CyberWire Daily - Timehop refines its breach disclosure. Speculative execution side-channel attacks described. Tech manuals offered for sale on the dark web. Twitter versus bots.
Episode Date: July 12, 2018
In today's podcast, we hear that Timehop has released more information as its breach investigation proceeds. The case will be interesting as an indicator of what GDPR enforcement will look like. Two speculative execution side-channel attacks are described (in the lab, but not yet, it's believed, in the wild). The US Senate's flesh creeps over bug disclosure practices. Someone uses a Netgear exploit to get some US technical manuals. Twitter goes to work against bogus accounts. Mike Benjamin from CenturyLink on cryptojacking. Guest is Yaniv Avidan from MinerEye on cloud GDPR compliance.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
Timehop releases more information as its breach investigation proceeds.
Two speculative execution side-channel attacks are described.
In the lab, not yet in the wild. The U.S. Senate's flesh creeps over bug disclosure practices. Someone uses a Netgear exploit to get some U.S. technical manuals. And Twitter goes to work against bogus accounts.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 12, 2018.
The Timehop breach disclosed over the past week seems to have gotten worse.
The service acknowledged that dates of birth, gender of customers, and country codes were also compromised. For GDPR purposes, the records that fall within the scope of the European Privacy Regulation
include 2.9 million name and email address combinations,
as well as 2.2 million name, email address, and date of birth records.
The timeline of the breach is interesting.
The incident began on December 19th of last year,
when an unauthorized party used a Timehop admin's
credentials to log in to a third-party cloud account. The hacker subsequently created a new
admin account and logged in three more times, quietly looking for personally identifying
information. By the time of the fourth login, enough PII had been moved into the cloud to make
it worthwhile. The hacker then waited until July 4th,
an American and not a European holiday, one notes, presumably expecting a relaxed guard
over the holidays, and logged in to steal the database. The case is also interesting for what
it will ultimately reveal about how the European Information Commissioner will balance zeal in
reporting against completeness of reporting.
Timehop disclosed the incident swiftly, shortly after discovering it on the 4th,
but they were forced to issue updates to their disclosure over the last two days.
The Information Commissioner has been blogging, in a spirit of firmness but fairness,
that while there's no grace period for compliance, since everyone has had two years to
prepare, the EU is committed to being reasonable. As the Commissioner's blog puts it, quote,
we pride ourselves on being a fair and proportionate regulator, and this will continue
under GDPR. Those who self-report, who engage with us to resolve issues, and who can demonstrate
effective accountability arrangements, can expect this to be taken into account when we consider any regulatory action.
The past few years have seen a migration of data to the cloud,
as organizations take advantage of potential cost savings, security, and convenience.
But how can you be sure your cloud-based data is fully compliant with regulations like GDPR?
Yaniv Avidan is CEO and co-founder of MinerEye,
where they claim their interpretive AI-based technology can assist with these sorts of tasks.
Specifically when looking at the number of companies that are migrating data to the cloud or generally speaking, adopting cloud infrastructure or services.
We see public cloud services are growing exponentially year over year, specifically with big companies
such as Microsoft, Amazon, Salesforce, and Google, and several others.
So that's on one hand, we see the race to the cloud,
which basically is motivated by, you know,
cost saving and productivity, right?
On the other hand, we see GDPR that in a collision
kind of route with this kind of vector,
since it actually limits or provided some regulation
on top of data that affects the cloud migration
activities. Now, where do people usually find themselves getting in trouble when it comes to
cloud adoption and how that could bump up against GDPR? First and foremost, where is my sensitive
data located? So data residency, which is an explicit requirement by GDPR. You need to be
able to continuously at any point of time point on the data that is personal data and its location,
either for purposeful use proof or for right to be forgotten request or subject request
to delete their data or to hand over their data and so on.
Other requirements have to do with the protection
of that data in specific use cases.
For instance, if my data is going out of an EU geography,
it needs to be protected and handled accordingly.
Okay, and again, this has to do with the location
of the data. Or let's say the data needs to be well segregated based on geographies,
but not just based on geographies, but also based on use. So it all comes into the point
of identifying the data and its location with respect to the specific requirement that is defined by GDPR.
