The CyberWire Daily Podcast 2.28.19
Ep 790 | 2.28.19

Third-parties can misconfigure, too. Coinhive goes out of business. Intel decides 5G project with Chinese partner is too hard. Bronze Union. Clearing Facebook data. Proper disposal of lawful intercept tools.

Transcript

Dave Bittner: [00:00:03:09] A misconfigured Amazon Web Services database exposes a risk screening database, and it seems the exposure itself was an instance of third-party risk. Farewell to Coinhive, long a favorite of cryptominers everywhere. Intel pulls back from a 5G project with a Chinese partner. A quick look at Bronze Union and what the threat actor's up to. Facebook will soon help you clear your data, and if you have a lawful intercept tool you no longer need, please don't sell it on eBay.

Dave Bittner: [00:00:40:07] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7, 365 security operation center support around the globe, and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are, at the core, in the cloud, or at the edge.

Dave Bittner: [00:01:20:21] If you're going to RSA this year, visit Akamai in the north hall, booth 6153, to take part in their Crack the Code challenge, for an opportunity to win a new 3D printer. Akamai, intelligent security starts at the edge. Learn more at akamai.com/security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:01:48:14] The CyberWire Podcast is made possible in part by RSA Conference, taking place March 4th through the 8th at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference with a world top security. Learn more and register today at rsaconference.com/cyberwire19.

Dave Bittner: [00:02:10:12] From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, February 28th, 2019.

Dave Bittner: [00:02:18:15] A misconfigured AWS database has induced another data exposure. Security researcher Bob Diachenko discovered the Dow Jones risk screening database residing on a publicly-accessible Elasticsearch cluster, TechCrunch says. The watch list contains open-source data on more than 2.4 million potentially risky individuals and business entities. The data includes personal information as well as extensive notes for each entry, detailing the reasons for its inclusion on the list. This data is used by companies to screen clients and identify illegal behavior, although TechCrunch notes that people can end up on the list based on flimsy evidence. While the data itself was compiled from public sources, the fact that a person or entity is on the list is highly confidential, and could damage the reputations of some people who might not deserve it. Diachenko says the list contains "the identities of government officials, politicians, and people of political influence in every country of the world."

Dave Bittner: [00:03:23:15] A Dow Jones spokesperson said the leak was due to an "unauthorized third-party's misconfiguration of an AWS server." A similar incident occurred in 2016, when a security researcher found Thomson Reuters' watchlist, containing 2.2 million profiles, in an Apache database that was configured for public access from the Internet by a third party. These incidents serve as a reminder that companies need to take responsibility for their database deployments, even if they outsource some of the work.

Dave Bittner: [00:03:55:17] Researchers at Cisco recently took a close look at data privacy and security in their 2019 Privacy Maturity Benchmark Study. Michelle Dennedy is Chief Privacy Officer at Cisco; she joins us to share their findings.

Michelle Dennedy: [00:04:10:12] Last year was really the run up to GDPR, the General Data Protection Regulation in Europe, and we specifically asked folks, "Are you ready? Do you feel like you're in compliance, such as that is, as well as is known?" We found that about 60% of our respondents feel good today that they are ready for GDPR, it is a law and it is in force, and about 97% of them felt that GDPR did apply to them and their business. This is a global study; countries as far flung as Japan, Hong Kong and Australia all feel that the impacts of GDPR are hitting them as well, and they're also preparing and getting ready for this. I think that was kind of the ah-ha number one: that even sectoral laws have global application in the digital world.

Michelle Dennedy: [00:05:01:07] I think the other big ah-ha moment is the recognition that what I call data friction, or sales slow-down, is growing. Last year we found about 65% of our companies were coming back and saying, "Yes. We are seeing that business is being slowed down or even stopped by questions of security and privacy." And this year it was about 87% of respondents recognizing that questions of cybersecurity and privacy are actually slowing business. That's where the really interesting correlations start to begin.

Dave Bittner: [00:05:37:22] Now this survey is obviously, and I think justifiably, based around GDPR, and there is a push for similar types of legislation to come to the United States. There are folks who are pushing for a national data protection law, rather than going state by state. When you look in your crystal ball, when you look toward the horizon, what do you see coming?

Michelle Dennedy: [00:06:00:09] Yes, so I'm one of those folks, and you can see it's not just me alone as the privacy person who has obviously got personal investment in that. Chuck Robbins, our CEO, has announced his support. I think that if I look in my crystal ball, it took ten years for GDPR to become a law. The Twitter answer is, "Oh, let's import GDPR." And that's adorable, but when the real work is done, first of all, most of the countries in the European theater are civil law countries, and not common law, which is a distinction that has meaning. We are a common law nation, so that means that we start with principles and we build out with use cases, which are our case laws, our judiciary. That doesn't mean we don't have laws; it means that each principle actually has quite a bit of impact. Essentially a civil law country tries to cover all use cases as widely as possible, and then figures out how that law is applied over time. Both schemes are compatible, but that doesn't mean that you can just pick up one law with all of the negotiations and hearings and cultural specificities, including data protection agencies that exist in all the member states.

