The CyberWire Daily Podcast 11.20.19
Ep 974 | 11.20.19

Louisiana works to recover from Monday’s ransomware attack. Gekko Group sustains a massive data exposure. US student charged with coding for ISIS.


Dave Bittner: [00:00:03] Louisiana works to recover from Monday's ransomware attack. The HydSeven criminal group is delivering Trojans via spear-phishing. A hotel reservation company sustained a massive data exposure. India's government says it's legally permitted to surveil citizens' devices when it's deemed necessary. Google, Facebook, Apple and Amazon answer questions for Congress' antitrust inquiry. A Chicago student is charged with coding for ISIS. And the National Security Agency offers advice for implementing TLSI. 

Dave Bittner: [00:00:38]  And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud - intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:56]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 20, 2019. Louisiana continues its recovery from the ransomware attack it sustained Monday. Many services have been restored, but all 79 of the state's Office of Motor Vehicle locations remained closed throughout Tuesday despite earlier estimates that they would reopen by midday. The delay is due to the fact that all of the OMV's computers have to be reimaged. The attack reportedly involved the Ryuk ransomware, and the infestation originated with an unauthorized download on a state computer, which is no surprise at all. 

Dave Bittner: [00:02:37]  Prevailion warns that it's found a clever spear-phishing campaign conducted by the HydSeven criminal group. The campaign, which Prevailion calls Operation BlockChain Gang, is distributing Linux and Windows versions of the macOS Trojan HydSeven used against Cambridge University over the summer. HydSeven has also been spotted phishing around Coinbase. Prevailion calls them a sophisticated threat actor and one that pays close attention to organizations that hold unusually valuable information. 

Dave Bittner: [00:03:08]  Hotel reservation company Gekko Group exposed more than a terabyte of customer information in an unsecured Elasticsearch database, CNET reports. The number of people affected is estimated to be in the hundreds of thousands. The data included names, home addresses, personally identifiable information of children as well as adults, credit card numbers, email addresses and a variety of travel details. Also among the data were plain-text usernames and passwords to accounts on Gekko Group's platforms, including the credentials to the World Health Organization's travel reservation account. The database was discovered by two independent researchers working alongside vpnMentor, who've notified the company of the breach. 

Dave Bittner: [00:03:53]  Gekko Group and its parent company, French hospitality giant Accor Hotels, were initially unresponsive to vpnMentor's attempts to make contact, but they promptly secured the database after the researchers notified CNIL, France's data protection regulator. vpnMentor notes that most of the affected customers were European, so the company should expect to see legal action under GDPR. 

Dave Bittner: [00:04:20]  Trustwave is tracking a spam campaign that uses a phony Windows update notification to distribute a malicious attachment that carries Cyborg ransomware. Cyborg, unfortunately, is easily used by anyone who gets a hold of the Cyborg Builder, which has been available on GitHub. 

Dave Bittner: [00:04:38]  TechCrunch reports that India's minister of state for home affairs, G. Kishan Reddy, said on Tuesday that the Indian government is legally empowered to intercept and decrypt any digital information if such interception is deemed to be in the interest of national security or to maintain public order and friendly relations with foreign states. He noted that each of these cases was to be approved by either the union home secretary or the home secretary of the state. Reddy was responding to a member of Parliament who asked whether the government had used NSO Group's Pegasus spyware to target WhatsApp users in the country. 

Dave Bittner: [00:05:17]  As we come to rely more and more on biometrics to provide access and identity verification, we need to maintain vigilance when it comes to privacy and baked-in bias, so says Bill Harrod, federal CTO at enterprise security firm MobileIron. 

Bill Harrod: [00:05:33]  There are a number of implicit biases, part of it in the code base and part of it simply in the way it's been deployed and tested over time. And in fact, this past week, I believe there was legislation introduced to limit the ability to use facial recognition, particularly for law enforcement, without some controls around it, similar to the controls that we would have for wiretap. 

Dave Bittner: [00:06:04]  I can certainly see the benefits that things like facial recognition could have for law enforcement - fighting terrorism and so on and so forth. But you walk up against that challenge of being able to do that but also respecting people's privacy - their constitutional rights to privacy. 

