CyberWire Daily - Chinese information operations on Twitter and Facebook. iOS jailbreak released. Adult websites leak information.
Episode Date: August 20, 2019
Twitter and Facebook shut down Chinese information operations. A jailbreak for the latest version of iOS is out. Facebook may have known about the “view as” bug. Vulnerabilities in Google’s Nest... cams are patched. Instagram gets a data abuse bounty program. The FCC released a report on the CenturyLink outage. And adult websites leak information. Michael Sechrist from Booz Allen Hamilton on exploits. Guest is John Bennett from LogMeIn on addressing the growing cyber threats to the SMB market.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Twitter and Facebook shut down Chinese information operations, a jailbreak for the latest version of iOS is out, Facebook may have known about the
view as bug, vulnerabilities in Google's Nest Cams are patched, Instagram gets a data abuse
bounty program, and the FCC released a report on the Century Link outage.
From the CyberWire studios at DataTribe, I'm Bennett Moe with your CyberWire summary for Thursday, August 20th, 2019.
Court filings suggest that Facebook may have known about and failed to fix the view as bug.
Exploitation of the flaw is thought to have resulted in the theft of access tokens that enabled hackers to obtain sensitive information about roughly 14 million Facebook users and less sensitive information on some 15 million more.
The allegations appear in a filing related to a class action suit
opened since the breach was disclosed in September 2018.
Twitter and Facebook both said yesterday that they had taken down
Chinese state-sponsored information operations focused on discrediting the ongoing protests in Hong Kong.
Twitter suspended 936 accounts on its platform,
while Facebook removed seven pages, three groups, and five accounts. Twitter also preemptively
removed about 200,000 mostly inactive accounts that it identified as part of the same network.
According to Twitter, the operations were, quote, deliberately and specifically attempting to sow
political discord in Hong Kong, including undermining the legitimacy and political positions of the protest movement on the ground.
Unquote.
The Facebook pages shared political posts that portrayed the protests in a negative light,
including photos comparing the protesters to ISIS fighters and cockroaches.
Twitter said that most of the accounts used VPNs, but some used unblocked Chinese IP addresses.
Facebook launched its own
investigation based on a tip from Twitter and linked the operation to individuals associated
with the Chinese government. The Washington Post notes that this is the first time two social
networks have called out the Chinese government directly. Twitter also announced in a separate
statement on Monday that it would no longer accept advertising from state-controlled media
organizations. The company had recently drawn criticism for running ads purchased by Chinese state-run
news outlets. Under the new policy, those media will continue to be able to tweet,
just not buy ads. Motherboard reports that Apple accidentally reintroduced a vulnerability in
iOS 12.4 that it had patched in iOS 12.3. Security researchers discovered the bug over the weekend,
and one of them publicly posted a jailbreak for the latest version of iOS on Monday.
As the Register notes,
this is relevant even for users who don't plan on jailbreaking their phones
because jailbreaking tactics exploit arbitrary code execution flaws.
Such exploit code is now open-sourced in a jailbreak,
and it can be repurposed for malicious endeavors.
Apple is working on a patch, which it will probably release in the next few days,
but until then, iPhone users should exercise caution when downloading apps from the App Store.
Cisco Talos discovered and helped remediate eight vulnerabilities in Google's Nest Cam IQ indoor camera.
The issues could have been exploited to commit denial-of-service
attacks, code execution, and information theft. Facebook has expanded its data abuse bounty
program to include Instagram. The program is meant to encourage security researchers to find and
report third-party apps that misuse their data. The company is also launching an invite-only bug
bounty program to test Instagram's checkout feature,
which lets users purchase products within the Instagram app.
Small businesses are increasingly being subjected to cyberattacks,
and they lack the resources to build strong security programs.
Dave Bittner talks to John Bennett, Senior Vice President and General Manager
of the Identity and Access Management business at LogMeIn.
We recently just released research, SMB's Guide to Modern Identity Research,
where we surveyed over 700 IT and security professionals
from organizations up to 3,000 employees.
And the key takeaways is,
and I don't think these are going to be a surprise to anybody,
is that 98% of our respondents said,
you know, they see room for improvement in terms of how they're
managing their identity access management for their employees and securing that customer
sensitive data. And so I think where we see our sales today, especially with small and medium
businesses, is that increasingly they are being targeted for either ransomware or cybersecurity
attacks. And they also are in a position where they don't have those tools deployed that
enterprises are increasingly deployed to manage and secure their employees' identity and access
to those sensitive systems. I think the state is there's increased risk, there's increased
awareness, and SMBs are looking to deploy better tools and solutions to manage and secure. There's
employees identity access management, but they also are looking for solutions that fit their
needs, their size of their business, and that are easier to adopt, more cost effective. Is cost one of the primary drivers here? I mean, what makes a system more effective for a smaller
business rather than a large enterprise? That's a great question, Dave. On what makes a great
solution or an effective solution for a small and medium business, I think is a couple things.
