CyberWire Daily - More data breaches. DPRK spearphishing. DoJ IG sees problems in FISA warrant processes. Houseparty updates. Huawei sanctions. And notes about the pandemic.

Episode Date: April 1, 2020

Marriott discloses a major data breach. Another insecurely configured Elasticsearch database is found, this one belonging to a secure cloud backup provider. More spearphishing from Pyongyang. The US Justice Department IG sees systemic problems in the FISA warrant process. Updates on the Houseparty affair. Huawei suggests that Beijing will retaliate against more sanctions from Washington. And more COVID-19 notes concerning the cyber sector. Joe Carrigan from JHU ISI on Safari blocking third-party cookies; guest is Monzy Merza of Splunk on becoming an InfoSec leader. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_01.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Marriott discloses a major data breach. Another insecurely configured Elasticsearch database is found, this one belonging to a secure cloud backup provider. More spear phishing from Pyongyang.
Starting point is 00:02:07 The U.S. Justice Department IG sees systemic problems with the FISA warrant process. Updates on the Houseparty affair. Huawei suggests that Beijing will retaliate against more sanctions from Washington. And more COVID-19 notes concerning the cyber sector. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 1st, 2020. Marriott International yesterday disclosed that it had sustained a data breach that affected as many as 5.2 million guests. No pay card, passport, or other identification document data were taken,
Starting point is 00:02:53 but the hospitality company says that personal customer contact information, like names, mailing addresses, email addresses, and phone numbers, loyalty account information, partnerships and affiliations, and preferences, what guests wanted in a room, what language they preferred to speak, were all compromised. The company's investigation concluded that login credentials of two employees at a franchise property were used to access the data. The improper access is thought to have begun in January and was discovered at the end of February. Guests whose information was compromised are said to have been notified by email. Researchers at vpnMentor report finding a data leak at SOS Online Backup. The secure cloud backup provider is thought to have exposed more than 135 million customer records.
Starting point is 00:03:39 The exposure was traceable, the researchers say, to a misconfigured Elasticsearch database. Security firm ESET is describing a spear phishing campaign run by North Korea's Geumseong121 threat group, Computing reports. The operators are going after people, people in South Korea mostly, who are interested in North Korean refugees and North Korean politics in general. This is the operation ESET has called Operation Spy Cloud after the group's use of Google Drive and pCloud to prospect its victims. Geumseong121 is associated with Thallium, APT37, and Reaper operations, and ESET thinks that the APT's reappearance represents an attempt to re-establish itself
Starting point is 00:04:23 after Microsoft's takedown of some 50 malicious domains it had used in earlier campaigns. The U.S. Justice Department Inspector General has released the report on the FBI's conduct with respect to the Foreign Intelligence Surveillance Act. The decidedly starchy report found that conduct not only distinctly wanting, but also of long duration. Problems with the Bureau's handling of FISA matters predate the 2016 U.S. elections. The IG was particularly concerned about the way the Bureau handled requests for FISA surveillance warrants.
Starting point is 00:04:57 The findings in the latest report go beyond the 17 issues the IG surfaced in the earlier look at Operation Crossfire Hurricane, and they suggest that there are deeper systemic issues with the FISA process, quite independent of any agents' or officials' biases, commitments, or individual misconduct. The systemic issues largely come down, apparently, to insufficient and defective oversight of the process itself. Institutional weaknesses, the Washington Post calls them. TechCrunch has an update on the Houseparty affair. No breach, no evidence yet of conspiracy,
Starting point is 00:05:32 but the customary privacy concerns any free service brings. Houseparty collects a great deal of information about its users, and it describes what it does with that information in what TechCrunch describes as a 12,000-word privacy policy. It need hardly be said that many users of an online hangout will not attend to the details of a service's data handling policies with the same care they might give to, say, the closing documents in the purchase of a house. In any case, Houseparty does promise to anonymize and aggregate the data it collects, and there's no reason to doubt its sincerity of purpose.
Starting point is 00:06:07 But data can be toxic, and privacy hawks are made skittish by this kind of collection. The U.S. is considering imposing stiffer restrictions on Huawei, ones that would cut the Chinese manufacturer off from its U.S. chip suppliers. Wired worries that the main effect of such restrictions would be to jumpstart a domestic Chinese chip industry. But Huawei has worries of its own about the sanctions. These are sufficiently troubling that it moved the company's rotating chairman, Eric Xu, to tell CNBC that, quote, the Chinese government would not sit there and watch Huawei being slaughtered, adding, I do believe there would be countermeasures.
