CyberWire Daily - Facebook discloses a major breach. Botnet brute forcing ransomware. Retail domain typosquatting. ATM wiretapping. Ransomware in San Diego. SEC hits cyber deficiencies. Assange retires?
Episode Date: September 28, 2018
In today's podcast, we hear that Facebook has disclosed a cyberattack that affected fifty million users. A botnet is brute-forcing credentials. Cybercriminals show signs of ramping up spoofed retail domains in preparation for holiday shopping. The US Secret Service warns of ATM wiretapping. The Port of San Diego struggles with ransomware. The US SEC fines a company for cyber deficiencies. Mr. Assange goes offline. And some guy says he'll live-stream his annihilation of a prominent Facebook page. Jonathan Katz from University of MD on Bluetooth pairing protocol vulnerabilities. Guest is Andrea Little Limbago from Endgame on the internet's effect on global conflict. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_28.html Extended interview with Endgame's Andrea Little Limbago: https://www.patreon.com/posts/21704947
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
Facebook discloses a cyber attack that affected 50 million users.
A botnet is brute forcing credentials.
Cyber criminals show signs of ramping up spoofed retail domains in preparation for holiday shopping.
The U.S. Secret Service warns of ATM wiretapping.
The Port of San Diego struggles with ransomware. The U.S. SEC fines a company for cyber deficiencies.
Mr. Assange goes offline. Andrea Little Limbago from Endgame joins us. We discuss how cyber capabilities intersect with international statecraft and warfare.
And some guy says he'll livestream his annihilation of a prominent Facebook page.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 28, 2018.
Late this morning, Facebook disclosed that it had been the victim of a cyber attack.
According to reports in the New York Times and elsewhere, it's thought that at least 50 million accounts were affected with user information exposed.
According to Facebook CEO Mark Zuckerberg's own Facebook post,
the company discovered the issue on Tuesday. Attackers stole access tokens that would in
principle have allowed them to log in to roughly 50 million people's accounts. He says they don't
yet know if any information exposed in the attack has been misused, but investigation continues.
The social media company has patched the vulnerabilities the hackers used to get the tokens,
and they've invalidated the stolen tokens.
Thus, if you find yourself logged out of Facebook, that's why.
You'll have to log back in to regain access to your account.
The company has notified the affected users with a message that appears on top of their news feed,
so look for it there when you get back in.
Facebook has also taken down the service's View As feature, which is the one that contained the vulnerability the hackers exploited.
View As is a tool that lets you see yourself, or at least your profile, as others see you.
The company has taken the additional precaution of logging users out who used the
View As feature since Tuesday. Guy Rosen, Facebook's vice president of product management,
blogged that the vulnerability arose from, quote, the complex interaction of multiple issues in our
code, end quote, which he says stemmed from changes they made to their video uploading feature in July
of 2017.
The investigation is still in progress, of course, so there's not even a preliminary attribution.
Facebook has involved law enforcement, and they want their users to know that they regret the attack.
The story is developing, and no doubt more will emerge over the weekend.
For PyX Trick, a botnet with some worm functionality, is brute-forcing ransomware through port 5900.
It finds vulnerable Remote Desktop Protocol and Virtual Network Computing servers,
and runs through a list of commonly used credentials to gain access.
Researchers at SecurityScorecard say the payload is typically a GandCrab ransomware variant.
The holiday season isn't here yet, but it's not too early to begin thinking about retail security.
Security firm Venafi is observing an unpleasant expanse of look-alike domains being registered,
with the apparent intent of duping online shoppers.
When you do begin your holiday shopping, watch your typing and don't fall for an impostor's site.
The U.S. Secret Service is warning banks that there's an increase in ATM wiretapping attacks
that involve drilling a small hole in an ATM, inserting the skimmer, often with an endoscope,
and then covering the hole, often with a little sticker that has the bank's logo on it.
If you've got an ATM in your mom-and-pop shop, give it a once-over
and pay attention to any warnings from the bank.
The Port of San Diego continues to struggle with a ransomware infestation in its business systems.
It's now been running for several days and seems unusually resistant to remediation.
