CyberWire Daily - AWS S3 misconfigurations. Kaspersky's report on the Equation Group affair. Cybercrime notes. DPRK cyber campaigns. The VEP reviews continue positive. Amazon Key has issues.

Episode Date: November 17, 2017

In today's podcast, we hear about more misconfigured S3 buckets (these in Australia). Kaspersky Lab protests its innocence as it releases a study of Equation Group leaks. Notes from the world of crime: dual-purpose Trojans, fake-news-as-a-service, and how the cops are keeping the robbers hopping. Some thoughts on Hidden Cobra, and what it means for ICS operators in particular. More positive notices for the VEP. Chris Poulin from BAH on AI ethical conundrums with self-driving cars. Jeremy Wittkop from InteliSecure on the trouble with Social Security Numbers. And Amazon Key may unlock more than one would like.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Misconfigured S3 buckets down under. Kaspersky Lab protests its innocence as it releases a study of Equation Group leaks. Notes from the world of crime. Dual-purpose Trojans, fake news as a service, and how the cops are keeping the robbers hopping, some thoughts on Hidden Cobra and what it means for ICS
Starting point is 00:02:13 operators in particular, more positive notices for the VEP, and Amazon Key may unlock more than one would like. I'm Dave Bittner with your CyberWire summary for Friday, November 17, 2017. Another misconfigured Amazon Web Services S3 bucket leaks. This one belongs to the Australian Broadcasting Corporation. Amazon continues its efforts to nudge customers to more mindful use of its cloud services. Kaspersky has released the results of its own investigation of the alleged NSA leaks that appear retrospectively to have played a role in prompting the U.S. government to eject Kaspersky products from its systems. Kaspersky says a laptop with a Baltimore-area IP address
Starting point is 00:03:02 and protected with Kaspersky software was found to have been infected with what appeared to be Equation Group tools and that those were the files Kaspersky uploaded for inspection. Kaspersky says the fact that there turned out to be classified files in the mix was unknown at the time and that such files were promptly deleted as soon as recognized. Kaspersky also says the laptop, which is thought to have been used by an NSA worker or contractor, was thoroughly compromised by other sources. Dark Reading says the device in question suffered from 121 problems. Some quick notes from the world of cybercrime. Bitdefender warns that the Terdot banking Trojan
Starting point is 00:03:43 is a very capable information stealer, one that would be easily adaptable into an espionage tool. Inevitably, for the usual Willie Sutton-esque reasons, concerns about fake news are being monetized by cybercriminals. Some of them are now offering fake news as a service, often in the forms of spoofed legitimate sites. Late Tuesday afternoon, two separate but related warnings issued from the U.S. Department of Homeland Security and the Federal Bureau of Investigation. They want people to be on their guard against two active campaigns they say emanate from North Korea, Fallchill and Volgmer. DHS and the Bureau are explicit in saying that these are the work of the North
Starting point is 00:04:25 Korean government, not simply some random gang of hoods with connections to people north of the 38th parallel. Specifically, they call out the Hidden Cobra threat group, which is also commonly called the Lazarus Group. Hidden Cobra is after some specific sectors. They're showing a particular interest in finance, aerospace, and critical infrastructure, and that interest is fairly well distributed geographically and is by no means confined to the U.S. Fallchill is a remote administration tool, a RAT, that's used to establish presence in the victim's network with a view to enabling further exploitation. The other malware circulating, Volgmer, is described as a
Starting point is 00:05:05 backdoor Trojan that's designed to provide covert access to a compromised system. It's worth noting that infestation of either Volgmer or Fallchill is likely to be accompanied by other North Korean malware. That malware could be used for either information theft, monetary fraud, or destructive attack. We heard from Phil Neray, Vice President of Industrial Cybersecurity at CyberX, who offered us some perspective on the incident. He started with the many names the threat actors roll with. Quote, whether you call them Guardians of Peace, the Lazarus Group, or Hidden Cobra, North Korean cyber attackers are getting more sophisticated every day. End quote. They're not to be discounted.
Starting point is 00:05:45 These aren't skids or wannabes, and they've shown the ability to do some damage. As Neray put it, quote, The group is known for being discreet and meticulous in covering its tracks, as previously shown in the SWIFT and WannaCry attacks. And the latest DHS FBI alert shows the continued evolution of their evasionary tactics. End quote. The attack tools DHS and the FBI warned against aren't new. Fallchill, according to Neray, is a descendant of Hidden Cobra's Manuscrypt malware that was first detected in 2013.
Starting point is 00:06:18 He characterizes Fallchill as sophisticated, a RAT that does a good job with hiding and evasion through encryption and the use of multiple intermediate proxies. What Fallchill does once it's in should be of particular interest to operators of industrial control systems. Neray told us, quote, Once deployed to a target host, it can be used as a launching point for cyber reconnaissance and further attacks on other systems. Critical industrial infrastructure systems, such as SCADA workstations, are ideal targets because most industrial sites
Starting point is 00:06:49 are still running legacy unpatched versions of Windows, and half aren't running antivirus programs that would detect known malware like Fallchill." So by all means, patch, but everyone should recognize that patching industrial control systems isn't as simple a matter as updating your laptop with the latest version of Microsoft Office. Industry experts like NIST and Neray recommend continuous monitoring for behavioral anomalies as an important step toward securing ICS networks. The new U.S. Vulnerabilities Equities Process continues to draw generally positive reviews.
