Bennett Moe: [00:00:04] Twitter and Facebook shut down Chinese information operations. A jailbreak for the latest version of iOS is out. Facebook may have known about the View As bug. Vulnerabilities in Google's Nest Cams are patched. Instagram gets a data abuse bounty program. And the FCC released a report on the CenturyLink outage.
Dave Bittner: [00:00:27] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire, and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:37] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Bennett Moe: [00:02:05] From the CyberWire studios at DataTribe, I'm Bennett Moe with your CyberWire summary for Thursday, August 20, 2019.
Bennett Moe: [00:02:13] Court filings suggest that Facebook may have known about, and failed to fix, the View As bug. Exploitation of the flaw is thought to have resulted in a theft of access tokens that enabled hackers to obtain sensitive information about roughly 14 million Facebook users and less-sensitive information on some 15 million more. The allegations appear in a filing related to a class action suit opened since the breach was disclosed in September 2018.
Bennett Moe: [00:02:38] Twitter and Facebook both said yesterday that they had taken down Chinese state-sponsored information operations focused on discrediting the ongoing protests in Hong Kong. Twitter suspended 936 accounts on its platform while Facebook removed seven pages, three groups and five accounts. Twitter also preemptively removed about 200,000 mostly inactive accounts that it identified as part of the same network. According to Twitter, the operations were, quote, "deliberately and specifically attempting to sow political discord in Hong Kong, including undermining the legitimacy and political positions of the protest movement on the ground," unquote.
Bennett Moe: [00:03:15] The Facebook pages shared political posts that portrayed the protests in a negative light, including photos comparing the protesters to ISIS fighters and cockroaches. Twitter said that most of the accounts used VPNs, but some used unblocked Chinese IP addresses. Facebook launched its own investigation based on a tip from Twitter and linked the operation to individuals associated with the Chinese government.
Bennett Moe: [00:03:37] The Washington Post notes that this is the first time two social networks have called out the Chinese government directly. Twitter also announced in a separate statement on Monday that it would no longer accept advertising from state-controlled media organizations. The company had recently drawn criticism for running ads purchased by Chinese state-run news outlets. Under the new policy, those media will continue to be able to tweet, just not buy ads.
Bennett Moe: [00:04:00] Motherboard reports that Apple accidentally reintroduced a vulnerability in iOS 12.4 that it had patched in iOS 12.3. Security researchers discovered the bug over the weekend, and one of them publicly posted a jailbreak for the latest version of iOS on Monday. As The Register notes, this is relevant even for users who don't plan on jailbreaking their phones because jailbreaking tactics exploit arbitrary code execution flaws. Such exploit code is now open source in a jailbreak, and it can be repurposed for malicious endeavors. Apple is working on a patch which it will probably release in the next few days, but until then, iPhone users should exercise caution when downloading apps from the App Store.
Bennett Moe: [00:04:41] Cisco Talos discovered and helped remediate eight vulnerabilities in Google's Nest Cam IQ indoor camera. The issues could have been exploited to commit denial of service attacks, code execution and information theft.
Bennett Moe: [00:04:54] Facebook has expanded its data abuse bounty program to include Instagram. The program is meant to encourage security researchers to find and report third-party apps that misuse their data. The company is also launching an invite-only bug bounty program to test Instagram's checkout feature, which lets users purchase products within the Instagram app.
Bennett Moe: [00:05:15] Small businesses are increasingly being subjected to cyberattacks, and they lack the resources to build strong security programs. Dave Bittner talks to John Bennett, senior vice president and general manager of the identity and access management business at LogMeIn.
John Bennett: [00:05:29] We recently just released research - SMB's Guide to Modern Identity research - where we surveyed over 700 IT and security professionals from organizations up to 3,000 employees. And the key takeaway is - and I don't think these are going to be a surprise to anybody - is that 98% of our respondents said, you know, they see room for improvement in terms of how they're managing their identity access management for their employees and securing that customer's sensitive data.
John Bennett: [00:06:00] And so I think where we see ourselves today, especially with small-medium businesses, is that, increasingly, they are being targeted for either ransomware or cybersecurity attacks. And they also are in a position where they don't have those tools deployed that enterprises are increasingly deploying to manage and secure their employees' identity and access to those sensitive systems. I think, you know, the state is there's increased risk, there's increased awareness, and SMBs are looking to deploy better tools and solutions to manage and secure their employees' identity access management. But they also are looking for, you know, solutions that fit, you know, their needs, their size of their business and that are easier to adopt - more cost-effective.
Dave Bittner: [00:06:50] Is cost one of the primary drivers here? I mean, what makes a system more effective for a smaller business rather than a large enterprise?
John Bennett: [00:06:58] That's a great question, Dave. On, you know, what makes a great solution or an effective solution for a small-medium business, I think it's a couple of things. One, if they look at the plethora of solutions that are available to large enterprises today, the first is complexity. It's not just a cost factor. Whether it's single sign-on or password management vaulting or multi-factor authentication or privileged access management solutions, what they look at is - there are all these bespoke point solutions in the market today that - they require deep subject matter expertise not just to select them and evaluate them, but once they've deployed them, they also have to have increased expertise in terms of managing those solutions within their organizations.
