The CyberWire Daily Podcast 8.19.21
Ep 1400 | 8.19.21

T-Mobile outlines what it’s offering customers hit by its data breach. Taliban on good T&C behavior? Apple’s CSAM. OS bug may affect medical devices. A report on 2020’s US Census Bureau hack.


Dave Bittner: T-Mobile describes what it intends to do for those who may have been affected by its big data breach. The Taliban is taking care not to get banned from social media. Apple defends its CSAM measures against a technical objection, but advocacy groups see a slippery policy slope. The U.S. FDA warns of vulnerabilities in an OS used by medical devices. A report on a 2020 incident at the U.S. Census Bureau. David Dufour shares a few surprises from Webroot's 2021 Threat Report. Our guest is Brandon Hoffman from Intel 471 on cybercriminals creating turbulence for the transportation industry. And a Bitcoin tumbler cops a guilty plea.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 19, 2021. 

Dave Bittner: T-Mobile has responded to the breach it confirmed two days ago with a range of customer protection and reassurance measures. The most serious risks appear to be, as WIRED reports, identity theft and SIM swapping. 

Dave Bittner: As WIRED summarizes, quote, "T-Mobile says that of the people whose data was compromised, more than 40 million are former or prospective customers who had applied for credit with the carrier," end quote, which is to say they're not presently customers at all. An obvious question is why the mobile carrier maintained the data in the first place. What use did it have for prospective customers' Social Security numbers and driver's license information, for example? 

Dave Bittner: WIRED adds, quote, "Another 7.8 million are current postpaid customers, which just means T-Mobile customers who get billed at the end of each month. Those roughly 48 million users had their full names, dates of birth, Social Security numbers and driver's license information stolen. An additional 850,000 prepaid customers who fund their accounts in advance had their names, phone numbers and PINs exposed." So the current tally of individuals affected is somewhere above 48 million. While that's a lot by any reckoning, it's far short of the 100 million victims the crooks who offered the data in an underworld market claimed. 

Dave Bittner: It's not clear how the attackers gained access to the data in the first place. T-Mobile was alerted to the problem by the hackers' woofing on the dark web. To its customers the telco is offering two years of McAfee ID protection as well as access to T-Mobile's own Scam Shield and Account Takeover Protection. The company advises customers to change PINs and passwords, even though it says these don't appear to have been compromised, and that they consider putting a freeze on their credit if they think they're likely to be the victims of credit fraud. 

Dave Bittner: The Washington Post shrugs that the general public has entered a period of learned helplessness with respect to big data breaches, and that no doubt the T-Mobile affair will be largely forgotten within a week or so. It lists five major data breaches that have, it thinks, done their bit to inure people to the problem - JPMorgan in 2014, which had 83 million victims; Adult Friend Finder in 2016, with 400 million victims; Yahoo in 2013, but disclosed in 2017, with 3 billion victims; Marriott in 2018 at 500 million victims; and Facebook in 2021 at 533 million victims. 

Dave Bittner: Against this background, having your credit card stolen is an inconvenience - not good, but we get over it. Fifty million people's PII exposed - that's not even an inconvenience. It's a statistic. 

Dave Bittner: As social media platforms consider how to respond to the Taliban conquest of Afghanistan, the Washington Post says that the Taliban itself seems to be punctiliously toeing the line drawn by those platforms' terms and conditions. We'll have more discussion of the topic in this week's Pro Disinformation Briefing, out later this afternoon. 

Dave Bittner: Apple defends its proposed Child Sexual Abuse Material detection technology, telling Vice that the version it will deploy isn't susceptible to the hash collision vulnerabilities researchers claim to have demonstrated. 

Dave Bittner: The proposed system would, under certain circumstances, scan for CSAM images flagged by a small set of international child-protection clearing houses, but critics remain unmollified. Reuters reports that various privacy and rights advocacy groups - the Center for Democracy and Technology among them - fear the technology could not only subvert end-to-end encryption, but could be readily adapted to screening for other content, and that there are insufficient protections against abuse by repressive governments. If, the critics ask, Apple moves against scanning for CSAM images in iCloud and messaging services, this puts them on the slippery slope to backdooring their systems under governmental pressure and of putting larger censorship programs in place. 

Dave Bittner: The objections raised by the Center for Democracy and Technology aren't confined to adult civil liberties. The CDT is, to some extent, speaking in loco parentis, seeing as it does a large issue in LGBTQ+ children having their identities exposed to parents who may prove unsympathetic and giving that issue particular prominence in its post on the matter. The letter explains, after remarking on the unreliability of the algorithms used to identify CSAM content - quote, "Though these capabilities are intended to protect children and to reduce the spread of child sexual abuse material, we are concerned that they will be used to censor protected speech, threaten the privacy and security of people around the world and have disastrous consequences for many children," end quote. 

