CyberWire Daily - Internet blackout in Belarus. Papua New Guinea’s insecure National Data Centre. Chrome and CSP rule bypass. Zoom gets sued in DC. Patch Tuesday. Go Spartans.
Episode Date: August 11, 2020
Belarus shuts down its Internet after its incumbent president's surprising, perhaps implausible, no...really implausible landslide reelection. Papua New Guinea undergoes buyer's remorse over that ...Huawei-built National Data Centre it sprung for a couple of years ago. Versions of Chrome found susceptible to CSP rule bypass. Zoom is taken to court over encryption. Patch Tuesday notes. Ben Yelin looks at mobile surveillance in a Baltimore criminal case. Carole Theriault returns to speak with our guest, Alex Guirakhoo from Digital Shadows with a look at dark web travel agencies. And card-skimmers hit a university's online store. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/155
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash n2k, code n2k.
Belarus shuts down its Internet after its incumbent president's surprising, perhaps implausible, no, really implausible landslide re-election.
Papua New Guinea undergoes buyer's remorse over that Huawei-built national data center it sprung for a couple years ago.
Versions of Chrome are found susceptible to CSP rule bypass.
Zoom is taken to court over encryption.
We've got some Patch Tuesday notes.
Ben Yelin looks at mobile surveillance in a Baltimore criminal case. Our guest is Alex Guirakhoo from Digital Shadows with a look at dark web travel agencies.
And card skimmers hit a university's online store.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 11th, 2020.
In the aftermath of a contested election that saw longtime incumbent president Alexander Lukashenko
return to office with a nominal 80% of the vote,
Belarus has apparently shut down most Internet access
in the country, Vice reports.
Twitter said yesterday that its service
had been blocked in the country,
and others reported that many other services
had also been disrupted,
including a number of virtual private networks
that, left undisturbed, could have enabled users
to bypass service interdictions.
The New York Times said yesterday
that the U.S. had condemned the elections as fraudulent,
neither free nor fair,
and deplored the Internet shutdowns.
President Lukashenko's principal opponent, Svetlana Tikhanovskaya,
has rejected the election and urged resistance to President Lukashenko.
U.S. Secretary of State Pompeo said in a statement,
We strongly condemn ongoing violence against protesters and the detention of opposing supporters,
as well as the use of Internet shutdowns to hinder the ability of the Belarusian people
to share information about the election and the demonstrations.
A report prepared at the request of Papua New Guinea's National Cybersecurity Center
by an investigator contracted by Australia's Department of Foreign Affairs and Trade
concluded that Papua's National Data Center is insecure, Computing reports.
Huawei built and staffed the National Data Center in 2018.
Computing's account suggests careless implementation.
The report read in part,
Core switches are not behind firewalls.
This means remote access would not be detected by security settings within the appliances.
The firewalls themselves were also a problem.
They were beyond their 2016 end of life by the time the center came online.
The Australian Financial Review is harshly direct in its assessment.
The center was built to spy, the paper says,
with the weaknesses constituting, from the contractor's point of view anyway, features and not bugs.
Other countries, especially Australia, which shares some long-haul telecommunications infrastructure with Papua,
had at the time warned against bringing in Huawei to build the national data center.
But such concerns were dismissed.
Papua New Guinea's Minister of State Investment,
William Duma, said that since his country didn't have enemies, the government wasn't worried about
security concerns that surround the use of Huawei equipment and telecommunications infrastructure.
The view that Papua has no enemies may not be perfectly true, but it's about as true as such
a claim can be in this vale of tears. But it seems that
sentiment may have shifted in Port Moresby as the Papuan government has asked for Australian
assistance in bucking up the country's security. Australia is thinking about it.
Security firm PerimeterX says it's found a zero-day that affected Chromium-based browsers
and permitted attackers to bypass browser enforcement of CSP rules.
The vulnerability existed in Chrome versions 73 through 83.
It's reckoned a medium-severity vulnerability,
but it was so widespread, affecting Mac, Windows, and Android systems,
that it presented a considerable risk to user data.
According to the Washington Post, Zoom is being sued by the group Consumer Watchdog,
which alleges that the company misled consumers about the quality of encryption the service
provided. The company had, the suit alleges, misleadingly claimed to offer end-to-end
encryption when, in fact, it provided only the less rigorous transport layer security.
The lawsuit was filed late yesterday in Washington, D.C.'s Superior Court,
thereby taking advantage of a local statute that permits not-for-profit organizations
to bring suits on behalf of consumers. In most states, such lawsuits would have to
either be class action suits or suits brought by the state's attorney general.
It covers people who used Zoom for personal social online connection as opposed to business purposes.
It might include distance learning users, but that's not immediately clear. The plaintiffs seek up to $1,500 for every instance in which a D.C. resident used Zoom for non-business purposes.
