CyberWire Daily - DPRK cyber ops. Poland warns of Russian cyber activity. Twitter’s data incident. A crypto trading exchange is rifled. Ransomware shuts down the Port of Lisbon. Small business opportunities.
Episode Date: January 3, 2023Recent DPRK cyber operations: spying and theft. Twitter’s data incident. 3Commas breached. Poland warns of increased Russian offensive cyber activity. Port of Lisbon hit by ransomware. DHS announces... SBIR topics. New additions to the Known Exploited Vulnerabilities Catalog. Ben Yelin on the legal conundrum of AI generated code. Our guest is Tanya Janca from She Hacks Purple with insights on API security. And, news flash! LockBit says they have a conscience. (Yeah, right.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/1 Selected reading. Recent DPRK cyber operations: spying and theft. (CyberWire) Twitter targeted in extortion hack. (CyberWire) 3Commas' API compromised. (CyberWire) Russian cyberattacks (Special Services) LockBit activity over the holidays. (CyberWire) CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA) DHS Small Business Innovation Research (SBIR) Program FY23 Solicitation (SAM.gov) The SBIR and STTR Programs. (SBIR/STTR) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Recent DPRK cyber operations, Twitter's data incident, Thank you. New additions to the known exploited vulnerabilities catalog. Ben Yellen on the legal conundrum of AI-generated code.
Our guest is Tanya Jenka from SheHacksPurple with insights on API security.
And newsflash, LockBit says they have a conscience.
Right.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, January 3rd, 2023.
Good day to you all and Happy New Year. It is great to be back.
Researchers at Kaspersky warned that North Korea's BlueNorof group is using several new methods to deliver malware. Blue Noroff began using.iso and.vhd files to deliver their malware,
which allows them to bypass Mark of the Web flags. The threat actor also seems to be testing out
other file formats for malware delivery. The threat actor set up multiple domains that
impersonate venture capital firms, most of which were located in Japan, but Blue Noroff also
impersonated Bank of America. Be sure you know with whom you're dealing. At the end of December,
it emerged that the data of millions of Twitter users have been stolen and were held for ransom.
The hacker, who claimed responsibility and goes by the name Ryushi, claims to be selling data of over 400 million Twitter users obtained in 2021, bleeping computer reports.
The data was accessible because of a since-patched API vulnerability.
Spiceworks reports that the hacker demanded $200,000 in ransom from the social media outlet for the data to be deleted,
or if not bought by Twitter, it would be sold to buyers
willing to fork out $60,000 a copy. Bloomberg reports that Ireland's Data Protection Commission
began a probe into Twitter on Friday, December 23rd. Estonia-based cryptocurrency trading service
3Kamas fell victim to a breach at the hands of an anonymous Twitter user
that obtained 100,000 API keys belonging to users of 3Commas. Decrypt reports that $22 million
in crypto had been stolen through 3Commas API keys that were compromised, and the company
confirmed that it was the source of the leak on Wednesday of last week.
The company insisted that the issue lies with phishing attacks that caused users to give up their data.
Yuri Sorokin, co-founder of 3Kamas, pushed this idea until Wednesday
when he confirmed on Twitter that the hacker's data is accurate, stating,
We are sorry that this has gotten so far and will continue to
be transparent in our communications around the situation. Coindesk reports that the anonymous
Twitter user identifying themselves as the hacker published more than 10,000 of the API keys last
Wednesday and says that they will be publishing full randomly in the upcoming days.
The government of Poland warned over the weekend that Russian cyber attacks against third-party countries that have supported Ukraine during Russia's war can be expected to increase.
As one would expect, the statement draws particular attention to the Russian threat to Poland in cyberspace.
The Russian target list is expansive,
covering a range of sectors,
and hacktivist auxiliaries continue to play a significant role
in the Russian offensive.
The motivation is retaliatory.
