CyberWire Daily - When DDoS and defense collide.
Episode Date: July 31, 2024

A global Microsoft outage takes down Outlook and Minecraft. The US Senate passes The Kids Online Safety and Privacy Act. Lame Duck domain names are targets for takeovers. A GeoServer vulnerability exposes thousands to remote code execution. China proposes a national internet ID. Email attacks surge dramatically in 2024. Columbus Ohio thwarts a ransomware attack. When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold. Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. Was it really Windows 3.1 that saved Southwest Airlines?

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. You can read more here.

Selected Reading
Microsoft apologises after thousands report new outage (BBC News)
Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks (Bleeping Computer)
Senate Passes Bill to Protect Kids Online and Make Tech Companies Accountable for Harmful Content (SecurityWeek)
Don't Let Your Domain Name Become a "Sitting Duck" (Krebs on Security)
Hackers Actively Exploiting GeoServer RCE Flaw, 6635 Servers Vulnerable (Cyber Security News)
China Wants to Start a National Internet ID System (The New York Times)
Email Attacks Surge, Ransomware Threat Remains Elevated (Security Boulevard)
Columbus says it thwarted overseas ransomware attack that caused tech shutdown (Dispatch)
Gold rush for data: Paris 2024 Olympic apps are eavesdropping on users (Cyber News)
No, Southwest Airlines is not still using Windows 3.1 (OSnews)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A global Microsoft outage takes down Outlook and Minecraft.
The U.S. Senate passes the Kids Online Safety and Privacy Act.
Lame duck domain names are targets for takeovers.
A GeoServer vulnerability exposes thousands to remote code execution.
China proposes a national internet ID.
Email attacks surged dramatically in 2024.
Columbus, Ohio thwarts a ransomware attack.
When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold.
Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo,
discussing the issues that security teams face when dealing with data control and data orchestration.
And was it really Windows 3.1 that saved Southwest Airlines?
It's Wednesday, July 31st, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is great, as always, to have you with us.
Microsoft experienced a global
outage impacting services like Outlook and Minecraft, lasting nearly 10 hours. The company
attributed the issue to a cyber attack compounded by a defense implementation error. This incident
follows a similar outage two weeks prior, caused by a flawed update from CrowdStrike, which affected
8.5 million systems. This DDoS attack overwhelmed Microsoft's defenses, amplifying the outage's
impact. Services like Azure, Microsoft 365, Intune, and Entra were affected, along with
external services relying on Microsoft's platforms. Microsoft issued an apology, implemented a fix, and continues monitoring to ensure recovery.
The outage occurred just before Microsoft's financial update,
revealing slower growth in its Azure cloud services, leading to a 2.7% drop in after-hours trading.
Despite this, the company reported a 21% rise in intelligent cloud
revenue and a 15% overall revenue increase, totaling $64.7 billion. Additionally, Microsoft
has warned of ransomware gangs exploiting a VMware ESXi authentication bypass vulnerability.
Discovered by Microsoft researchers and fixed in a June 25 update,
the flaw allows attackers to create an ESX admins group
with full administrative privileges on the ESXi hypervisor.
Exploitation requires high privileges and user interaction,
but leads to full admin access, data theft, lateral network movement,
and encryption of the hypervisor's file system.
Ransomware groups like Storm-0506, Storm-1175, Octo Tempest,
and Manatee Tempest have exploited this flaw,
deploying Akira and Black Basta ransomware.
These attacks have targeted ESXi hypervisors, causing significant outages and disrupting business operations.
Microsoft noted the doubling of such incidents in the past three years.
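As an added example (not from the episode, and not Microsoft's or VMware's own code), this is the detection a defender can build from the one detail given above: the bypass hinges on a domain group named "ESX Admins", so creation, rename and membership-change events naming that group deserve an alert. The event IDs are the standard Windows Security log IDs for those actions; the JSON record layout and the log lines are constructed for this example and simplify the real Windows schema.

```python
"""Flag Active Directory group events that match the "ESX Admins" name.

Added example. Event IDs are the standard Windows Security log IDs
(4727 security-enabled global group created, 4737 group changed/renamed,
4728 member added). The JSON field layout and the sample records below are
constructed for this example, not the exact Windows event schema.
"""
import json
import re
from typing import Iterable, Optional

WATCHED_EVENT_IDS = {
    4727: "group created",
    4737: "group changed",
    4728: "member added",
}

# Case- and whitespace-insensitive, so "esx admins" and "ESX  Admins" also match.
ESX_ADMINS = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)


def group_name_of(event: dict) -> Optional[str]:
    """Return the group name an event refers to, preferring the post-rename name.

    In this constructed layout a rename carries the new name in
    NewTargetUserName; all other events use TargetUserName.
    """
    fields = event.get("EventData", {})
    for key in ("NewTargetUserName", "TargetUserName"):
        if fields.get(key):
            return fields[key]
    return None


def is_esx_admins_event(event: dict) -> bool:
    """True when a watched group event names the ESX Admins group."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return False
    name = group_name_of(event)
    return bool(name and ESX_ADMINS.match(name))


def scan_events(lines: Iterable[str]) -> list:
    """Parse JSON-per-line security events and return alerts for ESX Admins activity."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if is_esx_admins_event(event):
            alerts.append({
                "time": event.get("TimeCreated"),
                "event_id": event["EventID"],
                "action": WATCHED_EVENT_IDS[event["EventID"]],
                "group": group_name_of(event),
                "actor": event.get("EventData", {}).get("SubjectUserName"),
                "host": event.get("Computer"),
            })
    return alerts


# Constructed sample log: one creation, one membership add, one unrelated group,
# one rename to the watched name, and one malformed line.
SAMPLE_LOG = """
{"TimeCreated": "2024-07-30T02:11:05Z", "EventID": 4727, "Computer": "DC01.corp.example", "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}}
{"TimeCreated": "2024-07-30T02:11:09Z", "EventID": 4728, "Computer": "DC01.corp.example", "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"}}
{"TimeCreated": "2024-07-30T02:12:40Z", "EventID": 4727, "Computer": "DC01.corp.example", "EventData": {"SubjectUserName": "hr-admin", "TargetUserName": "Payroll Reviewers"}}
{"TimeCreated": "2024-07-30T02:15:01Z", "EventID": 4737, "Computer": "DC01.corp.example", "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "Backup Ops", "NewTargetUserName": "esx admins"}}
not json at all
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG.splitlines()):
        print(alert)
```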
With a 91-3 vote, the U.S. Senate passed a bill aimed at protecting children from harmful online content.
The Kids Online Safety and Privacy Act, KOSPA, promoted by parents of children harmed by online
bullying, mandates that tech companies take steps to safeguard minors. This includes requiring
platforms to default to the safest settings and exercise a duty of care. The House has not yet
acted on the bill, but strong Senate support may prompt action. President Biden has urged the House
to pass the legislation quickly. The bill would be the first major tech regulation in years,
potentially paving the way for future privacy and AI laws. It requires companies to prevent harm from bullying, violence, and other dangers,
and to offer minors protections like disabling addictive features
and opting out of personalized recommendations.
While some tech companies support the bill,
others, like Meta Platforms, prefer different approaches.
Critics, including the ACLU, warn of potential censorship and privacy risks.
Researchers from Infoblox have revealed that over a million domain names,
including those registered by major companies,
are vulnerable to takeover due to authentication weaknesses
in several web hosting providers and domain registrars.
According to Krebs on Security, this issue involves so-called lame DNS records,
where authoritative name servers lack sufficient domain information,
making these domains easy targets for cybercriminals.
Attackers can exploit these weaknesses to hijack domains,
potentially using them for phishing, spreading malware, or impersonating brands.
Infoblox and Eclypsium researchers found that some compromised domains,
originally registered by brand protection firms, were hijacked due to misconfigured DNS settings.
This problem persists despite previous exposure, with domain takeover
facilitated by weak or non-existent verification processes. Some providers like DigitalOcean and
Hostinger are working on solutions, but broader cooperation and improved practices are necessary
to mitigate these vulnerabilities and protect domain registrants and internet users.
A critical vulnerability in GeoServer, an open-source Java-based software server,
exposes thousands of servers to remote code execution.
Hackers can exploit this by sending malicious POST requests,
gaining full control over affected servers.
Approximately 6,600 GeoServer instances are at risk,
impacting sectors like urban planning and emergency response.
GeoServer has released patches and recommends users update immediately.
In China, anonymity online is already challenging
due to mandatory phone number verification tied to personal IDs.
Now, the Chinese government proposes a national Internet ID to simplify verification and enhance privacy,
aiming to prevent fraud and limit personal data collection by companies.
This proposal by the Ministry of Public Security and Cyberspace Administration
would be voluntary for websites and apps and open for public comment through the end of August.
While some support reduced data collection by multiple apps,
critics fear increased government control and surveillance.
Legal scholars warn of excessive monitoring,
likening the system to the COVID-19 health code app.
Concerns include potential harm and fear of using the Internet.
This proposal has sparked significant online debate, highlighting the tension between privacy protection and social control.
Email attacks and ransomware incidents have surged dramatically in 2024, with a 293% rise in email attacks and a 47% increase targeting organizations, according to research published by Acronis.
Ransomware remains a critical threat, particularly to SMBs in government and healthcare, with a 32% rise in detections from the fourth quarter of 2023 to the first quarter of 2024. LockBit, Black Basta, and Play are major culprits.
Experts advise adopting a zero-trust model, network segmentation, and AI-driven threat detection.
Cybercriminals are increasingly using AI for social engineering and automation attacks, making traditional defenses less effective.
Acronis recommends enhancing security measures and continuous monitoring to counter these evolving threats.
City officials in Columbus, Ohio, say they thwarted an overseas ransomware attack,
shutting down much of the city's technology for 10 days to prevent
data encryption. Mayor Andrew Ginther revealed that the attack involved a sophisticated threat
actor and resulted in potential data theft. The city's Department of Technology, with the FBI
and Homeland Security, recommended severing affected systems from the internet, mitigating
the risk. The cyber outage affected
email, website updates, and emergency dispatch systems. Columbus is restoring services and has
strengthened its tech defenses to prevent future attacks. The official Paris 2024 Olympics app
is raising significant privacy concerns due to its invasive data collection
practices. While marketed as a personal companion for the games, providing schedules, breaking news,
medal results, and event insights, the app's capabilities extend far beyond these functions.
It tracks users extensively, collecting web browsing history and sharing it with advertisers and big tech
companies. Downloaded over 10 million times, the app requires multiple dangerous permissions,
granting it access to deeply personal data on Android devices. The International Olympic
Committee openly acknowledges collecting personal data, building user profiles, and sharing
information with advertisers, including major companies like Facebook, Google, and Apple. This extensive data collection is justified by the IOC as necessary for providing the best possible experience for users.
Permissions requested by the Paris 2024 Olympics app include access to precise location, camera, audio, media files, and
high sampling rate sensors. These permissions can track detailed user activity and movements,
painting a comprehensive picture of the user. The app's privacy policy outlines extensive
use cases for collecting data, including fan analysis, marketing activities, user profiling, and targeted advertising.
Security researchers and privacy advocates emphasize the need for users to remain vigilant
about the permissions they grant and to revoke unnecessary ones. The widespread use of these
invasive apps, combined with state-sponsored threat actors targeting the Olympics, increases
the risk of unauthorized access, identity theft, data breaches, and other cyber threats.
Users are urged to prioritize their privacy and be cautious about the data they share with apps,
especially during high-profile events like the Olympics.
Coming up after the break, my conversation with Rakesh Nair,
Senior Vice President of Engineering and Product at Devo.
We're discussing the issues that security teams face when dealing with data control and data orchestration.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Rakesh Nair is Senior Vice President of Engineering and Product at Devo.
I recently caught up with him for insights on the issues that security teams face when dealing with data control and data orchestration.
A few things that are happening from a trend perspective.
One is the
data explosion side of things, where
there's an enormous amount of data
that companies are collecting,
mostly because they're all moving to
data-driven decision-making.
The second one is around data
convergence, where I believe that
some clients are looking at
putting all of the data into
one central location and then having multiple applications or customers of this consume data from the same location across, whether it's security, whether it's IT operations, or whether it's business intelligence.
They all want to take advantage of these two trends.
So as we are pulling in enormous amount of data,
and as all this data is converging into one place,
not all data are the same.
They don't have the equal value.
So there is definitely a notion of what should be in hot storage,
what should be in warm storage,
and what can be kept in cold storage.
So the ability to control that aspect of
what is the cost or TCO associated with each data source,
as well as filtering out some noisy messages or key value pairs from certain logs
to be able to manage the overall cost is another trend that we're seeing.
So primarily around filtering and routing data to different places as they need to be.
Is it fair to say that some of these folks find themselves with just too much data?
Absolutely. I think one of the predictions that I've seen from Gartner lately is that
by the next six or seven years, the amount of data each of these enterprises are collecting
is going to increase by 23-fold. That's a lot of data coming into that has to be managed,
governed,
and then analyzed to seek intelligence out of some of this data.
What about the tools themselves?
I mean, the things that folks use
to kind of make order out of this data.
My understanding is that
for many organizations,
the number of tools just,
it kind of keeps growing and growing.
Yeah, I think the
data convergence aspect of the
one aspect that I mentioned
is revolving primarily around
this notion of bringing all
of the data into one place and then be able
to generate or create vertical
applications. There's a lot of companies
doing their own ML data science
teams within those companies.
So there is a notion of let the data sit in one place
but have vertical applications, be able to take advantage of it.
The third trend that I see is around technology convergences
within those verticals.
So for instance, if we take the security operations
and the workflows, I see a lot of convergence starting to happen.
If you look at generally across the same market,
to see some of the companies that are being merged or being acquired,
there is this whole push for bringing technology convergence to
each of those vertical labs that can perform at a much better,
much more automated, much more interesting way within that vertical.
What about the people themselves?
You know, the folks who are staffing these SOCs?
Are they, I mean, is it the age-old story
of there not being enough people,
of them being, you know, overworked
and under-provisioned?
It still continues to be true.
I think for a security analyst
to be really useful for a company, they have to be within the company for two, three years. And there's a lot of turnover in the industry around security analysts, mostly because there is still a lot of shortage for such crucial talent across the industry.
Can we talk about some of the potential solutions here? I mean, what do you and your colleagues there at Devo,
what do you consider to be some of the ways to solve these issues?
I think one of the, again, going back to my trends definition
around data explosion, for instance, orchestration,
the ability to filter out and manage the different data sources differently
and bringing that control to the enterprises themselves is very
crucial. On the data convergence side, I think I'll focus more
on the openness of the system, the ability to pull data
applying various filters to understand it, or if you need to do
some analytics, being able to go to the data set and bring the specific data
out to do more analytics on top of it.
So kind of a more open data analytics platform is much more needed.
And the third trend around technology convergence,
when you look at primarily from a security operations standpoint,
you've been seeing the trends of UEBA being consumed into a SIEM platform,
and we can see SOAR being consumed into the same platform.
So one of the things we are trying to do
is kind of build that unified workflow
that not only brings some of these technologies together,
but they have a lot of automation
and AI capabilities infused into it
so that the operations
or the security operations software of the system
is telling the customer what is happening
from a narrative, a story perspective,
instead of generating vast amount of alerts
and the security operations teams have to go
and analyze all of these alerts back to back.
Can you give us an example
of how automation comes into play here?
I mean, that strikes me as being a real potential time saver.
Absolutely.
I think one of the things that we're launching
as part of Black Hat is around
kind of an umbrella term called Settling,
which is internally a playbook running,
trying to look at these alerts,
find entity relationship between these alerts,
group them together when needed,
invoke additional AI to do deeper investigation, and bring back all of this information into a case where
even if the security analyst is not that senior, he still sees the entire context of what was
happening revolving around that alert.
So that is one of the examples.
The most prototypical example is CR.
People get tired of
phishing. I think around 70% of
the time
is spent on phishing attacks.
So taking some of those phishing attacks,
understanding what the
URL is, what the email
location is, etc., and to be
able to block whether the IP address
or the domain, etc., that entire workflow can be automated as a preliminary step.
And then we can do deeper analysis on top of it. So some of those things we could
have systems handle. Actually, the systems are trying to take over those
kind of the groundwork of doing the same thing over and over again, as opposed to forcing
security analysts to do that.
You and your colleagues are going to be attending the Black Hat conference this year,
coming up in early August here.
Should folks stop by to say hello
and then check out more about your offerings there, yes?
Absolutely, yes.
I think we have some really good demos
that we have set up for Black Hat, as well as some beautiful integrations that we have done from a security operations workflow, from data orchestration perspective, as well as kind of opening up that analytics platform perspective.
That's Rakesh Nair from Devo. We'll have a link to Devo's research in our show notes. Cyber threats are evolving every second, and staying ahead is more
than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And finally, our fact-checking desk insisted we check out the story of one man's journey to debunk a popular rumor that had come to be accepted as fact.
Thom Holwerda, managing editor at OSNews, was scrolling through the latest tech news when a particular story caught his eye.
The headline boldly claimed that Southwest Airlines had escaped the recent CrowdStrike event
because they were still using Windows 3.1.
The story fit perfectly with the current tech narrative,
suggesting that sometimes older technology is more reliable.
But something about it seemed off to Tom.
He delved into the details.
The story was widely reported by reputable news outlets
and shared extensively on social media.
But Tom's instincts told him to question its veracity.
He began by tracing the claim to its origins.
A tweet from Artem Russakovskii stating,
The reason Southwest is not affected is because they still run on Windows 3.1.
The tweet, though widely referenced, provided no
sources or additional information. Digging deeper, Tom found a follow-up tweet from Russakovskii
admitting it was a troll, stating, To be clear, I was trolling last night, but it turned out to be
true. Some Southwest systems apparently do run Windows 3.1 LOL.
However, this claim was also unsupported by evidence.
Tom continued his investigation, tracing the origins further.
His search led him to an article by the Dallas Morning News discussing Southwest's scheduling system issues around Christmas.
The article mentioned that Southwest uses internally built systems like
SkySolver and Crew Web Access, which, quote, look historic like they were designed on Windows 95.
These paragraphs had been misinterpreted to suggest that Southwest was still using
outdated operating systems. Tom realized the misunderstanding had snowballed. The article didn't say Southwest
systems ran on Windows 3.1 or 95, merely that they appeared outdated. Additionally,
the fact that these systems are available as mobile apps indicated they were not based on decades-old
technology. Determined to set the record straight, Tom documented his findings. He highlighted how a single unsourced tweet had sparked widespread misinformation,
compounded by hasty and inaccurate reporting.
His fact-checking revealed that, contrary to the viral story,
Southwest Airlines systems are not running on ancient operating systems.
Tom's investigation underscored a critical issue in online journalism.
Reputable sites had failed to perform
even basic fact-checking.
His thorough yet straightforward fact-checking process
had debunked a widely believed myth in minutes.
As he published his findings,
Tom hoped his efforts would encourage others
to question sensational stories
and prioritize accuracy over clicks.
In the end, Thom Holwerda's dedication to truth
illuminated the pitfalls of modern media
and the importance of diligent journalism,
reminding readers that sometimes the truth is just a few clicks away.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing
world of cybersecurity. If you like our show,
please share a rating and review in your podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector.
From the Fortune 500
to many of the world's preeminent intelligence and law enforcement agencies. Thank you. This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music and
sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor
is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.