CyberWire Daily - A Memcrash kill-switch. Shadow Brokers' leaked "Territorial Dispute" tools. Dutch DDoS, Indian hacks. FBI and backdoors. Notes from SINET ITSEF.
Episode Date: March 8, 2018
In today's podcast, we hear that a kill-switch for Memcrash may have been found (and Memcrash may be dangerous for other purposes than denial-of-service). Researchers in Hungary take a look at the Shadow Brokers' dumps and speculate about the purpose of the "Territorial Dispute" module. The Dutch Tax Authority sustained another DDoS attack last night. India's CERT renders a troubling report to Parliament. The FBI still wants a non-backdoor backdoor. David Dufour from Webroot on vulnerabilities in cryptocurrency markets. Guest is Richard Henderson from Absolute Software on protecting against insider threats. And some notes from SINET ITSEF.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
A kill switch for Memcrash may have been found,
and Memcrash may be dangerous for other purposes than denial of service.
Researchers in Hungary take a look at the Shadow Brokers' dumps
and speculate about the purpose of the Territorial Dispute module.
The Dutch tax authority sustained another DDoS attack last night.
India's CERT renders a troubling report to Parliament.
The FBI still wants a non-backdoor backdoor.
And some notes from SINET ITSEF.
I'm Dave Bittner with your CyberWire summary for Thursday, March 8, 2018.
Researchers at security firm Corero say they've found what amounts to a kill switch that can turn off memcached exploitation for denial of service purposes.
They've notified various authorities and are working to make the remediation more generally available. So bravo Corero for taking a shot at what's already proven a troublesome DDoS exploit. Corero does mix this good news with some less good news. The vulnerability that can be used for DDoS could also let attackers steal or modify data on affected servers.
University researchers in Hungary at the Laboratory of Cryptography and System Security, that's CrySyS Lab, of the Budapest University of Technology and Economics, have announced the results of their study of the Shadow Brokers' leak of what are said to be NSA hacking tools. Their most interesting conclusion is that the tools in the Territorial Dispute module were particularly adapted to discerning the activities of competing state intelligence services.
Wired looks at the Shadow Brokers' leaks
and particularly laments the widespread dissemination of EternalBlue,
which has been used in far too many attacks worldwide.
The Dutch tax authority sustained another distributed denial of service attack yesterday.
The disruption lasted about five hours.
No data was lost or compromised, according to the Netherlands Times.
The attack was a service interruption.
The previous DDoS attack was in January.
The suspect in that case was taken into custody last month.
He said he did it for the lulz, as a joke.
No attribution or, of course, arrests
yet in yesterday's attacks.
CERT-In, India's Computer Emergency Response Team, has reported to Parliament that more than 20,000 of the country's websites, including 114 government sites, were attacked between last April and this past January. The Indian press is treating this as a serious matter, which it would seem to be.
In legal news, Yahoo is said to have agreed to an $80 million settlement
in a class-action suit shareholders brought against the company
in the wake of the breaches it began disclosing in 2016.
FBI Director Wray, speaking at Boston College this week,
painted a picture of a world effectively
at war in cyberspace.
He also resumed the Bureau's longstanding pleas for responsible encryption, a non-backdoor
backdoor that would enable properly authorized law enforcement authorities to break otherwise
inaccessible devices in the course of investigations.
Few think such a thing is possible. Any backdoor would have to be a backdoor,
and hence an exploitable weakness,
most observers in the tech community believe.
The Bureau, in their view,
may as well be asking for something made of unobtainium.
The attempted assassination of a former GRU officer
and his daughter in the UK over the weekend
appears to have used a nerve agent.
The victims, including at least one first responder, remain in serious condition.
How the poison was delivered is unknown.
Protecting against insider threats is an important part of every organization's security posture,
with phishing attempts on the rise and the simple fact that we're all human
and sometimes we make mistakes.
Richard Henderson is a global security strategist at Absolute,
and he makes the point that when it comes to insider threats,
it may be in your best interest to expand the scope of what you're looking for.
A lot of people are starting to really appreciate the understanding that
what we have traditionally thought of as insider threats only is a small portion of the equation.
The definition of an insider threat is so much more broad in scope than what we've generally come to appreciate as an insider threat.
So, you know, a perfect example, you know, we're all familiar with the Edward Snowdens and people quitting a job and walking out the door with, you know, everything on a thumb drive.
And yes, those are absolutely types of insider threats.
But there's so much more beyond that malicious insider who's intentionally trying to do harm.
You know, you think about the system admin who has decided in a huff that he or she wants to leave the company
and they nuke everything before they go.
You know, those are things you need to worry about.
But at the same time, you know, I was at the Forrester Privacy and Security Summit late last year
and I sat in on a talk that specifically mentioned insider threats.
And there was an interesting statistic that said over half of security incidents in an
enterprise today involve an insider in some shape or form.
And what does that mean?
It means like, you know,
for example, if your marketing team decides that they're going to email off a spreadsheet full of
potentially sensitive customer data to a third party processor, and in some jurisdictions,
they didn't get the exclusive opt in from those customers to share that data with that third
party. Technically, that's, you know, that's an incident. And that is an incident that was
caused by an insider. Someone clicks on an email and they didn't mean to, and they share some
information they shouldn't have. That's a different type of incident that involves an insider. So
there's a lot of attacks out there that are precipitated by someone on the inside doing
something either they didn't mean to or something
they shouldn't have. Now, of course, you want to realize that people's intentions are good,
and they don't mean to, you know, most of the time intentionally or negligently cause harm to
the enterprise, but they do through their actions or in some cases, lack of action.
