The CyberWire Daily Podcast 7.28.20
Ep 1139 | 7.28.20

Data breaches and responsibility. Where do you get a decryptor for WastedLocker? Third-party risk. Misconfigured databases. Follow-up on the Twitter hack.

Transcript

Dave Bittner: Cloudflare says that reported Ukrainian breaches aren't its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the news, as do misconfigured databases that expose personal information. Huawei's CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 28, 2020. 

Dave Bittner: SiliconANGLE reports that service provider Cloudflare says the breach Ukrainian authorities disclosed over the weekend had nothing to do with Cloudflare and that the company itself was not breached. Ukrainian authorities had made a point of saying that many of the affected companies were Cloudflare clients, but, of course, Cloudflare has a lot of clients. The National Security and Defense Council of Ukraine qualified their initial account, noting in particular that some of the stolen data they found came from older breaches or, as they put it, quote, "information on some resources is outdated," end quote. But they continue to maintain that they've seen evidence of some sort of large-scale incident. 

Dave Bittner: Cloudflare had this to say to HackRead - quote, "we have investigated in detail an alleged leak of DNS information concerning Cloudflare's customers. The information posted on social media is not the result of a leak or breach of our systems. The published data is available through standard DNS queries on the open internet rather than the result of a leak or breach. Cloudflare provides different services to different customers. Some customers use us for security services. Some use us for performance services. Some customers make use of both. The published information reflects a small fraction of Cloudflare customers who either use Cloudflare only for DNS resolution or only for performance services and therefore have not configured Cloudflare to secure their origin server," end quote. 

Dave Bittner: Security firm Trend Micro has described a PHP webshell its researchers call Ensiko, which they say has both remote code execution and ransomware capabilities. The ransomware functionality is only one of Ensiko's many features. Trend Micro says it's capable of scanning servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol, cPanel and Telnet, overwriting files with specified extensions and more, which is already a lot. It's also thought likely to be resistant to the sort of vigilantism that's recently hobbled Emotet. 

Dave Bittner: Garmin confirmed that it sustained a cyberattack last Thursday, ABC News reports, and that while its online services were disrupted and some files were encrypted, it's restoring services and has concluded that no customer data were compromised. Despite noting that files were encrypted, Garmin did not characterize the incident as a ransomware attack. WIRED writes, as others have been writing, that it was an attack by Evil Corp using WastedLocker ransomware. Sky News reported that Garmin had obtained a decryption key that enabled it to recover its files but that the company did not directly make a payment to the hackers. This doesn't rule out that payment might have been made through a third party. And as Decrypt notes, that wouldn't necessarily protect Garmin from exposure to U.S. sanctions enforcement. Evil Corp has been under sanctions since December. 

Dave Bittner: Another ransomware attack has moved from a third-party vendor to its intended target. The Wall Street Journal reports that customer data was taken from SEI Investments when M.J. Brunner, developer of an investment dashboard used by SEI, was compromised and the information was lost. SEI says its own systems weren't hacked. This is another case of third-party risk or perhaps nth-party risk. 

Dave Bittner: SEI Investments manages funds. Some of its own clients were Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners and Pacific Investment Management Company. They were all exposed to the breach at M.J. Brunner through their business relationship with SEI Investments. So the breach at Brunner affected data belonging to SEI, which in turn affected SEI's clients. Computing quotes Zero Hedge as ascribing the incident to a RagnarLocker ransomware attack. Brunner declined to pay the ransom, and RagnarLocker responded by dumping some 500 gigabytes of stolen information online. The data included usernames and passwords, as well as SQL files with live client data. 

Dave Bittner: We've spent a good deal of time covering the shift to working from home triggered by the pandemic and the related security issues. It's going to be a while before things get back to normal. But some states are reopening in fits and starts, and that means some employees are heading back to the office. Dave DeWalt serves on the board of SafeGuard Cyber and is the former CEO of FireEye. He joins us with insights on the evolving threat landscape expected with returning to the workplace. 

