CyberWire Daily - BlueLeaks updates and fallout. Hidden Cobra hunt. Hacking leads to trade wars. What the crooks are watching, from their home and yours.

Episode Date: June 24, 2020

Twitter permanently suspends DDoSecrets for violating its policy with respect to hacked material. DDoSecrets explains its thinking with respect to BlueLeaks. A quick look at a Hidden Cobra hunt. Sino-Australian dispute over hacking may be moving into a trade war phase. Lessons on election management. What do cybercriminals watch when they binge-watch? Joe Carrigan explains the Ripple20 vulnerabilities. Cybersecurity Canon week continues with Joseph Menn, author of Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. And some notes on the most malware-infested movie and television fan communities. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/122

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Twitter permanently suspends DDoSecrets for violating its policy with respect to hacked material. DDoSecrets explains its thinking with respect to BlueLeaks. A quick look at a Hidden Cobra hunt. Sino-Australian dispute over hacking may be moving into a trade war phase.
Starting point is 00:01:40 Lessons on election management. What do cybercriminals watch when they binge-watch? Joe Carrigan explains the Ripple20 vulnerabilities. Cybersecurity Canon Week continues with Joseph Menn, author of Cult of the Dead Cow. And some notes on the most malware-infested movie and television fan communities. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 24, 2020. Twitter told ZDNet that the social network has permanently suspended
Starting point is 00:02:17 the DDoSecrets Twitter account, an account belonging to the group responsible for BlueLeaks, because DDoSecrets violated Twitter's policy against distribution of hacked material. Wired reports texts from DDoSecrets founder Emma Best, who responded to the observation that there's not a lot of illegal police activity on display in BlueLeaks. This shouldn't be surprising, she suggested. In DDoSecrets' view, the value of the material is that it shows that legal and normal police conduct is itself problematic, especially in terms of its tone and the attitudes it expresses.
Starting point is 00:02:55 Best attributes the attack to Anonymous, to Anonymous with a capital A, as she puts it, and that's always a bit of a hand-waving attribution, since Anonymous is more brand than organization, more like being a New England Patriots fan than being a New England Patriots player. But this does seem to be the biggest operation credibly attributed to the anarchist collective since the 2011 operations of what Wired calls the Anonymous subgroup AntiSec, who took and leaked law enforcement data in support of Occupy Wall Street. Best compares BlueLeaks to the work of Jeremy Hammond, currently still serving a 10-year sentence for his own hacktivism. A number of bloggers who've commented on BlueLeaks
Starting point is 00:03:37 don't like what they see, because what they see is a relatively indiscriminate revelation of names, addresses, phone numbers, license plates, banking information, allegations of crime, and so forth. Best told Wired that, due to the size of the data set, we probably missed things. I wish we could have done more, but I'm pleased with what we did and that we continue to learn. Security Boulevard published a sample of reactions to BlueLeaks under the headline, BlueLeaks is a huge fail for Anonymous and DDoSecrets. They basically painted huge targets on an unfathomable amount of private citizens, said one representative comment.
Starting point is 00:04:15 Unfathomable is an exaggeration. It's a finite database, after all, but the number is certainly a big one. Security firm ReversingLabs offers a walkthrough of the tools North Korea's Hidden Cobra, also known as the Lazarus Group, uses. The lesson the researchers draw is that it's possible to develop a rich picture of a threat actor from a starting point of publicly available intelligence. Channel News writes that Beijing is expected to retaliate for Canberra's strong hint that Chinese intelligence services are hacking targets in Australia on a large scale. The response is expected to take the form of tariffs and bans on certain Australian exports.
Starting point is 00:04:57 The Washington Post calls Kentucky's primary elections yesterday a success story worthy of emulation. The three lessons the Post draws for the security and successful conduct of U.S. November elections from Kentucky's experience this week are the importance of bipartisan cooperation, lots of upfront planning, and, perhaps most important from the point of view of security, no hasty introduction of novel and unfamiliar voting machines. A lot of people during the lockdowns and stay-at-home plans most of us are living with during the pandemic have turned to indoor amusement to pass time, like watching far too much television, for example. And so, the use of streaming services has grown during the emergency. That's true not only in the world at large, but in the underworld too.
Starting point is 00:05:46 Digital Shadows has noticed an interesting development in the Anglophone cybercriminal platform Nulled. Its gangland proprietors have begun offering a live streaming service, Nulled Flicks, to its members. The service offers television, blockbuster movies, and various memes. It comes with a chat feature through which members
Starting point is 00:06:05 can exchange tips, comments, and so forth. Nulled Flicks is free to forum members, which probably means, first, that there's not a lot of money to be made from it, and second, that the proprietors are interested in building their brand and developing member loyalty. So what are they watching in the underworld? Maybe shows that provide a sympathetic take on the life of crime, you know, like Sons of Anarchy, The Sopranos, Breaking Bad, or maybe even Dexter. But actually, no. And if you were hoping that the crooks would go for more improving shows like Oprah, Bassmasters, Bowling for Dollars, Teletubbies, reruns of the McLaughlin Group,
Starting point is 00:06:45 well, you'd be off there as well. Judging from the small sample of chatter Digital Shadows shares, when the hoods aren't on the clock, they like to kick back with the same sort of stuff other kids do. Need anime manga suggestions, reads one request. Hey kid, tried Sailor Moon? Space Battleship Yamato is pretty good too. Some chats are open-ended.
