CyberWire Daily - Russia’s sovereign Internet. Huawei updates. CBP discloses exposure of images collected at a border crossing. Gmail features used for social engineering. M&A notes. Top bugs found by bounty hunters.

Episode Date: June 11, 2019

Russia says shrapnel from America's war on that nice company Huawei is "destroying the world." Russia also tells Tinder to fork over user pictures and messages. A Recorded Future study outlines the case for regarding Huawei as a security risk. US Customs and Border Protection discloses a breach of images collected at a border-crossing point. Crooks are taking advantage of Gmail features. Notes on recent mergers. And the top ten bugs bug hunters are finding. Johannes Ullrich from SANS and the ISC Stormcast podcast on the GoldBrute botnet. Guest is Tim Woods from FireMon reflecting on the past year under GDPR. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_11.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Russia says shrapnel from America's war on that nice company Huawei is destroying the world. Russia also tells Tinder to fork over user pictures and messages. A Recorded Future study outlines the case for regarding Huawei as a security risk. U.S. Customs and Border Protection discloses a breach of images collected at a border crossing point.
Starting point is 00:02:18 Crooks are taking advantage of Gmail features, notes on recent mergers, and the top 10 bugs that are bugging bug hunters. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 11th, 2019. Bloomberg quotes Russia's Deputy Prime Minister Akimov as deploring the way the U.S., and especially its suspicion of Huawei, is destroying the world. The shrapnel will hit everybody, Mr. Akimov added in a discussion outlining and defending Russia's decision to build its very own sovereign Internet. The tech world, whose passing the Deputy Prime Minister prospectively mourns, is presumably one of freely flowing commerce and information, and Moscow's crackdown on Telegram is therefore painful, as he puts it, and this is no doubt the result of American shrapnel, as is the Russian government's request that Tinder hand over photos and messages exchanged by Russian users of the dating service.
Starting point is 00:03:24 We're pretty sure he means fragmentation and not shrapnel, but anywho, it's Washington's fault. In any case, TASS is authorized to state that Roskomnadzor says that Tinder has agreed to comply. That's from TASS, no word yet directly from Tinder. In any case, the Deputy Prime Minister's statement is the latest sign of a newfound tenderness for Huawei in Russia. Stateside, Huawei has been investing in lobbyists. Fast Company reports that the company's expenditure on lobbying, which amounted to $570,000 in 2017, rose in 2018 to $3.7 million. The company's smaller competitor, ZTE, is also concerned, and concerned to the tune of $1.4 million that it's already spent on K Street this year.
Starting point is 00:04:16 Over in the UK, Huawei representatives are reassuring Parliament that the company is no threat. The aim on both sides of the Atlantic is the same, avoidance of crippling sanctions and continued access to a lucrative market. Anti-Huawei sentiment in the U.S. extends beyond the administration. In fact, administration critics are expressing concerns that President Trump might be induced to let Huawei off the hook in the course of cutting a trade deal with China. So why are people worried about Huawei? There is the company's reputation for unreliability
Starting point is 00:04:51 with respect to its partner's trade secrets, which we've discussed in the past. But there are things about the very nature of the company that would give one pause, even were it to become a model of respect for contracts. Recorded Future has published a study that explains why it's reasonable to consider Huawei a security risk. The company is large enough to become both a monopoly and a technological monoculture. A monopoly wields considerable power that's easily misused. A monoculture is also a problem for a technological ecosystem as much as it is in a biological one. Monocultures are at risk of sudden collapse under stress. They can be brought down because they lack the resilience
Starting point is 00:05:32 a more diversified ecosystem tends naturally to enjoy. The way in which Huawei increasingly pervades global supply chains is also cause for concern, the study argues. And finally, the company exists in symbiosis with a repressive authoritarian government. It grew and flourished under those conditions, and it's unlikely to be willing or even able to adapt itself to trading in an environment governed by law as opposed to mere policy. It's been just about a year since GDPR went into full effect in the EU, with privacy implications felt worldwide. We checked in with Firemon's Tim Woods for a look
Starting point is 00:06:12 back at the GDPR's impact. Well, you've definitely seen an uptick in the reported number of breaches where people think that perhaps the information that they have ownership of or have responsibility or custody of, we've seen that go up by almost 40% higher reporting breaches and or exposed information. And I use the term breach kind of loosely because sometimes it's just exposed information. It's not necessarily, it's the actual individual who owns the information that has accidentally, due to misconfiguration of services or misconfiguration of database access or whatever, they've exposed that information and they really can't qualify or quantify who's actually had access to that information. But regardless, the reporting of that has definitely
