CyberWire Daily - DDoS as a holiday-season threat to e-commerce. TikTok challenge spreads malware. Meta's GDPR fine. US Cyber Command describes support for Ukraine's cyber defense.

Episode Date: November 29, 2022

DDoS as a holiday-season threat to e-commerce. A TikTok challenge spreads malware. Meta's GDPR fine. Mr. Security Answer Person John Pescatore has thoughts on phishing resistant MFA. Joe Carrigan describes Intel's latest efforts to thwart deepfakes. And US Cyber Command describes support for Ukraine's cyber defense.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/227

Selected reading.
Holiday DDoS Cyberattacks Can Hurt E-Commerce, Lack Legal Remedy (Bloomberg Law)
TikTok 'Invisible Body' challenge exploited to push malware (BleepingComputer)
$275M Fine for Meta After Facebook Data Scrape (Dark Reading)
Before the Invasion: Hunt Forward Operations in Ukraine (U.S. Cyber Command)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. DDoS as a holiday-season threat to e-commerce. A TikTok challenge spreads malware. Meta's GDPR fine. Mr. Security Answer Person John Pescatore has thoughts on phishing-resistant MFA.
Starting point is 00:02:18 Joe Carrigan describes Intel's latest efforts to thwart deepfakes. And U.S. Cyber Command describes support for Ukraine's cyber defense. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, November 29th, 2022. Good day to you all. We trust you survived Cyber Monday with your wallet and your reason intact, and that you weren't drawn into an uncontrollable vortex of avaricious delirium. Or at least you didn't,
Starting point is 00:03:13 you know, spend too much or get ripped off. Anyway, today, by recent tradition, is Giving Tuesday. We hope everyone takes a moment to think about donating to some good cause, and that when you do, you remember to stay safe. Now on to the news. We tend to think of cybercrime during the holidays as basically representing the threat of fraud. That it surely does, and the possibility of being scammed is rightly at the top of the online shopper's mind. But that's not the only threat out there. Fraud is a demand-side threat, but there are supply-side threats too.
Starting point is 00:03:51 So while consumers look to protect themselves from scams when shopping online during the holidays, retailers face an additional challenge: DDoS attacks intended to make their sites unavailable to customers. Bloomberg Law reports that the motives for such attacks against e-commerce sites vary. They can be anything from extortion by a gang to economic disruption by a nation-state's intelligence service. They can range from hacktivist protests to some loser out to cause trouble for the simple lulz trouble brings.
Starting point is 00:04:29 While distributed denial-of-service attacks are usually of relatively short duration, measured in minutes or at most hours and almost never lasting for days, they can nonetheless exact a significant toll from affected merchants. Online commerce is time-sensitive. If the designer galoshes you intended to buy from runwaywellington.com can't be purchased because runwaywellington.com is unavailable, you, e-consumer, will probably just bop on over to leonshouseofrainwear.com and buy them there. Unfortunately, as Bloomberg Law points out, the merchants who are victims seldom have any realistic legal recourse to DDoS attacks. Often, you don't know who they are or where they are, and even when you can find these things out, the perpetrators are commonly out of reach anyway.
Starting point is 00:05:17 Holed up somewhere, a protective government will refuse to either extradite them or respect the ruling of a court. Better to take precautions against DDoS than to try suing the perpetrators after the fact. Have you seen the latest TikTok challenge, TikTokers? It involves asking you to pose naked using a filter called Invisible Body. But it's okay, probably even safe for work, not that we'd recommend it, because Invisible Body replaces the unclad version of you with a blurred outline. And of course, the story doesn't end there.