The business systems affected seem to be non-core and not crucial to port
operations. Things like parking access, parking permits, public records requests,
business document filings, and so on. The Port of San Diego surely includes a cargo and cruise
ship handling port proper, but its remit also extends to the city's waterfront parks, shops,
museums, convention center, and marinas.
It's 34 miles of coastline, that's 55 kilometers for our international listeners,
and the activities the port's responsible for pretty much cover the waterfront.
In the first case of its kind, the U.S. Securities and Exchange Commission
is bringing an enforcement action against Voya Financial Advisors for poor cybersecurity.
Acting against a company for deficient cybersecurity,
the U.S. Securities and Exchange Commission has obtained an agreement from Voya Financial Advisors
to pay $1 million in fines over violations of the Safeguards Rule and the Identity Theft Red Flags Rule.
The SEC says this is its first enforcement action under the red flags rule.
After receiving some tough love from Ecuador's London embassy, Julian Assange has stepped down
as the leader of WikiLeaks. Spokesperson Kristinn Hrafnsson will take over. Mr. Assange is still in
the embassy, but Ecuador's taken away his internet access. Ecuador's President Moreno is thought to regard Mr. Assange as an embarrassment
held over from his predecessor's administration.
The embassy has been looking for ways of encouraging Mr. Assange to move on,
but the situation still seems to be a failure to launch.
And finally, in a development we think is unconnected with Facebook's other issues,
a freelance hacker in Taiwan named Chang Chi-yuan says he's going to obliterate Mark Zuckerberg's Facebook page this weekend
and that he'll be live-streaming the hack.
He says he's a white hat, and he may well be,
but on the other hand, the word on the street is that he does seem to get himself sued from time to time.
Stream if you dare, voyeurs of low tastes, but we'll be watching reruns of The Gong Show instead.
It's a more elevated pastime. And that Chuck Barris was one dangerous mind.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times
faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Jonathan Katz. He's a professor of computer science at the
University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
You sent over an interesting article here about some Bluetooth vulnerabilities
that the researchers have labeled severe.
What's going on here?
This was a vulnerability that researchers found in the Bluetooth pairing protocol.
So the pairing protocol, as many listeners might know,
is what's used when you want to pair two Bluetooth devices,
say, for example, your cell phone with the communication system in your car.
And what the researchers showed was that the underlying cryptographic protocol
that was used to set up a secure pairing between two devices
was actually vulnerable to an attack that would potentially allow an attacker
to either impersonate one of those devices
or potentially to eavesdrop on further communications between them.
The Bluetooth coupling used a mathematical concept called ECC,
that's elliptic curve cryptography.
What can you tell us about that?
It was a very interesting attack, actually,
although looking at the protocol as a cryptographer myself, it's the sort of attack that when you see the protocol,
you almost immediately realize that the protocol was designed in really a silly way to enable that attack.
Fundamentally, what's going on here is that the protocol was using what's called elliptic curve cryptography.
And without getting into the details of that, let me just kind of say at a high level that this involves sending back and forth strings representing points on some mathematical curve.
And even if you don't understand any of that, what it comes down to, what the attack boils down to, is that essentially half of that string was signed and the other half was not.
And the designers of the protocol basically thought that by signing half the string,
it would be enough to secure the protocol.
And what the researchers showed was that
by cutting corners like that,
they were able to manipulate the second half of the string
and thereby carry out the attack.
So I think in the end, what it really points to is the fact that you need to have security protocols analyzed by experts in the field.
And in the best case scenario, you want to get your protocols validated and proven secure.
And I think trying to analyze this protocol in a structured way and trying to prove security would have immediately identified that signing only half the string was not sufficient.
Now, but it strikes me that,
I mean, obviously, you know, Bluetooth is not some fringe bit of technology.
The folks who are in charge of validating these sorts of things,
surely they would have had somebody look at this before it was sent out and made a standard, right?
Can I say no comment?
You know, all I can say is that the flaw was there, and it's a pretty basic flaw. It's the kind of thing that I would cover in a graduate cryptography class. So I don't know who looked at it, who didn't look at it.
