Dave Bittner: Ransomware hits a major data center provider but appears to have left service unaffected. There's a thriving criminal market for website defacement tools. Vandals can be consumers, too. CDRThief does what its name implies. ByteDance tried negotiating TikTok's American future. Ireland's Data Protection Commission starts enforcing Schrems II against Facebook. Awais Rashid outlines software development security pitfalls. Our guest is John Morello from Palo Alto with insights from their new State of Cloud Native Security report. And China's ambassador to the U.K. has his Twitter account hacked.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, Sept. 10, 2020.
Dave Bittner: Ransomware continues to hit large and potentially lucrative markets. Late yesterday, the data center giant Equinix disclosed that it had sustained a ransomware attack. The company said that the incident, which it says left its customers' data and operations untouched, "involves ransomware on some of our internal systems." ZDNet says that Equinix's statements to the effect that customers haven't been impacted seemed correct. In any case, there are no reports of service outages, and the usual drumfire of social media complaints about problems hasn't begun. The company is working with law enforcement to investigate the incident.
Dave Bittner: Comparitech's look at the cyber underworld and its criminal markets has led it to conclude that some eighty-six vulnerabilities in content management systems affecting more than 100,000 sites are being actively traded. Many of the vulnerabilities are zero-days, and they're exploited for the most part in website defacement attacks. Defacement is common, Comparitech thinks, because hackers want to count coup. They want to be noticed.
Dave Bittner: Researchers at security firm ESET this morning released a study of CDRThief, malware that attacks certain Chinese-manufactured Voice-over-IP switches. CDRs are call detail records, data like caller and callee IP addresses, starting time of the call, call duration, calling fee, and so on. CDRThief, as its name suggests, is an information stealer. ESET doesn't know for sure what the spyware's purpose is, but the fact that it exfiltrates sensitive information, including metadata, suggests to the researchers that it's probably a cyberespionage tool. It could also be used for Voice-over-IP fraud, specifically for International Revenue Share Fraud, a scam in which grifters get access to an operator's network in order to bring traffic to phone numbers they've obtained from an international premium rate number provider.
Dave Bittner: The Washington Post says that ByteDance, TikTok's corporate parent, is in discussions with the U.S. government to determine if U.S. security concerns can be allayed by anything short of the sale of much of the social platform to American companies. It's unclear what alternative arrangements might satisfy the U.S. government, but ByteDance's general line appears to be that banning TikTok will have unintended, unexpected and undesirable consequences. One of those alleged consequences seems to be, surprisingly and counter to general impressions, that TikTokers tend to skew conservative and that a ban would leave the social media field open to progressives. That's ByteDance's story anyway.
Dave Bittner: Ireland's Data Protection Commission, the EU's one-stop GDPR shop for many American companies, has told Facebook to stop transferring data about its European users to the U.S., the Wall Street Journal reports. The directive was issued pursuant to the July ruling by the European Court of Justice that invalidated the Privacy Shield arrangement between the EU and the U.S.
Dave Bittner: And finally, the Twitter account belonging to Liu Xiaoming, China's ambassador to the United Kingdom, was apparently hijacked earlier this week, the BBC reports. Mr. Liu's account displayed likes that included tweets highly critical of Beijing's repressive policies towards several of its domestic groups and regions. The false tweets also linked to what we must call, for SEO reasons and also because we're a family show, "saucy, adult-content video."
Dave Bittner: None of this has figured in Ambassador Liu's social media presence, so the claim that his account was hijacked seems pretty clearly to be true. China's embassy in London yesterday denounced the hijacking. They called it the work of anti-China elements and called for Twitter to investigate. The embassy tweeted, quote, "Recently, some anti-China elements viciously attacked Ambassador Liu Xiaoming's Twitter account and employed despicable methods to deceive the public. The Chinese Embassy strongly condemns such abominable behavior," end quote. A follow-on tweet said, sounding a bit like a Shadow Broker bucking for employee of the month, quote, "The embassy has reported to this Twitter company and urged the latter to make thorough investigations and handle this matter seriously. The embassy reserves the right to take further actions and hope that the public will not believe or spread such rumor," end quote.
