The CyberWire Daily Podcast 7.12.18
Ep 639 | 7.12.18

Timehop refines its breach disclosure. Speculative execution side-channel attacks described. Tech manuals offered for sale on the dark web. Twitter versus bots.

Transcript

Dave Bittner: [00:00:00] What's that? You say you still haven't subscribed to our new Hacking Humans podcast? Well, get on it, friend. We released a new episode today.

Dave Bittner: [00:00:13] Timehop releases more information as its breach investigation proceeds. Two speculative execution side-channel attacks are described - in the lab, not yet in the wild. The U.S. Senate's flesh creeps over bug disclosure practices. Someone uses a Netgear exploit to get some U.S. technical manuals. And Twitter goes to work against bogus accounts.

Dave Bittner: [00:00:40] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 12, 2018. The Timehop breach disclosed over the past week seems to have gotten worse. The service acknowledged that dates of birth, gender of customers and country codes were also compromised. For GDPR purposes, the records that fall within the scope of the European privacy regulation include 2.9 million name and email address combinations, as well as 2.2 million name, email address and date of birth records.

Dave Bittner: [00:02:25] The timeline of the breach is interesting. The incident began on December 19 of last year, when an unauthorized party used a Timehop admin's credentials to log in to a third-party cloud account. The hacker subsequently created a new admin account and logged in three more times, quietly looking for personally identifying information. By the time of the fourth log-in, enough PII had been moved into the cloud to make it worthwhile. The hacker then waited until July 4 - an American and not a European holiday, one notes - presumably, expecting a relaxed guard over the holidays, and logged in to steal the database.

Dave Bittner: [00:03:04] The case is also interesting for what it will ultimately reveal about how the European Information Commissioner will balance zeal in reporting against completeness of reporting. Timehop disclosed the incident swiftly, shortly after discovering it on the Fourth. But they were forced to issue updates to their disclosure over the last two days.

Dave Bittner: [00:03:23] The Information Commissioner has been blogging, in a spirit of firmness but fairness, that while there's no grace period for compliance, since everyone has had two years to prepare, the EU is committed to being reasonable. As the commissioner's blog puts it, quote, "we pride ourselves on being a fair and proportionate regulator, and this will continue under GDPR. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action," end quote.

Dave Bittner: [00:03:58] The past few years have seen a migration of data to the cloud as organizations take advantage of potential cost savings, security and convenience. But how can you be sure your cloud-based data is fully compliant with regulations, like GDPR? Yaniv Avidan is CEO and co-founder of MinerEye, where they claim their interpretive AI-based technology can assist with these sorts of tasks.

Yaniv Avidan: [00:04:22] Specifically, when looking at the number of companies that are migrating data to the cloud or, generally speaking, adopting cloud infrastructure or services, we see public cloud services are growing, you know, exponentially, year over year - specifically with big companies such as Microsoft, Amazon, Salesforce, and Google and several others. So that's on one hand.

Yaniv Avidan: [00:04:52] We see the race to the cloud, which basically is motivated by, you know, cost saving and productivity, right? On the other hand, we see GDPR that's in a collision kind of route with this kind of vector since it actually limits or provides some regulation on top of data that affects the cloud migration activities.

Dave Bittner: [00:05:17] Now, where do people usually find themselves getting in trouble when it comes to cloud adoption and how that could bump up against GDPR?

Yaniv Avidan: [00:05:26] First and foremost, where is my sensitive data located? So data residency, which is an explicit requirement by GDPR. You need to be able to continuously, at any point of time, point on the data that is a personal data and its location - either for purposeful use proof or for right to be forgotten request or subject request to delete that data or to handover the data and so on.

Yaniv Avidan: [00:05:56] Other requirements have to do with the protection of that data in specific use cases. For instance, if my data is going out of an EU geography, I need - it needs to be protected and handled accordingly, OK? And again, this has to do with the location of the data. Or let's say the data needs to be well-segregated based on geographies - but not just based on geographies but also based on use. So it all comes into the point of identifying the data and its location but with respect to the specific requirement that is defined by GDPR.

Dave Bittner: [00:06:37] So what are your recommendations to make sure that they are in compliance?

Yaniv Avidan: [00:06:41] Raise awareness internally within companies as to personal data handling. Awareness and training is the first thing. People need to be aware that they hold some very sensitive information and be very careful about what they do with it, who they send it to, what kind of use they do with the data.