I think one of the things going on here is that perhaps people thought that because of the pairing
protocol and because Bluetooth in general is something that's carried out between two devices
in close proximity, it's a little bit more difficult in practice to carry out the attack.
You would need somebody, you would need the attacker to basically be within close physical proximity of the honest users, and presumably they might be detected. So the practical impact of this is unclear.
All right. Well, the major manufacturers have been alerted, and they've done some patching and updates and so forth. So they're on it.
We hope so. And I'm sure it's something that's also easy to fix.
And so I'm sure that the next versions of the protocol will address this vulnerability.
Jonathan Katz, thanks for joining us. Great. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
Returning once again as our guest today, we welcome Andrea Little Limbago. She's Chief Social Scientist at Endgame, working at the intersection of global policy and cybersecurity.
Our conversation today centers on how cyber capabilities affect international statecraft and warfare,
the need to establish norms in cyber conflict,
and how technical and policy people can do a better job of supporting each other's efforts.
As someone who has more of a political science background,
but spends my time very much in information security,
and I work at a cybersecurity company,
the conversations are really quite different about the impact and the relationship between various aspects of digital statecraft,
digital capabilities, and warfare and conflict.
On the one hand, I'm seeing very much so on the information security,
more from the technology folks, the concern, and the right concern,
of the militarization of the Internet and how we're framing things
and how increasingly we're seeing more and more of the full range
and full spectrum of attacks, as opposed to the more utopian vision
of what the Internet can and hopefully one day will do as far as being a democratizing force, help civil liberties,
those kind of things. And so those are very, very important conversations. But when you switch over
to more the political science conflict studies and warfare
experts and policy folks, the discussion more so is looking
at how the various range of cyber capabilities, and again, they'll focus more on,
they'll call it all cyber.
So even some of the terminology is a little different.
They'll focus on how cyber is impacting warfare already and evolving really the fundamental and core components of warfare, such as even the notions of power, how is power shifting
and how is the internet enabling really completely new and distinct constructs of how we think
about power during warfare. So it's a really different conversation that's more so looking at, you know, how, basically
it's taking it as an assumed, and again, I think that's also the right way to look at
it, that various aspects of, you know, digital integration and digital capabilities are going
to be, are already serving as a disruptor into warfare.
But the interesting thing on that even is that, you know, within that community, it's
more, it's still, it's presented more so as a future scenario, as in how may it one day
impact warfare.
And doing some of my research, as you look back at it, it's really been over a decade
now since various aspects of digital capabilities have already been influencing and integrated
within warfare.
And so I think that's something that is a little underappreciated and needs to be better
understood. So again, so we can prepare both for limiting the militarization of internet as best
we could through norms and other forms of agreements on one end, but also making sure
that we're prepared and working for what to expect. Now, one thing that I've noticed, and I
think noted as well, is that there seems to be this resistance to drawing any clear lines when it
comes to, as you say, norms, when it comes to cyber conflict. It seems like world leaders are
reticent to say, if you cross this line, then that is warfare. Do you think that's an accurate
description of what we're seeing? I do. And I think there have been some efforts
at the United Nations, a group of governmental experts for a while
tried pushing forth norms along those lines
and that fell apart last year
both in warfare and as far as
what's off limits for targets, what's off limits for kinds of behavior
which still also helps establish some of the fundamentals, at least in peacetime.
There have been declarations that the laws of armed conflict apply also to the cyber
domain.
That still seems a little bit somewhat nebulous as far as whether everyone agrees to that.
There's the Tallinn Manual that defines things a little bit more, but again, it's more guidance
than a formal regulation or law.
So there are these attempts at it in certain areas,
but even a lot of those are very vague,
especially if you look at like in NATO,
Article 5 now has a cyber attack as part of it.
So a cyber attack on one is viewed as attack on all.
But it still fails to define really what kind of cyber attack,
what kind of effects might it have,
would be the example that instigates the collective security of the alliance.
And so it still remains very, I think states and leaders are very hesitant to really define that red line.
I think for many reasons.
One is that means other countries or other actors will push up as far and as close as possible to that line
without knowing that they may not have any repercussions for it.
And then if you do have that red line, as we've seen this over and over again just in traditional warfare, it then leads to a lot of domestic costs for leaders
if it turns out that red lines cross and it's not a popular war.