Dave Bittner: Some of the tweets Mr. Liu was represented as liking were straightforward political attacks on Beijing's record with respect to the repression of Uighurs, Hong Kong, Tibetans and so on. The tweeted responses to the Embassy's denials, harrumphing and calling for redress of grievances, tended to be at least literally sympathetic, offering support for Mr. Liu's leisure time appreciation of adult content, evidently something to do with feet, it seems. They urged the ambassador to own it and not to feel pressure to deny a hobby that some of the tweeters implied they themselves might be given to enjoy. One tweeter did express concern. Looking at adult foot content may be fine as an avocation, but doing so on government time with government equipment is problematic, to say the least, and should be looked into by HR or somebody.
Dave Bittner: It's hard to tell when someone's being ironic, but there does seem to be some such intent gurgling around all this intentionality. The few who expressed unalloyed support for the Chinese government? We're not so sure. They may really mean the outrage they express about British lies and propaganda slandering the People's Republic. Some of them went so far as to say they intend to write their MP to complain. Takes all kinds, right?
Dave Bittner: Upon regaining full control of his account, Mr. Liu confined his response to a proverb - a good anvil does not fear the hammer. Well, of course, it doesn't. It's always the anvil that breaks the hammer, not vice versa. The anvil's always good to go.
Dave Bittner: John Morello is VP of product, container and serverless security at Palo Alto Networks. He comes to us with insights from their latest report on the state of cloud-native security.
John Morello: Well, I think one of the goals we had - probably the primary goal we had - was just to understand not why cloud is being adopted but how cloud is being secured as it is adopted. And I think, you know, there's no argument at this point that cloud is both sort of the present state as well as the future state for the majority of most organizations' infrastructure and applications. And there's been a lot written about, you know, people concerned about security and haven't moved to the cloud because of that. But I think over the past few years, it's really declined, as you've seen, the providers and just the industry itself.
Dave Bittner: Well, I mean, based on the information you've gathered here, based on those insights, what sort of recommendations do you have for folks to get a better handle on all this?
John Morello: Well, one of them I think is - and we saw this reflected in the data as well - is to really start thinking about security as not something that happens once you deploy your application or you turn on that service but, instead, something that needs to be there from the very beginning of your design and development of that application. You know, this notion of shift-left that I'm, you know, sure you've heard of or DevSecOps or DevOps - I mean, they're all kind of different flavors of the same general philosophy, which is - I want to make sure that I don't first evaluate an application or a service for security the day that the developer actually turns it on in production. Instead, I want to make sure that as I'm designing and building that service, that those security guard rails are built into it from the very beginning.
John Morello: And, you know, a very common, basic example that is - every time I'm building my application, every time I'm, you know, creating a new container image, for example, that runs that application, I want to make sure that every one of those build jobs includes an assessment of that application for vulnerabilities and compliance configuration so if there is a problem, I can notify the developer right then and there, and they can fix that problem before it ever goes into production. You know, the old world, if I wanted to run an application with five servers or something, somebody - some dude went into the data center and physically racked, you know, five pizza boxes or something...
Dave Bittner: (Laughter).
John Morello: ...And cabled them together, you know? That was the way that that - that it was done. Well, now, of course, with cloud providers, not only are you not, you know, touching physical hardware, but in most cases, you're not - or at least you should not - be going through some kind of graphical user interface and pointing and clicking the things where people can make mistakes and have insecure configurations. Instead, you want to declare what that infrastructure should look like - again, in Terraform or Ansible or Puppet or any one of these other tools that are very common today, and using that declaratively to say, this is what the infrastructure should be.
John Morello: And when you do that, not only do you have a guaranteed more consistent end result, but you also have the opportunity to have a much more secure configuration because similar to the way that we just talked about being able to scan that application software that's being built by the developer, so too can you scan the infrastructure-as-code template that's being used to declare the infrastructure.
John Morello: So, for example, you could say when somebody's deploying this app that has that S3 bucket as part of that CloudFormation template, I want to make sure that that S3 bucket is not configured for anonymous access. And as part of that same deployment or build job, you can check that infrastructure as code in just the same manner that you check the application code which you offered as well.
