CyberWire Daily - A look back at Patch Tuesday. Classic games on Android serve malware. Cryptocurrency speculation. Info ops updates. Phony hitmen. Guilty pleas in Mirai case.
Episode Date: December 13, 2017. In today's podcast we hear a reminder about yesterday's Patch Tuesday. Classic Android games are serving malware. Cryptocurrency speculative fever continues to rise. More unwelcome miners are pulling Monero out of streaming video services. Ransomware extortionists are finding Bitcoin prices sometimes rise too fast for comfort. False hit-man spam. A Russian hacking defendant, in Russia, says Putin made him do it. Robert M. Lee from Dragos on the security of the water supply. Guest is Evan Dornbush from Point3 Security on the disconnect between employers and educational institutions. Guilty pleas in the Mirai case.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
2017's Last Patch Tuesday has come and gone.
Android gamers, beware of malware serving classic games.
Cryptocurrency speculative fever is still rising.
Not even DDoS or overtaxed exchanges put a damper on it.
More unwelcomed miners are using the unwary and unwitting to pull Monero out of streaming video services.
Ransomware extortionists are finding Bitcoin prices sometimes rise too fast for comfort.
False hitman spam.
A Russian hacking defendant in Russia says Putin
made him do it, and there's some guilty pleas in the Mirai case.
I'm Dave Bittner with your CyberWire summary for Wednesday, December 13, 2017.
Yesterday was Patch Tuesday, the last one of 2017.
Flash issued its traditional monthly fix for Flash Player.
Microsoft pushed out a number of fixes.
20 critical, 12 important, which observers are calling a relatively light update.
As always, patching is vital to digital hygiene, so take a look and listen to your sysadmins.
Those of you who play classic games on your Android device,
Tank and Bomber, Battle City Super Tank, Retro Brick Game, Classic Bomber, and so on, beware.
Appthority has found an infestation of malicious code appearing as a payload inbound from the Golduck server.
The cryptocurrency inflationary bubble continues apace.
DDoS attacks against Bitfinex have been impeding Bitcoin trading this week,
and rival currencies Litecoin and Ether are absorbing some of the speculative pressure that's seeking an outlet.
The Ethereum trading exchange Coinbase may also be under denial of service attack,
or it may just be clogged by traders. It's difficult to tell.
Coinbase's CEO Brian Armstrong warned speculators not to expect to be able to trade on Coinbase during busy periods,
and indeed it appears that heavy usage is what's bogging down the site. It's a popular service.
The Coinbase app has recently been among the top free downloads available online.
Bitcoin has been extraordinarily popular among individual speculators in Asia, millions of
whom have taken a flyer on the cryptocurrency.
South Korea has displaced Japan and China as what the Wall Street Journal calls the
latest hotspot.
Some deny that this is a classic bubble, but it certainly looks like one.
Most observers think a correction is inevitable.
It would seem to be on the grounds of the high electrical power consumption being drawn by
Bitcoin miners and other panners for crypto gold, and not a few of them think that correction is
likelier to be a hard than a soft landing. When ordinary people without the resources to follow
or perhaps even understand a market jump into speculation,
and when they're wagering their savings on the promise of big, big returns, well,
as Ars Technica writer Timothy B. Lee notes, the current wave of speculators is less sophisticated than those that drove earlier Bitcoin booms in 2011 and 2013. As Lee puts it, quote,
the market is starting to feel like the final month of the dot-com boom,
where people started getting tech stock tips from their taxi drivers, end quote.
With all that money in play, criminal interest in cryptocurrency remains high.
Security researchers at AdGuard have noticed that popular video streaming sites
have been using visitors' devices surreptitiously to mine Monero.
That this mining is done without the user's permission or even knowledge is obvious.
The affected sites are OpenLoad, Streamango, RapidVideo, and OnlineVideoConverter.
Almost a billion users are thought to be affected each month.
But spare a thought for the poor crooks who are pricing their ransomware extortion in Bitcoin.
One way an institutional victim like, say, Mecklenburg County, North Carolina,
is going to look at a ransomware attack is as a cost-benefit proposition.
They might, might consider paying if the cost isn't too high.
Mecklenburg County told its extortionists to forget about it and has simply bitten the bullet and gone about restoring its systems without
paying. But if the ransom isn't too high, some might well pay. That's become harder. If you ask
for some number X of Bitcoin, and by the time the deadline you give the victim expires (three or four
days are common enough deadlines) they'll find that Bitcoin has risen by 25% or 50% or 100% or,
well, forget about it. Sometimes it's not easy being a criminal.
