CyberWire Daily - The minor mystery of GPS-jamming. Twitter investigates apparent data breach. Ransomware C2 staging discovered. A C2C offering restricted to potential privateers.
Episode Date: July 25, 2022
The minor mystery of GPS-jamming. Twitter investigates an apparent data breach. Ransomware command and control staging is discovered. Andrea Little Limbago from Interos looks at the intersection of social sciences and cyber. Our guest is Nelly Porter from Google Cloud on the emerging idea of confidential computing. A C2C offering restricted to potential privateers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/141
Selected reading.
Why Isn't Russia jamming GPS harder in Ukraine? (C4ISRNet)
Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5Mac)
Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record by Recorded Future)
Russian Ransomware C2 Network Discovered in Censys Data (Censys)
Researcher finds Russia-based ransomware network with foothold in U.S. (The Record by Recorded Future)
New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates (SecurityWeek)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout.
That's joindeleteme.com/n2k, code N2K.
The minor mystery of GPS jamming,
Twitter investigates an apparent data breach, ransomware command and control staging is discovered,
Andrea Little Limbago from Interos looks at the intersection of social sciences and cyber.
Our guest is Nelly Porter from Google Cloud on the emerging idea of confidential computing, and a C2C offering restricted to potential privateers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 25th, 2022.
Russian electronic warfare hasn't been particularly aggressive in jamming GPS.
C4ISR reviews the potential explanations, and they closely parallel the reasons why Russian offensive cyber operations have been similarly restrained.
The first possibility is that, just maybe, Russian electronic warfare isn't as good as everyone thought it was.
Other Russian capabilities have been overestimated, and there may have been a tendency to exaggerate Russian
electronic warfare prowess as well, the thinking goes. Maybe. But on the other hand, Russia has
shown an ability to jam GPS signals in Norway, for example, or spoof them in the Black Sea.
It's not like the ability to maneuver armored units against opposition.
If you can jam in peacetime, there's no obvious reason you can't jam in wartime.
Other explanations seem likelier. Or there's this: Russian forces themselves use GPS,
and they don't want to deny their own access to the system in the theater of operations.
Russia does have both GLONASS, a domestic alternative to GPS,
and Chayka, a terrestrial navigation system roughly equivalent to the American LORAN,
but these are not as widely used.
GPS receivers are cheap and ubiquitous, and many Russian units use them. Almost every smartphone has GPS.
Very few, if any, use GLONASS.
GPS is everywhere, so this seems possible.
Or maybe Russian EW operators, or more properly their commanders,
are concerned about the ease with which their jammers could be located,
targeted, and destroyed.
The assets are valuable, and they have to be husbanded for a time when they're really needed.
Another possibility: Ukraine's stockpile of Soviet-era weapons isn't dependent upon GPS,
and so GPS jamming won't affect them.
Of course, Ukrainian forces are just as likely to use GPS receivers as Russian forces are,
and systems they've recently received from NATO use GPS,
so this possibility seems unlikely.
Or, finally, perhaps Russia is pulling its punches,
holding its full capabilities in reserve
against possible use against the main enemy, which would be NATO.
In any case, the question has an interesting symmetry
with the question about why Russian offensive cyber operations have been more limited,
less destructive in their effects, than had been expected.
Twitter is looking into the possibility that data from a breach are now being posted on the dark web.
Restore Privacy traces the incident to reports
on HackerOne back in January of a breach that had the potential of exposing user information
even when that information was hidden in privacy settings. Twitter closed the vulnerability and
paid the researchers who reported it a bug bounty, but it appears possible that the vulnerability has been exploited to collect a
very large tranche of user data. Restore Privacy says that some of the data released as a teaser
are authentic, and that the criminal who holds them, who goes by the hacker name Devil,
is offering the database for sale. Bidding starts at $30,000.
9to5Mac sees the principal risk in the compromised data as more plausible, more effective phishing campaigns. Twitter told The Record that it's investigating,
but their comments focused principally on the January vulnerability disclosure.
A Twitter spokesperson said,
We received a report of this incident several months ago through our bug bounty program,
immediately investigated thoroughly and fixed the vulnerability.
As always, we are committed to protecting the privacy and security of the people who use Twitter.
The spokesperson went on to say,
We are grateful to the security community who engages in our bug bounty program
to help us identify potential vulnerabilities such as this.
We are reviewing the latest data to verify the authenticity of the claims
and ensure the security of the accounts in question.
Censys reports finding a criminal ransomware operation that's being staged,
and the discovery comes before actual attacks appear to have been carried out.
