Uber sustains a major data breach. Notes on the underworld. A large DDoS attack is stopped in Eastern Europe. An FBI alert and a brace of CISA advisories. Congress deliberates cyber policy.
Dave Bittner: Uber suffers a data breach. Social media executives testify before Congress. A large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyberattacks against health care payment processors. Policymakers consider new OT security incentives. Malek Ben Salem from Accenture on future-proof cloud security. Our guest is Diana Kelley from Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity. And if you've been hoping for a LockerGoga decryptor, you're in luck.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 16, 2022.
Uber suffers a data breach.
Dave Bittner: Uber is investigating a breach of its systems, The New York Times reports. Yesterday, the company said in a tweet, we are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. The Times reports that the breach looks to have compromised a multitude of Uber's systems, with the hacker sending The Times images of email, cloud storage and code repositories. Sam Curry, a security engineer at Yuga Labs who was in contact with the hacker, says, they pretty much have full access to Uber. This is a total compromise, from what it looks like. The threat actor reportedly compromised a worker's account on the company's internal messaging service Slack, saying, I announce I am a hacker, and Uber has suffered a data breach.
Dave Bittner: Two employees, who weren't authorized to speak on the situation publicly, have said that they were told not to use Slack and that other internal systems were inaccessible. The breach utilized phishing and social engineering through sending a text to a worker convincing them to send a password that would gain the hacker access. An Uber spokesperson says that the breach is under investigation by the company and that law enforcement officials are being contacted.
Fraud in the C2C market.
Dave Bittner: Once again, we see that there's no honor among thieves. Digital Shadows reports an interesting example of faithlessness in the criminal-to-criminal marketplace. Two admins working in a carding ring in the Altenet forum scammed their prospective affiliates with an address baited to induce the marks to feed cryptocurrency into wallets the scammers themselves controlled. May they all get caught. May both sides lose.
Social media executives testify before Congress.
Dave Bittner: Social media executives from Meta, Twitter, TikTok and YouTube testified before the Senate Homeland Security Committee, TechCrunch reports. And apparently, they didn't overshare. The hearing, intended to dive into the impact social media has on national security, took place on Wednesday, covering topics ranging from domestic extremism and misinformation to connections with China. The testimony was, as it so often is before a Senate committee, guarded. When asked by committee chair Senator Gary Peters to disclose the number of employees working full-time on trust and safety, the only answer offered was by Twitter general manager of consumer and revenue Jay Sullivan, who said 2,200 people were working on trust and safety across Twitter. But it is unclear if all those employees worked only on trust and safety. Senator Alex Padilla asked Meta executive Chris Cox, in your testimony, you state that you have over 40,000 people working on trust and safety issues. How many of those people focus on non-English language content, and how many of them focus on non-U.S. users? The senator didn't answer. The question was then directed to the other executives, who also didn't offer an answer.
Dave Bittner: When TikTok COO Vanessa Pappas was asked about the social media giant's connections with China, specifically where TikTok's Chinese-based parent company, ByteDance, is based, she fumbled, answering the question by saying that the company is distributed and doesn't have a headquarters at all. Slate reports that Senator Jon Ossoff said to Pappas when talking about Chinese connections, "I'm going to humbly and respectfully ask you not to give me the topline talking points." Pappas also denied reports that the parent company's employees were regularly accessing private data on U.S. users of the app, despite leaked audio saying otherwise.
Using the dark web for sanctions evasion.
Dave Bittner: Cybersixgill reports that Russian operators in the dark web are turning their skills at handling contraband to exploitation of the shortages international sanctions have induced in Russia. While it doesn't work for perishables like McDonald's cheeseburgers, it works just fine for durable goods, particularly consumer IT hardware. Cybersixgill says, our research has found that Russian actors are using the dark web to circumvent sanctions, enabling them to transfer funds and purchase goods from beyond Russia's borders. Thus, while Russians can no longer enjoy a meal at McDonald's or a coffee at Starbucks, savvy users of the underground can still get their hands on technology products produced by Apple, AMD, Intel, Microsoft or Nvidia, even though they suspended sales in Russia and Belarus. Their skills have also proved well-adapted to getting around bans on purchases major bank cards have imposed. Cybersixgill states, despite the fact that Visa, Mastercard and American Express prohibit Russian cardholders from purchasing items outside of Russia, actors on underground forums can procure cryptocurrency or virtual and prepaid credit cards in order to make purchases abroad.
Large DDoS attack stopped in Eastern Europe.
Dave Bittner: Akamai says that it stopped a record-setting distributed denial-of-service attack against an unnamed Eastern European customer this week, stating, on Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 mega packets per second in an aggressive attempt to cripple the organization's business operations. The attackers' command-and-control was unusually supple. Akamai offers no attribution, but the target selection and the choice of DDoS as an attack technique are suggestive of recent Russian offensive activity.
FBI observes increased cyberattacks against healthcare payment processors.
