CyberWire Daily - A BadRabbit and Reaper update. EU and cyberwar. DPRK denies WannaCry responsibility. China's cyber espionage shifts. Oracle emergency patch. Buganizer wide open. Influence ops. Heathrow security.

Episode Date: October 31, 2017

In today's podcast, we hear about the state of BadRabbit and Reaper. The EU drafts a diplomatic framework for self-defense in cyberspace. Pyongyang denies UK attribution of WannaCry to North Korea.... Threat intelligence types suspect the Sino-US cyber modus vivendi might not be the unqualified success it's been taken to be. Oracle issues an emergency patch. A researcher gets an unauthorized peek at Google's Buganizer. Congress will hear testimony about influence operations in Twitter, Google, and Facebook. Rick Howard from Palo Alto Networks warns that board members might be targets. And USB sticks contain the darndest things. Plus, the Malware Mash.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The state of Bad Rabbit and Reaper, the EU drafts a diplomatic framework for self-defense in cyberspace, Pyongyang denies UK attribution of WannaCry to North Korea, Facebook, and USB sticks contain the darndest things. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 31st, 2017.
Starting point is 00:02:40 No fresh developments in either the Bad Rabbit ransomware or Reaper botnet stories. To recap, however, emerging consensus is that Bad Rabbit is a product of the same operators who were behind NotPetya this past spring. The Ukrainian government says those operators were in the Russian security services, and while Kiev is certainly disposed to believe the worst of Moscow, most other observers think that attribution isn't unreasonable. Reaper, on the other hand, an IoT botnet comprised largely of security cameras, and initially feared to be larger than Mirai in its denial-of-service potential, looks to many like a product of the criminal underground, specifically of the Chinese underworld, and probably intended for rental as a booter service in Chinese domestic black markets.
Starting point is 00:03:22 It's also looking much smaller than initially feared, albeit with some potential for rapid expansion. Attribution is of course particularly important if you carry a gun or a badge in matters of criminal investigation or warfare. The European Union has prepared a draft diplomatic document, Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, that would recognize cyberattacks under some conditions as acts of war. This is less path-breaking than some reports would have it. The framework aligns basically with existing NATO
Starting point is 00:03:57 recognition of cyberspace as a domain of conflict within which states can legitimately exercise their right to self-defense. Observers have pointed out, of course, that attribution remains difficult and problematic. While attribution may be hard, the UK's attribution to North Korea of the WannaCry infestation that troubled its National Health Service earlier this year is offered with high confidence. It drew a foreseeable response from Pyongyang, denial of involvement and righteous promises of retaliation against the slanderers. This puts the UK in the same boat as much of the rest of the civilized world,
Starting point is 00:04:35 so when it comes to DPRK retaliation, take a number, Whitehall. China appears to be shifting rather than limiting its cyber espionage directed against American targets. Wired reports signs that the Sino-American agreement to limit mutual hacking is being tested by Beijing's recent operations. FireEye told Wired they'd seen a move toward more industrial espionage in East Asia and more traditional espionage directed against government targets in the U.S. That's not to say that industrial espionage has vanished from the American scene entirely. The CCleaner backdoor installed in some Avast security products,
Starting point is 00:05:16 without Avast's knowledge, for example, was used to put implants into machines in some U.S. tech firms' networks. Oracle has an emergency patch out for its identity management product. Users are urged by both Oracle and outside security experts to patch as soon as practical. A security researcher has found a big bug in Google's bug tracker. Mountain View's issue tracker, the Buganizer, as insiders call it, is the working repository of security and other issues reported to Google. The researcher found it was accessible by coming up with a bogus Google corporate email account and then simply requesting access. Google is policing up the problem. Social media executives from Facebook, Twitter, and Google will testify on Capitol Hill
Starting point is 00:06:03 this week, answering questions about how Russian influence operations may have played out in last year's U.S. elections. It appears the Russian efforts were cheap, with their effect magnified by intelligent sharing and liking. Bogus identities established by the now-notorious St. Petersburg troll farm Internet Research Agency had particularly broad reach. In Facebook alone, 470 phony accounts purchased about 3,000 ads, but that's the tip of the proverbial iceberg. Images, organic posts, events, and so on extended the trolls' audience to 126 million people, viewing about 80,000 bits of content.
