CyberWire Daily - Sharing espionage tools and infrastructure. Speculative execution flaws found in Intel chips. A big Patch Tuesday. CrowdStrike’s IPO. WhatsApp exploitation. Cyber Solarium. Ransomware in Baltimore.

Episode Date: May 15, 2019

Chinese domestic and foreign intelligence services are cooperating more closely in cyberspace. Another set of speculative execution issues is found in Intel chips. This month’s Patch Tuesday was a big one. CrowdStrike files for its long-anticipated IPO. WhatsApp, spyware, and zero-days. Apple may be required to open its devices to apps from third-party stores. The Cyber Solarium is ready to get started, and Russia offers a helpful hand. Baltimore continues to suffer from ransomware. Malek Ben Salem from Accenture Labs with an overview of the Accenture Technology Vision report. Guest is Tom Pedersen from OneLogin on password use trends. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_15.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Chinese domestic and foreign intelligence services are cooperating more closely in cyberspace. Another set of speculative execution issues is found in Intel chips. This month's Patch Tuesday was a big one. CrowdStrike files for its long-anticipated IPO.
Starting point is 00:02:12 We'll talk WhatsApp, spyware, and zero days. Apple may be required to open its devices to apps from third-party stores. The Cyber Solarium is ready to get started, and Russia offers a helpful hand. And Baltimore continues to suffer from ransomware. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 15, 2019. A single command and control server is being shared by a variety of Chinese hacking organizations, including the National Security Commission, police agencies, and the Ministry of State Security.
Starting point is 00:03:00 Researchers at BlackBerry Cylance found that organizations which normally engage in domestic surveillance, particularly of what Beijing calls the Five Poisons, that is, ethnic Uyghur Muslims, Falun Gong practitioners, Tibetans, democracy advocates and supporters of Taiwanese independence, share infrastructure and tools with foreign intelligence and security services like the Strategic Support Force and the Third Party of the People's Liberation Army. The groups are sharing not only command and control infrastructure, but also malware tools, notably the one Palo Alto Networks' researchers call Reaver.
Starting point is 00:03:31 Reaver is most familiar from operations against the unpleasantly named Five Poisons, but it's also turning up in attacks on foreign intelligence targets. BlackBerry Cylance's lesson is that it's time to update TTPs and indicators of compromise. Another set of speculative execution flaws similar to Spectre and Meltdown has been found in Intel chips. Intel calls the flaws Microarchitectural Data Sampling issues; others call them ZombieLoad. As VentureBeat explains, the four vulnerabilities enable side-channel attacks.
Starting point is 00:04:07 Siemens, Apple, Adobe, and Microsoft all patched yesterday. Apple's patches addressed, among other things, the ZombieLoad side-channel vulnerability in its products' Intel chips. Cupertino wasn't alone in working on ZombieLoad. As TechCrunch reports, Amazon, Google, Mozilla, and Microsoft also took on the speculative execution flaw. Intel itself has released a set of mitigations for the vulnerability. Fixes for ZombieLoad are thought likely to degrade CPU performance by 20 to 40 percent. Microsoft released 16 updates in total, resolving 79 distinct vulnerabilities.
