The CyberWire Daily Podcast 11.26.19
Ep 978 | 11.26.19

Potentially malicious SDKs draw cease-and-desist letters. Nursing homes get ransom demands. A look back at the Sony Pictures hack. CISA offers advice on safe online shopping.

Transcript

Dave Bittner: [00:00:03] Twitter and Facebook warn of potentially malicious software development kits being used by app developers to potentially harvest and monetize users' data. Nursing homes affected by a third-party ransomware incident receive extortion demands that amount to some $14 million. The Hollywood Reporter retails skeptical musings about the Sony Pictures hack on the fifth anniversary of the North Korean attack. And CISA offers advice for safe holiday shopping. 

Dave Bittner: [00:00:36]  And now a word from our sponsor Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate, isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing their resources. It runs and looks like a local browser, and is just as powerful, with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you are required to keep your online investigations completely anonymous and safe from cyber threats, you should consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:12]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 26, 2019. Facebook and Twitter warned yesterday that users may have unwittingly compromised personal information to two data-harvesting apps downloaded from Google Play, Giant Square and Photofy, by developers oneAudience and MobiBurn, reports CNBC. Facebook ejected the apps from its platform and issued appropriate cease-and-desist letters. The social network says the companies encouraged developers to use malicious software development kits. MobiBurn has said that it didn't collect, share or monetize data collected from Facebook. It did, the company said, facilitate the process by introducing app developers to companies that monetize data. MobiBurn says that while it doesn't regard this as problematic, it stopped doing so. Twitter calls out oneAudience as having used a potentially malicious software development kit. The platform says it's notifying users whose data may have been harvested and that it's told both Google and Apple about the likelihood that this SDK has found its way into apps available in their respective stores. 

Dave Bittner: [00:03:26]  Nursing homes affected by a ransomware attack against Virtual Care Provider, a company that provides the care facilities with a range of IT and security services, have received their ransom demands. Those demands, CBS News says, amount to a total of $14 million. The infection vector appears to have been a protracted series of phishing emails carrying malicious attachments. 

Dave Bittner: [00:03:50]  The U.S. Department of Energy has released its inspector general's unclassified evaluation of the department's cybersecurity program. The inspectors found a variety of familiar recurring issues at energy installations, including several facilities managed by the National Nuclear Security Administration. Among those issues are a persistent failure to patch, a vulnerability management system that struggles to address high-risk, high-priority vulnerabilities, and unsupported software being run on endpoints and in networks. In sum, the IG recommended 54 improvements that the department should undertake to improve its cybersecurity posture, and the department's leaders agreed with all of them. 

Dave Bittner: [00:04:32]  Sony Pictures was hacked five years ago this week. Principal responsibility for the attack was widely and convincingly attributed by the U.S. government and others to the North Korean government. But The Hollywood Reporter recounts skepticism from film businesspeople who were around Sony Pictures at the time who continue to wonder what happened. The U.S. Department of Justice issued a statement about accused Lazarus Group figure Park Jin Hyok for his role in the Sony attack and other capers. Big targets may attract a lot of people's attention, but the skepticism about North Korean involvement in the Sony Pictures hack seems mostly a priori. It's really tough to prove a negative, but there seems little reason to think the U.S. Department of Justice got this one wrong. 

Dave Bittner: [00:05:18]  Apple's iOS mobile operating system generally has a good reputation when it comes to security, and part of that comes from Apple's limiting what users are able to do and see on the OS. For those who want to see and do more, there's jailbreaking, circumventing Apple's access limitations. Sam Bakken is from security company OneSpan, and he says app developers need to be mindful of jailbreaks. 

Sam Bakken: [00:05:43]  Really, what jailbreaking your device is, is it's essentially - you're compromising your device, right? You are sort of sidestepping some built-in security functionalities built into iOS that keep users safe. And so developers really need to consider the fact that there may be some number of jailbroken iOS devices accessing their apps. And so, you know, there's a couple of different ways that their apps might be affected by this. For one, attackers will use a jailbroken device because it gives them a little bit more access into the internals of iOS and could allow them to kind of poke and prod apps in a way that they're not capable of on a non-jailbroken app. And so developers need to take steps to make sure that they're kind of obfuscating their code; they're using white-box cryptography and a number of technologies to make sure that attackers are slowed down in trying to analyze their apps and potentially find vulnerabilities within them. So that's one. 