John Bennett: [00:07:43] A lot of these businesses, you know, they know that they want to increase their investment, but they're looking for, I think, solutions where - they're either a more holistic approach where it's solving more than just securing one point of the access, whether that's single sign-on or multi-factor authentication or PAM or password management vaulting. And then the second piece is I think they're looking for solutions that - with their current IT staff, that these are - that the administrative experience, that the security policy experience is tailored to, you know, a medium or small business where they're able to deploy these tools and get the value from these tools without having to shift, you know, additional headcount into the organization to manage those.
Dave Bittner: [00:08:28] Yeah. I guess that's the trick, really - is being able to dial in that combination of needs specific to that kind of business.
John Bennett: [00:08:36] Exactly. Look. I think we in the industry also - you know, we have a responsibility as we're seeing, you know, this increased threat and the pain point that it's creating, you know, for small-medium businesses. We know that when a small business is hacked, 60% of those - they go out of business within six months of experiencing a breach. And I think we in the industry have a responsibility to make our solutions easier for organizations that have, you know, four to five IT professionals. They wear many hats. They don't have a CISO. They don't have threat analysts in their organization.
John Bennett: [00:09:13] We have a responsibility to also make our tools affordable, easier for them to understand what the cost is for deploying our tools and make it easier for them to deploy those to their employees and manage those and have an ROI that they can justify in their organization. It's - I think it's something we all - all vendors in the organization - I mean, all vendors in this identity access management ecosystem, we have a responsibility to do a better job here in terms of accessibility for mid-market and below.
Dave Bittner: [00:09:41] Yeah. One of the things that your recent research looked at was individual teams within companies. Who's doing better jobs than others? What sort of stuff did you find there?
John Bennett: [00:09:52] Yeah. So, you know, in, you know, some of the key, you know, takeaways - and I think these aren't a surprise - is - and we looked at the research. You know, organizations like finance and IT - like, they're doing a better job in terms of making sure that their employees are following good behavior and good policies in securing that sensitive data in a way that is protecting the organization from external threats. And I think the other thing we learned is that when you look at parts of the organizations within small-medium businesses, whether that's marketing or sales, again, what these employees want to do - they want to be able to use the tools that are available to them, whether they're sanctioned or not sanctioned, to be able to get their job done. And what we see there is the behavior there is, you know, generally high sharing of passwords, using applications outside the organization, password reuse.
John Bennett: [00:10:49] What we found in our research is, in those parts of the organization, they're struggling with the balance of the employees. What the employees want is convenience, and they want - if they're going to improve their security posture, it has to be effortless for them in order to be able to use the tools that they want to. And I think that's not a surprise, but I think it's an area that - there are simple things that businesses can do to improve the security posture for those parts of the organizations - deploying, you know, a password management for - improving that, deploying multi-factor authentication. What we've learned is - we know that employees - there's a high reuse of passwords across the organization, that they're using applications that - even if a medium business or small business has deployed a single sign-on solution - which is using that single password and credentials to access, you know, applications that are supported by that solution - that there's a host of applications that we all bring into the workforce that are not covered under single sign-on.
John Bennett: [00:11:54] And so the other thing that we found from our research is - and I think there's a high awareness, and we're seeing an acceleration in the adoption of multi-factor authentication because, again, this is a way where you're using a second set or a third set of either biometrics or credentials or a trusted device that is securing all those access points, whether it's through a single sign-on application or an application outside of that.
Bennett Moe: [00:12:17] And that's John Bennett, senior vice president and general manager of the identity and access management business at LogMeIn.
Bennett Moe: [00:12:24] Lawfare has published an appeal for public engagement with the Cyberspace Solarium Commission. This commission, seen as a successor to the original Solarium council of elders that worked out U.S. deterrent policies in the early days of the Cold War, is trying to do something similar for cyberspace. If you have insights, suggestions or perspectives you'd like to share with the commissioners, drop them an email. Their address is firstname.lastname@example.org, so let them hear from you.
Bennett Moe: [00:12:52] The Federal Communications Commission yesterday released a report on the countrywide network outage experienced by CenturyLink last December. The outage affected 911 systems across 29 states, and at least 886 911 calls were not delivered as a result. The outage was traced to CenturyLink's node in Denver, Colo., which for unknown reasons generated four malformed management packets and sent them to all connected devices. These packets had valid headers and checksums and had no expiration time. Each node that received the packet would re-transmit them to all of its connected nodes. The report explains that, quote, "the exponentially increasing transmittal of malformed packets resulted in a never-ending feedback loop that consumed processing power in the affected nodes, which in turn disrupted the ability of the nodes to maintain internal synchronization. Without this internal synchronization, the nodes' capacity to route and transmit data failed. As these nodes failed, the result was multiple outages across CenturyLink's network," unquote.
