CyberWire Daily - GoDaddy's compromise. Twitter disables SMS authentication for all but blue-checked users. Deutsche DDoS. Is Bing channeling Tay?
Episode Date: February 21, 2023
GoDaddy has discovered a compromise of its systems. Twitter disables SMS authentication for those not subscribed to Twitter Blue. Last week's cyber incident impacting German airports was confirmed to be DDoS. The consequences of cyber irregular participation in cyber wars. Semiconductor tech giant Applied Materials sees significant financial losses from a cyberattack. Joe Carrigan on scammers dangling fake job offers to students. Our guests are Max Shuftan & Monisha Bush from the SANS Institute, on the reopening of their HBCU Cyber Academy application window. And is Bing channeling Tay? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/34
Selected reading.
GoDaddy Inc. - Statement on recent website redirect issues (GoDaddy)
GoDaddy: Hackers stole source code, installed malware in multi-year breach (Bleeping Computer)
GoDaddy SEC Filing (SEC)
An update on two-factor authentication using SMS on Twitter (Twitter)
Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only (The Hacker News)
SMS-Based 2FA Will Be Limited to Twitter Blue Users (HackRead)
Twitter will limit uses of SMS 2-factor authentication. What does this mean for users? (NPR)
Twitter's Two-Factor Authentication Change 'Doesn't Make Sense' (WIRED)
Twitter Shuts Off Text-Based 2FA for Non-Subscribers (SecurityWeek)
Official: Twitter will now charge for SMS two-factor authentication (The Verge)
German airport websites downed by DDoS attacks (Register)
German airports hit by DDoS attack, 'Anonymous Russia' claims responsibility (The Record from Recorded Future)
Russian phishing attacks flooded Ukraine, tripled against NATO nations in 2022: Report (Breaking Defense)
Civilian hackers could become military targets, Red Cross warns (The Record from Recorded Future News)
I helped create a 'cyber army' to help Ukraine defeat Russia. We can't fight with guns, but we can fight with our laptops. (Business Insider)
How Uncle Sam enlisted Big Tech to thwart Russia from launching catastrophic cyberwar (The Washington Times)
Big Tech Descends on Munich Conference in Support of Ukraine (Bloomberg)
Applied Materials will take a $250M hit to sales this quarter, thanks to a cyberattack at one of its suppliers (Silicon Valley Business Journal)
Semiconductor industry giant says ransomware attack on supplier will cost it $250 million (The Record by Recorded Future)
How should AI systems behave, and who should decide? (OpenAI)
Why Bing Is Being Creepy (Intelligencer)
Microsoft's new chatbot is a liar. And it says it's ready to call the cops. (Mother Jones)
After AI chatbot goes a bit loopy, Microsoft tightens its leash (Washington Post)
My Week of Being Gaslit and Lied to by the New Bing (The Information)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
GoDaddy has discovered a compromise of its systems.
Twitter disables SMS authentication for those not subscribed to Twitter Blue.
Last week's cyber incident impacting German airports was confirmed to be DDoS.
The consequences of cyber irregular participation in cyber wars.
Semiconductor tech giant Applied Materials sees significant financial losses from a cyber attack.
Joe Carrigan on scammers dangling fake job offers to students.
Our guests are Max Shuftan and Monisha Bush
from the SANS Institute
on the reopening of their HBCU Cyber Academy application window.
And is Bing channeling Tay?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 23rd, 2023. GoDaddy has disclosed its discovery of a December 2022 breach
that resulted in a threat actor redirecting customer websites to malicious domains, BleepingComputer reports.
The threat actor was reportedly able to install malware on GoDaddy's cPanel shared hosting
environment, and the company added that they have evidence and law enforcement has confirmed
that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy.
GoDaddy also stated in an SEC filing that it believes the same threat actor was responsible for security incidents the company disclosed in 2020 and 2021.
to revoke SMS texts as two-factor authentication modality for all but paying Twitter Blue subscribers
has been poorly received.
Twitter explained,
while historically a popular form of 2FA,
unfortunately we have seen phone number-based 2FA
be used and abused by bad actors.
So starting today, we will no longer allow accounts to enroll in the text
message SMS method of 2FA unless they are Twitter Blue subscribers. The Verge points out that the
move away from SMS 2FA may be a cost control measure since it costs a little bit of money
to send an SMS. It's true enough that SMS text authentication is not the best 2FA method,
but it's way better than nothing, and it's likely, as experts point out to NPR and Wired,
that people who've used it as their default will not replace it with anything. And besides,
why should subscribers paying for their blue check be expected to be content with an inferior method of authentication,
or are they paying for convenience?