Polish officials state,
such incidents in cyberspace are retaliatory actions typical of Russia,
which are a response to steps taken by other countries
that are
unfavorable and inconvenient for the Russian Federation. Hacker groups linked to the Kremlin
use ransomware, DDoS, and phishing attacks, and the goal of hostile actions coincides with the
goals of a hybrid attack, destabilization, intimidation, and sowing chaos. Portugal's
port of Lisbon sustained a cyber attack that took its website
offline, Cyber News reports. The extent of the attack is unclear, though port officials stated
that operational activity was not compromised. The Lockbit gang has claimed responsibility
and also claims to have stolen financial reports, cargo and crew information, customer data,
mail correspondence, and contracts. The gang is threatening to publish the stolen data
if the ransom isn't paid by January 18th. The U.S. Department of Homeland Security last week
announced its latest round of solicitations under the Small Business Innovation Research Program, SBIR.
Five of them are relevant to cybersecurity,
including accurate and real-time hardware-assisted detection of cyberattacks,
machine learning-based integration of alarm resolution sensors,
mission-critical services server-to-server communication,
voice communications, and 3GPP standards,
reducing order modeling of critical infrastructure protect
surfaces, and finally, theoretical classification methodologies to enable detection with predicted
signatures. If you're a U.S. business, particularly a cybersecurity startup that's engaged in some R&D,
you might well look into the SBIR program and the related Small Business Technology Transfer program.
They are small business administration efforts that are used by many federal agencies,
including the Department of Homeland Security, the Department of Defense, and other departments and independent agencies.
Many of them have a strong interest in cybersecurity,
and some of their topics, like those DHS announced last week,
address cybersecurity. Think of it as angel funding. SBIR has three phases. Phase one is
designed to establish the technical merit, feasibility, and commercial potential of the
proposed research, and to determine that the small business is in fact able to perform.
determine that the small business is in fact able to perform. Phase 1 awards can range between $50,000 and $250,000 for six months in the case of SBIR or of one year for STTR awards. Phase 2 awards
are designed to build on Phase 1. They generally amount to $750,000 for two years. The final award,
to $750,000 for two years. The final award, Phase 3, is interesting in that it brings no direct additional funding. Rather, it involves transition of the R&D into products, processes, or services
that can be bought and used by the federal government. Some surprisingly large businesses
have got their start with SBIR funding. For an overview of the program, see sbir.gov.
The U.S. Cybersecurity and Infrastructure Security Agency
on Thursday added two new entries
to its known Exploited Vulnerabilities Catalog.
Under Binding Operational Directive 22-01,
U.S. federal civilian executive agencies
have until January 19, 2023,
to check and fix their systems.
And finally, the earlier-mentioned Lockabit operators claim they're not just big-time criminals,
the kinds of gonifs who can mess up operations at a major port,
but they're also selective, the crooks with a heart, and so they avoid hitting targets like hospitals.
But what, you'll ask, about the ransomware attack against a major Toronto's children's hospital?
Well, they have an explanation and even an apology. Bleeping Computer reports that the gang released, without charge, a decryptor for the ransomware used against sick kids,
that is, the Toronto Hospital for Sick Children. The gang blamed
an affiliate, stating, we formally apologize for the attack on Sick Kids and give back the
decryptor for free. The partner who attacked this hospital violated our rules, is blocked,
and is no longer in our affiliate program. So, okay then. But before you gush with admiration at LockBit's social
responsibility, consider you'd think it wouldn't take a hermeneutical expert to be able to interpret
an online name like Sick Kids as maybe something you'd want to put a no-fire area around.
Coming up after the break, Ben Yellen on the legal conundrum of AI-generated code.
Our guest is Tanya Jenka from SheHacksPurple with insights on API security.
Stay with us. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Tanya Jenka is Director of Developer Relations and Community at Bright Security,
as well as the founder and CEO of WeHackPurple, an online learning community that revolves around teaching everyone to create secure software.
I caught up with Tanya Jenka for her insights on where we stand when
it comes to API security. A lot of software developers are making more APIs than ever
before because they've discovered it's a lot easier to maintain and make sure you have good
uptime if you're doing a whole bunch of pieces rather than one gigantic monolithic application.
