CyberWire Daily

When DDoS and defense collide.

A global Microsoft outage takes down Outlook and Minecraft. The US Senate passes The Kids Online Safety and Privacy Act. Lame Duck domain names are targets for takeovers. A GeoServer vulnerability exposes thousands to remote code execution. China proposes a national internet ID. Email attacks surge dramatically in 2024. Columbus Ohio thwarts a ransomware attack. When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold. Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. Was it really Windows 3.1 that saved Southwest Airlines? Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. You can read more here.

Selected Reading

Microsoft apologises after thousands report new outage (BBC News)

Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks (Bleeping Computer)

Senate Passes Bill to Protect Kids Online and Make Tech Companies Accountable for Harmful Content (SecurityWeek)

Don’t Let Your Domain Name Become a “Sitting Duck” (Krebs on Security)

Hackers Actively Exploiting GeoServer RCE Flaw, 6635 Servers Vulnerable (Cyber Security News)

China Wants to Start a National Internet ID System (The New York Times)

Email Attacks Surge, Ransomware Threat Remains Elevated (Security Boulevard)

Columbus says it thwarted overseas ransomware attack that caused tech shutdown (Dispatch)

Gold rush for data: Paris 2024 Olympic apps are eavesdropping on users (Cyber News)

No, Southwest Airlines is not still using Windows 3.1 (OSnews)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
30m
Broadcast on:
31 Jul 2024
Audio Format:
mp3

[Music] You're listening to the CyberWire Network, powered by N2K.

[Sound of seagulls] This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's shopify.com/tech.

[Music] When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

[Music] A global Microsoft outage takes down Outlook and Minecraft. The US Senate passes the Kids Online Safety and Privacy Act. Lame duck domain names are targets for takeovers. A GeoServer vulnerability exposes thousands to remote code execution. China proposes a national internet ID. Email attacks surged dramatically in 2024. Columbus, Ohio, thwarts a ransomware attack. When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold. Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. And was it really Windows 3.1 that saved Southwest Airlines?

[Music] It's Wednesday, July 31, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
[Music] Thank you for joining us here today. It is great, as always, to have you with us.

Microsoft experienced a global outage impacting services like Outlook and Minecraft, lasting nearly 10 hours. The company attributed the issue to a cyber attack compounded by a defense implementation error. This incident follows a similar outage two weeks prior caused by a flawed update from CrowdStrike, which affected 8.5 million systems. This DDoS attack overwhelmed Microsoft's defenses, amplifying the outage's impact. Services like Azure, Microsoft 365, Intune, and Entra were affected, along with external services relying on Microsoft's platforms. Microsoft issued an apology, implemented a fix, and continues monitoring to ensure recovery. The outage occurred just before Microsoft's financial update revealing slower growth in its Azure cloud services, leading to a 2.7% drop in after-hours trading. Despite this, the company reported a 21% rise in intelligent cloud revenue and a 15% overall revenue increase, totaling $64.7 billion.

Additionally, Microsoft has warned of ransomware gangs exploiting a VMware ESXi authentication bypass vulnerability. Discovered by Microsoft researchers and fixed in a June 25th update, the flaw allows attackers to create an "ESX Admins" group with full administrative privileges on the ESXi hypervisor. Exploitation requires high privileges and user interaction but leads to full admin access, data theft, lateral network movement, and encryption of the hypervisor's file system. Ransomware groups like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have exploited this flaw, deploying Akira and Black Basta ransomware. These attacks have targeted ESXi hypervisors, causing significant outages and disrupting business operations. Microsoft noted the doubling of such incidents in the past three years.

With a 91-3 vote, the US Senate passed a bill aimed at protecting children from harmful online content. The Kids Online Safety and Privacy Act (COPSA), promoted by parents of children harmed by online bullying, mandates that tech companies take steps to safeguard minors. This includes requiring platforms to default to the safest settings and exercise a duty of care. The House has not yet acted on the bill, but strong Senate support may prompt action. President Biden has urged the House to pass the legislation quickly. The bill would be the first major tech regulation in years, potentially paving the way for future privacy and AI laws. It requires companies to prevent harm from bullying, violence, and other dangers, and to offer minors protections like disabling addictive features and opting out of personalized recommendations. While some tech companies support the bill, others, like Meta Platforms, prefer different approaches. Critics, including the ACLU, warn of potential censorship and privacy risks.

