CyberWire Daily - Following the spoor of the Twitter hackers, a couple of whom seem to be talking to the press. Marketing databases and intelligence collection. TikTok ban? Hacking biomedical research.
Episode Date: July 20, 2020
Notes on last week's Twitter hack, and on the allure of original gangster and other celebrity usernames. Using marketing databases for intelligence collection. The US Government mulls a ban on TikTok. Johannes Ullrich from SANS on Google Cloud storage becoming a more popular phishing platform. Our own Rick Howard on security operations centers, and a preview of the latest episode of his CSO Perspectives podcast. And more reaction to alleged Russian and Chinese attempts to hack COVID-19 biomedical research. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/139
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected. Thank you. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash N2K code N2K.
Using marketing databases for intelligence collection. The U.S. government mulls a ban on TikTok.
Johannes Ulrich on Google Cloud Storage becoming a more popular phishing platform.
Our own Rick Howard on security operations centers.
And a preview of the latest episode of his CSO Perspectives podcast.
And more reaction to alleged Russian and Chinese attempts to hack COVID-19 biomedical research.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
July 20th, 2020. Last week's Twitter hack remains under investigation. Some personal data were taken
during last week's Twitter hack,
according to the Wall Street Journal. The hackers were able to change the passwords on 45 of the
accounts they compromised, which of course opened the possibility that they may have been able to
access users' information. Up to eight of the 130 accounts affected are known to have suffered loss
of personal information. No one has so far fully
and explicitly connected the hackers of those behind the Twitter hack with natural persons.
The New York Times followed the incident from chatter on Discord and concluded that the hack
was the work of three people, probably young, at least two of whom shared an interest in collecting
interesting Twitter accounts. Two of them, one called EverSoAnxious and the other LOL,
appear to have been involved in Bitcoin scams before.
Both were also well-known regulars on OGUsers.com,
a site frequented by those interested in acquiring short so-called original gangster usernames.
OG names are regarded as
having special cachet because they're normally associated with early adopters of a new platform.
The other sort of username that's interesting to what the Wall Street Journal calls a subculture
is, of course, the celebrity username. But neither EverSoAnxious nor LOL was the original hacker.
The apparent originator of the hack, one Kirk, contacted LOL with the message,
Yo, bro, I work at Twitter. Don't show this to anyone. Seriously.
What he shared was a demonstration of his ability to take control of coveted Twitter accounts.
He enlisted LOL and EverSoAnxious as middlemen to sell hijacked
accounts. Kirk is thought to have obtained access to a Twitter Slack channel where Mashable explains
he found credentials posted. The hackers progressed to a celebrity Bitcoin scam.
How he got that far is unclear. Twitter hasn't elaborated beyond saying Saturday, quote,
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections, end quote.
So apologies are apparently due PlugWalkJoe, whom Krebs on Security identified as the moving intelligence behind last week's
Twitter hack. His involvement was tangential. He was a customer. He acquired the Twitter account
@6 from one of the hackers, EverSoAnxious. But that, the New York Times concluded, was the
extent of his involvement. As we mentioned before, there's been no report of Kirk's being
identified as a natural person. LOL said he eventually came to believe that Kirk wasn't in
fact a Twitter employee on the circumstantial grounds that he seemed more eager to do the
company harm than LOL thought a real employee would. Make of that what you will, since plenty of employees,
a minority to be sure, but a non-trivial minority, do seem as a matter of history to have been
willing to do their company harm. But in truth, very little is known about Kirk. He was an unknown
on the various chat sites he engaged. He came out of nowhere, and then he vanished back into the virtual beyond.
Researchers at Mississippi State University have shown the relative ease with which devices can be geospatially tracked
through common commercially available databases, the Wall Street Journal reports.
The study is interesting because of the devices it chose to track,
Russian cell phones in and around Moscow
and a missile test site in northern Russia, where there had been some indications that an accident
had occurred. The results indicate, the journal says, the value such open commercial
marketing tools really can have for intelligence collection.
The U.S. government seems to be moving towards serious consideration of banning TikTok as a security risk.
An op-ed in The Hill suggests that such a ban would be based more on the generally frosty bilateral relations between the U.S. and China
than on specific cases of misconduct on the part of the social platform.
But on the other hand, TikTok does collect a great
deal of data on its users. The Washington Post collects expert opinions about Russian and Chinese
hacking of COVID-19 vaccine research and finds they differ over how to respond and even whether
the hacking represented legitimate intelligence collection or a clear violation of international norms.
Norms or no norms, there is a significant amount of bipartisan animus
directed toward recent incidents of biomedical research hacking.
The BBC reports that the Russian ambassador to London says Russia didn't do it.
So there you have it.
Joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and Chief Analyst.
Rick, you are kicking off a new season of your CSO Perspectives show that is over on CyberWire Pro.
And you're starting off this season with an exploration of SOCs.
Yeah, Security Operations Centers. I've built many of them, toured millions of them. And
you know, I thought that I knew the history of SOC evolution. And as I was digging into this,
I discovered that I was completely wrong. I mean, yeah, it turns out
that operations centers, the idea of them, that you might need them, they've been around since
like 5,000 BC. Can you believe that? 5,000 BC. Really? Yeah. And we started to see the basic
edges of the modern day security operations center in the early 1900s
as the telecommunications industry started managing these giant networks of telephones.