Starting point is 00:07:25 The Council on Foreign Relations issued a dignified grade of pass, while noting that, of course, work remained to be done. Their blog post on the matter by Robert Knake, an official who'd worked on the VEP during the previous administration, had very kind words for White House Cyber Coordinator Rob Joyce and, quote, cheered on the comity and bipartisanship that continues in cybersecurity, end quote.
Starting point is 00:07:50 Finally, were you ordering something from Amazon? You were, weren't you? Well, anyway, if you signed up for Amazon Key, a cyber-physical lock integrated with a security camera that's designed to let the Amazon delivery person into your house to drop off your packages inside as opposed to leaving them on the porch, or the doorstep, or next to the mail slot. Well, think twice. It turns out the key is hackable.
Starting point is 00:08:15 While it's not as simple as standing at the front door and shouting, Alexa, let this nice person in so they can rifle our sock drawers, it's not exactly Equation Group stuff either. Amazon has promised to fix at any moment, so help is on the way. But at least in the meantime, you might consider specifying a delivery option like, hey, drone, just drop the steak knives off at Dee Dee and Lenny's next door.
Starting point is 00:08:37 That's what we do. Dee Dee and Lenny are okay with it. After all, we had Alexa ask their Google Home. Solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:22 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:37 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:11 That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking
Starting point is 00:10:45 and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:11:03 is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Chris Poulin.
Starting point is 00:11:44 He's a principal director for Booz Allen's Dark Labs, where they focus on IoT security and machine intelligence. Chris, welcome back. You know, I saw a discussion go by. It was actually on Twitter the other day, and it was talking about that famous trolley problem. And we were talking about automotive AI and self-driving cars and that sort of stuff. And of course, the problem is, how does a self-driving car decide if given an impossible situation of who to run over, what decision do they make? And I thought, well, I know the perfect person to talk to about that. So Chris, what are your thoughts on this? How does a car decide? So it is kind of interesting. There's actually a program, a website that you can log on to, and you can help to train systems to make better decisions.
Starting point is 00:12:22 I think it's called the Ethical Machine Project or something at MIT. I don't have it in front of me right now. But it presents things. If it's a busload of nuns and a busload of children, which one do you hit? Whatever it is. And so it's kind of interesting because right now, basically, the AI for cars is largely based upon cameras and subsonic sensors and things like that, and some LiDAR to some extent. But those things don't necessarily know what a child or a nun looks like. And so I think a lot of times we're thinking a long distance into the future, but it's certainly something we should be thinking about. The question may not be what's the best decision in that case,
Starting point is 00:13:02 but how are we going to help these things make that decision in the first place? And that means bringing context in. So I think there's kind of two steps. One is, how do we actually bring in context and say, what is the value of this asset? Because I think that's how a vehicle considers it from that perspective. So how do we say, what's a child, what's a nun, what's an inanimate object, which things should you hit? So that's the first problem to tackle. The second one is this MIT project, we're sort of training it by making decisions in a consensus form. So what's the best, what would the majority of people choose if it were down to those two decisions? And so once that's codified, if we have the context and we've codified what the ethics are of actually hitting one thing versus another, then it's really up to the machine at that point.
Starting point is 00:13:48 I think people give machines too much credit for trying to make a decision that a human wouldn't necessarily make. But the reality is we're training the machine to make those decisions anyway. And by the way, it's like politics. Not everybody's going to agree. Right. I thought it was interesting in this conversation on Twitter that someone made the point that, you know, the vehicle will make the decision that results in the least amount of liability for the manufacturer of the vehicle. In this case, they said that will be continuing on the path that they're going in and slamming on the brakes. Well, so it's probably
Starting point is 00:14:19 true that liability is going to factor into it. It may not be the auto manufacturer, because if you think about it, right, the people who make the machine intelligence in the first place are not the OEMs. I think somebody said a long time ago that OEMs are no longer in the manufacturing business. They're in the assembly business, right? They get their parts from everybody else. So let's just say, for the sake of argument, it's, you know, NVIDIA, who, you know, makes a lot of these machines for these AI engines for vehicles. I don't think that they're necessarily going to say, look, what results in the least amount of liability. More to the point, though, I think that, again, because a lot of this is going to be legislated to begin with, that is going to be percolated up into some legislative
Starting point is 00:14:59 body who says, here are the decisions, and here's how we're going to make them. And that's going to be the design principles for these AI engines. All right. Well, it's going to be interesting to see it play out. Chris Poulin, as always, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:15:26 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Jeremy Wittkop. He's the Chief Technology Officer at InteliSecure,
Starting point is 00:16:05 an information technology and service company with offices in Denver and London. The recent Equifax breach highlighted the vulnerability of our personal information, including our Social Security numbers. Jeremy Wittkop is one of a growing number of security professionals who think our system of Social Security numbers is due for an upgrade. I think when Social Security numbers were first created, it was largely a paper-based exercise and people would have that card and there wasn't a realistic threat that someone else would know your Social Security number.