So what are your recommendations to make sure that they are in compliance?
Raise awareness internally within companies as to personal data handling.
Awareness and training is the first thing.
People need to be aware that they hold some very sensitive information and be very careful about what they do with it, who they send it to, what kind of use they do with the data. that into a marketing presentation, this is something that needs to be realized.
I mean, it needs to be the customer or the people handling the data needs to be aware
of it.
Second, companies need to shift how they identify and how they store data and understand that
these processes need to shift between the manual approaches or traditional approaches used up until now to some very advanced approaches leveraging artificial intelligence.
Because we are talking about huge amount of data, right?
And we talk about a major effect on the company once you break the law.
And the difference now is that GDPR becomes a law, right, rather than a directive.
So I think shift in how using and handling personal data, using advanced technologies
in order to cover much more areas and unstructured data specifically, because this was a black
box or weak points for every company,
that would be a good start.
That's Yaniv Avidan from MinerEye.
Two new attack techniques similar to Spectre have been identified.
These speculative execution side-channel attacks are researchers' discoveries,
not attacks being observed in the wild.
ARM, AMD, and Intel chipsets are all susceptible to the attacks.
Speculative execution is a common and important feature of contemporary chip design,
so any methods of exploiting it will have widespread impact.
Intel, which paid a bug bounty of $100,000 to the researchers,
has offered advice on mitigating the issue.
ARM says most of its chips are probably unaffected, but it has mitigation suggestions as well.
AMD is still considering the matter, but will probably have its own recommendations available
shortly. The report of the new speculative execution issues roughly coincides with U.S.
congressional hearings on Spectre and Meltdown.
The Senate Committee on Commerce, Science, and Transportation deliberated the matter yesterday,
and the discussion might count as a contribution to the larger issues of responsible disclosure,
information sharing, and vulnerability equities. While industry had become aware of the issues and discussed them within industry channels, the chipmakers apparently did not inform the U.S. Department of Homeland Security or any other responsible federal agency.
The Feds found out about it in January, when the rest of us did, at the time of public disclosure.
But customers and partners learned of Spectre and Meltdown first.
Intel shared the discovery with Chinese companies it partners with,
and Arm's chief marketing officer told the committee directly
that they began sharing with affected customers
within 10 days of learning about the problem.
Arm's Joyce Kim said,
quote,
We do have architecture customers in China
that we were able to notify to work with them on the mitigations,
end quote.
It's difficult to fault a company for
wanting to take care of its customers, and there's little to no evidence that Chinese
intelligence services actively exploited either Spectre or Meltdown, but the possibility that
some of the Chinese firms would have passed the disclosure on to their government before DHS so
much as got wind of it has given several senators an understandable case of the heebie-jeebies.
At the very least, it would seem that some aspects of public-private information sharing
still need to be worked out.
Manuals covering various items of U.S. equipment have been found offered for sale on the dark
web.
The systems covered include the MQ-9 Reaper drone and the M1 Abrams main battle tank, two weapons that have
been in use for some time. According to Recorded Future, the asking price was only $200, but since
sales appear to have been slow, they were knocked down recently to $150. The person responsible,
described by Naked Security as a sad sack, apparently had no real understanding of what he or she had,
what it was worth, or where to sell it.
But the sad sack knew enough to find Netgear routers with password admin
and follow familiar steps to exploit an FTP vulnerability,
change the password, and get access.
Some of the material appears to have been stolen from a U.S. Air Force captain.
Other material is openly
available from Defense Department sites. In truth, the material doesn't appear to be particularly
valuable or the kind of thing that would be difficult for a determined service to obtain,
although a hobbyist or buff might want it for a collection. None of it is likely to be classified,
but some of it at least was restricted from distribution to foreigners.
So perhaps hacker Sadsack didn't have his or her price point off too far after all.
And finally, Twitter has set about purging bogus accounts and bots spawned from troll farms.
