CyberWire Daily - T-Mobile outlines what it’s offering customers hit by its data breach. Taliban on good T&C behavior? Apple’s CSAM. OS bug may affect medical devices. A report on 2020’s US Census Bureau hack.
Episode Date: August 19, 2021

T-Mobile describes what it intends to do for those who may have been affected by its big data breach. The Taliban is taking care not to get banned from social media. Apple defends its CSAM measures against a technical objection, but advocacy groups see a slippery policy slope. The US FDA warns of vulnerabilities in an OS used by medical devices. A report on a 2020 incident at the US Census Bureau. David Dufour shares a few surprises from Webroot's 2021 Threat Report. Our guest is Brandon Hoffman from Intel 471 on cybercriminals creating turbulence for the transportation industry. And a Bitcoin tumbler cops a guilty plea. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/160
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
T-Mobile describes what it intends to do for those who may have been affected by its big data breach.
The Taliban is taking care not to get banned from social media.
Apple defends its CSAM measures against a technical objection, but advocacy groups see a slippery policy slope.
The U.S. FDA warns of vulnerabilities in an OS used by medical devices.
A report on a 2020 incident at the U.S. Census Bureau.
David Dufour shares a few surprises from Webroot's 2021 Threat Report.
Our guest is Brandon Hoffman from Intel 471 on cyber criminals creating turbulence for the transportation industry.
And a Bitcoin tumbler cops a guilty plea.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 19th, 2021.

T-Mobile has responded to the breach it confirmed two days ago with a range of customer protection and reassurance measures.
The most serious risks appear to be, as Wired reports, identity theft and SIM swapping. As Wired summarizes, T-Mobile says that of the people whose data was compromised, more than 40 million are former or prospective customers who had applied for credit with the carrier, which is to say they're not presently customers at all. An obvious question is why the mobile carrier maintained the data in the first place. What use did it have for prospective customers' Social Security numbers and driver's license information, for example?

Wired adds, quote, another 7.8 million are current postpaid customers, which just means T-Mobile customers who get billed at the end of each month. Those roughly 48 million users had their full names, dates of birth, Social Security numbers, and driver's license information stolen. An additional 850,000 prepaid customers who fund their accounts in advance had their names, phone numbers, and PINs exposed. So, the current tally of individuals affected is somewhere above 48 million. While that's a lot by any reckoning, it's far short of the 100 million victims the crooks who offered the data in an underworld market claimed.
It's not clear how the attackers gained access to the data in the first place.
T-Mobile was alerted to the problem by the hackers woofing on the dark web.
To its customers, the telco is offering two years of McAfee ID protection, as well as access to T-Mobile's own Scam Shield and Account Takeover Protection. The company advises customers to change PINs and passwords, even though it says these don't appear to have been compromised, and that they consider putting a freeze on their credit if they think they're likely to be the victims of credit fraud.
The Washington Post shrugs that the general public has entered a period of learned helplessness with respect to big data breaches, and that no doubt the T-Mobile affair will be largely forgotten within a week or so. It lists five major data breaches that have, it thinks, done their bit to inure people to the problem: J.P. Morgan in 2014, which had 83 million victims; Adult Friend Finder in 2016, with 400 million victims; Yahoo in 2013, but disclosed in 2017, with 3 billion victims; Marriott in 2018, at 500 million victims; and Facebook in 2021, at 533 million victims. Against this background, having your credit card stolen is an inconvenience. Not good, but we get over it. 50 million people's PII exposed? That's not even an inconvenience. It's a statistic.
As social media platforms consider how to respond to the Taliban conquest of Afghanistan, the Washington Post says that the Taliban itself seems to be punctiliously toeing the line drawn by those platforms' terms and conditions. We'll have more discussion of the topic in this week's Pro Disinformation Briefing, out later this afternoon.
Apple defends its proposed child sexual abuse material detection technology, telling Vice that the version it will deploy isn't susceptible to the hash collision vulnerabilities researchers claim to have demonstrated. The proposed system would, under certain circumstances, scan for CSAM images flagged by a small set of international child protection clearinghouses, but critics remain unmollified. Reuters reports that various privacy and rights advocacy groups, the Center for Democracy and Technology among them, fear the technology could not only subvert end-to-end encryption, but could be readily adapted to screening for other content, and that there are insufficient protections against abuse by repressive governments. If, the critics ask, Apple moves to scanning for CSAM images in iCloud and messaging services, this puts them on the slippery slope to backdooring their systems under governmental pressure and to putting larger censorship programs in place.
The objections raised by the Center for Democracy and Technology aren't confined to adult civil liberties. The CDT is to some extent speaking in loco parentis, seeing as it does a large issue
The letter explains, after remarking on the unreliability of the algorithms used to identify CSAM content, quote, end quote.
The U.S. Food and Drug Administration has warned that medical devices running some versions of BlackBerry's QNX real-time operating system may be vulnerable to certain cyber attacks. The FDA says it has no evidence of exploitation in the wild, but that it's advising vendors and developers to use appropriate caution.

