CyberWire Daily - Zoom addresses concerns about call joining and cameras. ICS vulnerabilities addressed. Patch Tuesday notes. Tracing a disinformation campaign.

Episode Date: July 10, 2019

Zoom agrees to change what it still sort of regards as a feature and not a bug. Industrial control system vulnerabilities are reported and patched. Microsoft issues seventy-seven fixes on Patch Tuesday. Adobe has a relatively light month for patches. Marriott is hit with a large fine from the UK's Information Commissioner's Office. An investigative report traces disinformation about a 2016 Washington murder to Russia's SVR foreign intelligence service. Craig Williams from Cisco Talos with info on the Spelevo exploit kit. Tamika Smith speaks with Myke Lyons, CISO for Collibra, on new industry regulations based on GDPR. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_10.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Zoom agrees to change what it still sort of regards as a feature and not a bug. Industrial control system vulnerabilities are reported and patched. Microsoft issues 77 fixes on Patch Tuesday. Adobe has a relatively light month for patches.
Starting point is 00:02:12 Marriott is hit with a large fine from the UK's Information Commissioner's Office. And an investigation report traces disinformation about a 2016 Washington murder to Russia's SVR foreign intelligence service. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 10, 2019. Last night, Zoom revised its video conferencing service to completely remove the local web server and add an option to its menu that enables users to remove the app.
Starting point is 00:02:49 Two other changes planned for release Friday will save new users' choice of the Always Turn Off My Video option and will permit returning users to turn video off by default. Zoom says it made these changes in response to widespread outcry against the way a user could have been unwittingly joined to a conference with their video on. The company had viewed these controversial aspects of its service as features, not bugs, design elements that they said were essential to our seamless join process. The company also addressed the possibility of distributed denial of service conducted against users of its conferencing platform. It's striking to see the extent to which Zoom has stuck to its metaphorical guns.
Starting point is 00:03:32 The aspects of their platform that attracted such odium earlier this week were, the company says, deliberate design choices made to provide an easy and pleasant user experience. They're listening to the users and changing the production to suit the market's mood, but one has the distinct impression that they think the marketplace of opinion has this one largely wrong. Tenable has reported a range of ICS vulnerabilities, many of them involving systems
Starting point is 00:03:58 used in the operation of power plants. The vulnerabilities have been disclosed to the vendors responsible for the systems, and they appear to have been addressed with patches or other mitigations. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the young organization known by its acronym CISA, has issued a number of advisories on the industrial control system vulnerabilities this week. The vendors who have been fixing their systems include major providers, Siemens, Schneider, and Emerson. Yesterday, of course, was Patch Tuesday. Microsoft brought out 77 fixes, many of them addressing issues in Explorer and Edge. The patches fix two zero-days that are being actively exploited in the wild.
Starting point is 00:04:43 The first is a vulnerability in Spooler Windows OS, a Windows process. The second is an issue that arises when Win32K improperly handles objects in memory. This vulnerability has been found in a targeted attack against an Eastern European target where the tactics and techniques looked a lot like those used by Fancy Bear, that is, Russia's GRU military intelligence service. Both of the zero days are rated important but not critical. There were 15 critical patches. The one that seems to have drawn the most attention from observers is CVE-2019-0785,
Starting point is 00:05:19 a remotely exploitable memory corruption issue that affects all versions of Windows Server released since 2012. Adobe had a relatively light set of patches, offering fixes for issues in Dreamweaver, Experience Manager, and Bridge CC. None were rated critical. It's perhaps noteworthy that Flash, which normally takes a star turn on Patch Tuesday, was completely absent from this month's list. In the past week or so, we've seen substantial fines levied against global organizations for GDPR violations. This has many companies taking a fresh look at their approaches to risk and regulation. The Cyber Wire's Tamika Smith examines best practices to make sure your plans fit the bill.
Starting point is 00:06:04 It's been just over a year since GDPR was implemented, and it's inspiring other countries to create their own data privacy policies and laws. As this transition takes effect, CIOs are trying to create multiple strategies around new laws and regulations that are being developed. Here to shed more light on this topic is Myke Lyons. He's the CISO for Collibra. They raised $100 million recently through their Series E funding round and were recently valued at a billion dollars, raising the company's status to unicorn. Welcome to the program, Myke. How are you, Tamika? I'm doing great. It's safe to say you
Starting point is 00:06:41 guys are doing something right. We're in a good place. So like I said before, the GDPR passed its one-year milestone in May, and countries, including the U.S., are developing their own regulations to tighten up data privacy and security. What advice do you have to CIOs who are watching this transition? I think you highlighted well, there's a lot of additional regulations coming state by state, country by country. So organizations are going to need to figure out how they can quickly adopt these standards. Many of these new regulations will be based on GDPR, but look at ways that they're different and look at ways that they can adopt them and really start to think about a privacy platform or a governance platform, rather than single one-off technologies. So when you say look at a platform, what platforms would you suggest or at least put on their radar? When you're looking at a platform, you need to be able to understand that data is going to take all shapes and forms.
