CyberWire Daily - Brute-forcing Parliament. Election hacking retaliation? Cyberspies hunt IP in East Asia. Microsoft security issues. ISIS hacktivists deface Ohio websites.
Episode Date: June 26, 2017. In today's podcast, we hear that the UK's Parliament recovers from a brute-force attack. Reports on election hacking in the US suggest there was some American cyber retaliation last year against Russian influence operations. BlackTech goes after intellectual property in East Asia. Windows Defender gets a patch, but Windows 10 source code leaks. Fireball malware's extent is disputed. ISIS hacktivists deface websites associated with the government of the State of Ohio. Webroot's David Dufour offers thoughts on phishing. And how much can we count on common sense?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Parliament recovers from a brute force attack.
Reports on election hacking in the U.S. suggest there was some American cyber retaliation last year against Russian influence operations.
BlackTech goes after intellectual property in East Asia.
Windows Defender gets a patch, but Windows 10 source code leaks.
Fireball malware's extent is disputed.
ISIS hacktivists deface websites associated with the government of the State of Ohio.
And how much can we count on common sense?
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, June 26, 2017.
Last Friday, the British Parliament sustained a brute force attack on email credentials belonging to members and staff.
Around 90 accounts are thought to have been targeted.
The principal concern that's been voiced is the possibility of blackmail.
Authorities took down the email service and required password resets,
which itself represented a significant disruption.
Initial attribution was to an unspecified foreign intelligence service.
That service has now, by consensus, been specified.
It's Russia's.
What is a brute force attack, and how do you conduct one? The CyberWire's glossary defines it as an exhaustive search for a cryptographic key or password that proceeds by systematically trying all alternatives until it hits on the right one. It can be resource intensive, but it can work, too.
We heard from High-Tech Bridge CEO Ilia Kolochenko about brute force attacks,
and he pointed out that such attacks can be simple and cheap to organize.
He said virtually any teenager could be behind it,
but he also thinks they can be relatively easy to defend against.
He said, quote,
a simple brute force attack can normally be detected and blocked within a minute.
He draws the lesson that fundamentals are still being ignored by governments that ought to know better.
Those fundamentals, he thinks, include two-factor authentication,
strict password policies and regular audits for weak passwords and non-compliance.
Other measures like advanced IP filtering and anomaly detection would also help.
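The detect-and-block-within-a-minute defense described above, as an added example that is not code from the CyberWire, High-Tech Bridge or the UK Parliament: a sliding-window detector that blocks a source IP after a burst of failed logins, and also catches the password-spray variant (a few guesses each against many accounts) that a per-account lockout alone would miss. The sshd-style log format, the hostnames and IPs, the thresholds and the sample log lines are all constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd-style auth log line; the format, hostnames and IPs used below are
# constructed for this example, not taken from the podcast or any real log.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2017):
    """Turn one auth log line into an event dict, or None if it is not a login line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "failed": m["result"] == "Failed"}


class BruteForceDetector:
    """Sliding window of failed logins per source IP.

    brute_force:    at least max_failures failures from one IP inside the window
    password_spray: failures against at least spray_users distinct accounts from
                    one IP inside the window (few tries per user, many users)
    An IP that trips either rule is blocked; its later events are reported as
    dropped_blocked and not counted. The thresholds are illustrative assumptions.
    """

    def __init__(self, window_seconds=60, max_failures=10, spray_users=5):
        self.window = timedelta(seconds=window_seconds)
        self.max_failures = max_failures
        self.spray_users = spray_users
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, user)
        self.blocked = {}                   # ip -> (timestamp, reason)

    def _expire(self, ip, now):
        """Drop failures older than the window so stale noise cannot trip a rule."""
        q = self.failures[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, event):
        """Feed one parsed event; return an alert dict, or None if nothing fired."""
        ip, now = event["ip"], event["ts"]
        if ip in self.blocked:
            return {"type": "dropped_blocked", "ip": ip, "ts": now}
        self._expire(ip, now)
        q = self.failures[ip]
        if not event["failed"]:
            return None  # a successful login is not counted against the source
        q.append((now, event["user"]))
        users = sorted({u for _, u in q})
        if len(q) >= self.max_failures:
            reason = "brute_force"
        elif len(users) >= self.spray_users:
            reason = "password_spray"
        else:
            return None
        self.blocked[ip] = (now, reason)
        return {"type": reason, "ip": ip, "ts": now, "failures": len(q), "users": users}


def run(lines, **thresholds):
    """Parse and feed every line; return the list of alerts in order of occurrence."""
    det = BruteForceDetector(**thresholds)
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            alert = det.observe(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


def make_line(hms, result, user, ip):
    """Build a constructed log line in the assumed format (date fixed for the example)."""
    return f"Jun 23 {hms} mail sshd[4412]: {result} password for {user} from {ip} port 51234 ssh2"


# Constructed sample: one classic brute force against a single account, one
# spray across many accounts, and one legitimate user who mistypes twice.
SAMPLE_LOG = (
    [make_line(f"14:02:{2 * i:02d}", "Failed", "alice", "203.0.113.7") for i in range(12)]
    + [make_line(f"14:05:{10 * i:02d}", "Failed", user, "198.51.100.23")
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [make_line("14:10:00", "Failed", "bob", "192.0.2.10"),
       make_line("14:10:05", "Failed", "bob", "192.0.2.10"),
       make_line("14:10:12", "Accepted", "bob", "192.0.2.10"),
       "Jun 23 14:10:12 mail sshd[4412]: pam_unix(sshd:session): session opened for user bob"]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert["ts"].time(), alert["type"], alert["ip"], alert.get("users", ""))
```

On the constructed sample the single-account burst is blocked at its tenth failure, the spray is blocked once it has touched five distinct accounts even though it never comes near ten failures, and the user who fumbles a password twice before logging in raises nothing. Keying the window on the source address rather than the account is what makes the spray case visible; in production the block would feed a firewall or rate limiter, and the same counters are the natural input for the anomaly detection and weak-password audits mentioned above.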
Inquiry into Russian influence operations against last November's U.S. elections
turns up records that purport to show that then-President Obama,
responding to concerns from Democratic members of Congress,
directed cyber retaliation against Russia using implants that would hurt.
Russia's demonstration of a grid-hacking capability against Ukraine continues
to stir concerns in the power sector. An op-ed in the Moscow Times suggests that publicly expressed
fear of Russian cyber capabilities plays into President Putin's hand. It's a weak hand,
most foreign policy experts think, but Mr. Putin has played it extremely well.
The editorialist calls it dark power, the malign shadow of soft power.
If soft power exerts itself in the form of positive examples,
dark power does so through fear, and this can be seen in cyber operations as well,
more luridly in assassinations.
Researchers at security firm Trend Micro are outlining the activities of the BlackTech cyber espionage group,
which is prospecting East Asia, especially Japan, Taiwan, and Hong Kong, for industrial intellectual property.
They've linked BlackTech, which they describe as active and well-funded,
to campaigns known as Plead, Shrouded Crossbow, and Waterbear.
BlackTech is working against bugs in outdated software, especially old Windows versions,
and has been seen using tools leaked from controversial lawful intercept vendor Hacking Team.
It's shaping up to be a challenging week for Microsoft.
Redmond quickly patched another flaw in Windows Defender that Google's Project Zero uncovered,
and that's the good news.
Check Point has been following the Windows malware that goes by Fireball.
The security company and Microsoft are at loggerheads over just how many Fireball victims are out there.
Check Point puts the count at 250 million.
Microsoft says it wasn't nearly that bad.
And anyway, Windows 10 S users were all safe.
Windows 10 S itself, however, may still be susceptible to attack by malicious word macros,
as suggested by a proof-of-concept ZDNet organized.
Microsoft has also disclosed that Windows 10 source code, about 10 terabytes of secure code and internal builds, according to reports,
has leaked online, where it's now open to whatever inspection and exploitation can make of it.
Pro-ISIS hacktivists, the usual skids belonging to Algeria-based Team System DZ,
have defaced sites belonging to the state of Ohio with a message reading,
you will be held accountable, Trump, you and all your people,
for every drop of blood flowing from Muslim countries.
Ohio is almost certainly just a target of opportunity.
We've seen before that Islamist hacktivists have shown a predilection for indifferently defended government sites in the American heartland.
Most of them have tended to be at the municipal level.
The state of Ohio is a somewhat bigger fish.
But ISIS hacktivists still haven't shown the sort of serious offensive capability many observers have long feared.
Finally, there's an opinion piece running in CNET that got us thinking.
The lead says, changing your password needs to become like washing your hands after using the bathroom. A habit.
We're a long way off from that.
This is the editorialist's partial answer to the question posed in the headline,
What will it take for cybersecurity to become common sense?
A lot, one thinks.
It's hard not to sympathize with the writer,
and surely he's right that it's baffling to find that people still think
123456 is a perfectly good password,
and that it could be made even better if they added a 7 for added complexity.
Heck, just ask people hanging out in Parliament's bar in Westminster
what a good brute forcing was like.
But passwords have probably reached their limits,
and changing them is a marginal improvement at best.
And besides, chasing the spread of common sense can be like chasing any other will-o'-the-wisp.
One of our stringers insists that we take the hand-washing metaphor seriously.
He was up in New York all last week, and he says that if hand-washing is common sense,
then common sense is surprisingly lacking in the restrooms at the Port Authority.
We begged him not to go on without success, and we'll spare you the details of his account,
but to summarize, if our hopes for security rest on a widespread outbreak of common sense,
well, Moses may have brought down the Ten Commandments, and no one's exactly nailed those.
SANS gave us 20 controls.
Sure, they're valuable and sensible and need to be taken seriously,
but is the SANS Institute likely to do better than Moses?
And on that uplifting note,
we hope we at least got your mind out of the Port Authority.
And I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. We wanted to touch on phishing today.
It's that attack vector that just doesn't seem to want to go away.
That's right.
And David, thanks for having me back.
Phishing continues to be the number one way folks get infected and it won't go away.
You're absolutely correct.
Most likely because it's a great business model.
I can blast out a bunch of emails with malicious links that redirect people to sites where I'm
trying to get their account information. And even if I'm only getting a tenth of a percent or even
less of hits, I'm getting a lot of valuable information from people who don't realize
that they're giving it to me. And we've seen some high profile phishing attacks lately.
Yes, we have with people emulating Google Docs, DocuSign, and these are
very professionally done. They look very authentic. And then once you've given out that information,
the nefarious actors are able to breach those sites and get to your information. So it's once
again, it's being very diligent because they're getting very good at this type of attack.
And if I'm someone whose job it is to protect my organization's network,
this is one I think that leaves me scratching my head because what I'm really up against is human nature.
Yes, and David, I might have said this to you before, and the folks around here get really tired of hearing this,
but in 1988 when I joined the U.S. Air Force, one of the
number one ways of attack was someone figuring out how to get your username and password. And
here we are almost 30 years later, and the number one form of attack is someone trying to get your
username and password. Really, this all boils down to teaching the user how to identify a phishing
site and not being drawn in.
This is strictly a user product.
There's a lot of tools we can put in place to try to block those URLs and block those sites,
but they still get through email systems and email filters.
And at the end of the day, if we can educate our users, that's the number one way of prevention.
And what about the notion of the carrot versus the stick,
of rewarding people for doing the right thing versus punishing people if they make their wrong
choice? That's a great idea. And in fact, I think a lot of folks would like to figure out how to do
that better. I don't know what the carrot is, but I do believe that that's probably the better way
so people are conscious and they're more aware rather than being fearful of something.
Yeah, it seems like such a complex problem because on the one hand, you can stand up technical solutions to this and try to defend yourself against, you know, if someone has accidentally compromised your system, that insider threat.
But again, it's just so hard to fight against human nature.
People are curious or
lazy or just will click those links. They will. And the single biggest piece of advice,
if you're going to go to a link, is type it in that address bar. Don't click the link. And I
know it's fun to look at the YouTube video and things, but typing that link in is the most sure way
of getting to where you want to go. All right, David Dufour, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.