Starting point is 00:04:46 One involved a bug that could be exploited by a WannaCry-like worm, and Redmond drew particular attention to this issue. It was judged serious enough that Microsoft patched beyond end-of-life software, including Windows XP and Windows 2003. Although no longer supported, both remain in wide use. Siemens addressed issues in its industrial control systems, and Adobe fixed problems with several products, including Acrobat and Reader. Endpoint protection shop CrowdStrike has filed for its long-expected initial public offering. The company's S-1 reached the Securities and Exchange Commission yesterday. CrowdStrike unicorns. They may be magical beasts, sure, but profits don't grow on trees in the Forbidden
Starting point is 00:05:45 Forest, even for unicorns. Just ask Hagrid. NSO Group, the Herzliya-based company whose intercept product Pegasus is said to have shown up in phones via a WhatsApp bug, is also by most reckonings a unicorn. The company denies having played a role in the targeted use of Pegasus against various individual users of WhatsApp. Pegasus, the company argues, is a lawful intercept product of the kind that legitimate governments use to fight crime and terror. The company's critics, Citizen Lab and Amnesty International, prominent among them, note that Pegasus has been turned up in too many repressive actions for comfort. Amnesty is petitioning a Tel Aviv court to revoke NSO Group's export license. Some commentary on the WhatsApp affair has drawn scornful reactions in the Twitterverse,
Starting point is 00:06:45 particularly a Bloomberg op-ed that appears to suggest that just because end-to-end encryption doesn't prevent the sort of exploit WhatsApp just patched, that encrypted communication tools amount to little more than marketing hype and eyewash. That's surely going too far. End-to-end encryption remains an important privacy and security tool. That it doesn't infallibly protect users is beside the point. Nothing infallibly protects users. Exploits that target secure devices are rare and pricey. Zerodium, the exploit brokers of Montpellier and Annapolis Junction,
Starting point is 00:07:13 who revel in a bad boy image, will pay up to a million dollars for a WhatsApp bug, which suggests that they're not particularly easy to come by. Zerodium, by the way, sells exploits to security, intelligence, and law enforcement agencies, not criminals. Their office locations suggest their probable market. World Password Day has come and gone, and while it may have helped raise awareness of proper password hygiene, the fact remains that passwords are problematic.
Starting point is 00:07:44 Thomas Pedersen is CTO and co-founder of OneLogin. Well, passwords continue to be the bane of our existence. They're pretty hard to get rid of. There's a difference between consumer passwords and passwords in the enterprise. What we as a company focus on is helping manage and eliminate passwords in the enterprise, and there are standards that we can use to do that. But on the consumer side, it's still not really better than it was 10 years ago. People still have passwords for all kinds of things. What happens is most people still resort to password reuse. And I guess if it's something that's not super sensitive,
Starting point is 00:08:14 no, my Yelp reviews and my OpenTable book, yeah, they're not really, it's not high risk. But no, for my bank account and my Carta account and my PayPal and so on, I use multi-factor authentication. I have a machine-generated password just to make sure that I can just never be compromised there, at least lose my credentials. Do you think the word is getting out about that? Do you think people are adopting multi-factor and those sorts of secondary security measures? It's getting more
Starting point is 00:08:43 traction in the enterprise because more and more companies are aware that they need to have a cybersecurity initiative. But even within the enterprise, we're not even talking about 50% adoption. And on the consumer side, very few people do it. Some, let's say, bank applications, they actually do force you to do it. So they will send you an SMS with a one-time password
Starting point is 00:09:04 when you sign in from a new browser. That's what MyBank does. But there's a lot of places where you don't have to use it. PayPal, for instance, they don't mandate that you use multi-factor authentication. It's something you have to opt in for. And the same thing with Facebook and Gmail and so on. And I think that the vendors can do a better job of pushing it, but they also don't want to push people away because end users don't like it. It's kind of annoying that you have to do it. It's definitely more of a necessary evil. Most people don't know that it even exists, and they don't know what the risk is, so that's why they don't even look into it.
Starting point is 00:09:40 Do you suppose that we could be heading towards a time when we don't need this anymore? I'm thinking of things like with Touch ID and Face ID, those sorts of technologies. Are we going to see those shift into more of our day-to-day password use? Yeah, I think it definitely helps. We're getting there slowly, I would say. Things like Face ID and Touch ID, they're kind of just masking. There's a couple of applications on my phone where I can use Face ID, but I still actually do have a password for the app because it also has an online version.
Starting point is 00:10:08 And so it's only partially solved problem on a mobile device because the device is so sophisticated. But even most of the websites, they don't really, they can't work with it. So it's still just a patch when you look at it more holistically. Where do you think we're going to head ultimately? Do we have passwords in our future for the immediate future? But will we ever get beyond them? You know, the question is always in a consumer space, who's going to be that trusted identity provider that everybody will use?