Starting point is 00:07:37 And what those data are and how they're tagged and classified is a very difficult and challenge that could never be accomplished through the manual labor that we have today. You could probably hire a million people to do it, but that's very not economical. And so looking at ways to automate those classifications are going to be critical. It's about knowing where your data is so you know how to protect it better. If I know my data is sitting in this DMZ or on this web server and is available through these mechanisms, I know that if it's important data on there, I'm going to add additional layers of protection. But one of the challenges that governments have faced for so long, they take a broad brush when they apply things like a classification. When you have a technology that allows you to, you know, be a little bit more surgical or more precise is probably even a better word with those data,
Starting point is 00:08:21 you can then put the appropriate levels of control in place to protect that system, protect the data that's sitting on that system. That's sort of the security view. The business view of that is, I have this data, let me make sure that I'm using the data appropriately. So, for example, I'm a person who's looking for sales data about a product that I'm trying to come up with a new package or offering to my potential customers. Well, there's another person who's responsible for the data itself and owns that data. So when I go to find data that I can use to make sure that I'm targeting the right folks, and you know, they're not just being spammed, etc, I'll make a request of an individual or see, I'll find a data set, I'll make a request. And what essentially comes on the back side of
Starting point is 00:09:03 that is that someone else is going to say, well, you can use my data, but these are the conditions for which you need to abide by. So a new area I would like to explore is the security compliance incident response plan. What are the do's and don'ts of having one? Well, I think do's are have one. Definitely the most important one, right? You have to have one. Yes. You don't, you're in trouble. You know, the one you need to allow for and understand for is that there's never a security incident that involves one team within a company, right? Those are not really incidents. Those are just general events. And so you need to be able to work and work collaboratively across all of the parts of your business. This can be parts that
Starting point is 00:09:45 you may not have thought through, right? This could be, I need finance involved because I need a bag of money. These are things that are real nowadays. The second thing about incident response plan is don't just think about it as an incident, like this nation state decided to break into my network. And now they're ruining my day. You've got to think about it in the context of things that are outside of your control, like a vulnerability that is released by a vendor through a responsible disclosure program. But now that's an incident for me because I use that vendor software and I have to act and I have to act quickly. And vendor software has definitely been one of the weaknesses of companies. Well, absolutely. And we're going to use vendor software, right? We're always going to
Starting point is 00:10:23 use vendor software. I think the important thing there is making sure that you're working with vendors that have an understanding of how to remediate their flaws. Software has hours. That's a pretty aggressive timeline, quite frankly. And these are things where CIOs and CISOs are being challenged is how do you do that? How do you get in contact with the appropriate people to notify them there? With all of those aspects, the reality is you need to practice and work hard towards getting that muscle memory generated so you can, in fact, respond appropriately.
Starting point is 00:11:03 Myke Lyons, thanks for joining the program. We definitely have a lot to learn here. Thank you, Tamika. This has been great. That's our own Tamika Smith reporting. The UK's Information Commissioner's Office handed out its second big fine of the week for a GDPR violation. After levying a £183 million fine against British Airways, that's US$229 million, the ICO announced yesterday that it was fining Marriott just over £99 million, that's $123 million, for a breach the hotel chain suffered in 2018 as it integrated the reservation system it acquired when it bought the Starwood properties.
Starting point is 00:11:46 The fine amounts to 3% of the chain's annual revenue, one percentage point lower than the maximum allowable fine under GDPR. Marriott, disappointed by the ruling, intends to appeal. The two big fines are widely seen as representing some sort of shift at the ICO, which had previously taken a lighter hand with data privacy fumbles, in some cases issuing warnings without fines, giving organizations a period of a few months to resolve their problems, and so on. This week's heavy fines are regarded as likely to change businesses' risk calculations and move them away from a willingness to accept risk and toward a determination to mitigate it.
Starting point is 00:12:22 Transferring the risk of punitive action under GDPR seems a less likely option. A Yahoo News investigative report has concluded that Russia's SVR foreign intelligence service developed and disseminated a particularly ugly piece of disinformation during the last U.S. presidential election season. Seth Rich, a young data director working for the U.S. Democratic National Committee, was murdered early Sunday morning, July 13, 2016. Local authorities concluded, and continue to believe, that he was the victim of a botched armed robbery, a mugging gone wrong. But three days after the killing, the SVR fabricated a bogus intelligence report
Starting point is 00:13:02 that retailed the story that Rich was a whistleblower who was killed by a hit squad working for then-presidential candidate Hillary Clinton. The story was that he was a disappointed supporter of Senator Sanders, who intended soon to be in touch with federal authorities about criminal corruption involving the Democratic Party's nominee. Yahoo's report points out that there's no particular evidence that Rich supported any particular Democratic candidate, and that he seems not to have been the disappointed Bernie bro the
Starting point is 00:13:30 disinformation represented him as being. The story was first leaked to whatdoesitmean.com, a site with a reputation for being a conduit for Russian information operations. On August 9th, WikiLeaks' Julian Assange strongly suggested that the late Mr. Rich had been the source of leaked DNC emails Wikileaks had received. Mr. Assange offered a $20,000 reward for information leading to the solution of the crime, noting at the time that, Our sources take risks. There's been scant evidence that Seth Rich was in contact with WikiLeaks.
