CyberWire Daily - Sensitive mortgage documents left exposed online. Someone’s scanning for BlueKeep RDP issues. Huawei updates. The case of Baltimore City’s ransomware.

Episode Date: May 28, 2019

First American Financial suffers a data exposure, with hundreds of millions of mortgage-related documents left open to the Internet. Someone is scanning Tor for signs of BlueKeep RDP vulnerabilities. ...China complains about US complaints against Huawei as some major German firms rethink their dealings with Shenzhen. And no, NSA did not hold Baltimore for ransom, but Baltimore wants Washington to pick up its remediation and recovery tab. Malek Ben Salem from Accenture Labs on NIST transitioning some crypto algorithms. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_28.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 First American Financial suffers a data exposure with hundreds of millions of mortgage-related documents left open to the Internet. Someone is scanning Tor for signs of BlueKeep RDP vulnerabilities. China complains about U.S. complaints against Huawei
Starting point is 00:02:11 as some major German firms rethink their dealings. And no, NSA did not hold Baltimore for ransom, but Baltimore wants Washington to pick up its remediation and recovery tab. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 28, 2019. Krebs on Security broke the story late Friday that First American Financial left data pertaining to hundreds of millions of mortgages going back to 2003 exposed on the Internet. Insurance Journal says First American attributed the issue to a design defect in an application and that it's working to fix the problem. It's unknown whether the exposed data have been exploited or misused, but they contain a great deal of sensitive personal information of great potential interest to criminals.
Starting point is 00:03:10 First American Financial is involved in closing a great many real estate transactions, and in the course of those deals it serves as a neutral third party. It collects social security numbers, account statements, internal business documents, driver's licenses, and records of wire transfers. 885 million documents were exposed by the design defect. Security firm GreyNoise tells ZDNet that parties unknown were scanning Tor exit nodes over the weekend for signs of the BlueKeep vulnerability. This activity seems so far to be in the reconnaissance
Starting point is 00:03:46 as opposed to the attack phase of a cyber operation. At least we've seen no reports of the scans leading to active exploitation yet. BlueKeep, which is CVE-2019-0708, affects the Remote Desktop Protocol in older versions of Windows. 0patch is offering a micropatch for always-on servers and other systems, to which Microsoft's patch may be difficult to apply. China has denounced U.S. suspicions of Huawei as so much political posturing, a bunch of hoked-up scare stories designed to give Team America the advantage in trade wars.
Starting point is 00:04:23 But the U.S. concerns continue to have traction. According to Frankfurter Allgemeine, at least three major German firms, Siemens, SAP, and Bosch, are reviewing their relationship with Huawei. Microsoft has also taken some steps toward distancing itself from Huawei, and China's People's Liberation Army has announced it's getting rid of Windows from its systems. And why? Because of the risk that the U.S. might be peeking through Windows to spy on China's secrets. Huawei itself received more unusually bad press over the weekend. The Wall Street Journal published a long account alleging that Huawei has long engaged in deliberate,
Starting point is 00:05:04 systematic theft of intellectual property from its partners and others. The RobbinHood ransomware that's afflicted Baltimore this month appears to have spread via the EternalBlue vulnerability. EternalBlue, distributed to the world by the Shadow Brokers in 2017, is widely believed to have been a zero-day flaw discovered and held for exploitation by NSA, hence the reporting in the New York Times and elsewhere that an NSA tool was used against Baltimore.
Starting point is 00:05:34 There have even been some headlines that have suggested, and this is simply wrong and misleading, that NSA itself was attacking American cities, which, of course, NSA is not doing. Nor is the ransomware itself an NSA tool, as Baltimore Mayor Jack Young insisted for a time before correcting himself. It isn't. Rather, it's a strain of ransomware that's being installed
Starting point is 00:05:58 by exploiting the EternalBlue vulnerability in unpatched systems. And EternalBlue is, as we've said, generally believed to be a zero-day NSA discovered and held back on disclosing. The RobbinHood ransomware is now thought to have arrived via a phishing email to a city employee. Whether this was targeted spear phishing or large-scale trawling that just hit it lucky isn't clear. Once the ransomware was in, however, it spread through systems that had not been patched against EternalBlue. Critics, and a lot of those working in cybersecurity are among the critics, point out that EternalBlue has not only been disclosed for two years, but that it's also
Starting point is 00:06:37 been patched for two years. The vulnerability has been exploited to distribute other malware, notably WannaCry, before. Neither EternalBlue nor its exploitation in high-profile cyberattacks, nor the fact that Microsoft issued patches to fix it, including patches for Windows XP and Windows Vista. XP at the time was beyond the end of its support life, and Vista was fast approaching the same condition. So in some respects, Redmond's patching was a commendable act of supererogation. Should Baltimore have patched over the past two years?
