This is your Shared Security Weekly Blaze for June 3rd 2019 with your host, Tom Eston. In this week’s episode: US cities are being rampaged with ransomware, mobile phishing attacks on the rise, and do you know what your iPhone is doing while you sleep?
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I was intrigued by an opinion piece posted to Dark Reading about the recent rise in ransomware attacks targeting cities and local governments. From Atlanta, Cleveland’s airport, and now the city of Baltimore, ransomware is grinding communication and critical processes to a halt in many cities across the country. Local governments are expected to provide certain critical services for citizens, such as obtaining permits and closing home sales, so without computer systems working it’s like going back to the ice age with paper and a manual process. My hometown of Cleveland, Ohio had a ransomware attack hit the airport, but thankfully it only affected the flight and baggage information screens and not the security of flights or the airport itself. This latest string of ransomware attacks appears to be attributed to the previously leaked “EternalBlue” exploit back from 2017, which was created by the NSA. Anyone else find it ironic that our own cities are being used against us with the same tools and exploits designed to attack other nation states?
One thing is clear, cyber criminals see a massive target in cities and local government because they know (as well as many of us) that IT budgets are tight and more often than not systems are not being patched or maintained. The other ethical dilemma this brings up is if cities should pay the ransom. While we always say to never give in and pay a ransom, the recent ransomware incident in Atlanta cost the city an estimated $17 million in recovery costs when the ransom was only $50,000. Now just paying the ransom may not work out either as there have been cases of criminals asking for more money or just not giving the keys to unlock the data regardless of being paid. It’s a tough situation for sure and will continue to be hotly debated as attacks on cities increase.
From a prevention perspective, perhaps with limited IT and security budgets, money may be best spent by focusing on security awareness training. Many of these ransomware attacks start through a phishing email or by clicking on a malicious link to a compromised website, which then allows the malware to propagate through the network. If the first line of defense, the users, know how to identify a malicious email or link, that alone may prevent the entire ransomware attack from happening. I started a Twitter post, which I’ve linked in the show notes, about this very topic, so I’d love to hear your thoughts and ideas on how we can help the cities that we live in defend themselves from a ransomware attack.
Speaking of social engineering, Phishlabs released a report on mobile phishing attacks, which have not gotten the attention in the past that we see with email-based attacks. With the rise in mobile phone usage there has been quite the increase in phishing attacks using SMS text messages and leveraging specially designed phishing exploit kits which mimic login screens of legitimate apps. According to the report, the financial industry appears to be the main target, and attacks are looking to replicate your bank’s mobile login screen so that you’re tricked into entering credentials and even two-factor authentication codes.
SMS phishing in particular is getting more complicated to prevent. For example, phone numbers can be easily spoofed, and filtering of SMS or text-based spam is pretty much non-existent. In addition, mobile phishing attacks take advantage of small screen sizes and use techniques like URL padding, which can hide the full URL, making the site seem legitimate. Also in the report, Phishlabs noted that Android is currently the number one target for mobile malware and that banking trojans are the most popular malware being used today. Ironically, the BankBot Anubis malware uses a Twitter account for command and control of the malware to avoid detection. This is something that I and researchers Kevin Johnson and Robin Wood, who developed a proof of concept of this, first talked about in a DEF CON and subsequent ShmooCon talk way back in 2009. Crazy that this concept that I was a part of is actually being used in modern day malware.
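The URL padding trick mentioned above works because a narrow mobile address bar only shows the left-most part of the hostname, so a run of hyphens pushes the real registered domain out of view. The following is an added defensive example (not from the podcast or the Phishlabs report) that compares the domain a user would see with the domain the browser actually connects to; the sample links and the heuristics (a run of four or more hyphens, last-two-labels as the registrable domain) are constructed assumptions.

```python
"""Flag SMS/mobile phishing links that use URL padding.
Added example with constructed sample URLs; not code from the podcast."""
import re
from urllib.parse import urlsplit

# Four or more consecutive hyphens inside a hostname is the padding signature
PADDING = re.compile(r"-{4,}")


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Enough for .com-style
    TLDs; a production filter would consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> dict:
    """Compare what fits on a narrow address bar (left of the padding)
    with the domain the device really resolves (right of the padding)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    real = registered_domain(host)
    match = PADDING.search(host)
    if not match:
        return {"host": host, "real_domain": real,
                "padded": False, "shown_domain": real}
    # e.g. "m.facebook.com" is all the user sees before the hyphens begin
    shown = registered_domain(host[: match.start()])
    return {"host": host, "real_domain": real,
            "padded": True, "shown_domain": shown}


def is_url_padding(url: str) -> bool:
    """True when the link is padded and the visible domain is not the real one."""
    info = analyze_url(url)
    return info["padded"] and info["shown_domain"] != info["real_domain"]


# Constructed sample links (not real phishing URLs)
SAMPLES = [
    "http://m.facebook.com----------------validate-step1.example-phish.test/sign_in.html",
    "https://m.facebook.com/login",
    "https://my-bank-portal.example.test/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("PADDED" if is_url_padding(u) else "ok    ", u)
```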
In related phishing news, Brian Krebs from Krebsonsecurity.com posted an article about people being fired for failing phishing tests put on by their companies. He goes on to interview several phishing industry experts to get their opinions, which, of course, are not in agreement with firing employees over an awareness exercise. We’ll link the article in the show notes so you can read it for yourself, but what do you think? Is the hard-handed and fear-based approach the best way to increase awareness?
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Have you wondered what your iPhone is doing while you’re sleeping? Like most of us, our phones go into “do not disturb” mode and we gently drift off into our quiet slumber, to be awakened by the horrible sound of the alarm we set for some ungodly hour so we can get up and go to work. But did you know that your phone is constantly communicating, and your apps in particular are sending tons of information about you and your device to marketing companies, research firms and ad agencies? Well, a technology columnist from the Washington Post worked with a privacy firm to find out exactly what was going on here. Through their research they found that there were over 5,400 trackers in a single week, mostly from apps, which resulted in 1.5 gigabytes of data being used over the course of a month. Information sent from these apps included his phone number, email address, exact location and device fingerprints, while also helping trackers link back to his phone. And these trackers do activate at night or when the device is plugged in because of the background refresh setting that is on by default with an iPhone. And don’t think that just because you don’t own an iPhone you’re immune. Android users face the same issue with apps that use trackers like these as well.
Now, none of this news should be at all surprising, except for the volume of data we’re talking about here. The most concerning part is that we really don’t know where apps are sending our data and we don’t know what these companies are doing with our data. There is no disclosure system by Apple or anyone that shows you what these ad trackers are doing unless you do what this columnist did and dig into the technical details of how these apps work. Privacy notices and policies don’t help much either because they don’t go into the gory details of what these trackers do and transmit. You can read the article for yourself in the show notes, but I think the best quote from the story is about transparency, and that quote is “If we don’t know where our data is going, how can we ever hope to keep it private?”
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.