But unfortunately, malicious actors seem to have really noticed this
trend. And so they're focusing on attacking APIs more than ever before. And APIs used to be all
sorts of things, right? Like an API can be on your operating system, like on the host. It can be
between computers over the internet. It could be just on a local LAN. There's all sorts of different
ways that APIs work. But when people talk about them right now, most of the time what they're talking about
is a web API or a web service. So an API that's available over the internet. And so there's lots
of types of APIs, but that's the one mostly everyone's talking about. And when it comes
to vulnerabilities and the ways that the bad guys are coming at them, what are the types of things that you typically see?
Definitely, I am seeing a lot of brute force attacks, basically bots calling your API a zillion times, calling your API in every way they can think of, fuzzing your API.
So figuring out how you're supposed to talk to it.
And that's like, how can I talk to it in a way that is not ideal for that poor little API on
the internet? So I'm seeing a lot of that, like trying to overwhelm and break your way in. And
then I'm also seeing a lot of all the same stuff that works on web apps, except for output encoding
or cross-site scripting. So things that don't need a browser to do the attack, like cross-site
scripting requires a browser. Every other thing, I'm seeing those attacks.
So all sorts of injection attacks, like SQL injection, no SQL injection, LDAP, etc.
So the things that we saw before that were problems are still all happening.
Plus a lot of bots and overwhelming of people.
A lot of bots and overwhelming of people.
Are there any common things that you see from the organizations that are being successful here and mitigating these sorts of things?
Are there common elements that they do?
Definitely companies that, first of all, have an application security team. So that could be one or more people where their entire job is just dedicated to ensuring their organization is releasing more secure software. So that's one
thing, like having one or more people dedicated to that, like that's their full-time job.
The other side of that, which is what that's like people spend a ton of their time doing
is making sure that they're following. And by they, I mean the software developers,
the DevOps team, the operations folks,
following a secure system development lifecycle.
So if you're doing Waterfall or DevOps or Agile,
whatever methodology you want to follow to make software,
just adding security touch points throughout the project
and making sure that the thing actually happens.
So you don't just say we're going to do a secure code review,
you actually ensure that it happens
and the things that are found are remediated
as part of the project's requirements.
And so companies that are doing one or both of those
tend to have way better results
because it's, how do I word this?
It's legitimate.
So there's a policy that says you have to do these things.
There's support from upper management.
But if you just have a software developer who feels security is really important,
but they have no authority to actually change anything,
they don't have buy-in from the management levels,
it's a lot harder to get anything done, Dave.
So what are your recommendations then?
I mean, for folks who want to do a better job with this,
want to wrap their arms around it,
where are the good places to begin? Okay, so I feel that having some sort of secure system
development lifecycle for APIs, web apps, IoT, whatever you're building, if you need to gather
requirements, have some security requirements. Even if it's just one security requirement to start, it's way better than zero. And then when you're doing the design,
there's a bunch of options you could do. You could do like a whiteboarding exercise where
you draw the architecture and discuss where there could be problems. You could do threat modeling.
There's a lot of different things in the design phase that people often say there's no time for.
I'm like, you spent six weeks designing it.
You didn't have an hour to do a threat model,
but it's about having the people on staff to do it.
So if each phase has one security thing, just one,
the thing you're going to publish will be a lot better.
So I always start with that.
For API specifically, if possible,
create some sort of standard or guideline
for what the best practices are or
the policy where you work. So for instance, if your API is going to be on the internet,
I would love for it to be behind an API gateway so it can do authentication and authorization.
And what I mean by that is, who are you and should you even be here? Which sounds silly,
but so if everything goes through this gateway,
that means you can make sure you know who's connecting
and they are who they say they are
and that they should be even allowed to connect.
And then turning on throttling and resource quotas,
which is included in most API gateways
so that you don't have these huge cloud bills from bots
just beating up like incessantly on your APIs.
So that's one good starting point that I would put in a policy.
So if it's public facing, it's got to be behind this.
These are the settings we need.
You know, if you need a license, the security team will set you up.
You know, here's a little guideline we wrote about how to do it.
And so if you can develop a policy or guideline or something
so that the developers know what you want from the start.
And so those are things I would put on there. I also tend to remind software developers about
the security things you should do for web apps. They still almost all apply for API. So we don't
have to do that output encoding, but every other thing we got to do. So we still need you to do logging, monitoring,
and maybe even alerting on things that seem disconcerting. Oh, did someone try to log in
10 times in under a second? That feels like a bot, not like a person. And so going through those
things, like making sure you follow a secure coding guideline. Anyway, I'll go on and on, Dave. I'm sorry.