The gang involved is Russian. Some of the attack infrastructure, the researchers say,
has been put in place in the U.S. According to the report, Censys located a host in Ohio
also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis,
discovered that the Ohio host possessed a malware package with software similarities
to the Russian ransomware hosts. The Record points out that Censys duly acknowledges the
role CISA played in the discovery. The Record reports, part of how Censys was able to tie the hosts to MedusaLocker
was from a Cybersecurity and Infrastructure Security Agency report released three weeks ago
that spotlighted the ransomware group and provided email addresses, IP addresses, and Tor addresses that the group uses.
And finally, there are special offers in the underground markets, too.
Sometimes it's like a membership club, a little restrictive maybe,
in ways that might not pass legal muster in most jurisdictions.
But then the writ runs differently in the C2C underworld.
SecurityWeek reports that Luna ransomware is available only to Russian-speaking cybercriminals.
Luna, a cross-platform-capable attack tool coded in Rust that's landed with some éclat recently in the criminal-to-criminal markets,
is being offered only to Russophone affiliates, presumably because of their suitability as privateers.
Are you a criminal speaking a different language?
Sorry. Go take your trade elsewhere.
Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. at blackcloak.io.
Nelly Porter is Group Product Manager for Google Cloud,
where she and her colleagues have been contributing to efforts
to enable and implement confidential computing.
Confidential computing is one of the tools
to protect customers' data in cloud and everywhere else.
It's one of the privacy-preserving techniques, I would say, where hardware will assist us to provide cryptographic isolation in addition to normal isolation that we usually have to protect our tenants amongst themselves and our tenants against cloud provider itself.
And how does that work from a practical point of view? What exactly is going on behind the scenes?
So behind the scenes, CPUs like AMD CPUs and Intel CPUs
provide specific instructions
that allow very quickly and very efficiently
to encrypt memory of your environment,
your trusted execution environment.
And by protecting memory,
we need to ensure that all sensitive data,
keys, anything that you don't want to be seen
by anyone else, will always be ciphertext.
But it's ciphertext when you're looking from outside in;
when you're running your application, your workload, your container,
you will see everything without any changes.
And this magic happens because those CPUs, those specific,
I would say, systems on a chip, all those specific extensions,
not only encrypt memory but very efficiently
decrypt memory when it's coming to the cache line. So memory controllers would be able to deal with this
situation and encrypt and decrypt very quickly, so CPUs are completely unaware that the data they need to process actually was previously encrypted
and will be encrypted right after the instruction is completed.
And that's probably where confidential computing is different from fully homomorphic encryption,
where CPUs are actually performing their instructions on fully encrypted data.
So is the idea here that because we're doing the encryption and decryption in hardware that
the users don't suffer any sort of performance hit?
The opposite, you're right. And not only the performance hit; as security people,
they also love to separate duties. And if keys and encryption are handled by hardware, it means it's done by somebody else,
like AMD and Intel, and the cloud provider, even if they wished, would not be able to extract those keys.
So we won't modify anything as the operation and workload perform what needs to be done.
Well, how are you and your colleagues there at Google approaching this? What sort of things are you all going to be making available?
We have done some work in this area.
For many years we worked on this, and we are actually one of the creators of the Confidential Computing Consortium.
So we strongly believed from day one
that only by working together
would we be able to crack this nut
and to offer confidential computing to our customers.
It has to be interoperable.
Different approaches will be possible.
But as a product, we offered our customers
confidential VMs. These use AMD's, what we call, security virtualization extension, and we provide confidentiality of those workloads when
they run in GCP. We also extend the support of confidential environments to other GCP services.
Our customers love to run pods and containers
in our managed Kubernetes service,
which is called Google Kubernetes Engine.
So we offer confidential environments for Kubernetes as well.
And we bring in secure analytics to the market.
We have a set of products that actually help customers to run managed Hadoop and managed Spark.
So we have a confidential variant of those services as well.
Are there any downsides to this?
Are there reasons why people might not want to implement it?
You're probably asking the wrong person. I do believe that
confidential computing provides stronger data protection
controls to our customers, and without implications
for performance and usability. It's probably
the way we will see cloud providers
offer services to their customers,
as standards progress
and it becomes much more available.
The thing that might be complicated for our customers:
our customers won't run only VMs and Kubernetes.
They need analytics,
and they need the ability to run data warehouses and huge workloads.
So one of the customers told me,
not once, by the way, but a few times, that they need to run SAP HANA workloads in a confidential environment,
with huge, huge monster databases.
So we don't have the support right now for those services,
but it would be one of the reasons why customers would not
apply this particular protection for their workloads.
Do you envision a time in the future where this just becomes a standard part of cloud computing, where this is something that's enabled by default?
Absolutely. And I think it's something that certificate for web services is never going to catch up.