Some poor crooks, of course, don't even deserve a thought. We're thinking
of the outrageous creeps who've begun emailing people saying, essentially, "I'm a hitman and your
life is in danger because, quote, your activity causes trouble to a particular person, end quote." So, if you get such an email, don't worry, don't pay, mark it as junk, and move on.
Finding qualified candidates to fill available positions remains a challenge in our industry,
and some companies are taking a different approach to getting talent up to speed,
steering away from traditional certifications and degree programs.
Point3 Security is one of those companies,
and they think they've found a better way to prepare the next generation of cybersecurity professionals.
Evan Dornbush is founder of Point3.
Well, I think when we train for cybersecurity positions or we teach cybersecurity, we're emphasizing the wrong thing.
In America, you have this Victorian-era style teaching model, rows and rows of students memorizing things from canned PowerPoints, canned lectures, multiple choice tests.
At the end of the day, that doesn't really benefit anyone.
And so the way we've approached cybersecurity is more of a returning to,
almost like medieval ages, a craft.
We do journeyman, master, apprenticeship models, teaching the craft,
all hands-on puzzles, no lectures, no multiple choice tests, no PowerPoints,
full immersion into the culture.
And I think that's important.
I think that matters.
And I think the results speak for themselves.
I think there's a certain amount, particularly from the hiring side of things, there's a
certain amount of sort of gatekeeping that goes on with certifications and college degrees
and so forth for people to even get by a certain level of being considered for jobs,
you have to have things that can be checked off on checkboxes.
Yeah, I agree. And I think, again, that's part of the problem and that's part of what we're trying
to change. I think I agree with you, Dave, that there's a huge, again, a huge disconnect between
how human resources really solicits for talent. What we have done in our training program is
demonstrate that hands-on skills are more relevant and more meaningful, more impactful to the end employer than, like you said, a particular certification that's based on knowledge, you know, memorizing a couple definitions here and there for a test or, in many cases, a degree.
So describe to me, what is the approach that you all use?
Yeah, so again, so what we do is we fully immerse
our students into cybersecurity culture. So all hands-on puzzles. We run students through things
like buffer overflows using ASLR defeats and DEP defeats, vulnerability research, exploit
development, reverse engineering, malware analysis. Again, these are the niche skills that I think
historically, going back to your gatekeeper comment, Dave,
I think there's a conventional wisdom that you have to start
answering the phone in customer support and then proceed to help desk
and then proceed to sysadmin and then become a programmer
and then become a cybersecurity person.
I think that doesn't make sense.
I don't think that's realistic,
and I don't think that's where the talent actually lies.
So how does this compare to, for example,
traditional educational systems have things like capture the flag programs?
Yeah, so I love that. Our course is very capture the flag driven. Almost everything is a flag to
be grabbed. And we have an expression that we use that says, you know,
cybersecurity is really no different from going to the gym, right? Very few people want to invest the time to lift the heavy thing up and down lots and lots of times, but everybody wants the muscles.
Cybersecurity is no different. You have to invest in yourself. You have to take time.
You have to struggle. That's part of the growth process. And I think the problem with traditional education is
time constraints, right? Oh, you know, we didn't get the answer, you know, before lunch. So I'm
just going to tell you the answer was, you know, 18 and let's go to lunch. When we come back,
we'll start a new subject that that doesn't help you. It might feel good that you might feel like,
oh yeah, I could have figured that out, but, but you didn't figure that out. Therefore,
you're more likely to not retain that information, not be able to reach that solution.
That's Evan Dornbush from Point3 Security.
Russia's been facing a wave of what the Moscow Times is calling telephone terrorism cyber attacks.
They're essentially bomb threats.
Russian authorities say they've caused two million people to be evacuated since September
and that the threats originate in Syria.
Facebook finds three more Russian-purchased ads
related to information operations surrounding the Brexit vote.
That's not too many, and Facebook has looked only for ads
paid for by the Internet Research Agency,
the now-famous St. Petersburg troll farm.
Google has also looked and says it's found nothing.
Investigation proceeds.
A Russian defendant in a Russian court, one of the members of the Lurk hacking crew,
is said to have claimed President Putin ordered him to hack the U.S. Democratic National Committee.
But both the court and the news source are Russian, and this particular informational
matryoshka should be reviewed with appropriate
skepticism, until more is known.
The Times of London reports that the accused hacker, Konstantin Kozlovsky, may well have
other axes to grind.
Their expert on Russian intelligence services, Andrei Soldatov, thinks that if Kozlovsky
were legitimately illegitimate, if he really were under Mr. Putin's orders, he'd have been
able to provide more technical details than he has. As it is, it's a bald assertion. Soldatov
thinks it likelier that Kozlovsky is just honked off about being prosecuted for Lurk
and is maybe looking for some kind of deal. This, of course, doesn't mean that Mr. Putin
isn't involved, just that we haven't seen the other dolls inside the Matryoshka.
