CyberWire Daily - Alleged BND surveillance of news organizations. Snake Wine in Japan, for disinformation? Singapore military phished. Google discloses more Microsoft unpatched bugs. Cloudbleed update. CloudPets may have privacy issues.
Episode Date: February 28, 2017
In today's podcast, we learn that the BND may have been listening to the BBC, but not in a good way. Cylance reports on Snake Wine, a curiously familiar vintage sniffed in Japanese networks. Singapore's military sustains a phishing campaign without sustaining apparent damage. Google discloses more unpatched Microsoft vulnerabilities, these in IE and Edge browsers. Criminals claim to have exploited Cloudbleed, but the jury's still out. Joe Carrigan from the Johns Hopkins University's Information Security Institute helps us understand Cloudbleed. Steven Grossman from Bay Dynamics reviews New York State's newly enacted cyber regulations. And watch your language around those networked stuffed animals.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The BND may have been listening to the BBC, but not in a good way.
Cylance reports on Snake Wine, a curiously familiar vintage sniffed in Japanese networks.
Singapore's military sustains a phishing campaign without sustaining apparent damage.
Google discloses more unpatched Microsoft vulnerabilities, these in IE and Edge browsers.
Criminals claim to have exploited Cloudbleed, but the jury's still out.
And watch your language around those networked stuffed animals.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, February 28, 2017.
Spiegel reports that Germany's foreign intelligence service,
the Bundesnachrichtendienst, has since 1999 conducted surveillance operations against a number of news agencies, including Reuters, the BBC, and the New York Times.
Spiegel says approximately 50 telephone numbers, fax numbers, and email addresses were on the surveillance list,
many of them apparently associated with bureaus in South or Central Asia.
The story has stirred up the opposition in the Bundestag,
reviving suspicion that the BND was engaged in some sort of unseemly espionage
in cahoots with other services, like GCHQ or NSA.
The alleged surveillance would have begun under Chancellor Merkel's predecessor, Social Democrat Gerhard Schröder,
which suggests that surveillance is as much a center-left game as it is one for the center-right.
In any event, it will be Angela Merkel answering the questions.
Cylance has found a threat group operating against business and government targets in Japan.
They're tracking the campaign as Snake Wine, but the operation looks a great deal like APT28, also known as Sofacy,
which of course became famous over the past year for its involvement in apparent attempts to either influence or discredit the U.S. elections.
Snake Wine has a lot in common with attacks attributed to Russian intelligence services, particularly in its registration style, which Cylance calls eerily similar.
But in this instance, there's a degree of ambiguity, since some aspects of the campaign seem to be marked with China's spoor,
and even using some infrastructure that's made itself available to a number of actors, including the Republic of Korea's intelligence services.
That's South Korea, not North Korea.
The threat actors have adopted a variety of measures to baffle attribution.
Their goal is a matter of speculation, but Cylance thinks there's a good chance Snake Wine is ultimately aimed at disinformation.
The Snake Wine campaign began in August 2016.
So far, all of the attacks that have been detected appear to be the result of phishing
members of the targeted organizations. So again, click with care.
Personal data belonging to about 850 members of Singapore's military service
have been stolen in an apparent attempt to penetrate that country's defense ministry.
The theft was successful, but the penetration wasn't.
Authorities in Singapore believe the culprit is some state actor,
with most signs pointing, in this case, to China.
As of March 1st, New York State will be the first to implement new cybersecurity regulations for financial services organizations.
We checked in with Stephen Grossman from Bay Dynamics to find out what these regulations might mean.
The intent of the regulations in the first place was really to get everybody in New York State that's within financial services at a common baseline for their cybersecurity, right?
So establish a minimum standard so that customers and the community in general can have confidence from a cyber point of view that the institutions they're dealing with are operating in a secure manner and protecting their information and their transactions to the highest level possible.
Can you give us some examples of some of the new regulations that caught your eye?
You'll see things, for example, when it talks about having to do pen testing and vulnerability assessments, it'll say based on the risk assessment.
And actually one of the other things that it adds in, which I think is key, is continuous monitoring.
What you see in many companies for many other kinds of regulations, PCI, for example, where they have a particular requirement that needs to be reported every quarter, you'll see companies going through a big scramble every quarter, trying to do scans and assess vulnerabilities and dump things out to spreadsheets and create reports and email them around and try to make sure that everybody is compliant at that point in the quarter so that they can have the satisfactory reporting done at the right time.
But then, you know, as you move further past that reporting period, things tend to slack a little bit until the next reporting period.
What they're calling for here is the ability for continuous monitoring, which means that, you know, each and every day of the week, you should understand what your posture is and be remediating on a daily basis so that, you know, your quarterly reporting is really no big deal.
You know, the other, I think, most significant thing of this regulation, or aspect of this regulation, is the fact that, very much like Sarbanes-Oxley 15 years ago, you know, the last page of the regulation is asking for the CISO or the executive officer of the corporation to sign on the dotted line if they're in compliance with the regulation.
And that starts to put people's personal skin in the game,
and that I think will raise the level of accountability by executives
to actually be paying closer attention to the fact that they really are compliant
and not just checking the box on compliance, so to speak.
You know, that differentiates this one from many of the other regulations that we've seen.
That's Steve Grossman from Bay Dynamics.
Google has disclosed another set of unpatched vulnerabilities
in Microsoft's Internet Explorer and Edge browsers.
While Google's Project Zero has been reticent about the details, lest they render exploitation easy, it's believed the flaws could render users vulnerable to remote code execution.
Google had earlier disclosed vulnerabilities Microsoft was thought to have been ready to patch two weeks ago.
When Redmond omitted those from its monthly round of fixes, Google went public.
Observers speculate that Microsoft will address both sets of vulnerabilities when it issues March's patches.
The other troublesome issue uncovered by Google, Cloudflare's Cloudbleed vulnerability, may be undergoing exploitation by at least one illicit carder forum, CVV2 Finder,
some of whose members have claimed to have obtained paycard credentials by using the bug.
Those claims are currently unconfirmed but warrant watching.
We'll hear later from Johns Hopkins University's Joe Carrigan about the extent of Cloudbleed and what measures the prudent should adopt to protect themselves.
Naked Security has kind words for both Google and Cloudflare in this matter.
For all the anger the vulnerability prompted, the Sophos News Service argues that in fact the incident shows the system works.
Google found it, told Cloudflare, which patched the problem and began notifying potential victims of their exposure.
Some of the controversy surrounding the bug's discovery and disclosure centers on the Google researcher's relatively quick public announcement, which some observers see as unfairly jamming Cloudflare.
ESET patches its Mac antivirus.
Users of ESET's products are urged to apply the fixes.
And finally, in another report from the island of misfit toys,
there are reports that Internet-connected stuffed animals from CloudPets come with privacy flaws that record and report conversations held in the toys' vicinity.
Researcher Troy Hunt drew attention to the issue yesterday in his blog Have I Been Pwned?
According to Hunt, the manufacturer, Spiral Toys, left some 800,000 customer credentials
exposed in a publicly accessible site.
They'd contracted with Romanian company M-Ready for storage of the credentials,
apparently emails and passwords, in a MongoDB database.
Criminals are thought to have accessed the information several times in December and January.
Also exposed were more than 2 million voice recordings of parents and children talking to or around their CloudPets.
So remember, little pitchers have big ears, and so do their animal friends,
and their animal friends' manufacturers, and their animal friends' manufacturers' third-party contractors,
and so on, ad infinitum.
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, security company Cloudflare had what we in the business call a bad day recently.
They're a web hosting company, and they're a big one.
They handle about 10% of the Internet's web traffic.
And recently they had a bug in their code that allowed information to be leaked.
It was found by a researcher at Google.
It's kind of an obscure bug.
They're calling it Cloudbleed because it is reminiscent of the Heartbleed vulnerability from a couple of years ago.
The problem is a Boolean operator in the code, somebody used a greater than or equals to as opposed to an equals to.
And that allowed more information to come out.
I'm not sure of all the technical details, but it certainly seems like something very similar to the Heartbleed, where you could ask for more characters than you said you wanted and it would just dump memory back to you in the response.
These Boolean operators in code, you can be reviewing the code and look at it and say, this should work just fine, because you're not considering the edge case where somebody is asking for more information than they should be asking for, and the program will give it to them.
And so it'll make it through testing.
It'll make it through testing.
And certainly this system has been deployed for a while
before anyone noticed there was a problem.
Yep, exactly.
It'll make it through testing and code reviews just fine.
It's interesting.
I mean, you know, the other thing you and I talk about a lot are passwords.
Right.
And they're saying change your passwords.
Yeah, this is the host for companies like Uber and OkCupid and some other big names.
Yeah, um, you know, I wouldn't be in a panic telling people to go out and change their passwords, but you certainly cannot hurt yourself right now by changing your password.
You can never hurt yourself by changing a password, and if you follow my frequent advice of using a password manager, it's very easy to do.
Right. Get yourself on whatever schedule to change those passwords.
And then when you have an event like this, just go out and make sure you can change your passwords again.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
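Carrigan's point about the end-of-input comparison, as an added example that is not code from the podcast or from Cloudflare: a toy scanner in C that treats '<' as a two-byte token, so an input ending in '<' moves the cursor one byte past the end of the input. With an equality test (p == pe) the check never fires and the scanner keeps emitting bytes from whatever sits after the input; with a greater-than-or-equal test (p >= pe) it stops where it should. Cloudflare's published postmortem placed the equality test on the vulnerable side and the >= comparison in the fix, so that is the orientation used here. The 16-byte arena, the 'S' filler bytes standing in for neighbouring memory, the constructed input "ab<", and the hard_end guard that keeps the simulation itself in bounds are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Cloudflare's parser: a toy scanner that copies input
 * bytes to `out` and treats '<' as a two-byte token, so an input that ends
 * in '<' advances p one byte PAST pe.  The end-of-input test is either an
 * equality test (p == pe) or a >= test, selected by `use_ge`.  `hard_end`
 * bounds the backing arena so the simulation never reads outside it; it
 * stands in for the rest of process memory a real parser would keep reading. */
static size_t scan(const char *in, size_t len, const char *hard_end,
                   char *out, int use_ge)
{
    const char *p = in;
    const char *pe = in + len;       /* one past the last input byte */
    size_t n = 0;

    for (;;) {
        out[n++] = *p;               /* emit the byte under the cursor */
        p += (*p == '<') ? 2 : 1;    /* '<' consumes an extra byte */

        /* End-of-input check.  If p jumped from pe-1 to pe+1, the equality
         * test never becomes true and scanning continues past pe. */
        if (use_ge ? (p >= pe) : (p == pe))
            break;
        if (p >= hard_end)           /* guard for the simulation only */
            break;
    }
    return n;                        /* bytes copied out; > len means a leak */
}

/* Runs the scanner over the constructed input "ab<" placed in a 16-byte
 * arena whose remaining bytes are filled with 'S' (a stand-in for whatever
 * neighbouring data lives after the request buffer).  Returns the number
 * of bytes the scanner emitted for the 3-byte input. */
size_t bytes_emitted(int use_ge)
{
    char arena[16];
    char out[sizeof arena];
    memset(arena, 'S', sizeof arena);
    memcpy(arena, "ab<", 3);
    return scan(arena, 3, arena + sizeof arena, out, use_ge);
}

int main(void)
{
    printf("equality check: %zu bytes emitted for a 3-byte input\n", bytes_emitted(0));
    printf(">= check      : %zu bytes emitted for a 3-byte input\n", bytes_emitted(1));
    return 0;
}
```

The input that exposes the bug is one that ends in the multi-byte token; a reviewer reading p == pe with ordinary inputs in mind sees nothing wrong, which is Carrigan's point about the edge case sailing through review and testing. The check worth adding is a unit test that feeds the scanner inputs ending in every token it recognises and asserts that the number of bytes emitted never exceeds the input length.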
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.