And again today, when your site doesn't support HTTPS and doesn't have a certificate, it's becoming an exception.
It's not the rule.
I do believe that confidential computing will be exactly the same.
As time will progress and more diversity of services and CPUs will come to the market,
it will become simply a default ubiquitous option for public cloud providers
to offer additional privacy and protection for customers' workloads and their data.
That's Nelly Porter from Google Cloud.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Andrea Little Limbago.
She is Senior Vice President of Research and Analysis at Interos.
Andrea, always great to welcome you back to the show.
I want to touch today on the social sciences and how they are intersecting with our cybersecurity world.
What's the latest there?
Yeah, no, thanks, Dave.
And as you know, this is something I always like to be a big proponent of.
I think we're at a point where it's almost becoming much more normal
and accepted to have social sciences and cybersecurity.
So it's great to be here.
I wouldn't say that we're 100% there yet.
I still remember probably maybe eight years
ago being at conferences and being asked what a social scientist is doing in cybersecurity.
And that was always the top question I got wherever I was: at RSA, Black Hat, BSides,
sort of the large community events. Always got that question, and I never do now. And actually,
in contrast, I see more and more of the next
generation coming in with some aspect of multidisciplinary. They have social science
training. They've got data science or with various kinds of information security. And it's a really
great multidisciplinary perspective that they're bringing into the industry. So it's, one, it's
very refreshing. It's great to see. It's great to talk with them about what they're interested in looking at.
And then it's also great to connect with others across the industry.
And that's been another core component of it.
RSA now has a human element track.
And we're seeing more and more acknowledgement that there is room for a whole range of disciplines in cybersecurity. And that's something that we increasingly need to go toward,
not only because of the whole workforce shortage that the industry has,
but just because it impacts so many different aspects of society
that it really does take so many different perspectives
to address the challenges that we have right now in the industry.
And so the more social scientists that can come in to complement, not replace,
and I think that's the important thing.
You know, it's complement and bring the perspective in, the better off we are.
And whether it's for looking at some of the legal frameworks that are going on, looking at the whole range of cyber warfare and discussions on that.
And actually make it, you know, sync with, you know, decades old of theories that have actually been applied in other areas
that might be useful in this area.
And obviously social engineering and that whole element of it.
There's just a whole range where the social sciences can contribute
and we're increasingly seeing it.
It's really great to see that trend continue to emerge.
And so are you finding that more and more the social scientists have a seat at the table?
Increasingly.
I'd say I'm not – so it's not there yet.
Very often it's also – it's kind of pushing our way in.
But I do think that there – yeah, I think increasingly there is a seat being made.
And I think there are, in this area and in other areas of the industry,
still gatekeepers that try and keep
sort of a narrow focus of what cybersecurity should be.
But I really do think for the broader part of the community,
I think is excited and willing to work together.
And that's where I think some of the most
exciting innovations are going to come is
when you have the multidisciplinary collaboration going on.
We don't want the social scientists to be in their own silo and the vulnerability experts
in their own silo and so forth.
We want to get that cross-fertilization together.
And because I think we're fairly new at that as an industry, I think it leads to a whole
lot of optimism about some innovations that might be coming down the road.
Even if you think about things like for passwords and so forth, right?
Like, you know, if you bring in, you know, social scientists can understand
a bit better why or what may be a better solution to passwords.
There's even just various and basic things where we're getting people
to do more multi-factor authentication.
So even the fundamentals can really benefit from that.
Yeah, I mean, what is your pitch, you know, when you're making the case that the social scientists deserve a seat at the table and that you all have, you know, serious things to contribute, what are you telling the folks on the tech side?
Yeah. I mean, so on the one hand, I'd say, I mean, clearly, you know,
what we've been doing isn't working. We're still seeing ransomware off the charts.
We're still seeing people, everyday citizens still are really not pursuing the foundations of proper cyber hygiene.
And so we're not necessarily succeeding yet as an industry.
And so why not try something new?
And then you can continue to do the exact same thing we've always done, is the definition
of insanity.
So we shouldn't be doing that.
And instead of just continuing to look within the same areas, exploring more and starting
to think about the human element of it.
And that's what, because again, we see over and over again, sort of the notion that the human
is the weakest link, that 90-plus percent of attacks are linked to humans, and we can't take the human out of it, right? And so instead of
blaming it on humans, which is a cop-out because we're part of the system, integrate them into a
solution. And that's where the social scientists can come in and really help make the integration
of human behavior into solutions, make them smarter, sustainable, and something that humans
will actually implement as opposed to trying to work around.
All right.
Well, interesting stuff as always.
Andrea Little Limbago, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman,
Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar,
Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com