An interesting development in the Mirai case: as has long been believed,
it was the work of a couple of guys in Pennsylvania and New Jersey.
Both entered a guilty plea to federal charges involving writing and using the DDoS code this week.
The knuckleheads in question, Mr. Paras Jha, 21, of Fanwood, New Jersey,
and Mr. Josiah White, 20, of Washington, Pennsylvania, are co-founders of Protraf
Solutions LLC, specializing in DDoS mitigation. Krebs says that's like a firefighter committing
arson so he can get paid to put out the fire. That's not a bad analogy. Mr. Jha, at least, has also copped a guilty plea to New Jersey state charges.
What are they teaching these kids at Rutgers these days?
And I'm pleased to be joined once again by Robert M. Lee.
He's the CEO at Dragos.
Robert, welcome back.
We've been going through some of the risk factors when it comes to different ICS categories,
and today I wanted to touch on water, an important one.
Absolutely.
So water, of course, when we talk about any industry, it's always
good to note that there are some very, very small players and there are also some very considerable-size
players in that community as well. So I'll try not to treat it as if it's just one
homogeneous industry to start off with. But when most people think of water resources, they're
thinking of water distribution and wastewater treatment, basically how do I get water and how do I keep it clean?
There's a lot more to it than that, but that usually comes to the forefront of folks' minds.
And in those environments, there's historically been a very good safety culture, especially when you start dealing with things like chlorine and other chemicals, to make sure that they test even outside of any sort of cyber mechanisms.
There's, you know, there's one wastewater treatment facility I was in recently. They have a routine schedule 24-7 where multiple people are actually testing samples of the water
and making sure that there's not an overloading of chemicals or anything like that.
So even if a hacker got on and dumped chlorine in the tanks, they would notice.
So that's the good side.
The bad side is the water industry by far is one of the least-invested-in industries.
And there's a lot of reasons for this.
I don't mean by their own community.
Again, I don't want to downplay the work that's been done there. But when you think of the infrastructures that get national attention and
grant money and the security industry going after their budgets and all of the research,
you're usually thinking about electric systems, maybe manufacturing, but water isn't one of those
ones that generally comes to the forefront, at least not for a lot of those players.
And they may talk about it, but they don't have the staff. I mean, in many water facilities there might be an IT guy who's supposed to do IT as well as security, and he mows the lawn
on Fridays, right? It's very, very resource-tapped. For that reason, and the lack of
complexity in the water systems compared to many other systems, there are some particularly damaging scenarios that you could
think about. So as an example, when I try to balance the nuance and try to balance sort of
how attacks would occur, there are usually three variables that I measure or think about. One is
the complexity of the overall system. So with the electric power grid, you have redundant lines,
you have redundant routes, you have a substation in Baltimore, a substation in D.C., let alone different parts of the country.
Right.
There's interconnects.
There's a lot of complexity in that system.
And you can even measure sort of the security investment is adding to that complexity for
the adversary.
The second one is like, what do you actually want to achieve?
The impact is the impact.
You want to have a disruption for an hour.
Or is it, you know, potentially physical destruction to lead to disruption for a week?
And then the third one is really that scale.
Am I talking about one site?
Am I talking about all across the United States?
So when we look at water, it is still a complex system and the control system environments are still fantastic, but it's not as complex as an electric grid
or one of the larger infrastructures.
So the ability for an attacker to go in
and identify and learn an environment
and do something malicious to it
is not as significant a bar as we'd want.
So we do have to add complexity to that challenge for them
by investing in the right security
to address the right threat landscape.
That being said, there is also sort of the
hilarious reality that there's a lot of tribal knowledge that occurs on how certain plants are
run and operated. And sometimes if you just follow the spec and you follow the engineering guide,
you design an attack off that, it's actually not what's fully implemented. And that can lead to
unintended complexity for the adversary, which means they might do something expecting an outcome
and not achieve that outcome at all. So in short, when I think of the industries that I wish
were able to have more investment, water is at the top of the list for me in terms of
needing some attention, and also understanding what those unique water-targeting threats look like,
because we're not doing a lot of discovery there. But as always, I try to balance it with the fact
that yes, we do have really good engineers
and talent, but I would say we are becoming more interconnected. We're becoming more homogeneous
in nature. And the natural complexity of the problem that benefits defenders is not so
substantial in water to lean on. So we definitely got to do more. All right. Robert M. Lee, thanks.
Thank you.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.