CyberWire Daily - Data breaches and responsibility. Where do you get a decryptor for WastedLocker? Third-party risk. Misconfigured databases. Follow-up on the Twitter hack.

Episode Date: July 28, 2020

Cloudflare says that reported Ukrainian breaches aren’t its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the news, as do misconfigured databases that expose personal information. Huawei’s CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/145

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Cloudflare says that reported Ukrainian breaches aren't its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the
Starting point is 00:02:10 news, as do misconfigured databases that expose personal information. Huawei's CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 28, 2020. SiliconANGLE reports that service provider Cloudflare says the breach Ukrainian authorities disclosed over the weekend had nothing to do with Cloudflare and that the company itself was not breached.
Starting point is 00:02:59 Ukrainian authorities had made a point of saying that many of the affected companies were Cloudflare clients. But of course, Cloudflare has a lot of clients. The National Security and Defense Council of Ukraine qualified their initial account, noting in particular that some of the stolen data they found came from older breaches, or as they put it, quote, information on some resources is outdated, end quote. But they continue to maintain that they've seen evidence of some sort of large-scale incident. Cloudflare had this to say to HackRead, quote, We have investigated in detail an alleged leak of DNS information concerning Cloudflare's customers.
Starting point is 00:03:39 The information posted on social media is not the result of a leak or breach of our systems. The published data is available through standard DNS queries on the open internet rather than the result of a leak or breach. Cloudflare provides different services to different customers. Some customers use us for security services. Some use us for performance services. Some customers make use of both. The published information reflects a small fraction of Cloudflare customers who either use Cloudflare only for DNS resolution or only for performance services, and therefore have not configured Cloudflare to secure their origin server. Security firm Trend Micro has described a PHP web shell its researchers call Ensiko, which they say has both remote code execution and ransomware capabilities.
Starting point is 00:04:32 The ransomware functionality is only one of Ensiko's many features. Trend Micro says it's capable of scanning servers for the presence of other web shells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute force attacks against file transfer protocol, cPanel and Telnet, overwriting files with specified extensions, and more.
Starting point is 00:04:59 Which is already a lot. It's also thought likely to be resistant to the sort of vigilantism that's recently hobbled Emotet. Garmin confirmed that it sustained a cyber attack last Thursday, ABC News reports, and that while its online services were disrupted and some files were encrypted, it's restoring services and has concluded that no customer data were compromised. Despite noting that files were encrypted, Garmin did not characterize the incident as a ransomware attack. Wired writes, as others have been writing, that it was an attack by Evil Corp using WastedLocker
Starting point is 00:05:37 ransomware. Sky News reported that Garmin had obtained a decryption key that enabled it to recover its files, but that the company did not directly make a payment to the hackers. This doesn't rule out that payment might have been made through a third party, and as Decrypt notes, that wouldn't necessarily protect Garmin from exposure to U.S. sanctions enforcement. Evil Corp. has been under sanctions since December. Another ransomware attack has moved from a third-party vendor to its intended target. The Wall Street Journal reports that customer data was taken from SEI Investments when M.J.
