CyberWire Daily - A quick look at Big Tech’s antitrust testimony. BootHole may be tough to patch. Fake COVID contact tracers. Netwalker warning. And Chinese espionage against the Vatican and the United Kingdom.
Episode Date: July 30, 2020
Yesterday's antitrust hearings in the US House of Representatives focus on Big Tech's big data as something open to use in restraint of trade. And there are questions about community standards as well. The BootHole vulnerability may not represent an emergency, but it will be tough to fix. Android malware masquerades as COVID-19 contact-tracers. The FBI warns against Netwalker ransomware. China says it didn't hack the Vatican. Justin Harvey from Accenture demystifies red teaming. Our guest is Christopher Ahlberg from Recorded Future on trends in threat intelligence. And somebody's spoofing a British MP: he's looking at you, People's Liberation Army. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/147
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Yesterday's antitrust hearings in the U.S. House of Representatives focus on big tech's big data as something open to use in restraint of trade. And there are questions about community standards as well. The BootHole vulnerability may not represent an emergency, but it will be tough to fix. Android malware masquerades as COVID-19 contact tracers. The FBI warns against NetWalker ransomware. China says it didn't hack the Vatican. Justin Harvey from Accenture demystifies red teaming. Our guest is Christopher Ahlberg from Recorded Future on trends in threat intelligence. And somebody's spoofing a British MP. He's looking at you, People's Liberation Army.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 30th, 2020.
Amazon, Apple, Google, and Facebook completed, by WebEx, yesterday's testimony before the U.S. House Judiciary Committee's antitrust subcommittee. Bezos, Cook, Pichai, and Zuckerberg hewed to foreseeable lines during the testimony. The Telegraph thought they emerged unharmed, but observers thought the congressional inquisitors generally well-prepared.
The House subcommittee was interested in both anti-competitive practices and the roles the platforms have assumed in moderating content and influencing elections. The Wall Street Journal sees the central issue raised in the session as the economic and social power big data analytics have enabled big tech to concentrate.
The chiefs' answers to questions about alleged anti-competitive practices were to disclaim any attempt to use the data they collect on their customers or partners to favor their own business at the expense of those customers or partners. They also said it wasn't their practice to acquire potential or actual competitors to clear the field for their own products or services. To questions about content moderation, with Democrats seeming mildly in favor of more of it and Republicans decidedly wanting less of it, the executives gave mixed responses that expressed an interest in enabling the free sharing of ideas, feelings, and experiences, but within the limits of safety and unspecified community standards.
The representatives seemed well-briefed, equipped with news reports, corporate email exchanges, and stories from disgruntled competitors and customers. In fairness to big tech, the questions they were asked were sometimes complex, presumed that those testifying would have a sufficient amount of detail at their fingertips, and were in most cases tendentious. They had the character of a cross-examination whose purpose isn't to elicit new information, but rather to get things you already think you know into the record. The answers stayed as close as possible to the statements the companies came in wishing to make. At several points, those testifying promised to return responses once they had the opportunity to check the information on which their answers would depend.
Those follow-ups will cover specific cases of alleged anti-competitive practices, details on the composition of their fact-checking and other content moderation staffs, their use of data analytics, and the specifics of content moderation policies or community standards in force at their companies. Two things seem likely, at least to our editorial staff who listened to the hearing. First, it will be difficult for online services to hang on to the Section 230 immunities they currently enjoy while they exercise more gatekeeping with respect to content. The roles of publisher and neutral public square are likely to prove ultimately incompatible. And second, big tech's antitrust problems are unlikely to go away. As investigators continue to examine tech companies as incipient monopolies, those companies' access to and use of massive quantities of data will be the entering wedge of antitrust action.