Bennett Moe: [00:13:52] The FCC said CenturyLink could have prevented or mitigated the outage by disabling unused systems, implementing stronger filtering and using processor utilization alarms. Ars Technica notes that the FCC didn't announce any disciplinary action for CenturyLink, nor did it order the company to take steps to improve its network. It's an interesting case of how a small issue can cascade into a larger one. It seems that there was no attack involved.
Dave Bittner: [00:14:23] And now a word from our sponsor, KnowBe4, the experts in a new-school approach to manage the ongoing problem of social engineering. The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. KnowBe4 has an on-demand webinar featuring Roger Grimes, KnowBe4's data-driven defense evangelist. He'll take you through the cyber kill chain to show you how a single email slip-up can lead to the total takeover of your network, and he'll share actionable strategies you can put in place now to greatly reduce your risk. Go to knowbe4.com/cyberkillchain and watch the free webinar. That's knowbe4.com/cyberkillchain. And our thanks to KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:28] And I'm pleased to be joined once again by Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he also leads their Managed Threat Services intelligence team. Michael, it's always great to have you back. I know one thing that you and your team have been tracking is this notion of quickness to exploit. What can you share with us about that?
Michael Sechrist: [00:15:45] Sure. Yeah. Thanks for having me back. Yeah, so one of the things that is growing is the time to exploit a particular, you know, vulnerability. What we've seen in some cases - obviously, within days, sometimes even before, potentially, the exploit is even announced, there has already been exploitation seen in the wild. And that has to do with the fact that, you know, once, typically - you know, on your typical vulnerability scale, once a patch is released, the kind of malicious actors or even kind of sort of gray hat or white hat actors can typically just do a differential of the patch and the file that's issued and then kind of the current release of the software and find, potentially, the vulnerability and what was changed in the code and kind of reverse-engineer that and try to find a way to reverse-engineer that code into an actual functioning exploit. You know, this is kind of a cottage industry that's obviously been in place for years. But the rise in this and the quickness to publish some of these results, either via a GitHub page or just a blog, has grown significantly and is something that we as an intel organization work hard to try to track for our clients as well as ourselves.
Dave Bittner: [00:16:56] From a practical point of view, does this mean that organizations out there really need to accelerate their patching process?
Michael Sechrist: [00:17:03] It's definitely something for an organization to consider. You know, there's been some discussion that, you know, most Microsoft patches can be reverse engineered in this way within a matter of a few days. I think with other kind of patches that we know are applied to software that is - or even middleware or hardware that's difficult to identify or difficult to patch, you see more actors trying to find exploits and reverse engineer patches for those kind of - to target that software or hardware in that case. The patching process has to speed up, but I think it has to speed up for the software that has a kind of higher likelihood of tag or exploit. Just because a vulnerability exists, and even if it's a high CVSS score, that doesn't necessarily mean that that vulnerability is going to be developed for that vulnerability. It's going to take, you know, a lot of other factors, typically, for a full-functioning exploit to be developed and to be really readily used in the wild.
Michael Sechrist: [00:18:03] Obviously, we've been tracking this BlueKeep vulnerability from the - that Microsoft put out and some of the now-functioning exploits that are in the wild for that because it does have the potential to release another kind of WannaCry event in the industry, and that's something that our clients and basically everybody who works in cyber threat intelligence is concerned with.
Dave Bittner: [00:18:24] What are your tips in terms of organizations setting priorities for ordering how they go about doing their patching?
Michael Sechrist: [00:18:31] I think it's a bit of an art and a science here. A strong patching cycle and having a well-oiled machine to kind of release patches is important so that you can - in times of crisis, when you really need to get a patch out because you know potential exploitation is happening at that moment - potentially even exploitation that you're seeing on other sort of logs and servers - there has to be that kind of reliance on that trust in your organization that we can push a patch out as fast as we might need to. You know, in some cases, that could be less than a day, I would think, for an organization. And that's a significant operational undertaking in a lot of cases. But the other kind of flipside to that is to build an intelligence kind of function that works well with your vulnerability management team so that you're not constantly setting fire drills off in your organization.
Michael Sechrist: [00:19:16] A lot of times, there aren't that many vulnerabilities that you really need to patch in that way. Just because it reaches a certain, like I said, CVSS score or it is something that's even being talked about in the industry, that doesn't necessarily mean that you have to go light your hair on fire and try to patch within a day. But there are, in certain circumstances - and I think this is where the art comes in. There's - obviously, it's based on, you know, kind of your risk posture as an organization, as well as maybe where your critical data is residing. There are some instances where you're going to want to pull that fire drill lever and get kind of the organization, you know, moving very fast to release a patch because potentially, you know, the Struts software platform is vulnerable, and you use - some of your critical apps rely on Struts and are externally facing. Well, that might be a situation that - you want to not only validate whether kind of an exploit would work against those systems, but if it does, you need to patch immediately.
Dave Bittner: [00:20:11] All right. Well, Michael Sechrist, thanks for joining us.
Bennett Moe: [00:20:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Bennett Moe: [00:20:36] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Chris Russell, John Petrik, Jennifer Eiben, Dave Bittner, Peter Kilpe. And I'm Bennett Moe.