Dave DeWalt: As you see innovation continue to, you know, pick up speed and accelerate, you know, so do the vulnerabilities due to that technology adoption. And the more vulnerabilities you have, the more, you know, opportunities for attackers. And when you have the underlying premises of, you know, lack of governance of the internet, anonymity of the internet that it provides, now 50-plus nation-states all with offensive activity, hundreds of criminal groups, terrorist groups, you have this, you know, perfect storm, this melting pot of things that are going on. So, you know, now add to it social domains. 

Dave DeWalt: I mean, one of the hottest areas right now is information warfare and influence ops in the social domains. Now with 3 billion-plus users in these social domains and the virality of content and deepfakes and false information on there, I mean, we really have a whole new domain with billions of users without much security or privacy really baked into the core architecture. And whenever we've seen a new attack surface created like that, a lot of bad things start to happen. 

Dave DeWalt: So, you know, add to that, you know, drones flying in the air, satellites in space, industrial networks, cryptocurrency systems. You know, it's a wonderful thing from a capital innovation point of view, but when you're looking at it from a security point of view, it's a little daunting to how we protect all these new domains as they grow very quickly. 

Dave Bittner: What sort of advice do you have for folks who are trying to make their way through this, trying to navigate this new reality that we're in? 

Dave DeWalt: Well, you know, a lot of things. You know, one is, you know, I have a lot of empathy for security professionals around the world and a lot of pride. I really truly believe that the security professional will become more and more important. What an opportunity. If you're a chief trust officer or chief security officer at major corporations around the world, what an opportunity, honestly. 

Dave DeWalt: I've watched over the last, you know, years the rise of importance of this professional area inside companies, and I believe that one of the silver linings coming out of this COVID window will be the increased inertia of digital transformations. A lot of brick-and-mortar kind of companies, retailer companies, are realizing that, wow, what a powerful model we now have in online and e-commerce models - way more than we even thought. And so, you know, how do we, you know, integrate all of that digital transformation and hardened security into that? 

Dave DeWalt: So security professionals really now have an opportunity - perhaps, you know, one of which we have never seen before - to really be a core part of the business, not just protecting, you know, the IT networks that they once had. So interesting window - and, you know, as they always say, may we live in interesting times. This is clearly interesting times. 

Dave Bittner: That's Dave DeWalt from SafeGuard Cyber. 

Dave Bittner: A more familiar, more easily understood risk has also surfaced again - misconfigured databases held in the cloud and left exposed to unauthorized users. FrontRush, a provider of athletic recruiting and amateur athletic management software, disclosed that one of its AWS S3 buckets was left exposed to the internet. It contained personally identifiable information. The data included transcripts, injury reports or athletic reports that were placed in the platform by institutions. Also in the bucket were attachments uploaded by student athletes or prospective athletes or their parents and guardians in response to prompts in a recruitment questionnaire formulated and disseminated by the institutions. 

Dave Bittner: And finally, what is it with celebrity-centric voyeurism? Twitter's recent black eye over the compromise and takeover of a large number of high-profile accounts seems to have been long in preparation. We've heard that about 1,500 employees and contractors had the sort of control panel access required to reassign accounts. Bloomberg has been talking to former Twitter employees and reports that it's been that way for some time. Bloomberg writes, quote, "the controls were so porous that at one point in 2017 and 2018, some contractors made a kind of game out of creating bogus help desk inquiries. Those inquiries allowed them to peek into celebrity accounts, including Beyonce's, to track the star's personal data, including their approximate locations gleaned from their devices' IP addresses, two of the former employees said." 

Dave Bittner: Twitter has a complex business and a lot of privacy balls in the air, but Bloomberg's look at the ongoing investigation into the recent socially engineered security incident concludes that the company does seem to have placed its priorities on growth and revenue and not devoted as much time and attention to security and, in particular, security against potential insider threats. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security. And, you know, Ben, it happens to me quite often. I'll be walking down the street, and people will stop me. And they'll say, Dave, I love hearing that Ben Yelin on the CyberWire podcast. I wish I could hear more of him. And I respond to them, and I say, well, you're in luck because he is also my co-host on the "Caveat" podcast, where you get to hear Ben talk for much longer periods of time in much more depth about legal and policy issues. So... 

Ben Yelin: We give the people what they want. That's what we're here for. 

