CyberWire Daily - 2019’s first noteworthy breach. Update on the Tribune Publishing hack. reCAPTCHA defeated in proof-of-concept. Dark Overlord should avail itself of the right to remain silent.
Episode Date: January 3, 2019
In today's podcast, we hear that the prize for first big breach of 2019 goes to Australia, but the year is young. Ryuk "artisanal" malware implicated in newspaper print-plant hacks. reCAPTCHA gets captchu'd, again. The Dark Overlord teases some pretty dull stuff, a step ahead of the law and Pastebin content moderators. PewDiePie followers continue to pester Internet users. And there's a new play about Reality Winner, the alleged NSA leaker. Johannes Ullrich from SANS and the ISC Stormcast podcast on cold boot attacks on laptops. Guest is Sarah Squire from Ping Identity with results from a survey on consumer response to breaches. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2019_01_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The prize for the first big breach of 2019 goes to Australia, but the year is still young.
Ryuk artisanal malware's been implicated in newspaper print plant hacks. reCAPTCHA gets captchu'd again.
The Dark Overlord teases some pretty dull stuff, a step ahead of the law and Pastebin content moderators.
PewDiePie followers continue to pester internet users. And there's a new play about Reality Winner, the alleged NSA leaker.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, January 3rd, 2019.
Pride of place in the 2019 data breach sweepstakes right now goes to Australia,
where according to Computer Business Review, the state government of Victoria is first out of the gate and off to a lead.
Information about some 30,000 civil servants was compromised, stolen, in a phishing incident that enabled the hackers to access a directory.
The data lost are fairly anodyne in themselves.
Work emails, phone numbers, job titles, no financial or banking information.
But even work emails, phone numbers and job titles, of course, could be further exploited
to lend credibility to other social engineering attacks.
So citizens of Victoria, think twice before taking action on communications you receive from people working for the state.
As SecurityWeek and others report, it's become increasingly clear that the malware involved in the weekend's attack against U.S. newspaper printing plants was a Ryuk variant.
Ryuk has appeared in a number of extortion campaigns before, and it's said to be well-adapted for tailoring against specific targets and their high-value business processes.
The general approach taken by attackers using the malware is to get into the target network
through compromised remote desktop protocol passwords.
From there, they usually look for administrator privileges, then disable security software, and then pivot to encrypt or otherwise interdict some business-critical data or process.
Researchers at security firm Check Point have called Ryuk artisanal, as opposed to commodity, malware. GandCrab is an example of commodity ransomware.
It's distributed through a big affiliate marketing program, the kind you may have encountered with Mary Kay or perhaps Jungian analysis.
A hood buys GandCrab, slings it more or less indiscriminately against an array of possible targets,
and takes whatever the victims are prepared to pay.
Usually, that's not much.
But then the hackers probably didn't invest that much
in whatever dark web Tupperware party they bought the code from in the first place.
Not so with Ryuk.
The malware is used to closely target specific organizations by hitting their high-value assets.
In this attack on newspaper print plants,
Check Point says it's seen little evidence of automatic propagation capability,
which suggests some significant preliminary preparation by the attackers.
They clearly affected a significant business process, and they don't appear to have had
any interest in stealing, destroying, or manipulating data.
Attribution remains unclear.
Those willing to speculate cite mostly circumstantial code similarities to past attacks.
Even the basic question of whether the attack is state-sponsored
or purely criminal is proving resistant to resolution. There's no clear evidence of a
ransom demand, at least not one that the victims are talking about, which would suggest that this
represents the kind of infrastructure attack that a state might be interested in carrying out.
On the other hand, the state most often mentioned as a candidate for attribution, that would be North Korea, has tended to engage in hacking that delivers a financial return. It might be a botched criminal attempt, or a delayed criminal attempt, or an abandoned criminal attempt. Investigation is in progress.
There's that old saying about how trust can be difficult to earn but easy to lose.
That certainly seems to be the case when it comes to protecting the personal information of customers. The folks at Ping Identity recently surveyed consumers to gauge their attitudes
toward privacy and data breaches. Sarah Squire is senior technical architect at Ping Identity.
We've had a lot of concern in the identity community around privacy and consumer privacy, and we've had a few products; some of our customers have tried to sell an extra private service or an extra protection against breaches, and it just doesn't sell, right? So we know that the market isn't responding to that,
but we have no research about what the market does respond to. Why are consumers not buying this?
Do they not care about their privacy? Are they just not willing to pay for it?
