The CyberWire Daily Podcast 4.1.20
Ep 1057 | 4.1.20
More data breaches. DPRK spearphishing. DoJ IG sees problems in FISA warrant processes. Houseparty updates. Huawei sanctions. And notes about the pandemic.
Transcript

Dave Bittner: [00:00:02] Marriott discloses a major data breach. Another insecurely configured Elasticsearch database is found, this one belonging to a secure cloud backup provider. More spear-phishing from Pyongyang. The U.S. Justice Department IG sees systemic problems with the FISA warrant process. Updates on the Houseparty affair. Huawei suggests that Beijing will retaliate against more sanctions from Washington. And more COVID-19 notes concerning the cybersector. 

Dave Bittner: [00:00:37]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Transitioning to remote work can be complicated. LastPass Identity is here to make the transition easier without decreasing security. Through integrated single sign-on, password management and multifactor authentication, LastPass Identity enables remote teams to increase security. With an uptick in phishing attacks, LastPass reduces the risk of phishing schemes by never auto-filling passwords on suspicious websites and adds MFA across apps, workstations and VPNs. It helps manage user access. Regardless of where or how employees need access, LastPass ensures employees have secure access to work applications through SSO and password manager. It enables secure sharing. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it allows you to maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources, no matter where they're coming from. With LastPass Identity, the transition to remote work can be a simple and secure one. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:39]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 1, 2020. 

Dave Bittner: [00:02:47]  Marriott International yesterday disclosed that it had sustained a data breach that affected as many as 5.2 million guests. No pay card, passport or other identification document data were taken, but the hospitality company says that personal customer contact information, like names, mailing addresses, email addresses and phone numbers, loyalty account information, partnerships and affiliations and preferences - what guests wanted in a room, what language they preferred to speak - were all compromised. The company's investigation concluded that login credentials of two employees at a franchised property were used to access the data. The improper access is thought to have begun in January and was discovered at the end of February. Guests whose information was compromised are said to have been notified by email. 

Dave Bittner: [00:03:37]  Researchers at vpnMentor report finding a data leak at SOS Online Backup. The secure cloud backup provider is thought to have exposed more than 135 million customer records. The exposure was traceable, the researchers say, to a misconfigured Elasticsearch database. 

Dave Bittner: [00:03:55]  Security firm ESET is describing a spear-phishing campaign run by North Korea's Geumeong121 threat group, Computing reports. The operators are going after people - people in South Korea, mostly - who are interested in North Korean refugees and North Korean politics in general. This is the operation ESET has called Operation Spy Cloud, after the group's use of Google Drive and PickCloud to prospect its victims. Geumeong121 is associated with Thallium, APT37 and Reaper operations, and ESET thinks that the APT's reappearance represents an attempt to reestablish itself after Microsoft's takedown of some 50 malicious domains it had used in earlier campaigns. 

Dave Bittner: [00:04:40]  The U.S. Justice Department inspector general has released the report on the FBI's conduct with respect to the Foreign Intelligence and Surveillance Act. The decidedly starchy report found that conduct not only distinctly wanting but also of long duration; problems with the bureau's handling of FISA matters predate the 2016 U.S. elections. The IG was particularly concerned about the way the bureau handled requests for FISA surveillance warrants. The findings in the latest report go beyond the 17 issues the IG surfaced in the earlier look at Operation Crossfire Hurricane, and they suggest that there are deeper systemic issues with the FISA process quite independent of any agent's or official's biases, commitments or individual misconduct. The systemic issues largely come down, apparently, to insufficient and defective oversight of the process itself - institutional weaknesses, The Washington Post calls them. 

Dave Bittner: [00:05:37]  TechCrunch has an update on the Houseparty affair - no breach, no evidence yet of conspiracy, but the customary privacy concerns any free service brings. Houseparty collects a great deal of information about its users, and it describes what it does with that information in what TechCrunch describes as a 12,000-word privacy policy. It need hardly be said that many users of an online hangout will not attend to the details of a service's data handling policies with the same care they might give to, say, the closing documents in the purchase of a house. In any case, Houseparty does promise to anonymize and aggregate the data it collects, and there's no reason to doubt its sincerity of purpose. But data can be toxic, and privacy hawks are made skittish by this kind of collection. 

