The CyberWire Daily Podcast 2.26.19
Ep 788 | 2.26.19

Sino-Australian, Sino-American cyber tensions. Threat trends. Bare-metal cloud issues addressed. USB-C and memory attacks. Credential stuffing in tax season. Twitter hijacking.

Transcript

Dave Bittner: [00:00:03] Updates on suspicions of Chinese operators, some trend reports from IBM and NETSCOUT, bare-metal cloud services get reflashed, USB-C ports may be more vulnerable than thought to direct memory access attacks, credential stuffing attacks hit users of online tax preparation services, and that missile attack on Tampa was not a drill. In fact, it never happened at all. And congratulations to the citizens of Florida for recognizing a hack and a hoax when they see one.

Dave Bittner: [00:00:38] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? Akamai's edge security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the north hall, booth 6153, to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai - intelligent security starts at the edge. Learn more at Akamai. That's akamai.com/security. That's akamai.com/security. And we thank Akamai for sponsoring our show. The CyberWire podcast is made possible in part by RSA Conference taking place March 4 through the 8th at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.

Dave Bittner: [00:02:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 26, 2019.

Dave Bittner: [00:02:14] Investigation of the wave of hacking Australia's Parliament and major political parties sustained continues. Speculation - and it's important to note that the speculation, while informed, is determinedly unofficial. Well, speculation has centered on Chinese intelligence services. Some are calling for the Australian government to just go ahead and get the attribution over with, but their deliberation is commendable. Attribution is notoriously tricky, but eventually the investigation will reach a conclusion. The question, as a note in ZDNet points out, is whether the investigators will be willing and able to show their work.

Dave Bittner: [00:02:52] Australia has already taken steps to keep Huawei out of its 5G networks before this latest round of incidents - none of which, by the way, seemed to implicate Huawei. In the U.S., there are calls in Congress to go even farther than that and ban the company's hardware from even legacy networks. Huawei continues to insist that the Americans have no - zero - evidence that there are any security problems with their devices. IBM's X-Force released its 2018 Threat Intelligence Index report this morning. They found that ransomware declined while cryptojacking rose.

Dave Bittner: [00:03:27] The researchers also found that misconfigurations continue to be a problem for organizations, with public disclosure of such incidents up by 20 percent over 2017. Scammers continue to make heavy use of business email compromise, so watch out for social engineering. And attackers are taking a much greater interest in the transportation sector. That industry was the second most attacked in 2018, rising from the 10th place it occupied in 2017.

Dave Bittner: [00:03:56] NETSCOUT also released a trend report today. They find an increasing threat to the Internet of Things, with IoT devices coming under attack as soon as five minutes after their installation. Much of the attention attackers give these devices is done to mount distributed denial-of-service attacks. NETSCOUT also thinks they're observing more involvement of nation-states in the conduct of such DDoS campaigns.

Dave Bittner: [00:04:22] Security firm Eclypsium this morning released a study of potential security issues that arise with bare-metal cloud services. IBM, among the vendors affected, responded yesterday by requiring that all baseboard management controllers, quote, "be reflashed with factory firmware before they are re-provisioned to other customers" - end quote. Eclypsium says it's pleased to learn of this mitigation but that they disagree with IBM's assessment of the vulnerability as low severity. Eclypsium thinks it more serious than that.

Dave Bittner: [00:04:55] Do dongles make you nervous? Do you worry about that thumb drive? How about USB chargers? Well, worry. New research from the University of Cambridge and Rice University shows that computers with USB-C ports are more vulnerable to direct memory access attacks than previously thought. Current protection provided by input-output memory management units, or IOMMUs, was found to be insufficient. As a result, Cambridge says many computers running Windows, Mac OS and Linux can be compromised by peripheral devices like chargers. Complete remediation will require changes in system design on the part of the technology companies, which the researchers say is in progress. Until then, users are advised to avoid connecting untrusted devices to their platforms.

Dave Bittner: [00:05:45] Looking toward the business side of cyber security, the sector as a whole continues to be hot with venture capital investors. We checked in with Gaurav Tuli, partner at F-Prime Capital, for his take on the market.

Gaurav Tuli: [00:05:58] We see funding in security as really robust, you know, and it's been steadily growing from kind of $1 billion to $2 billion per year several years ago to now it's approaching $5 billion a year. And it really - it'd make - today, security is one of the largest areas of investment in venture capital. And that's a pretty big statement considering how much money is going into private companies.

Gaurav Tuli: [00:06:19] The common wisdom, and, you know, I think it has still yet to be refuted, is that, you know, cybersecurity has been effectively an evergreen area in that, although, you know, we look at the market today and there's thousands of companies and it feels overfunded, the reality is that it's really hard to be an enterprise and win. And you're fighting against attackers that are incredibly sophisticated, technology incredibly sophisticated, experience potentially backed by governments. It is a monumental task to keep up. And at the same time, you've got a very, very rapidly expanding threat landscape.

