CyberWire Daily - Another warning of DNS hijacking. B0r0nt0k ransomware is out and about, and in too many servers. Whitelisting a controversial CA. Blockchain security. Bots get on the consular calendar.
Episode Date: February 25, 2019
In today's podcast, we hear that ICANN has warned of a DNS hijacking wave, and is urging widespread DNSSEC adoption. Security firms see Iran as a particularly active DNS hijacker. A B0r0nt0k ransomware outbreak infests Linux servers, but Windows users might be at risk as well. A request for whitelisting in the Firefox certificate store arouses controversy. Technology Review raises questions about blockchain security. Bots keep people from getting consular appointments, and people don't like it. And telling minotaurs from unicorns. Rick Howard from Palo Alto Networks with tips on moving data to the cloud. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ICANN warns of a DNS hijacking wave and urges DNSSEC adoption. Security firms see Iran as a particularly active DNS hijacker.
A B0r0nt0k ransomware outbreak infests Linux servers,
but Windows users might be at risk as well.
A request for whitelisting in the Firefox certificate store
arouses controversy.
Technology Review raises questions about blockchain security.
Bots keep people from getting consular appointments,
and people don't like that. And telling minotaurs from unicorns.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, February 25th, 2019.
The Internet Corporation for Assigned Names and Numbers, that's ICANN, warned Friday that
the domain name system, DNS, is dangerously vulnerable and urged swift and widespread
adoption of DNSSEC, the domain name system security extensions.
ICANN explains DNS hijacking as an attack in which unauthorized changes to the delegation structure of domain names are made,
replacing the addresses of intended servers with addresses of machines controlled by the attackers.
While DNSSEC is, as ICANN is careful to point out, no panacea, deploying it would thwart this kind of attack.
But, as ICANN's CTO David Conrad told AFP, there's no single tool that will defeat what he characterized as an assault on the Internet's infrastructure as such.
Both the U.S. Department of Homeland Security and Britain's National Cyber Security Centre
warned last month of a surge in DNS hijacking, so ICANN is far from alone in expressing concerns.
Some of the DNS hijacking of the last few months appears to be state-directed.
Security Week quotes security firm FireEye as attributing a significant fraction of such activity to Iran, with Tehran taking a particular interest in Middle Eastern website registrars
and ISPs.
The typical immediate goal of such attacks appears to be credential theft.
Security Week heard a similar assessment from security firm CrowdStrike.
BleepingComputer's online forum is discussing an outbreak of B0r0nt0k ransomware.
Details are sparse, and analysts are, as of this writing, still looking for samples, but the infestation is known to have appeared on Linux-based servers.
Windows users may also be susceptible.
The ransom demands are running at about $75,000, payable in Bitcoin,
although there are indications that the hoods are open to negotiation.
The words "Vietnamese hacker" appear in the payment site's source code, but this,
like the .uk top-level domain used, means very little, so it would be unwise to jump to any
attribution. BleepingComputer says it's reached out to the extortionists to find out what they're
up to and will share whatever they learn. There are already some suggestions in circulation on
other sites about how to get rid of a B0r0nt0k infection,
but regard them with caution and consult a security expert before jumping to use the techniques.
Better to prepare for recovery should you sustain this or any other form of ransomware attack by regular secure backup.
UAE-based security firm DarkMatter has asked Mozilla to whitelist DarkMatter certificates into Firefox's certificate store.
The request, as ZDNet points out, is controversial.
On one hand, DarkMatter is known as a vendor of surveillance tools, and so the Electronic Frontier Foundation and others warn against giving the company what could amount to an ability to intercept traffic without triggering errors in some Linux systems.
As the EFF puts it on their blog, quote,
DarkMatter has a business interest in subverting encryption, and would be able to potentially
decrypt any HTTPS traffic they intercepted, end quote.
On the other hand, as ZDNet observes, DarkMatter does seem to have a clean record as a certificate authority,
and therefore, the company asks, why should we be treated differently from any other CA?
MIT Technology Review reports that blockchains can in fact be hacked.
The theoretical possibility wasn't unforeseen, it's the long-discussed 51% attack in which an actor
gains control of a majority of a network's mining power and forks the blockchain to defraud other
users. The 51% attack, as we've heard it discussed by various blockchain experts, was a known issue,
as the help desk would put it, but at least in the early days of blockchain adoption had usually
been mentioned as a kind of marginal case,
practically too difficult to amount to a realistic threat.
But that may have been whistling in the dark.
Since the latter part of 2018, Verge, Monacoin, Bitcoin Gold, Vertcoin, and Ethereum Classic have sustained 51% attacks,
facilitated by hash rate black markets, where attackers can rent computing power.
Smaller cryptocurrencies proved more susceptible.
Security flaws in ancillary systems, notably smart contracts, have also been exploited.
None of this should be taken to mean that the blockchain is a fraud or fundamentally
flawed, but rather that it's a technology with its distinctive strengths and weaknesses.
The story should serve as a reminder that cybersecurity, like war,
is waged against a thinking human adversary who sees, reacts,
and will find any vulnerability they can.
Cryptocurrencies, and these are still the most widely used blockchain applications,
of course continue to attract broad interest and support.
