CyberWire Daily - Telco data breach. Firmware supply chain problems. Hacking BLE. Census security. Continuity of operations. Decryptor for GandCrab, NSPM 13. Bulgaria’s tax hack.
Episode Date: July 17, 2019
Sprint warns of data breach. Eclypsium announces discovery of server firmware supply chain problems. Bluetooth Low Energy may be less secure than thought. Congress hears about US census cybersecurity. Ransomware and continuity of operations. The FBI offers help decrypting GandCrab-affected files. Venafi on why financial services are especially affected by certificate issues. Congress asks to see NSPM 13. And an arrest is made in Bulgaria's tax agency hack. Ben Yelin from UMD CHHS on the DOJ being required to make public attempts to break encryption in Facebook Messenger. Tamika Smith speaks with Alex Guirakhoo from Digital Shadows about scammers registering fake domains to try to capitalize on Facebook's Libra cryptocurrency plans. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Sprint warns of a data breach.
Eclypsium announces discovery of server firmware supply chain problems.
Bluetooth low energy may be less secure than thought.
Congress hears about U.S. Census cybersecurity, ransomware, and continuity of operations.
The FBI offers help decrypting GandCrab-affected files.
Venafi on why financial services are especially affected by certificate issues.
Congress asks to see NSPM-13.
And an arrest is made in Bulgaria's tax agency hack.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 17, 2019.
U.S. telco Sprint has warned customers that unauthorized persons may have obtained access to their Sprint account.
The hackers obtained access in some unspecified manner through the Samsung.com add-a-line website.
Sprint says it's taken steps to secure its customers' accounts.
Security firm Eclypsium has an account of how a firmware supply chain problem has cropped up in several makes of servers.
The issue involves the BMC, that is the Baseboard Management Controller, and devices from at least six different manufacturers are affected.
Eclypsium found two distinct vulnerabilities.
First, some BMC firmware update processes fail to verify cryptographic signatures before accepting updates.
And second, the BMC code that performs the firmware update contains a command injection vulnerability.
Some server vendors, notably Lenovo, have released updates and mitigations to address these problems,
but Eclypsium notes that supply chain issues of this kind tend to be persistent and can be difficult to fix.
Researchers at Boston University report that they've demonstrated
they can defeat the MAC address randomization Bluetooth Low Energy uses to protect devices
from being identified and tracked. There's a wide range of ways in which Bluetooth Low Energy can be
implemented in a device, but the researchers'
conclusions suggest that this isn't as simple a matter as, for example, making sure your AWS S3 buckets are left open to the internet. Even properly, carefully implemented instances can
yield a lot more information about a device than had generally been believed.
Congress is raising concerns about the 2020 U.S. Census.
This is the first U.S. Census in which a significant portion of the data collection will be done online,
with the attendant possibility of hacking and the customary a priori jitters are to be expected.
The Government Accountability Office testified before Congress that,
although the Bureau, that is the Census Bureau's attention. The Bureau is delaying action
on 104 of these, citing either technical or resource issues. That said, all things being
equal, the GAO thinks that, quote, while there's a lot of work needed going forward, they don't
think we're looking at a disaster. The whole point, of course, is to be able to carry out the
constitutionally required headcount,
and the Census Bureau is confident it can do that while securing the personal data it will collect.
Sensibly, they say they have a variety of continuity of operations plans in place,
and that they're working on a plan that would cover the worst-case catastrophic takedown of its systems.
Continuity of operations and mission assurance are worth thinking about
with respect to ransomware, too. One of the bigger ransomware demands issued lately has been received
by Monroe College, a proprietary school headquartered in the Bronx. Naked Security puts
the extortion demand at $1.8 million, and Inside Higher Ed says it's an even $2 million. In any case, what may be most
interesting about the episode is the way in which Monroe is working to continue operations.
The college has declined to say whether it will pay the ransom, but it has said that it's reverted
to manual and even face-to-face operations to continue to deliver its product to the students.
As President Mark Jerome put it, quote, we're simply doing it
the way colleges did before email and the internet, which results in more personal interactions,
quote. Given the way in which schools and city governments have been clobbered by ransomware
over the course of this year, this particular fallback, readiness to revert to manual backup,
is well worth considering. Every organization has a mission,
and IT systems are there to facilitate accomplishing that mission.
So it's worth thinking in terms of continuity of operations and mission assurance.
If we may be permitted a local observation,
had the city mothers and fathers of Baltimore devoted some time and attention to this, they wouldn't have found themselves in this year's ongoing ransomware pickle. And the citizens of Charm City would be spared the sticker shock of a huge water
bill that represents a catch-up bill after months of downtime. Facebook has been under a good bit of
scrutiny lately for a variety of things, not the least of which is their recently announced move
into cryptocurrency and digital wallets. Tamika Smith has more on that story.
