CyberWire Daily - Microsoft considers acquiring TikTok. The US considers other Chinese companies as potential security threats. Charges in the Twitter hack. DDoS turns out to be a glitch. Garmin hack update.
Episode Date: August 3, 2020
Microsoft is in talks to acquire TikTok as the US hints that it may be considering action against other Chinese software companies. Three young men have been charged in the Twitter hack. An apparent distributed denial-of-service attack turns out to have been a glitch. We welcome Verizon's Chris Novak to the show. Rick Howard talks incident response. And updates on the Garmin hack suggest shifts in the ransomware threat. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/149
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Microsoft is in talks to acquire TikTok
as the U.S. hints it may be considering action
against other Chinese software companies.
Three young men have been charged in the Twitter hack.
An apparent distributed denial of service attack turns out to have been a glitch.
We welcome Verizon's Chris Novak to the show.
Rick Howard talks incident response.
And updates on the Garmin hack suggest shifts in the ransomware threat.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 3rd, 2020.
Microsoft said yesterday that it was in continuing talks to acquire TikTok, the social platform currently owned by Chinese firm ByteDance.
The company attributes its decision to talks between its chairman and
U.S. President Trump. Quote, following a conversation between Microsoft CEO Satya Nadella
and President Donald J. Trump, Microsoft is prepared to continue discussions to explore
a purchase of TikTok in the United States. End quote. Reuters has reported that ByteDance has agreed to divest its holdings in TikTok to a U.S. owner.
The announcement came after the president's statement Friday reported in the Washington Post
that he intended on security grounds to ban TikTok from operating in the U.S.
The security issue arises because of the large quantity of personal information the company collects on its users,
including their connections with other users.
TikTok is unlikely to be the last Chinese software firm to face restrictions on its ability to operate in the U.S.
According to the Los Angeles Times,
Secretary of State Pompeo has suggested that other firms will soon be receiving similar close scrutiny.
U.S. federal prosecutors have charged three youths in connection with the Twitter hack. Graham Ivan Clark, age 17, of Tampa, Florida,
Mason Shepard, 19, of Bognor Regis, England, and Nima Fazeli, 22, of Orlando, Florida,
are the three under indictment. The U.S. Attorney for the Northern District of California
declined to name Mr. Clark because of his age,
but his arrest has been so widely reported
by the press in Florida and elsewhere
that there seems little point
in finessing the identification at this point.
The three are alleged to have made contact with one another in the OGusers forum and then to have fraudulently persuaded Twitter employees to yield credentials that enabled them to impersonate high-profile Twitter users in a Bitcoin scam.
The specific charges are as follows.
The young English gentleman, Mason Shepard, age 19, who goes by the hacker name Chaewon, is charged with federal counts of conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.
Mr. Shepard's alleged colleague, Nima Fazeli of Orlando, Florida, who goes by the handle Rolex,
and at the advanced age of 22 is, relatively speaking, the gray beard among the accused,
was charged with aiding and abetting the intentional access of a protected computer.
The third defendant is the 17-year-old Graham Ivan Clark of Tampa.
According to the U.S. Attorney for the Northern District of California,
quote,
Pursuant to the Federal Juvenile Delinquency Act,
the Justice Department has referred the individual to the state attorney
for the 13th Judicial District in Tampa, Florida.
The Tampa Bay Times says that Master Clark's bail was set Saturday at $725,000.
Described as the mastermind of the Twitter social engineering and the Bitcoin scam it was allegedly designed to enable,
Master Clark faces 30 Florida state counts related to the incident,
17 counts of communications fraud,
11 counts of fraudulent use of personal information,
and one count each of organized fraud for more than $5,000
and accessing a computer or electronic device without authority.
Florida prosecutors intend to charge him as an adult in what they're calling the BitCon case.
ZDNet has a timeline of the investigation.
It appears that the FBI tracked online activity in Discord and OGusers until they came to points where the three accused used either their real identities or their home IP addresses or both.
Krebs on Security describes how the trio attempted some misdirection with chatter, but they'd probably have been better advised to keep a lower profile.
The difficulty of attribution is a familiar problem.
If you're hit with a cyber attack, it can be, and usually is, hard to tell who the attacker is.
The Feds moved quickly on the people they think responsible for the Twitter hack, but that's the exception, not the norm.
But there's a prior problem.
Before you attribute an attack to a threat actor,
it's good to know that actually you've come under attack.
That's not always clear.
There are problems and outages that can look like an attack, but aren't.
An example of that occurred over the weekend in Australia, where The Guardian reported that Telstra said its users were hit Sunday with a distributed denial-of-service attack.