Dave Bittner: (Laughter) If you have not yet checked out the "Caveat" podcast, what are you waiting for? Give it a try. It's a good, fun show. So we'll move past that pitch and move to our topic for today. This came across my desk, and I thought this was right up your alley, Ben. This is from the folks at the EFF, the Electronic Frontier Foundation. And it is a website called atlasofsurveillance.org. What's going on here? 

Ben Yelin: So friend of the show, Electronic Frontier Foundation - by friend of the show, I mean we're fans of theirs and we wish they were our friends. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: But they do fantastic work, obviously concerned about civil liberties issues in the age of technology. And they put together this really cool Atlas of Surveillance. They mapped the entire United States, and for each state and locality, they list - and it's very well-sourced - which surveillance methods are used. So for example, you know, I can zoom in and see that in Baltimore City, where I work and the area in which we live, there are - we use cell-site simulators. In the state of Maryland, there's broad use of automatic license plate readers, facial recognition technology used by the Maryland Vehicle Administration. And that's all very well-marked in this map here. 

Ben Yelin: So they track things like those things I just mentioned, also police departments that have body-worn cameras, the use of drones. We know that that's something we've discussed that's going on in Baltimore City is they have unmanned aircraft taking surveillance photos. That's all accounted for here. 

Dave Bittner: What are some of the practical uses of this? I mean, is it as simple as it could be just for awareness, sort of an eye-opening kind of thing? Or is this a good research tool for some folks as well? 

Ben Yelin: So it's mostly an awareness thing. I mean, certainly, for citizens living in these jurisdictions, it's good for us to know which methods are being used. You know, it's good for democracy because we can make policy decisions with more complete information. So if I had problems with the fact that Baltimore City, you know, is using cell-site simulators, maybe I find out by going to this database. And actually, you know, I can contact my state legislature or, you know, the city council and say, I don't like the way this technology is being deployed. 

Ben Yelin: One thing that I'm sort of fearful of is it also could be potentially useful for law enforcement, and I'll explain why. Obviously, for the Fourth Amendment, everything is about whether you have a reasonable expectation of privacy. And if a feature like this became so ubiquitous that it was very widely known which jurisdictions were using automated license plate readers, then, you know, theoretically at least, citizens would have a diminished expectation of privacy. And thus, it would be more unlikely for a court to find that a Fourth Amendment violation has occurred. 

Ben Yelin: I think we're an extremely long way from there just because, A, that standard is pretty malleable. And B, you know, besides me and you and other surveillance nerds out there, I think most people haven't come across this Atlas of Surveillance. But that's something I would certainly think about in the long run. 

Dave Bittner: Yeah. One thing that struck me with this was, you know, there are some things that would grab my attention in one way. In other words, if I saw that my local town was using predictive policing, well, that is something that would grab my attention. And I would want to go find out more about why that was happening. That would be a concern of mine. 

Dave Bittner: But I could see the flipside. If I also looked at my locality and saw that, for example, my police department was not using body-worn cameras, well, I think, you know, that might be something that I'd want to ask, why not? You know, maybe that's something that I feel is a good way to keep, you know, track of, perhaps, what law enforcement is up to. That's a good type of surveillance to keep everybody, you know, a little more on the straight and narrow. 

Ben Yelin: Absolutely. You know, I think that's a very effective tool. And as I said, you know, that could be used as a way for you to try and change policies. You know, I should also note one thing that's very cool about this is it's crowdsourced. So you can volunteer to help build this dataset, but you can also submit a data point. 

Ben Yelin: So, you know, let's say you live in a really small jurisdiction, a small town that's not already listed in this Atlas. You can write in and say, well, I know that our local police department uses, you know, predictive policing. This is how they do it. Here's a news article on it. And they'll actually post it on this Atlas. So it's a way for people who care about this stuff to get involved. 

Dave Bittner: Yeah. All right, well, the website is atlasofsurveillance.org. If nothing else, it is fun to play with, so check it out. 

Ben Yelin: Absolutely. Geek out on these maps. 

Dave Bittner: There you go. 

Ben Yelin: I certainly have myself. 

Dave Bittner: Right. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you all here tomorrow. I think I'm going to go find myself a slice of cake.