Dave Bittner: The U.S. Food and Drug Administration has warned that medical devices running some versions of BlackBerry's QNX Real Time Operating System may be vulnerable to certain cyberattacks. The FDA says it has no evidence of exploitation in the wild but that it's advising vendors and developers to use appropriate caution. 

Dave Bittner: The U.S. Commerce Department's inspector general has released a report that concluded the Bureau of the Census mishandled a January 2020 incursion into its servers. Quote, "Specifically, the bureau missed opportunities to mitigate a critical vulnerability which resulted in the exploitation of vital servers. Once the servers had been exploited, the bureau did not discover and report the incident in a timely manner. Additionally, the bureau did not maintain sufficient system logs, which hindered the incident investigation. Following the incident, the bureau did not conduct a lessons-learned session to identify improvement opportunities. We also found that the bureau was operating servers that were no longer supported by the vendor," end quote. 

Dave Bittner: The name of the vendor is redacted in the published reports, but the Record thinks the internal evidence points to Citrix servers used to give employees remote access to bureau resources. The damage appears to have been limited. As the report puts it, quote, "The exploit was partially successful in that the attacker modified user account data on the systems to prepare for remote code execution. However, the attackers' attempts to maintain access to the systems by creating a backdoor into the affected servers were unsuccessful," end quote. And there seems to have been no corruption of 2020 census data. 

Dave Bittner: And finally, a Bitcoin mixer who shuffled funds for contraband traders through a double-blind system to help them remain difficult to track has taken a guilty plea in a U.S. federal court. The Washington Post reports that Larry Harmon, 38 years old and a resident of the state of Ohio, yesterday admitted to a D.C. court that between 2014 and 2017, he operated a service called Helix that tumbled hundreds of millions in Bitcoin. Mr. Harmon acknowledged that he sought the business of drug traffickers and others who sought to evade law enforcement and says he now intends to cooperate with federal investigators looking into other money laundering operations. 

Dave Bittner: Mr. Harmon arrived at his plea after the court rejected his earlier defense that he couldn't be guilty of money laundering because Bitcoin wasn't really money. But Chief U.S. District Judge Beryl A. Howell was having none of it, ruling, quote, "Money commonly means a medium of exchange, method of payment or store of value. Bitcoin is these things," end quote. A sentencing date has yet to be set. The feds want to see how cooperative Mr. Harmon will be before they pencil him in on the calendar. 

Dave Bittner: Brandon Hoffman is chief information security officer at Intel 471, and he and his team recently took a closer look at threats targeting the transportation industries. I checked in with him for the specifics. 

Brandon Hoffman: When we talk about transportation, there's kind of commercial transportation, which is, you know, airlines and kind of hotel companies and stuff. Then there's transportation companies that are more kind of almost considered critical infrastructure in the sense they're more like the trucking industry or the shipping industry and things like that. In this case, we were talking mostly around commercial transportation. And, you know, they have a lot of the same problems that other companies do. They are dependent on a significant supply chain. They have lots of footprint on the internet. They have places where customers can log in. They have places where their employees log in that are exposed to the internet. So there is a large attack surface available for the industry at large. 

Dave Bittner: And so what were some of the specific things that you all were looking at here? 

Brandon Hoffman: Yeah, so specifically here we were looking at kind of a surge in traditional initial access, so access to their networks, so people selling access to these networks or, of course, compromised credentials. Compromised credentials are - have always been but are now even becoming potentially the No. 1 initial access vector that we're seeing - abusing transportation systems for cashing out other activity or even kind of the basis for monetization through kind of gift cards. And, of course, nobody is safe from this these days is ransomware. 

Dave Bittner: Yeah. Can we dig into some of the stuff you found with gift cards? I think that's an interesting aspect that a lot of people don't always consider. 

Brandon Hoffman: Yeah, absolutely. So, you know, cashing out through gift cards - specifically before cryptocurrency was around, you know, moving a lot of money around, of course, is difficult in traditional fiat currency systems. And so gift cards is one of these kind of gray areas where you can buy gift cards. Nobody's tracking where the money comes from. You can use a gift card. And, you know, largely the organization whose gift card it's for, they're not checking, you know, if you're authorized to use that gift card because, you know, to a degree they want it off the books. It's money out there that they have to account for day over day, year over year. They want it spent because they want to account for that money spent. And so cybercriminals have long used that to, of course, launder some money. But also in this case, specifically stealing points, rewards miles, turning them into gift cards. 