What is going on? So we commissioned this survey to ask them directly,
how do you feel about the breaches? How do you change your behavior? How do you respond to the
market when things like this happen? So let's go through it then. What were some of the key findings?
There's some really fascinating stuff in here. So 21% of people have been victims of a breach.
And of that 21%, 34% of them experienced financial loss. We found that young people
are more likely to experience financial loss than old people, which was surprising to us.
But young people are much more promiscuous with their information.
They're more likely to give it out online, especially sensitive information like social security number or credit card.
So that kind of makes sense that they would be more subject to breaches simply by the fact that they're more likely to give out their information.
Yeah, there was some interesting stuff in here that I noted.
One of them was speaking of that younger generation,
that they are more trustful of brands.
They are, which is surprising, right?
Is it? I don't know.
Because like you said, you know,
it seems like they're more willing to give away information with that. Does that imply that they have a more trusting nature
when it comes to these brands?
Well, they say that they do. In the circles, the communities that I am a part of,
it's very common for us to think that young people are very savvy and they're very cynical
and old people are very ignorant and that they're very trusting. And we found the exact opposite.
Old people are very cynical. They don't trust online sites. They know that they're
likely to be breached, whereas young people are very trusting and they just think that giving
their personal information isn't an issue because companies must be good at security or they
wouldn't be big companies. Yeah, that's fascinating. I wonder how much of that has to do with the
whole notion of being a digital native, that if it's something that you're comfortable with and
familiar with, naturally you're going to be more trusting of it.
Maybe, or maybe they don't watch the news.
Maybe they don't know about breaches.
Who knows?
We didn't ask them why they're trusting.
We just know that they are.
Yeah.
Now, another interesting data point here was that Americans were almost twice as likely to share information with brands as their friends from around the world.
Dig into that some for me.
Isn't that fascinating?
Yes.
So Americans are more likely to share their information and Americans actually have fewer
privacy laws than Europeans do.
So our guess is that Europeans actually have more trust in their government.
We know that in terms of identity laws and privacy protections that are put in place
by government.
So we think possibly that the Europeans are more likely to be suspicious about sharing online information because their government will take care of them, right? They have privacy laws in
place, like the General Data Protection Regulation, or GDPR, that will help them have some recourse
if something bad happens, whereas Americans don't
have that. So what in the survey was particularly surprising to you? Was there any unexpected
results that came back? I would say the most shocking result we found was that when people
hear that a brand has been breached, 36% of them stop engaging with that brand altogether.
Hmm. So they do not come into stores and buy things.
They do not call on the phone.
They don't come in online.
Not only that, 78% of everyone we surveyed said that they would stop engaging with a brand that experienced a breach online altogether.
So what's the take-home lesson here? If I'm someone responsible for the
reputation of a brand and I'm interacting with my cyber folks in my company,
what's the message that I need to take to them? The message that we think is most valuable is
that companies spend a lot of money on getting influencers to promote their brands online,
on Instagram, on Facebook, and social
media. They spend a lot of money on marketing, and they don't spend a lot of money on security.
And so what these results show us is that the money you spend on marketing is going to be
completely wasted if you screw up security. So you need to take some of that budget and say,
if we want to have an emotional engagement with our customers, that
can happen through a breach, right? That's a very emotional engagement. People feel violated when
their information is breached and they stop interacting with you altogether. And that can
kill a brand. That's Sarah Squire from Ping Identity.
Google has updated its reCAPTCHA system with challenges designed to more readily detect
spam and other forms of automated abuse. The updates were motivated in part by the
unCAPTCHA proof-of-concept in 2017 that demonstrated ways around the screen. But
unCAPTCHA has been updated and it's now said to be able to bypass the improved reCAPTCHA.
A readily available speech-to-text API yields about 90% accuracy over the CAPTCHAs,
which is close enough for most purposes.
Industry comment points out that measures like reCAPTCHA aren't in themselves, of course, sufficient to ensure security, nor would Google make that claim.
Automated tools will catch up.
Ryan Wilk of NuData Security told us in an email, quote, "CAPTCHA in and of itself is only one piece of the authentication puzzle. If CAPTCHA is the only security layer, once the puzzle is broken, then the bad actor has won." End quote.
The Dark Overlord, the skids whom Sophos describes aptly as a well-known group of highly self-amusing cyber-extortionists,
has, as the group promised or threatened, released documents it claims it hacked from real estate and insurance companies.
The group says the firms engaged in a far-fetched conspiracy to stage the 9/11 attacks.