Starting point is 00:05:52 Those of you of a certain age will remember ads in old comic books for x-ray specs, cheap and bogus glasses that supposedly would let the wearer see beneath people's clothes. It turns out the market for x-ray specs has been updated to the digital age because fraudsters are offering a filter that takes out the blurriness, just the way x-ray specs would do away with those tiresome clothes. Anywho, as you can imagine, the defilterizing filter is a scam. Not only does it not work, but it carries the WASP info-stealing malware as a payload. Researchers at security firm Checkmarx sourly observe that more than 30,000 people with nothing better to do
Starting point is 00:06:37 have joined the attacker's Discord server, and it's trending. The Irish Data Protection Commission has fined Facebook's corporate parent Meta 265 million euros over a breach that affected personal information of hundreds of millions of Facebook users, the BBC reports. The case is an unusual one in that most of the data obtained
Starting point is 00:07:00 and subsequently dumped on an online forum had been scraped and not hacked. The Data Protection Commission found Meta in violation of Article 25 of GDPR. The commission noted in its decision that this wasn't Facebook's first brush with unwelcome and illicit data scraping. The BBC quotes a Facebook spokesman as saying, We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules,
Starting point is 00:07:34 and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully. U.S. Cyber Command yesterday released a brief and general account that provides some additional insight into when U.S. support for Ukraine's cyber defense began and what the nature of that support was. The U.S. Cyber National Mission Force deployed a large hunt-forward team in December of last year to work with Ukraine's own Cyber Command. That initial deployment continued through March of this year. Despite the aggressive-sounding name, hunt-forward operations are, according to U.S. Cyber Command, defensive in nature. The hunting
Starting point is 00:08:16 is conducted in the networks being defended. They say hunt-forward operations are purely defensive activities and operations are informed by intelligence. While U.S. Cyber National Mission Force personnel are no longer physically deployed in Ukraine, continued direct support of Ukraine's cyber defenses continues. The agency says Cybercom remains committed and continues to provide support to Ukraine, other allies, and partner nations with U.S. joint forces aligned and supporting the European theater. This support included information sharing of threats and cyber insights, such as indicators of compromise and malware. For example, in July 2022, CNMF publicly disclosed novel indicators to cybersecurity
Starting point is 00:09:04 industry partners in close collaboration with the Security Service of Ukraine. None of this, of course, takes away from the work Ukraine's cyber operators have done to defend their country's networks, but it does shed some additional light on why Russian cyber offensives have generally fizzled. So good hunting forward, Cyber National Mission Force. Coming up after the break, Mr. Security Answer Person John Pescatore has thoughts on phishing-resistant MFA. Joe Carrigan describes Intel's latest efforts to thwart deep
Starting point is 00:09:46 fakes. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:10:27 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:09 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode comes via email.
Starting point is 00:12:13 The question is, I hear folks on this podcast say that FIDO keys are better than one-time codes because even a person-in-the-middle attack will fail. Can you explain how this works? And importantly, when a person-in-the-middle attack could still work, such as if there are misconfigurations. Thanks. Well, Mr. Security Answer Person tends to specialize in tongue-in-cheek answers to broad, lightweight questions, so this one is a nice change of pace. Let's first set a baseline here, though. Reusable passwords are the root vulnerability for over 80% of successful breaches. Reusable passwords are a form of what-you-know authentication,
Starting point is 00:12:49 just like mother's maiden name, color of first car, etc. type answers are. These approaches rely on a shared secret, or as NIST defines it, a secret used in authentication that is known to the subscriber and the verifier. That shared secret is what enables phishing to succeed. If an attacker can get between you, the subscriber, and the site you want to access, the verifier, or trick you into giving up the secret directly, the game is over. Public key-based authentication does not have a shared secret.
Starting point is 00:13:19 All entities have a private key that they share with no one and a cryptographically related public key that has to be maintained at a trusted site, like a directory service or certificate authority. The elegant math behind all this allows a subscriber to be verified as long as there is a common and reliably accessible source of trustable public keys, which has been the obstacle to adoption in the past. In the old days, when the telephone was the heart of all communications, we had trustable centralized directory services, such as dialing 411 or using hard copy phone books. Cell phones and the internet broke that. There are no central directories of email addresses or cell phone numbers.
Starting point is 00:14:00 Instead, silos of directories evolved, mostly Microsoft Active Directories at businesses, or contact lists on cell phones, or bookmarks in web browsers, or email service-specific address books for individuals. Efforts in the past to agree upon standards and trusted third-party directories failed, because of the big IT players. If you want to see the history, search on Sun's Liberty Alliance versus Microsoft Passport. And the big business players like banks all wanted to maintain control of user enrollment and authentication so that no one could get between them and their customers. But in recent years, the cost of successful phishing attacks has changed the economic equations for businesses and cell phone users. Cell phone users have become accustomed to strongly authenticating to their phones via fingerprint sensors and facial recognition, and to having high-value services
Starting point is 00:14:49 like banks require the use of those text messages to phones to prevent phishing from succeeding. All of that has caused today's big IT players, namely Apple, Google, and Microsoft, to, at least for now, put down their swords and play nicely together in backing the FIDO2 WebAuthn standards for what has become known as Phishing Resistant Multi-Factor Authentication, or passkeys. Done right, passkeys can be created for logins and stored on iPhones, Android phones, and even Windows PCs and used across a variety of services and platforms
Starting point is 00:15:22 with high barriers against man-in-the-middle and other attacks. So, here's, finally, the direct answer to your question. SMS text messages for multi-factor authentication greatly raise the bar against phishing but are still vulnerable to man-in-the-middle attacks, and bypass attacks too. When done right, passkeys implementing the FIDO2 WebAuthn standards are very secure. However, misconfigurations are still possible and backup processes for when something goes wrong need to be in place and tested. Note above I said, when done right. We are still in the very early days of passkey implementation and adoption.
