CyberWire Daily - Collection #1 and the threat of credential stuffing. Cryptojacker disables some cloud security tools. Don’t chat with strange bots. Facebook shutters more Russian coordinated inauthenticity.

Episode Date: January 18, 2019

In today’s podcast we hear that Collection #1 is big but not the end of the world. Still, be on the lookout for credential stuffing attacks. Rocke cryptojacker can disable some cloud security services. Beware of Telegram bots. Facebook shuts down a few hundred inauthentic Russian pages, and Sputnik shows up as either a free-speech paladin or another troll farm—take your pick. Epic Games closes a vulnerability that exposed data of Fortnite players. Malek Ben Salem from Accenture Labs on power grid vulnerabilities to botnets. Guest is former U.S. Secretary of Homeland Security Michael Chertoff discussing his book Exploding Data. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Collection #1 is big, but not the end of the world. Rocke cryptojacker can disable some cloud security services. Beware of Telegram bots. Facebook shuts down a few hundred inauthentic Russian pages.
Starting point is 00:02:11 And Sputnik shows up as either a free speech paladin or another troll farm. Take your pick. Former U.S. Secretary of Homeland Security Michael Chertoff joins us to discuss his new book, Exploding Data. And Epic Games closes a vulnerability that exposed data of Fortnite players. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 18th, 2019. Yesterday, Troy Hunt, proprietor of Have I Been Pwned, announced to considerable éclat
Starting point is 00:02:49 the discovery of a large trove of credentials for sale in a dark web market. A number of people pointed him in the direction of the files. He calls the breach collection number one, after the name the seller assigned to the folders, and it's very big indeed, some 87 gigabytes of data. Hunt observes that the passwords and email addresses came from an indeterminate number of breaches running back probably 10 years, since there are some indications in the material that it derives in part from incidents going back to 2008. The hoods offering the material for sale goes by the name Sanixer.
Starting point is 00:03:26 Krebson Security contacted Sanixer and concluded that much of the material is indeed relatively old, gleaned from various sources, and possibly worth every cent of the $45 Sanixer is charging, which is to say it's probably not worth very much. 773 million unique email addresses and 21 million unique passwords are a lot of credentials, to be sure, but Motherboard is probably right to point out that Collection No. 1 is not the devastating blow to Internet users that's been giving some media outlets the yips over the past couple of days.
Starting point is 00:04:01 Good job by Mr. Hunt and Have I Been Pwned in finding Collection #1 and in offering a measured, non-alarmist assessment. It should serve as a nudge toward better digital hygiene. In particular, Hunt notes that avoiding password reuse and using a password manager are two sound practices. He warns that the principal threat misuse of Collection #1 poses is that of credential stuffing, the rapid checking of as many possible user ID and password combinations across a wide variety of sites. Palo Alto Networks warned that the Rocke coinjacking malware is able to disable five Tencent Cloud and Alibaba Cloud security products that would otherwise prevent it from operating in
Starting point is 00:04:45 infected systems. Tencent and Alibaba's tools are mostly used in China, but the appearance of coinjacking malware that can find and disenable cloud security software is a disturbing harbinger of things to come, especially as more people come to depend upon the cloud for their security. Security firm Forcepoint has been looking at the encrypted messaging app Telegram and found that the service is susceptible to use by malware that exploits the Telegram bot API for its command and control channels. In essence, the risk to users is that of a man-in-the-middle attack, where a bot's messages can be replayed to yield the history of messages
Starting point is 00:05:25 sent or received by that bot. Since bots and human users often share a group chat, the risk to users is clear. Forcepoint recommends that if you use Telegram, you neither use bots nor participate in group chats with them. Facebook made another sweep of coordinated inauthentic sites, pulling down 364 Russian pages yesterday. The pages targeted were judged to not only be inauthentic, but also have engaged in information operations. The accounts were linked, Facebook says, to the Russian news agency Sputnik. The sites were involved in two distinct influence campaigns, neither one targeting the U.S. One operation targeted Ukraine, and the second involved Central and Eastern Europe, the Baltics, Central Asia, and the Caucasus. The campaign against Ukraine resembled the activity St.
Starting point is 00:06:18 Petersburg's famous troll farm, the Internet Research Agency, conducted against U.S. populations during recent elections. The other campaign is described as a content amplification effort tied to themes pushed by Rossiya Syevodnaya, which is Russian for Russia Today. Much of the content amplification is said by the Atlantic Council's Digital Forensics Research Laboratory to have pushed stories generally favorable to authoritarian political figures. Sputnik is a subordinate brand of Rosia Syevodnaya, whose formal mission statement says the news service's purpose is to secure the national interests of the Russian
Starting point is 00:06:57 Federation in the information sphere. Sputnik says, well, that's not their mission, but come on. Sputnik also says, rather brassily, that, well, sure, some of the accounts were their people's, and, yeah, they didn't always give their true names, but that what Facebook did to them is just wrong. It's just censorship, straight up, says Sputnik, and a violation of free speech. In fairness to Sputnik, it does seem reasonable to conclude that they and their sister brands probably know a thing or two about censorship and violations of free speech. At any rate, we say, bravo Facebook. And finally, winner winner chicken dinner. Game Daily reports that Epic Games has patched
Starting point is 00:07:40 the Fortnite flaw that exposed some 200 million gamers' data. Checkpoint found the cross-site scripting problem and disclosed it responsibly to Epic Games, not even making them rifle through a bunch of random loot boxes for the information. The flaw could have placed at risk credit card data, personal information, and voice chat audio. In principle, the game's entire user base might have been affected, and the lesson here, again, is to use multi-factor authentication and strong passwords, which you promise yourself you'll never reuse.
