CyberWire Daily - Third parties can misconfigure, too. Coinhive goes out of business. Intel decides 5G project with Chinese partner is too hard. Bronze Union. Clearing Facebook data. Proper disposal of lawful intercept tools.
Episode Date: February 28, 2019

In today's podcast we hear that a misconfigured Amazon Web Services database has exposed a risk screening database, and it seems the exposure itself was an instance of third-party risk. Farewell to Coinhive, long a favorite of cryptominers everywhere. Intel pulls back from a 5G project with a Chinese partner. A quick look at Bronze Union, and what the threat actor's up to. Facebook will soon help you clear your data. And if you have a lawful intercept tool you no longer need, please don't sell it on eBay. Malek Ben Salem from Accenture Labs on the commoditization of malware. Guest is Michelle Dennedy from Cisco with results from their most recent Data Privacy Benchmark Study. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A misconfigured Amazon Web Services database exposes a risk screening database, and it seems the exposure itself was an instance of third-party risk. Farewell to Coinhive, long a favorite of crypto miners everywhere. Intel pulls back from a 5G project with a Chinese partner. A quick look at Bronze Union and what the threat actor's up to. Facebook will soon help you clear your data. And if you have a lawful intercept tool you no longer need, please don't sell it on eBay.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 28th, 2019.
A misconfigured AWS database has induced another data exposure. Security researcher Bob Diachenko discovered the Dow Jones risk screening database residing on a publicly accessible Elasticsearch cluster, TechCrunch says. The watch list contains open source data on more than 2.4 million potentially risky individuals and business entities. The data includes personal information as well as extensive notes for each entry, detailing the reasons for its inclusion on the list. This data is used by companies to screen clients and identify illegal behavior, although TechCrunch notes that people can end up on the list based on flimsy evidence. While the data itself was compiled from public sources, the fact that a person or entity is on the list is highly confidential and could damage the reputations of some people who might not deserve it. Diachenko says the list contains, quote, the identities of government officials, politicians, and people of political influence in every country of the world. A Dow Jones spokesperson said the leak was due to an unauthorized third party's misconfiguration of an AWS server. A similar incident occurred in 2016 when a security researcher found a Thomson Reuters watch list containing 2.2 million profiles in an Apache database that was configured for public access from the internet by a third party. These incidents serve as a reminder that companies need to take responsibility for their database deployments even if they outsource some of the work.

Researchers at Cisco recently took a close look at data privacy and security in their 2019 Privacy Maturity Benchmark Study. Michelle Dennedy is chief privacy officer at Cisco. She joins us to share their findings.
Last year was really the run-up to GDPR, the General Data Protection Regulation in Europe. And so we asked specifically folks, are you ready? Do you feel like you're in compliance, such as that is, as well as that's known? And we found that about 60% of our respondents feel good today that they're ready for GDPR. It is a law and it is in force. And about 97% of them felt that GDPR did apply to them in their business. This is a global study. So countries as far flung as Japan and Hong Kong and Australia all feel that the impacts of GDPR are hitting them as well. And they're also preparing and getting ready for this. So I think that was kind of the aha number one, is that even sectoral laws have global application in the digital world. I think the other big aha moments are the recognition of what I call data friction, or sales slowdown, is growing. So last year, we found about 65% of our companies were coming back and saying, yes, we are seeing that business is being slowed down or even stopped by questions of security and privacy. And this year, it was about 87% of respondents recognizing that questions of cybersecurity and privacy are actually slowing business. And so that's where the really interesting dig-in correlations start to begin.

Now, this survey is obviously, and I think justifiably, based around GDPR. And there are pushes for similar types of legislation to be coming to the United States. There are folks who are pushing for a national data protection law rather than going state by state. When you look in your crystal ball, when you look toward the horizon, what do you see coming?