The U.S. Commerce Department's inspector general has released a report that concluded the Bureau of the Census mishandled a January 2020 incursion into its servers. Quote, specifically, the Bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers. Once the servers had been exploited, the Bureau did not discover and report the incident in a timely manner. Additionally, the Bureau did not maintain sufficient system logs, which hindered the incident investigation. Following the incident, the Bureau did not conduct a lessons-learned session to identify improvement opportunities. We also found that the Bureau was operating servers that were no longer supported by the vendor, end quote. The name of the vendor is redacted in the published reports, but The Record thinks the internal evidence points to Citrix servers used to give employees remote access to Bureau resources. The damage appears to have been limited. As the report puts it, quote, the exploit was partially successful in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attacker's attempts to maintain access to the systems by creating a backdoor into the affected servers were unsuccessful, end quote. And there seems to have been no corruption of 2020 census data.

And finally, a Bitcoin mixer who shuffled funds for contraband traders through a double-blind system to help them remain difficult to track has taken a guilty plea in a U.S. federal court. The Washington Post reports that Larry Harmon, 38 years old and a resident of the state of Ohio, yesterday admitted to a D.C. court that between 2014 and 2017 he operated a service called Helix that tumbled hundreds of millions in Bitcoin. Mr. Harmon acknowledged that he sought the business of drug traffickers and others who sought to evade law enforcement, and says he now intends to cooperate with federal investigators looking into other money laundering operations. Mr. Harmon arrived at his plea after the court rejected his earlier defense that he couldn't be guilty of money laundering because Bitcoin wasn't really money. But Chief U.S. District Judge Beryl A. Howell was having none of it, ruling, quote, money commonly means a medium of exchange, method of payment, or store of value. Bitcoin is these things, end quote. A sentencing date has yet to be set. The feds want to see how cooperative Mr. Harmon will be before they pencil him in on the calendar.
Brandon Hoffman is Chief Information Security Officer at Intel 471,
and he and his team recently took a closer look at threats targeting the transportation industries.
I checked in with him for the specifics.
When we talk about transportation, there's kind of commercial transportation,
which is, you know, airlines and kind of hotel companies and stuff. Then there's transportation
companies that are more kind of almost considered critical infrastructure in the sense that more
like the trucking industry or the shipping industry and things like that. In this case,
we were talking mostly around commercial transportation.
And they have a lot of the same problems that other companies do. They are dependent on a
significant supply chain. They have lots of footprint on the internet. They have places
where customers can log in. They have places where their employees log in that are exposed
to the internet. So there is a large attack surface available for the transportation industry at large.
And so what were some of the specific things that you all were looking at here?
Yeah, so specifically here we were looking at kind of a surge in traditional initial access, so access to their networks.
So people selling access to these networks,
or of course, compromised credentials. Compromised credentials have always been,
but are now even becoming potentially the number one initial access vector that we're seeing.
Abusing transportation systems for cashing out other activity, or even kind of the basis for monetization through kind of gift cards.
And of course, nobody's safe from this these days is ransomware.
Yeah. Can we dig into some of the stuff you found with gift cards?
I think that's an interesting aspect that a lot of people don't always consider.
Yeah, absolutely. So, you know, cashing out through gift cards, specifically before cryptocurrency was around, you from. You can use a gift card and largely
the organization whose gift card it's for, they're not checking if you're authorized to use that gift
card because to a degree, they want it off the books. It's money out there that they have to
account for day over day, year over year. They want it spent because they want to account for
that money spent. And so cybercriminals have long used that to, of course, launder some money,
but also in this case, specifically stealing points, rewards miles, turning them into gift
cards. Because when you think about the initial access vector, something like compromised credentials, if you get compromised credentials that work on an account that has a bulk of airline miles or hotel points, the easiest thing to do would be to convert that into a gift card, take that, but there's not a lot of infrastructure that's been designated to tracking that type of fraud as compared to traditional financial fraud.
They can't account for it because it hasn't really been spent yet.
It hasn't been used for a service or a good.