Starting point is 00:07:02 gone up since GDPR went live back in May 26th of last year. And what's been the global impact? I think there's greater awareness also from especially by large enterprises or global companies where you have a global presence. You know, you have to, it's like any of the regulatory compliance initiatives. You have to kind of look at your zones of control. It's like, where are we using that information? Do we have EU citizens' data or not? Are we processing EU citizens' data or not? And sometimes in a multi-global large conglomerate, you don't really know where that information may or may not be. And then also some of the things that maybe we don't, again, if I go
Starting point is 00:07:41 back to the awareness of it, is some of the things that you may not consider, such as a marketing mail out or a marketing database that may actually have email addresses of EU citizens and things of that nature. It gives us reason for pause to go back and look at the information that we're holding on to to say, hey, even though we're not in the EU, are we processing any of that personally identifiable information that may be associated to an EU citizen? Have there been any unintended consequences, anything that's taken place that where people didn't expect it was going to go down that way? I've spoke to a number of different companies. I've spoke to a number of different individuals and companies, and they've definitely kind of stepped back to look at what they believe their number one, their legal stance is, what their legal responsibility is and where they where they are using personally identifiable information, and then how they determine the association of that personally identifiable information. You know, is it related
Starting point is 00:08:34 to EU citizenship or not? And then just in general, again, you know, are we giving individuals the right to refusal or the right to be forgotten? And are we making sure that we're transparent? I mean, we've seen some pretty big fines kind of coming down the pipe there. You know, from a GDPR perspective, there haven't been what I would call, you know, because the teeth, I call it the teeth around GDPR, which sometimes brings the enforcement or the recognition, you know, of, hey, we need to be compliant to this. You know, I think Google probably was the largest where they were fined $50 million for the failure to acknowledge the transparency of the information. But now we see here in the States right now, we see Facebook kind of running from GDPR.
Starting point is 00:09:17 And of course, Facebook is facing a big FTC fine right now, too. They've set aside, I don't know, almost $3 billion, you know, due to a lack of transparency. So I think some of these, you know, people are definitely taking note when it comes to the penalty phase and the fine phase as far as what could the implications to our company be, because you don't want to have something that could be catastrophic to our business. That's Tim Woods from Firemon. There's the circumstantial evidence of the breach Perceptix disclosed late last month, and the CBP email that announced the problem had the subject line, CBP Perceptix Public Statement. The Post and others connect the dots and conclude that the Tennessee-based provider of license plate readers was the company in question.
Starting point is 00:10:25 Perceptics has been a vendor to CBP, Wired notes, in a decades-long relationship. Many observers are concluding that this is another object lesson in the inherent risk of accumulating data. Those data can prove irresistible to attackers. Data collection and the tight coupling of services are attractive when they appear in the private sector, too. Google's Gmail and Calendar services are providing an object lesson here as well. Calendar is designed to let anyone schedule a meeting with any user, and that, Kaspersky researchers report, is a bit of functionality that's being exploited by criminals.
Starting point is 00:11:00 When you get a Calendar invitation, a pop-up notification of that invitation appears on your phone. The attackers embed malicious code in their invitation. Because users are accustomed to trusting the invitations, the pop-up becomes an effective fishhook. Kaspersky says that the attacks observed so far are sending the unwary to credential-stealing sites, but there's considerable untapped opportunity for other forms of social engineering here as well.
Starting point is 00:11:25 A senior engineer at Synopsys commented to Forbes that, quote, automation is not your friend in cases such as this, end quote. Don't let a calendar app automatically stick invitations into your calendar. Raytheon's combination with United Technologies, described at the time of its announcement as United Technologies' acquisition of Raytheon, is now being characterized as a merger of equals. The combined company will be called Raytheon Technologies, a very large aerospace integrator that will play in both civilian and military markets. Notably, United Technologies' Carrier, the HVAC company, and Otis Elevators will be spun out. The new company's investor prospectus lists cyber protection for commercial aerospace
Starting point is 00:12:11 as one of the complementary capabilities Raytheon brings to the merger. Raytheon owns cybersecurity company Forcepoint. United Technologies owns security provider Linnell. United Technologies owns security provider Linnell. Salesforce's acquisition of Tableau in a $15.7 billion deal represents a CRM and data analytics merger with complex security implications. The company will handle a tremendous quantity of sensitive data. As ZDNet points out, the acquisition suggests that Salesforce has ambitions outside of its core CRM market. And finally, which vulnerabilities are bug hunters finding?