Gaurav Tuli: [00:06:53] So the ability for incumbents - you know, the large - typically large security vendors or diversified technology vendors to keep up and continue to supply enterprises with the technology they need to protect themselves and - that's a really difficult problem to solve. And that's why startups have been so important and I think will always be important in cybersecurity. That's why this - the investment continues.

Dave Bittner: [00:07:18] Now, the companies that you're seeing at F-Prime Capital - what are the things that set the folks apart - the ones that catch your attention, the ones you want to spend time with? What are the differentiating factors for them?

Gaurav Tuli: [00:07:31] It's a great question. So, you know, we are very long-term optimistic on the space. I think we continue to see lots of areas of innovation and security, lots of companies that we like. And the questions we ask ourselves in security are similar to the questions we ask ourselves in many other areas, which is, you know, let's understand the founder and their motivations. Let's understand how this company will exist and its environment, the product, the defensibility around it and, you know, finally, like, how is it doing?

Gaurav Tuli: [00:08:00] There are very few enterprises - you know, less than 1 percent - that have the luxury of, you know, massive IT budgets, massive, potentially unlimited security budgets. I put Bank of America and J.P. Morgan and Citigroup in the bucket. Their very well-paid CSOs, large security engineering teams - they're building custom protection, custom monitoring, custom response security operation centers that are heavily staffed. But, you know, outside of this kind of Fortune 500, Global 2000, most companies frankly have very little. And, you know, we speak to many of these companies, and they'll have a designated IT guy as their informal CSO. And it's a really daunting job if you're alone and if you're new to security.

Gaurav Tuli: [00:08:40] So we look for interesting solutions that can both solve this problem - which is, you know, how do I help organizations that just can't scale up on the human resource side to manage, you know, more security alerts or more vendors? - but at the same time protect them; allow them to respond efficiently and quickly; and understand their environment. So the kind of companies that can do that - and, you know, I think we have several in our portfolio that we're really excited about - that really catches our eye because not only can you solve the problem for that 99 percent that don't have the resources to do it, you can scale up and still help very large enterprises, which, you know, tend to have the larger budgets.

Dave Bittner: [00:09:22] Do you have any advice or words of wisdom for that person who's, you know, sitting in their garage or basement, thinks they - think that they have a better mousetrap, a better way to solve some of these problems? Any tips or words of wisdom for them to prepare themselves to be properly prepared for going out and speaking to folks like you?

Gaurav Tuli: [00:09:43] Ultimately, it's - I think it's the most important consideration any security entrepreneur should have, and I think the best ones do - is around understanding the customer and understanding the customer need. And that's what all of - you know, we believe all of our companies are guided towards that kind of true north, which is, what is - how do we significantly improve the lives of our customer?

Gaurav Tuli: [00:10:07] And that can come through many areas, but I - you know, to your point about a better mousetrap, there's lots of exciting technology you can throw into a security product today. But at the end of the day, you know, you have to remember that CSOs and security teams are overwhelmed with the amount of technology, the amount of jargon, the amount of companies that are coming at them.

Gaurav Tuli: [00:10:28] And what they really need is someone to help them solve their problems. Sometimes that's just basic blocking and tackling, and they need a more efficient way of doing it. And sometimes it's, you know, innovative new threat factors that they need to wrap their heads around. But you really have to spend time with the customer to understand their needs, understand how they think about things and understand their real problems before you can take a better mousetrap and turn it into a company.

Dave Bittner: [00:10:49] That's Gaurav Tuli from F-Prime Capital.

Dave Bittner: [00:10:54] It's tax season in America and in some other places, too. It had been reported that TurboTax had been breached, but that seems not to be true. The popular online tax preparation service wasn't itself compromised, but a number of users were. Credential stuffing attacks appear to have hit an undisclosed number of accounts.

Dave Bittner: [00:11:15] And finally, no, the mayor of the city of Tampa is not a delusional lunatic rampaging wildly through social media. He does have a Twitter account, and someone did hijack it. The still-unidentified hacker got control of the account for about five hours last Thursday and used it to post a series of vile and threatening tweets, including a fake ballistic missile warning. The tweet read, ballistic missile inbound thread inbound to Tampa Bay area. Seek immediate shelter. This is not a drill. That's thread, not threat, friends, which is - that's thread, not threat, friends, which would've been redundant in any case since an inbound missile is as close to a threat, by definition, as anything ever is in this vale of tears. Of course, the tweet was in all caps, presumably so everyone would get the urgency because nothing says call to action like Caps Lock.

Dave Bittner: [00:12:11] Tampa's City Hall responded by saying, earlier this morning, we noticed someone hacked Mayor Buckhorn's Twitter account. This was clearly not Mayor Buckhorn. Upon noticing the hack, we immediately began investigating these reprehensible tweets. So what was reprehensible beyond, oh, a false alarm announcing nuclear Armageddon? Well, beyond inbound missiles, the hijacker said that he, she or they had put a bomb somewhere and looked forward to seeing minorities die. There was a range of sexist and racist invective, along with particularly repellent child abuse content tagged with what Naked Security calls personalities in the gaming community.