The plaintiffs also want an explanation of Zoom's suspected closeness to Chinese law,
since so many of its operations were conducted in places where Beijing's writ ran.
The notion of using a travel agent may seem a bit old-fashioned in this world of online booking,
not to mention that at the moment, thanks to the pandemic, nobody's really going anywhere.
But there is no doubt that for a lot of people,
travel agents provide real value.
But were you aware that there are travel agents on the dark web?
Our UK correspondent, Carole Theriault, has the story.
So today, we're going to take the pulse of the travel industry.
Let's see if we can figure out how cybercriminals have been impacting that area,
both before the pandemic and now.
We are checking in with Alex Guirakhoo.
He is a threat research team lead at Digital Shadows.
Now, way back in February, Digital Shadows put out research about how
cyber criminals had been disrupting the travel industry. Alex, can you give us a few highlights
on that research? Yeah, Carol, thanks for having me on. So back in February, we conducted some
research into the ways in which cyber criminals were targeting the travel and tourism sector on
various cybercriminal platforms.
And we found that on some cybercriminal forums, both English and Russian language,
there were these what we like to call dark web travel agents that were advertising
these services to get people really, really discounted luxury travel.
So like something that would cost me like a few thousand was suddenly available for a few hundred,
that sort of savings?
Exactly. So just like you would go talk to a regular travel agent, they would say that they could get you these. And they're able to fund these deals because they're using stolen flyer points that they're turning into some kind of cash in order to fund that.
Yeah, or they're using the stolen credit cards themselves.
So from the buyer perspective, you don't have to go to a cyber criminal marketplace and purchase a stolen credit card and run that risk yourself.
Instead, you can go via these travel agents and then they'll
hold that risk for you. And all you have to do is tell them, hey, I want a trip here. This is when
I want the trip. Can you get me a deal on this? And they'll do all that in the background. And
then there you go. You have an extremely cheap trip. Wow. And okay, as a customer of these guys,
do I know that I'm doing something a little bit dodgy or does it all look bona fide to me?
So the way that they advertise this,
they use a lot of flashy banners.
They advertise a lot on different cyber criminal forums.
They also have dedicated channels
on various messaging services.
So even if you don't have access to a cyber criminal forum,
say if you knew this person through a friend
who had done something similar,
they'd just give you the phone number
and you'd message them yourselves.
And so that means you don't actually have to go to these cyber criminal forums, which definitely
opens it up to a lot more people than it would otherwise. Whoa. Okay. So you discovered all this
out back in February. There's tons more stuff that you guys found out. Leave that to listeners to go
and read on your website. But of course then Corona happened, right? Which meant loads and loads of
flights were grounded. How did that impact their business model? So for a lot of the major travel
agents that we saw on these cyber criminal forums, a lot of times they would get their customers to
take pictures of themselves, you know, in the background of a luxurious hotel or on a flight
to show that their services had actually worked.
And so we noticed that following various lockdowns
because of the pandemic, these posts had stopped
or they strongly decreased.
So it's definitely had an impact on these people
that target the travel industry.
And in general, we've seen various approaches
being taken by these vendors.
So some have decided to stay silent and not bother to post new advertisements at all.
So ones that were previously prolific, they've fallen quiet during this period.
Whereas some others have looked to alternative ways to target the travel industry,
reminding people that even though you can't travel internationally,
you may still be able to travel within your own country and kind of adapting to the way the
pandemic has affected it. Haven't you always wanted to stay at the Hilton in your very own state?
That's exactly it. Do you have advice for people like me? Is this something that I would have to
go look for? Or could I happen to get phished into one of these and be suckered in because the deal was so good? So I think a lot of it comes down to trusting your gut instinct.
If you see a deal that's advertised that is, you know, crazy 50 to 60% off, if something seems off,
then it's very likely that it is. And that goes back to, you know, making sure that you only do
your purchases on legitimate, trusted websites. I mean, that's a hard piece of advice to take, though, as well, because you think of all
these dedicated, hardworking startups that are trying to do really good things out there.
And the reputation angle is very difficult for them, right?
That's a big ceiling to go through from becoming a startup to a trusted company.
Exactly.
Well, thank you very, very much.
Listeners, if you want to hear more about this,
there's tons of information, as I said earlier,
on the Digital Shadows website.
So just go to their blog.
And Alex, thank you so much for speaking with us today.
Thank you so much, Carol.
Thanks for having me on.
This was Carole Theriault for the CyberWire Daily.
Our thanks to Carole Theriault for bringing us that story.
Today, of course, is Patch Tuesday. Adobe's fixes are already out and they address 26
vulnerabilities, 11 of them rated critical in Adobe Acrobat, Reader, and Lightroom.
Citrix fixed five vulnerabilities that affect versions of Citrix Endpoint Management on-premise instances.
This product is also known as XenMobile Server.