Starting point is 00:06:15 Brunner, developer of an investment dashboard used by SEI, was compromised and the information was lost. SEI says its own systems weren't hacked. This is another case of third-party risk or perhaps nth-party risk. SEI Investments manages funds. Some of its own clients were Angelo Gordon & Company,
Starting point is 00:06:36 Graham Capital Management, Fortress Investment Group, LLC, Centerbridge Partners, and Pacific Investment Management Company. They were all exposed to the breach at MJ Brunner through their business relationship with SEI Investments. So the breach at Brunner affected data belonging to SEI, which in turn affected SEI's clients. Computing quotes Zero Hedge as ascribing the incident
Starting point is 00:07:01 to a RagnarLocker ransomware attack. Brunner declined to pay the ransom, and RagnarLocker responded by dumping some 500 gigabytes of stolen information online. The data included usernames and passwords, as well as SQL files with live client data. We've spent a good deal of time covering the shift to working from home triggered by the pandemic and the related security issues. It's going to be a while before things get back to normal, but some states are reopening in fits and starts, and that means some employees are heading back to
Starting point is 00:07:36 the office. Dave DeWalt serves on the board of SafeGuard Cyber and is the former CEO of FireEye. He joins us with insights on the evolving threat landscape expected with returning to the workplace. As you see innovation continue to, you know, pick up speed and accelerate, you know, so do the vulnerabilities due to that technology adoption. And the more vulnerabilities you have, the more, you know, opportunities for attackers. And when you have the underlying premises of, you know, lack of governance of the internet, anonymity of the internet that it provides, now 50-plus nation states all with offensive activity, hundreds of criminal groups, terrorist groups, you have this, you know, perfect storm, this melting pot of things that are going on. So, you know, now add to it social
Starting point is 00:08:31 domains. I mean, one of the hottest areas right now is information warfare and influence ops in the social domains. Now with 3 billion plus users in these social domains and the virality of content and deep fakes and false information on there. I mean, we really have a whole new domain with billions of users without much security or privacy really baked into the core architecture. And whenever we've seen a new attack surface created like that, a lot of bad things start to happen. So,
Starting point is 00:09:06 you know, add to that, you know, drones flying in the air, satellites in space, industrial networks, cryptocurrency systems. You know, it's a wonderful thing from a capital innovation point of view. But when you're looking at it from a security point of view, it's a little daunting to how we protect all these new domains as they grow very quickly. What sort of advice do you have for folks who are trying to make their way through this, trying to navigate this new reality that we're in? Well, you know, a lot of things. You know, one is, you know, I have a lot of empathy for security professionals around the world and a lot of pride. I really, truly believe that the security professional
Starting point is 00:09:46 will become more and more important. What an opportunity. If you're a chief trust officer, chief security officer at major corporations around the world, what an opportunity, honestly. I've watched over the last years, the rise of importance of this professional area inside companies.
Starting point is 00:10:05 And I believe one of the silver linings coming out of this COVID window will be the increased inertia of digital transformations. A lot of brick and mortar kind of companies, retailer companies are realizing that, wow, what a power model we now have on online and e-commerce models, way more than we even thought. And so, you know, how do we, you know, integrate all of that digital transformation and harden security into that? So security professionals will now have an opportunity, perhaps, you know, one of which we had never seen before, to really be a core part of the business, not just protecting, you know, the IT networks that they once had.
Starting point is 00:10:50 So, interesting window, and, you know, as they always say, may we live in interesting times. This is clearly interesting times. That's Dave DeWalt from SafeGuard Cyber. A more familiar, more easily understood risk has also surfaced again: misconfigured databases held in the cloud and left exposed to unauthorized users. Front Rush, a provider of athletic recruiting and amateur athletic management software, disclosed that one of its AWS S3 buckets was left exposed to the Internet. It contained personally identifiable information.
Starting point is 00:11:27 The data included transcripts, injury reports, or athletic reports that were placed in the platform by institutions. Also in the bucket were attachments uploaded by student athletes or prospective athletes or their parents and guardians in response to prompts in a recruitment questionnaire formulated and disseminated by the institutions. And finally, what is it with celebrity-centric voyeurism? Twitter's recent black eye over the compromise and takeover of a large number of high-profile
Starting point is 00:11:58 accounts seems to have been long in preparation. We've heard that about 1,500 employees and contractors had the sort of control panel access required to reassign accounts. Bloomberg has been talking to former Twitter employees and reports that it's been that way for some time. Bloomberg writes, quote, the controls were so porous that at one point in 2017 and 2018, some contractors made a kind of game out of creating bogus help desk inquiries. Those inquiries allowed them to peek into celebrity accounts, including Beyoncé's, to track the star's personal data, including their approximate locations gleaned from their device's IP addresses, two of the former employees said. Twitter has a complex business and a lot of privacy balls in the air, but Bloomberg's look at the ongoing investigation into the recent socially engineered security incident concludes that the company does seem to have placed its priorities on growth and revenue, and not devoted as much time and attention to security, and in particular, security against potential insider threats. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:13:28 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:14:24 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at
Starting point is 00:15:05 Starbucks. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal Thank you. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Happens to me quite often. I'll be walking down the street and people will stop me and they'll say, Dave, I love hearing that Ben Yelin on the CyberWire podcast. I wish I could hear more of him. And I respond to them and I say, well, you're in luck because he is also my co-host on the Caveat podcast where you get to hear Ben talk for much longer periods of time in much more depth about legal and policy issues. We give the people what they want.