Yaniv Avidan: [00:07:03] For instance, if this is a customer data, personal data, and me incorporating that into a marketing presentation, this is something that needs to be realized. It needs to be - the customer or the people attending the data needs to be aware of it.

Yaniv Avidan: [00:07:20] Second, we - companies need to shift how they identify and how they store data and understand that these processes need to shift between the manual approaches, or traditional approaches, used up until now to some very advanced approaches leveraging artificial intelligence because we are talking about a huge amount of data, right?

Yaniv Avidan: [00:07:46] And we talk about the major effect on the company once you break the law. And the difference now is that GDPR becomes a law - right? - rather than a directive. So I think a shift in how using and handling personal data, using advanced technologies in order to cover much more areas in unstructured data specifically because this was a black box or weak point for every company - that would be a good start.

Dave Bittner: [00:08:16] That's Yaniv Avidan from MinerEye.

Dave Bittner: [00:08:20] Two new attack techniques similar to Spectre have been identified. These speculative execution side-channel attacks are researchers' discoveries, not attacks being observed in the wild. ARM, AMD and Intel chipsets are all susceptible to the attacks. Speculative execution is a common and important feature of contemporary chip design, so any methods of exploiting it will have widespread impact. Intel, which paid a bug bounty of $100,000 to the researchers, has offered advice on mitigating the issue. ARM says most of its chips are probably unaffected, but it has mitigation suggestions as well. AMD is still considering the matter but will probably have its own recommendations available shortly.

Dave Bittner: [00:09:05] The report of the new speculative execution issues roughly coincides with U.S. congressional hearings on Spectre and Meltdown. The Senate Committee on Commerce, Science and Transportation deliberated the matter yesterday. And the discussion might count as a contribution to the larger issues of responsible disclosure, information sharing and vulnerability equities. While industry had become aware of the issues and discussed it within industry channels, the chipmakers apparently did not inform the U.S. Department of Homeland Security or any other responsible federal agency. The feds found out about it in January, when the rest of us did, at the time of public disclosure.

Dave Bittner: [00:09:45] But customers and partners learned of Spectre and Meltdown first. Intel shared the discovery with Chinese companies it partners with. And ARM's chief marketing officer told the committee directly that they began sharing with affected customers within 10 days of learning about the problem. ARM's Joyce Kim, said, quote, "we do have architecture customers in China that we were able to notify to work with them on the mitigations," end quote.

Dave Bittner: [00:10:11] It's difficult to fault a company for wanting to take care of its customers. And there's little to no evidence that Chinese intelligence services actively exploited either Spectre or Meltdown. But the possibility that some of the Chinese firms would have passed the disclosure on to their government before DHS so much has got wind of it has given several senators an understandable case of the heebie-jeebies. At the very least, it would seem that some aspects of public-private information sharing still need to be worked out.

Dave Bittner: [00:10:41] Manuals covering various items of U.S. equipment have been found offered for sale on the dark web. The systems covered include the MQ-9 Reaper drone and the M1 Abrams main battle tank, two weapons that have been in use for some time. According to Recorded Future, the asking price was only $200. But since sales appear to have been slow, they were knocked down recently to $150. The person responsible, described by Naked Security as a sad sack, apparently had no real understanding of what he or she had, what it was worth or where to sell it.

Dave Bittner: [00:11:16] But the sad sack knew enough to find Netgear routers with password admin and follow familiar steps to exploit an FTP vulnerability, change the password and get access. Some of the material appears to have been stolen from a U.S. Air Force captain. Other material is openly available from defense department sites.

Dave Bittner: [00:11:35] In truth, the material doesn't appear to be particularly valuable or the kind of thing that would be difficult for a determined service to obtain. Although, a hobbyist or buff might want it for a collection. None of it is likely to be classified, but some of it, at least, was restricted from distribution to foreigners. So perhaps hacker sad sack didn't have his or her price point off too far after all.

Dave Bittner: [00:12:00] And finally, Twitter has set about purging bogus accounts and bots spawned from troll farms. If you are among those who pride themselves on the quantity as opposed to the quality of your followers - and we're looking at you, middle schoolers - you may find to your dismay that all those people from St. Petersburg who were hanging on your every word are soon to be gone - gone with the wind. That's St. Petersburg, Russia, of course. Your grandparents in St. Petersburg, Fla., still love you as much as always.

Dave Bittner: [00:12:34] Now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled "More is Not More: Busting the Myth that More Threat Intel Feeds Lead to Better Security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. To find the paper or to register for a free ThreatConnect account, visit threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.