Sam Bakken: [00:06:49]  You know, secondarily, they may have consumers - you know, regular users - that are sort of power users of iOS that still jailbreak their phone. And this is a little bit more common in markets sort of outside of the United States. Jailbreaking phones in the U.S. just isn't quite as popular as it is elsewhere. But you know, in, you know, APAC, it's a little bit more popular. And so banks want to actually provide some services to people that have jailbroken their phone because otherwise, those people might go to another bank that does allow them to use the mobile banking app. 

Sam Bakken: [00:07:25]  Really, what it boils down to, to simplify, is developers should kind of assume that their app will be installed in sort of potentially hostile environments. So, you know, whether - whatever the prevalence of that is - you know, who knows? It depends on your market. But just, you know, start from the beginning, thinking, hey, this app could be put on a bad device that's jailbroken and could be at risk. So let me apply security protections such as what's called in-app protection and also called app shielding, which kind of monitors the runtime of the app itself so that if there's anything malicious going on, if there's any kind of odd-seeming sort of poking and prodding of that app, it monitors for that. It detects it, and then it can take action on it. So it can say, I don't like the looks of this. This might be fraud, so let me shut that down. And so you might shut down the app in total, or you might limit some of the functionality that's available. 

Dave Bittner: [00:08:19]  So there are ways as a developer that I can sort of test to see if perhaps the device I'm running on has been jailbroken. 

Sam Bakken: [00:08:27]  Yes, there are multiple sort of ways to go about deciding whether or not the app is executing on a jailbroken device, some more sort of involved than others. But there's any sort of number of clues that this might be happening. But yes, there are tools that can be integrated into the app that say, hey, is this running on a jailbroken device, which is a potentially hostile environment? And then it's a business decision whether or not you let the app actually execute on those devices. 

Dave Bittner: [00:08:59]  That's Sam Bakken from OneSpan. 

Dave Bittner: [00:09:03]  It's just two days before the more or less official beginning of the holiday season, marked by the U.S. holiday of Thanksgiving this Thursday. The holiday season is also the shopping season. And the more or less official beginning of that season is this Friday, Black Friday, which is used to denote the day the Great Depression started in 1929 but now ironically names a day of big sales, bargains galore, doorbuster specials and so on. 

Dave Bittner: [00:09:30]  Anywho, the U.S. Cybersecurity and Infrastructure Security Agency has issued some advice on how to shop safely during the holiday season. It's good advice, short advice and grouped under three convenient headings. First, check your devices, make sure the software on them is up to date and check the accounts on them. Do you have strong passwords? You should, and you shouldn't reuse those passwords. If the accounts offer multifactor authentication, use it. 

Dave Bittner: [00:09:56]  Second, shop through trustworthy sources, the sites you know that are reputable, not, let's say, Crazy Joe's Nuthouse Site of Huge Online Bargains, which you've never heard of but, hey, just popped up and - that looks pretty good. Steer clear of the dodgy and the unfamiliar, and be aware that crooks will spoof legitimate sites. Look at the URL. That's not foolproof, but it's not a bad practice. And remember that phishing con artists will be sending out special offers during the season, too. Don't follow the links in emails unless you're sure of where they go, and don't provide personal information, especially credentials or pay-card data. 

Dave Bittner: [00:10:32]  Third and finally, use safe methods of payment. Credit cards are always better than debit cards and much, much better than using wire transfers. Keep an eye on your credit card statements, and alert your card provider at once if you suspect fraud. So there's CISA's advice for holiday shopping. Check it out at cisa.gov/shop-safely. 

Dave Bittner: [00:10:55]  Have you noticed a sad fact of holiday creep? We have. We're ashamed to say that right here in greater Baltimore, our shopping desk noticed that Halloween candy went on sale at a local supermarket during the first week of August, and that's just not right. And there's forward creep as well as backward creep. We confidently predict that after the New Year celebrations have succeeded Hanukkah and Christmas, we're going to be prepped for Valentine's Day with a short detour around the hemi-demi-semi-official American civic holiday of the Super Bowl. But there's a silver lining to all of this. Go back to CISA's advice on shopping safely. It applies 24/7, 365 days a year, 366 during leap year. So shop if you must, and you know you will. But please shop safely. 