Michelle Dennedy: [00:07:12:12] We have Attorneys General. They are not the same as DPAs, but they act as DPAs in many significant ways. It's a long-winded way of saying, "I don't think it's going to take the ten years it took GDPR to be negotiated and implemented." But I do think it's going to take some time, and the time is now to get government leaders behind, not a quick fix, but a real fix. That's what we're really pushing for. Clear privacy by design, privacy engineered. Understanding what is good, understanding how to get to a risk-based situation that is interoperable, not just with GDPR but with what the Brazilians have passed recently, the Japanese have passed, our neighbors to the north in Canada have had PIPEDA for a very long time. And we have gone sector by sector, but we're finding, and the example that I often reach for is the pacemaker: if I have a pacemaker implanted in my body, and I travel from Massachusetts to California, the IoT safety and security laws in one jurisdiction may not match the healthcare law and data of another. This is one person, with one device, and we need to make that safe, and secure, high fidelity, high integrity. That is our mission.

Dave Bittner: [00:08:31:11] That's Cisco's Chief Privacy Officer, Michelle Dennedy. The report is the 2019 Privacy Maturity Benchmark Study.

Dave Bittner: [00:08:40:02] ZDNet reports that the Coinhive cryptomining service, notorious for its widespread use in cryptojacking campaigns, will shut down in March. Coinhive was an in-browser service that let websites use their visitors' computers to mine Monero. The company said in a blog post that the project is no longer "economically viable," due to a recent hard fork and the gradual devaluation of Monero. A hard fork is what happens when a blockchain protocol is changed, requiring all users of the protocol to upgrade to the newest version. Monero seems to ban the use of application-specific integrated circuits, or ASICs, by implementing multiple hard forks each year. Each hard fork causes the currency's mining activity to plummet as the ASICs that have cropped up since the last hard fork are rendered incompatible.

Dave Bittner: [00:09:32:21] Coinhive will cease operations on March 8th, the day before another hard fork takes place on the 9th. While Coinhive was the most popular miner for cryptojackers, cryptomining attacks will continue without it, as there are a number of Coinhive spin-offs, and attackers can always develop cryptominers on their own.

Dave Bittner: [00:09:52:13] Intel has ditched its 5G deal with Unisoc, China's largest mobile chip developer, due in part to worries that the partnership would complicate matters in Washington, the Nikkei Asian Review reports. The deal was announced less than a year ago at the 2018 Mobile World Congress in Barcelona. The US has greatly increased its pressure on Chinese technology companies since then, citing security concerns that the equipment could be backdoored during production. Intel says the decision was mutual, and that there was no political pressure from the US. Nikkei cites a source as saying that Intel's former CEO, Brian Krzanich, who departed the company in July, was the main advocate for the deal. Unisoc, a subsidiary of Chinese state-owned Tsinghua Unigroup, announced on Tuesday that it will design its own 5G modem chip in-house.

Dave Bittner: [00:10:45:23] Huawei, which has borne the brunt of Washington's criticisms, has been ridiculing the US' security concerns at this year's Mobile World Congress. Earlier today, the company pleaded not guilty to US charges of trade secret theft. Canada will decide tomorrow whether to begin extradition proceedings for Huawei's CFO, Meng Wanzhou, who has been charged with fraud by the US. The legal and commercial wrangling will continue.

Dave Bittner: [00:11:14:03] There is, of course, clearly some Chinese espionage afoot, whether Huawei or any other company is implicated or not. Research from Secureworks on a suspected Chinese threat actor known as Bronze Union, or APT27, highlights the group's flexibility and persistence. The hackers use updated versions of tools that have been publicly available for over a decade, as well as custom-made malware, to conduct espionage and theft against political, technology, manufacturing, and humanitarian organizations. Their activities include spying on dissidents and other persons of interest as well as stealing secrets about cutting-edge weapons technologies.

Dave Bittner: [00:11:56:09] Facebook will finally release its "Clear History" feature later this year, the Telegraph notes. The tool, which was first announced last May, will allow users to delete data collected by Facebook from third-party apps and websites. Mark Zuckerberg said the tool will be similar to clearing one's browser history. The Verge notes that this could potentially have a significant negative impact on Facebook's revenue, which relies heavily on targeted advertising, but it would be a positive step towards transparency and granting users control over their data.

Dave Bittner: [00:12:31:19] Smartphone hacking devices from Cellebrite are selling for cheap on eBay, according to Forbes. The tools, which are meant to be used by law enforcement, can be used to hack iPhones and Android devices. Israeli company Cellebrite sells the products for $6,000 apiece, but used versions are being sold on eBay for as low as $100. While the devices themselves are dangerous in the wrong hands, a more pressing concern is that the vulnerabilities they exploit will be discovered by malicious actors.