Researchers from Infoblox have revealed that over a million domain names, including those registered by major companies, are vulnerable to takeover due to authentication weaknesses in several web hosting providers and domain registrars. According to Krebs on Security, this issue involves so-called lame DNS records, where authoritative name servers lack sufficient domain information, making these domains easy targets for cyber criminals. Attackers can exploit these weaknesses to hijack domains, potentially using them for phishing, spreading malware, or impersonating brands. Infoblox and Eclypsium researchers found that some compromised domains originally registered by brand protection firms were hijacked due to misconfigured DNS settings. This problem persists despite previous exposure, with domain takeover facilitated by weak or non-existent verification processes. Some providers, like DigitalOcean and Hostinger, are working on solutions, but broader cooperation and improved practices are necessary to mitigate these vulnerabilities and protect domain registrants and Internet users.

A critical vulnerability in GeoServer, an open-source Java-based software server, exposes thousands of servers to remote code execution. Hackers can exploit this by sending malicious POST requests, gaining full control over affected servers. Approximately 6,600 GeoServer instances are at risk, impacting sectors like urban planning and emergency response. GeoServer has released patches and recommends users update immediately.

In China, anonymity online is already challenging due to mandatory phone number verification tied to personal IDs. Now, the Chinese government proposes a national Internet ID to simplify verification and enhance privacy, aiming to prevent fraud and limit personal data collection by companies. This proposal by the Ministry of Public Security and Cyberspace Administration would be voluntary for websites and apps and open for public comment through the end of August. While some support reduced data collection by multiple apps, critics fear increased government control and surveillance. Legal scholars warn of excessive monitoring, likening the system to the COVID-19 health code app. Concerns include potential harm and fear of using the Internet. This proposal has sparked significant online debate, highlighting the tension between privacy protection and social control.

Email attacks and ransomware incidents have surged dramatically in 2024, with a 293% rise in email attacks and a 47% increase targeting organizations, according to research published by Acronis. Ransomware remains a critical threat, particularly to SMBs in government and healthcare, with a 32% rise in detections from the fourth quarter of 2023 to the first quarter of 2024. LockBit, Black Basta, and Play are major culprits. Experts advise adopting a zero-trust model, network segmentation, and AI-driven threat detection. Cyber criminals are increasingly using AI for social engineering and automation attacks, making traditional defenses less effective. Acronis recommends enhancing security measures and continuous monitoring to counter these evolving threats.

City officials in Columbus, Ohio, say they thwarted an overseas ransomware attack, shutting down much of the city's technology for 10 days to prevent data encryption. Mayor Andrew Ginther revealed that the attack involved a sophisticated threat actor and resulted in potential data theft. The city's Department of Technology, with the FBI and Homeland Security, recommended severing affected systems from the Internet, mitigating the risk. The cyber outage affected email, website updates, and emergency dispatch systems. Columbus is restoring services and has strengthened its tech defenses to prevent future attacks.

The official Paris 2024 Olympics app is raising significant privacy concerns due to its invasive data collection practices. While marketed as a personal companion for the games, providing schedules, breaking news, medal results, and event insights, the app's capabilities extend far beyond these functions. It tracks users extensively, collecting web browsing history and sharing it with advertisers and big tech companies. Downloaded over 10 million times, the app requires multiple dangerous permissions, granting it access to deeply personal data on Android devices. The International Olympic Committee openly acknowledges collecting personal data, building user profiles, and sharing information with advertisers, including major companies like Facebook, Google, and Apple. This extensive data collection is justified by the IOC as necessary for providing the best possible experience for users. Permissions requested by the Paris 2024 Olympics app include access to precise location, camera, audio, media files, and high sampling rate sensors. These permissions can track detailed user activity and movements, painting a comprehensive picture of the user. The app's privacy policy outlines extensive use cases for collecting data, including fan analysis, marketing activities, user profiling, and targeted advertising. Security researchers and privacy advocates emphasize the need for users to remain vigilant about the permissions they grant and to revoke unnecessary ones. The widespread use of these invasive apps, combined with state-sponsored threat actors targeting the Olympics, increases the risk of unauthorized access, identity theft, data breaches, and other cyber threats. Users are urged to prioritize their privacy and be cautious about the data they share with apps, especially during high-profile events like the Olympics.