They've offered to sell the documents for Bitcoin,
of course, but so far the teasers they've posted to Pastebin seem for the most part to be old stuff recycled from earlier breaches.
Need we add that the files don't remotely add up to evidence of much of anything, still less a 9/11 conspiracy?
The Dark Overlord's posts have been fairly quickly removed from Pastebin,
and Twitter has also blocked at least one account that was hawking the Overlord's wares.
Did we mention that Sophos also called the return of the Dark Overlord
slimy? They did, you know. We're not here to say they're wrong. When the police close in on the
Overlord, as they no doubt will,
having over the last two years pruned some of the group's more obvious members,
we trust that they'll remember to read them their rights.
Speaking of the more unpleasant internet subcultures, followers of YouTube star PewDiePie, we use the word advisedly since that's what he's called.
Those followers, we say, are again taking a break from eating Tide Pods to find exposed Chromecast adapters, smart TVs, and Google Home systems via a Shodan search.
Once they've found the vulnerable devices, they display a message
urging their victims to subscribe to Mr. Pie's channel.
A compelling recommendation, we guess,
coming as it does from consumers of
wash day products. And this "read them their rights" thing, well, Mr. Martin's apparent confession was
recently tossed by the judge ruling in the preliminary rounds of the alleged NSA leaker's trial,
because the judge didn't buy the FBI's claim that they didn't need to Mirandize Mr. Martin because it was a non-custodial interview.
A new play titled Is This a Room? uses the transcript of Reality Winner's
non-custodial interview with the FBI to dramatic effect.
"It's like a thriller," says playwright Tina Satter in an interview with The Intercept,
the publication that more or less put Ms. Winner in the position
she now finds herself,
in trouble over a misappropriation
of classified material.
Still, custodial or not,
remember you've got the right
to remain silent.
So, Dark Overlord,
PewDiePie followers,
please avail yourself of that right.
And joining me once again is Johannes Ullrich. He's the Dean of Research for the SANS Institute. He's also the host of the ISC Stormcast podcast. Johannes,
it's great to have you back. You know, we've been seeing more and more stories about attacks on
laptops, things like cold boot attacks and encryption issues with drives.
What can you share with us? What tips do you have to keep your system safe in the wake of
these new attacks? Yeah, so what these attacks have in common somewhat is that an attacker needs
to have physical access to your laptop. And that's, of course, always a critical issue.
If you're traveling in particular, you can't possibly keep your laptop, or in some cases multiple laptops, with you all the time.
You sometimes want to go out for dinner and such and have to leave your laptop in your hotel room, for example.
What it really comes down to is that you probably cannot protect your laptop getting access.
What you want to do is you want to make it more difficult,
and you also want to make it easier to detect that your laptop got access.
So one thing, for example, try to avoid hotel safes.
Hotel safes are notoriously insecure and are usually easily defeated
without you noticing that anything
happened. But what you could, for example, do is first of all, start with a boot password.
If you boot your laptop from a different disk, or if you're trying to get to the BIOS settings and the
like, well, it should ask for a password there. That's one layer of defense that you can have.
The second layer would be sort of a better physical protection of your laptop.
What I like are like backpacks
that have a plastic hard compartment attached to them
that you can lock with a padlock.
Yes, the plastic is usually cut through,
but that's something you would notice.
So when you're picking padlocks, for example,
for something like this,
of course, don't pick the TSA approved one. Get a better one that an attacker would have to cut
instead of just pick. And that way, again, you at least would be able to detect what happened.
Yeah, I can imagine folks going through the exercise of trying to find clever places in a
hotel room to hide their laptop.
Yeah, of course.
That's another option that you have.
If you do that, make sure you shut down your laptop.
And certainly it helps.
You don't want to cook it.
Yeah, not only to cook it, but also if you leave it sort of in sleep mode, sometimes Bluetooth, Wi-Fi, and so on stay enabled.
And that, of course, could help an attacker
to find the laptop or at least
realize there's still a laptop in the room.
But yes, certainly
the cooking, that's actually
a problem I have had with laptops in the past
where I sort of stuffed them in my backpack
and then when I pulled them out a couple hours later,
I got the warning that it had auto-shut down because of a heat issue,
because it didn't properly go to sleep.
Right, you didn't hear the fans running like a hairdryer.
Yes, yes.
All right, well, as always, good advice.
Johannes Ullrich, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time
and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast
is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan. Thanks for listening.
We'll see you back here tomorrow.