CyberWire Daily - BioWatch info potentially exposed. Scammers indicted. Ukrainian cryptojacking exposed sensitive data. Social engineering notes. Boo birds and lawsuits. Data use and privacy. Low-earth orbit hack.

Episode Date: August 26, 2019

BioWatch info exposed. Patched vulnerabilities are weaponized in the wild. Romance and other scam indictments name eighty defendants. Cryptomining and data exposure. Social engineering with a sheen of... multi-factor authentication. Suing the boo birds and the people who let them in. The road to unhappiness is paved with mutually exclusive good intentions. And alleged identity theft from low-earth orbit. Craig Williams from Cisco Talos discussing Heaven's Gate RAT. Guest is Mike Weber from Coalfire on their recently published Penetration Risk Report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_26.html  Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Patched vulnerabilities are weaponized in the wild. Romance and other scam indictments name 80 defendants. Crypto mining and data exposure. Social engineering with a sheen of multi-factor authentication. Suing the boo birds and the people who let them in. The road to unhappiness is paved with mutually exclusive good intentions.
Starting point is 00:02:17 And alleged identity theft from low Earth orbit. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 28, 2019. It's good to be back. The Los Angeles Times reports that data concerning the U.S. Department of Homeland Security's BioWatch program were exposed for over a decade on a contractor's unsecured server. The data included some sensor locations, a list of bioagents that could be detected, and some contingency plans. The vulnerable site has been shuttered and the data moved behind a DHS firewall. None of the data reported to have been vulnerable to hackers seems to have been highly sensitive, although of course no responsible agency wants such information gurgling around out there on the internet. DHS doesn't know and is unlikely to ever know whether any unauthorized parties accessed the
Starting point is 00:03:15 information. According to ZDNet and others, attackers are weaponizing vulnerabilities in Webmin servers, Pulse Secure, and Fortinet VPNs. Users are urged to patch. Security Week reports that the U.S. Department of Justice unsealed an indictment, naming some 80 defendants in a range of online frauds ranging from business email compromise to romance scams. The two lead defendants and several co-conspirators are Nigerian nationals. Internet UA says the crypto mining rig Ukraine's SBU dismantled at the South Ukraine nuclear power station apparently exposed data about the plant's physical security. Such data are sensitive and in Ukraine they are considered state secrets.
Starting point is 00:04:03 Phishing attempts are mimicking multi-factor authentication login screens, Naked Security says. They aren't really multi-factor authentication screens, of course. They're simply malicious links. But the appearance is more convincing than what's usually been seen in earlier attempts. Sophos advises avoiding email links, being aware of domain names, and forgoing any shortcuts to determining whether accounts are being misused by some third party. Mike Weber is vice president at Coalfire Labs,
Starting point is 00:04:33 and we caught up to discuss the most recent release of their annual penetration risk report. But first, he shared some of the trends he was tracking at this year's Black Hat conference. I would say that most organizations, they know what they want to expect, but they don't want to get stuck doing what others have done. So one of the things that we've seen in faults of organizations with solutions in the cloud are different. What we're finding in vulnerabilities through our penetration testing, they're changing a bit.
Starting point is 00:05:02 So when we look at what we saw over in past years, 2016, 2017, we're finding the traditional vulnerabilities across enterprises and software. There are soft, weak security mechanisms on the inside of a company. Perimeters are reasonably robust and application issues are your traditional OWASP top 10. Now that we see these companies going to the cloud, we're finding more of the misconfiguration vulnerability as the top of the heap. Organizations that are trying to deploy a cloud solution, they're trying to be cloud provider agnostic. So if they want to move from Amazon S3 over to Azure Blob or whatever they want to do, they want to make it so that it's very flexible in that solution so they can change it. You know, so they're not completely tied to a provider. I get it. It's great business reason. However, in building those and deploying them, sometimes you're not leveraging the security controls that are inherent in some of these services or in the suite of services you can get from a single provider based on whether or not understanding that it isn't available or there isn't an equivalent or the equivalent is something different and has a different nomenclature. And it can get very confusing when developing
Starting point is 00:06:09 these solutions for the cloud, particularly when using hybrid clouds or mixed providers. We saw that reflected in our penetration risk report. Well, let's dig in a bit and talk about your Coalfire Labs penetration risk report. What are some of the key findings? What did you discover by putting the data together? Well, last year, we found this sweet spot. We thought that what we're going to see is we're going to see, you know, from a company size perspective, you know, large companies, lots of money, small companies, no money, medium sized companies, you know, growing or whatever. We found that the medium sized companies were in this sweet spot. They were more secure, by the way, we define secure through the collection of the data, that mid-sized
Starting point is 00:06:50 companies were more secure than their large or small brethren. This year, when we looked at it, it's sort of flipped on its head. So this year, we found that these large companies have improved significantly within our data set. So large companies end up being in the sweet spot for this year. But what's interesting is when you look at our data set, our data set has so many more cloud providers, software as a service solutions, infrastructure as a service, platform as a service, you name it, large companies. Our data set does collect information from the largest cloud providers in the world and also very niche-y small companies that are putting their solutions in the cloud as well. But when you look at the type of business and how that demographic information has changed, it also changes the type of work we're doing.
