CyberWire Daily - Security companies allegedly hacked by Fxmsp remain unidentified. SharePoint bug exploited in the wild. G7 preps major cyber exercise. Anthem hack motive? Amnesty takes NSO Group to court.

Episode Date: May 13, 2019

Fxmsp criminals are now said to have code from a fourth security company, but none of the claimed victims have been publicly identified. A SharePoint vulnerability is being exploited against unpatched... servers in the wild. The G7 are preparing a major exercise to evaluate the financial system’s ability to withstand a major cyberattack. No one is saying what the Anthem hackers were after. Amnesty takes NSO Group to court. And the Pentagon takes a security look at VCs. Jonathan Katz from UMD on differential privacy, a technique for providing privacy for individuals taking part in studies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_13.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. FXMSP criminals are now said to have code from a fourth security company, but none of the claimed victims have been publicly identified. A SharePoint vulnerability is being exploited against unpatched servers in the wild. The G7 are preparing a major exercise to evaluate the financial system's ability to withstand
Starting point is 00:02:14 a major cyber attack. No one is saying what the Anthem hackers were after. Amnesty takes NSO Group to court. And the Pentagon takes a security look at VCs. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 13, 2019. The gang FXMSP, widely active in both Russian and English-speaking hacker black markets, may have stolen code from a fourth security company. This story remains obscure after it broke last week.
Starting point is 00:02:57 For one thing, none of the alleged affected companies have been publicly named, and there's still hope that there may be less to the story than people fear. The researchers at security firm Advanced Intelligence say they have moderate to high confidence that FXMSP has the goods it says it does, which are said to include source code. The evidence for this consists of screenshots and FXMSP's claims that they're selling antivirus companies Crown Jewels, a project they say they've been working on for six months. How could this still prove to be more smoke than fire?
Starting point is 00:03:27 SC Media UK quotes Synopsys CRC's Tim Mackey, who points out that the screenshots that accompany FXMSP's Ballyhoo appear to show assembly code, and that, Mackey says, is something you can get by running a debugger on an application. It doesn't require access to source code. It would be more disturbing if there were solid evidence that FXMSP had the access to the security company networks the gang says it has. It's worth noting that FXMSP has, for now at any rate, pulled its wares from some of the black markets where they've been offered. The criminal group says they think one of their sources has been compromised. A known SharePoint vulnerability is being actively exploited in the wild.
Starting point is 00:04:13 AT&T Alien Labs is tracking incidents involving CVE-2019-0604, a vulnerability Microsoft addressed in late winter. The Canadian Center for Cybersecurity warned last month of China chopper malware hitting unpatched servers. Saudi Arabia's National Center for Cybersecurity has also observed remote code execution exploitation of the vulnerability. The obvious lesson from this is, if you can patch, patch, especially if patching is relatively unproblematic as it is in such cases. Yet enterprises continue to show the usual horror of the obvious. Consider WannaCry. TechCrunch reports that Shodan searches reveal that there are still 1.7 million unpatched endpoints out there,
Starting point is 00:05:00 still vulnerable to the North Korean attack code. Thomson Reuters reports that the G7 are preparing a major exercise next month that will simulate a cross-border cyber attack against financial services and associated infrastructure. The Bank of France is taking the lead in the exercise, and they say that it, quote, will be based on the scenario of a technical component widely used in the financial sector becoming infected with malware. All members of the Group of Seven will participate. Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States will all be involved. The U.S. indictment of two Chinese nationals last week, one named, the other identified,
Starting point is 00:05:42 but named only as John Doe, has raised some questions. The U.S. Justice Department alleges that they're behind the big anthem attack of 2015. But what were they after? It's not clear, if it were a purely criminal operation, how they monetized the data, because the data don't appear to have shown up for sale in the usual places. And if it was espionage on behalf of a nation-state like, obviously, China, why didn't the Justice Department come out and say so? Amnesty International intends tomorrow to petition the District Court of Tel Aviv to direct that Israel's Ministry of Defense revoke NSO Group's export license. NSO's lawful
Starting point is 00:06:23 intercept tool Pegasus, is alleged to have been improperly used in surveillance by the governments of Mexico, Saudi Arabia, and the United Arab Emirates. The New York University School of Law's Bernstein Institute for Human Rights and Global Justice Clinic is supporting the suit. Pegasus is called a lawful intercept tool, by the way,
Starting point is 00:06:44 because that's the industry term of art for software sold to legitimate law enforcement and counter-terrorist organizations. It doesn't mean that any use of such a tool is by definition lawful. At issue in the dust-up between Amnesty and NSO Group is the quality of NSO Group's customers, because, of course, such software can be easily abused if it's sold to repressive or corrupt regimes, or even to not-so-bad regimes that see themselves hard-pressed. Amnesty, which says its own people have been targeted with Pegasus, wants, among other things, more transparency concerning NSO Group's due diligence with respect to its customers.
