CyberWire Daily - Dangers of data collected in Afghanistan. Another cryptocurrency theft. Hardware backdoors? LockBit dumps airline’s data. CISA opens registration for the President’s Cup. Too much gaming, kids.

Episode Date: August 31, 2021

Possible consequences of the Taliban’s seizure of Afghanistan’s APPS data. Another DeFi platform sustains a cryptocurrency theft. How would one handle a hardware backdoor? LockBit begins dumping data stolen from Bangkok Airways. Registration for CISA’s President’s Cup is now open. Joe Carrigan describes the superiority of AI generated phishing emails. Rick Howard speaks with Art Poghosyan from Britive on Software Defined Perimeters. And China moves to keep minors from wasting too much time in online gaming. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/168

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Possible consequences of the Taliban seizure of Afghanistan's APPS data. Another DeFi platform sustains a cryptocurrency theft. How would one handle a hardware backdoor? LockBit begins dumping data stolen from Bangkok Airways.
Starting point is 00:02:17 Registration for CISA's President's Cup is now open. Joe Carrigan describes the superiority of AI-generated phishing emails. Rick Howard speaks with Art Poghosyan from Britive on software-defined perimeters, and China moves to keep minors from wasting too much time in online gaming. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 31st, 2021. The Taliban's seizure of HIIDE, that's Handheld Interagency Identity Detection Equipment, biometric registration and identification devices, aroused concern when it was first reported, but the risks of that loss, while real, seem likely to be limited. MIT Technology Review argues that a more serious matter is the insurgent government's
Starting point is 00:03:26 acquisition of APPS, the Afghan Personnel and Pay System, used by the deposed government's ministries of defense and the interior. A great deal of data was collected in APPS. Technology Review's sources tell it that each profile in APPS contains at least 40 data fields. Quote, These include obvious personal information such as name and date of birth, as well as a unique ID number that connects each profile to a biometric profile kept by the Afghan Ministry of Interior. But it also contains details on the individual's military specialty and career trajectory,
Starting point is 00:04:22 as well as sensitive relational data. This amounts to a catalog of community connections with anyone whose name appears in a profile flagged as connected in some non-trivial way to the subject of the profile. And, unfortunately, there are signs that the lists are being used in headhunting searches for personnel who served in or were otherwise connected to the former government's military services. APPS data was unprotected by retention or deletion policies and was presumably seized intact. Another DeFi cryptocurrency platform, that's DeFi as in decentralized finance, Cream Finance, has suffered the theft of $29 million.
Starting point is 00:05:03 Cream suspended supply and borrow in the affected AMP market shortly after blockchain security firm PeckShield detected activity that looked like a re-entrancy criminal attack. In general, re-entrancy can occur when a procedure can be initiated, interrupted, initiated again in a second instance, and when both instances can then be run to completion without error. PeckShield tweeted how the robbery worked. The hack is made possible due to a re-entrancy bug introduced by AMP, which is an ERC-777-like
Starting point is 00:05:39 token and exploited to re-borrow assets during its transfer before updating the first borrow. Specifically, in this case, the hacker makes a flash loan of 500 Ethereum and deposits the funds as collateral. Then the hacker borrows 19 million in AMP tokens and makes use of the re-entrancy bug to borrow 355 Ethereum inside the AMP token transfer. Then the hacker self-liquidates the borrow, end quote. And then, of course, Bob's your uncle, or rather the thieves' uncle. Cream tweeted a summary account of the incident yesterday, quote,
Starting point is 00:06:17 Cream V1 market on Ethereum has suffered an exploit resulting in a loss of 418,311,571 in AMP and 1,308.09 in Ethereum by way of re-entrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected. The Record thinks the theft displays some of the unfortunate tendencies in the still-young cryptocurrency world. They argue, quote, this trend of hackers targeting DeFi platforms can be explained by the fact that the cryptocurrency ecosystem is highly unregulated, security is almost an afterthought, and many platforms fail at implementing their underlying technical base, many running buggy contract scripts that can be easily abused by anyone with knowledge of cryptography and C and C++ coding. Global Control points out the potential threat of hardware backdoors in transformers and other power generation, transmission, and distribution equipment.