Dave Bittner: [00:06:24]  The U.S. is considering imposing stiffer restrictions on Huawei, ones that would cut the Chinese manufacturer off from its U.S. chip suppliers. WIRED worries that the main effect of such restrictions would be to jump-start a domestic Chinese chip industry. But Huawei has worries of its own about the sanctions. These are sufficiently troubling that it moved the company's rotating chairman, Eric Xu, to tell CNBC that, quote, "the Chinese government would not sit there and watch Huawei being slaughtered," adding, "I do believe there would be countermeasures." 

Dave Bittner: [00:06:56]  The COVID-19 pandemic continues to draw scammers along in its wake; everything from bogus cures to phishbait to pranks pulled for the lulz is accumulating at what The Washington Post calls unprecedented numbers. One index of how widespread the fraud is may be seen in figures the U.S. Federal Trade Commission reported yesterday. Complaints about coronavirus scams the FTC has received so far this year doubled over the course of a single week - quote, "the top categories of coronavirus-related fraud complaints include travel- and vacation-related reports about cancellations and refunds, reports about problems with online shopping, mobile texting scams and government and business impostor scams. In fraud complaints that mentioned the coronavirus, consumers reported losing a total of $4.77 million with a reported median loss of $598," end quote. 

Dave Bittner: [00:07:53]  It's hard to believe it's been only a few short weeks since many of us gathered together at the 2020 RSA Conference. A lot has changed since then. And I'd wager it's safe to say most of us look forward to having the option of getting together face-to-face to catch up and talk shop. Monzy Merza is VP of security research at Splunk and always interesting to catch up with. We spoke at RSA. 

Monzy Merza: [00:08:18]  I'd like to reflect on it from, really, from the perspective of our customers, 'cause that's really my biggest sort of input data points. And those big points are automation, orchestration is very much top of mind for customers. Evolution of cloud application services and how that permeates through their operation on a day-to-day basis - how does something that happened in the cloud affect what happens on prem? How does something that happens on prem affect what's happening in the cloud? And so that sort of really dynamic, nontraditional security operations is top of mind for customers. 

Monzy Merza: [00:08:49]  I mean, I know Splunk says data to everything, and our customers are very much in that loop to say it is data to everything. It's not just about data from a firewall or an endpoint, traditional security things. It's all the things - apps, services, cloud infrastructure, on-prem infrastructure. So - and, of course, there is - a lot of that is being underpinned now with the expansion and become, really, the reality of practical AI and machine learning. And so those are really the things that are top of mind for customers. 

Dave Bittner: [00:09:16]  Looking forward, as the industry continues to evolve and mature, how do you see things sort of settling out - this distillation process - you know, the companies that are all offering services, the tools themselves? What's in your crystal ball as we look towards the future? 

Monzy Merza: [00:09:36]  I'd break it down into maybe three layers in my head. The first one is I think companies who are focused on platforms are really the ones who are going to be a key player in the future and be able to serve their customers better. So one is going to be the platform component. I think the second component is going to be companies that are really, really focused on large scale without kind of calling themselves necessarily for security only or for IT only or for this other case only. And then the third one is organizations who are focused on essentially what I like to call the consumerization of security operations or the consumerization of security analytics. I think whoever takes those three approaches is going to have success. And when we dive deeper, some of these are actually in conflict with each other just a little bit. But let me break it down a little bit as to why I believe that. So first, on the... 

Dave Bittner: [00:10:33]  Yeah. 

Monzy Merza: [00:10:33]  ...Platform side, you have to have these platforms because there's this explosion - everything from cloud and apps and services on prem, lots and lots of different point products. And all this data has to be collected. All these things have to be connected to each other and bidirectionally from an automation, orchestration point of view or detect, investigate a response point of view. So if you don't have a platform, if you're just doing a point thing, then you're not going to be very successful because the world is pretty complex now. And I guess it always was. We're seeing more of it now. 

Dave Bittner: [00:11:01]  Yeah. 

