CyberWire Daily - Sino-Australian, Sino-American cyber tensions. Threat trends. Bare-metal cloud issues addressed. USB-C and memory attacks, Credential stuffing in tax season. Twitter hijacking.
Episode Date: February 26, 2019

In today's podcast, we hear updates on suspicions of Chinese operators. Some trend reports from IBM and NETSCOUT. Bare-metal cloud services get reflashed. USB-C ports may be more vulnerable than thought to direct memory access attacks. Credential-stuffing attacks hit users of online tax-preparation services. And that missile attack on Tampa was not a drill; in fact, it never happened at all. Congratulations to the citizens of Florida for recognizing a hack and a hoax when they see one. Justin Harvey from Accenture on the types of vulnerabilities adversaries target. Guest is Gaurav Tuli from F-Prime Capital on the current venture capital environment for cyber. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K at checkout.
Updates on suspicions of Chinese operators.
Some trend reports from IBM and NetScout.
Bare metal cloud services get reflashed.
USB-C ports may be more vulnerable than thought to direct memory access attacks.
Credential stuffing attacks hit users of online tax preparation services.
And that missile attack on Tampa was not a drill.
In fact, it never happened at all.
And congratulations to the citizens of Florida for recognizing a hack and a hoax when they see one.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, February 26th, 2019.
Investigation continues into the wave of hacking sustained by Australia's parliament and major political parties.
Speculation, and it's important to note that the speculation, while informed, is determinedly unofficial, has centered on Chinese intelligence services.
Some are calling for the Australian government to just go ahead and get the attribution over with, but their deliberation is commendable.
Attribution is notoriously tricky, but eventually the investigation will reach a conclusion. The question, as a note in ZDNet points out, is whether the investigators will be willing and able to show their work.
Australia has already taken steps to keep Huawei out of its 5G networks before this latest round of incidents, none of which, by the way, seem to implicate Huawei.
In the U.S., there are calls in Congress to go even farther than that and ban the company's hardware from even legacy networks.
Huawei continues to insist that the Americans have no, zero evidence that there are any security problems with their devices.
IBM's X-Force released its 2018 Threat Intelligence Index report this morning.
They found that ransomware declined while cryptojacking rose.
The researchers also found that misconfigurations continue to be a problem for organizations,
with public disclosure of such incidents up by 20% over 2017.
Scammers continue to make heavy use of business email compromise, so watch out for social engineering.
And attackers are taking a much greater interest in the transportation sector. That industry was the second most attacked in 2018, rising from the 10th place it occupied in 2017.
NetScout also released a trend report today.
They find an increasing threat to the Internet of Things, with IoT devices coming under attack as soon as five minutes after their installation.
Much of the attention attackers give these devices is done to mount distributed denial-of-service attacks.
NetScout also thinks they're observing more involvement of nation-states in the conduct of such DDoS campaigns.
Security firm Eclypsium this morning released a study of potential security issues that arise with bare-metal cloud services.
IBM, among the vendors affected, responded yesterday by requiring that all baseboard management controllers be "reflashed with factory firmware before they are reprovisioned to other customers."
Eclypsium says it's pleased to learn of this mitigation, but that they disagree with IBM's assessment of the vulnerability as low severity. Eclypsium thinks it more serious than that.
Do dongles make you nervous? Do you worry about that thumb drive? How about USB chargers? Well, worry.
New research from the University of Cambridge and Rice University shows that computers with USB-C ports are more vulnerable to direct memory access attacks than previously thought.
Current protection provided by Input-Output Memory Management Units, or IOMMUs, was found to be insufficient.
As a result, Cambridge says many computers running Windows, macOS, and Linux can be compromised by peripheral devices like chargers.
Complete remediation will require changes in system design on the part of the technology companies, which the researchers say is in progress.
Until then, users are advised to avoid connecting untrusted devices to their platforms.
Looking toward the business side of cybersecurity, the sector as a whole continues to be hot with venture capital investors.
We checked in with Gaurav Tuli, partner at F Prime Capital, for his take on the market.
VC funding in security is really robust, and it's been steadily growing from kind of $1 billion to $2 billion per year several years ago to now it's approaching $5 billion a year.
And really today security is one of the largest areas of investment in venture capital,
and that's a pretty big statement considering how much money is going into private companies.
The common wisdom, and I think it is still yet to be refuted, is that cybersecurity has
been effectively an evergreen area.
And that although we look at the market today and there's thousands of companies and it
feels overfunded, the reality is that it's really hard to be an enterprise and win.
And you're fighting against attackers
that are incredibly sophisticated technology,
incredibly sophisticated experience,
potentially backed by governments.
It is a monumental task to keep up.
And at the same time,
you've got a very, very rapidly expanding threat landscape.
So the ability for incumbents,
the typically large security vendors
or diversified technology vendors
to keep up and continue to supply enterprises with the technology they need to protect themselves.
And that's a really difficult problem to solve.
And that's why startups have been so important and I think will always be important in cybersecurity.
And that's why the investment continues.
Now, the companies that you're seeing at F Prime Capital, what are the things that set the folks apart, the ones that catch your attention, the ones you want to spend time with? What are the differentiating factors for them?
It's a great question. So, you know, we are very long-term optimistic on the space. So I think we continue to see lots of areas of innovation in security, lots of companies that we like.
And the questions we ask ourselves in security are similar to the questions we ask ourselves in many other areas, which is, you know, let's understand the founder and their motivations. Let's understand how this company will exist in its environment, the product, the defensibility around it, and finally, how's it doing?
There are very few enterprises, less than 1%, that have the luxury of massive IT budgets,
massive and potentially unlimited security budgets.
I put Bank of America and JP Morgan and Citigroup into that bucket.
They're very well-paid CISOs, large security engineering teams.
They're building custom protection, custom monitoring, custom response, security operation centers that are heavily staffed.
But, you know, outside of this kind of Fortune 500, Global 2000, most companies, frankly, have very little.
And, you know, we speak to many of these companies and they'll have a designated IT guy as their informal CISO.
And it's a really daunting job if you're alone and if you're new to security. So we look for interesting solutions that can both solve this problem, which is,
you know, how do I help organizations that just can't scale up on the human resource side to
manage, you know, more security alerts or more vendors, but at the same time, protect them,
allow them to respond efficiently
and quickly and understand their environment. So the kind of companies that can do that,
and I think we have several in our portfolio that we're really excited about,
that really catches our eye. Because not only can you solve the problem for that 99% that don't have the resources to do it, you can scale up and still help very large enterprises, which, you know, tend to have the larger budgets.
Do you have any advice or words of wisdom for that person who's, you know,
sitting in their garage or basement, thinks that they have a better mousetrap,
a better way to solve some of these problems?
Any tips or words of wisdom for them to prepare themselves to be properly prepared for going out and speaking to folks like you?
Ultimately, I think it's the most important consideration any security entrepreneur should have, and I think the best ones do, is around understanding the customer and understanding the customer need.
And that's what we believe all of our companies are guided towards,
that kind of true north, which is how do we significantly improve the lives of our customer?
And that can come through many areas.
But to your point about a better mousetrap,
there's lots of exciting technology you can throw into a security product today.
But at the end of the day, you have to remember that
CISOs and security teams are overwhelmed with the amount of technology, the amount of jargon,
the amount of companies that are coming at them. And what they really need is someone to help them
solve their problems. Sometimes that's just basic blocking and tackling, and they need a more
efficient way of doing it. And sometimes it's innovative new threat vectors that they need to
wrap their heads around. But you really have to spend time with the customer to understand their needs, understand how they think about things, and understand their real problems before you can take a better mousetrap and turn it into a company.
That's Gaurav Tuli from F Prime Capital.
It's tax season in America, and in some other places, too.
It had been reported that TurboTax had been breached, but that seems not to be true.
The popular online tax preparation service wasn't itself compromised, but a number of users were.
Credential stuffing attacks appear to have hit an undisclosed number of accounts.
And finally, no, the mayor of the city of Tampa is not a delusional lunatic rampaging wildly through social media.
He does have a Twitter account, and someone did hijack it.
The still-unidentified hacker got control of the account for about five hours last Thursday
and used it to post a series of vile and threatening tweets, including a fake ballistic missile warning.
The tweet read,
Ballistic missile inbound thread inbound to Tampa Bay area.
Seek immediate shelter. This is not a drill.
That's thread, not threat, friends, which would have been redundant in any case, since an inbound missile is as close to a threat by definition as anything ever is in this vale of tears.
Of course, the tweet was in all caps, presumably so everyone would get the urgency, because nothing says call to action like caps lock.
Tampa's City Hall responded by saying, "Earlier this morning, we noticed someone hacked Mayor Buckhorn's Twitter account. This was clearly not Mayor Buckhorn. Upon noticing the hack, we immediately began investigating these reprehensible tweets."
So what was reprehensible behind, oh, a false alarm announcing nuclear Armageddon?
Well, beyond inbound missiles, the hijackers said that he, she, or they had put a bomb somewhere
and looked forward to seeing minorities die.
There was a range of sexist and racist invective,
along with particularly repellent child abuse content tagged with what Naked Security calls personalities in the gaming community.
There's a good news side to this,
and that side is the fact that apparently no one took this nonsense seriously.
His honor, Bob Buckhorn, normally tweets normal, upbeat stuff,
happily boosting Tampa with encouragement for investment, development, home repair,
swapping good ideas, and so on.
Depravity and the gaming community really aren't in his line at all.
Apparently, people knew that something was amiss,
and that it had nothing to do with Mayor Buckhorn.
He wouldn't tweet panic, murder, and obscenity. This skeptical response is a pleasing sign of some local herd immunity to epistemic contagion.
How did the hijacker get control of the account? Well, the best guess so far is weak passwords, possibly exploited in credential stuffing or a dictionary attack.
What about the perpetrators, you might ask?
Here, alas, it's a familiar-sounding story.
Personalities in the gaming community is probably the key.
The skid responsible for the incident sought to shift responsibility to three gamers,
one of whom said the whole thing came about in the course of an online disagreement.
Some of the gamers tagged have been swatted by other gamers in the past.
The city of Tampa is working with law enforcement to find the person or persons responsible.
Good hunting to you, we say, and be on the lookout for a half-hackerweight skid who spends way too much time trading skins.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back.
You know, you travel all over the world looking at, well, responding to these incidents and looking at how people have been attacked and the vulnerabilities that they have. What are the things that you see out there? What are the vulnerabilities that adversaries are really looking for?
Well, they're looking for any sort of vulnerability they can use to their advantage. And there's been a lot of talk about zero days, and zero days are not used as often as you might think in these cases.
Adversaries typically have several tiers of exploits that they run.
They've got their zero days.
Some of them have their zero days.
They have their best private stuff that they have at the top of the scale and all the way at the bottom of the scale, you've got your run-of-the-mill stuff that you can maybe download from the web or the dark web,
stuff that has been put into antivirus and other protective measures that you might think that
may never be successful. But I'll tell you, there's a golden rule here. And the golden rule
or the golden motto of these adversaries is use the path of least resistance.
So you're not going to bring out your best stuff, your highest tier exploits and capabilities if it's not needed.
We worked a case earlier this year where a nation state was actually using an extremely old remote access Trojan, one that had been in the public domain for several years, including the source code. Why did they do that? They used it because it worked.
Until organizations can raise their collective level of capabilities within their cyber defense programs, you're going to continue to see adversaries using the path of least resistance, doing whatever they can do, starting from the easiest stuff to get into those systems.
Now, what about on the social engineering side of things?
I mean, we talk about technical things like you mentioned, zero days.
But how about getting your employees up to speed with training and things like that?
It's an absolute must. The ability to recognize and respond to social engineering attacks is becoming much more mainstream in security awareness programs for organizations.
Business email compromise attacks, basically the type of attack where you send a
login page to someone and they click it and they put in
their credentials and that's used later for theft or for malfeasance. That can only exist because
of social engineering. We've also seen password reset attacks using social engineering. We've
seen MFA type of attacks using social engineering, meaning someone can call up a call center and say
that their multi-factor isn't working anymore and they can impersonate the user. And then, of course, work with the
help desk in order to reset the multi-factor and put it on the adversary's device. And then
not quite social engineering, but in that same vein is impersonation. So impersonation is where an adversary becomes the administrator or becomes the engineer on an OT network by abusing the credentials.
Typically, we see adversaries use malware to get in the front door to establish their foothold.
They steal credentials and then they move about in the enterprise utilizing those stolen credentials.
And a lot of times they don't use malware anymore.
So more and more organizations are looking at things like insider threat platforms and the ability to really question your identity logs in the enterprise to see if there's any sort of
anomalous behavior by your administrators or by your users. For instance, why is the CFO
logging into the development environment? That would be a really good example of the types of
breadcrumbs you're looking for from these adversaries.
Now, those are interesting insights.
Justin Harvey, thanks for joining us.
Thank you.
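Justin Harvey's closing point, that once stolen credentials are in play there may be no malware to catch, so the signal has to come from questioning identity logs for behaviour outside an account's normal pattern (his example: the CFO logging into the development environment), can be shown as a small baseline-and-deviation check. The Python below is an added example for this transcript, not code from the podcast, Accenture or any product; the log format, field names, roles, environments, source hosts, sample lines and scoring weights are all constructed for illustration.

```python
"""Baseline-and-deviation check over identity (login) logs.

Added example: learns, from a training window, which environments each
role normally reaches and which source hosts each user normally logs in
from, then scores later logins that deviate. The log format, roles,
environments, hosts and sample lines below are constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    role: str
    environment: str
    src_host: str


# Constructed sample log, one login per line: ts|user|role|environment|src_host
SAMPLE_LOG = """\
2019-02-25T08:01:10|cfo.jane|finance|erp-prod|LT-FIN-01
2019-02-25T08:05:42|dev.ahmed|engineering|dev-cluster|WS-ENG-07
2019-02-25T09:12:00|cfo.jane|finance|erp-prod|LT-FIN-01
2019-02-25T09:30:15|admin.li|it-admin|dev-cluster|JUMP-01
2019-02-25T10:02:30|dev.ahmed|engineering|dev-cluster|WS-ENG-07
2019-02-25T11:45:03|admin.li|it-admin|erp-prod|JUMP-01
2019-02-26T02:17:55|cfo.jane|finance|dev-cluster|WS-ENG-07
2019-02-26T02:19:04|admin.li|it-admin|erp-prod|JUMP-01
"""

# Events before this point train the baseline; events at or after it are scored.
CUTOFF = datetime(2019, 2, 26)

# Constructed weights per signal and the alert threshold. Off-hours alone
# (an administrator on call at night from the usual jump host) does not alert.
WEIGHT_ROLE_ENV = 2     # this role has never been seen in this environment
WEIGHT_NEW_HOST = 1     # this user has never logged in from this host
WEIGHT_OFF_HOURS = 1    # login between 22:00 and 06:00
ALERT_THRESHOLD = 2


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the pipe-delimited constructed format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, env, host = line.split("|")
        events.append(LoginEvent(datetime.fromisoformat(ts), user, role, env, host))
    return events


def build_baseline(events, cutoff):
    """Return (role -> environments seen, user -> source hosts seen) before cutoff."""
    role_envs = defaultdict(set)
    user_hosts = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            role_envs[e.role].add(e.environment)
            user_hosts[e.user].add(e.src_host)
    return role_envs, user_hosts


def score_event(e, role_envs, user_hosts):
    """Return (score, reasons) for a single login measured against the baseline."""
    score, reasons = 0, []
    if e.environment not in role_envs.get(e.role, set()):
        score += WEIGHT_ROLE_ENV
        reasons.append(f"role {e.role} has no baseline access to {e.environment}")
    if e.src_host not in user_hosts.get(e.user, set()):
        score += WEIGHT_NEW_HOST
        reasons.append(f"user {e.user} never seen from {e.src_host}")
    if e.ts.hour >= 22 or e.ts.hour < 6:
        score += WEIGHT_OFF_HOURS
        reasons.append("login outside 06:00-22:00")
    return score, reasons


def find_anomalies(events, cutoff=CUTOFF):
    """Score every login at or after cutoff; return those meeting the threshold."""
    role_envs, user_hosts = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e.ts < cutoff:
            continue
        score, reasons = score_event(e, role_envs, user_hosts)
        if score >= ALERT_THRESHOLD:
            alerts.append({"event": e, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(parse_log(SAMPLE_LOG)):
        e = a["event"]
        print(f"{e.ts.isoformat()} {e.user} -> {e.environment} from {e.src_host} "
              f"score={a['score']}: {'; '.join(a['reasons'])}")
```

Run against the constructed log, the only alert is the finance account reaching the development cluster from an engineering workstation at 02:17, which trips all three signals; the administrator logging into production at 02:19 from the usual jump host scores only the off-hours point and stays quiet. The weights and threshold are where a real deployment would be tuned, and the baseline window should be long enough to cover an account's legitimate but infrequent access.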
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.