CyberWire Daily - Capital One sustains a major data breach. Phishing in LinkedIn. VxWorks patches and mitigations. Brute-forcing NAS credentials. LAPD doxed?
Episode Date: July 30, 2019
Capital One sustains a major data breach affecting 106 million customers, and a suspect is in custody, thanks largely to her incautious online boasting. Iranian social engineers are phishing in LinkedIn, baiting the hook with a bogus job offer. Wind River fixes VxWorks bugs. Network Attached Storage is being brute-forced. A hacker claims to have doxed members of the Los Angeles Police Department. Ben Yelin from UMD CHHS on cities piloting aerial surveillance programs. Tamika Smith interviews Noam Cohen from the New Yorker on California's new law regulating bots. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_30.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Capital One sustains a major data breach affecting 106 million customers,
and a suspect is in custody thanks largely to her incautious online boasting.
Iranian social engineers are phishing in LinkedIn, baiting the hook with a bogus job offer.
Wind River fixes VxWorks bugs, network-attached storage is being brute-forced,
and a hacker claims to have doxxed members of the Los Angeles Police Department.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, July 30th, 2019.
Data associated with about 106 million credit card users and applicants, mostly in the United
States and Canada, were exposed in a breach said to have been committed by a Seattle-area woman,
Paige A. Thompson.
Capital One says that the compromised data include
names, addresses, zip codes, postal codes, phone numbers, email addresses,
dates of birth, and self-reported income.
Also exposed were customer status data,
credit scores, credit limits, balances, payment history,
contact information,
and fragments of transaction data from a total of 23 days during 2016, 2017, and 2018.
A more limited set of U.S. Social Security numbers, about 140,000, Canadian social insurance
numbers, about a million, and linked bank account numbers of credit card customers,
roughly 80,000, were also taken.
Ms. Thompson was arrested yesterday on a charge of computer fraud and abuse.
She is alleged to have gained access to Capital One customer data between March 12 and July 17 of this year.
Her point of entry is said to have been a misconfigured firewall, the Wall Street Journal said.
The Department of Justice says that Capital One was warned on July 17th by a GitHub user
who'd noticed that their customer data had turned up on GitHub.
Capital One had stored the data in AWS,
and various reports have noted that Ms. Thompson is a former Amazon employee,
last working there in 2016,
but Amazon Web Services do not appear to have been implicated in the breach.
This was quick work by law enforcement, The Washington Post notes.
Federal investigators found their task simplified by Ms. Thompson's online boasting.
If convicted, she faces up to five years' imprisonment and a $250,000 fine.
In the press release disclosing the breach, Capital One summarized the financial costs it expects to incur.
Quote,
credit monitoring, technology costs, and legal support.
Capital One shares dropped some 3% in after-hours trading upon the news.
Iran's APT34 has been particularly busy on LinkedIn,
which security firm KnowBe4 says has become a leading venue for social engineering attacks.
FireEye researchers note that APT34 is particularly interested in the oil, gas, energy, utility and governmental sectors and that they're posing as the research staff at University of Cambridge.
The phishing bait is a job offer.
If you take the bait, you'll be asked to complete a form, which unfortunately will also open a back door on your system.
The particular malware used in this attack is called TONEDEAF.
Wind River has addressed 11 zero-day flaws in its VxWorks product.
VxWorks is used in over 2 billion industrial, medical, and enterprise devices.
Armis Labs, which discovered and disclosed the flaws to Wind River,
calls VxWorks the most widely used operating system you may never have heard of.
Six of the zero days were critical remote code execution flaws, according to Armis Labs' report.
When you are online going about your business, how do you know if the other individuals you're
interacting with are actual flesh-and-blood humans, or maybe bots? And if they are bots,
is that necessarily a bad thing?
The Cyber Wire's Tamika Smith looked into that question.
This month, California became the first state to create a law that curtails the power that bots
have. It essentially requires that they reveal that they are artificial in two instances,
influencing a voter and selling a product. Here to talk more about
this new law is Noam Cohen. He's the author of The Know-It-Alls, The Rise of Silicon Valley
as a Political Powerhouse and Social Wrecking Ball. Welcome to the program, Noam.
Oh, thanks, Tamika. I'm glad to be here. Yeah.
You recently wrote an article for The New Yorker titled, Will California's New Bot Law Strengthen Democracy? I want to get straight
into this and start with regulating bots. In your article, you talk about how it should be
low hanging fruit when it comes to improving how we use the Internet. However, when the senator
from California decided that he wanted to explore creating this law, he found out that it wasn't as
easy as he thought it would be.
Totally. Yeah. And when I say low-hanging fruit, what I meant is that, like,
you know, a bot isn't a person. So you could see that it's kind of complicated to say, hey,
you're saying something that's hateful. You shouldn't be allowed to be on Twitter. Right.
