CyberWire Daily - Supply chain security. New cyberespionage from OceanLotus. Data breaches expose customer information. And GCHQ has had quite enough of this vaccine nonsense, thank you very much.
Episode Date: November 9, 2020Alerts and guidelines on securing the software supply chain (and the hardware supply chain, too). OceanLotus is back with its watering holes. Two significant breaches are disclosed. Malek Ben Salem fr...om Accenture Labs explains privacy attacks on machine learning. Rick Howard brings the Hash Table in on containers. And, hey, we hear there’s weird stuff out there about vaccines, but GCHQ is on the case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/217 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Alerts and guidelines on securing the software supply chain.
Ocean Lotus is back with its watering holes.
Two significant breaches are disclosed.
Malek Ben Salem from Accenture Labs explains privacy attacks on machine learning.
Rick Howard brings the hash table in on containers.
And hey, we hear there's some weird stuff out there about vaccines,
but GCHQ is on the case.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 9th, 2020.
The U.S. FBI last week made public an alert issued on a restricted basis back in October.
The alert warned that unknown actors had exploited insecurely configured instances of the SonarCube code review tool to steal source code from companies and government agencies.
ZDNet summarizes the research into and remediation of the issue.
While the industry has been rife with warnings of the ways in which MongoDB and Elasticsearch databases can be left exposed, the comparable problem of exposing SonarQube was often overlooked.
But the consequences of an unsecured SonarQube instance are significant for the software supply chain,
since the tool is used in checking code during development.
The typical problem is that organizations using SonarQube have left in place default configurations on port 9000 and default admin credentials.
Those default credentials are admin, admin.
That ought to be a red flag for everyone.
Admin, admin is about as good as username, password.
So do remember to change those defaults.
password, so do remember to change those defaults. Calling the pandemic a wake-up call, the U.S.
Cybersecurity and Infrastructure Security Agency has released a set of lessons learned on building a more resilient information technology and communication supply chain. Noting the ways in
which the supply chain has been globalized, as the document says. A product may be designed in New York, built in Vietnam, tested in Taiwan,
stored in Hong Kong, and sent to China for final assembly before it's distributed.
CISA's task force identifies three primary areas in which supply chains are vulnerable.
Those are, first, lean inventory approaches,
second, undiversified suppliers,
and third, ignorance of lower-tier suppliers.
Their recommendations fall into these categories.
Proactive risk classification, map the corporate supply chain,
broaden supplier network and regional footprint,
potential development of standardized mapping and other illumination tools,
work to shift the optimal amount of inventory held,
and plan alternatives in logistics
and transportation.
Researchers at the security firm Veloxity report that Ocean Lotus, the Vietnamese cyber
espionage crew, also known as APT32, is using an array of bogus websites and Facebook pages
to attract victims.
CyberScoop notes that Ocean Lotus has, since its discovery in 2017,
been particularly active against foreign corporations doing business in Vietnam.
Two significant data breaches have come to light and are currently under investigation.
The Indian online grocer Big Basket has sustained a data breach,
exposing the data of about 20 million users.
According to Bloomberg Quint, the cyber intelligence firm Cyble has informed the
Beguluru police cyber crime cell that has detected criminals selling leaked data on the dark web for
some 3 million rupees, or a bit more than 40,000 US000. The data at risk includes email addresses, phone numbers, order details,
and physical addresses, so it's not the gold standard of Fools, but it's a serious breach
nonetheless. The other data exposure incident affected the Spanish firm Prestige Software,
whose channel management platform, Cloud Hospitality, automates hotel accommodation
availability for delivery to
online booking services such as Expedia and Booking.com. Website Planit's investigation shows
that some significant personally identifiable information is at risk, including names,
email addresses, phone numbers, full pay card information, and even details on guests'
reservations themselves, dates of stay, special requests, and even details on guests' reservations themselves,
dates of stay, special requests, and so on.
Reports say that Britain's GCHQ has gone on the offensive against anti-vaccine propaganda.