Starting point is 00:07:07 Need Netflix suggestion. Still others are invitations to critical engagement. Harry Potter vs. The Lord of the Rings. A tough call, but we're pretty sure that Radagast the Brown would win in a fight with Albus Dumbledore. Or Avatar 2 or Avengers Endgame. Another one that's too close to call, but we will say that neither of them is up to the standard of Ant-Man, still less to the very high bar set by Ant-Man and the Wasp. Digital Shadows points out that there are probably self-esteem issues at play here.
Starting point is 00:07:37 Members of English-language criminal fora tend to be younger and less professional than the denizens of other languages' platforms, and Russian speakers, we're looking at you. So they can feel shunned and belittled by their more hardened colleagues. It's like Americans who join the French Foreign Legion. They've got a reputation as complainers and non-hackers. Come back and see us when you're ready to march or die, Yankee. So the underworld apparently has its tender sensibilities, too.
Starting point is 00:08:07 And finally, some have wondered if particular television shows and movies are more dangerous than others. Researchers at security firm McAfee took a look at this question and concluded that, yes, yes indeed, some shows are riskier than others. They list the top ten titles that could lead you to a dangerous download. It's actually two top 10s, because they have a list for TV and one for movies. The dangerous TV shows include, in this order, Brooklyn Nine-Nine, which is a police comedy procedural, Elite, Harlots, Letterkenny, Poldark, Lost, You, Gentefied, Pen15, and Skins.
Starting point is 00:08:46 The movies, also in order, Warrior, Zombieland, The Incredibles, Step Brothers, Bad Boys, the 2019 version of Aladdin, the 1994 Lion King, Swingers, Frozen 2, and The Invitation. A lot of the risk comes from pirate streaming services, so if you must binge on Poldark, do so from a legitimate source. And be careful of associated fan sites for these titles too, not to mention their appearance as phish bait. Why these titles? Popular culture is market intelligence for the criminal classes. They follow people's interests, the better to socially engineer their marks.
Starting point is 00:09:25 You want Poldark? They got your Poldark right here. As for us, we're sticking to Bassmasters. We continue our week-long celebration of the winners of this year's Cybersecurity Canon Awards. In today's edition, CyberWire Chief Security Officer and Chief Analyst Rick Howard speaks with Joseph Menn, author of Cult of the Dead Cow, How the Original Hacking Supergroup Might Just Save the World. The CyberWire is celebrating the Cybersecurity Canon Project this week, in its sixth year identifying the must-read books for all network defenders.
Starting point is 00:10:04 This week, the Canon Committee announced the Hall of Fame inductees for the 2019-2020 season, and I am pleased to have on the show one of the winning authors for his book called Cult of the Dead Cow, How the Original Hacking Supergroup Might Just Save the World. Joe Menn, welcome to the show. Hey, thanks for having me, Rick. So, Joe, why'd you write the book? Well, I've been writing about cybersecurity for a long time. I wrote a book on it before, and it's basically, it's a grim picture. And rather than write yet another book about,
Starting point is 00:10:38 you know, why things are so hard, I wanted to try and point to solutions. And the Cult of the Dead Cow was a great vehicle for that because they go all the way back. They go back 35 years. They were involved one way or another in a lot of the inflection points in security. They're in the coordinated disclosure debate. This is the advent of hacktivism or sort of morally driven hacking, which has come to mean many different things to different people. And then the fact that they contributed so much in so many different ways. So in the public sector,
Starting point is 00:11:11 Mudge worked for DARPA on cybersecurity. In the private sector, Dildog, Chris Rioux, founded Veracode, which is a unicorn. And then in sort of the realm of, like, volunteers and hacktivists, they helped push Tor forward and many other things. So you can talk about all the big things that have happened in security through the lens of this one really interesting group that sort of had to keep leveling up in terms of their moral capacity as the challenges got bigger.
Starting point is 00:11:46 So because of the pandemic, this interview is a proxy for your acceptance speech of the Canon Hall of Fame Award. Any last words along those lines? Well, I guess I'd just like to say, first of all, I'm really honored. I've been a fan of the Cybersecurity Canon Project. And I actually obliquely mentioned it in the book because it's really important. The shared knowledge and the institutional knowledge is something that's precious. And there needs to be common values as much as possible, a common vocabulary. We need to
Starting point is 00:12:19 be talking about the same things in order to really make progress in something as complicated and daunting as cybersecurity. You know, I think there's been sort of an absence of discussion of moral issues in the field, but I think it's really important. And one of the important things that we can learn from the old school hackers is they all develop their own moral codes. You may not agree with many of them, but they at least put some work into it and they're willing to talk to their peers about that. And I think we need to go back to that.