[Music] Coming up after the break, my conversation with Rakesh Nair, Senior Vice President of Engineering and Product at Devo. We're discussing the issues that security teams face when dealing with data control and data orchestration. Stay with us.

[Music] And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why.
Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

[Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[Music] Rakesh Nair is Senior Vice President of Engineering and Product at Devo. I recently caught up with him for insights on the issues that security teams face when dealing with data control and data orchestration.

Here are things that are happening from a trend perspective. One is the data explosion side of Spain, where there's an enormous amount of data that companies are collecting, mostly because they're all evolving to data-driven decision-making. The second one is around data convergence, where I believe that some clients are looking at putting all of the data into one central location and then having multiple applications or customers of this consume data from the same location, whether it's security, whether it's IT operations, or whether even with business intelligence. They all want to take advantage of these two trends. As we are pulling in an enormous amount of data, and as all this data is converging into one place, not all data are the same. They don't have equal value, so there is definitely a notion of what should be in hot storage, what should be in warm storage, and what can be kept in cold storage, so the ability to control that aspect of what is the cost or TCO associated with each data source, as well as filtering out some noisy messages or key-value pairs from certain logs to be able to manage the overall cost. Now, here's another trend that we're seeing. So, primarily around filtering and routing data to different places, not as an AP.

Is it fair to say that some of these folks find themselves with just too much data?

Absolutely. I think one of the predictions that I've seen from God lately is that in the next six or seven years, the amount of data each of these enterprises are collecting is going to increase by 23/4. That's a lot of data coming in that has to be managed, governed, and then analyzed to seek intelligence out of some of this data.

What about the tools themselves? I mean, the things that folks use to kind of make order out of this data. My understanding is that for many organizations, the number of tools, it kind of keeps growing and growing.

Yeah, I think the data convergence aspect, the one aspect that I mentioned, is the world being primarily around this notion of bringing all of the data into one place and then being able to generate or create vertical applications. There's a lot of companies doing their own ML data science teams within those companies. So, there is a notion of let the data sit in one place, but have vertical applications be able to take advantage of it. The third trend that I see is around technology convergence within this vertical. So, for instance, we take the security operations and the workflows. I see a lot of convergence starting to happen. If you look at general across the same market to see some of the companies that are being merged or being acquired, that is this whole push for bringing kind of technology convergence to each of those vertical labs that can perform at a much better, much more automated, in a much more interesting way within that vertical.

What about the people themselves, the folks who are staffing these SOCs? Is it the age-old story of there not being enough people, of them being overworked and under-provisioned?

I think it is true. I think for a security analyst to be really useful for a company, they have to be within the company for two to three years. And there's a lot of turnover in the industry around security analysts, mostly because there's still a lot of shortage for such brutal talent across the industry.

Can we talk about some of the potential solutions here? I mean, what do you and your colleagues there at Devo, what do you consider to be some of the ways to solve these issues?

I think one of the, again, going back to my trends definition around data explosion, for instance, orchestration, the ability to filter out and manage the different data sources differently and bringing that control to the enterprises themselves is very crucial. Around the data convergence side, I think I'll focus more on the openness of the system, the ability to pull data, applying various filters to understand it. Or if you need to do some analytics, being able to go to the data set and bring the specific data out to do more analytics on top of it. So kind of a more open data analytics platform is much more needed. And the third trend around technology convergence, when you look at primarily from a security operations standpoint, if you've been seeing the trends of your behavior being consumed into your same platform. And you can see that sort of being consumed into the same platform. So one of the things we're trying to do is kind of build that unified workflow that not only brings some of these technologies together, but has a lot of automation and capabilities infused into it. But the operations on security operations software of the system is telling the customer what is happening from a narrative, a story perspective, instead of generating graphs and one of alerts, and the security operations teams have to go and analyze all of these alerts back to back.

Can you give us an example of how automation comes into play here? I mean, that strikes me as being a real potential time saver.