The Times says that the SIGINT agencies using techniques proved against Islamic state online activity
against state-sponsored purveyors of
vaccine disinformation. It's not a comprehensive rumor control effort, but operates against state
directed disinformation only. According to Reuters, GCHQ is taking down hostile state-linked content
and disrupting the communications of the cyber actors responsible. The campaign against which GCHQ's efforts are directed is Russian,
Engineering and Technology reports.
The Week suggests the motive for the disinformation is at least partly commercial,
since Russia is interested in seeing widespread adoption
of two vaccines developed in that country.
The disinformation is directed against a COVID-19 vaccine
developed in the UK by AstraZeneca and Oxford University.
One might think that such disinformation would take the high-toned friend-of-nature line that circulates in the tonier precincts of Silicon Valley or Marin County.
Vaccination causes various childhood development impairments and so on.
Not true, of course, although vaccines have had their troubling side effects.
Consider the swine flu vaccine problems in the mid-70s, for example.
No, the straight line out of Moscow is a lot scarier
and much more direct in terms of its proposed cause and effect.
Here's the deal.
So those eggheads at Oxford and AstraZeneca come up with this vaccine, right?
But did you know that they used a chimpanzee virus to make it?
Anywho, it stands to reason that anyone who gets the vaccine will turn into an ape,
on account of they made their vaccine from, like, some chimpanzees or something.
What the hay?
Chimps, man.
Edward Jenner, call your office.
Maybe using cowpox wasn't such a good idea after all. Weren't there all those cattle people mooing out there in the countryside? What? No? Well, maybe the whole ape man risk is being overstated here,
or else there's some serious mad science going on in the urals. But it seems more likely
that this view of vaccine trials is more informed by repeated viewings of the fly,
the Vincent Price version, not the Jeff Goldblum remake, than it is by the history of medicine.
The whole story is more Seymour's Fright Night than it is the New England Journal of Medicine.
We hope that few are persuaded by the Russian campaign,
and above all, we wish GCHQ good hunting.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1, dollars off. your company's defenses is by targeting your executives and their families at home. Black
Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it is my pleasure to welcome back to the show Rick Howard, the CyberWire's Chief Analyst and Chief Security Officer.
Hello, Rick.
Hey, Dave.
So on last week's CSO Perspectives episode, you made the preliminary case, and I would say compelling case,
that since containers and serverless functions are really infrastructure as code stored in the cloud,
that we need to protect them with the same rigor as any other collection of data we store there.
Now, this week, you brought in some hash table experts to get their thoughts on this whole matter.
What sort of feedback did you get from them?
Well, as per usual with the hash table group, Dave,
my theories about how to protect our digital environments have run afoul
of practical considerations and resource limitations.
What I initially thought was important may not be.
And the question I wanted the hash table members to answer was this.
Is there a high risk of material impact to your organization
because you use containers or serverless functions?
In other words, should you drop everything in order to focus resources
on securing these digital
assets? The answer, at least for today, is probably not. All right. I have to say that's
not what I was expecting. So what's their logic here? Well, if we just look at the MITRE ATT&CK
framework, which by the way, I'm a huge fan of, You're familiar with it. It's the most comprehensive open source
collection of adversary tactics, techniques, and procedures in the world right now. And if you're
not using it to establish your intrusion kill chain first principle prevention strategy, you're
probably failing at that. We did a whole entire episode of this way back in season one on episode eight. But even the MITRE attack framework is
silent about any container-related tactics, techniques, and procedures.
Why is that? I mean, are the bad guys not coming after it yet? What's the reality on the ground?
Yeah, at least they're not right now. And we can debate the reason why, but it's probably because
it's too hard to do. Not impossible, but hard.
You know, adversaries have many other ways to destroy or steal data that are not nearly as complicated.
So I was talking to Roselle Safran about this at the hash table.
She is the CEO and founder of a small startup called Key Caliber.
She uses containers to deliver her security service to her customers.
And I've known Roselle for a number of years, and she has a first-class cybersecurity mind and in a former life worked as a government cyber operator in multiple functions.
Here's what she had to say.
Well, I mean, some of it is just the infrastructure by its nature.