Starting point is 00:12:53 The book is called Cult of the Dead Cow, How the Original Hacking Supergroup Might Just Save the World. And it is now officially inducted into the Cybersecurity Canon Hall of Fame. Congratulations, Joe. And thanks for being on the show. Thank you so much, Rick.
Starting point is 00:13:07 Our thanks to Joseph Menn for joining us. The book is Cult of the Dead Cow, How the Original Hacking Supergroup Might Just Save the World.
Starting point is 00:15:16 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, always great to have you back. Hi, Dave. You know, interesting story came by. This is from the folks at the security company JSOF. And this is getting a lot of attention. They've released information about a collection
Starting point is 00:16:18 of vulnerabilities they're calling Ripple20. What's going on here? So what's happening is there's a company called Treck, T-R-E-C-K, that has something that is called a TCP/IP stack. And for our less technical listeners, this is essentially the software that connects the operating system to the network. So if you look at the layered model, like the OSI layer model or maybe the Internet model, the five-layer model, there is a stack-like structure for sending data across a network. And at the very top of the stack is an application, and that takes its information and puts it into the next transport layer that goes down into. And it's all encapsulated inside of each other like the Russian babushka dolls, right? So that when you send the big doll across the line, it goes to the other side and it gets taken apart all the way up to the other application it needs to talk to. And that's called the TCP/IP stack. It's actually more than just TCP/IP. It can include some other
Starting point is 00:17:22 protocols. Like, for example, your web browser uses HTTP. That's just above the TCP part. And in between there, there may be other protocols as well. This is an integral part of everything that's connected to the internet, to the IP network. It has to have some kind of TCP/IP stack built into it or in the operating system. And what these guys have done is they found a set of 19 vulnerabilities in the Treck TCP/IP stack. Now, this is really significant because some of these are critical. They can result in remote code execution, which means I can do anything I want on these devices. But what's most significant about this is how broadly distributed this software is. It is in
Starting point is 00:18:07 a lot of devices from a lot of different manufacturers. And the reason for that is, if I want to start up a product and I want that product to be connected to the internet, why would I waste my time writing my own TCP/IP stack when I can just go out and get one and license it from somebody else, like Treck, right? It's actually- The internet's version of the red Lego brick that's, you know, two by four, the standard. Yeah, it's a basic building block that everybody has. Right. And furthermore, that might be the right thing to do from a security standpoint, right? Because if I don't have the expertise in-house to write a secure network stack, I'm going to invariably write something with vulnerabilities and defects in it. And that's what's happened here. I'm not saying that Treck doesn't have the
Starting point is 00:18:54 expertise. They spend almost all their time doing this, I guess. There's a team that is devoted to this product. But any software product is going to have vulnerabilities in it. Treck is actually taking this seriously. They have a response on their website as to how they're doing this. But really, this is going to come down to these individual device manufacturers, whether or not these device manufacturers have built their devices to be updatable. Let's say one of the, and I'm going to wager, I'm going to go out on a limb here, Dave. I'm going to say they didn't do that. The vast majority of these folks didn't do that.
Starting point is 00:19:25 Yeah. I mean, this library goes back 20 years and is used in all sorts of devices, including industrial control systems, things like the embedded devices that don't get replaced for 20 years. Right. Yeah, that's right. And the problem with updating this is you can't just go into a system, an industrial control system, and say, we're going to upgrade the TCP/IP stack on this device. There's a ton of testing you have to do and configuration management that you have to do before you do that. actually comfort that a lot of this stuff can't be exploited unless you're on the same network as the device. But if that device is connected to the internet and it's exposed to the internet, then it's available for exploitation. And getting over that hurdle of getting inside a network is not that significant of a feat, right? I mean, we see it happen every single day. The article here from JSOF says that there's one critical vulnerability in the DNS protocol that may potentially be exploitable by a sophisticated attacker over the Internet, from outside the network boundaries, even on devices that are not connected to the Internet. So I don't know how this works.
Starting point is 00:20:38 They're going to do a demo of this at Black Hat. I really want to see that. I'm kind of curious. It seems to me like they still either need a really sophisticated attacker who can compromise a DNS server that they know this device talks to, or again, they need to get inside the network and make a request, a DNS request to a server they control so they can send back the corrupted DNS packet that gives them code execution. That's how it works. A DNS response, a bad DNS response has to be received. And you can't just send a DNS response to somebody. It has to be in response
Starting point is 00:21:12 to a request. So this is one that people should pay attention to and take a closer look at. Yeah, this is something that if, you know, everybody should look at whatever Internet of Things devices they have on their networks. If they can't be updated, it might be time to start moving those things towards disposal. And when it comes time to replace them, make sure that these devices
Starting point is 00:21:35 can be updated, have new firmware flashed to the devices without causing too much overhead and consternation for the user. Yeah, yeah. All right. Well, Joe Carrigan, thanks for joining us. It's my pleasure, Dave.
Starting point is 00:22:21 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:12 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Starting point is 00:23:37 Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Starting point is 00:23:44 Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. Thanks for listening. We'll see you back here tomorrow.