Bill Harrod: [00:06:25]  That's right. And Dave, one of the things that's really interesting is that we have to, in some cases, protect people against themselves. So as we enter the busy travel season with Thanksgiving and the Christmas holidays coming up, we find that people voluntarily give up a certain amount of that privacy when they enroll in things like Global Entry and CLEAR and TSA PreCheck. But it's not always clear that they're well-informed and understand what it means that they're giving up that information - fingerprints and facial recognition and even iris scans. The use of that information then becomes a concern around how people's privacy is used. And certainly, we've seen large-scale breaches into things like the Office of Personnel Management and Equifax. 

Dave Bittner: [00:07:22]  Where do you suppose we're headed with this sort of thing? Do - is there - is more regulation inevitable? 

Bill Harrod: [00:07:29]  I think more regulation is inevitable, and I think where we're really headed is that enterprise biometric technology will become more commonplace. So we'll see biometrics being used - it is today for unlocking a laptop or a smartphone or a device. I think we'll see biometrics being used and tied to identity for agencies and organizations. I do think there'll be some regulation and some privacy controls put in place. We've seen the California privacy act and GDPR about how people have the right to be forgotten and control their privacy and their data, and I think biometrics is going to fall into that same area of controls. Using fingerprint data is an interactive process. Using facial recognition and capture, the individual may never know that it's happened. And so I think there's - there really is a difference, particularly when it comes to facial recognition. 

Dave Bittner: [00:08:39]  Do you have any recommendations for organizations that are thinking about implementing some sort of biometric factors for authentication into their own security workflow, anything they should know before they head down that path? 

Bill Harrod: [00:08:57]  So Dave, I think it's important, when we talk about leveraging biometrics - so certainly, we want to move away from user ID and password. That's a framework that's been broken for a long time. Using multifactor authentication, including some biometrics, is a much stronger way of being able to tie a user to an identity. And if the user and the identity and the fingerprint or the biometric - the facial recognition is done on an endpoint - on a device, where it's captured there and not stored across the entire enterprise, that seems like a really good method of being able to provide a new way of doing authentication for the user. And it's certainly something that we're doing at MobileIron around zero sign-on, and it becomes a part of the larger Zero Trust framework for enterprises. Collecting all of the biometrics in a central repository is an area that's going to be particularly fraught and vulnerable for a data breach and have lasting impact to the user or to the employee. 

Dave Bittner: [00:10:13]  That's Bill Harrod from MobileIron. 

Dave Bittner: [00:10:16]  Reuters summarizes the answers the U.S. House Judiciary Committee has received so far in its antitrust inquiry into big tech. Facebook, Apple, Amazon, and Google were the companies that came under scrutiny. Google argued that it didn't favor its own services over its competitors' but failed to present much of the data requested by the committee. Apple's responses to the committee mostly involved things that are already publicly known. Facebook acknowledged that it blocks apps such as Vine from its developer platform if those apps replicate core aspects of Facebook's products, but the company offered vague answers when the committee pressed for specific details relating to those decisions. Amazon said that it uses data from merchants for business purposes but that it doesn't use this data to source private-label products. 

Dave Bittner: [00:11:05]  Thomas Osadzinski, a computer science student at Chicago's DePaul University, was arrested by the FBI and charged with writing code for ISIS. Specifically, according to ZDNet, he's alleged to have been working on a Gentoo Linux distro intended to help the terrorist organization better handle their multimedia propaganda accounts. He also wrote a Python script to facilitate sharing ISIS propaganda on social media. At least two of his online ISIS contacts turned out to be undercover FBI agents. CyberScoop noted that Osadzinski's LinkedIn page indicated that he had worked at BlackBerry Cylance for two months as a software tester. This doesn't seem to be the case, however. A BlackBerry Cylance spokesperson said that, according to our records, this individual has never been an employee or contractor for Cylance. 

Dave Bittner: [00:11:57]  And finally, the U.S. National Security Agency issued an advisory offering advice for enterprises that implement Transport Layer Security Inspection, or TLSI. Organizations use TLSI to decrypt traffic that enters or exits their corporate network so the traffic can be inspected before being sent on to its destination. The process is meant to prevent the infiltration of malware or the exfiltration of sensitive data, as well as identify encrypted command and control channels. However, NSA notes that TLSI brings risks of its own if it's not implemented properly. The agency recommends that TLSI only be performed once within an organization, and the device that performs the decrypting should be isolated and well-protected. Organizations should monitor and analyze their logs to identify insider threats and misrouted traffic, and they should use TLSI products that are validated by the National Information Assurance Partnership. 