So there are a lot of, you know, it's much more nuanced than just doing a red line or not,
but at the same time, we definitely need a lot more structured approaches
and various kinds of policy advances to help us
evolve and understand when these kinds of acts should be treated and responded to with various
kinds of statecraft, anything from the range of non-kinetic responses, from the sanctions,
the persona non grata, indictments that we've been seeing a lot lately, all the way to when
it should trigger a militarized response.
What do you wish that the folks on the tech side understood better?
What messages do you think they need to know?
Yeah, and that's great.
And I wish I had all the answers to that.
But actually, the interesting thing about that, I think some of it is starting to change.
I kind of look at the breaking point or sort of the inflection point of our elections in 2016.
If you look at prior to that, really very few, there's almost people were accusing more of the national security folks of being alarmist in many of these areas.
But with the election interference, I think that has started changing some folks to understand really the national security threats that are out there.
But that would be, really the overarching one is that,
actually I probably have two different areas.
One is to broaden our, to expand our understanding
of how we even view or define cyber or security
or information security.
And this is actually a point that Alex Stamos made
in a recent interview as well.
We really need to expand to think about the full range
of ways that information and various kinds of digital capabilities can be used by
attackers, by adversaries. And so for so long within InfoSec, we focused really on the network
compromises, the spear phishing, malware, so forth, which is understandable. And that absolutely
should remain a core focus. But when you look into the broader realm of cyber statecraft,
if you want to call it that,
you've got all the propaganda and disinformation,
data manipulation, all those kind of things.
And so it does get back a little bit into the confidentiality,
integrity, and availability of data.
All that still is very, very true.
But when you think about it broader than just network compromises,
if we can think about it as that full spectrum,
I think that really impacts how we will start
to think about how to defend against it,
but also how the people with the tech backgrounds
and tech capabilities, what they can contribute
to fighting that full spectrum of attacks as well.
Increasingly we're seeing in different examples,
it's not just going to be a network compromise.
In addition to that, the example that I like to give a lot is
in Qatar, when the, basically, there's the height of the tensions in Qatar, which they're currently
still as a boycott. But there was a, there was a hack of the, of a state media site in Qatar.
And then from there, there was posting of disinformation on that media site. And then
that disinformation was spread via, you know, Twitter bots. And there was basically, you know,
bot armies spreading the disinformation.
And that's kind of the adversary playbook that I talk about that I see occurring more and more,
is integration of the disinformation with the hack, with the bots and the automation.
And so that's what we need to start thinking about.
How can we defend against those areas as opposed to thinking about them all as stovepiped?
Because the adversaries don't.
They think about it as full-spectrum information security,
you know, attempts for information control.
And so if we're not understanding how they're viewing it
and what kind of strategies they're using,
it makes it really hard for us to defend against that.
And that would be one area is just really focusing on those.
And then just, again, another area,
I just would love to get more and more of the people
with more tech backgrounds just talking to policy folks
and vice versa.
It goes both ways. So even just the more opportunities we can have, like next year,
there might be a law and policy village at DEF CON. I think that'd be a great thing. I hope that
happens. The foot soldier is doing the work for policy within the military, within the government,
within some of academia. In talking to them, there still is plenty of collaboration going on,
more at lower levels of government and lower levels within the military.
And so that actually made me, it was heartening actually to hear a lot of those examples that,
you know, honestly just aren't, it's not sensational, right?
So it's not going to make the press that, oh, these two groups are coordinating and collaborating very well.
That's just not going to make the news.
So there still is plenty of collaboration still going on. And so that's the nice thing. Our democratic institutions
are strong and our alliances are very strong. And so I'm hopeful that they can withstand
some of the stress that's going on at the national leadership levels across the world.
So we'll see, which isn't to say that we shouldn't be concerned, but something that,
you know, I'm hopeful that we're resilient enough to withstand it.
Yeah. Interesting times, right? It is indeed. Absolutely.
That's Andrea Little Limbago from Endgame. There's an extended version of our interview
over on our Patreon page. We'll have a link to it in the show notes for today's episode.
Do check it out.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.