Starting point is 00:06:46 The COVID-19 pandemic continues to draw scammers along in its wake. Everything from bogus cures to phishbait to pranks pulled for the lulz are accumulating at what the Washington Post calls unprecedented numbers. One index of how widespread the fraud is may be seen in figures the U.S. Federal Trade Commission reported yesterday. Complaints about coronavirus scams the FTC has received so far this year doubled over the course of a single week. Quote, The top categories of coronavirus-related fraud complaints include travel and vacation-related reports about cancellations and refunds, reports about problems with online shopping,
Starting point is 00:07:26 mobile texting scams, and government and business imposter scams. In fraud complaints that mention the coronavirus, consumers reported losing a total of $4.77 million, with a reported median loss of $598. It's hard to believe it's been only a few short weeks since many of us gathered together at the 2020 RSA conference. A lot has changed since then, and I'd wager it's safe to say most of us look forward to having the option of getting together face-to-face to catch up and talk shop. Monzy Merza is VP of Security Research at Splunk, and always interesting to catch up with. We spoke at RSA. of cloud application services and how that permeates through their operation on a day-to-day basis.
Starting point is 00:08:25 How does something that happened in the cloud affect what happens on-prem? How does something that happens on-prem affect what's happening in the cloud? And so that sort of really dynamic, non-traditional security operations is top of mind for customers. I mean, I know Splunk says data do everything
Starting point is 00:08:41 and our customers are very much in that loop to say it is data do everything. It's not just about data from a firewall or an endpoint, traditional security things. It's all the things, apps, services, cloud infrastructures, on-prem infrastructure. And of course, a lot of that is being underpinned now with the expansion and really the reality of practical AI and machine learning. And so those are really the things on top of mind for customers.
Starting point is 00:09:06 Looking forward, as the industry continues to evolve and mature, how do you see things sort of settling out, this distillation process? You know, the companies that are all offering services, the tools themselves. What's in your crystal ball as we look towards the future?
Starting point is 00:09:25 I break it down into maybe three layers in my head. The first one is I think companies who are focused on platforms are really the ones who are going to be a key player in the future and be able to serve their customers better. So one is going to be the platform component. I think the second component is going to be companies that are really, really focused on large scale without kind to call the consumerization of security operations or the consumerization of security analytics. I think whoever takes those three approaches is going to have success. And when we dive deeper,
Starting point is 00:10:17 some of these are actually in conflict with each other just a little bit. But let me break it down a little bit as to why I believe that. So first on the platform side, you have to have these platforms because there is this explosion, everything from cloud and apps and services, on-prem, lots and lots of different point products.
Starting point is 00:10:31 And all this data has to be collected. All these things have to be connected to each other and bidirectionally from an automation orchestration point of view or detect investigator response point of view. So if you don't have a platform, if you're just doing a point thing, then you're not going to be very successful because the world is pretty complex now. And I guess it always was.
Starting point is 00:10:50 We're seeing more of it now. On the second layer of really being data agnostic is this ability to bring things in so that the user doesn't necessarily have to concern themselves with it. Because if you can't do that, then the user's constantly going to get stuck. There's going to be low time to value, essentially, and you're not going to survive. And the third
Starting point is 00:11:07 thing around consumerization is people are going to work where they're going to work. This whole notion that I'm going to go into a SOC and do something, we're a very mobile planet now. There's a lot of things that we do. Things have to be easier to achieve and easier to understand and easier to use even on a mobile platform. So that consumerization has to come into play so people can be more people-like. And so companies that focus on those types of capabilities are really going to do well. That's Monzy Merza from Splunk.
Starting point is 00:11:33 Remote work solutions are seeing very heavy use, according to The Verge. Comcast reports that voice and video calls have risen 212% during the current period of self-isolation. Seeking Alpha thinks that Akamai, with its content delivery and cloud security solutions, is particularly well-placed to serve the needs of teleworking enterprises during the emergency. Zoom has also seen a sharp increase in usage, but the attention the teleconferencing solution is receiving continues to be decidedly mixed.