Citrix advises users to apply the patches as soon as possible.
Although the company says it's seen no evidence of exploitation in the wild,
attacks taking advantage of unpatched systems are probably only a matter of time.
And Microsoft's updates for August are also out.
As expected, they prominently address vulnerabilities in Windows 10.
If you're still using Windows 7, which you really should think about not doing,
you're out of luck.
That version is now beyond the reach of support,
unless, of course, you've paid for the extended security updates
that will keep Windows 7 bucketing along for a couple more years.
And finally, attention all you Spartans, Michigan State version.
Your university yesterday disclosed that it had sustained a data breach.
In this case, it was an online card skimmer that hit the university's store.
Michigan State said in a statement that about 2,600 shoppers who bought at that store between October 19th of last year and this past June 26th
had their credit cards exposed. The university said yesterday, quote, the university began
notifying all potentially affected individuals of the breach today. It is offering them free
credit monitoring and identity protection
and making recommendations to further protect their information from exposure, end quote.
The university's security team has remediated the problem and presumably it's now safe to shop again.
And we noted when we checked out the site that the summer sale is still in progress.
So you got that going for you, alumni.
Like somewhere hot? Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, good to have you back.
Good to be with you again, Dave.
Interesting story we're going to cover today.
This is from The Baltimore Sun,
written by Jessica Anderson.
It's titled, Baltimore City County Police
Make Arrest in Rape Cases, Search for Additional Victims.
Now, obviously, the subject matter here is terrible.
What caught my eye about this,
and the reason I think it merits our discussion here
is that the process that the police and law enforcement went through to capture
this alleged rapist is really a grab bag of various types of surveillance technologies.
Take us through what's going on here, Ben. Sure. So this is somebody who is an alleged serial rapist. The first victim was identified
in an area in Baltimore County near the Cromwell Valley area at a high school parking lot. She had
just been through a traumatic experience, flagged down a passerby in a car and got into that car and called the police to
report this rape and where it had taken place. A second rape with an additional victim was alleged
to have occurred in a completely different area of Baltimore County in the Dundalk area.
And basically the same thing happened. This person flagged down a passerby, called the police to report the rape.
And because the modus operandi was relatively similar between the two cases, law enforcement started to try to put the pieces together and realize that they had a serial rapist that they were trying to apprehend.
So the way they were able to obtain data is they found evidence from a speed camera that this suspect's vehicle, their silver Oldsmobile, had entered the parking lot of Loch Raven High School, which is the high school where the first event was alleged to have occurred.
They obtained evidence from a camera at a city gas station where the first victim was picked up.
And, you know, they got some other forensic evidence from the school parking lot.
The other very interesting surveillance technique they used is geofencing.
So the detectives obtained a search warrant signed by a judge to compel Google to give them information on all of the account users in the area of the high school parking lot during the time of this alleged crime. And Google complied with a
subpoena, and that search identified only one user, and that user was the suspect in this case. It was
later traced to Mr. Saunders, the man who has now been apprehended.
Yeah, and it was an additional subpoena that they then went to T-Mobile,
the mobile provider, to get the records associated with that number that Google had tracked.
Yes, and they were able to identify that it was the suspect who owned that mobile device.
So, you know, this is very strong detective work here. And obviously, these are heinous alleged crimes. And a lot of really groundbreaking and well-executed police
work was done here to apprehend the suspect, making use of the digital tools at our disposal.
Geofencing, being able to trace somebody's cell phone, and the use of public surveillance, things like the camera in the
school parking lot and a separate camera at a city gas station. And when you piece that video footage together with geofencing, you know,
it becomes a very effective way to solve a case like this.
One of the reasons I wanted to highlight this on our show is that when you and I talk about
these sorts of things, the capabilities of these kinds of surveillance, I think it's very easy for us to
kind of sniff at them and say, you know, it's too much. I think the appropriate civil liberties
concerns. In this case, you've got a combination of all these surveillance things and could be
used to solve some terrible crimes. Yeah. I mean, I think that's important for us always to remember is, you know, you never want to have a system of surveillance where you inadvertently collect information from innocent people.
and on the Caveat podcast is when the tools become too intrusive and broad and encompass unnecessary amounts of collection and information, then it really can violate people's civil
liberties.
But the other side of that equation is we have somebody here who's a serial rapist who
potentially would threaten other victims.
And law enforcement was able to apprehend this individual because of these technological tools.
So the tools really can be used for both good and evil.
And I think it's appropriate for us to recognize the circumstances when they are used for something
that's good, for something that's valuable.
Yeah.
All right.
Well, again, it's from The Baltimore Sun,
written by Jessica Anderson.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced
in Maryland out of the startup studios of DataTribe
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing Cyber Wire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carole Theriault, Ben Yelin,
Nick Vilecki, Gina Johnson, Bennett
Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.