Dave Bittner: [00:13:03:04] Cellebrite's tools presumably take advantage of zero-day vulnerabilities to yield access to phones. Security researcher Matthew Hickey, who bought twelve of the devices earlier this month, has been trying to find out what information they contain. He says the software is encrypted, but the keys should be extractable from the device, although he hasn't had any luck so far. Hickey was also concerned to find leftover data from the previous owner, including WiFi passwords, which is particularly worrying, considering that most of Cellebrite's customers are government agencies such as the FBI. Cellebrite is understandably unhappy with these developments, and urges customers to return their old devices to the company for proper disposal. And eBay does not count, friends, as proper disposal. Nor does Craigslist, or an ad in the local Penny Saver, the local flea market and so on.

Dave Bittner: [00:14:03:02] And now a word from our sponsor, LookingGlass Cyber Solutions. Cyber threats are a risky business; criminals are taking bigger risks than ever before to acquire your organization's sensitive data. As pressure increases, you need a partner to help manage and control your digital business risk. Slide into LookingGlass' booth number 2327 in the South Hall at RSA Conference 2019 to hear how you can better manage your organization's risky business by leveraging their 20 plus years of investment and tradecraft for an outside-in view of your security posture. Or step away from the hectic expo floor for a demo tailored to your business needs in the LookingGlass Meeting Suites at the Marriott Marquis. Reserve your demo, and learn more about LookingGlass at RSA Conference, or visit their website, lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:15:11:09] And joining us once again is Malek Ben Salem; she's the Senior R&D Manager for security at Accenture Labs. Malek, it's great to have you back. You wanted to share with us some work that you've had your eye on. This was some folks who've been measuring the commoditization of cybercrime. What's going on here? What can you share?

Malek Ben Salem: [00:15:30:21] Yes, this is a study conducted by researchers from Delft University. They wanted to look at to what extent cybercrime has been commoditized. We've all observed the increasing commoditization over the last few years, particularly by looking at reports on cybercrime-as-a-service offerings, which included DDoS attacks starting at $10. But the researchers wanted to investigate whether this spanned beyond DDoS attacks, whether a cybercriminal could buy everything they wanted if they decided to perpetrate an attack.

Malek Ben Salem: [00:16:07:09] For instance, suppose they wanted to hit a bank with financial malware; could they do so with off-the-shelf components? So they explored which parts of cybercrime value chains were successfully commoditized, and which ones were not. They also looked at what kind of revenue criminal business-to-business services generated, and how fast they were growing. Their study covered eight online anonymous markets over six years; it included the original Silk Road, as well as AlphaBay.

Dave Bittner: [00:16:44:05] What did they discover?

Malek Ben Salem: [00:16:45:19] There were some interesting findings. They found that the number of vendors offering these cybercrime products was growing over time. As a matter of fact, it grew by 150% between 2015 and 2017. They also revealed that cybercrime was very much resilient to law enforcement take-downs, which I guess we knew. You take down one of these online markets, anonymous markets, it restarts under another name. They also found that commoditization was not happening across all products. For certain categories there was enough variety and standardization, for example in malware, but for others, such as exploits, there was a scarcity of various exploits. There was a focus on Office exploits, but not enough to cover all types of exploits.

Malek Ben Salem: [00:17:47:22] Another thing that they found was that a lot of the offerings were related to cash-out offerings, such as credit card numbers. A growing number of distribution vehicles, such as compromised websites that you can use to distribute malware. But there was not enough, again, around exploits and other types of cybercrime offerings.

Dave Bittner: [00:18:14:09] If I'm a cybercriminal looking to go out there and do some bad things, but I don't necessarily have the technical skills to spin it up on my own, I might be somewhat limited in what I can go out there and find?

Malek Ben Salem: [00:18:26:24] Exactly, and that's basically the major finding. Overall their findings suggest that, while there is growth in cybercrime, commoditization may be a part of your phenomenon than what we've previously assumed. Obviously, commodities or cybercrime offerings may be available somewhere else, like in forums. But in those cases forums actually do not necessarily offer the safeguarded structure that online anonymous markets may offer. Therefore they would require more interaction by somebody who's looking to buy something, to buy a service or an offering, which means that whatever is offered there is for the most part a service rather than a commoditized product.

Malek Ben Salem: [00:19:16:12] If we're not seeing traces or evidence of cybercrime commodities in these online anonymous markets, then we're unlikely to see evidence for them elsewhere. What the study concludes is that, again, while there is some limited evidence that this market is being commoditized, it's not across the board. It's lowering the barrier for would-be criminals, but these would-be criminals would not be able to outsource everything they need in order to conduct a cyberattack.

Dave Bittner: [00:19:57:10] Yes, those are interesting findings. Malek Ben Salem, thanks for joining us.

Malek Ben Salem: [00:20:02:04] Thank you Dave.

Dave Bittner: [00:20:07:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:20:10] The CyberWire Podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:20:30:12] Our CyberWire Editor is John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.