Have you read Gartner’s 2019 Market Guide for Network Traffic Analysis yet?
The week that was.
Venezuela blames power outages on sabotage and cyberattack.
Specifically on a yanqui "demonic electromagnetic attack." But most observers think the explanation is reaching. It's surely possible to take a grid down with a cyberattack (the Russians have done it twice in Ukraine), and there's little love lost between the Chavista regime and the US (indeed, little love lost between the Chavista regime and most of the Western Hemisphere) but an attack seems unlikely. Instead, the best explanation seems that the blackout is the result of corruption, neglect, and mismanagement (Business Insider).
Still, Maduro's story has found, if not many believers, at least some willing to suspend disbelief (as, arguably, with Green Left and Citizen Truth), or use the incident in the service of larger goals (as, arguably, with Sputnik or Tasnim). China has expressed its sympathy and offered to help with both investigation and recovery (Reuters).
So while taking down a power grid by cyberattack is certainly possible, it would seem that Venezuela's tottering infrastructure needed no such push to bring it down (Anatoly Kurmanaev). There's also the question of motive and national strategy, and neither of these seem to fit the US attack Maduro insists the US has made.
But Venezuela's current agonies are instructive nonetheless (New York Times). They show the widespread suffering a long-lasting interruption of electrical power can impose. Consider loss of lighting and its effect on public safety, or loss of refrigeration and its effect on food storage. An account in WIRED of the difficulty of a black start, that is, bringing a dead grid back online, illustrates the consequences of infrastructure collapse. Load balancing is particularly tricky, and a lack of understanding of what caused the outage in the first place renders it trickier.
The US State Department withdrew its remaining diplomatic staff from Venezuela this week. President Maduro shortly thereafter ordered them expelled (Reuters).
Experiencing poor performance with your legacy antivirus? Try CB Defense.
Terror attack in New Zealand announced online, then live-streamed on Facebook.
At least forty-nine people died in Christchurch, New Zealand, yesterday as anti-Muslim terrorists shot up two mosques during Friday prayers. The intent to carry out the massacre was announced online shortly before the murders began. A manifesto seeking the sadly familiar goals of terror and depraved inspiration also linked to a shooter's Facebook page, where some seventeen minutes of the massacre were subsequently live-streamed. The video was apparently taken by a camera worn by the shooter, and it included the shooter’s own repellent commentary offered as he gunned down worshipers.
The manifesto is a strange mix of anti-immigrant hatred, admiration for both earlier nativist killers and for the Chinese government, and an oddly green concern for the environmental degradation overpopulation is said to bring. The author self-identified as an "ethno-nationalist eco-fascist" (Sydney Morning Herald) and many ask why social networks were slow to recognize the content as threatening (Washington Post). But the manifesto should probably be read as very much a product designed within and for the Internet, providing the "anons" as Bellingcat puts it, with "lulz and inspiration." The Atlantic calls it trolling, but this is trolling with tragically kinetic effect.
Police promptly charged one man with murder, released another after concluding he wasn't involved in the attacks, and continue to investigate two more suspects. The inquiry continues amid widespread condemnation of the attacks. The shooter's video has been taken down, and authorities urge anyone who may have it to refrain from sharing (New York Times).
Outsmarting Attackers with Deep Learning
Misconfigured Box accounts leak companies' data.
More than ninety companies, including Apple, had internal data exposed due to misconfigured Box enterprise storage accounts. The companies misunderstood the way Box URLs worked. Users can share URLs, which make files or folders publicly accessible to anyone who has the link. The service also lets users set custom URLs, which can be relatively easy to brute-force (Naked Security). Researchers at Adversis discovered this by guessing the Box URLs of popular companies, which, they said, "began returning results faster than we could review them." Among the data were passport photos, Social Security Numbers, passwords, and bank account information.
The amount and sensitivity of the information varied from company to company. Apple had non-sensitive internal folders exposed, for example, while the Discovery Channel revealed millions of customers' names and email addresses. "If your company uses Box, there is a good chance you are leaking sensitive data already and you may want to finish reading this after you disable public file sharing," the researchers said.
It's worth noting that this isn't a flaw in Box's system—its documentation explains how these URLs work (Engadget). In response to Adversis' findings, however, the company took steps to make public URLs harder to misuse. These include disabling public custom URL sharing by default, and requiring administrator privileges to change this setting. Box is also working to make the URL-sharing functionality more clear to customers (Box Blog).
Get comprehensive information about securing the DIB supply chain
US Navy report on Chinese espionage: "under cyber siege."