Eclypsium has found a vulnerability, BootHole, that affects the GRUB2 bootloader used by most Linux systems. It could be exploited to gain the ability to execute arbitrary code even when Secure Boot is enabled. An attacker would need either administrative privileges or physical access to a device to infect it, however, and, as Ars Technica points out, if the attacker has those, you've got a lot of other problems to worry about. So, while BootHole is a widespread vulnerability, it's not a terrifying one and has earned a rating of moderate severity. But, as Ars Technica adds, not scary isn't synonymous with not serious, and BootHole is something that should be dealt with. Fixing it won't be simple. Eclypsium has an account of the various steps vendors will need to provide for their users before this particular hole can be patched.
EclecticIQ and its partners at ThreatFabric report that malicious Android packages have been found presenting themselves as legitimate, government-backed COVID-19 contact tracing apps.

According to Bleeping Computer, the FBI has issued a warning that NetWalker ransomware is being deployed against government agencies, both in the U.S. and internationally. NetWalker has specialized in exploiting vulnerable VPN appliances, web apps, user interfaces, and weak remote desktop protocol passwords as its methods of gaining access to victims' networks. The Bureau said, quote, "Two of the most common vulnerabilities exploited by actors using NetWalker are Pulse Secure VPN, CVE-2019-11510, and Telerik UI, CVE-2019-18935." The FBI discourages any victims from paying the ransom, and it recommends that organizations adopt familiar measures of sound digital hygiene to protect themselves from infection in the first place.
China says it's always been firmly opposed to cyber espionage and that anyone who thinks Beijing hacked the Vatican, like, for instance, Recorded Future, whose report on Chinese operations has been widely cited, needs to put up or shut up, Global News reports. Give them specific evidence, says the foreign ministry. It seems unlikely that Beijing would find any evidence adequate, in either quantity or quality. The Holy See itself has declined to comment on the reports.

And speaking of Recorded Future, the CyberWire's chief analyst and chief security officer Rick Howard checked in with Recorded Future's CEO Christopher Ahlberg for his insights on the latest trends in threat intelligence.
It actually over time has gone from open source data exclusively down to sort of the electrons of the internet and trying to put all of that together. We call that our security intelligence graph, that we connect all those dots. That's been the really exciting journey in all of this.
So the point of all that is you're trying to forecast where the next attacks are coming. Is that the main function of the service?
I would say that that's one element, and we have some pretty incredible success stories of that. But it can be sometimes when you're able to see something around the corner, but then it can also just be where you're detecting something totally outside in. We had a really cool success here in the spring where this, we'll just call it European energy organization, had been for a month leaking email data to a sophisticated actor. And we were able to observe that completely outside in and not just sort of do intelligence around it, but find the incident. And it blew people away that we were able to do it. And it was sort of connecting six layers through that security intelligence graph. So I think sometimes it's about forecasting, but it can just as well be about being able to sort of help people understand things that are ongoing or make it easier to do incident response. So it sort of can be across that spectrum.
So can you talk about at a high level, I don't want you to give any secrets away, but how do you take this vast amount of unstructured data and turn it into something useful? Are there techniques that you can describe that people can use in their own organizations, or any tips or tricks you can hand over to us?
Yeah, no, I think, you know, look, you can take a big step back and think about, like, if you have a lot of data, so we use the Bloomberg analogy, you can use, you know, whether it's sort of a sales dashboard analogy, whatever sort of thing. Understand the problem you're trying to solve, and I think you were getting at that before. You know, don't just collect data for the sake of collecting data, even though sometimes it's pretty enticing to do that. We have plenty of that.
Yeah, you're right. There's a lot of people just collecting large, giant lakes of data and they don't really know what to do with it.
Yeah, but to be honest, you have to do some of that. I'm sort of a huge believer that as we collect all this data, you need to apply analytics. I think analytics is the word that I come back to. It's more than just simple data analysis and doing roll-ups and sums and minuses, even though the simple is sometimes underrated. But the key is trying to understand analytically, what are you trying to do? It really is the secret that most people forget about. And that will inform you what sort of dashboards do you need to build, what sort of analysis do you need to do, what sort of automated correlations do you need to provide for. Understand the problem and be disciplined about that so that when you then don't, if you don't succeed, you can tune the analytics, tune what data you need to add, tune whatever you're doing. So you really think about it as an analytical process. And actually, I think a lot of what people learned in the intelligence community can be put to work here, but it needs to be more data driven. And people are not thinking enough about that.
That's the CyberWire's Rick Howard speaking with Recorded Future CEO Christopher Ahlberg.