The cyberattacks on Malta's Bank of Valletta, disclosed on February 13th, prompt the Bitcoinists to see in the incident proof of the need for decentralized and stable alternatives to traditional
banks and the fiat currencies they deal in.
TASS is authorized to disclose that Russia's embassy in Vienna has sustained
cyber attacks evidently aimed at disrupting consular services. Bots booked appointments,
which inevitably became no-shows, bots being bots and not natural persons, and so a bot couldn't
show up at the cashier's window even if the bot wanted to. This of course prevented actual natural
human beings from getting appointments,
actual natural human beings being actual natural human beings.
They got mad when they couldn't get in to do their business.
The automated requests originated from IP addresses in Iraq, Thailand, Indonesia,
and a few other countries, but that means little for attribution.
The embassy says it's purged the bots and restored consular services to normal.
And finally, how can you tell a unicorn from a minotaur?
And no, this isn't anything to do with Fantastic Beasts.
It's commerce, kids, so you know the difference won't be in, say, niceness or number of horns.
No, a unicorn is a company valued at $1 billion, but a minotaur,
as they're now saying in Silicon Valley, is a company that's actually attracted $1 billion
in venture capital. If you're a shark tank watcher, here's one way to frame the distinction.
A unicorn's valuation is what the sharks use to figure out if they're getting a good deal
on the proffered investment. A minotaur's value is the actual amount Mr. Wonderful has decided to pony up.
Though no, this isn't about Fantastic Beasts, Bowtruckles, Nifflers, or otherwise.
It's commerce.
But still, Newt Scamander, call your office.
And I'm pleased to be joined once again by Rick Howard.
He's the Chief Security Officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team.
Rick, great to have you back.
At Palo Alto Networks, you recently made some important decisions
as to how you were going to choose to run major infrastructure there.
Take us through what you chose and why you did it.
Palo Alto Networks announced that we would be delivering our security services from the Google
Cloud. We have decided that instead of building our own infrastructure and data centers to support
our customers in the future, we will use the Google Cloud to do it. I can't even say that.
It's a tongue twister.
It's a hard word to say, yeah.
I thought it was interesting that a security vendor like us
had gone through the same evaluation and thinking process
that every other type of organization has gone through
or is going through about cloud deployments.
All right, well, take us through.
What made you decide that you didn't want to build out your own infrastructure?
Yeah, so let me set the stage a little bit. So besides the
hardware firewalls that our customers deploy in their physical environments and the software
firewalls that they deploy to protect their Amazon, Google, and Microsoft cloud environments
and the software firewalls that they deploy in their data center virtual environments,
we also have a complete set of intrusion kill chain security tools
that are delivered to those hardware and software firewalls
from our own cloud environment that we maintain and operate.
That's a lot of stuff I just said there.
Now, we store the data in the cloud and process the data looking for bad guys in the cloud.
Once we find them, we send enforcement decisions to our customers' firewalls
and endpoints, both hardware and software. Now, most people think of us as a hardware company,
which we are. But with all that virtual software running in the cloud, we consider ourselves to
be a SaaS company. So now, not three years ago, we were busy building our own data centers in
multiple locations around the world so that we could better service our customers in those localized regions. And what we discovered was
we couldn't build them fast enough. We would just get one operational, and some other country would want
their very own also. And to build them right took time and resources, and they are expensive to
maintain. And we also discovered that this meat and potatoes effort, this building and maintaining
data centers does not scale, and it distracted us from building better security products.
You know, we consider ourselves a security provider, not an infrastructure provider.
And then it dawned on us, like it has dawned on everybody else, we don't have to be an
infrastructure provider.
There are at least three infrastructure companies, Google, Microsoft, and Amazon, who sell
infrastructure, and they are really good at it.
In fact, they are so good, they are light years ahead of the rest of us who are not infrastructure
companies and who are stumbling along trying to do it the way they do it, right? It just made sense
for us to choose one of those to deliver our services from.
So take me through that decision-making process. Like you said, there are choices out there.
What made you decide and settle on Google?
Well, for lots of technical and financial reasons that I don't want to bore the listeners on here,
okay, it made sense for us to use Google as our cloud provider for service delivery.
Suffice it to say that each of these big three have strengths and weaknesses for cloud services.
For what we were trying to do at Palo Alto Networks, it made sense to go with Google.
That does not mean that Google is the right choice for everybody. The bottom line here
is that even security vendors go through the same thought process about cloud deployments
that every other kind of organization goes through. The network defender community has
been saying for at least five years now that the cloud is inevitable. It is just a matter of time.
Some are moving to the cloud faster than others.
We decided to go now.
Take me through the process of establishing in your own mind your ability to trust an outside vendor with these things that are obviously very important for you.
I mean, security is the name of the game here. So I suppose there's a whole matter of reassurances,
sort of a trust but verify thing, perhaps?
Well, exactly.
And I think some of the hesitation from the community is that we're not sure how secure those environments are.
But we are able to put our own security product into all of those big cloud providers.
So it's virtual for sure, but it operates the same way that a hardware platform does back behind your perimeter
and in your data centers. So we have no concerns that it's somehow less secure because we're in a
cloud environment than it is back in your perimeter. We are using the same security
controls in all of those locations. So that was not a big consideration for us.
All right, Rick Howard, thanks for the information. Thanks for joining us.
Thank you, sir.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.