Starting point is 00:16:01 As we all know, very rarely is software anywhere near trustable before version 3.0 or sometimes version 30.0. Look for many reports of vulnerabilities in early implementations. We also have to see if the major social media platforms join the standards bandwagon and that all the IT providers avoid the temptation to vary from those standards. None of those concerns should slow anyone down from moving from reusable passwords to standard-based passkeys early and often. Seatbelts were uncomfortable at first,
Starting point is 00:16:31 and airbags sometimes deployed unexpectedly early on, but they have saved millions of lives since those early days. If you really want to poke a stick in the eyes of the criminals, passkeys are a great stick to use. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on The Cyber Wire. Send your questions for Mr. Security Answer Person to questions at thecyberwire.com. And joining me once again is Joe Carrigan.
Starting point is 00:17:28 He is from Harbor Labs and the Johns Hopkins University Information Security Institute and my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. How are you? Doing well, thanks. Interesting article from the folks over at VentureBeat. This is written by Sharon Goldman, and it's titled, Intel Unveils Real-Time Deepfake Detector Claims 96% Accuracy Rate. What's going on here, Joe?
Starting point is 00:17:53 So this is called FakeCatcher, and Intel is saying that it is the first real-time detector of deepfakes, has a 96%, just like you said, accuracy. But it is using something interesting. It is not looking for artifacts within the actual deepfake. It's working on video. It's working specifically on video. It is based on a technique called photoplethysmography. And that's a very hard word to say. So I'm just going to say PPG from now on.
Starting point is 00:18:26 And what PPG is, is it is a measurement of what's going on in your skin. In this case of the amount of blood that flows in and out of your skin. You see every time your heart beats, the amount of blood in all your blood vessels changes. And that is measurable in computer vision systems. Your skin actually gets a little redder when that happens because there's more blood closer to the surface. You and I never see it because our eyes are not as sensitive as a computer camera is.
Starting point is 00:18:59 And there's been tons of different things where you can go and look at samples of colors that are one bit off, and you can't tell the difference. But a computer can tell the difference very easily. Right. So if you have something with a higher grain sensitivity, if you will, then you can easily detect that someone's heart is actually pumping. And in fact, Face ID uses the same technology or something very similar to it. And you and I were talking earlier, and one of the points that you made is that Face ID doesn't work on a cadaver. So if you need to unlock someone's phone and they've already passed, putting their face up to it won't work because their heart is not pumping and there's no blood flow change in
Starting point is 00:19:40 their face. And Face ID won't work. Yeah. My understanding with Face ID is that it's, in fact, it's using infrared illumination, which really highlights the, you know, the blood pumping through the veins. It, I think it, you know, it sees through that first layer of skin. That's comforting. Apple is seeing through your first layer of skin. Well, you know. Yeah. You make your sacrifices for your companies, right?
Starting point is 00:20:05 Right, right. They go on in this article to talk about how important it is to detect deepfakes and be able to identify them. And they talk about the history of the challenges with it. In 2020, there was a group from Google and Berkeley that showed that AI systems that were trained to distinguish between real and synthetic content were susceptible to adversarial attacks. And Intel is claiming here that their method is less susceptible because there's no big PPG data set out there to use to build fakes that will be
Starting point is 00:20:40 able to get by their detector, which is interesting, I think. I'm hopeful about that comment, but I'm also a little skeptical about it. I think that, I don't think that this is something that's remarkably hard to fake. Maybe it is. Maybe it's something that's very, very hard to fake without a large data set.
Starting point is 00:21:01 Right. And if that's the case, maybe there are some adversaries out there that will begin building large data sets of these things or large enough data sets. They don't have to be super large. They just need to be large enough to fool this particular model. And of course, what does that mean? That means, well, we're looking at another arms race situation. Right now, it looks like Intel is in the lead, this PPG-based deepfake detector. But I am worried that in the future, this will just become another part of the deepfake generation software that's already out there. It strikes me that if it's looking for a rhythmic, slight, subtle change in the color of someone's skin tone, that that's not a hard thing to write a filter to do automatically over any video, really. Right.
Starting point is 00:21:59 And that's my fear. Now, maybe there's more to it that Intel's not discussing here, which I would almost guarantee is the case. They're not telling you all their trade secrets in an immediate interview, right? So maybe you need to get on the back end and figure it out, figure out what it is, run a bunch of tests and see what happens. Or maybe you just need to look at a real video yourself and start looking at the data sets and seeing what it is and then maybe just coding it. I don't know. I would like to think that Intel's right here. I would really, really, really like to think that. I am not as optimistic as this spokesperson from Intel is. But that's just me, right?
Starting point is 00:22:40 Yeah, well, it's good that they're working on this. I mean, it shows that there's... I think this is good work. I don't mean to disparage the work. The work is good and important work. And I think that everything we can have that can authenticate media is great. And I appreciate Intel doing this. All right. Well, again, the work from Intel is titled FakeCatcher. And this article comes from the folks over at VentureBeat.
Starting point is 00:23:06 Joe Carrigan, thanks for joining us. It's my pleasure. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:23:39 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thanks for listening. We'll see you back here tomorrow. and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
Starting point is 00:25:31 and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