Yeah, so I'm one of those folks. And you can see it's not just me alone as the privacy person who's obviously got personal investment in that. Chuck Robbins, our CEO, has announced his support. I think that if I look at my crystal ball, it took 10 years for GDPR to become a law. The Twitter answer is, oh, let's import GDPR. And that's adorable. But when the real work is done, first of all, most of the countries in the European theater are civil law countries and not common law. That's a distinction that has meaning. We are a common law nation. So that means we start with principles and we build out with use cases, which are our case laws, our judiciary. That doesn't mean we don't have laws. It means that each principle actually has quite a bit of impact. Essentially, a civil law country tries to cover all use cases as widely as possible and then figures out how that law is applied over time. Both schemas are compatible, but that doesn't mean that you can just pick up one law with all of the negotiations and hearings and cultural specificities, including data protection agencies that exist in all the member states. We have attorneys general. They're not the same as DPAs, but they act as DPAs in many significant ways. So it's a long-winded way of saying, I don't think it's going to take the 10 years it took GDPR to be negotiated and implemented, but I do think it's going to take some time. And the time is now to get government leaders behind not a quick fix, but a real fix. And so that's what we're really pushing for. Clear privacy by design, privacy engineered, understanding what is good, understanding how to get to a risk-based situation that is interoperable, not just with GDPR, but with what the Brazilians have passed recently, the Japanese have passed, our neighbors to the north in Canada have had PIPEDA for a very long time. And we have gone sector by sector, but we're finding, and the example that I often reach for is the pacemaker. If I have a pacemaker implanted in my body and I travel from Massachusetts to California, the IoT safety and security laws in one jurisdiction may not match the health care law and data of another. This is one person with one device, and we need to make that safe and secure, high fidelity, high integrity. That is our mission.

That's Cisco's chief privacy officer, Michelle Dennedy. The report is the 2019 Privacy Maturity Benchmark Study.
ZDNet reports that the Coinhive crypto mining service, notorious for its widespread use in cryptojacking campaigns, will shut down in March. Coinhive was an in-browser service that let websites use their visitors' computers to mine Monero. The company said in a blog post that the project is no longer economically viable due to a recent hard fork and the gradual devaluation of Monero. A hard fork is what happens when a blockchain protocol is changed, requiring all users of the protocol to upgrade to the newest version. Monero seems to ban the use of application-specific integrated circuits, or ASICs, by implementing multiple hard forks each year. Each hard fork causes the currency's mining activity to plummet, as the ASICs that have cropped up since the last hard fork are rendered incompatible. Coinhive will cease operations on March 8, the day before another hard fork takes place on the 9th. While Coinhive was the most popular miner for cryptojackers, crypto mining attacks will continue without it, as there are a number of Coinhive spinoffs, and attackers can always develop crypto miners on their own.
Intel has ditched its 5G deal with Unisoc, China's largest mobile chip developer, due in part to worries that the partnership would complicate matters in Washington, the Nikkei Asian Review reports. The deal was announced less than a year ago at the 2018 Mobile World Congress in Barcelona. The U.S. has greatly increased its pressure on Chinese technology companies since then, citing security concerns that the equipment could be backdoored during production. Intel says the decision was mutual and that there was no political pressure from the U.S. Nikkei cites a source as saying that Intel's former CEO, Brian Krzanich, who departed the company in July, was the main advocate for the deal. Unisoc, a subsidiary of Chinese state-owned Tsinghua Unigroup, announced on Tuesday that it will design its own 5G modem chip in-house. Huawei, which has borne the brunt of Washington's criticisms, has been ridiculing the U.S.'s security concerns at this year's Mobile World Congress. Earlier today, the company pleaded not guilty to U.S. charges of trade secret theft. Canada will decide tomorrow whether to begin extradition proceedings for Huawei's CFO, Meng Wanzhou, who has been charged with fraud by the U.S. The legal and commercial wrangling will continue. There is, of course, clearly some Chinese espionage afoot, whether Huawei or any other company is implicated or not.
Research from SecureWorks on a suspected Chinese threat actor known as Bronze Union, or APT27, highlights the group's flexibility and persistence. The hackers use updated versions of tools that have been publicly available for over a decade, as well as custom-made malware, to conduct espionage and theft against political, technology, manufacturing, and humanitarian organizations. Their activities include spying on dissidents and other persons of interest, as well as stealing secrets about cutting-edge weapons technologies.