Service had been disrupted in much of the eastern part of the country.
The problems extended to some major cities, Melbourne, Sydney, and Brisbane among them.
Only, it wasn't so.
It turned out that while there were outages, there was no attack.
Telstra backtracked on its diagnosis soon after it made it.
A few hours after warning of the attack, the company announced that it had determined that it was a domain name server issue.
The Islander quotes company representatives as saying, "The massive messaging storm that presented as a denial-of-service cyber attack has been investigated by our security teams, and we now believe that it was not malicious but a domain name server issue.
We're really sorry for getting in the way of your weekend plans."
The problems were resolved by 2:30 in the afternoon local time.
Bleeping Computer confirmed Saturday that Garmin indeed obtained a key for WastedLocker.
The outlet says that it knows of no way Garmin could have obtained the key other than by paying the ransom the hacker demanded, the hacker widely believed to be the Russian-based Evil Corp gang.
Wired sees the Garmin attack as a disturbing harbinger of more to come.
The gangs appear to be hitting more sophisticated, richer, and better protected targets,
and they're asking for an order of magnitude more ransom.
There are some implications for election security as well.
Both the U.S. Departments of Justice and Homeland Security
have warned of the disruptive effects on election systems that a ransomware attack can have.
And joining us once again with a preview of his CSO Perspectives podcast is our own Rick Howard,
the CyberWire's chief analyst and chief security officer.
Rick, welcome back.
Hey, Dave.
So this week you are covering a topic that I find endlessly fascinating, and I'm not being sarcastic there.
I'm being sincere, and that is incident response.
Take us through how you're coming at this this week.
Well, here's my big, fat, hot take.
All right, you ready for this?
Yeah.
Incident response is not rocket science, okay?
Okay.
Now, if you look at the documents that NIST have put together, they put a couple of them together.
This is the National Institute of Standards and Technology.
Right.
And they say, you know, you only have to do five things for incident response.
You plan, you detect bad guys, you respond to it, and then you communicate what you did and then do a postmortem so you do it better the next time.
That sounds pretty simple, right?
But the complicated part, though, is managing all the pieces within your organization.
That's where it starts to get a little tricky, right? Because it turns out that if there's something material to the business going on, some penetration, right, somebody in the organization has to coordinate all these activities across multiple functions of the company. Because as soon as the technical teams discover that it's real, as opposed to maybe it's real, right? All right, now we're talking lawyers, we're talking PR people, we're talking finance people. Everybody has a say about how to do this, right? And it turns out that most CISOs, they don't own most of those functions in terms of responsibility, right? And that's a big deal, right? That's a huge deal. In fact, in most cases, they're pretty much low man on the totem pole for these kinds of things.
So it is difficult to coordinate that when you're not the one in charge of everything.
But I was talking to an old friend of mine.
His name is Jerry Archer.
He is the CSO of Sallie Mae Bank.
He's been there for 11 years.
And I talked to him or convinced him to sit down at the hash table with me to discuss,
you know, how he does incident response. And I discovered that his organization is unique
and will probably be the envy of every CISO in the business, right? Because he owns the entire
security function inside Sallie Mae, and he built it that way from scratch when he first started.
So let me run a clip from him.
Here's what he said.
The organization that's under me is basically a converged security organization that has
both physical and logical security merged into one organization.
So we manage everything security related for the firm.
One of the things that's probably most interesting about that model, as we're going to talk about in incident response, is that because we have a converged security organization, we have a very robust capability. We use a lot of our physical security guys as part and parcel of our incident management scheme.
So the converged organization works very well in that incident management or incident response kind of a scenario.
We early on, Rick, created a strategy that we called aggregate, automate, and accelerate.
And so the theory of the case that we presented to executive management
and got buy-in to early on was the
idea that we needed to leverage scarce security resources. So a lot of resources associated with
security are very scarce, hard to find, hard to keep. And so we said, look, we need to aggregate
everything security so we can take advantage of that. So that was the aggregation part. And again, we got synergies from both sides working together in a holistic manner to create a strong security presence in the firm.
We wanted to automate.
So again, we could use the tools that were, you know, all the tools that we could find to heavily automate our environment, take advantage of the automation to get rid of
routine kinds of work and focus on more relevant things and strategic things versus just doing
the arms and legs works every day.
And then the idea was accelerate by doing all those first two things.
It gave us the ability to accelerate
and keep up with the business
as the business changed
and new products evolved and so forth.
So that was how we sold it to the organization.
And I think it's worked very well since then.
Now, his strategy of aggregating,
automating and accelerating
was way ahead of its time.