Our president, you know, says things that are abusive, but he's still on Twitter. It's
complicated. These are bigger issues. I have opinions on them. But I thought, I think the senator, right, Hertzberg thought that
a bot would be pretty easy. We can all agree that if it's this computer that's pretending to be a
person and is like getting, you know, being annoying or manipulative or harassing and just
sort of, you know, thousands of these same, these computer programs saying the same thing over and
over again, "lock her up" or "send them back,"
that we could agree that that's, like, not good. Low-hanging fruit, it shouldn't be much complicated
about it all. So that's, I think, what he thought, and what you, anyone, might think. We're not even
dealing with how to deal with the tough questions of people who are abusive and on this platform, but
just even machines that are. And then what I'm saying, what he discovered, is that there was such
an extreme kind of libertarian view in Silicon Valley that basically they raised all these issues about bots that you wouldn't even think of, like that bots actually are kind of like people speaking.
You're like, really? Why? It seems like it's just a computer saying the same thing over and over again.
But it's like, well, a person wrote it and it's conveying ideas or maybe it's an experiment.
They were all these kind of theories that like maybe a bot is exploring the idea of what we think of bots. And so if it's identified as a bot, we won't have the
ability to look at it and see, you know, see how it goes, that kind of thing. So people would think
that would be pretty extreme, right? That these kind of interpretations, but yet they basically
did force the state senator to really reevaluate in how to write the law. And he backed off a lot.
It didn't require
the sites to block them themselves. That's what he really was hoping would happen, that they would
block them themselves. They would agree that we shouldn't have bots on our platform and we're
going to be responsible for getting them off of the platform. But that was kind of, they argued
and lobbied. So effectively, it got taken out of legislation.
As I'm processing this, I'm thinking that when California State Senator Robert Hertzberg decided he wanted to embark on this journey, he tapped into something very huge.
And that's probably why Silicon Valley of the Electronic Frontier Foundation.
He wrote something in his Declaration of Independence of Cyberspace in 1996.
In your article, it's quoted, you have no moral right to rule us, nor do you possess any methods of enforcement.
We have true reason to fear.
What do you think he's saying there?
What is he tapping into?
And this is, like, you know, this is something I've thought a lot about. It's kind of like maybe the original
of the internet. It's this fiction that, if we're even calling it right. For the longest time, when
I was a reporter at the Times, I would write Electronic Freedom Foundation. I was like, that's...
And you know, it's actually called the Electronic Frontier Foundation. I think I even made an error
in the paper that, because it's so weird. Like, what is it, a frontier? What do you mean? I know they're
about electronic freedom, right? But they kind of see the frontier as like the West, the Wild West.
What that quote's saying, like, right, you and your laws don't apply to us. I think in that case he's
kind of saying, we're so much smarter than you. We're hackers. You can't even, you couldn't even
discipline us if you wanted to. You couldn't even tell us to shut up, because you don't even know
how to, how to, like, stop us from communicating by the internet, because we're brilliant computer scientists and you're a bunch of idiot bureaucrats.
I think that view you see to this day, making fun of public workers and of representatives and how they don't know anything about tech and that arrogance.
So I think it had that aspect that we're in our own world.
You can't reach us.
But I think the thing I've always really felt bad, you know, felt has gotten wrong is that I actually wrote this in a book review,
a book called The Player's Wall about the West, the Wild West idea is that like, you know,
the West was conquered by killing the natives, right? You know, killing Native Americans and
like, you know, obviously slavery built the country, all these original sins of our country.
And it's like this myth that like, it's just the Wild West and there's no history, no rules. So, you know, not recognizing that when
the internet isn't fair, it's going to play out that women and minorities are not going to be
able to speak as much. So they can think it's like, hey, it's just freedom. But actually freedom
really is allowing the majority to oppress the minority. So what do you think is the step
forward? Do you think California, as your article poses,
do you think the rest of the nation
is going to look at California's new law and say,
okay, we can start here?
I really hope so.
I do think they can see,
I think it's a good basic rule to say
that bots should identify themselves.
You shouldn't trick people into thinking
that they are people.
When you're talking to a person,
you're actually talking to a bot that's actually trying to maybe demoralize you, right? That's also what bots can
try to do. They can try to make you feel bad by saying negative things or to trick you or to give
you false information. So I do think it's like it is starting the conversation. And I think that's
really important. I do think that probably the way it's going to have to play out is that these big
companies have to be broken up because I think they are just too powerful and too,
like the article said, they're going to be too resistant to change. And I don't think it's a
good system. I think we need more kind of democracy among the companies almost and among the platforms.