It's now been confirmed that the cyber incident a number of German airports sustained last week
was indeed a distributed denial-of-service attack.
Spiegel reports that the attack lasted about an hour
and that Russian hacktivists claimed responsibility.
The Register, which dismissed the incident
as script kiddies up to shenanigans,
points out that it spared the three largest German airports.
The Record reports that Anonymous Russia
counted coup in its Telegram channel with a snarky,
"And again, non-flying weather in Germany.
What's up?"
Followed by links to outage reports at each affected airport.
Spiegel also reported that Lufthansa, Germany's national airline,
had experienced service disruptions earlier in the week, on Wednesday,
and that preliminary investigations suggested that the cause
might have been broken fiber-optic cables supplying the airline's network.
But the Russian hacktivist auxiliary Killnet has since claimed responsibility for that incident.
In a communique published by the Russian outlet Gazeta, Killnet said,
We killed the corporate network of Lufthansa employees with 3 million fat data packet requests per second.
It was an experiment on rats, which
was successful. Now we know how to stop the work of any airport in the world. The attack was
retaliation, the KillMilk section of the group said, for Germany's decision to furnish Ukraine
with Leopard tanks. The auxiliaries asked rhetorically, who else wants to supply weapons to Ukraine?
One consequence of the growing tendency of auxiliaries, hacktivists, privateers, and other irregulars to participate in wartime cyber operations
appears to be an extension of combatant status to actors who would otherwise be considered non-combatants.
The Record reports that last week,
Mauro Vignati,
advisor on the digital technologies of warfare to the International Committee of the Red Cross,
addressed the Munich Cybersecurity Conference
on the risk that this trend could undermine protections
non-combatants currently are entitled to
under the laws of armed conflict.
Vignati said,
while individuals may be physically removed from the theater of hostilities, they are only one click away from the digital battlefield.
He cautioned governments to restrain themselves from encouraging civilians to participate
in offensive cyber operations, stating, encouraging civilian participation in cyber activities during
armed conflict could undermine the protection of civilians who must be spared from the effects of
armed conflict. That's why ICRC strongly recommends states to reverse the trend of
civilianization of the digital battlefield. It's worth noting that participation by
irregulars in combat doesn't deprive them of all
protections under the laws of armed conflict. They exchange the protections afforded non-combatants
for the less extensive but still significant protections combatants enjoy. The International
Committee of the Red Cross has a convenient summary of the relevant distinctions on their website.
Semiconductor technology giant Applied Materials estimates financial losses of $250 million in sales this quarter due to a cyber attack, the Silicon Valley Business Journal reported Friday.
A ransomware attack impacted one of the company's suppliers, deduced by industry analysts to be MKS Instruments, The Record wrote last week.
In a recent earnings report release from Applied Materials,
the company anticipates the second fiscal quarter of this year to net $6.4 billion
and cites ongoing supply chain challenges and a negative estimated impact of $250 million from the incident.
And finally, do you remember Tay?
We do.
Tay was a Twitter chatbot Microsoft researchers launched back in 2016
in a trial of how well an artificially intelligent system could interact with humans,
and do so as if it had a personality.
Tay's personality was generally described as approximating a teenager with attitude,
or as The Verge quoted Microsoft,
an AI fam from the internet that's got zero chill.
Anywho, the experiment produced a personality that was basically a jerk, and because
it was trained on human tweets, it learned to be a really major jerk in less than 24 hours.
Tay was an experiment, and so not a failure, since things are learned even from negative results,
still more from unpleasant potty-mouthed results. But now, by some account,
Bing's incorporation of ChatGPT seems to be following a related disinhibited path.
Jensen Harris tweeted his experience with the new Bing as,
A wild story in which I probe what Bing's chatbot is capable of if you take away the rules. It gave Not that there's anything wrong with ordering pizza, all things being equal.
Gary Marcus on Substack has an extended meditation on what's been going on with Bing.
He writes,
Anyone who watched the last week unfold will realize that the new Bing has or had a tendency to get really wild,
from declaring a love that it didn't really have,
to encouraging people to get divorced,
to blackmailing them,
to teaching people how to commit crimes,
and so on.
In full disclosure, Microsoft is a CyberWire partner. If we really wanted to find the kinds of stuff that Harris and Marcus learned
from Bing, we'd probably just Google it or maybe ask the rational folks you find over on Nextdoor.
But here's a question. Are bad behavior, error, wrong-headed advice, criminal complicity, and so on, inevitable features of AI trained on a large corpus of human-produced content?