Dave Bittner: The FBI reports that they've observed an increase in cybercriminal attacks against healthcare payment processors, redirecting victims' payments. Threat actors rely on personally identifiable information that is public, along with social engineering, to impersonate the victims and gain access to files, healthcare portals, payment information and websites, going so far as even changing direct deposit information to the attacker's own. Security Week says that in February 2022, $3.1 million was redirected after the direct deposit information was changed. The same thing happened again, and the actor stole $700,000.
CISA issues eleven ICS advisories and updates its Known Exploited Vulnerabilities Catalog.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has released eleven Industrial Control Systems Advisories. In addition to these advisories, CISA has also added six new entries to its Known Exploited Vulnerabilities Catalog. Federal civilian executive agencies falling under CISA's remit have until October 6, 2022, to take action to identify and mitigate them.
Policymakers consider new incentives for OT security.
Dave Bittner: Policymakers and federal agencies are considering new incentives for operational technology security in hopes of getting critical infrastructure companies to prioritize cybersecurity and replace old technologies, SC Media reports. The House Homeland Security Committee held a hearing on the topic Thursday. Representative Yvette Clarke, chair of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, said that focusing on IT systems at the cost of OT systems is simply not an option in today's threat landscape, as OT becomes more internet-connected, integrating with IT systems and attractive to our adversaries. Many OT systems are outdated, running either old software or unpatched software, which allows for hackers to easily target the systems, as even the most minor change can cause significant disruptions to necessary services. Michael Dransfield, a senior technical executive for control systems cybersecurity at the NSA, highlighted the increasing age in workers familiar with OT security, which has caused many companies to transition to vulnerable automated systems.
Dave Bittner: After the break, our guest Diana Kelley from Cybrize discusses the need for innovation and entrepreneurship in cybersecurity. And Malek Ben Salem from Accenture on future-proof cloud security. Stay with us.
Dave Bittner: Diana Kelley is CSO and co-founder of security workforce development company Cybrize, and she also is one of the judges of the upcoming DataTribe Challenge, where startup hopefuls compete for up to $2 million in funding. The CyberWire is a media partner with DataTribe. Here's my conversation with Diana Kelley.
Diana Kelley: Yeah. I think it's a really incredible time in cyber right now in terms of innovation because there have been a lot of advances in technology that have now enabled us to create and to come up with - just ideate really new ways to use that technology. So what do I mean specifically - the cloud. We talk about digital transformation, and we're all going to be multi-cloud. And now we're here. We are in the cloud. Organizations take huge advantage of all that's offering - all the offerings in the cloud. And that means that security now can take that step of, we don't always have to sit on premise. We can now go into the cloud, go into multiple clouds, get that signal, that information, the economies of security scale, as I like to call it. And that's really just driving a lot of innovation and adoption. We've also seen other advances that are helping in terms of things like the technologies. We just have faster computers. We have more compute power that's available to all of us. We have always on, which is not something that has been, you know, a reality. Even now you can be on Wi-Fi on the plane, like it or not. But you can literally work anywhere, any time. So it's a really great time right now in security. And the other thing that's driving the innovation is this, you know, forcing factor of, we need to be able to manage not just our own organizations but also our entire system, our ecosystem, which includes our partners and consultants and vendors that we work with. And that means that there's this real big drive for automation because we just can't do all of this, you know, manually.
Dave Bittner: What does that mean for the folks who are out there looking to innovate, for those hopeful people who think they have an idea that may change the world and are looking to get the word out and tell people about their ideas?
Diana Kelley: Well, there's a lot of - I don't want to say noise. That's - I just said it, though. But there are a lot of voices who are competing for attention. And you've got some voices that are very loud because they've been here for a long time. And they're very - you know, they've been contributing to security and have a - you know, a fairly big megaphone. So as new or innovative companies, you need to find a way to have your voice vibrate at the right level so that you can be heard above some of this, you know, conversation that's going on - an important conversation that's going on. So it's really about differentiating. It doesn't need to be a blue ocean anymore. You know, if you remember that book where - you know, try to find the blue ocean. You don't need to find a pure blue ocean, but do understand what may have gone wrong if the ocean's already red. And what I mean by that is that you look at - we seem to sort of improve and optimize in this cyclical way in security. So SIEM, security event information managers, were introduced to the market a little over 20 years ago. And over time, we've seen next-generation SIEMs come out that are smarter, easier to use, cloud-aware or functioning in the cloud, very importantly are using things like machine learning to be better about the information in their analysis and the alerts that they're sending. So it doesn't have to be a space no one's been in before. There's a lot of next-generation optimization that's going on in existing tool categories. And then there are also new and emerging tool talent for - is to keep up with the pace of technology.
Dave Bittner: You're going to be participating in the upcoming DataTribe Challenge. Why is this something that you feel as though is worth your time that you want to contribute to?
Diana Kelley: Because it - again, it's very hard to get your voice heard if you're a new, exciting idea but there isn't a market space or a niche for you, and you just haven't gotten the funding. So I really love that DataTribe is doing this where, you know, three finalists are going to split the $20,000. But then there's an up to $2 million in seed capital that's available potentially for the winner. And I think that, you know, it can be very hard to get an idea off the ground. And I love that DataTribe is going out saying, let's just let everybody come in. And we see sometimes that can be, as in anything in life, it can be a little bit of a who you know. And in this case, it's not a who you know at all. It's open to everyone. That's why we've got a judging panel to look at what's submitted. So I just love that it's a very open, democratic process to help give funding and support to these ideas that may not have been heard yet.