Starting point is 00:12:04 TechCrunch reports that researcher Patrick Wardle has found two local security flaws in Zoom's macOS client. The pandemic has put a stop to at least one major acquisition attempt. The Wall Street Journal reports that Xerox has given up its attempted purchase of HP, for the duration at least, and quite possibly for good. The hostile takeover involved both a $30 billion tender offer and a proxy fight. It is, the journal observes, a cautionary tale of the effect the pandemic is having on large-scale M&A activity. The cybersecurity sector continues to seek to do its part in the crisis,
Starting point is 00:12:43 offering security for health care organizations very much at risk from conscienceless criminals, and secure, reliable connectivity for emergency medical facilities. The emergency has also, of course, affected daily life in many ways, beyond the immediately obvious social distancing and sheltering at home. And Reuters says that Saudi authorities have urged Muslims to defer the Hajj, normally scheduled for July, until the pandemic has passed. The kingdom has already suspended
Starting point is 00:13:12 the year-round Umrah pilgrimage. Jewish communities are observing Passover under unusual circumstances, and Christian churches are doing the same at Easter. As the Baltimore Sun quotes one religious leader, we can't meet, but we will gather. Take care, stay safe, and stay healthy.
Starting point is 00:13:38 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:14:16 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:14:59 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:15:36 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave.
Starting point is 00:16:06 We're looking at a story today from the Naked Security blog by Sophos, and this is Apple Safari now blocks all third-party cookies by default. What's going on here? That's fantastic. So a third-party cookie, when you go to a web page, you are, I guess, the first party, and the website you're visiting is the second party, right? And that website can have little bits of HTML of itself that allow the loading of another party's cookies, third party cookies. And this is how all the tracking happens is through third party cookies. Facebook does this a lot. Google does this a lot. Amazon does this like crazy. In fact, the other day I was buying an onboard diagnostic reader, right? So I searched for onboard diagnostic
Starting point is 00:16:50 reader and as you do, as you do, right. And everywhere I go now, there's an ad for an OBD2 reader on every webpage I load. Right now, here's the funny thing. I've already bought it from, from advanced auto parts. I, because Amazon right now can't promise delivery very quickly, and I needed it because my wife's car had an engine code on it. So I ran out and bought one. These large data brokering companies get access to the data that allows a dossier of you, of every internet user to be built that is remarkably good. And now Safari is going to stop allowing those third-party cookies by default. Now, Firefox has already been doing this since September of last year, 2019. And, of course, the Tor browser has been doing this since its inception, right? From the get-go, yeah. But the Tor browser is terribly, terribly slow.
Starting point is 00:17:52 So if you're going to use a mainstream browser, it's actually not a mainstream browser. It uses the onion routing network, which is why it's slow. So if you're going to use a mainstream browser, now you have another option. You have Safari and you have Mozilla. There's also the Brave browser, which blocks most of these third-party cookies. In January of this year, Google announced that it would gradually kill third-party cookies in Chrome over the course of the next two years. Now, Dave, I make no secret about this. I'm a Google services user. I have an Android phone. I'm looking at this article right now on my Chrome browser. I may very well migrate to Firefox over this. How come? Because I think that Google has a real conflict of interest here. I think that there is a, you know, because they are in fact, one of the biggest users of these third-party cookies.
Starting point is 00:18:41 That's how they make a lot of their ad revenue. So why would I expect them to expeditiously move towards killing these third-party cookies in Chrome? Well, and the fact that they're saying they're going to kill it off over the course of two years, which certainly in tech terms is an eternity. That is an eternity. Two years from now, the internet will be a very different place.
Starting point is 00:19:03 It's interesting that Apple has made this move and that it seems like things are headed this way and that perhaps it's considered a competitive advantage. I would think it is a competitive advantage. I don't know if I can use Safari on Windows. I don't think they make any Windows products over at Apple. Yeah, I mean, Apple used to make a version of Safari that would run on Windows, and I suppose you could still go find an old version, but they haven't updated that in a while. So not really an option on the Windows side of things. I would not advise anybody go out and use an unsupported piece of software, particularly as a web browser. I mean, that's just asking for trouble. Yeah.
Starting point is 00:19:39 Right? If it's not supported anymore and somebody finds a vulnerability in an old version, that's going to suck for you. Okay. Fair enough. All right. Joe Carrigan, thanks for joining us. It's my pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:20:06 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:20:59 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:22:06 Your business needs AI solutions that are not only ambitious, uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.