Discuss among yourselves. Extra credit if you work the transmission of original sin into your explanation.
Class dismissed.
Coming up after the break,
Joe Carrigan on scammers dangling fake job offers to students.
Our guests are Max Shuftan and Monisha Bush from the SANS Institute on the reopening of their HBCU Cyber Academy application window.
Stick around.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The SANS Institute recently announced the reopening of the HBCU Cyber Academy application an opportunity for students at historically black colleges and universities to gain hands-on cybersecurity training and real-world experience free of charge.
For details on this offering, I spoke with Max Shuftan, Director of Mission Programs and Partnerships at SANS, and Monisha Bush, U.S. Missions Programs and Partnerships Coordinator for SANS.
Max Shuftan starts us off.
SANS has been focused on initiatives to grow the cybersecurity workforce and diversify
it since 2015 through what we call academies or really reskilling programs in which individuals
who have strong aptitude for learning security can receive training, hands-on skills development, learning key knowledge, and pursue industry certifications to empower them to start careers in the field.
We've helped reskill several thousand students across the globe over the last seven and a half years, especially growing in the last three to four years.
And as part of that, we've started the SANS effort to build a bridge with HBCUs and help talent from HBCUs come into cybersecurity.
So at that point, I'll turn it over to Mo to talk a little more about that.
Yes, thanks, Max. Speaking of bridges, as a part of the SANS HBCU mission,
we did gather a committee together where our mission is to create that bridge to diversify cybersecurity with innovative Black talent from historically Black colleges and universities.
So we came up with this idea to kind of peek into this niche area and see if we can provide
opportunities for HBCU students and alumni to be able to take part of one of these academies that
we kind of already had a really successful
student path with some of our other academies. We began with a pilot academy back in 2020,
and it was with the University of Virgin Islands. And we, I'm sorry, excuse me, that was in 2021.
We established our first partnership with the University of Virgin Islands.
It was very much successful.
I think we had a cohort of about five individuals who were very successful in attaining all three GIAC certifications.
And we even have a few success stories from those individuals in which they were able to find careers within less than three months.
When we're talking about historically Black colleges and universities,
where have they sat in terms of the offerings that they've had available to their students?
I would definitely say that we've seen and just when we're trying to come together and engage in partnerships with these HBCUs, a lot of them did have cyber curriculums, but not program and curriculum that we are offering towards these HBCU academies where it was just HBCU focused.
Max, what is in it for SANS here? I mean, the opportunity to provide this, this is an opportunity you're providing free of charge.
Correct. It is a scholarship based program, the HBCU Academy,
funded by SANS. For us, it's about having an impact on a community that we felt was underserved,
similar to our Women's Academy and Diversity Academy, trying to help launch careers in cyber.
And as Mo said in her answer, certainly there are computer science programs, especially across
HBCUs, and those are great at helping individuals get into IT and computing jobs, tech support jobs, etc.
But what we saw the academy is having the ability to do is help some of those individuals
kind of springboard or launch on a fast track into cybersecurity.
Rather, they're working with their way through the IT side, finding the individuals with
really high potential and helping them go through the industry training that a professional
might get 10 years into their career and move into a
cybersecurity specialist or security engineer type job now. So at the end of the day, it's
definitely about that community partnership. And certainly we do want to raise awareness of SANS
as an opportunity for skills development across individuals in the tech and computer science space.
Monisha, I'm curious, you mentioned that you all had completed a pilot program here.
What was the feedback from the folks who've been through that program?
Oh, we got some very, very, very positive feedback, to say the least.
One of our very, very first graduates, his name is Rex.
Shout out to Rex.
I mean, he couldn't have been one of the better candidates to represent our pilot academy from the University of Virgin Islands.
He was a computer science major. And as being a part of the first HBCU Academy, he did express that it taught him the skills and the life lessons that kind of actually helped him land his first dream job.
He is actually a security engineer for a government agency, and we couldn't be more proud of Rex.
Monisha, what's the future for this?
As you experience the success here, are you looking to expand to even more opportunities at more universities?
So glad that you asked that, Dave.
So the continuation of actually building
these direct relationships with the HBCUs
is probably number one.
We want to get the word out there
that SANS has this type of program available.
And we are definitely open to any of the HBCUs out there that are willing and open to partnering with SANS.
We are expanding on our nationwide HBCU Cyber Academy.
We are now in the second year of our actual annual Cyber Academy.
We do have applications that are open right now and they will be closing at the end of this month.