Dave Bittner: What's your advice to that hopeful startup, someone who's out there trying to get noticed? Any words of wisdom?
Diana Kelley: Define the problem. You know, founders can decide there's a problem, but they don't really understand that. And so define the problem very, very clearly and make sure that you've researched it and that you actually have a solution that is a problem and not just a solution looking for a problem. So be very clear, on time, as ever (ph). And focus the message. It's not uncommon with founders - you kind of want to solve everything and do everything. And very often when you go out and you start talking to investors or potential buyers, they'll say, but what about this? What about that? Got to stay laser-focused in your message, laser-focused as you explain what your solution is to the judging panel. And then the other thing that's really important is to make sure that you've differentiated. Understand who the competitors are. You got a problem. You're very focused. But also, who else is solving that problem, and why do you do it better?
Dave Bittner: That's Diana Kelley from Cybrize. You can find out more about the upcoming DataTribe Challenge on their website, datatribe.com.
Dave Bittner: And it is always my pleasure to welcome back to the show Malek Ben Salem. She is the security innovation principal director at Accenture Security. Malek, welcome back. I want to touch base with you today on some stuff I know you and your colleagues have had your eye on, and that's machine language, security and safety. What can you share with us today?
Malek Ben Salem: Yeah, I think this is a problem that - or an area of security that does not get enough attention, which is why I'd like to talk about it again on this podcast. As you know, you know, AI and - powered by machine learning is being deployed in high-stakes environments - right? - in medical devices and medical settings and for autonomous driving. So these are environments that are obviously high stake, that include some safety aspects, you know, with the AI interacting with a physical environment or has - where it may have an impact on the safety of the individual or the people in their surroundings. So it needs to be built in a secure and safe manner.
Malek Ben Salem: The other aspect or factor that makes it difficult to build AI that is secure and safe is, you know, the lack of modularity or encapsulation when building these AI-powered systems. They're unlike, you know, traditional applications - we're familiar with how we write code. You know, there are, you know, I would say, object-oriented code where everything is - we have abstraction principles. We have modularity principles. That's not valid for machine-learning models - right? - or these neural network architectures. So that makes them very complex, very hard to understand - right? - for humans. And it makes it hard to know, what output can we expect by giving these AI systems certain inputs?
Dave Bittner: Yeah, help me understand here. I mean, is it - to what degree are they kind of black boxes, where you put stuff in, and, you know, quite often, it could be to your surprise, delight or horror what comes out the other side?
Malek Ben Salem: To a very high degree, I would say...
Dave Bittner: Yeah.
Malek Ben Salem: ...Which is why there are certain research communities working on explainability for these systems or for these machine-learning models - so developing certain techniques to make them more explainable. Obviously, that is important, but that in and of itself has its own security implications because the more you explain, the more transparent you make these models, the more they become vulnerable, as well, to adversaries because now they know how they are working. They know the inner workings of these models. And that may help them attack them even easier, in an easier fashion. So it's really a tradeoff. Yeah, we need to make them explainable for the developers so that they're able to make them more robust but not necessarily expose them or make them transparent to adversaries and threat actors.
Dave Bittner: And are there any standards for dialing that in? I mean, are there frameworks that have been adopted?
Malek Ben Salem: Yeah, that's the big challenge, right? I think we have different communities working on making these machine-learning models more robust, but we don't have, you know, widely adopted frameworks. Or at least the frameworks that we have may be lacking. When I talk about robustness, I - you know, there's two aspects of robustness, right? There's the aspect of making these machine-learning models be able to work in an environment where they see an - or overcome an unusual event, right? That's one form of robustness.
Malek Ben Salem: And the other aspect of robustness is being robust to adversarial attacks. So that's another aspect. And, sometimes, these two goals may not go hand in hand, right? If you build your model to be able to react in certain events - and let me give an example. You know, let's say you were building an autopilot on a self-driving car. It's supposed to recognize stop signs, right? And when it recognizes a stop sign, it's supposed to stop. But what happens if that stop sign is - shows up in a - say, a traffic bar, right? - that is - like, on a parking entry, right? And that bar is raised. You're not necessarily supposed to stop at that point. Or what if somebody is wearing a T-shirt with a stop sign? That car stopping at that point may be a hazard, right?
Malek Ben Salem: So recognizing those unusual events and having the autopilot system respond to them in a proper manner is a challenge. But as I mentioned, the adversarial case, as well, is important to recognize. So what if a passerby wears that T-shirt advertently - right? - in order to create some chaos? So again, you know, the problem is not easy to solve. There are certain defenses that I can talk to or proposed ways of responding or mitigating this problem. But I think they do require definitely more research and more attention by ML engineers.
Dave Bittner: Yeah. All right. Well, interesting stuff. Malek Ben Salem, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Sam Crowther from Kasada. We're discussing their work, "The New Way Fraudsters Bypass Bot Management." That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.