Facebook will finally release its Clear History feature later this year, the Telegraph notes. The tool, which was first announced last May, will allow users to delete data collected by Facebook from third-party apps and websites. Mark Zuckerberg said the tool will be similar to clearing one's browser history. The Verge notes that this could potentially have a significant negative impact on Facebook's revenue, which relies heavily on targeted advertising, but it would be a positive step toward transparency and granting users control over their data.
Smartphone hacking devices from Cellebrite are selling for cheap on eBay, according to Forbes. The tools, which are meant to be used by law enforcement, can be used to hack iPhones and Android devices. Israeli company Cellebrite sells the products for $6,000 apiece, but used versions are being sold on eBay for as low as $100. While the devices themselves are dangerous in the wrong hands, a more pressing concern is that the vulnerabilities they exploit will be discovered by malicious actors. Cellebrite's tools presumably take advantage of zero-day vulnerabilities to yield access to phones. Security researcher Matthew Hickey, who bought 12 of the devices earlier this month, has been trying to find out what information they contain. He says the software is encrypted, but the keys should be extractable from the device, although he hasn't had any luck so far. Hickey was also concerned to find leftover data from the previous owner, including Wi-Fi passwords, which is particularly worrying considering that most of Cellebrite's customers are government agencies such as the FBI. Cellebrite is understandably unhappy with these developments and urges customers to return their old devices to the company for proper disposal. And eBay does not count, friends, as proper disposal. Nor does Craigslist or an ad in the local penny saver, the local flea market, and so on.
And joining me once again is Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. Malek, it's great to have you back. You wanted to share with us some work that you've had your eye on. And this is some folks who've been measuring the commoditization of cybercrime. What's going on here? What can you share?

Yeah, this is a study conducted by researchers from Delft University. They wanted to look at to what extent cybercrime has been commoditized. We've all observed the increasing commoditization over the last few years, particularly by looking at reports on cybercrime-as-a-service offerings, which included DDoS attacks starting at $10. But the researchers wanted to investigate whether this spanned beyond DDoS attacks, whether a cybercriminal could buy everything they wanted if they decided to perpetrate an attack. For instance, suppose they wanted to hit a bank with financial malware, could they do so with off-the-shelf components? So they explored which parts of cybercrime value chains were successfully commoditized and which ones were not. They also looked at what kind of revenue criminal B2B services, business-to-business services, generated, and how fast they were growing. And their study covered eight online anonymous markets over six years. It included the original Silk Road as well as AlphaBay.

And so what did they discover?

There were some interesting findings. They found that the number of vendors offering these cybercrime products was growing over time. As a matter of fact, it grew by 150% between 2015 and 2017. They also revealed that the cybercrime was very much resilient to law enforcement takedowns, which I guess we knew. You know, you take down one of these online markets, anonymous markets, it restarts under another name. They also found that commoditization was not happening across all products. So for certain categories, you know, there was enough variety and standardization, for example, in malware. But for others, such as exploits, there was a scarcity of various exploits. There was a focus on Office exploits, but not enough to cover all types of exploits. Another thing that they found was that a lot of the offerings were related to cash-out offerings, such as credit card numbers, a growing number of distribution vehicles, such as compromised websites that you can use to distribute malware. But there was not enough, again, around exploits and other types of cybercrime offerings.

So if I'm a cybercriminal looking to go out there and do some bad things, but I don't necessarily have the technical skills to spin it up on my own, I might be somewhat limited in what I can go out there and find.

Exactly. And that's basically the major finding. So overall, their findings suggest that while there's growth in cybercrime, commoditization may be a spottier phenomenon than what we've previously assumed. Obviously, commodities or cybercrime offerings may be available somewhere else, like in forums. But in those cases, forums actually do not necessarily offer the safeguarded structure that online anonymous markets may offer. And therefore, they would require more interaction by somebody who's looking to buy something, to buy a service or an offering, which means that whatever is offered there is for the most part a service rather than a commoditized product, right? So if we're not seeing traces or evidence for cybercrime commodities in these online anonymous markets, then we're unlikely to see evidence for them elsewhere. And this is what the study concludes, is that, again, while there's some limited evidence that this market is being commoditized, it's not across the board, right? It's lowering the barrier for would-be criminals, but these would-be criminals would not be able to outsource everything they need in order to conduct a cyber attack.

Hmm. Yeah, it's interesting findings. Malek Ben Salem, thanks for joining us.

Thank you, Dave.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.