The Wall Street Journal reported on Tuesday that an internal Navy review has concluded that the US Navy and its partners are "under cyber siege" from Chinese, Russian, and Iranian hackers. These attacks have resulted in "numerous" breaches (Military & Aerospace Electronics). The hackers also targeted contractors and vendors, with the report stating that "critical supply chains have been compromised in ways and to an extent yet to be fully understood" (Business Insider).
What sort of payoff can any espionage service expect from its take? Andrea and Mauro Gilli say that the stolen information can be much harder to figure out than one might think. "To understand and apply this type of information, they first need to build an advanced industrial, scientific and technological base, including product-specific laboratories, testing facilities and specialized personnel," they write in the Washington Post. A piece by the same authors in MIT Press Journals elaborates: "The exponential increase in the complexity of military technology" over the past century "has promoted a change in the system of production that has made the imitation and replication of the performance of state-of-the-art weapon systems harder—so much so as to offset the diffusing effects of globalization and advances in communications." Regardless of the difficulty of figuring out the information, however, Chinese espionage services have been more than willing to take what they can get.
Senior officers are believed to be under particular attack. Admiral John Richardson, the Chief of Naval Operations, said on Wednesday that the threat of cyberattacks was the reason the service stopped publicly announcing promotions last year (Defense One). US universities are also said to have been heavily prospected for defense-related research (Industry News Wire).
10 Incredible Ways You Can Be Hacked Through Email And How To Stop The Bad Guys
A view of the threat as it looks from US Cyber Command.
The US is ready to strike back in cyberspace, according to General Paul Nakasone, the head of US Cyber Command. Speaking during a subcommittee hearing on Wednesday, Nakasone and Assistant Secretary of Defense for Homeland Defense Kenneth Rapuano answered questions about the military's strategy to respond to cyber breaches (SecurityWeek). Rapuano said the US, historically, hasn't adequately responded to cyberattacks, in part because this type of attack didn't warrant a traditional military response. Now, however, the strategy is shifting to a more offensive, deterrence-focused approach. Nakasone said CYBERCOM had learned a lot while preventing Russian interference in the 2018 midterm elections, and it was now preparing for the next election (Military Times).
There are surely many advantages to cloud services: economy, convenience, and indeed security, especially for smaller enterprises. But the cloud isn’t of course either foolproof or failsafe. Proofpoint released a study today in which it outlined how threat actors breach cloud accounts. They’re seeing a more complex and sophisticated approach to brute-forcing, sufficiently sophisticated as to perhaps no longer deserve the name of brute-forcing. Proofpoint calls them "intelligent brute forcing."
Attackers used password-spraying and credential stuffing, made easier by access to large credential dumps. These were followed with phishing for credentials that would give further access to corporate accounts. The goal is internal phishing and business email compromise, always more persuasive than attempts that obviously originate outside an enterprise. The endgame, of course, is usually theft, of either money or data.
Microsoft on Tuesday released patches for sixty-four security vulnerabilities, seventeen of which were rated critical (Threatpost). One of these included a zero-day in Windows 7 and Windows Server 2008 that was being actively exploited with a Google Chrome zero-day that was patched earlier this month (KrebsOnSecurity).
Google patched eleven critical Android vulnerabilities, including a remote code execution bug tied to Bluetooth (Threatpost).
Cisco patched a critical flaw in the Cisco Common Service Platform Collector, which involved a default password that could allow remote access. Two high-rated vulnerabilities were also patched: one in Cisco Email Security Appliances and the other in Cisco Small Business SPA514G IP Phones (Threatpost).
Crime and punishment.
US Federal prosecutors have opened a criminal investigation of Facebook's data-sharing policies. A grand jury in New York has subpoenaed records of two companies with whom Facebook had concluded data-sharing agreements. Facebook says it's aware of the probe and is cooperating fully (New York Times). This investigation is independent of other inquiries into Facebook's involvement with the Cambridge Analytica scandal (Telegraph).
The founder of OneCoin, a multi-billion-dollar cryptocurrency company, has been charged with committing wire fraud, securities fraud, and money laundering offenses (New York Law Journal). Ruja Ignatova, assisted by her brother, was apparently running a massive pyramid scheme using a fraudulent cryptocurrency, the US Attorney’s Office for the Southern District of New York said last Friday. The company made around $3.7 billion between 2014 and 2016 (Verge). Ruja's brother was arrested in Los Angeles last week and charged with , but Ruja herself remains at large (Quartz).
A 21-year-old Australian man was arrested by the Australian Federal Police on Tuesday and charged for selling stolen account details for Netflix, Hulu, and Spotify (CRN Australia). He allegedly made $212,000 from the operation (Threatpost).