Starting point is 00:07:40 So we're doing more work for these cloud providers, which are generally the larger companies, which has changed basically the security posture that we've identified. When you remove them, we're similar to that sweet spot, leaning towards the middle. But because everything's going to the cloud, I think this is going to be a change that not only our business is going to see; every security assessment company is going to see it as well. And we need to adapt. As a company, we need to adapt to these changes. And our clientele have to ensure that they're positioning themselves for this future world that is very cloud-centric. Based on the information that you gathered here that you're assembling for this report,
Starting point is 00:08:23 what are your recommendations going forward? For organizations that are moving to the cloud, not to disregard the complexities of these cloud organizations. As an example, within our top vulnerabilities last year, I think security misconfigurations didn't even make the top five. This year, it's number two. So understanding how that defense in depth has to be deployed across a cloud model. Also looking at solutions from a threat model perspective. Classical threat modeling on applications applied to solution architecture early in the development lifecycle is key to getting a good understanding of the significance of some of the controls that are built into these cloud platforms, as well as what
Starting point is 00:09:05 needs to be built into the application or solution to be able to augment it. That's Mike Weber from Coalfire Labs. You can find their penetration risk report on their website. Crown Sterling is suing Informa subsidiary UBM, the well-known trade show impresario whose offerings include Black Hat. Crown Sterling, an emerging security company that's emerging into the marketplace from Newport Beach, California, alleges breach of contract. It's over the poor reception its presentation received at Black Hat. The boo-birds were out in force. The presentation that was poorly received, "Discovery of Quasi-Prime Numbers: What Does This Mean for Encryption?",
Starting point is 00:09:47 was based on a paper, Accurate and Infinite Prime Prediction from Novel Quasi-Prime Analytical Methodology, by Crown Sterling CEO Robert E. Grant and Crown Sterling physicist and data science consultant Talal Ghanam. Crown Sterling says it stands by its presentation. Ars Technica quotes Grant as saying, quote, Crown Sterling has announced a legitimate multidimensional encryption technology
Starting point is 00:10:11 that challenges the paradigm of today's encryption framework. We understand that the discovery completely transforms the way we secure data and that some members of the security industry are resistant to change or accepting of new technologies that do not conform to traditional approaches. In a press release announcing their lawsuit, Crown Sterling's Chief operating officer, Joseph Hopkins, said that, quote, we were assured by Black Hat and its public code of conduct that our presence would be treated openly and fairly. That did not happen, end quote. The critics call the method Crown Sterling presented snake oil. Their vigorous assertion of that view prompted the lawsuit. In addition to naming UBM in their suit, Crown Sterling is also going
Starting point is 00:11:06 after 10 Does, as in John Doe, a person unknown or at least not named from among the boo birds. In fairness to Crown Sterling, we note that some of the boo birds were feisty enough to warrant ejection from the conference room. In fairness to the boo birds, a mathematician published a proposed refutation of Crown Sterling's results last month. BuzzFeed reports that Facebook has yet to deliver data it promised academic researchers to support studies into the effect of social media on democratic institutions and processes. The problem, according to BuzzFeed, is that Facebook has reneged on its offer and that it's citing privacy concerns that by implication
Starting point is 00:11:46 are convenient and arguably bogus. It's for research, after all, and research in the service of democracy. Alex Stamos, now of Stanford University and formerly Facebook's lead security executive, has come out swinging on behalf of his former company. He's engaged various news outlets, including Gizmodo, BuzzFeed, and the New York Times, with tweets about their reporting of the Cambridge Analytica scandal and other privacy matters. If you want to understand why academic research
Starting point is 00:12:14 is being inhibited, he suggests, look in the mirror, reporters. It would be easy to dismiss this as a vaguely Nixonian attack on dishonest journalism, by which the complainer means journalism I dislike because it makes me look bad, but actually Stamos has a point. Of course, Facebook is skittish about sharing data with academics when such data might involve the company in privacy violations.