But I feel like if you can have some security steps in your SDLC
and you can have guidance
to the software developers
about what you want to see,
you will get way more
of what you want in life.
That's Tanya Jenka
from Bright Security
and WeHackPurple. And We Hack Purple.
And joining me once again is Ben Yellen.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Welcome back, Ben.
Thank you for having me, Dave.
So, article over on the IEEE Spectrum website, and this is about a class action suit that's
being brought against GitHub Copilot and their parent company, Microsoft, about these claims
that these AI engines are basically pirating open source software.
What do you make of this, Ben?
So this is really fascinating.
We have an issue here that I think is novel and extremely complicated.
So Copilot, as probably most of our listeners would know, is an AI pair programmer for software developers. It suggests
code in real time, but the input is, at least as alleged here, copyrighted material. Somebody has
actually developed the code that goes into the system that leads to co-pilots spitting out
suggested code. This is open source software as well.
So obviously the vision of open source is that anybody can use it and access it.
But there are individuals, and that's the nature of this lawsuit,
who think that their own creative work in developing these lines of code
is being used without attribution.
And eventually, if somebody uses the output from Copilot to make a profit, that's going to be a violation of our intellectual property laws.
There's another side to this story, though, and I think that's best articulated by Kit Walsh, a staff attorney at the Electronic Frontier Foundation.
And Kit argues that training Copilot on public repositories is fair use. Fair use
allows for the analytical use of copyrighted work. So for academic purposes, for learning purposes,
the question here is whether this counts as fair use under our intellectual property laws.
What Kitt is saying is that Copilot is ingesting code and creating associations in its own neural net about what tends to follow and appear in what context.
Right.
And that is sort of doing analytical, that's the equivalent of doing analytical work on somebody else's copyright protected material.
Yeah.
Really, this could boil down to how much Copilot is reproducing from any given iota,
any element of the training data that was used as input.
And that's something that's somewhat metaphysical. We might not know exactly how much of the suggested code comes from a distinct piece of data
that somebody else's copyrighted work.
So this is a really complicated issue.
I'm not sure
we're going to get a satisfying resolution for a long time, but I can understand why people who
have poured their heart and mind into developing lines of code would be upset by it being used
potentially to profit somebody else without attribution. Yeah. It strikes me that at the core of this is whether or not an AI system can express creativity.
And if you're able to input things and it's able to come up with novel solutions based on inspiration from other people's work, to me that's new work.
As opposed to just cutting and pasting some lines of code.
That seems pretty clear cut to me.
Right. If you find,
you know, some code that you had put in your book about programming in whatever language,
and the AI takes it and just pastes it in there and doesn't even change any of the variables,
well, we've got an issue here. But if the AI is inspired by the code you write,
as you say, that's a lot fuzzier in my mind. And can an AI even be inspired? Is
that a thing? Right. Because unlike us, you know, you use an example on Caveat where we talked about
this as well, of going to an art museum, being inspired by Picasso or whomever, and going home
and coming up with your own painting inspired by his work, even though it's unattributed.
Right.
And that's a really interesting metaphor,
but in that case, you're using your own creativity.
You are using the contents of your own mind
to turn the inspiration from somebody else into your own distinct creative work.
And is that happening with artificial
intelligence? It's a hard question to answer. Can a computer have creativity or are they just
digesting pieces of information and spitting them out algorithmically. It's something that I don't think is clearly answerable.
Well, I think we all need to go back and watch the Star Trek The Next Generation episode,
Measure of a Man, where Lieutenant Commander Data is put on trial
as to whether or not, as a computer, he has the rights of a human being.
I think it's all pretty well laid out.
Maybe you and I can turn that into a one-act play where we just do that scene and we have
attorneys on each side arguing the best arguments on behalf of their clients. I sense that's a
good creative work in our future. Yeah. All right. Well, this one, more to come for sure
as this develops and I find it fascinating.
Ben Yellen, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
Thank you. Proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.