We're approaching a month since Facebook announced its new cryptocurrency, Libra,
and their digital wallet, Calibra.
The tech giant's move has spawned an increase in domain permutations,
drawing out hackers and scammers across the web seeking a payday.
Here to talk more about this is Alex Guirakhoo.
He's a strategic intelligence analyst at Digital Shadows. Hi, Alex. Welcome to the program.
Hey, Tamika. It's good to be here.
Okay, so you recently wrote an article that delves into how scammers and hackers have seen this sort
of like a gold rush. So let's start with charts you created. What were you looking for in the
results?
I initially was doing some research completely unrelated for a client report. And I had noticed
that there was a weirdly high number of domains that were being created that essentially appended
the client's name brand with either Libra or Calibra. And I thought to myself, hey,
that's a little bit weird because spoof domains are extremely common, but it's a bit more rare
to see a consolidated
effort like this. And so that got me thinking. What I did was I went into Shadow Search, which
is a tool that searches across Digital Shadows' data repository and basically includes everything
from Whois records and CVEs to Threat Actor profiles and dark web search results. And I used
that to pull up a list of all the domains that we had collected on that
either had Libra or Calibra in the URL that were created either on or around the days of the
announcement, which was on June 18th.
Interesting. So all of the domains that were set up on the 18th, as you categorize them in your article, they're hosting malicious content, but they're split up into different categories. Can you talk about that?
Yeah, so essentially, the three different categories that I came up with
were the boring ones. So those that aren't really doing much, they're sitting there,
parked, not hosting content. But the more interesting ones, I split into the two
different categories. So they were either directly impersonating the Libra Calibra website,
or they were using the Libra Calibra brand to run a type
of scam. Does GDPR have a role to play in what countries are going to be hit the hardest by this?
So the way that GDPR will work is that it's really only going to be effective on the companies
themselves and whether or not they operate within essentially the jurisdiction of GDPR.
It's not really going to curb anything
that these criminals are going to do. In the long run, it might tighten up security controls that
the companies will have in place and kind of put these up in the forefront within an organization's
policies. And that in itself could make it more difficult for attackers to target these kinds of
organizations. So now let's look at cryptocurrency in itself. It's not new. Everyone knows about cryptocurrency.
One of the ones that became very famous is Bitcoin. But now, you know, Facebook is in the game as well.
And they're attracting a lot of attention, garnering attention from political figures and the banking industry.
What makes their cryptocurrency different from, say, Bitcoin?
Yeah, so everyone knows about Facebook.
They're extremely popular. They have strong footing in the tech world. And so, like you said,
it's natural that they attract a lot of this kind of attention. As of right now, Facebook has no
plans on offering Calibra's digital wallet services in its largest market in India. And
India has made it very clear that they're not happy with having a private cryptocurrency in their market as well. So much so that the country's economic affairs
secretary said in a Bloomberg interview that they would not be comfortable with a private
cryptocurrency and that they will be proposing stringent penalties, including prison sentences
up to 10 years. So Facebook is absolutely huge. And essentially, the goal with
Libra and the Calibra wallet is to leverage their big their global platform to create an easy to use
borderless currency. But in practice, like you said, that can be a bit more difficult with India
saying that they're not too comfortable with the implementation of cryptocurrencies like Libra.
It raises a couple of questions. But mainly things like blockchain
networks, which typically operate in a more decentralized manner, it can make it difficult
to regulate it in the way that you would a more traditional currency. But the way that Libra
appears to be set up, it seems more centralized than most other cryptocurrencies, like you
mentioned Bitcoin. And so it's probably more likely that Facebook will try to abide by the
laws within countries like India and that Libra would be operating in otherwise. But we'll have
to see how that actually works and how that's implemented once the cryptocurrency actually
comes around in 2020, because it's difficult to fully manage a blockchain network, especially
with regards to cryptocurrencies, because people can always use VPNs to get around things like
IP blacklisting.
So it is possible. And essentially, we'll just have to see what happens come 2020.
Exactly. So we'll have to leave the conversation here for now.
Thank you so much for joining the conversation, Alex.
It was so nice to be on. Thank you so much.
Alex Guirakhoo is a strategic intelligence analyst at Digital Shadows. You can find him tweeting at photon
underscore research, tweeting about Facebook's Libra, leaky SMB file shares, among other topics.
And Tamika Smith joins me in the studio now. Tamika, along with the folks sort of going out
on this gold rush for domain names, representatives from Facebook had some time in front of Congress
yesterday. They got a bit of a grilling.
