The CyberWire Daily Podcast 8.5.24
Ep 2122 | 8.5.24

TikTok in the hot seat...again.

Transcript

The justice department sues TikTok over alleged violations of children’s online privacy laws. Bad blood between Crowdstrike and Delta Airlines. The UK once again delays upgrades to their cybercrime reporting center. Apache OFBiz users are urged to patch a critical vulnerability. SLUBStick is a newly discovered Linux kernel attack. CISA releases a handy guide to help software suppliers manage security risk. StormBamboo poisons DNS queries to deliver targeted malware. The White House looks to help close the cybersecurity skills gap with $15 million in scholarships. Our guest, US Congressional candidate from Oklahoma Madison Horn, speaking with my Caveat co-host Ben Yelin about national security and cyberwarfare. And chewing on rumors of Olympic sabotage.

Today is Monday August 5th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The justice department sues TikTok over alleged violations of children’s online privacy laws. 

The U.S. Justice Department has filed a lawsuit against TikTok and its parent company, ByteDance, accusing them of violating children's online privacy laws. The complaint, filed in collaboration with the Federal Trade Commission (FTC) in a California federal court, alleges that TikTok failed to obtain parental consent before collecting personal information from children under 13, violating the Children's Online Privacy Protection Act (COPPA). It also claims TikTok ignored requests from parents to delete their children's accounts and retained personal data despite knowing users were underage.

The lawsuit also highlights that TikTok allowed children to create accounts without verifying their age and shared data about "Kids Mode" users with other companies, including Meta’s Facebook and AppsFlyer, to re-engage those users. Despite having technology to identify and remove underage accounts, TikTok reportedly failed to use it effectively.

TikTok disputes the claims, stating that the allegations are based on outdated practices and that they have since enhanced privacy measures for minors, including age-appropriate experiences and privacy protections.

The complaint calls for fines and an injunction to prevent future violations. This lawsuit adds to the scrutiny on social media platforms regarding their handling of children's data, echoing past legal actions against companies like Google, YouTube, and Meta.

Bad blood between Crowdstrike and Delta Airlines. 

CrowdStrike is disputing allegations made by Delta Air Lines, which claims the cybersecurity firm was responsible for a significant flight disruption following a system outage. Delta's CEO, Ed Bastian, said the outage cost the airline $500 million and indicated that Delta might pursue legal action against both CrowdStrike and Microsoft. The outage affected millions of Windows machines globally, but Delta's recovery was notably slower than other airlines, leading to an investigation by the U.S. Department of Transportation.

CrowdStrike asserts that it repeatedly offered assistance to Delta during the crisis, including offers for onsite support, but these offers went unanswered. The cybersecurity firm argues that the threat of litigation promotes a misleading narrative about its role and points out that competing airlines resumed operations much quicker. CrowdStrike reiterated its commitment to addressing the issue responsibly and mentioned that its liability is limited, promising to defend itself if legal action is pursued. Delta has not yet commented on these assertions.

The UK once again delays upgrades to their cybercrime reporting center. 

Action Fraud is the UK’s national reporting center for fraud and financially motivated cybercrime, managed by the City of London Police. It has faced criticism for being ineffective, with the House of Commons Justice Committee labeling it “not fit for purpose.” The system has been criticized for poor victim support and failing to manage the rising levels of fraud across the UK.

A replacement service, initially scheduled to launch in April 2024, has now been postponed to spring 2025, according to Nik Adams of the City of London Police. The new system, the Fraud and Cyber Crime Reporting and Analysis System (FCCRAS), promises improved intelligence capabilities and better communication with victims. Companies PwC and Capita are involved in its development, with the project cost estimated at £31 million ($39 million). The new system aims to rebuild public confidence and encourage reporting.

Apache OFBiz users are urged to patch a critical vulnerability. 

Organizations using Apache OFBiz [oh-eff-biz] are urged to patch a critical vulnerability, CVE-2024-38856, affecting versions through 18.12.14; the fix is in 18.12.15. The flaw, discovered by SonicWall researchers, is an incorrect-authorization bug that lets an unauthenticated attacker reach functionality that should require login, giving remote code execution. While SonicWall has not observed exploitation of this vulnerability, another Apache OFBiz flaw, CVE-2024-32113, patched in May, has been targeted. The SANS Technology Institute reported increased exploitation attempts against this path traversal bug in July, potentially linked to variants of the Mirai botnet. Apache OFBiz is a free ERP framework used by major companies, especially in the U.S., India, and Europe. Although it is less common than commercial alternatives, its security matters because of the sensitive business data it handles, and because OFBiz instances are typically internet-facing web applications.

SLUBStick is a newly discovered Linux Kernel attack. 

A team from Graz University of Technology has disclosed a new Linux kernel exploitation technique, "SLUBStick," which converts a limited heap vulnerability into an arbitrary kernel memory read-and-write primitive with a success rate above 99%. That primitive yields privilege escalation and container escapes, and the researchers demonstrated it on Linux kernel versions 5.19 and 6.2 with defenses such as SMEP, SMAP, and KASLR active. The key step is a cross-cache attack: freed memory belonging to one slab cache is reclaimed by another, so that a bug in one object type can be used to corrupt a different one. Cross-cache attacks were previously unreliable; SLUBStick uses a timing side channel on the allocator to tell when a slab page has actually been freed and reused, which is what makes the conversion dependable. SLUBStick is a technique rather than a vulnerability in its own right: it requires local code execution plus an existing heap bug in the kernel, so the practical defense remains prompt kernel patching and limiting the attack surface exposed to unprivileged local code. It will be presented at the USENIX Security Symposium. In the hands of an attacker, the resulting kernel write could be used to maintain persistence and to make malware harder to detect, posing significant real-world risk.

CISA releases a handy guide to help software suppliers manage security risk. 

The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that software suppliers are responsible for managing security risks, as outlined in its "Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle." The guide consolidates various software assurance frameworks and provides federal guidance, including CISA’s Secure by Design principles and a comprehensive list of questions for evaluating third-party software risk. The guide underscores that supply chain risks affect both open and closed source software, requiring heightened awareness from both buyers and suppliers.

While CISA promotes "secure by design," it stresses "secure by demand" to make informed procurement decisions. The guide includes 77 questions covering supplier governance, supply chain issues, and secure software development, with some questions waived if suppliers provide a CISA Secure Software Development Attestation Form. 

StormBamboo poisons DNS queries to deliver targeted malware. 

Researchers from Volexity have revealed that the APT StormBamboo, also known as Evasive Panda or StormCloud, compromised an unnamed internet service provider (ISP) to poison DNS queries and deliver malware to targeted organizations. This Chinese-speaking cyberespionage group exploits insecure software update mechanisms: applications that fetch updates over plain HTTP and install whatever they receive without validating a digital signature. By altering DNS responses for the hostnames those updaters contact, StormBamboo redirected update requests to servers it controlled, so that instead of a legitimate update the client installed malware such as MACMA (a macOS backdoor) or MGBot (a Windows backdoor).

Once compromised, the attackers deployed a Google Chrome extension that covertly exfiltrated browser cookies to a Google Drive account. The DNS poisoning was executed at the ISP level, stopping once the ISP rebooted and adjusted network components. StormBamboo's tactics include leveraging CATCHDNS and exploiting an Apache HTTP server vulnerability to spread their malware across multiple platforms, including Android and Solaris.
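The update pattern StormBamboo abuses, alongside the check that defeats it, as an added example written for this page (it is not code from Volexity or from any affected vendor, which the report does not name). It assumes a hypothetical updater that fetches a manifest (build number, payload bytes, Ed25519 signature) from its update host; the keys, build numbers and payload strings are constructed inline for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the client pulls from its update host. Once DNS is poisoned
// at the ISP, that "host" is whichever server the attacker pointed the name at.
// (Hypothetical format; no real updater on the page uses it.)
type Manifest struct {
	Build     uint64 // monotonically increasing build number
	Payload   []byte // bytes the client would execute
	Signature []byte // Ed25519 signature over signedMessage(Build, Payload)
}

// signedMessage binds the build number to the payload so a signature cannot be
// moved from one build onto another payload.
func signedMessage(build uint64, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(msg, build)
	return append(msg, payload...)
}

// SignManifest is the vendor-side step. The private key stays with the vendor;
// only the public key ships inside the client.
func SignManifest(priv ed25519.PrivateKey, build uint64, payload []byte) Manifest {
	return Manifest{
		Build:     build,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(build, payload)),
	}
}

// InsecureInstall models the flow StormBamboo exploited: the client trusts
// whatever the resolved host returns, so controlling the DNS answer is enough.
func InsecureInstall(m Manifest) []byte {
	return m.Payload
}

// SecureInstall pins the vendor's public key and refuses anything it did not
// sign. It also refuses rollbacks, so an attacker cannot replay an older,
// genuinely signed build that carries a known bug.
func SecureInstall(pinned ed25519.PublicKey, installed uint64, m Manifest) ([]byte, error) {
	if len(m.Signature) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, signedMessage(m.Build, m.Payload), m.Signature) {
		return nil, errors.New("signature does not verify under pinned vendor key; refusing to install")
	}
	if m.Build <= installed {
		return nil, fmt.Errorf("rollback refused: offered build %d, installed build %d", m.Build, installed)
	}
	return m.Payload, nil
}

// Scenario plays the poisoned-DNS attack against both clients. The attacker
// can sign their manifest, but only with a key the client does not trust.
func Scenario() (insecureRanAttackerPayload, secureRanAttackerPayload, secureRanVendorBuild bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	legit := SignManifest(vendorPriv, 42, []byte("vendor build 42"))
	poisoned := SignManifest(attackerPriv, 43, []byte("attacker stage 1 (constructed placeholder)"))

	insecureRanAttackerPayload = string(InsecureInstall(poisoned)) == string(poisoned.Payload)

	_, err := SecureInstall(vendorPub, 41, poisoned)
	secureRanAttackerPayload = err == nil

	got, err := SecureInstall(vendorPub, 41, legit)
	secureRanVendorBuild = err == nil && string(got) == "vendor build 42"
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("insecure client ran attacker payload:            %v\n", a)
	fmt.Printf("signature-checking client ran attacker payload:  %v\n", b)
	fmt.Printf("signature-checking client ran vendor build:      %v\n", c)
}
```

InsecureInstall is all an attacker who controls the DNS answer needs: the client never asks who produced the bytes. SecureInstall pins the vendor's public key in the binary, so a server the attacker controls can serve anything it likes and none of it will verify; the rollback check closes the second trick, replaying an older build that the vendor really did sign. Fetching over HTTPS with certificate validation is the complementary control: it denies the attacker the connection in the first place, while the signature protects the artifact even when the transport, or the real update server, is compromised.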

The White House looks to help close the cybersecurity skills gap with $15 million in scholarships. 

The White House and EC-Council have pledged $15 million to train over 50,000 students in cybersecurity skills through a scholarship program. The initiative aims to address the cybersecurity workforce gap by offering comprehensive training in ethical hacking, network defense, digital forensics, and more. This program will be available at universities, NSA centers of academic excellence, community colleges, and other institutions across the U.S. The EC-Council will provide the curriculum, and the program is part of the White House's National Cyber Workforce and Education Strategy (NCWES). The initiative aims to make cybersecurity education more accessible and prepare students for well-paying cyber jobs. Currently, there are about 500,000 open cybersecurity positions in the U.S. Applications for the scholarship are open now.

 

Coming up on our guest segment, we’ve got my Caveat co-host Ben Yelin talking with US Congressional candidate from Oklahoma Madison Horn about national security and cyberwarfare. 

We’ll be right back.

Welcome back. You can hear Ben’s full interview with Madison Horn on our latest episode of Caveat. There’s a link to it in our show notes. 

Next we’ve got our CSO Perspectives preview with N2K’s Rick Howard talking about how “Cybersecurity is radically asymmetrically distributed.” 

As always, thanks Rick. You can find links to both the CSO Perspectives episodes, for N2K Pro subscribers and also a preview episode for those who are not yet subscribers, in our show notes.   

 

Chewing on rumors of Olympic sabotage. 

And finally, our European varmint desk sent us an urgent dispatch from the Olympic games in Paris. 

In the shadowy depths of the Castle of Vincennes, a dastardly plot was uncovered—or so it seemed. Rumors of sabotage had spread like wildfire after fiber optic cables, crucial for broadcasting the Olympic Games from Paris, were found mysteriously severed. As investigators swooped in, anticipation mounted. Was this the work of a master criminal with a grudge against sports fans? Perhaps an act of international intrigue, foreign agents looking to embarrass the French security teams responsible for securing the infrastructure of the games. Alas, the truth was less sinister but far more amusing.

It turns out the culprit was none other than a curious creature with a penchant for destruction. The sneaky critter, allegedly a weasel-like mammal known as a marten, perhaps in search of fame or a snack, had gnawed through the cables not once but twice, around 1 a.m., disrupting the broadcast. The cables were swiftly repaired, and the investigation was officially closed, with no animals brought to justice.

Back in the U.S., cyber squirrels could not be reached for comment. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.