Starting point is 00:16:24 That's what we're here for. If you have not yet checked out the Caveat podcast, what are you waiting for? Give it a try. It's a good, fun show. So we'll move past that pitch and move to our topic for today. This came across my desk, and I thought this was right up your alley, Ben. This is from the folks at the EFF, the Electronic Frontier Foundation. And it is a website called atlasofsurveillance.org. What's going on here? So friend of the show, Electronic Frontier Foundation. By friend of the show, I mean we're fans of theirs and we wish they were our friends.
Starting point is 00:17:01 But they do fantastic work, obviously concerned about civil liberties issues in the age of technology. And they put together this really cool atlas of surveillance. They map the entire United States, and for each, both state and locality, they list, and it's very well sourced, which surveillance methods are used. So for example, I can zoom in and see that in Baltimore City, where I work, and in the area in which we live, we use cell site simulators. In the state of Maryland, there's broad use of automatic license plate readers, facial recognition technology used by the Maryland Vehicle Administration. And that's all very well marked in this map here. So they track things like those things I just mentioned. Also police departments that have body-worn cameras,
Starting point is 00:17:55 the use of drones. We know that that's something we've discussed that's going on in Baltimore City is they have unmanned aircraft taking surveillance photos. That's all accounted for here. What are some of the practical uses of this? I mean, is it as simple as it could be just for awareness, sort of an eye-opening kind of thing, or is this a good research tool for some folks as well? So it's mostly an awareness thing. I mean, certainly for citizens living in these jurisdictions, it's good for us to know which methods are being used. You know, it's good for democracy because we can make policy decisions with more complete information. So if I had problems with the fact that Baltimore City,
Starting point is 00:18:36 you know, is using cell site simulators, maybe I find out by going to this database and actually, you know, I can contact my state legislature or, you know, the city council and say, I don't like the way this technology is being deployed. One thing that I'm sort of fearful of is it also could be potentially useful for law enforcement, and I'll explain why. Obviously, for the Fourth Amendment, everything is about whether you have a reasonable expectation of privacy. And if a feature like this became so ubiquitous that it was very widely known which jurisdictions were using automated license plate readers, then, you know, theoretically, at least, citizens would have a diminished expectation of privacy, and thus it would be more unlikely for a court to find that a Fourth Amendment violation has occurred. I think we're an extremely long way from there,
Starting point is 00:19:31 just because, A, that standard is pretty malleable, and B, you know, besides me and you and other surveillance nerds out there, I think most people happen to come across this atlas of surveillance. But that's something I would certainly think about in the long run. Yeah, one thing that struck me with this was, you know, there are some things that would grab my attention in one way. In other words, if I saw that my local town was using predictive policing, well, that is something that would grab my attention and I would want to go find out more about why that was happening. That would be a concern of mine. But I could see the flip side if I also looked at my locality and saw that, for example, my police department was not using
Starting point is 00:20:16 body-worn cameras. Well, I think, you know, that might be something that I'd want to ask, why not? You know, but maybe that's something that I feel is a good way to keep, you know, track of perhaps what law enforcement is up to. That's a good type of surveillance to keep everybody, you know, a little more on the straight and narrow. Absolutely. You know, I think that's a very effective tool. And as I said, you know, that could be used as a way for you to try and change policies. I should also note one thing that's very cool about this is it's crowdsourced. So you can volunteer to help build this data set, but you can also submit a data point. So let's say you live in a really small jurisdiction, a small town that's not already listed in this atlas. You can write in and say, well, I know that our local police department uses predictive policing.
Starting point is 00:21:08 This is how they do it. Here's a news article on it. And they'll actually post it on this atlas. So it's a way for people who care about this stuff to get involved. Yeah. All right. Well, the website is atlasofsurveillance.org.
Starting point is 00:21:24 If nothing else, it is fun to play with. So check it out. Absolutely. Geek out on these maps. I certainly have myself. Right. All right. Well, Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
Starting point is 00:22:13 how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:22:52 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:24:00 Learn more at ai.domo.com. That's ai.domo.com.