Excuse me, they will be closing March 1st. Sponsoring more cyber competitions like our Cyber Wars and growing
our initiatives that are more HBCU focused, like maybe New to Cyber or some of our SANS Summit
tracks to kind of have a more HBCU focus and just kind
of continually creating that community for past, current, and future alumni of the academy for our
HBCU students. That's Monisha Bush from the SANS Institute along with her colleague Max
Shuftan. You can find out more about the HBCU Cyber Academy on the SANS website.
And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins
University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting article that caught my eye here.
This is from the folks over at Avanan, an article written by Jeremy Fuchs,
and it's titled, Hackers Dangling Fake Job Offers to Students.
Joe, you've spent some time in academia over there at Johns Hopkins.
Yes, I have.
What do we need to know about the scam that's going on here?
So this scam is really just a simple phishing scam. What's interesting is that it is coming
from a valid email account. So in this particular case that Avanan is talking about. So these guys
have gone through the trouble of breaking into
somebody's email account. And rather than performing a business email compromise attack
and making tons of money, they're just going out and phishing students, which is interesting.
I don't know what the status of the email account is right now, but it doesn't matter.
What's important is that this is coming from a legitimate company. It's coming from a legitimate
email. So it's probably just making it through all of the spam filters and is looking like a job offer.
And the only thing they're trying to do is harvest credentials from these students.
Oh. Okay. So they're offering a job that pays, it says $450. It doesn't say per week or whatever.
It says it's a remote part-time $450 job opportunity. Okay. When they,
there's a link in the email that is not connected to the company at all. And it just takes you to
a place where they harvest your credentials. They don't tell you which credentials they're
looking for. I would assume it's either Google or Yahoo or something. All of these accounts have
value on these dark web marketplaces, these dark markets.
Right.
So these can be turned around and sold.
And if you're having your email compromised can be devastating, particularly because somebody can go into your email, look through your email, find out what accounts they have, you have there as well.
Maybe your bank gets reset.
Your bank password gets reset by having
an email sent to that email account. They can also take over maybe your streaming services,
which they can then, again, turn around and sell. All these things are just ways for people to go
about making money. What's interesting is they're going after college students. They're soliciting,
they probably have a mailing list of college students, of new college students.
Right.
That is probably available somewhere, whether from a legitimate source or a dark source.
Who knows?
Yeah.
And they are targeting these people because they know, hey, college students like to have money to do things on the weekends, right?
Yeah.
And it's interesting to me that they're going after college students because as you say, college students, yes, college students in general need
money. Right. And are willing and able to pick up little side jobs like this. Yep. But what I,
what leaves me scratching my head is college students are not known for having a lot of money.
Right, right. So, so what's, so it's interesting to me that
they're targeting them. What do you make of that? That is, that's a great point. Um, well, the
credential itself does have value. Yeah. These guys might not be going after tons of money. Uh,
and they're probably coming from a country where the average income of per capita is a lot lower
than the U S. Right. So that's one of the things we need to think about
constantly when we're talking about cybercrime is a lot of these guys, if they can make $5,000 a
year doing this kind of thing, they're living pretty well in their country. They're in the top
1% of income earners in that country. It's, well, maybe not 1%. You get the idea. My numbers might
be off, but the idea stands. So it doesn't matter that
it's a college student. If the college student has a bank account with $100 in it, that's a score.
That's a find. Plus, all these different accounts that you can have access to can be sold off for
money. And that's how these guys monetize it. So I think that's what's going on here.
If they're just doing credential harvesting, like this article is talking about,
then they are monetizing that by selling access to those accounts.
I'm curious, you know, at Johns Hopkins, do they have programs to try to get students up to speed
on this sort of thing? As you onboard students, is cybersecurity a topic?
Campus security does run, or the campus police do run a, or, you know, it's campus security.
They run a program for freshmen that come in, and they also have all kinds of outreach programs,
and I've worked with them before on that. Although, you know, I don't have the opportunity
to do that as much anymore because my duties at Harbor Labs are full-time duties and I'm kind of part-time at Hopkins still.
Yeah. Yeah. But yeah, there is a program in place that does that and a lot of universities have
that. It's universal. It's not just at universities. It's going to be everywhere. I mean,
we talk on Hacking Humans about this kind of thing all the time. People
are targeted all the time, and they just have to be aware that anything that seems too good to be
true probably is. Be mindful of where you're going when you're being asked to log in. If you
are already logged into your email account and something's asking you to log in again,
that should raise a red flag every single time. Yeah, yeah.
All right, well, Joe Carrigan, thanks for joining us.
It's my pleasure.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and ...
... Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer
Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was
written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.
... AI, and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.