Starting point is 00:14:06 The story nonetheless was featured for some months by RT and Sputnik, both Russian government media outlets. It was also amplified by inauthentic social media accounts operated by the St. Petersburg-based Internet Research Agency. The Assange connection is interesting, suggesting, as it does, at least a shared worldview in the Kremlin and the guest quarters of Ecuador's London embassy, if not actual coordination. Yahoo's report offers an interesting reconstruction of how the story grew its legs. The lie received its customary bodyguard of truth, in this case the sad street murder of a young man,
Starting point is 00:14:43 and was designed to hit a fault line in public opinion, where those disposed to see corruption would find their suspicions apparently confirmed. Either the SVR or its sister service, the FSB, by the way, are generally thought to be cozy bear. Whichever KGB institutional descendant actually runs cozy bear probably doesn't matter much, unless you're a Kremlin insider concerned with agency equities. In the end, of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:15:32 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:16:03 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:16:31 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already
Starting point is 00:17:23 been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, great to have you back. You all recently published some new research. This is about something that you're referring to as Splevo. What's going on here? Well, so Splevo is basically an exploit kit that we've been tracking. You know, a lot of people
Starting point is 00:17:57 think exploit kits kind of died because they really went from an incredibly common thing to something that we just don't quite see as much anymore. You know, like if you think back about it, I would say the most popular heyday of the exploit kits was probably four years ago when we had the Angular exploit kit out there, basically compromising everybody. And we were able to show that they were basically making millions of dollars, you know, super profitable, very widespread. But as word got out, and as browsers started hardening, they've gotten a little bit out of, you know, popularity, just because the difficulty involved in the redirection systems are very complicated. And so the fact that Splevo is back and pretty
Starting point is 00:18:37 effective, it's a good notable piece of malware to look at. And so what are some of the details here that you need to share? Well, so the way that exploit kits work is they find a legitimate website and find a way to inject some code into it. And this can be done through like a redirection technique. It can be done by compromising the website. So, you know, let's say one of the people with access to the webpage isn't using two-factor authentication and is sharing credentials on various sites, right? I know no one would do that, but it does happen from time to time. And so what happens is the attackers can then get onto those sites and add in the code,
Starting point is 00:19:10 or they can find a vulnerability on the server and add in the code. And it's very, very difficult to detect. I mean, typically when we're talking about these redirects, it's like one line of code, right? One little link hidden in the webpage. And so you can literally be looking at it and it's very, very easy to miss,
Starting point is 00:19:28 especially if you're not super technically savvy. You know, it'll look like you just went to a website, it redirected once or twice. And meanwhile, in the background, your web browser was interrogated. It tried to figure out if you were vulnerable to any of the exploits that it was using. And if it was, it would feed you one.
Starting point is 00:19:44 And if not, it would redirect you to something else like a phishing website, potentially. So in terms of detection, is this the kind of thing where if I'm, for example, running antivirus or something like that, is that going to get pinged by this? Potentially, right? A lot of the payloads, a lot of the loaders
Starting point is 00:19:58 are often detected. However, we have seen several examples of loaders for stuff like this that are generated on the fly. And to make it worse, these sites have a system in place so that you can't automatically harvest the binaries. You can't automate detection very easily. And they do that by looking at the redirection paths and the source and the referrer paths. And if they don't match up to the right sites, you won't actually get the malware sample.
Starting point is 00:20:23 So when we see something like this, there's a couple of different layers you can block it at, right? The first one would be the DNS lookup, right? Maybe we know that the site's compromised because we saw it through our telemetry system. And so we block the website for a couple hours until they can have a time to clean up that broken link, right? So that would be done at like, you know, umbrella or something like that. Another way to do it would be with like a web inspection, right? So something like our web security appliance or something like a firepower or any content inspection box out there, right? Now those may not be super effective, but that's, you know, where you can go to something on the endpoint, right? So like
Starting point is 00:21:00 endpoint antivirus, something like that, like AMP, that's the other layer. So there's really, you know, let's say two really good layers to focus on this type of stuff, right? The DNS lookup and on the endpoint. Because in those two places, you're going to have the capabilities to see what you need to see. And on the endpoint, you can actually do a little bit more advanced inspection and, you know, look for things like obfuscation techniques that's not used by normal software. All right. Well, the blog post is titled Welcome Splevo, New Exploit Kit Full of Old Tricks. Check it out. It's on the Talos website. Craig Williams, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:21:46 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:22:39 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Thanks for listening.
Starting point is 00:23:11 We'll see you back here tomorrow. Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