And then we saw the first real operations center to do it in the early 60s.
So that's pretty exciting.
But through the next 30, 40 years, we get this evolutionary change
from not only the telecoms,
but from the intelligence community, from the government,
from the commercial sector, and all these folks,
all these groups are sort of taking hits at how do you build these things.
I always think of the communication center in the movie War Games.
True.
That's what all, every SOC I've ever been in, we were trying to build that operation
center to some extent, okay?
Even if it's two guys and a dog next to the coffee pot, okay?
You know, but as I was looking into this, though, we've discovered that the evolution
of SOCs has really stagnated, like, since the early 2000s.
They haven't really changed that much.
And I was talking to Helen Patton, she's the Ohio State University CISO, about this kind of lack of momentum and also about how she is managing the zero trust policies from the SOC.
And she had this to say.
The other challenge about research, which people sort of forget about in the private sector, and it's great right up into the point where you've got a patent and then you don't want anyone to
know and you know and now it's locked down tighter than a drum and then once you publish
now you want it to be all open again because you need people to come in and validate that
your research is good and all this kind of stuff, right? And we haven't built zero trust protocols or access and
authorization protocols around a changing life cycle requirement. So she's basically saying that
our concept of zero trust is not really mature enough to handle dynamic access rights. And this
is something I've never even considered. You know, when I think about zero trust, I'm thinking, you
know, we want to limit the marketing department
from getting to the financial database.
And, you know, that's good enough.
Right.
But what Helen is talking about
is she's got a group of individuals,
researchers at her university
doing COVID-19 research
that has varying degrees of requirements
for access rights,
depending on where they are in the process.
And the zero trust platforms that we all use today just aren't strong enough or mature
enough to handle that.
I mean, is it fair to say that there's been sort of this push and pull, this tension between
what's needed and what's possible throughout the history of SOCs themselves?
Absolutely.
All right.
Then, you know, we've always wanted more in the SOCs.
And by the way, I've never gotten it, okay?
I think in my mind, what I would really want
in my own security operations center
is security operations, network operations,
physical security, all in one spot
with the authority to make decisions
to counteract some bad thing that's happening.
Nobody that I know of has a SOC like that, and I really do think it's the way it should be.
Yeah. All right. Well, there's much more where that came from. Do check out Rick Howard's CSO
Perspectives podcast that is part of CyberWire Pro. You can check it out over on our website,
thecyberwire.com.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages,
it's easy to say so long to winter. Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ulrich.
He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
You have been tracking some stuff that's been going on within Google Cloud and some folks using it for phishing.
What's going on here?
Yeah, that's something that we have seen sort of pick up beginning of the year.
And by now, pretty much all phishing attempts that I am receiving that sort of matter, that make it past my spam filter and such,
they use Google Cloud Storage to actually store
the phishing page. Now, we have seen this in the past with some of the Microsoft Cloud and such,
but I guess they have gotten better in preventing this and cleaning this up. Turns out with Google's
Storage API, those pages are quite persistent. And it's a little bit limited what you can do.
You can basically just have a static page there.
But then they just add some JavaScript that will forward the data that the user submits to whatever actual sort of data collection website the attacker has set up.
So why Google?
What's causing them to choose this?
Well, I think there are a couple of reasons.
Now, first of all, Google is ultimately
a trusted site. The URL, the host name they're using is storage.googleapis.com.
Like with all these cloud providers, there's a lot of necessary good stuff on this host name,
so you can't really blacklist it. On the other hand, I found that Google is quite slow in removing these phishing sites.
And that may also contribute a little bit to Google becoming more popular and some of
the other providers becoming less popular because, well, now the attacker has more time
here to collect data.
Because the page they have to protect is the page the user gets to first.
And that turns out to be here, storage.googleapis.com. If their collection site gets taken down, they can just make a change to the
JavaScript and collection page. But users that received the email in the past that actually
triggers them to go to the phishing site, they'll still end up on that phishing page. So this is
sort of the part that attackers usually have to keep up the longest.
And if they can keep that up for a week,
that's usually all they need to collect all the credentials
that they would get out of a particular phishing run.
And does that initial page, I mean, at first glance, does it seem benign?
Is it the sort of thing where you could understand
how a surface inspection by Google, for example, would not raise suspicions?
Well, actually, it usually is just copy-pasted code from the particular page that they're trying to impersonate.
So some simple signature-based matching or so may actually capture a lot of these pages.
And once the user is done with the page,
they usually will redirect them to the user's domain,
kind of trying to fool the user into believing that they just entered the wrong credentials
and of course they may then try again.
I see.
So what are your recommendations here
for folks to protect themselves?
This is something where you probably have to rely
on user education.
I would still recommend reporting these pages to Google as much as possible.
Google Chrome has a little add-on that makes it really easy to report phishing sites.
I hope that Google will eventually get better in cleaning up these pages as people report them.
All right. Well, Johannes Ulrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.