Dave Bittner: [00:12:51] There's a good news side to this, and that side is the fact that apparently no one took this nonsense seriously. His Honor Bob Buckhorn normally tweets normal, upbeat stuff, happily boosting Tampa with encouragement for investment, development, home repair, swapping good ideas and so on. Depravity and the gaming community really aren't in his line at all. Apparently, people knew that something was amiss and that it had nothing to do with Mayor Buckhorn. He wouldn't tweet panic, murder and obscenity. This skeptical response is a pleasing sign of some local herd immunity to epistemic contagion.

Dave Bittner: [00:13:28] How did the hijacker get control of the account? Well, the best guess so far is weak passwords, possibly exploited in credential stuffing or a dictionary attack.

Dave Bittner: [00:13:38] What about the perpetrators, you might ask? Here, alas, it's a familiar-sounding story. Personalities in the gaming community is probably the key. The skid responsible for the incident sought to shift responsibility to three gamers, one of whom said the whole thing came about in the course of an online disagreement. Some of the gamers tagged have been swatted by other gamers in the past. The city of Tampa is working with law enforcement to find the person or persons responsible. Good hunting to you, we say, and be on the lookout for a half-hacker-weight skid who spends way too much time trading skins.

Dave Bittner: [00:14:20] And now a word from our sponsor, LookingGlass Cyber Solutions. Cyberthreats are a risky business. Criminals are taking bigger risks than ever before to acquire your organization's sensitive data. As pressure increases, you need a partner to help manage and control your digital business risk. Slide into LookingGlass' booth, number 2327 in the South Hall, at RSA Conference 2019, to hear how you can better manage your organization's risky business by leveraging their 20-plus years of investment and tradecraft for an outside-in view of your security posture. Or step away from the hectic expo floor for a demo tailored to your business needs in the LookingGlass meeting suites at the Marriott Marquis. Reserve your demo and learn more about LookingGlass at RSA Conference or visit their website, lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:15:28] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. You know, you travel all over the world looking at - well, responding to these incidents and looking at how people have been attacked and the vulnerabilities that they have. What are the things that you see out there? What are the vulnerabilities that adversaries are really looking for?

Justin Harvey: [00:15:51] Well, they're looking for any sort of vulnerability they can use to their advantage. And there's been a lot of talk about zero-days, and zero-days are not used as often as you might think in these cases. Adversaries typically have several tiers of exploits that they run. They've got their zero-days. Some of them have their zero-days. They have their best private stuff that they have at the top of the scale. And all the way at the bottom of the scale, you've got your run-of-the-mill stuff that you can maybe download from the web or the dark web, stuff that has been put into antivirus and other protective measures that you might think that may never be successful.

Justin Harvey: [00:16:37] But I'll tell you, there's a golden rule here, and the golden rule or the golden motto of these adversaries is, use the path of least resistance. So you're not going to bring out your best stuff, your highest-tier exploits and capabilities, if it's not needed. We worked a case earlier this year where a nation-state was actually using an extremely old remote access Trojan, one that had been in the public domain for several years, including the source code. Why did they do that? They used it because it worked. Until organizations can raise their collective level of capabilities within their cyberdefense programs, then you're going to continue to see adversaries using the path of least resistance, doing whatever they can do, starting from the easiest step to get into those systems.

Dave Bittner: [00:17:29] Now, what about on the social engineering side of things? I mean, we talk about technical things. Like, you mentioned zero-days, but how about getting your employees up to speed with training and things like that?

Justin Harvey: [00:17:41] It's an absolute must. The ability to recognize and respond to social engineering attacks is becoming much more mainstream in security awareness programs for organizations. Business email compromise attacks - basically the type of attack where you send a login page to someone and they click it, and they put in their credentials. And that's used later for theft or for malfeasance. That can only exist because of social engineering.

Justin Harvey: [00:18:12] We've also seen password reset attacks using social engineering. We've seen MFA type of attacks using social engineering, meaning someone can call up a call center and say that their multifactor isn't working anymore. And they can impersonate the user and then, of course, work with the help desk in order to reset the multifactor and put it on the adversary's device.

Justin Harvey: [00:18:36] And then not quite social engineering, but in that same vein is impersonation. So impersonation is where an adversary becomes the administrator or becomes the engineer on an OT network by abusing the credentials. Typically, we see adversaries use malware to get in the front door to establish their foothold. They steal credentials, and then they move about in the enterprise, utilizing those stolen credentials. And they - a lot of times, they don't use malware anymore.

Justin Harvey: [00:19:10] So more and more organizations are looking at things like insider threat platforms and the ability to really question your identity logs in the enterprise to see if there is any sort of anomalous behavior by your administrators or by your users. For instance, why is the CFO logging into the development environment? That would be a really good example of the types of breadcrumbs you're looking for from these adversaries.

Dave Bittner: [00:19:43] Now, it's interesting insights. Justin Harvey, thanks for joining us.

Justin Harvey: [00:19:47] Thank you.

Dave Bittner: [00:19:52] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:04] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.