop to abuse of Pegasus is to revoke NSO Group's export license and it's supporting a suit in Tel Aviv District Court that would require Israel's Ministry of Defense to do just that.
Dave Bittner: [00:04:41] The defacement attack against websites in Georgia may have affected as many as 15,000 sites, Forbes reports. One of the targets was the ProService web hosting company, which has now, it says, restored normal operations. The company cooperated with the Ministry of Internal Affairs during the recovery. There is still no firm attribution. Suspicion of Russian involvement is based on a priori probability. And note that not everything that looks like Fancy Bear is, in fact, Fancy Bear. Remember that some criminals have recently found it in their interest to pose as the GRU, the better to spook victims into thinking that resistance is futile.
Dave Bittner: [00:05:21] There does appear to be some confirmed Russian activity today, however. Facebook this morning announced that it's just taken down 35 accounts, 53 pages, seven groups and five Instagram accounts. They all originated in Russia, and the content was generally aligned with Russian regional objectives and tended to have election influence as its objective.
Dave Bittner: [00:05:43] Johannesburg continues to recover from the Shadow Kill Hackers incident. The South African city has held firm in its refusal to pay the hackers. There's no word yet that the extortionists have made good on any of their threats, and so hanging tough may have paid off for Joburg.
Dave Bittner: [00:06:00] You've been buying loot boxes and stuff like that, haven't you? Go ahead. It's just us here. You can admit it, and we won't judge. Some of us, particularly on our gaming desk - well, let's just say some of us have been there. Anyhoo, there's more involved in this than just one-upping your buddies. In-game purchases are being used to launder money. And the popular online game Counter-Strike is trying to tamp this down by preventing keys bought in game from leaving the purchasing account, thus making them less useful to those who would use them to launder illicit cash. So don't trade this stuff. Be content with sharing videos of you doing the Fortnite Charleston.
Dave Bittner: [00:06:41] Many of us have at one time or another throughout our professional careers thought about striking out on our own and starting a company. Some of us have even done it. My guest today is Tanya Janca. And along with her business partner Aaron Hnatiw, she has co-founded Security Sidekick, a company looking to tackle real-time web application inventory and vulnerability discovery. Part of her journey was leaving a comfortable job at Microsoft.
Tanya Janca: [00:07:08] Both of us were pen testers. And then we both turned into application security people because pen testing is one part of the application security umbrella, if that makes sense. And it's the most glamorous, fancy-looking part that is in the movies. However, there's a whole bunch of different areas of AppSec. And running an AppSec program, you realize, you know, I could treat the entire disease instead of just a symptom. Just like, you know, delivering a prescription, you're the end of the problem.
Tanya Janca: [00:07:41] And so we both started talking about, you know, like, what could we do to, like, get in there earlier and solve the problem on a bigger scale? Like, you know, like, let's make big, bold moves where you attack the problem as a whole as opposed to just, like - you know, as a pen tester, I would come in, and I'd be like, pew, pew, pew, pew - yeah, and just find, like, a few problems at the end, but they still would be releasing lots of other apps that were really insecure. And so we came up with an idea of things - of something we could make that would start at the beginning of the problem to try to solve it on a bigger level.
Tanya Janca: [00:08:24] And so he was like, you know, here I am, like, traveling around the world with Microsoft, basically like - they kept telling me at Microsoft, like, you should scale yourself. Like, maybe you could travel less, and you could stream more. Or you could travel less, and you could write more. And then I thought, well, I could scale the best if I made an AppSec tool. And they're like, wait. No, no, no. That's not what we meant. Don't leave.
0:08:48:(LAUGHTER)
Tanya Janca: [00:08:49] But really, they were very supportive.
0:08:51:(LAUGHTER)
Tanya Janca: [00:08:53] Yeah, so we decided we would take the scary leap together and start our own company, which is so exciting.
Dave Bittner: [00:09:01] Well, I can hear the excitement in your voice. I have to say, I mean, take us through that decision-making process. You've got a good thing going there at Microsoft. You have a certain amount of security. You have a certain amount of freedom. You built a reputation for yourself in the industry. I think a lot of people would be intimidated to take this leap and go out on their own.
