Cobalt Dickens, coming to a university library near you. UNICEF data exposure. Election security notes. Operation reWired arrests 281 alleged BEC scammers.
Cobalt Dickens is back and phishing in universities. UNICEF scores a security own goal. We've got some Patch Tuesday notes. A look at US election security offers bad news, but with some hope for improvement. The US extends its state of national emergency with respect to foreign meddling in elections. And an international police sweep draws in 281 alleged BEC scammers.

It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence. It gives analysts unmatched insight into emerging threats, and when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire, and we thank Recorded Future for sponsoring our show.

Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white-hat hackers in the world, who identify ten times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster, while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com.

From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, September 11, 2019.

Researchers at Secureworks report a resurgence of activity by the Iranian threat group they call Cobalt Dickens. This particular threat actor has been associated with the Mabna group and others indicted by the US Department of Justice back in 2018. Those indictments were for crimes connected with cyber espionage that the Justice Department said was conducted on behalf of Iran's Islamic Revolutionary Guard Corps. Secureworks says the latest activity consists of a phishing campaign directed against American and British universities. The phish bait in the emails is, as Secureworks put it, library themed. The recipient is told that, quote, "your library access has been suspended due to inactivity," end quote, and is given a link to follow in order to ensure that their library privileges might be restored. Cobalt Dickens's earlier campaigns had used shortened URLs in such links, the better to obscure what was going on, but this latest round dispenses with that coy gesture and simply leaves the full URL out there, displayed in all of its implausibility. Some sixty universities have experienced Cobalt Dickens phishing. Those affected schools are located in Australia, the United States, the United Kingdom, Canada, Hong Kong and Switzerland.

UNICEF, the United Nations children's organization, knows it's a small world, and they inadvertently made it a little bit smaller by emailing around a list of over 8,000 users of its online educational platform, Agora. This appears to be purely a case of operator headspace and timing, not hacking, so here again the human factor contributes the dominant share of the risk.

In yesterday's round of Patch Tuesday releases, Microsoft fixed 79 bugs, 17 of which Redmond classified as critical. Adobe addressed critical vulnerabilities in Flash Player.
NormShield has looked at US election security and found it wanting. The results of two risk assessments the company conducted showed, they say, that outdated systems remain in widespread use. More than half of the election systems used Windows Server 2008 R2 and Microsoft IIS 7.5. Four of the election commissions were still using Windows 2003, which reached its end of life some time ago. They also concluded that election authorities remain susceptible to phishing attacks: 59 percent of the election commissions were missing DMARC records, and more than 40 percent of them had at least one website with an invalid or expired SSL certificate. And finally, about a third of the election commissions have, NormShield says, quote, "at least one asset that is reported by blacklist databases," end quote. That is, at least one asset that has been herded into a botnet. NormShield conducted two scans, one in July, the second in August. The first one concluded that an average hacker, as Axios put it, would be able to breach twenty-seven states' election systems. The company then disclosed its findings to the election commissions and secretaries of state, and then repeated their scan a month later. The August results were noticeably better. Only thirteen states were found to remain vulnerable to the average attacker.

The Synopsys Software Integrity Group recently published a report titled The State of Software Security in the Financial Services Industry. Drew Kilborn is Managing Director of Security Consulting at Synopsys. He joins us to share their findings.

You know, one of those statistics in the report was 56 percent of the FIs that we surveyed were still experiencing attacks that were resulting in system failure and downtime. That's shocking to me, because the biggest banks we work with, many of those banks have pushed cyber fraud down the scale, from number one to number two or number three in their fraud list. So we kind of felt like the bigger banks had really gotten their arms around it. There are other findings I'll get to in a second that I think lead to this. The other interesting finding was 38 percent reported being victims of ransomware, and I was a little shocked that the FIs would be that impacted by ransomware, that they would have solved that problem a long time ago. But apparently it's still out there, it's prevalent and it's growing.

So what are some of the other indicators that you think contribute to those findings?