One, if they look at the plethora of solutions that are available to large enterprises today,
the first is complexity.
It's not just a cost factor.
It's whether it's single sign-on or password management vaulting or multi-factor authentication,
privilege access management solutions.
What they look at is there are all these bespoke point solutions in the market today that they require deep subject matter
expertise, not just to select them and evaluate them, but once they've deployed them, they
also have to have increased expertise in terms of managing those solutions within their organizations.
A lot of these businesses, they know that they want to increase their investment, but
they're looking for, I think, solutions where
they're either more holistic approach, where it's solving more than just securing one point of the
access, whether that's single sign-on or multi-factor authentication or PAM or password
management vaulting. And then the second piece is I think they're looking for solutions that
with their current IT staff, that these are, that the administrative
experience, that the security policy experience is tailored to, you know, a medium or small business
where they're able to deploy these tools and get the value from these tools without having to shift,
you know, additional headcount into the organization to manage those.
Yeah. I mean, I guess that's the trick really is being able to dial in that combination of
needs specific to that kind of business.
Exactly. Look, I think we in the industry also, you know, we have a responsibility
as we're seeing, you know, this increased threat and the pain point that it's creating,
you know, for small and medium businesses. We know that when a small
business is hacked, 60% of those, they go out of business within six months of experiencing a
breach. And I think we in the industry have a responsibility to make our solutions easier
for organizations that have four to five IT professionals. They wear many hats. They don't
have a CISO. They don't
have threat analysts in their organization. We have a responsibility to also make our tools
affordable, easier for them to understand what the cost is for deploying our tools,
and make it easier for them to deploy those to their employees and manage those and have an ROI
that they can justify in their organization. I think it's something we all vendors in the organization,
I mean, all vendors in this identity access management ecosystem,
we have a responsibility to do a better job here in terms of accessibility for mid-market and below.
One of the things that your recent research looked at was individual teams within companies.
Who's doing better jobs than others? What sort of stuff did you find there?
Yeah. So, you know, in some of the key takeaways, and I think these aren't a surprise,
is, and we looked at the research, you know, organizations like finance and IT,
like they're doing a better job in terms of making sure that our employees are following good behavior and good policies and
securing that sensitive data in a way that is protecting the organization from external threats.
And I think the other thing we learned is that when you look at parts of the organizations within
small and medium businesses, whether that's marketing or sales. Again, what these employees
want to do, they want to be able to use the tools that are available to them, whether they're
sanctioned or not sanctioned, to be able to get their job done. And what we see there is the
behavior there is generally high sharing of passwords, using applications outside the
organization, password reuse. What we found in our research is in those parts of the organization, they're struggling with the
balance of the employees. What the employees want is convenience. And they want, if they're going to
improve their security posture, it has to be an effortless for them in order to be able to
use the tools that they want to. And I think that it's not a surprise, but I think it's an area that there are simple things that
businesses can do to improve the security posture for those parts of the organizations,
deploying a password management for improving that, deploying multi-factor authentication.
What we've learned is we know that employees, there's a high reuse of passwords across the
organization, that they're using applications that even if a medium business or a small
business has deployed a single sign-on solution, which is using that single password and credentials
to access applications that are supported by that solution, that there's a host of applications
that we all bring into the workforce that are not covered under single sign-on. And so the other thing that we found
from our research is, and I think there's a high awareness, and we're seeing an acceleration in the
adoption of multi-factor authentication. Because again, this is a way where you're using a second
set or a third set of either biometrics or credentials or a trusted device that is securing
all those access points, whether it's through a single sign-on application or an application
outside of that. And that's John Bennett, Senior Vice President and General Manager of the Identity
and Access Management business at LogMeIn. Lawfare has published an appeal for public engagement
with the Cyberspace Solarium Commission.
This commission, seen as a successor to the original Solarium Council of Elders that worked out U.S. deterrent policies in the early days of the Cold War, is trying to do something similar
for cyberspace. If you have insights, suggestions, or perspectives you'd like to share with the
commissioners, drop them an email. Their address is info at solarium.gov. So let them hear from you.