Monzy Merza: [00:11:02]  On the second layer of really being data agnostic is this ability to bring things in so that the user doesn't necessarily have to concern themselves with it. 'Cause if you can't do that, then the user's constantly going to get stuck. There's going to be low time to value, essentially, and you're not going to survive. 

Monzy Merza: [00:11:17]  And the third thing around consumerization is people are going to work where they're going to work. This whole notion that I'm going to go into a SOC and do something - we're a very mobile planet now. There's a lot of things that we do. Things have to be easier to achieve and easier to understand and easier to use, even on a mobile platform. So that consumerization has to come into play so people can be more peoplelike. And so companies that focus on those types of capabilities are really going to do well. 

Dave Bittner: [00:11:41]  That's Monzy Merza from Splunk. 

Dave Bittner: [00:11:44]  Remote work solutions are seeing very heavy use. According to The Verge, Comcast reports that voice and video calls have risen 212% during the current period of self-isolation. Seeking Alpha thinks that Akamai, with its content delivery and cloud security solutions, is particularly well-placed to serve the needs of teleworking enterprises during the emergency. Zoom has also seen a sharp increase in usage, but the attention the teleconferencing solution is receiving continues to be decidedly mixed. TechCrunch reports that researcher Patrick Wardle has found two local security flaws in Zoom's macOS client. 

Dave Bittner: [00:12:22]  The pandemic has put a stop to at least one major acquisition attempt. The Wall Street Journal reports that Xerox has given up its attempted purchase of HP - for the duration, at least, and quite possibly for good. The hostile takeover involved both a $30 billion tender offer and a proxy fight. It is, the Journal observes, a cautionary tale of the effect the pandemic is having on large-scale M&A activity. 

Dave Bittner: [00:12:49]  The cybersecurity sector continues to seek to do its part in the crisis, offering security for health care organizations very much at risk from conscienceless criminals and secure, reliable connectivity for emergency medical facilities. 

Dave Bittner: [00:13:03]  The emergency has also, of course, affected daily life in many ways beyond the immediately obvious social distancing and sheltering at home. And Reuters says that Saudi authorities have urged Muslims to defer the hajj, normally scheduled for July, until the pandemic has passed. The kingdom has already suspended the year-round Umrah pilgrimage. Jewish communities are observing Passover under unusual circumstances. And Christian churches are doing the same at Easter. As The Baltimore Sun quotes one religious leader, "we can't meet, but we will gather." Take care. Stay safe. And stay healthy. 

Dave Bittner: [00:13:47]  And now a word from our sponsor Mazars Cybersecurity. Currently, the largest fine under the GDPR is over 200 million euros. With other similar laws like the California Consumer Privacy Act coming online, it's critical to review your company's readiness for and compliance with privacy regulations. The legal experts and cybersecurity professionals at Mazars Cybersecurity can review your systems and processes, ensuring that you are in compliance with privacy regulations, reducing your risk moving forward. Their world-class team in over 90 countries has experience with a full range of regulatory regimes globally and insight into local requirements at the state level. They can even act as your data protection officer. They understand that today's business world is international, online and interconnected. A law a world away can substantially impact your organization. Can you afford to be out of compliance? See how Mazars helps at www.mazarsusa.com/cybersecurity. Again, that's www.mazarsusa.com/cybersecurity. And we thank Mazars Cybersecurity for sponsoring our show. 

Dave Bittner: [00:15:10]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: [00:15:20]  Hi, Dave. 

Dave Bittner: [00:15:21]  We're looking at a story today from the Naked Security blog by Sophos. And this is "Apple Safari Now Blocks All Third-Party Cookies by Default." 

Joe Carrigan: [00:15:30]  That's... 

Dave Bittner: [00:15:31]  What's going on here? 

Joe Carrigan: [00:15:31]  That's fantastic. So a third-party cookie - when you go to a webpage, you are, I guess, the first party. And the website you're visiting is the second party, right? And that website can have little bits of HTML of itself that allow the loading of another party's cookies - third-party cookies. And this is how all the tracking happens: through third-party cookies. Facebook does this a lot. Google does this a lot. Amazon does this like crazy. In fact, the other day, I was buying an onboard diagnostic reader, right? So I search for onboard diagnostic reader. And... 