Dave Bittner: [00:11:49]  And now a word from our sponsor McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off. And it's perfect, your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. That's mcafee.com/insights. And we thank McAfee for sponsoring our show. 

Dave Bittner: [00:13:02]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. I wanted to touch base today about smart cities and how making our cities smarter might mean that we also need to up our cybersecurity game as well. 

Justin Harvey: [00:13:20]  That's exactly right. There are many new types of services that are being developed, whether it be advanced traffic light signaling and the ability to control traffic lights on a citywide basis. There's water and power, jail systems, public transportation. And what has been discovered within the last decade is the internet protocol - maybe it's not so bad when it's controlling other types of operations. It's a great signaling and transportation protocol. 

Justin Harvey: [00:13:53]  And unfortunately, what's happened is all of these new types of services that are being developed and management systems that are using the internet protocol - many times, people don't realize that, A, it does eventually connect up to the internet, and B, they are susceptible to attack from adversaries, regardless if it is an air-gapped network or not. Many of my clients say, well, we have a great air-gap system. And then, of course, we run our red team operations, and in about 80% of the cases, they find a way in through the air gap, sometimes through maintenance connections, sometimes through engineers that connect up to that air-gap network. So there are paths to access those. 

Dave Bittner: [00:14:39]  Something that strikes me is, you know, say, for example, I have all of my - all of my city's lighting is automated and hooked up to some sort of smart city system. Well, in that case, if I want to take my city dark, I don't have to knock out the power generation facilities. I may be able to just throw the switch and turn off all the lights. 

Justin Harvey: [00:15:01]  That's exactly right. And any time that a digital system can affect the kinetic or affect the real world, there is susceptibility to tampering and to inciting chaos or inciting real-world physical damage. So it's important that when cities consider this, they consider two things. The first is I think that they should build up to this iteratively, which means having a very strong core, which means developing defense in-depth techniques with their own non-kinetic digital systems - accounting, tax revenue generation, digital records for their criminal justice system - and really work up to that 'cause we've seen, Dave - I think we even mentioned this a few weeks ago about more and more cities and states that are being held for ransom through ransomware. So it's important that you start with a firm base and you work up to that. 

Justin Harvey: [00:15:58]  In fact, I think probably the first kinetic system that cities should probably start to take a look at is the smart grid, and the reason I say smart grid is that there are already utility providers doing this. It's proven. There are mature security standards, mature systems. And they could also probably see some additional funding avenues through working with - in partnership with a commercial organization like a utility provider. 

Justin Harvey: [00:16:28]  The second thing that they need to think about is having proper funding. I cannot stress this enough. There needs to be proper funding around not only the technology and the telemetry and the transportation and setup of this, but these are very large operations that will be in - probably in place for decades. So it's important to have proper funding. Now, many times, that does mean going back to the public who are voting with their wallets and saying, we want to do this, and this is going to be the tax implications. This is how much tax revenue we need to do that, which will, of course, fund properly trained people, a security operation center and additional technology and telemetry that will be necessary to do this in a safe and responsible manner. 

Dave Bittner: [00:17:17]  Yeah, it's a really interesting insight that this requires the input from so many different departments around the city. In other words, it's not just facilities people putting up new streetlights. Suddenly, you've got data flowing that could be connected to all sorts of other parts of the city. 

Justin Harvey: [00:17:37]  That's exactly right, Dave. Recently, I was in New York City for the Aspen Cyber Summit. And Jeff Brown, who is the CISO and head of the New York City Cyber Command, made some great points in saying that New York City in particular is all digital, and it is all about safeguarding these digital systems - or his department is safeguarding these digital systems that are susceptible to attack. And I think that New York City has a great attitude and idea about this in the sense that it's all about managing the threat and providing these key services and key uptimes to their citizens. But the only way that they are able to do this successfully is through building a strong base, creating a security operations center, working closely with law enforcement and then, of course, having adequate funding in order to roll these services out on an iterative basis. So my hat's off to Jeff Brown and New York City on this one. 

Dave Bittner: [00:18:36]  All right. Well, Justin Harvey, thanks for joining us. 

Justin Harvey: [00:18:38]  Thank you. 

Dave Bittner: [00:18:43]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:56]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.