It implicitly has some defenses in place. And maybe that's just because it's
newer technology. And so that was more built into it than with some older technology. For example,
from the perspective of the memory and making sure that the memory is protected.
sure that the memory is protected. NX bit, so an attacker couldn't execute from the stack and ASLR, so where everything is in a, the stack is in random locations. It forces the attacker to
have to go to return oriented programming attacks. So they can't even get to softball attacks. And so you have that type of infrastructure that's
already in place with it. And so that helps. This doesn't mean that hackers will never try
to leverage this new client-server architecture. It just means that they aren't right now.
That if your organization has limited cyber defense resources and you still have work to do,
preventing all the things we already know that hackers do
that are currently listed in the MITRE ATT&CK framework,
diverting security resources away from that
to containers and serverless functions
is probably not the right move.
Well, as always, there's a lot more to the conversation.
So check out here what the hash table had to say.
It's the CSO Perspectives podcast.
It is part of CyberWire Pro.
You can check that out on our website.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. Thank you. you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. And I'm pleased to be joined once again by Malek Ben-Salem.
She's the America's security R&D lead at Accenture Labs.
Malek, it is great to have you back.
I wanted to focus today on some stuff that you and your team have been tracking, and this is privacy attacks to machine
learning. What's going on here? Yeah, Dave, as you know,
more and more businesses are using their data
to gain insights into their clients or customers
and using it for predictive
use cases.
And that means, you know, using machine learning, if you will.
And this has been expedited by the prevalence of data,
but also by the capabilities,
the computing capabilities available to us on the cloud.
But that machine learning,
whether it's performed by one company on its own,
or whether it's performed in collaboration with ecosystem partners,
requires, in most cases, sharing data between the different parties or uploading data to the cloud. And there are risks associated with that, particularly privacy risks, which is what I want to focus on today.
The first one comes from if a party is uploading data and storing it on the cloud in the clear,
right? Obviously, there's a risk associated with that. Most companies do encrypt their data when they upload it to the cloud.
But that data has to be decrypted if you want to perform any computation on it.
So when it gets decrypted, then there's a privacy risk if the data contains private information.
That is just the obvious risk, but most companies do a
pre-processing step where they try to anonymize the data, remove any sensitive or PII data.
But we've seen that that step is not enough to prevent de-anonymization.
And there have been several attacks where the data was anonymized, but parties can take or adversaries can take that data and combine it with external data or third party data to be able to de-anonymize it and to re-identify the individuals whose data shows up
in that data set. But those are, again, those are the straightforward attacks.
But there are more sophisticated attacks. So one of the techniques that companies do or one of the pre-processing steps they go for in order not to
have their data, their private data in the clear on the cloud or on any system is a step where they
take the raw data and turn it into what is known as features that can be used by the machine learning model as input.
So this is a pre-processing step that extracts some of the features that are used to train
the machine learning model out of the raw data.
And then the party would take that feature data and upload it on the cloud or the server where they perform the computation
instead of the raw data itself.
However, adversaries can, even when only the features are transferred
and stored on the computation server,
there is this threat known as a reconstruction attack
where the adversary's goal is reconstructing the raw private data
by using the knowledge they have of the feature vectors.
So examples of that that have been performed previously are taking a fingerprint
or reconstructing a fingerprint image
from a Manushe template.
That includes just features.
Or taking mobile device touch gestures
and reconstructing the touch events from the features that include the velocity and the direction of the touch.
Now, in both of these cases, the threat resulted in a security threat.
So from a privacy threat, this resulted into a security threat to an authentication system.
So that's basically the third type of attack. And this can be exacerbated by the type of machine
learning algorithm that is used. So in some cases, even if that feature data is not available, but the adversary gets access to the machine learning model that uses it, some of the machine learning models store these feature vectors in them.
So models like support vector machines or the K-nearest neighbor, use these feature vectors to identify the model itself.
So if the adversary gets access to the model
without getting access to the data at all,
they may be able to infer some information,
private information, about the individuals
whose data was used to build that model.
Wow. Well, it's a lot to unpack, but
I always appreciate you explaining this stuff for us.
Melek Bensalem, thanks for joining us. Thank you, Dave. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Oh, what heights we'll hit.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment called Security Ha!
I join Jason and Brian on their show
for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence.
Every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Guru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.