Dave Bittner: [00:16:06]  As you do. 

Joe Carrigan: [00:16:06]  As you do. Right. 

Dave Bittner: [00:16:07]  (Laughter). 

Joe Carrigan: [00:16:08]  And everywhere I go now, there's an ad for an OBD2 reader on every webpage I load. 

Dave Bittner: [00:16:15]  Right. 

Joe Carrigan: [00:16:15]  Now... 

Dave Bittner: [00:16:15]  Right. 

Joe Carrigan: [00:16:15]  Here's the funny thing. I've already bought it... 

Dave Bittner: [00:16:18]  Yeah. 

Joe Carrigan: [00:16:18]  ...From Advance Auto Parts because Amazon right now can't promise delivery very quickly, and I needed it because my wife's car had an engine code on it. So I ran out and bought one. But this is how this tracking works. And this is kind of how these large data brokering companies get access to the data that allows a dossier of you, of every internet user to be built that is remarkably good. And now Safari is going to stop allowing those third-party cookies by default. Now, Firefox has already been doing this since September of last year, 2019. And, of course, the Tor browser has been doing this since its inception, right? 

Dave Bittner: [00:17:02]  (Laughter) From the get-go. Yeah, yeah. 

Joe Carrigan: [00:17:03]  But the Tor browser is terribly, terribly slow. You know, so if you're going to use a mainstream browser - it's actually not a mainstream browser. It uses the Onion routing network, which is why it's slow. So if you're going to use a mainstream browser, now you have another option. You have Safari, and you have Mozilla. There's also the Brave browser, which blocks most of these third-party cookies. 

Joe Carrigan: [00:17:25]  In January of this year, Google announced that it would gradually kill third-party cookies in Chrome over the course of the next two years. Now, Dave, I make no secret about this. I'm a Google services user. I have an Android phone. I'm looking at this article right now on my Chrome browser. I may very well migrate to Firefox over this. 

Dave Bittner: [00:17:45]  How come? 

Joe Carrigan: [00:17:46]  Because I think that Google has a real conflict of interest here. I think that there is a - you know, because they are, in fact, one of the biggest users of these third-party cookies. That's how they make a lot of their ad revenue. So why would I expect them to expeditiously move towards killing these third-party cookies in Chrome? 

Dave Bittner: [00:18:06]  Well, and the fact that they're saying they're going to kill it off over the course of two years, which... 

Joe Carrigan: [00:18:11]  Right. 

Dave Bittner: [00:18:12]  ...Certainly in tech terms is an eternity. 

Joe Carrigan: [00:18:14]  That is an eternity. Two years from now, the internet will be a very different place. 

Dave Bittner: [00:18:18]  It's interesting that Apple has made this move and that it seems like things are headed this way and that perhaps it's considered a competitive advantage. 

Joe Carrigan: [00:18:26]  I would think it is a competitive advantage. I don't know if I can use Safari on Windows. I don't think they make any Windows products over at Apple. 

Dave Bittner: [00:18:34]  Yeah. I mean, Apple used to make a version of Safari that would run on Windows. 

Joe Carrigan: [00:18:39]  Yeah. 

Dave Bittner: [00:18:39]  And I suppose you could still go find an old version. But they haven't updated that in a while, so... 

Joe Carrigan: [00:18:43]  Yeah. 

Dave Bittner: [00:18:44]  ...Not really an option on the Windows side of things. 

Joe Carrigan: [00:18:46]  I would not advise anybody go out and use an unsupported piece of software, particularly as a web browser, right? That's just asking for trouble. 

Dave Bittner: [00:18:53]  Yeah. 

Joe Carrigan: [00:18:54]  Right? 

Dave Bittner: [00:18:54]  Yeah. 

Joe Carrigan: [00:18:54]  If it's not supported anymore and somebody finds a vulnerability in an old version, that's going to suck for you. 

[00:19:00]  (LAUGHTER) 

Dave Bittner: [00:19:02]  OK, fair enough. All right. 

Joe Carrigan: [00:19:04]  Right. 

Dave Bittner: [00:19:05]  Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:07]  It's my pleasure, Dave. 

Dave Bittner: [00:19:12]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:31]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:42]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.