And finally, whatever China might have been up to in the Vatican and the Hong Kong diocese, and candidly, it looks like it was up to no good, there are other allegations of the Chinese services undertaking some active cyber measures against an out-of-favor foreigner. Conservative member of the British Parliament Tom Tugendhat, who chairs the Foreign Affairs Select Committee and has been critical of China, says he's been the victim of an email spoofing campaign in which Chinese operators send embarrassing emails and other communications from bogus accounts that purport to be his. The Express says that Mr. Tugendhat realized the campaign was in progress when a reporter asked him about a press release he'd issued, only in fact he hadn't issued it and was quite in the dark about it. No doubt China's foreign ministry would like to see the evidence here too.
And joining me once again is Justin Harvey. He is the Global Incident Response Leader at Accenture. Justin, always great to have you back. I wanted to check in with you and get your take on red teaming and just start with some basics. How do you define it, and how does it work within the organizations that you work with?
Well, red teaming is a concept where you take humans and you make them act like an adversary toward an objective. And that objective or those objectives that you define, there are multiple ways to accomplish them. You can do them through social engineering. You can do them through direct system and network exploits. And, of course, there's always a set of rules of engagement around a red team operation that should be discussed ahead of time. Can outside tools be used, like zero days? There's also the behavior of the red team. Should you simulate being a nation state in an enterprise when nation states typically aren't targeting you? So you want to right-size that red team engagement. There has been a lot of talk these days about automating red teaming. And I think that, you know, I'm a little bit of the opinion here that until we can have a system that really mimics the thought process of humans, then we're likely not to see an effective automation of red teaming. Because red teaming really requires the team to sit there and think about, okay, how are we going to accomplish the mission? Just like a normal adversary would. And then, of course, simulate it in an environment. There are ways out there to automate a lot of persistence, vulnerability checking, persistent network scanning, but I would never consider them part of a red team engagement.
But when you're out there looking for someone to be a red teamer, you know, you're interviewing somebody or something like that, what are the attributes you look for? What makes a good red teamer?
I would say one of those attributes would be cleverness, the ability to think outside the box and be able to look at a problem in a different way. If you need to get access to a system, and let's say it's a pretty tight system, well, then you're going to think, well, how do I get in if I can't do a direct network or system exploit? I don't have access to the system. How do I do it? And you want to watch your candidate's or your red teamer's thought process to say, okay, how do I get in? Well, I can't get on via the network or the system. Well, how about if I get on via an administrator? Or what sort of communications are going in and out of that box, and examining the network activity and maybe compromising a neighbor and then using that neighbor? So I think number one, maybe, and these are in no particular order, I'd say one of them is being clever. And I think another one is being a geek, being someone who is technically proficient and that just loves breaking into systems. And I could say the same is true for incident response and all of the other disciplines that we have in cyber defense, Dave. And that is, you've got to be passionate about what you do. And that passion also has to be channeled into technical acumen. So red teaming, just like incident response, requires a pretty high degree of technical sophistication, being able to write scripts, being able to look at executables or network traffic, and being able to string a few of these together.

And then I would say the third one would be knowledge of the library of attacks that are available out there. And I use the library like a capital L. There are so many exploits and procedures and tactics and techniques. And there's probably 10 times that many open source areas that you can go to to find those tools. So knowing what tools are out there, knowing the systems you're attacking, and then being able to find the right tool for the job. And then, of course, being up on the leading edge. Some of the most successful red teamers at Accenture are always looking at the news and looking at open source intelligence and saying, oh, wow, there's this new type of exploit that this other red team did over here. I bet you I could grab that code and apply it to this other situation here. So I would say those are the main three things that I look for in red teamers.
All right. Well, Justin Harvey, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.