Yes, they did.
Specifically, David Marcus.
He's the co-creator of Facebook's new digital currency, Libra.
What I thought was very interesting is that he knew, from what I could see, that he was stepping into a zone where a lot of criticism was going to be coming his way.
He brought up the Independent
Libra Association, which includes companies in the financial sector, the blockchain sector,
venture capitalist companies, nonprofits. They're specifically there to regulate this new currency
and to make sure that implementing safeguards is what they're there to do. And most importantly, that Facebook will only get 1% of the vote on this association.
Hmm. All right. Well, it's certainly interesting developments.
I think Facebook is under a lot more scrutiny than perhaps they had hoped to be under or even bet on.
Tamika Smith, thanks for keeping an eye on this stuff.
Of course.
The U.S. FBI has issued a flash alert
offering master decryption keys
and other useful information
concerning the now possibly retired
but still troublesome GANDCRAB ransomware.
Good for the Bureau, we say.
Now anyone can create their own decryptor.
A survey by Venafi suggests
that financial services are likelier to suffer a
certificate-related outage than are businesses in other sectors. They're particularly vulnerable
because, as Venafi puts it, quote, financial services organizations rely on machine identities
to secure and protect a wide range of business-critical machine-to-machine communication,
end quote. Bulgarian authorities have arrested a 20-year-old man in connection with a data breach
at the national tax agency that exposed some 7 million people's personal information.
The unidentified suspect is said to have been a legitimate penetration tester
who went over to the dark side.
And this just in, humans now read the CyberWire on Alexa. Lack the time or inclination to
read the daily news briefing? Let us do it for you on your Alexa. Just say, Alexa, what's my
flash briefing? Or, Alexa, what's in the news? After you've set the CyberWire as part of your
flash briefing, your regular podcast host, most likely me, will take it away.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back.
Saw a publication, this was a press release from the EFF, the Electronic Frontier Foundation,
and this was outlining how Justice Department
efforts to break encryption of Facebook Messenger must be made public.
What's going on here?
So last year, the DOJ made an effort to obtain the Facebook messages of a customer who they
believed was involved in gang activity, specifically the MS-13 gang, the one that we've heard so much
about over the past several years.
Facebook, as most technology companies have done, refused the request.
DOJ tried to get an injunction, get a court order to hold that company in contempt and
actually force them to break their own encryption.
If this sounds familiar, it is. I mean, most famously, we saw it with Apple and the FBI back in 2016, when the FBI wanted access into
the device used by the terrorists in San Bernardino. They got into a major legal skirmish.
Eventually, FBI was able to break encryption without getting Apple's cooperation. The court actually denied the
government's effort to get Facebook to decrypt their messaging service. And what EFF is petitioning
is to get that opinion public. The reason that's so important for people who care about digital
privacy and civil liberties is there's going to be some reasoning contained within that decision
that would apply to all
different types of other cases. Now, depending on what court that is, that could be mandatory
authority if it's in a federal court that's located in California and that would have to
rely on this decision, or it can be persuasive authority where courts from other states might
look to this California case and say, here's really persuasive reasoning as to why we should
not force Facebook to decrypt their own messaging service. And so far, the federal judge has denied
the EFF and other civil liberties groups petition to make that information public.
So the case is still classified. We don't have the government's reasoning.
That's left EFF to do a lot of guesswork. And what they're arguing is that in order to keep the public informed about the government's anti-encryption tactics, that information
needs to become public. And I think they have a very compelling case.
What are the odds that you think they'll prevail in this? Well, you know, this is something
that's up to the judge. I'm sure the judge is being heavily persuaded by the DOJ because
any public opinion on this, even if it's partially redacted, could reveal methods that the federal government uses to decrypt devices or software, any type of technology.
So there is that element where law enforcement is always reluctant to unveil the tactics that they use in conducting their work.
And to be clear, I mean, that's a legitimate argument from the DOJ's side.
Absolutely. It's completely legitimate.
You know, there are other ways to get basic information out there about the legal reasoning,
in particular, under what federal statute did the judge base his or her decision. And that,
I think, could be done without revealing any of the underlying information about law enforcement
tactics.
Now, frankly, there's a lot we don't know about the case. So there might be something contained
in there that is classified and that would really harm law enforcement efforts as it relates to
either dealing with technology companies or confronting groups like MS-13. But my inkling
is that if a judge was amenable to refusing the DOJ's request to decrypt Facebook software, perhaps they'd be amenable to a petition from a civil liberties group to get that opinion unsealed. So far, that's been unfounded. But that would be a logical conclusion from the original decision.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at the Cyber Wire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.