Starting point is 00:12:40 The company is in enough hot water over its data handling. But it's one thing to raise outrage over data handling, and quite another to complain that data aren't being shared freely enough. Inconsistent preferences are never a good thing. The road to unhappiness is paved with mutually exclusive good intentions. NASA's Inspector General is conducting an inquiry into what may turn out to be the first known case of crime committed from space. The New York Times reported Friday that astronaut Anne McClain told investigators
Starting point is 00:13:11 that she accessed her estranged wife's bank account during a six-month tour aboard the International Space Station. She denied moving any money from the account and is quoted in Heavy as saying she simply checked the account to monitor the couple's finances, as she has done throughout their time together. The astronaut's spouse, Summer Worden, filed a complaint with the U.S. Federal Trade Commission alleging that McClain had committed identity theft. Ms. Worden said that she didn't detect any theft from the account. Worden's parents independently complained to NASA's Inspector General, alleging that Ms. McClain had improperly
Starting point is 00:13:48 gained access to private financial records in the course of the divorce and attendant child custody fight. So, perhaps we see something new under the sun, an allegation of identity theft committed from low Earth orbit.
Starting point is 00:14:26 Calling all sellers! Solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:53 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:15:06 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:10 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, it's always great to have you back. You and your team have been tracking some RATs and some stealers using something that you're referring to as Heaven's Gate. There's a lot going on here, so can you sort of give us an overview? What are we tracking here? Let's look at why this exists first. And you know, what's the problem with malware? And what are the challenges that malware authors face?
Starting point is 00:16:57 Well, detection. Antivirus systems, systems like AMP have gotten really good at detecting malware. And so it's basically a cat and mouse game between the good guys and the bad guys. And this is basically a new loader that's doing some cool stuff that we wanted to make sure people were aware of. And the reason it's called Heaven's Gate is an old technique that basically allows 32-bit malware running on a 64-bit system to hide the API calls by switching to a 64-bit environment. So it's a really weird technique. It works. It's well known. And so when you combine that with some of the very sophisticated packing techniques in this malware, you can load known malware samples and have them pretty much go undetected through a lot of security systems. The things we're seeing it
Starting point is 00:17:37 used with right now are really crypto mining and malware families like Remcos. So it's pretty common. It's pretty effective. And so that's why we wanted to make sure that we documented it so that everyone can be aware of how it works, our competitors can notice the blog and can fix their detection. Because at the end of the day, that's what Talos is really out to do, right? We want to wreck malware's ability to operate. We want to stop their ability to do business.
Starting point is 00:18:01 And if we have to help our competitors do that, we absolutely will. And so where are we when it comes to being able to detect this? Oh, naturally, we're great. I mean, the royal we, not the Cisco we. It depends on where you are when you see it, right? So if you're flying by a wire, like, say, a Firepower appliance or a network intrusion prevention system, this is going to be a tricky one, right? Because it's packed. But there are certain things you can look for, right? If you're looking at the way, you know, a PE executable is built, you can look for certain things that
Starting point is 00:18:34 maybe shouldn't be there, right? And if you have it on the end host, well, there's definitely a lot of stuff you can do to look at, because normal software is not written like this, right? Normal software doesn't have all this crazy looping and jumping around. It's really only found in malware that wants to be evasive, and particularly the Heaven's Gate technique. Is this the sort of thing that we're seeing more and more of? I mean, you described it as sort of an odd way to do something, this, you know, running 32-bit code and switching to 64-bit mode. Are the folks out there, by necessity, getting more and more clever?
Starting point is 00:19:14 Yes, I mean, that's really what it is. If you have to think about it linearly, I think the best way to think about it is a malware author wants to do X, right? So the malware author designs malware to do X. Well, then the AV company has to stop that because they notice it and it's a risk to their clients. And so the AV company then designs protection around whatever technique that is. Well, then the malware author's technique is no longer effective. And so then he has to evolve his technique in a way that bypasses whatever the AV companies are looking at.
Starting point is 00:19:43 And so it's really just a game of cat and mouse until someone builds the best mousetrap. And you'll even notice in the blog, there's a list of types of antivirus file names that it's looking for, and it's not even looking for it in a linear way. It's doing it all over the code base, so it's much harder to see. That's interesting. So even sort of the basics, I guess you would consider bread and butter parts of the functionality of this malware they're being clever with to make it harder to find. Right. And what happens is when it does hit that particular check, if it does find that antivirus file, it will terminate and it won't execute you further.
Starting point is 00:20:20 I see. You can imagine if you're running this in a sandbox, it's problematic. Or if you're trying to automate analysis, it's problematic because they're checking for those types of tools. Yeah, interesting. All right, well, the blog post is titled RATs and Stealers Rush Through Heaven's Gate with New Loader. That is on the Talos Intelligence blog. Craig Williams, thanks for joining us. Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
Starting point is 00:21:05 designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:01 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:22:19 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