And it's so compelling that when he told his board that's what he wanted to do, they gave him permission to do this.
So it's really amazing stuff.
You know, I have to ask you, Rick.
I mean, my perception on incident response is that, I don't know, almost, I guess it's almost funny to say it, but it seems to me like your
success in responding to an incident is directly proportional to your amount of pre-planning for
the incident. Is that accurate to say? It absolutely is. And you can look at some of the
public incident responses, you know, things we've seen in the news. And we all can sense the companies that are doing it wrong
because they appear to be fumbling.
Like this is the first time they've ever considered it,
that they might have to explain this to the public.
And then there's other companies that do it completely right.
You know, they're rolling it out and it seems, oh yeah, that sounds reasonable.
And the news kind of goes away.
So the reason those companies are good at it is
that they've actually practiced. And that's one of the things we talk about in the show, that you
need to have very simple exercises where you run your executives through potential scenarios,
not so they can do it verbatim, but so they're not being exposed to it the first time when the
big crisis happens. Yeah. All right. Well, at CSO Perspectives, it is part of CyberWire Pro.
Do check it out.
Rick Howard, thanks for joining us.
Thank you, sir.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cozy up with the familiar flavors of pistachio or shake up your mood with an iced brown sugar oat shake and espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined by Chris Novak. He is the director of the Verizon Threat Research
Advisory Center. Chris, it is great to have you on board.
We're excited to have you join us as a partner here along with Verizon.
Welcome to the Cyber Wire.
Thanks. Happy to be here.
So before we get going, just figured we'd use this first opportunity together to get to know you a little bit,
let our audience learn a little bit about you.
Can you take us through your career journey? How did you get your start and what led you to where you are today?
Sure. Yeah. So kind of an interesting journey indeed. I actually started with an electrical engineering background, playing with hardware, circuit design, things like that, and started out there after moving into industrial control systems and operational technology, and then eventually going into the IT and IT security side. And the whole cybersecurity aspect really just fascinated me. And so from there, I kind of went into the journey of helping organizations build security apparatus for their IT infrastructure. And as things went on, organizations started recognizing, hey, something looks funny with my website. Looks like someone might have defaced it. Let's do an investigation. And then that led to the growth of incident response. And I'm actually one of the co-founding members of the incident response team here at Verizon and, you know, help organizations all around the world deal with, you know, incidents of various, you know, shapes and sizes from financial fraud to theft of intellectual property to, you know, cyber espionage and terrorism.
And it really has kind of just taken off into an interesting journey down the incident response and digital forensics and threat intelligence side of things ever since.
And it's just been an exciting journey.
Can you give us some insights? What does having the resources of an organization like Verizon behind you bring to bear in terms of the capabilities that you and your team are able to bring to the table?
Yeah, it's a really interesting aspect. So actually, before I came to Verizon, I worked at an organization called Cybertrust. Verizon acquired them in 2007.
And initially, the reaction a bunch of us had was, we're being acquired by a telephone company.
And then we started looking at it going, whoa, we're being acquired by a telephone company.
This company has access to all sorts of interesting resources.
And one of them being, you know, a giant portion of the internet backbone.
Think about that from an incident response standpoint. If you can actually see what's happening on the internet, the way I describe it to people who don't quite get it is, if you've ever seen the movie The Matrix, that point where you can suddenly start to see how it all fits together. And I tell people, when you have access to the internet backbone and you're doing incident response, you can start to see how packets flow in ways to places from places that if you didn't actually have optics into the backbone itself, you'd really be missing a big piece of the picture. So that's honestly been a fantastic and exciting part of kind of the interesting capabilities and resources that we can really bring to bear when we do an incident response or when we're researching something from a threat intelligence perspective.
And so what is your day-to-day like these days? What sort of things keep you busy?
Everything. Ransomware has been a big thing on the rise. I think everyone has seen quite a bit of that.
In fact, we produce our annual data breach investigations report, and we saw so many ransomware cases just in the last year.
It actually had almost a skewing effect in the data.
We had to actually produce some of the charts that show this is what it looks like if you include ransomware in the data, and this is what it looks like if you exclude it, depending on, you know, what your threat model looks like. But then we also see a fair amount of, you know, everything from your credit card breaches to, you know, your, like I said, intellectual property theft. And then also, you know, as it relates to things like, you know, COVID, there's obviously a lot of new and interesting angles in which we're seeing organizations be targeted from a, you know, purely from a social engineering as well as, you know, phishing perspective.
All right. Well, Chris Novak, welcome to the Cyber Wire. We're looking forward to continuing discussions with you.
of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow. Thank you.
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.