Courts and torts.
Facebook filed a federal lawsuit against two Ukrainian men who tricked more than 60,000 Facebook users into installing malicious browser extensions. The men used online quizzes to get victims to install extensions which "were designed to scrape information and inject unauthorized advertisements when the app users visited Facebook or other social networking site as part of their online browsing," the lawsuit states. The investigation cost Facebook $75,000 (The Daily Beast).
A federal judge upheld a jury's verdict that cybersecurity company Juniper Networks did not infringe a malware detection patent held by Finjan Holdings, Inc. (Reuters).
Policies, procurements, and agency equities.
China's National People's Congress (Beijing's "rubber-stamp parliament," as Agence France Presse helpfully if snidely notes) has approved a law said to be intended to inhibit government agencies from forcing foreign companies to give proprietary technology to their Chinese partners in joint ventures. The bill also makes a gesture in the direction of establishing mechanisms for adjudicating disputes over intellectual property among Chinese and international partners. The measure is widely seen as a casual wave of an olive branch more or less in the direction of Washington as trade negotiations enter what may be their last weeks. While the American Chamber of Commerce in China, did say that "the last minute efforts are appreciated," it also regretted that the new law addresses just a "small slice of the overall set of concerns our members have about the uneven playing field foreign companies encounter in China." On balance that seems to be the international reaction: too many loopholes and uncertainties remain for those who would do business in China. Perhaps it's the thought that counts. The vote in the National People's Congress was 2,929 pro, 8 con, and 8 abstaining, which seems a pretty big rubber stamp.
The White House on Monday released its Budget for Fiscal Year 2020. The budget allocates $9.6 billion to the Department of Defense "to advance DOD’s three primary cyber missions: safeguarding DOD’s networks, information, and systems; supporting military commander objectives; and defending the Nation." This is approximately $1 billion more than was requested for cybersecurity in last year's budget. Assistant Secretary of Defense for Homeland Defense and Global Security Kenneth Rapuano told a House subcommittee on Wednesday that most of the $9.6 billion would go towards cybersecurity "to reduce the risk to DOD information systems.” A portion of the funding would also go towards offensive cyber operations. The rest, Rapuano said, will be used to fund the research and development of new tools "so that we can out-innovate our adversaries" (Nextgov).
USCYBERCOM commander Paul Nakasone said that $532 million of the funding devoted to offensive operations would go to CYBERCOM's headquarters, while $1.9 billion would be devoted to building new infrastructure at four locations to support CYBERCOM's operations.
The budget also provides $156 million to the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response to support "early-stage R&D activities that improve cybersecurity and resilience to enable the private sector to harden and evolve critical infrastructure." It also requests $18 million for the cybersecurity of the Treasury department's IT systems.
Fortunes of commerce.
Facebook, under hostile scrutiny, including the scrutiny of a US Federal grand jury, announced that it would undertake a major change in direction, with privacy now the company's focus as opposed to sharing. Two senior executives announced their resignation shortly thereafter. The departures of Chief Product Officer Chris Cox and WhatsApp boss Chris Daniels were not expected (Wall Street Journal), and Cox at least has connected his exit with a lack of enthusiasm for the company's new concentration on private messaging (Times).
There's some reduction, at least in OPM's silo, of the backlog in US security clearance background investigations, but more than a hundred thousand Federal employees and contractors are still working under interim clearances, waiting for their investigation (Federal News Network).
How long, on average, does it take to fill a cybersecurity job? About three to six months (Dark Reading).
More speculation appears on the apparent fit between placement on the autism spectrum and hacking, of both the white- and black-hat varieties. A disposition to hyperlexicity and attraction to problem-solving are thought by some to be particularly valuable traits in the field (Dark Reading).
Mergers and acquisitions.
Investments and exits.
Contrast Security received $65 million in a Series D funding round led by Warburg Pincus, with participation from existing investors Battery Ventures, General Catalyst, M12 (Microsoft’s Venture Fund), AXA Venture Partners, and Acero Capital (Global Legal Chronicle).
This CyberWire look back at the Week that Was discusses events affecting Australia, China, Iran, New Zealand, Russia, United States, and Venezuela.
On the Podcast
Research Saturday is up. In this episode, "ThinkPHP exploit from Asia-Pacific region goes global," Akamai's Larry Cashdollar joins us to describe an exploit he recently came across while researching MageCart incidents. It's a remote command execution vulnerability affecting ThinkPHP, a popular web framework.
© 2019 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.