Starting point is 00:06:44 The content was fundamentally disruptive in character, without any consistently discernible positive agenda, following traditional forms of influence-seeking, gaining trust, exploiting shared interests, surrounding disinformation with an effective bodyguard of fact, and so on. There are some reports out of the UK that such political influence operations in a number of cases have amounted to catfishing, and the Times of London suggests we ought to expect more of that in the future. The fifth column in the fifth domain. So, Robin Sage, call your office.
Starting point is 00:07:18 Another story out of London involves that perennial favorite of social engineers and those who lose sleep over what those crazy employees do by accident: the USB drive. A guy found a USB stick on the street and was curious to see what it contained. So he stuck it into a library computer. And congratulations, sir, for not inserting it into your work computer, but shame on you, sir, for being a bad library patron.
Starting point is 00:07:44 What did it contain? Well, its 2.5 gigabyte storage capacity held more than 170 documents relating to security at London's Heathrow Airport, some of which had security markings like confidential or restricted. The content included stuff like lists of people exempt from security screening, hijacking duress codes, the Queen's route to the Royal Suite in a hidden part of the airport, and such sensitive physical details as the locations of escape shafts and maintenance tunnels. It's unclear whether the material belonged to a careless insider or a potential terrorist. Investigation continues. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:02 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:09:29 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:10:13 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:52 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is our threat intelligence team. Rick, welcome back. Good leadership comes from the top, but when it comes to cybersecurity, those people at the top, the board of directors and folks up at that higher echelon of a company,
Starting point is 00:11:33 it seems like they can be targets. They can have particular risks that are associated with them. How do we deal with that? Well, you know, as network defenders, we kind of ignore those guys at the top, but it's probably a blind spot for us all. And so let me just kind of give the background here. So we all know that stealing legitimate credentials from important people is a tried and true tactic that adversaries use to penetrate networks. You know, if I was an adversary, why would I spend hours developing a zero day exploit or, you know, spending hundreds
Starting point is 00:12:02 of thousands of dollars just to buy a good one, when you can legitimately log into the victim's network with real credentials. Okay, so this is not a new idea. This has been around forever. But the one thing that many of us have left unattended in this regard is the protection of our company's directors, these high up people in that rarefied atmosphere, our board members. We may have even deployed some mature and capable two-factor authentication schemes and other credential protection technology from great companies like ours, Palo Alto Networks. Had to get the plug in. But we do this with an eye to protect our own employees. Now, these board members, they are these rare animals where they have one foot
Starting point is 00:12:42 planted in the company business, the company secrets, but they kind of exist outside the normal protection bubble we afford our regular employees, right? Many of them sit on several boards of very different companies that have access to really sensitive information. Now, if I was a cyber adversary, I would consider the collection of board members to be a target-rich environment, if you know what I mean. So if you can grab their credentials, you might have access to many companies' material information. All right, so here we are. And yet, as a community, a bunch of network defenders, we kind of allow the board members, in many cases, to exchange highly sensitive company information without encryption and through their private email accounts. Some of these folks are doing it with Gmail and stuff. So here's the analogy that we should paint here.
Starting point is 00:13:28 This is akin to spending thousands of dollars on high quality locks for your brand new house, but leaving the garage door open all the time to make it easy for your spouse to get into her car. I mean, well, at least in my house, my spouse is the chairman of the board and I do pretty much whatever she says. So I understand why we're in this situation.
Starting point is 00:13:46 So there are two things you should think about as network defenders. First, consider extending company security protection to your board members. They absolutely should not be using their own personal email accounts to exchange company information. It's pretty obvious when you say it out loud, but that's kind of the situation we're in. And the second thing you should consider is that for all the people in the company, the board will see some of the most highly sensitive information that exists. So consider implementing special handling of that kind of data for all board members that is over and above what your normal procedures are. What about the social factor in this, the human factor of this? When you get to a board member, you know, this is usually a very
Starting point is 00:14:24 important person. This is a muckety-muck kind of person. And they may say, yeah, I don't want to do that. How do you deal with that? That has been the bane of our network defender community for many years. Okay. The good news is board members are becoming more and more aware of the cybersecurity challenges that we all have. And I think now, even today, they're more amenable to these kinds of solutions. And in fact, if you help them do it, I think they would be glad to take it on. All right. Good information as always. Rick Howard, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:15:06 the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:16:02 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