Tanya Janca: [00:09:25] Honestly, I was really terrified and scared. And when Aaron first asked me, I was like, oh, maybe in, like, five to six years (laughter). So I run this thing called Mentoring Monday on Twitter, where I try to match people with professional mentors. So I used Mentoring Monday to find a mentor. And so first, I found a mentor, and she is a CEO of a company, and she's amazing. But she was like, you should just come work for me instead. And so then I had to - I was like, OK, no, that's not the mentoring I was looking for. We demoted each other from mentor and mentee to just friends.
0:10:06:(LAUGHTER)
Tanya Janca: [00:10:09] So then I found another professional mentor. And she is - founded two really big companies in infosec that I won't - that are Canadian and I won't name so she can keep her privacy. But she's so amazing. And so we met. And her - the very first meeting, she's like, do you want to know what the biggest thing that I regret about the two companies I founded? And I was, you know, curious. And - what? And she said, that I didn't jump sooner. She's like, jump. Jump right now. Stop waiting. Are you really excited? And I said yes. She's like, do you have any sort of crazy crippling debt or, you know, a hundred babies you need to feed or something like that? Like, can you afford to just not have paychecks for a few months and just, like, go do it? I'm like, yeah, but it's scary. She's like, Tanya, you're so qualified. Do you understand if you announce you're looking for a job, the internet would melt? You would definitely find a job. You would have so many job offers. You will never be unemployed if you don't want to be. So just go do it. Live your life. Just - like, you'll never regret the chance you took, and you will regret if you don't take this awesome opportunity to go work with someone you think is awesome and, like, solve a problem that you really, really care about. And so she's amazing. And basically, I called Aaron, and I was like, yes. So, yeah, it turns out finding a professional mentor is pretty helpful.
Dave Bittner: [00:11:40] That's Tanya Janca from Security Sidekick. We'll have more of my conversation with her tomorrow when we'll discuss web application inventory and vulnerability discovery.
Dave Bittner: [00:11:52] Norsk Hydro's insurance has paid about 6% of the costs the company incurred as a result of the LockerGoga ransomware attack it sustained in March. The company's recent financial report suggests that additional claims might be filed as necessary.
Dave Bittner: [00:12:07] There are developments in the odd case of the penetration testers arrested in Iowa for burglary. Coalfire continues, with some success, to fight criminal charges two pen testers face for work they performed at an Iowa courthouse. The company's CEO, Tom McAndrew, called the situation completely ridiculous, and he called for justice and common sense. What happened, in essence, was this. The Iowa State Judicial Branch hired Coalfire to conduct penetration testing that included a physical pen test. The Dallas County sheriff didn't get the word, apparently, and arrested the two pen testers at the Dallas County courthouse. The two were initially charged with felony burglary in the third-degree and possession of burglary tools. Yesterday, those charges were reduced to criminal trespass. Coalfire says it intends to press for full dismissal of all charges, especially since the Iowa Supreme Court chief justice acknowledged that, well, mistakes were made. We should mention that Coalfire is a sponsor of the CyberWire podcast.
Dave Bittner: [00:13:11] And finally, Bed Bath & Beyond, the well-known U.S. houseware retailer, disclosed today in an 8-K filing with the SEC. The company said that a third party acquired email and password information from a source outside of the company's systems which was used to access less than 1% of the company's online customer accounts. No online customers' pay cards were compromised, Bed Bath & Beyond said. The retailer also said it had notified affected customers yesterday, as required by law. And as one would expect, the company has retained a security forensics firm and has begun taking remedial action.
Dave Bittner: [00:13:54] And now a word from our sponsor KnowBe4. Having spent over a decade as part of the CIA's Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leading cyber operations against terrorists and nation-state adversaries. She's seen firsthand how the bad guys operate. She knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yourself a hard target. Get the inside spy scoop and find out why Rosa, now KnowBe4's SVP of cyber operations, encourages organizations like yours to maintain a healthy sense of paranoia. Go to knowbe4.com/cia to learn more about this exclusive webinar. That's knowbe4.com/cia. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:55] And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, welcome back. Today we wanted to touch on some of the challenges when it comes to securing large-scale infrastructures. What can you share with us today?