If you were among those who pride themselves on the quantity as opposed to the quality of your followers, and we're looking at you, middle schoolers, you may find to your dismay that all those people from St. Petersburg who were
hanging on your every word are soon to be gone, gone with the wind. That's St. Petersburg, Russia,
of course. Your grandparents in St. Petersburg, Florida, still love you as much as always.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Mike Benjamin.
He's a Senior Director of Threat Research at CenturyLink.
Mike, welcome back. We wanted to touch base on cryptojacking, where we stand today,
the ways to defend yourself against it.
What can you share with us?
So the world can't help but have heard of crypto mining or cryptocurrency. And so the act of creating a digital currency and trading it, whether it be for the purposes of separating
from a government or anonymized transactions, whatever the goal of the coin is, there's a lot of good
and bad that have come from the creation of these. And as with any type of money in the world,
people want to steal it. They want to create it. They want to make money and take advantage of a
new system that's in place. And so for a number of years, it was relatively easy to go out and
buy some hardware and mine a cryptocurrency.
Bitcoin mining was very popular for a number of years, and people were making relatively easy money by doing that.
Evolved today, that's no longer the case.
And so if you see a GPU on Amazon that you need to go buy, the cost has gone through the roof.
It's extremely expensive, time consuming and ultimately power consuming in order to mine a cryptocurrency.
So a few things have happened. The first is that the actors have taken advantage of a similar thing
to what they do with any botnet, where they try to take advantage of thousands, hundreds of
thousands of infected computers across the internet to do their bidding. And so if you can imagine the cost of a GPU or the cost of power to mine a single Bitcoin,
imagine if you could get 100,000 machines to support you in doing that. Now, unfortunately,
in the case of Bitcoin, it's still not very profitable. However, another currency known
as Monero has been useful. And so we actually see
JavaScript miners being deployed inside websites. And so cryptojacking really is the concept of
taking over a user's browser, hijacking their resources, hence the name cryptojacking,
and getting it to do their bidding and make them a few dollars. And so while that tab is open in a browser,
while that JavaScript is executing,
it is doing mining in Monero and making that actor money.
Now, I've seen some interesting approaches to this
where some organizations have said,
hey, instead of showing you an ad,
how about you let us use your GPU for a while
and that'll be the deal that we strike.
Yeah, it's actually interesting.
And so I think it's a bit exciting to see new economic opportunities where websites are very open about what they're doing.
Unfortunately, when we describe the cryptojacking side, it's a malicious actor.
And so whether they are doing malvertising injection of that code or whether they've actually broken into a website
in order to deliver it. They've got a lot of criminal ways they're attempting to achieve it.
But there's obviously a very interesting economic opportunity for websites to be using a small
amount of resources. We've actually seen some of the criminal actors utilize some discretion in
how they've been utilizing this. Because if you think about crypto coin
mining and its CPU intensity, it can slow down a computer. And so nobody wants their computer to
be slow while they're doing their day-to-day activity. And so these actors have taken upon
themselves to use less than 100% of resources, look for idle interaction on the machine and do
a number of things where they're not actually impacting the user experience as they're doing their criminal activities. And I imagine the advertising
world or the website operator world will utilize the same methodology when they're looking to make
profits through it. So they don't want to draw attention to themselves by having the fans spin
up when you load that browser window. I'm curious, how are the developers of the browsers responding to this? Are they building
in ways to detect it and block it? Well, we've seen a lot of different methods out there that
folks are looking to develop. First, from a security perspective, we obviously have to touch
on first. The security world is doing a relatively good job of going out with either emulated browsers or just simple spiders and looking for websites that have had this injected, reporting on them, in some cases blocking them, and in some cases developing extensions for browsers that inform the user that they're about to interact with it, similar to any sort of browsing methodology.
And the other is that the natural evolution of solving bugs inside of your computer is to isolate processes from each other and never allow a single process to impact the overall machine.
So just through the natural evolution of what we see from keeping a computer stable, we're adding in mitigations and technology into the computer that can allow a single miner or a single interaction with a crypto miner to not bring down the computer,
slow it down, or like we said, impact the user experience.
All right.
Well, it's interesting stuff as always.
Mike Benjamin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.