Starting point is 00:07:10 The city is asking for federal emergency relief funds to help mop up its ransomware disaster. The mayor and the city council are arguing in effect that this is NSA's mess and that Washington needs to step in and help clean it up. The squabble puts the Maryland congressional delegation in a bit of a bind. To take one example, Representative Dutch Ruppersberger, whose district includes both portions of Baltimore City and Fort Meade, home of NSA, has expressed shock that an NSA discovered vulnerability should have found its way into the hands of bad actors, and has called upon the agency to answer to Congress as to how this came about. It seems worth considering that the time for shock, if any, would probably have been back in 2017, and that Representative Ruppersberger is
Starting point is 00:07:56 about as well informed about the U.S. intelligence community in general, and the National Security Agency in particular, as anyone in Congress. And a lot of constituents either work for NSA or in the cybersecurity industry. It's worth noting that what to do with zero days the intelligence community finds is controlled by the vulnerability equities process, an interagency procedure that decides what to disclose and when and to whom. There's always a degree of vagueness with assigning blame for negligence. It may be hard to draw a sharp line between day and night, but only the most obtuse member of a city council would deny the obvious difference
Starting point is 00:08:35 at Charm City's latitude between 3 p.m. and midnight. With respect to patching and recovery planning, at City Hall it's probably around 10:30 p.m. Eastern Daylight Time. And yes, it can be tough to patch, but Baltimore's IT issues seem to run fairly deep. Ars Technica has a useful rundown of the high turnover among the city's IT leadership over the past several years. The publication reports, quote, "since 2012, four Baltimore City Chief Information Officers have been fired or have resigned, two left while under investigation," end quote. It seems only fair to note that Baltimore did much better when hackers intruded into the city's networks back in March 2018.
Starting point is 00:09:17 The city's 911 and 311 systems were out for about 17 hours, but the city reverted quickly to manual backups and had everything back to normal in less than a day. The contrast with the chaos produced in Atlanta by a SamSam ransomware attack at about the same time was striking. Atlanta was clobbered. Baltimore looked pretty good by contrast. Not so this time around.
Starting point is 00:12:08 And joining me once again is Malek Ben-Salem. She's the Senior R&D Manager for Security at Accenture Labs. Malek, it's great to have you back. You wanted to touch today on some stuff coming from NIST about transitioning crypto algorithms. What can you share with us today? Yeah, last month, NIST published the second revision of the special publication, 800-131A, which looked at transitioning the use of cryptographic algorithms and key lengths. The first revision of this publication, which was published back in November 2015, is now withdrawn. And this publication, NIST provides some guidance on the recommended
Starting point is 00:12:46 key management procedures, the recommended algorithms that protect sensitive information, and how to plan for possible changes in the use of crypto algorithms, including the migration to new algorithms. This actually addresses possible use of new cryptanalysis, but also the increasing power of classical computing technology and the potential emergence of quantum computers. And so what are some of the key updates here with this version versus the one that it replaces? Yeah, the main change with respect to the previous version is the recommended security strength for crypto algorithms. It used to be 80 bits. Now NIST recommends a security strength of at least 112 bits for applying crypto protection to data, whether it's for encrypting data or for signing data.
Starting point is 00:13:45 As I mentioned, you know, in previous episodes on Cyber Wire, we talked about the emergence of quantum computing and the threat that it brings to the way we protect our data today, because it jeopardizes the strength of the underlying math that we use to encrypt algorithms. The way we encrypt data which relies on public key infrastructure is based on the intractability of the integer factorization and the discrete log problems, and that intractability may no longer be valid when we have quantum computers. So NIST is prepping for that, as well as for the advancements of classical computing technology by asking businesses and federal agencies to increase the key lengths of the algorithms
Starting point is 00:14:42 they use today so that a security strength of at least 112 bits is used. And is there any particular downside to this? Does this mean that they'll have to be more computing power thrown at these algorithms to make them work? That may be the case. There may be more computational power used to encrypt data. Obviously, the data that has been encrypted already will continue to be decrypted with the existing algorithms, with the existing keys that present some risk that organizations need to be aware of. But, you know, that's part of, you know, going through this transition.
Starting point is 00:15:31 And in terms of organizations plotting out their own use of encryption and deciding what sort of levels they should set it at, I mean, is this the type of thing where you take a risk-based approach or is there generally a minimum level below which you should not even consider falling? Absolutely. They should take a risk-level approach. I think the current recommendation for 112 bits in terms of security strength, that applies obviously for protecting highly sensitive data. For less sensitive data, you would take a risk-based approach
Starting point is 00:15:59 and choose the right algorithm or the right security strength for your algorithm. All right. Well, it's interesting information. Malek Ben-Salem, thanks for joining us. Thank you, Dave.
Starting point is 00:16:34 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:17:21 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:17:42 John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