There aren't great established processes for inventorying and managing open source, and the other is there aren't great processes for managing the third-party supply chain. So what you see in the largest FIs is they still build software, either by themselves or they outsource having it developed, and they all use open source. In the mid-tier FIs, it's more prevalent to be buying third-party software than it is to be building software; if anything, they integrate. When you look at those two findings, this is kind of where the problems stem. Only 43 percent had an established process for inventorying and managing open source. Only 18 percent had any tools deployed to help and aid in that. Given open source is so prevalent in the industry, that gets a little eyebrow-raising, that they're not taking care of that part of the problem as well as maybe they should. They're probably introducing a lot of errors in the open source they bring in house. The other interesting finding was that no one has a great process for managing the supply chain of software that comes in outside of open source, just any third-party software you might buy or have built for you. And I think that's another weakness as well. Maybe there's a pen test of that software, but not many companies are looking at how the software is built, and the processes and the security SDLC those companies are undertaking as they build software.

The other interesting finding that came out of this is people still tend to rely heavily on manual ethical hacking, penetration testing at the end of the process. In fact, 65 percent of the respondents said they felt pen testing was the most effective way to find security vulnerabilities. It's actually probably the least effective way, because it's at the very end of the cycle, right? So it's extremely costly if you find your defects there, and pen testing is very time-boxed. Usually it's a one- or two-week test. You can only cover so much stuff, and so it's not very thorough. And then when you started to look deeper beyond that finding, we found that only 40 percent of the respondents were using automated tools in their secure SDLC to do more finding of defects earlier on, things like static analysis or dynamic analysis, interactive application security testing. There are other mechanisms, tools you could put into that SDLC that will automate the finding throughout, versus waiting to the tail end. If you add that up, you add up that only 19 percent of the respondents do mandatory development training for the developers, you start to say, okay, we're not training our developers, so they're not getting educated about the problem. You're not finding things earlier in the life cycle, and you've limited the size of the tests at the end under which you will find any vulnerabilities. You find out that, in my opinion, you're pretty inefficient at actually discovering defects in your SDLC. Automation provides several things. It provides consistency, which is great. It provides speed, which is really good as well. And it allows you to provide governance, so you can create governance in the SDLC to say if you don't cross a bar so high you don't move forward, and a tool is going to consistently test the same way every time to measure if you cross that bar. To me, those are the things that have to take place, and as companies move to DevOps and what they'll call DevSecOps, and are moving faster at building and releasing software, automation's going to become even more and more important in my mind.

That's Drew Kilborn from the Synopsys Software Integrity Group. The report is titled The State of Software Security in the Financial Services Industry.

US President Trump yesterday extended the national emergency with respect to foreign interference in or undermining public confidence in US elections for one year. The notice announcing the extension says, quote, "although there has been no evidence of a foreign power altering the outcomes or vote tabulation in any United States election, foreign powers have historically sought to exploit America's free and open political system," end quote. It goes on to discuss the proliferation of online devices and communication channels, and concludes that both unauthorized accessing of election and campaign infrastructure and covert distribution of propaganda and disinformation warrant continuing the state of emergency.
The extension maintains the provisions of Executive Order 13848, issued on September 12, 2018. That executive order prominently includes provisions for sanctioning foreign individuals and institutions attempting to meddle in US elections.

Charles Kupperman, Fox News reports, will serve as interim national security advisor to the US President. Kupperman had been serving as deputy to the now departed John Bolton. A search for a permanent replacement is in progress.

Today is, of course, the anniversary of the 9/11 terrorist attacks. We spare a thought for those who were lost, injured or bereaved in the terror, and for those whose health continues to be affected by the effects of the attacks. The government has taken the occasion to announce tighter sanctions against those who support and finance terror. Any foreign financial institution found to be engaged in such support risks losing access to the US dollar and to the world financial system. Expect online investigations into money laundering and fund transfers on behalf of sanctioned groups.

And finally, the US Justice Department has announced the results of Operation reWired, a roundup of business email compromise crooks that collared 281 alleged scammers in ten countries. It was a multinational, multi-agency sweep. Authorities in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia and the United Kingdom participated, as did the US Departments of Justice, Homeland Security, State and Treasury, along with the US Postal Inspection Service. $3.7 million were also seized at the conclusion of the four-month investigation. The largest haul of alleged perpetrators was in Nigeria, where 164 were arrested. Seventy-four were picked up in the United States, eighteen in Turkey and fifteen in Ghana. The remaining ten were scooped up in various other countries. Congratulations to those who organized and conducted this cooperative effort against international crime.