Absolutely. I think one of the things that we're launching as part of Black Hat is around kind of a number of them called set link, which is internally a playbook running, trying to look at these alerts, find entity relationships between these alerts, group them together, when needed invoke additional AI to do deeper investigation, and bring back all of this information into a case, where even if the security analyst is not that senior, they still see the entire context of what was happening, the walling around an alert. So that, that is one of the examples. The most political examples we see are people get tired of phishing. I think around 70% of the sort of time is spent on phishing attacks. So taking some of those phishing attacks, understanding what the walling is, what the email location is, etc., and to be able to block the IP address or the domain, etc., or other entire workflow can be automated as a preliminary step. And then, then we can do deeper analysis on top of it. So some of those things we could have systems handle. Actually, the systems are trying to take over those kind of the ground work of doing the same thing over and over again, as opposed to forcing security analysts to do that.

You and your colleagues are going to be attending the Black Hat Conference this year, coming up in early August here. Should folks stop by to say hello and then check out more about what your offerings are there?

Yes. Absolutely. Yes, absolutely. I think we have some really good demos that we've set up for Black Hat as well as some beautiful integrations that we have done from our security operations workflow, from that orchestration perspective, as well as kind of opening up that analytics platform perspective.

That's Rakesh Nair from Devo. We'll have a link to Devo's research in our show notes.

[MUSIC PLAYING] In other words, when you're working on cyber defenses, targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. There's cyber security and privacy. Award-winning 24/7 365 protection for executives and their families. Learn more at blackcloak.io.

[MUSIC PLAYING] My dad works in B2B marketing. He came by my school for career day and said he was a big ROAS man. Then he told everyone how much he loved calculating his return on ad spend. My friends still laugh at me to this day. Not everyone gets B2B. But with LinkedIn, you'll be able to reach people who do. Get $100 credit on your next ad campaign. Go to linkedin.com/results to claim your credit. That's linkedin.com/results. Terms and conditions apply. LinkedIn. The place to be. To be.

[MUSIC PLAYING] And finally, our fact-checking desk insisted we check out the story of one man's journey to debunk a popular rumor that had come to be accepted as fact. Thom Holwerda, managing editor at OSNews, was scrolling through the latest tech news when a particular story caught his eye. The headline boldly claimed that Southwest Airlines had escaped the recent CrowdStrike event because they were still using Windows 3.1.
The story fit perfectly with the current tech narrative, suggesting that sometimes older technology is more reliable. But something about it seemed off to Thom. He delved into the details. The story was widely reported by reputable news outlets and shared extensively on social media. But Thom's instincts told him to question its veracity. He began by tracing the claim to its origins: a tweet from Artem Russakovskii stating, "The reason Southwest is not affected is because they still run on Windows 3.1." The tweet, though widely referenced, provided no sources or additional information. Digging deeper, Thom found a follow-up tweet from Russakovskii admitting it was a troll, stating, "To be clear, I was trolling last night, but it turned out to be true. Some Southwest systems apparently do run Windows 3.1 LOL." However, this claim was also unsupported by evidence. Thom continued his investigation, tracing the origins further. His search led him to an article by the Dallas Morning News discussing Southwest's scheduling system issues around Christmas. The article mentioned that Southwest uses internally built systems like Sky Solver and Crew Web Access, which "look historic, like they were designed on Windows 95." These paragraphs had been misinterpreted to suggest that Southwest was still using outdated operating systems. Thom realized the misunderstanding had snowballed. The article didn't say Southwest systems ran on Windows 3.1 or 95, merely that they appeared outdated. Additionally, these systems are available as mobile apps, indicating they were not based on decades-old technology. Determined to set the record straight, Thom documented his findings. He highlighted how a single unsourced tweet had sparked widespread misinformation, compounded by hasty and inaccurate reporting. His fact-checking revealed that, contrary to the viral story, Southwest Airlines systems are not running on ancient operating systems. Thom's investigation underscored a critical issue in online journalism. Reputable sites had failed to perform even basic fact-checking. His thorough, yet straightforward fact-checking process had debunked a widely believed myth in minutes. As he published his findings, Thom hoped his efforts would encourage others to question sensational stories and prioritize accuracy over clicks. In the end, Thom Holwerda's dedication to truth illuminated the pitfalls of modern media and the importance of diligent journalism, reminding readers that sometimes the truth is just a few clicks away.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe, our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow.

[Music] On September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. [Music]