Starting point is 00:07:23 The essay also notes the limitations of software bill of materials in addressing this risk. Chinese manufactured equipment has received some adverse comment for the potential security risk it poses, but it remains popular because of its relatively lower cost. The issue may illustrate the familiar maxim that lowest cost doesn't always equate to best value. The Register reports that the LockBit ransomware gang has, in the wake of Bangkok Airways' refusal to pay the ransom, begun to release the personal data the gang stole. The size of the data dump is assessed variously, with estimates coming in between 103 gigabytes and
Starting point is 00:08:05 more than 200 gigabytes. The airline has emphasized that the compromise didn't affect safety of flight and it's apologized for the exposure of passengers' personal data. Bangkok Airways has told its customers, quote, for primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible, end quote. And of course, to be wary of any communications they may receive that purport to be from the airline, but that might be phishing for more data. The U.S. Cybersecurity and Infrastructure Security Agency has opened registration for the President's Cup Cybersecurity Competition. Individuals can register through October 4th. Teams have until September 20th to sign up.
Starting point is 00:08:55 CISA describes the President's Cup, which was established in response to Executive Order 13870, as a national cyber competition aiming to identify, recognize, and reward the best cybersecurity talent in the federal executive workforce. Hosting challenges from across the National Initiative for Cybersecurity Education cybersecurity framework, competitors will face a diverse array of challenges and will require an extensive skill set to succeed. And finally, Bloomberg reports that the government of China plans to restrict children's access to online games. During most weeks, young gamers will only be able to play for three hours a week, with some relaxation of the limits on some holidays. Bloomberg summarizes the move as follows,
Starting point is 00:09:43 quote, Gaming platforms from Tencent Holdings Limited to NetEase Incorporated, citing a notice by the National Press and Publication Administration. The new rules are a major step up from a previous restriction set in 2019 of one and a half daily hours most days. End quote. So, a top-down solution, which would seem to require a reliable way of identifying minors. Parents everywhere will agree that wasting time rummaging through the loot boxes and yelling at the screen would be a cross-cultural universal of human youth. China's solution really puts the authority in authoritarian, doesn't it? We'll watch with interest to see how it works out.
Starting point is 00:10:50 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:11:31 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:12:12 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Art Poghosyan is the CEO and co-founder of Britive, a cloud-native identity and access management product.
Starting point is 00:12:46 I wanted to talk to him because his product spans across a couple of security vendor categories. Zero Trust, because you can't do zero trust without a robust identity and authorization program. And SDP, or Software Defined Perimeter, which is a horrible marketing name because the tech involved smashes completely the perimeter paradigm. By the way, Art didn't invent the name. You can blame the U.S. military for that when they came up with it in the mid-2000s. The Britive product just happens to fit into the category. In the general sense, SDP moves the functions of identity verification and authorization away from the workloads that users are trying to get to. In other words, instead of logging into the Linux machine that hosts the data, users log into a completely different system that's not connected to the Linux system at all.
Starting point is 00:13:34 The SDP system verifies your identity, checks if you are authorized to access the Linux system in question, and if you are, establishes the connection. Not to the entire network, just to the specific Linux system. So, Art, let's just back up and talk about the general problem in the industry with all of these cloud deployments. Any company of any size is probably going to be in multiple clouds. And even small companies like mine, we're a startup. We have like 25 different SaaS services that we use to do our stuff. And that's important context.
Starting point is 00:14:06 Even on your examples, being a small business, you already are in multi-cloud. I'll throw an interesting statistic out there. There's research that indicates mid to large size enterprises, 90% of them are already in multi-cloud, including two or more infrastructure-as-a-service platforms, Azure and AWS, GCP, Azure and whatnot, plus 50 to 60 SaaS and other as-a-service technologies. And it's growing. From the standpoint of operational processes, especially in the infrastructure and DevOps, but also on the business side, it's very difficult to have multiple processes given the differences in the cloud technologies and the way the access
Starting point is 00:14:56 and permissions are defined in each of the systems. It becomes extremely inefficient and costly, and most of the time organizations end up granting this access without much control or foresight into how that exposes too much access because they have to do it at a fast pace. support multiple infrastructure platforms, it becomes, again, a very inefficient and costly process to support, let's say, DevOps, CICD pipelines for both Azure and AWS. And all that results in, on one hand, very high operational costs and burden. But from a security standpoint, what it means is
Starting point is 00:15:42 when you have to cut corners and compromise security for the sake of velocity, the outcome is almost 100% of the time you have exposed some access in the cloud that is only a matter of time before it gets exploited. I was reviewing the attack sequence behind the SolarWinds attack, the famous supply chain attack from earlier in the year. It seems to me that if a SolarWinds customer had an SDP solution in place before the attacks, it would have greatly reduced the chances that the attackers would have been successful. I realize that you might be biased here because you sell an SDP product, but would you agree with my assumption? I would not only say that, I would be prepared to defend it.
Starting point is 00:16:22 Because if you look at, yeah, if you kind of break down sort of the whole attack trajectory there, it was a classic, classic scenario that we've been talking about for a few years now. Lateral movement, compromise of a privileged, static privileged credential in the VMware management console, which let the attackers pivot into the Azure environment, gain federated identity controls, set up identity endpoints.