So I hope that's the way it'll go. But I think it's a really good first step to ask hard questions
about how the internet runs. Thank you so much for joining the conversation. Thanks very much.
I hope it was helpful. Great.
Noam Cohen, he's the author of The Know-It-Alls,
The Rise of Silicon Valley as a Political Powerhouse and Social Wrecking Ball.
He writes for The New Yorker and has a regular column with Wired Magazine.
That is our own Tamika Smith reporting.
Synology has warned its users to protect themselves against a ransomware campaign
that's hitting its network-attached storage product.
The attackers are brute-forcing admin credentials in a coordinated series of dictionary attacks.
While Synology has been out front with its warning,
Naked Security reports that they're not the only NAS vendor whose products are affected.
Indeed, the attack does not exploit any specific flaw in any NAS system. And finally, a self-proclaimed hacker has told the Los Angeles Police Department
he's got data on some 2,500 police officers and about 17,000 recruits,
according to Information Security magazine.
NBC4 Los Angeles says the police union is very unhappy. The incident remains under investigation.
And I'm pleased to be joined once again by Ben Yellen. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security.
Ben, it's always great to have you back.
We had a story come by from The Atlantic.
It's titled, Mass Surveillance is Coming to a City Near You.
It's actually sort of revisits something you and I have talked about in the past.
Bring us up to date here.
Yeah, so this is about aerial surveillance.
This technology that was referenced in this article was actually used here in Baltimore City in 2016 as part of a pilot program. Place a plane in the sky over the city
and get real-time access to people's movements, aerial surveillance that you can zoom into the
level of a city block, an individual house, a street, etc.
This is something that obviously presents major civil liberties concerns.
There's this legal concept called the plain view doctrine,
where if you exhibit some sort of behavior in plain view that violates the law,
you've lost your expectation of privacy,
and the government can arrest you based on what they've seen in plain view.
There was a case where a government surveillance plane caught somebody growing marijuana in his
own backyard. As long as the technology being used by law enforcement is something that's
relatively widely available. That's where I think the legal question will be really
crystallized in this case. Because this technology is so new, people who are walking around Baltimore City or any
other city where this technology has been deployed aren't necessarily going to be aware
that this type of technology exists.
And thus, they won't be able to comport their own behavior to the fact that there's constant,
persistent surveillance that's tracking our every movement.
It requires almost no resources for law enforcement to press the rewind button on hours and hours of aerial
surveillance footage as opposed to what they used to do, which is send a cop outside someone's house
and actually follow the guy and see if he's committed any crimes. Not to mention, it just feels weird and
uncomfortable for people to know that they're being tracked in real time by an airplane 24 hours a day
and information that's stored and can be searched by law enforcement. I think that's just a very
uncomfortable conclusion that is just going to start settling in for people.
I can't help wondering, I mean, what about if we put this behind the requirement for a warrant?
In other words, go ahead and gather all this stuff up. But if a police department wants to
go in and look at someone, they've got to convince a judge first.
I mean, I think that would be the best way to ensure the legality of something
like this, because then you wouldn't run into whether this actually falls under the plain view
doctrine. The problem is, you may not be able to establish probable cause for a warrant unless you
had access to some of this aerial surveillance. So let's say you had an inkling, but something
below probable cause, that somebody committed a robbery. You may need to actually get access to the surveillance to know whether that
person left their house that day and went to the store that was robbed,
et cetera,
et cetera.
And what law enforcement is going to say is we're trying to conduct an
investigation.
We don't have enough information to obtain a warrant.
We would like access to the surveillance to see if we can connect this person
with a crime. And, you know, I can see why that potentially could be compelling to jurisdictions
like Baltimore City that have major violent and nonviolent crime problems.
Yeah, I can really see the appeal to law enforcement, obviously, because let's say you
had some sort of robbery at a store or something, the ability to go to the time of that robbery and then basically run everything in reverse
and track back every vehicle that came to that place back to wherever they started from.
Well, boy, that's a powerful law enforcement tool.
It is. I mean, you just take normal blue light surveillance cameras and multiply it by the entire city.
So it's an extremely effective law enforcement tool. But yeah, I mean, we've talked about so
many of the potentials for abuse. One thing that this article talks about is,
even though you'd think, well, you know, they can't this database of information that's being
collected through aerial surveillance is so vast, no one's going to search, you know,
you as an individual, because they're just not going to have the time and resources to do it.
But through machine learning, it's possible, and artificial intelligence, it's possible that the
system can start to understand various patterns, you know, where gang activity is located, where
certain people are hanging out at certain times. And that information,
you know, is much easier to deduce without conducting searches of hundreds of thousands,
the whereabouts of hundreds of thousands of individuals. And it could have the same effects on personal privacy. All right. Well, Ben Yellen, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.