The Federal Communications Commission yesterday released a report on the countrywide network
outage experienced by CenturyLink last December. The outage affected 911 systems across 29 states,
and at least 886 911 calls were not delivered as a result. The outage was traced to CenturyLink's
node in Denver, Colorado,
which for unknown reasons generated four malformed management packets and sent them to all connected devices. These packets had valid headers and checksums and had no expiration time. Each node
that received the packet would retransmit them to all of its connected nodes. The report explains
that, quote, the exponentially increasing transmittal of malformed packets resulted in a never-ending feedback loop that consumed processing power in the affected nodes, which in turn disrupted the ability of the nodes to maintain internal synchronization.
Without this internal synchronization, the nodes' capacity to route and transmit data failed.
As these nodes failed, the result was multiple outages across CenturyLink's network.
The FCC said CenturyLink could have prevented or mitigated the outage by disabling unused systems,
implementing stronger filtering, and using processor utilization alarms.
Ars Technica notes that the FCC didn't announce any disciplinary action for CenturyLink,
nor did it order the company to take steps to improve its network.
It's an interesting case of how a small issue
can cascade into a larger one.
It seems that there was no attack involved.
And I'm pleased to be joined once again by Michael Sechrist.
He's chief technologist at Booz Allen Hamilton,
and he also leads their managed threat services intelligence team. Michael, it's always great to have you back. I know one thing that you and your team
have been tracking is this notion of quickness to exploits. What can you share with us about that?
Sure. Yeah. Thanks for having me back. So one of the things that is growing is the time to
exploit and a particular vulnerability. What we've seen in some cases, obviously within days,
sometimes even before potentially the exploit is even announced,
there has already been exploitation seen in the wild.
And that has to do with the fact that once typically,
on your typical vulnerability scale, once a patch is released,
kind of malicious actors or even kind of sort of gray hat or white hat actors can
typically just do a differential of the patch in the file that's issued and then kind of the current
release of the software and find potentially the vulnerability and what was changed in the code
and kind of reverse engineer that and try to find a way to reverse engineer that code into an actual
functioning exploit. And this is kind of a cottage industry that's obviously
been in place for years. But the rise in this and the quickness to publish some of this results,
either via a GitHub page or just a blog, has grown significantly and something that we as
an Intel organization work hard to try to track for our clients as well as ourselves.
From a practical point of view, does this mean that organizations out there
really need to accelerate their patching process?
It's definitely something for an organization to consider. You know, there's been some discussion
that, you know, most Microsoft patches can be reverse engineered in this way within a matter
of a few days. I think with other kind of patches that we know are applied to software that is or even middleware or hardware that's difficult to
identify or difficult to patch, you see more actors trying to find exploits in reverse engineer
patches for those kind of to target that software or hardware in that case. The patching process has to speed up,
but I think it has to speed up for the software that has kind of higher likelihood of attack or
exploit just because a vulnerability exists. And even if it's a high CVSS score, that doesn't
necessarily mean that that vulnerability is going to be developed for that vulnerability.
It's going to take a lot of other factors,
typically, for a full functioning exploit to be developed and to be really readily used in the
wild. Obviously, we've been tracking this BlueKeep vulnerability that Microsoft put out and
some of the now functioning exploits that are in the wild for that, because it does have the
potential to release another kind of
WannaCry event in the industry. And that's something that our clients and basically everybody
who works in cyber threat intelligence is concerned with. What are your tips in terms
of organizations setting priorities for ordering how they go about doing their patching?
I think it's a bit of an art and a science here. A strong patching cycle and having a well-oiled machine to kind of release patches is important so that you can, in times of crisis, when you really need to get a patch out because you know potential exploitation is happening at that moment, potentially even exploitation that you're seeing on other sort of logs and servers, there has to be that kind of reliance and that trust in your organization that we can push a patch out as fast as we might need to.
You know, in some cases, that could be less than a day, I would think, for an organization. And that's a significant operational undertaking in a lot of cases. But the other kind of flip side to
that is to build an intelligence kind of function that works well with your vulnerability management
team, so that you're not constantly setting fire drills off in your organization.
A lot of times there aren't that many vulnerabilities that you really need to patch in that way just because it reaches a certain, like I said, CVSS score or it is something that's
even being talked about in the industry.
That doesn't necessarily mean that you have to go light your hair on fire and try to patch
within a day.
But there are in certain circumstances, and I think this is where the art comes in.
There's obviously it's based on, you know,
kind of your risk posture as an organization,
as well as maybe where your critical data is residing.
There are some instances where you're going to want to pull that fire drill lever
and get kind of the organization, you know,
moving very fast to release a patch
because potentially, you know, the Struts software platform is vulnerable
and some of your critical apps rely on Struts and are externally facing. Well,
that might be a situation that you want to not only validate whether kind of an exploit would
work against those systems, but if it does, you need to patch immediately.
All right. Well, Michael Sechrist, thanks for joining us. Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.