Awais Rashid: [00:15:09] Our critical infrastructures on which our society relies, such as our water power, transportation, digital healthcare, energy generation and distribution - they are becoming increasingly connected. And we are, through, for example, industrial internet-of-things devices and so on and connecting these systems also to enterprise systems, we are increasing this connectivity all the time. And that has great business benefits, but it also means that the size and interconnectedness of these infrastructures make security a very challenging problem.
Awais Rashid: [00:15:42] So I'll give you one example. For instance, as we allow many smart devices, including, say, for example, smart refrigeration, across wide areas, then the scale of attacks can be very large, and attackers can potentially compromise smart refrigeration across a whole area and tend to overload the power grid. And you can imagine that the impact of attacks are considerably larger as well - disruption to a large population and massive business losses.
Dave Bittner: [00:16:10] Yeah, I've seen stories come by recently about potential problems with, for example, hot water heaters - you know, devices that require a large amount of energy. And if you could spin up some sort of botnet to trigger them simultaneously, well, that could cause some trouble in the grid.
Awais Rashid: [00:16:25] Absolutely. And I think this is really where the challenge comes because we cannot - there's good business reasons to not isolate these systems from the rest of the environment in the first instance, but we need to have more systematic ways of having security assurances about their behavior. And I will go even further and say we need to have more resilience assurances about their behavior. So in an ideal - well, ideal in any world, you do not want your - you do not want to have to take your power grid offline because there is an attack going on. What you want to do is you want the power grid to be able to respond to it gracefully and maintain, perhaps, its operation and somewhat reduce capacity and then recover very, very gracefully.
Awais Rashid: [00:17:15] And I think this is really where I would say the frontier lies at the moment for cybersecurity because while we create these massively connected infrastructures from which we derive great value and they end up in our society, we also have to think about it as to this is not a case of, you know, these infrastructures being compromised and then being unavailable. They have to be able to be resilient in an increasingly adversarial world where secure and insecure devices and systems interact.
Dave Bittner: [00:17:44] Yeah. And it seems to me like there's an economic component as well. I mean, I've talked to folks who describe remote systems that are away from cities or towns, and so they're not monitored by people onsite. They're remotely monitored, and so having confidence in the data that they're returning back to you - well, that's an important aspect.
Awais Rashid: [00:18:05] Absolutely. And it is not really possible for efficiency reasons for all endsites to be monitored by human personnel and also 24 hours a day. But equally, there can also be the challenge that if devices or systems in these endsites can be compromised, or peripheral sites that also can be compromised, then it can be quite a cost to the organization because you do then have to go onsite. OK, and if you can think about it, an attacker can just simply make themselves a nuisance by just constantly bringing a particular peripheral site down and taking it out of operation. And while it may not have a systemic impact on the whole system, it does require engineers to consistently go out to that site, incurring significant costs for the organization in dealing with the problem.
Dave Bittner: [00:18:57] Yeah. It's sort of a death by a thousand cuts, I suppose.
Awais Rashid: [00:19:00] Yes, and we do see that. We already do see that. But, you know, the attack does not necessarily need to lead to a massive data breach or even a massive disruption of service. It can just be what you would call a nuisance attack. But that does not mean that it does not create a huge cost to the organization that operates the system or the infrastructure, and also those who are charged with maintaining and defending the infrastructure. And ultimately, people who work on game theoretic notions of security - they would say, you know, this is ultimately a game theoretic problem as to how the hacker wants to, you know, increase the cost to the defenders. And the defenders, of course, want to minimize their costs but increase the cost to the attackers.
Awais Rashid: [00:19:41] And here I go back to this point that we need to have more and more resilient systems who can actually withstand these kind of issues and gracefully recover when they are under attack without having to, you know, constantly rely on people having to go and fix these kind of problems.
Dave Bittner: [00:19:58] Yeah. Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:20:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