Starting point is 00:16:51 And that was pretty much game over at that point. How a tech like this would have eliminated that exposure is there would not be a static admin access into the VMware console. And any session with that admin level should and would have gone through multiple levels of authorization authentication to verify who the user is before they would be allowed to do that.
Starting point is 00:17:18 That's Art Poghosyan, the CEO and co-founder of Britive. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
Starting point is 00:18:04 company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. You know, over on Hacking Humans, we talk a lot about things like phishing emails and spear phishing and whaling and all those kinds of things. This article from Wired written by Lily Hay Newman caught my eye.
Starting point is 00:18:43 It's titled, AI Wrote Better Phishing Emails Than Humans in a Recent Test. Yeah. What's going on here, Joe? So some researchers from Singapore's Government Technology Agency presented at Black Hat and DEF CON. What they did was an experiment. It was a kind of a small sample size experiment. They wrote 200 phishing emails themselves.
Starting point is 00:19:11 And then they used OpenAI's GPT-3, which is a language generation deep learning model, to generate another 200 spear phishing emails. And they found that the AI-generated phishing emails were more effective than the ones they wrote themselves. So this is interesting because it is a small sample size, right? It's only 200 people. They kind of had inside knowledge about these people so they could tailor these phishing attacks towards these individuals. But the key takeaway here is that the AI generated better click-through results for these phishing emails, more successful click-through results. Yeah. And you know, this speaks to something I think we've wondered about, which is, you know, at what point and to what degree do the bad guys start using some of these AI as a service
Starting point is 00:19:56 platforms for their own purposes? There's a lot of discussion about that in the article. And one of the things the article points out is that it does cost a lot of money to build your own model or to train your own model. You have to have AI experts who understand what the algorithm is going to do. And then you have to spend actual money on hardware to train it because the hardware to do it isn't cheap. It's actually one of the barriers to entry to this field. Yeah. But if you can do it as a service, then... Exactly.
Starting point is 00:20:25 If you do it as a service, for example, with this OpenAI product, actually, Microsoft has licensed the model. Yeah. Right?
Starting point is 00:20:32 But you can still, they have exclusive rights to the underlying model, but you can still go out and use the API, which is what these guys from Singapore did. Mm-hmm.
Starting point is 00:20:40 And you can feed it in some parameters and it spits out really, really effective text. Yeah. And there is, OpenAI is in this article says, we put a lot of tests on our, you know, checks and balances on our system
Starting point is 00:20:54 to make sure that it doesn't get abused. Right. And the people from Singapore's technology agency worked with OpenAI. They didn't just do this out of the blue. They told OpenAI what they were doing. So OpenAI knew about this. But they're not the only people out there with a natural language processing language generator. And it costs millions of dollars right now to train a
Starting point is 00:21:17 model, but in the future, that will not be the case. So this is something we need to start thinking about now. How do we protect ourselves against these things? I say frequently, email is terrible because if I have an email address, I just put a server out there. Anybody can put anything in there. And that's like, I can't think of another, aside from anonymous FTP where you have to deliberately turn on the ability for people to upload things, I can't think of another system on the internet like that. Yeah. It also strikes me that because there are so widely available these data sets about all of us, you know, I could go to a data broker and I'm sure I could find out all sorts of things about Joe Carrigan, you know, hobbies and interests and work history and all those sorts
Starting point is 00:22:03 of things that could be plugged in to some sort of automated system that could then weave together some sort of plausible sounding message that seems like it was written just for you because in a way it was. Exactly. I don't see this becoming a big problem for phishing emails, right? Because of exactly what you just said. In order for these things to be effective, you have to feed the algorithm information about the target. But the fact that an AI model generates more effective spear phishing emails, that's significant. Now, there does need to be further study on this. And both the people from OpenAI and Singapore Government Technology Agency agree that this is just a first bit of research on it. There's much more that
Starting point is 00:22:45 needs to be done, but this is something we need to start thinking about right now. Yeah. Yeah. Interesting. Fascinating. I mean, the business case, if the cost for buying that information from data brokers or, I mean, heck, it's out there on the dark web also. You can download. It's on LinkedIn, right? Yeah. Yeah. Right. So if the cost of doing that is low enough and you combine that with the low price of using one of these AI systems as a service, if your profits from that are high enough, then it makes sense to go in this direction. Absolutely. Yeah. All right.
Starting point is 00:23:19 Well, Joe Carrigan, thanks for joining us. My pleasure, Dave. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso.
Starting point is 00:23:48 Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Puru Prakash, Justin Sabey, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:25:09 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