Dave Bittner: That's John Morello from Palo Alto Networks.
Dave Bittner: And joining me once again is professor Awais Rashid. He is a professor of computer science at Bristol University. Awais, it's great to have you back. I want to talk today about some of the security pitfalls that teams need to avoid in the process of software development. What can you share with us today?
Awais Rashid: So software lives at the heart of our societal fabric. You know, all sorts of systems that we use are built on the software from, you know - from your cars to your Hoovers to, for example, the online communication systems that we are all relying on during this pandemic. And, of course, you know, there is a lot of awareness about vulnerabilities in software, and there is lots of advice around as to how do you fix typical security bugs. So, for example, there is the OWASP Top 10, which talks about the sort of, you know, the top 10 typical vulnerabilities in software and how to mitigate against them.
Awais Rashid: But I think one of the things that I wanted to talk about today was that though those are really important considerations, but they're not the only things that lead to vulnerabilities in software. So it's not just the act of writing the code, but it's a lot of things that developers do and teams do around that act of writing the code, going all the way from their initial conception of the design to how you may consider the testing strategies for your software, even to the kind of plugins that you deploy within your integrated development environments that you're using to develop your software. All these decisions have an impact potentially in terms of the security of your software.
Dave Bittner: And how do you weigh each of those possibilities to keep everything in balance?
Awais Rashid: So I think the key here is that we need to consider that, you know, security is not a one-shot thing, right? So - and most of the software nowadays is not developed in what you call the traditional waterfall model, where you did some requirements and then you did some design and then an implementation is done in an iterative fashion. And we have to sort of really build security into all the activities - security considerations into all the activities that we do.
Awais Rashid: So let's take as an example of, you know, setting up your integrated development environment. So are you utilizing, for example, you know, the static analysis checkers, which would check for particular security violations of security properties as you develop your code, for instance? Or if you are considering testing strategies, you know, are you considering particular types of testing strategies that would actually enable you to explore a wide array of potential security bugs? Or let's consider, you know, mobile app development, for example. If you're using a monetization approach that includes incorporation of ad libraries, do you carefully consider what kind of permissions do those ad libraries require? You know, what would that mean in terms of the security of the resulting app that you are producing?
Awais Rashid: So I think the key point here is to - for both individual developers but also teams to consider that a consideration of security throughout all the various activities that surround the ultimate act of writing code is as important as the code itself. So I'll pick a particular example. You know, how do teams, for example, appreciate the importance of security? And we did some work in this regard and found that actually doing sort of, you know, simple workshops where teams did some threat modeling to try and understand, you know, how their software could be compromised actually led to an increased awareness about security issues and then to consider them in the design of their software - or some, you know, sort of constant, sort of gentle reminders through the teamwork that they were doing or challenges from other team members asking questions about that.
Awais Rashid: So it doesn't always have to be a very heavyweight activity. But it has to be - we go back to the sort of the old point about, you know, what is the security culture within your team? But then the question is, if you are largely a solo developer, then, you know, how do you actually benefit from such cultures when you don't have a team around yourself?
Dave Bittner: Yeah, that's interesting. It's always good to have someone to bounce things off of or someone to remind you when you've - I don't know - you've strayed from the path.
Awais Rashid: Yeah. And it's not just that it has to be other people who do security. So one of the interesting things that we found was that it can be challenges from anyone. It could be challenges from, say, the, you know - the product team itself, you know? Or it could be challenges from the testers. It could be challenges from your customers who ask you questions about the software that you are producing. So it doesn't always have to be a security challenge, but it could be a set of challenges that ask interesting questions with regards to security - and let's just stretch that further - and, previously, properties of the software that you are producing that then encourage developers to think about how they are actually going to overcome them.
Awais Rashid: And these challenges could also come from the tools that you deploy. So earlier, I mentioned, you know, static analysis tools. You might be using testing tools like fuzzing tools and so on. And it's really interesting if you start to think about in terms of these challenges. That could be - that is an interesting way of thinking about security but embedded across the lifecycle, whatever matter or process you're using in terms of developing your software.
Dave Bittner: Yeah. No, it's interesting, for sure. Professor Awais Rashid, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it sounds great on vinyl. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.