Brandon Hoffman: Because when you think about the initial access vector, something like compromised credentials, if you get compromised credentials that work on an account that has, you know, a bulk of airline miles or hotel points, the easiest thing to do would be to convert that into a gift card, take that gift card and then sell it to somebody else. And you might think to yourself, well, they can track all that. But, you know, there's not a lot of infrastructure that's been designated to tracking that type of fraud as compared to traditional financial fraud. They can't account for it because it hasn't really been spent yet, hasn't been used to - for a service or good. And so they want it to be used, but they don't want their customers to be defrauded, but they're not losing money, right? I mean, somebody is spending that money anyway. So if I steal a gift card from you, Dave - right? - and let's say you had a hundred-dollar gift card for an airline and I steal it from you, and I sell it for $50, and somebody uses the gift card, well, the airline is still getting their hundred dollars worth, right? 

Dave Bittner: Yeah. So what are the take-homes here? I mean, for folks who are in the transportation industry, are there any things that you suppose they should be doing that isn't getting the proper attention it deserves? 

Brandon Hoffman: Well, largely, the takeaway is not all that different from other conversations we've had around, you know, cyber hygiene. No industry is immune to the cyberattacks, whether it's initial access and data exfiltration, whether it's some type of fraud and whether it's ransomware. I mean, everybody who has an internet-connected business is is at risk for these things, these attacks. And, you know, you should do everything you can to take care and at least do the basics from a cybersecurity standpoint to make sure that at least the simplest of attacks go checked, right? 

Dave Bittner: Yeah. Don't don't be the low-hanging fruit, right? 

Brandon Hoffman: Exactly. Yeah, exactly. That's the best way to put it. 

Dave Bittner: That's Brandon Hoffman from Intel 471. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always great to have you back. You all recently published your 2021 Webroot Threat Report. Can you take us through some of the highlights here? What did you all find in this round of your report? 

David Dufour: Hey, David, great to be back, as always. Yeah. So first of all, let's - where does Webroot get its data? We have 285 million endpoints and sensors out there through our solutions that we sell. So we have a lot of - a very large footprint where we're gathering this information. And we have a strong team who collates it, looks at it and then gives us this information. I personally am not analyzing the data from all 285 million machines. I think my upper limit is around two 200 machines. I wasn't able to handle it after that. 

Dave Bittner: I see. Well, you're only one man. 

David Dufour: Exactly. 

David Dufour: No, seriously, there's a massive team that spends lots of time on this, so my hat off to them. But some interesting stuff like - and it's kind of fun to look at this. Typically, we talk about health care or social media being the top of the scale and everybody better watch out, but it actually fell this time, significantly, year over year, a 41% decrease in those areas being attacked. 

David Dufour: Yeah, and I think some of that has to do with a year ago, we'd all just got home and that - we had COVID and everybody was online. And I think that's really where the attackers focused their efforts. Because as we've talked many times, the nefarious actors really are savvy about what's popular right now. But what we're seeing is a huge, huge push - and this will not surprise anyone - into oil, gas, industrial. And I think a lot of that's stemming from - you know, for the last five to 10 years, we've talked about the crossover with IoT solutions and getting your operational infrastructure plugged into your back-office infrastructure and what's going to happen there. And I think we're really seeing the cybercriminals take advantage of that because they realized I could, you know, lock up Dave Bittner's selfies and no one's going to pay anything for that... 

Dave Bittner: (Laughter). 

David Dufour: ...Or I could lock up an oil and gas company, and I'm going to get, you know, millions and millions of dollars. So there's a big shift we're seeing. 

Dave Bittner: Yeah. I mean, is it that they're becoming much more - or they have become much more - deliberate in who they're hitting, that they're focusing their energy on these high-value targets? 

David Dufour: Well, I would say yes and no. I think they still are opportunistically attacking everywhere and seeing what sticks. But then they've gotten much, much better at saying, you know, that's Dave Dufour or that's Dave Bittner or saying that's an oil and gas company, let's go for them. And so they're - I would say they're still opportunistic. They're not, like, saying I'm going to go, you know, attack this company or attack that company. At least that's not what I'm seeing. They're taking advantage of a very common, popular exploit, but they've really refined who they're going to go get the ransom from. 

Dave Bittner: Any other thing stood out for you in this year's report? 

David Dufour: It's kind of interesting. The top brands are moving around about who's getting hacked and who people are impersonating. And I think it's kind of like you and I still wear all our old '80s clothes because we think they look cool. But some big names are coming back. Like, eBay topped the list of not brands that were hacked but what are being targeted and how they're impersonating. So that tells me people are using eBay more than I realize. And so we're seeing a shift in, you know, hey, maybe it's not the common ones you know today. Maybe it's the little bit older school that people are going to impersonate and try to get in that way. 

Dave Bittner: Yeah, those threat actors are certainly nimble, if nothing else. 

David Dufour: They're very good at what they do. And I'm not - I begrudgingly have to tip my hat to them. They are very good, very savvy, and they continue to become more and more sophisticated. So it is a challenge to protect against them. 

Dave Bittner: Yeah. Well, it's Webroot's 2021 threat report. David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. To links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.