Starting point is 00:07:22 The rights group dismisses the company's remarks about an ethics board as so much eyewash and hand-waving. To pick two contrasting police agencies, neither of which are alleged to be NSO customers, it's not as if you're always selling to the Royal Canadian Mounted Police to take a police outfit with a generally good reputation. Yes, yes, and we're sure you'll let us know that the Mounties have their issues too, which no doubt they do being a human institution, but surely one can see the difference between the RCMP and, say, the law enforcement force of the Islamic Republic of Iran. They're apples and oranges, friends. Just ask Inspector Fenwick.
Starting point is 00:08:02 But from two such examples, it should be easy to infer the principle and move on from there. And there are differences around the world as to how seriously judicial independence and the rule of law are taken. An SO group is an Israeli firm, which is one reason the action will be filed in Tel Aviv. But there's also some reasonable expectation that the suit will receive a fair hearing. In many parts of the world, no one would bother. What? Night court in St. Petersburg or Shanghai? Please, consider that the complaint against the Chinese hackers for the Anthem breach was filed in Indianapolis, not Shenzhen.
Starting point is 00:08:39 We're familiar with efforts to secure the supply chain. Securing the venture community is now also receiving attention. Following incidents in which Chinese government money found its way into startups, and in which sensitive technology may have found its way out and back to Beijing, the U.S. Defense Department is moving forward with its Trusted Capital Marketplace program. This is intended to connect entrepreneurs with investors who don't represent a security threat by compiling a vetted list of VCs suitable for tech startups to consider. And finally, we say farewell to one of the last of the U.S. Marine Corps code talkers.
Starting point is 00:09:23 The Navajo Nation announced that Fleming Begay Sr. passed away Friday in Che'inli, Arizona, at the age of 97. The Second World War veterans served at Tarawa and Tinian, two of the toughest Marine Corps battles of the Pacific campaign. Rest in peace and Semper Fi, Mr. Begay. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:10:06 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:10:43 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:34 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:12:06 Learn more at blackcloak.io. science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan, it's great to have you back. Saw an article come by recently and it was explaining something they refer to as differential privacy. They're using some examples of the Census Bureau here. Can you describe to us what are we talking about? So differential privacy is a technique that was introduced by computer scientists about roughly 15 years ago or so. And basically what it's meant to do is provide privacy for individuals who are taking part in some study. So like you were saying here, they're talking specifically in the context of the U.S. Census, where the Census Bureau is going to collect lots of information about people across the
Starting point is 00:12:58 U.S. and then release information, say, on a neighborhood by neighborhood level. And the concern is that you don't want that information that's being released to reveal something private about an individual or even a small group of individuals. And so differential privacy provides a way to think about the privacy of statistical analyses of this sort. And so how does it work? Well, there are lots of different techniques that people are proposing. What this article was mentioning specifically was actually an old idea called randomized response. And this you can think about as being applied when you're asking people a potentially sensitive question. For example, have you ever used drugs? And so people might not want to give the true answer, especially if that answer is yes.
Starting point is 00:13:42 So what you can do essentially is have the person flip a coin or flip a couple of coins privately. So even the person asking the question doesn't see what the result is. And then to basically give an incorrect answer. So to lie with some small probability. So let's just say that, you know, 10% of the time you'll be told to lie and 90% of the time you'll be told to tell the truth. So the point is that now when somebody asks me, right, have you used drugs? Even if I answer yes, it's not clear whether the true answer is yes or whether the true answer is no, and I'm just lying because I'm in the 10% of the time when I'm supposed to lie. And so therefore, it gives you a sort of plausible deniability.
Starting point is 00:14:20 You can prove it actually gives you some formal notion of privacy. But nevertheless, it turns out that because you're only lying with a small probability, the researchers can still use the answers to those questions to do statistical analysis over the result. Now, is this what I hear people refer to to a fuzzing mechanism? Is this what we're talking about? Yeah, essentially. So in that case, like I was describing, individual people are adding noise or fuzzing their own answers. But you could also imagine doing this through a centralized mechanism. So there everybody would tell the truth to the Census Bureau, let's say. But then what the Census Bureau would do is before releasing any information publicly, they would themselves add noise to that data.
Starting point is 00:15:01 And so that, again, provides a notion of privacy for everybody who took part in the study. to that data. And so that, again, provides a notion of privacy for everybody who took part in the study. And is this reliant on having a large enough data set that any one individually flipped answer is going to fall within that realm of, I guess, statistical insignificance? Yeah, exactly. So that's actually an important point that you bring up. You do need more people to participate, or conversely, if you have the same number of people participating, then adding this noise does degrade the quality of your answer. But researchers have studied exactly the tradeoffs involved, and you can basically try to tune the amount of privacy you get with the noise you add, and then that determines basically how accurate the results you're getting are. So these are a bunch of parameters you have to play with, allowing you to tailor the privacy versus the accuracy. And the bottom line is that these techniques seem to work.
Starting point is 00:15:50 Well, they definitely work in theory. You know, what's interesting in particular is that the Census Bureau is actively working on pushing these results into practice, and they're going to see exactly how far they can push them, how usable these techniques are, how efficient they are, and whether it will, in the end, give them results that are accurate enough for their purposes. It looks like it's going to happen, and I guess it will happen, but it'll be interesting to see how that all plays out. Yeah, all right. Well, Jonathan Katz, thanks for joining us. Thank you. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire.
Starting point is 00:17:19 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:17:57 Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