Dave Bittner: [00:13:01]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you too. Subscribe today, and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:14:03]  And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. You and your team at Webroot recently published a midyear threat report for 2019. Can you take us through, what were some of the key findings there? 

David Dufour: [00:14:19]  Oh, David, as always, great to be back. Some things that we're really seeing - it - they're kind of continuations and some maybe - oh, yeah, that's right. You know, just - we're trying to put some exclamation marks and underscore some things. One of the first things we saw is trusted domains - you know, the HTTPS with the - in your browser. Everybody sees the green lock in all the major browsers that shows that you're on a secure connection. Well, just because you're on a secure connection doesn't mean you're on a secure site. So a lot of hackers are starting to really use HTTPS heavily. I mean, it's been in use by malicious folks for a while, but it's becoming more and more prominent. And so, basically - I like to kid, but just to put it out there - people are securing through HTTPS the hacks that they're implementing on you. So you're getting securely hacked, which - I don't know if that makes you feel better or not. 

[00:15:13]  (LAUGHTER) 

Dave Bittner: [00:15:14]  Right. While the hack's going on... 

David Dufour: [00:15:15]  Exactly. 

Dave Bittner: [00:15:15]  ...At least your data's safe in transit. 

David Dufour: [00:15:18]  Exactly. You can be - rest assured that the hacker's making sure your data can't be compromised. 

Dave Bittner: [00:15:24]  Right. Right. 

David Dufour: [00:15:25]  But what we saw - nearly 25% of malicious URLs - you know, the domain is the davidbittner[.]com or davedufour[.]com - that's the domain. We saw that 25% of malicious URLs, which are like that .com, /sports, /videogames - those - 25% of malicious URLs are hosted on trusted domains. So you can actually look at the domain and believe the website is good, but a hacker has actually accessed the back end of that domain and deployed malicious software there that, if you click on that, it's going to infect your machine. So it's something you've really got to be aware of. Not all trusted domains equate to trusted URLs. 

Dave Bittner: [00:16:08]  Now, you're also tracking some stuff here with Windows 7. 

David Dufour: [00:16:11]  Oh, yeah. Windows 7 - look; Windows 7 was a great operating system. It's just very antiquated - lots of malware on Windows 7. It's really time for folks to start thinking about upgrading to Windows 10. It's a great operating system as well. I'm not advocating for Microsoft, but we are talking about the Windows platforms here. You know, the exploits in Windows 7 have grown over 75%, and we continue to see malware taking advantage of those vulnerabilities in Windows 7. 

Dave Bittner: [00:16:42]  What do you say to those folks who are in a situation where it's not necessarily easy to upgrade? I'm thinking of people in industrial situations, you know, those kind of things, where that Windows machine may be tied to other devices. 

David Dufour: [00:16:55]  Yeah. That is always a great and tricky question, David, because if it is an industrial machine that potentially can't be upgraded because of the fact that it's running equipment, you have to evaluate your risk allowance. Can you take it off of a public network so that people can't get to it through the internet or through your network in some other mechanism? And make those determinations. Maybe you have to work with your vendor to get it upgraded because you are exposed because it does need to be online. But you need to evaluate that and be very knowledgeable of the risk that you're open to. 

David Dufour: [00:17:32]  And that's a point I want to make there. A lot of times, people just kind of put their head in the sand. OK, so you've got a Windows machine; it's running Windows 7. There's potential for exploits, but you've got a business decision because you've got to run your business that you're going to let that potential sit there. Well, maybe you need to invest in some tools that monitor that machine at a higher level to make sure it's not being exploited. So there's things you can do, but the No. 1 thing is evaluate your situation. 

Dave Bittner: [00:17:57]  All right. Well, it's the midyear threat report. You can find it on the Webroot website. David Dufour, thanks for joining us. 

David Dufour: [00:18:03]  Great being here, David. 

Dave Bittner: [00:18:08]  And that's the CyberWire. 

Dave Bittner: [00:18:10]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:18:21]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.