CyberWire Daily - Ransomware hits Equinix. Tools for vandalism for sale. Stealing VoIP call data records. ByteDance negotiates for TikTok. EU clamps down on Facebook data handling. A high-profile Twitter hijacking.
Episode Date: September 10, 2020
Ransomware hits a major data center provider, but appears to have left service unaffected. There's a thriving criminal market for website defacement tools: vandals can be consumers, too. CDRThief does what its name implies. ByteDance tried negotiating TikTok's American future. Ireland's Data Protection Commission starts enforcing Schrems II against Facebook. Awais Rashid outlines software development security pitfalls. Our guest is John Morello from Palo Alto with insights from their new State of Cloud Native Security report. And China's ambassador to the UK has his Twitter account hacked. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/176
Transcript
You're listening to the CyberWire Network, powered by N2K.
Ransomware hits a major data center provider but appears to have left service unaffected. There's a thriving criminal market
for website defacement tools.
Vandals can be consumers too.
CDR Thief does what its name implies.
ByteDance tried negotiating TikTok's American future.
Ireland's Data Protection Commission
starts enforcing Schrems II against Facebook.
Awais Rashid outlines
software development security pitfalls.
Our guest is John Morello from Palo Alto with insights from their new state of cloud native security report.
And China's ambassador to the UK has his Twitter account hacked.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 10th, 2020.
Ransomware continues to hit large and potentially lucrative markets.
Late yesterday, the data center giant Equinix disclosed that it had sustained a ransomware attack. The company said that the incident, which it says left its customers' data and operations untouched,
"involves ransomware on some of our internal systems."
ZDNet says that Equinix's statements to the effect that customers haven't been impacted
seem correct. In any case, there are no reports of service outages, and the usual drumfire of
social media complaints about problems hasn't begun. The company is working with law enforcement
to investigate the incident.
Comparitech's look at the cyber underworld and its criminal markets has led it to conclude that some 86 vulnerabilities in content management systems affecting more than 100,000 sites are being actively traded.
Many of the vulnerabilities are zero-days, and they're exploited for the most part in website defacement attacks.
Defacement is common, Comparitech thinks, because hackers want to count coup.
They want to be noticed.
Researchers at security firm ESET this morning released a study of CDRThief,
malware that attacks certain Chinese-manufactured voice-over-IP switches.
CDRs are call detail records, data like caller and callee IP addresses,
starting time of the call, call
duration, calling fee, and so on. CDRThief, as its name suggests, is an information stealer.
ESET doesn't know for sure what the spyware's purpose is, but the fact that it exfiltrates
sensitive information, including metadata, suggests to the researchers that it's probably a cyber espionage tool.
It could also be used for voice-over-IP fraud, specifically for international revenue share fraud,
a scam in which grifters get access to an operator's network in order to bring traffic
to phone numbers they've obtained from an international premium rate number provider.
The Washington Post says that ByteDance, TikTok's corporate parent,
is in discussions with the U.S. government to determine if U.S. security concerns can be
allayed by anything short of the sale of much of the social platform to American companies.
It's unclear what alternative arrangements might satisfy the U.S. government,
but ByteDance's general line appears to be that banning TikTok
will have unintended, unexpected, and undesirable consequences. One of those alleged consequences
seems to be, surprisingly and counter to general impressions, that TikTokers tend to skew
conservative, and that a ban would leave the social media field open to progressives.
That's ByteDance's story, anyway.
Ireland's Data Protection Commission,
the EU's one-stop GDPR shop for many American companies,
has told Facebook to stop transferring data
about its European users to the US,
the Wall Street Journal reports.
The directive was issued pursuant to the July ruling
by the European
Court of Justice that invalidated the Privacy Shield arrangement between the EU and the US.
And finally, the Twitter account belonging to Liu Xiaoming, China's ambassador to the United
Kingdom, was apparently hijacked earlier this week, the BBC reports. Mr. Liu's account displayed
likes that included tweets
highly critical of Beijing's repressive policies
towards several of its domestic groups and regions.
The false tweets also link to what we must call,
for SEO reasons and also because we're a family show,
saucy adult content video.
None of this has figured in Ambassador Liu's social media presence,
so the claim that
his account was hijacked seems pretty clearly to be true. China's embassy in London yesterday
denounced the hijacking, they called it the work of anti-China elements, and called for Twitter to
investigate. The embassy tweeted, quote, Recently, some anti-China elements viciously attacked
Ambassador Liu Xiaoming's Twitter account
and employed despicable methods to deceive the public.
The Chinese embassy strongly condemns such abominable behavior.
End quote.
A follow-on tweet said, sounding a bit like a Shadow Broker bucking for employee of the month,
quote,
The embassy has reported to this Twitter company and urged the latter to make thorough investigations and handle this matter seriously.
The embassy reserves the right to take further actions and hope that the public will not believe or spread such rumor.
End quote.
Some of the tweets Mr. Liu was represented as liking were straightforward political attacks on Beijing's record
with respect to the repression of Uyghurs, Hong Kong,
Tibetans, and so on. The tweeted responses to the embassy's denials, harrumphing and calling
for redress of grievances, tended to be at least literally sympathetic, offering support for Mr.
Liu's leisure-time appreciation of adult content, evidently something to do with feet, it seems.
They urged the ambassador to own it and not to feel pressure to deny a hobby that, some of the tweeters implied, they themselves might be given to enjoy.
One tweeter did express concern.
Looking at adult foot content may be fine as an avocation, but doing so on government time with government equipment is problematic to say the least and should be looked into by HR or somebody. It's hard to tell when someone's being ironic, but there does seem to be
some such intent gurgling around all this intentionality. The few who expressed unalloyed
support for the Chinese government were not so sure. They may really mean the outrage they
express about British lies
and propaganda slandering the People's Republic. Some of them went so far as to say they intended
to write their MP to complain. Takes all kinds, right? Upon regaining full control of his account,
Mr. Liu confined his response to a proverb, a good anvil does not fear the hammer. Well, of course it doesn't.
It's always the anvil that breaks the hammer,
not vice versa.
The anvil's always good to go.
John Morello is VP of Product Container and Serverless Security at Palo Alto Networks.
He comes to us with insights from their latest report on the state of cloud-native security.
Well, I think one of the goals we had, probably the primary goal we had, was just to understand not why cloud is being adopted, but how cloud is being secured as it is adopted.
And I think there's no argument at this point that cloud is both sort of the present state as well as the future state for the majority of most organizations, infrastructure, and applications.
And there's been a lot written about people were concerned about security
and hadn't moved to the cloud because of that.
But I think over the past few years, that's really declined as you've seen the providers and just the industry itself.
Well, I mean, based on the information you've gathered here, based on those insights,
what sort of recommendations do you have for folks to get a better handle on all this?
Well, one of them I think is, and we saw this reflected in the data as well, is to really start thinking about security as not something that happens once you deploy your application or you turn on that service,
but instead something that needs to be there from the very beginning of your design and development of that application.
You know, this notion of shift left that I'm sure you've heard of or DevSecOps or DevOps.
I mean, they're all kind of different flavors of the same general philosophy, which is I
want to make sure that I don't first evaluate an application or a service for security the
day that the developer actually turns it on in production.
Instead, I want to make sure that as I'm designing and building that service, that those security guardrails are built into it from the very beginning.
And a very common basic example of that is every time I'm building my application, every time I'm creating a new container image, for example, that runs that application,
I want to make sure that every one of those build jobs includes an assessment of that application for vulnerabilities and compliance and configuration.
So if there is a problem, I can notify the developer right then and there,
and they can fix that problem before it ever goes into production.
In the old world, if I wanted to run an application with five servers or something,
some dude went into the data center and physically racked five pizza boxes or something and cabled them together.
That was the way that it was done.
Well, now, of course, with cloud providers, not only are you not touching physical hardware,
but in most cases, you're not, or at least you should not, be going through some kind of graphical user interface
and pointing and clicking, the things where people can make mistakes and have insecure configurations.
Instead, you want to declare what that infrastructure should look like.
Again, in Terraform or Ansible or Puppet or any one of these other tools that are very common today.
And using that declarative way to say this is what the infrastructure should be.
And when you do that, not only do you have a guaranteed more consistent end result,
but you also have the opportunity to have a much more secure
configuration because similar to the way that we just talked about being able to scan that
application software that's being built by the developer, so too can you scan the
infrastructure as code template that's being used to declare the infrastructure. So for example, you could say
when somebody's deploying this app that has that S3 bucket, as part of that CloudFormation template,
I want to make sure that that S3 bucket is not configured for anonymous access. And as part of that same
deployment or build job, you can check that infrastructure as code in just the same manner
that you check the application code that you've authored as well. That's John Morello from Palo Alto
Networks.
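The guardrail Morello describes at the end of that segment, a build job that fails when an infrastructure-as-code template declares an S3 bucket open to anonymous access, as an added example. This is not code from the podcast or from Palo Alto Networks; it is a stdlib-only Python check over a CloudFormation template in JSON form (a YAML template would first need a parser such as PyYAML), and the template, resource names and findings format below are constructed for illustration. It flags canned ACLs that grant access beyond the owner, PublicAccessBlockConfiguration settings that are missing or false, and bucket policies that Allow Principal "*" with no Condition.

```python
"""Build-time check: reject CloudFormation templates that declare public S3 buckets.

Added example, not the podcast's or Palo Alto's tooling. Stdlib only; the
template is parsed from JSON so it runs offline. All names are constructed.
"""
import json

# Canned ACLs that grant read or write access beyond the bucket owner.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# S3 Block Public Access only fully protects a bucket when all four are true.
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, including "*" inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _bucket_policy_is_public(policy_doc: dict) -> bool:
    """An Allow statement for an anonymous principal with no Condition is public."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    return any(
        st.get("Effect") == "Allow"
        and _principal_is_anonymous(st.get("Principal"))
        and not st.get("Condition")
        for st in statements
    )


def find_public_buckets(template: dict) -> list:
    """Return one finding string per problem; an empty list means the template passes."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        acl = props.get("AccessControl")
        if isinstance(acl, str) and acl in PUBLIC_ACLS:
            findings.append(f"{name}: AccessControl {acl} grants access beyond the owner")
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not isinstance(pab, dict):          # e.g. an intrinsic function; treat as unset
            pab = {}
        missing = [k for k in BLOCK_KEYS if pab.get(k) is not True]
        if missing:
            findings.append(f"{name}: PublicAccessBlockConfiguration not fully enabled "
                            f"({', '.join(missing)})")
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        bucket = props.get("Bucket")
        if isinstance(bucket, dict):           # {"Ref": "LogicalName"}
            bucket = bucket.get("Ref", json.dumps(bucket))
        if _bucket_policy_is_public(props.get("PolicyDocument", {})):
            findings.append(f"{name}: policy on {bucket} allows Principal * with no Condition")
    return findings


# Constructed sample: one bucket that should fail the build, one that should pass.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PublicAssets": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "PrivateLogs": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        }
      }
    },
    "PublicAssetsPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "PublicAssets"},
        "PolicyDocument": {
          "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-public-assets/*"}]
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    problems = find_public_buckets(SAMPLE_TEMPLATE)
    for line in problems:
        print("FAIL", line)
    raise SystemExit(1 if problems else 0)   # non-zero exit fails the build job
```

Run against SAMPLE_TEMPLATE the script reports three findings, all on PublicAssets and its policy, and exits 1; PrivateLogs, with all four Block Public Access settings true, produces none. The same function can be wired into a CI step alongside the application scan Morello mentions, so a developer sees the failure on the pull request rather than after deployment.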
And joining me once again is Professor Awais Rashid.
He's a professor of computer science at Bristol University.
Awais, it's great to have you back.
I want to talk today about some of the security pitfalls
that teams need to avoid in the process of software development.
What can you share with us today?
So software lives at the heart of our societal fabric.
You know, all sorts of systems that we use
are built on the software from, you know,
from your cars to your Hoovers to, for example,
the online communication systems that we are all relying on
during this pandemic.
And of course, you know, there is a lot of awareness
about vulnerabilities in software,
and there is lots of advice around as to how do you fix typical security bugs.
So, for example, there is the OWASP Top 10,
which talks about the top 10 typical vulnerabilities
in software and how to mitigate against them.
But I think one of the things that I wanted to talk about today
was that those are really important considerations,
but they're not the only things that lead
to vulnerabilities in software.
So it's not just the act of writing the code, but it's a lot of things that developers do
and teams do around that act of writing the code, going all the way from the initial conception
of the design to how you may consider the testing strategies for your software, even
to the kind of plugins that you deploy within your
integrated development environments that you are using to develop your software.
All these decisions have an impact potentially in terms of the security of your software.
And how do you weigh each of those possibilities to keep everything in balance?
So I think the key here is that we need to consider
that security is not a one-shot thing, right?
And most of the software nowadays is not developed
in what you call the traditional waterfall model
where you did some requirements and then you did some design
and then an implementation.
It's done in an iterative fashion.
And we have to sort of really build security
into all the activities or security
considerations into all the activities that we do. So let's take as an example of, you know,
setting up your integrated development environment. So are you utilizing, for example, you know,
static analysis checkers, which would check for particular security violations or security
properties as you develop your code, for instance? Or if you're
considering testing strategies, are you considering particular types of testing strategies that would
actually enable you to explore a wide array of potential security bugs? Or let's consider
mobile app development, for example. If you're using a monetization approach that includes
incorporation of ad libraries, do you carefully consider what kind of permissions do those ad libraries require?
You know, what would that mean in terms of the security of the resulting app that you are producing?
So I think the key point here is for both individual developers, but also teams to consider that consideration of security throughout all the
various activities that surround the ultimate act of writing code is as important as the code itself.
So I'll pick a particular example. How do teams, for example, appreciate the importance of security?
And we did some work in this regard and found that actually doing sort of, you know, simple workshops where teams did
some threat modeling to try and understand, you know, how their software could be compromised
actually led to an increased awareness about security issues and then to consider them in
the design of their software or some, you know, sort of constant sort of gentle reminders through
the teamwork that they were doing or challenges from other team members asking questions about that.
So it doesn't always have to be a very heavyweight activity,
but it has to be, we go back to the old point about
what is the security culture within your team?
But then the question is, if you are largely a solo developer,
then how do you actually benefit from such cultures when you don't have a team around yourself?
Yeah, that's interesting.
It's always good to have someone to bounce things off of
or someone to remind you when you've strayed from the path.
Yeah, and it's not just that it has to be other people
who do security.
So one of the interesting things that we found
was that it can
be challenges from anyone. It could be challenges from, say, the product team itself, or it could
be challenges from the testers. It could be challenges from your customers who ask you
questions about the software that you are producing. So it doesn't always have to be a security
challenge, but it could be a set of challenges that ask interesting questions with regards to security.
And let's stretch that further.
And privacy properties of the software that you're producing that then encourage developers to think about how they are actually going to overcome them.
And these challenges could also come from the tools that you deploy.
So earlier I mentioned static analysis tools.
You might be using testing tools like fuzzing tools and so on. And it's really interesting if you start to think about it in
terms of these challenges, that could be, that is an interesting way of thinking about security,
but embedded across the lifecycle, whatever method or process you're using in terms of
developing your software. Yeah, no, it's interesting for sure. Professor Awais Rashid, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time, keep you informed, and it sounds great on vinyl.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.