Starting point is 00:16:35 So you could essentially use two forms of identification verbally, say here's my name, which publicly available people could know, and here's my social security number. And if those two things matched at one point, that was a realistic way to verify identity, especially over a spoken medium like a phone where you can't check a photo ID or something like that. I mean, I remember when I was in college, the social security number was my student ID. So, you know, every test I took, every form I filled out had my social security number on it. Yeah, absolutely. And when I was in the military, it was the same thing.
Starting point is 00:17:06 Some people would even call it your serial number. Essentially, it was the number you were given at birth that was going to identify you for the rest of your life, which was okay. I mean, as soon as you started storing that type of information on computers and connecting those computers together, it was the beginning of the end. The situation we find ourselves in now, in your estimation, are we hitting the point where the social security number just isn't adequate anymore? In my opinion, it's already obsolete. If you just take the numbers of records that were breached and some of the larger breaches, even the smaller ones, if you just aggregate the number of people
Starting point is 00:17:38 affected by the Office of Personnel Management breach and the Equifax breach, it's realistic to say that 95 plus percent of American adults' Social Security numbers have been compromised. So at this point, I think the idea to even use a Social Security number as any form of identification at this point is a fallacy. People continue to use it. That's the scary part. But being able to use it right now to identify anybody with any level of confidence is just not there. And so you're seeing more and more people are asking for a Social Security number, but then they're asking for another form of identification on top of that, which just shows the weakness of the Social Security number as an identifier. So what sort of options do we have available to us? If we were to switch to something
Starting point is 00:18:17 else, what could we do? So I think the best example that we have right now is credit card numbers. If a credit card number is stolen, I can shut that credit card number off and I can be issued another credit card number. Then we could do something similar with national identifiers. It would require more infrastructure. But when you look at the numbers, it would certainly be less than what we're being cost by identity theft out in the marketplace today. I think in 2015, it was $15.4 billion to the U.S. economy. 2016, it was $16 billion. It's up to close to $17 billion. And we're not even done with 2017 yet. So I think there's enough damage to the U.S. economy and to personal lives being done to justify that we do something a little bit different. It can't just
Starting point is 00:18:58 be that you have this one number for life. And if it's breached, then you're kind of going to have to monitor your credit for the rest of your life, which any American at this point should be doing. Just because there's been so many breaches, there's a good chance that that information is out there. Is it just a matter that there needs to be political will for this, because this would not be a small, small job to undertake? Yeah, I mean, it would require a functional government. It would require a government that could get something done, right? And that's not a shot at either political party or who happens to be in power right now. It's just the fact that very little can get through Congress with the partisanship that we have.
Starting point is 00:19:35 And this is not just going to be a theoretical change in the way we do business. There's going to have to be funding with this, and there may have to be either changes to the Social Security Administration or a different department that handles the administration of these numbers. But if we want to continue to have a national identifying number, then we're going to need to do something like this. And if we want to scrap that idea completely, we have to find a different way to identify people. So there's no solutions that aren't going to require some change on our part and likely some money to do it. Are there any other nations that have taken the lead in this sort of thing? Nobody that's really done anything that I would consider
Starting point is 00:20:09 great, right, in terms of being able to throw something away, making it disposable. But there are some interesting things being done. Like in Spain, there's an article in their constitution that says that no one number can identify a person. So they have different national identifiers for different things. And there's, I believe, six of them. And so if you were trying to verify somebody's identity over the phone, for example, for the purposes of credit or something like that, you may ask for two or three of those things. So it makes it harder for you to breach a single person's identity. You would have to have multiple factors in order to do that. And in the United Kingdom, there's similar things. They have lots of different numbers. It's not just one. They have a national election roll number, and they have a
Starting point is 00:20:48 driver's license number that's tied to their identity. And then they have a national health services number. And there's several numbers. But I think the real answer is similar to what we do with credit cards. Yeah, it strikes me too. I think about, I've become a fan personally of using Apple Pay because, you know, it takes my credit card number, but then that information is, you know, is tokenized, and so there's an added layer of security. I mean, is that the kind of thing we, is that sort of technical solution an option for something like this? Yeah, I mean, you could certainly apply a multi-factor authentication strategy, which is really what Apple Pay is doing. It's essentially the token plus your fingerprint
Starting point is 00:21:29 equals your credit card number. You can certainly do something like that with the proliferation of technology, especially in this country. But we still have to keep in mind that there are still people who don't have access to that type of technology, even in America. And it's something that we often forget because so many of us have access to smartphones and things like that. We have to have a solution that fits all Americans. So if we're going to do something like that, we would have to make sure that there are programs in place where people who didn't have that technology today could have access to some way to utilize that technology. It's time for us to do something different. And what that something is should be the subject of national debate.
Starting point is 00:22:05 And I'm not saying that I have all the answers, but I would love for the conversation to happen and for us to come up with a solution and lead the world on this. That's Jeremy Wittkop from InteliSecure. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