Starting point is 00:12:53 HackerOne, which coordinates bug bounty programs for a living, has taken a look at what they characterize as 120,000 security vulnerabilities reported across more than 1,400 customer programs globally. Here's what they found the bug hunters are finding. The top 10 vulnerabilities are, from 10 to 1. Number 10, cross-site request forgery. Number 9, generic improper access control. Number 8, insecure direct object reference. Number 7, server-side request forgery. Number seven, server side request forgery.
Starting point is 00:13:26 Number six, code injection. Coming in at number five is SQL injection. Number four, privilege escalation. Number three, information disclosure. Number two, generic improper authentication. And the number one vulnerability the bug hunters are finding is... Cross-site scripting. All types of cross-site scripting.
Starting point is 00:13:51 DOM, reflected, stored, and generic. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:14:50 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:15:21 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:23 And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute. He's also host of the ISC Stormcast podcast. Johannes, it's great to have you back. You wanted to share some information about a botnet that you all have been tracking there at SANS. What can you tell us? Yeah, this is an interesting botnet for a number of reasons. Now, first of all, it's going straight after RDP, this Remote Desktop Protocol that, of course, has caused
Starting point is 00:16:54 a lot of news lately with the BlueKeep vulnerability that is sort of rumored to be in the development of being turned into a major worm. Now, this botnet doesn't actually do anything about this vulnerability. What it's really just going after is weak passwords. And I think it's a good lesson learned here. It's the old vulnerabilities that often get you, not necessarily the new and shiny ones. Now, this botnet is currently just sort of collecting vulnerable hosts. So it's brute forcing passwords. Once it finds passwords that work, it reports them back. Also interesting, this botnet is entirely written in Java, which is sort of unusual because in order to work, it actually has to deliver the full Java runtime.
Starting point is 00:17:42 So the entire download for the botnet is around 80 megabytes. And you all are referring to this as GoldBrute? GoldBrute is what we call it because the one sort of unique Java class that was added to the code here, that's called GoldBrute. So we went with that particular name. Now, there's some interesting behaviors here. The way that it reaches out, the way it only hits vulnerable servers from different directions, there's some interesting things going on. Yeah, so once a host gets infected with this particular botnet,
Starting point is 00:18:19 it will first start scanning for systems that are listening for RDP, so port 3389. Now once it has found new systems listening, it will report them back to a command and control server to be added to a list to later be brute-forced. The interesting part here is that essentially this command and control server is first waiting for individual bots to do some work for it. It waits for 80 vulnerable hosts to be reported back before it then feeds new vulnerable hosts back to the bot to be actually brute-forced. So it's sort of a two-stage process where first the bot is looking for just hosts
Starting point is 00:18:59 that have this port exposed so they're possibly listening on RDP. Once a bot proves its worth, so to speak, by reporting 80 vulnerable hosts back, then it's actually put to task to brute force passwords. And the way this works again is that each bot only gets one username and password pair. So we assume that this is sort of used to avoid some of the lockout that some services are doing.
Starting point is 00:19:25 So each bot is trying a username and password. If it works, great. If it doesn't work, well, another bot will try another username and password later. Now, you all did some analysis of this in your own lab. You were able to manipulate the code to make it send the host and username and password to your lab machine. What did you find out there? Well, what we found is that this particular list of usernames and passwords that is being retrieved,
Starting point is 00:19:54 the entire target list is about one and a half million vulnerable systems large. So that's basically what's being fed by this command and control server. Once it gets into a system, all it does basically is then report back that, yes, I got into it. I got into it with this username and password. So where do you suppose it's going to go from here? Any ideas what to expect? Well, there's sort of two options. First of all, that whatever group is behind this GoldBrute botnet is later going to deploy some additional payload.
Starting point is 00:20:27 Or in the malicious economy, we sort of have these different roles that groups take on, that this particular group is just collecting the machines and then selling them off to someone else that has a worthwhile payload for them. It's interesting work you all are doing here. It's the GoldBrute botnet. Johannes Ullrich, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:21:04 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:21:58 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:22:23 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