Starting point is 00:10:36 And I think for a long time, Facebook was making headway. And I started signing into a bunch of things with my Facebook identity. But I think over the past couple of years, they have lost a lot of credibility just because they have had so many security issues. And the question is, who is it going to be? Is it going to be Apple or Google or will there be multiple identity providers? And I think that's still too early to say. On the enterprise, it's a lot easier because when you work for a company,
Starting point is 00:11:04 that company basically owns your corporate identity for as long as you work for that company. So that's what we have made a living out of, to sell identity management solutions for the enterprise. And there we can pretty much eliminate all the passwords. But on the consumer side, it's just still a problem. And I don't see there's any, there's no obvious solution right around the corner. That's Thomas Pedersen from OneLogin. The U.S. Supreme Court has decided that consumers can sue Apple over prices in its app store. The suit would allege that Apple operates a monopoly that artificially inflates prices.
Starting point is 00:11:38 If successful, a suit could require Apple to allow apps purchased from third-party stores to be downloaded to its devices. This may not be a good thing for security. Apple's store has been more rigorous than most at keeping out rogue or sloppy software, and industry observers see the possibility that the decision will tend to relax that rigor. Third-party app stores have been a security problem in the Android ecosystem. The Cyber Solarium, a U.S. deliberative body modeled on the Eisenhower-era group that considered nuclear strategy in the early 1950s, is ready
Starting point is 00:12:13 to begin its work. 5G issues figure high on the agenda. The Solarium will have three working groups to address three major aspects of cyber strategy: persistent engagement, deterrence, and international norms and standards. And hey, the U.S. may get help from a country that wants to be partners. According to Sputnik News, Russian Foreign Minister Sergei Lavrov on Tuesday offered a helping hand in cyberspace. The foreign minister said, quote, I'd like to reiterate that Russia wants to and is ready to cooperate with our U.S. partners in issues relating to the cyberspace. We want to do this on a professional level, without emotions, without ideology and politicization.
Starting point is 00:12:55 Mr. Lavrov's offer is likely to be coolly received, but maybe it's the thought that counts. Finally, Baltimore continues to struggle to recover from the ransomware attack it sustained last week. A number of citizen-facing services have been affected. If you're trying to buy a house here in the land of pleasant living, or as Natty Bo Beer has taught us to call it, Charm City, you may be out of luck, because the city transfer office cannot process deeds or deeds of trust for recordation. The city is also having trouble generating lien certificates and water bills.
Starting point is 00:13:31 Its bad batch warnings about street drugs are also down, and that's proving a more serious problem because it affects a matter of health and safety. Calling all sellers. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:29 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:15:37 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Malek Ben Salem.
Starting point is 00:16:11 She's the Senior R&D Manager for Security at Accenture Labs. Malek, it's always great to have you back. Some of your colleagues there at Accenture recently released a new publication, a technology vision publication. Can you describe to us what's that all about and what are some of the take-homes? Sure. So the Accenture Technology Vision is a publication that Accenture Labs publishes every year. We monitor emerging trends across businesses. And in this year, one of the main security trends that we've identified is what the ecosystem-driven business reality implies to security. As you know, companies continue to integrate their core business functions with
Starting point is 00:16:54 third parties, with third platforms. So you have entire ecosystems that are forming and shifting industries. Now, threat actors recognize these ecosystems and see them as a widening attack surface. Yet most businesses don't see that they're no longer just the victims of cyber attacks, but also they are the vectors of these cyber security attacks. So in this ecosystem dependent business world, which amplifies exponentially the impact of cyber attacks, incidents cripple from one enterprise to another. And one good example of that is for more than five years, a group of hackers stole insider information about publicly traded companies, not by attacking the companies themselves, but by targeting the newswire agencies that get early access to press releases from these large businesses. Right. News organizations will often get information
Starting point is 00:18:00 ahead of time that's under embargo. They agree not to release it. And these folks got access to that information and used it for profit. Correct. So the question is, how do you respond to this reality? Organizations need to change their approach and incorporate security into the collaborative strategies that they use to build their products and services. What that means is they must include ecosystem dependencies as part of their own security posture by updating the way they do threat modeling, for instance, and they need to make security an important component of how they build these partnerships. In this new ecosystem-driven business reality, companies really have opportunities to use their ecosystems to up their cyber defense game and improve their security
Starting point is 00:18:54 posture for themselves, obviously, but also for their partners at the same time. All right. Good information. Malek Ben Salem, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
Starting point is 00:19:36 runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and Thanks for listening.
Starting point is 00:20:44 We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