Yeah, it seems to me like there's an emotional
component to that as well, that it's natural for someone to think, oh, my gosh, I made a mistake
and now I'm going to get in trouble. I better not say anything. But if you can reward people for
doing the right thing somehow, even if it's just saying, hey, we're really glad you called us in
here to help fix this, that's really setting up that culture where that bigger picture security situation
is top of mind for people.
Well, I mean, ask yourself this question.
Would you rather have an employee come forward and say, look, I think this isn't right and
have it be something totally innocent or something totally innocuous or have them not say anything
at all?
And then something bad happens and you don't find out because it got through your defenses
and it may take a long time before you realize something really bad has happened.
I know what I'm going to pick and I would hope most people would pick that they would rather
have their employees waste a little bit of help desk resources
on the occasional false alarm than not saying anything
and trying to clean up a giant mess later on down the road.
That's Richard Henderson from Absolute Software.
SINET's annual ITSEF conference wraps up today in Silicon Valley.
The first day's sessions covered, as expected, the state of the cybersecurity industry.
Some takeaways from the conference so far include the rapid maturation of deception technologies,
which are beginning to assume an important role in security architectures.
Executives whose companies have used them
showed a surprising unanimity.
Deception has been good to them,
both effective and affordable.
People view the explosive growth
of the Internet of Things, of course,
with considerable concern,
especially the industrial Internet of Things,
where a general failure to secure Level 0 and 1
render national infrastructures disturbingly vulnerable to catastrophic disruption.
A panel yesterday on the IoT urged schools of engineering in particular
to begin teaching students how to design for a high-threat environment.
As one panelist said, civil engineers design always against gravity.
Now electrical, industrial, and systems engineers
should start designing against an environment rife with attackers.
Another interesting discussion considered regulation and liability. The current regulatory
environment, especially GDPR and recent consent decrees obtained by the U.S. Federal Trade
Commission, has effectively made businesses responsible, fairly or unfairly, like it or not,
for their customers' endpoints. Businesses would do well to come to grips with this new reality.
And the cybersecurity market itself has changed. Vendors find that the CISOs they wish to sell to
aren't so available. They've gone into hiding. SINET CEO Robert Rodriguez said,
you won't find those CISOs walking the floor of RSA in the old approachable way.
They've secluded themselves in hotel suites.
And Rodriguez thinks tone-deaf vendor marketing is responsible.
No one, as he put it, wants to be approached by some guy on roller skates wearing a gorilla suit.
A comment with which one must reluctantly agree.
So before you strap on those skates and say, step right up, friend,
take some time to listen and understand
what the customer might actually want and need.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Hello, dearest listener.
In the thick of the winter season, you may be in need of some joie de vivre.
Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury.
Yes, you heard correctly.
Budget and luxury all in one place.
So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing.
Oh, and book by February 16th with your local travel advisor or at...
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back.
We have seen some crazy stories about cryptocurrency.
The numbers are all over the place, and that attracts the bad guys.
So what's your guidance here?
Should people be wary when jumping into this stuff? You know, David, first of all, thank you for having me. And absolutely.
And we're not going to talk today about whether, you know, buying cryptocurrencies,
the right thing to do or not. You know, we're not investment advisors, obviously. But but what
what really people need to be aware of is where are they buying these cryptocurrencies?
Because, you know, the first big Bitcoin market set up in Japan was set up on such a simple platform that it was easily hacked and the whole thing was blown up.
The guy who started it's in jail now.
But it's a function of are you comfortable and paying attention to where you're actually buying your cryptocurrency?
And real quick, for example, December 6th, there was a crypto site that was hacked.
November 25th, a crypto site that was hacked.
August 22nd, crypto site that was hacked.
July 19th, crypto site that was hacked.
So these sites, and I'm not talking like the good ones.
There's good sites where they're asking you and they're doing good security.
There's a lot of startup sites that don't put security top of mind and they're getting attacked heavily because there's so much money to be made.
So don't get drawn in by the promise of quick profits without doing your due diligence on the security behind the scenes.
That's exactly right. In all honesty, I'm a big
fan of Bitcoin and cryptocurrencies and the idea behind them and not being attached to, you know,
government entities and stuff really opens up markets. But make sure that if you're buying it,
you're buying it from a reputable place. And I'm not going to steer people to New York,
where New York has regulations about this. They regulate
and monitor cryptocurrency exchanges that start up there. But you might spend a little bit of time
understanding how the exchanges work, how they're regulated, what's going on behind the scenes
before you just open up a wallet and buy something. Talk to your financial professional, right?
Well, they might scratch their head, too. I'm going to say they give you a call, David.
Definitely.
We definitely don't want them to do that.
That's for sure.
What about the hardware wallets that I see people selling?
Is this something to explore?
You know, again, it's something to look into.
And I think they're not a bad idea.
Just all of this is so new and it's so
the Wild West. Understand who you're buying it from, what kind of platform it's been built on.
And the thing is, if you're not a highly technical person who's familiar and comfortable
with researching technology, you're going to have to find some third source to trust that you trust
to make a good recommendation because so much of this stuff comes up and down every day.
And I'm theorizing here, David, that you're going to see some hardware crypto wallets that aren't
legitimate hardware crypto wallets that you're going to buy. And then somebody is going to steal
your currency off those, you know, because they're spoofing them. And everyone has to be very conscious of what they're doing.
I know everybody's excited.
They want to get in on, you know, cryptocurrency and in the speculative nature.
And everybody's going to make a billion dollars.
But I just take the time to understand where you're buying, not just what you're buying.
All right.
Good advice, as always.
David Dufour, thanks for joining us.
Thanks for having me, David.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
For more of these stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions
that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data
products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.