And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys: your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observe, the letter I, the letter T, dot com, forward slash cyberwire. And we thank ObserveIT for sponsoring our show.

And I'm pleased to be joined once again by Ben Yelin. He's a senior policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. A couple of articles came by that dealt with this notion of geofencing and the privacy implications there. There was an article from ThinkProgress. This was about some Catholics in Iowa who went to church, and Steve Bannon, of all people, was tracking their phones. There's another article from the New York Times about New York City possibly banning the sale of cell phone location data. Can you unwrap what's going on here for us?

Sure. So this isn't as much of a Steve Bannon story as it is about many political campaigns and many private corporations that use geofencing as a technique to promote their own advertising. So how it works is you either collect from app makers or the telecommunications companies themselves information on which individuals were at a given location at a given time. So what this Steve Bannon article mentions is his political organization collected the metadata, so the phone numbers of people who were at a Catholic church service on the Sunday prior to the 2018 midterm elections, and people who were at that church ended up receiving targeted advertisements on their smart devices and on their apps. This is something that's actually been done; it's a very common tactic among political campaigns to engage in what's called microtargeting. If you know who's in a Catholic church, or who's at a particular community meeting, or who's at potentially a political rally, that information is incredibly valuable to campaigns and political organizations, and they're happy to buy that information so they can target their advertisements. They can microtarget based on what they already know about those voters: they go to Catholic church on Sunday. New York City, interestingly, the city council is considering a measure that would ban companies from selling this geofencing data to all firms, to political firms and all other private entities. I think the chances of passage of this in New York are relatively small. There's been a lot of opposition from the telecommunications companies themselves, who think that this law is going to create an undue burden for them, because they're going to have to figure out how to comply with New York City law, which is a limited jurisdiction, even though it's the biggest jurisdiction in the country, as opposed to only having to follow some sort of national standard. So I think the telecommunications companies, the app makers, might actually be okay with some sort of regulation on selling this data, but they'd like it to come from the national level, so there could be some sort of a uniform standard. Now, this data can come from multiple places.
There's the actual telecommunications firms; they sell it. But then also apps that you install on your device. We've heard stories of, you know, buried in the EULA is permission for them to share your location every minute or so, or something like that.

Yeah. I recently read an article about the Weather Channel app, where there was a controversy in Los Angeles. They were collecting location data from their users on what was alleged to be a somewhat fraudulent basis. They said that users who were checking local weather forecasts would not have their data sold to private advertisers. Turns out it was sold. There was an investigation by the Los Angeles district attorney. And I mean, on any given smartphone, there are probably going to be ten to fifteen apps that make use of your location at one point or another, and we're almost so mindless about it that we just click the accept button as soon as we want to agree to that app. It's like, yeah, I don't want to read the lease when I'm trying to send my Snapchat. The result of that is that you've probably agreed, as a user, for this app to sell your geolocation data, and until there's some sort of regulation in place, it's up to both the users to look closely at those license agreements and to put pressure on the technology companies themselves. I think as we've seen more stories about geofencing, the telecommunications companies have been forced to respond and to voluntarily limit how much data they are actually selling to companies and political organizations. And I should also mention, you know, the uses we've talked about for the technology seem kind of benign, but if you take geofencing to its logical extension, it could potentially be pretty scary. You know, if we were conducting some investigation in the war on terror and collected geolocation data for every single mosque in the country, for example, I mean, that could have both a major chilling effect on free speech and the free practice of religion, but would really be a massive invasion of personal privacy. You can see how this would be just a major civil liberties violation. So in some ways, I think it's admirable that New York City is trying to address this problem, but I also think, even for a city as large as New York, the problem is at too large of a scale for them to really have a big impact.

All right. Well, Ben Yelin, thanks for joining us.

Thank you.

And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.