And so they want it to be used, but they don't want their customers to be defrauded, but they're not losing
money, right? I mean, somebody's spending that money anyway. So if I steal a gift card from you,
Dave, right? And let's say you had a $100 gift card for an airline and I steal it from you and
I sell it for $50 and somebody uses the gift card. Well, the airline's still getting their $100 worth,
right? Yeah. So what are the take-homes here? I mean, for folks who are in the transportation industry,
are there any things that you suppose they should be doing that isn't getting the proper
attention it deserves? But largely, the takeaway is not all that different from other conversations
we've had around cyber hygiene. No industry is immune to the cyber
attacks, whether it's initial access and data exfiltration, whether it's some type of fraud,
and whether it's ransomware. I mean, everybody who has an internet-connected business is at risk for
these things, these attacks. And you should do everything you can to take care and at least do the basics from a cybersecurity standpoint to make sure that at least the simplest of attacks go checked, right?
Yeah. Yeah. Don't be the low-hanging fruit, right?
Exactly. Yeah, exactly. That's the best way to put it.
That's Brandon Hoffman from Intel 471.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
Dave, it's always great to have you back.
You all recently published your 2021 Webroot Threat Report.
Can you take us through some of the highlights here?
What did you all find in this round of your report?
Hey, David, great to be back as always.
Yeah, so first of all, where's Webroot get its data? We have 285 million endpoints and sensors out there through our solutions that we sell. So we have a very large footprint where we're gathering this information. And we have a strong team who collates it, looks at it, and then gives us this information. I personally am not analyzing the data from all 285 million machines. I think my upper limit is around 200 million machines.
I wasn't able to handle it after that. I see. Well, you're only one man.
Exactly. No, seriously, there's a massive team that spends lots of time on this, so my hat off
to them. But some interesting stuff, and it's kind of fun to look at this. Typically,
we talk about healthcare or social media being the top of the scale and everybody better watch
out, but it actually fell this time significantly year over year, a 41% decrease in those areas
being attacked. Yeah, and I think some of that has to do with a year ago,
we had all just got home and, and that we had COVID and everybody was online. And I think
that's really where the attackers focused their efforts. Cause, um, as we've talked many times,
the nefarious actors really are, um, savvy about what's popular right now. But what we're seeing is a huge, huge push,
and this will not surprise anyone, into oil, gas, industrial. And I think a lot of that's
stemming from, you know, for the last five to 10 years, we've talked about the crossover with IoT
solutions and getting your operational infrastructure plugged into your back office
infrastructure and what's going to happen there.
And I think we're really seeing the cyber criminals take advantage of that because they realized I could lock up Dave Bittner's selfies and no one's going to pay anything for that.
Or I could lock up an oil and gas company and I'm going to get millions and millions of dollars.
So there's a big shift we're seeing.
Yeah.
I mean, is it that they're becoming much more, or they have become much more deliberate in
who they're hitting, that they're focusing their energy on these high-value targets?
Well, I would say yes and no.
I think they still are opportunistically attacking everywhere and seeing what sticks. But then they've gotten much, much better at saying, you know, that's Dave Dufour, that's Dave Bittner, or saying that's an oil and gas company. Let's go for them. And so I would say they're still opportunistic. They're not like saying, I'm going to go attack this company or attack that company.
At least that's not what I'm seeing.
They're taking advantage of very common popular exploits, but they've really refined who they're going to go get the ransom from.
Any other things stood out for you in this year's report?
It's kind of interesting. The top brands are moving around about who's getting hacked and who people are impersonating. And I think it's kind of like you and I still wear all our old
80s clothes because we think they look cool. But some big names are coming back. Like eBay
topped the list of not brands that were hacked, but what are being targeted and how they're
impersonating. So that tells me people are using eBay more than I realize. And so we're seeing a
shift in, you know, hey, maybe it's not the common ones, you know, today, maybe it's a little bit
older school that people are going to impersonate and try to get in that way. Yeah, those threat
actors are certainly nimble, if nothing else. They're very good at what
they do. And I'm not, I begrudgingly have to tip my hat to them. They're very good, very savvy,
and they continue to become more and more sophisticated. So it is a challenge to protect
against them. Yeah. Well, it's Webroot's 2021 Threat Report. David Dufour, thanks for joining us.
Great being here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll
see you back here tomorrow.