Starting point is 00:08:11 Monday is Dr. Martin Luther King Jr. Day here in the U.S., and we'll mark the federal holiday by taking a day away from publishing. Both the CyberWire's daily news briefing and our daily podcast will return as usual next Tuesday. And tomorrow marks officially the third anniversary of the CyberWire daily podcast's public launch. You can check out that episode on our website, thecyberwire.com, for a walk down memory lane. And thanks to all of you for reading and for listening.
Starting point is 00:09:16 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:41 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:26 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:11 And I'm pleased to be joined once again by Malek Ben-Salem. She's a senior R&D manager for security at Accenture Labs. Malek, it's great to have you back. We wanted to talk today about some vulnerabilities with power grids and specifically ways to use botnets against them. What do we need to know here? Yeah, so we've heard about the Mirai botnet, right, that has showcased how IoT devices can create huge disruptions to our networks. Similar things could happen by leveraging those types of botnets,
Starting point is 00:11:43 IoT device botnets, against power grids. There is some awareness there, but we've never done the research about exactly what could happen to those power grids if we launch a large-scale attack using IoT devices against them. So the research shows that, you know, three things could happen or three types of attacks could be launched. Number one is attacks that can result in frequency instability. Switching on or off many high wattage IoT devices can result in an imbalance between the supply and demand, and this imbalance results instantly in a sudden drop in the system frequency. So if you think about an adversary who's exploiting a vulnerability in an air conditioner device that is Wi-Fi connected, they can create this sudden increase of demand
Starting point is 00:12:52 on a hot summer day that could result in this type of frequency instability. A second attack is an attack that could cause the line failures and result in cascading failures. So in this case, the imbalance between the supply and demand after the attack is not significant, but the frequency of the system is stabilized by the primary controller or the generator. But because of the way power is transmitted in the power grid, we can see the failure cascade throughout the network.
Starting point is 00:13:31 And that could result in an entire blackout. And then the third type of attack is an attack that just increases the operating costs of the power grid. By creating that new demand for power, this forces the power grid administrators to use some reserve generators. And those reserve generators are usually, you know, cost more. They usually have high prices than the normal generators that are committed as part of the day ahead planning. The adversary does not require a large botnet size. So for the critical frequency drop, all they need to get a hold of is about 200 to 300 bots that consume on average 1,000 megawatts. So you can think of a water heater or an air conditioner. 200 to 300 of those can create that type of critical frequency drop.
Starting point is 00:14:37 For a line failure and cascades attack, all they need is 4 to 15 watts. And for increasing the operating costs for the power grid all they need is about 30 to 50 bots now is this a worst-case scenario I guess I'm wondering what is the practicality of this is this a I mean obviously they're they're they're considering this in a in a theoretical kind of way but how practical would this actually be to execute? So if you think about the limited size that's needed, 300 to 500 bots, and if you think about how vulnerable the IoT devices that we deploy are, you know, we know that a lot of them are, you know, widely accessible,
Starting point is 00:15:28 remotely accessible, are using still, you know, default passwords. These types of attacks, I think, are feasible, you know, and we may see them anytime. What we need to do is to do a lot of work on securing those devices. They're growing in numbers now. So we know that a lot of these, you know, air conditioners and are now Wi-Fi enabled, right? And even the older appliances can be remotely controlled by adding Wi-Fi enabled peripherals, such as Taito and Aquanta to them. In terms of number of devices, while today we don't have enough devices out there that are high wattage devices, right? But very soon we'll have enough of them for adversaries to be able to conduct these types of attacks.
Starting point is 00:16:21 All right, Malik Ben Salem, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. You know Michael Chertoff as a former federal judge and the second U.S. Secretary of Homeland Security. Nowadays, in addition to being a founding principal of his namesake Chertoff Group,
Starting point is 00:17:27 he's also a member of the advisory board for the Global Cyber Innovation Summit, which we're looking forward to this spring in Baltimore as media partners. Secretary Chertoff joins us today to discuss his recently published book, Exploding Data, Reclaiming Our Cybersecurity in the Digital Age. He joined us by telephone from his office in Washington, D.C. I remember in the wake of the Edward Snowden episode, there was a lot of concern about government surveillance and the way government was accessing and using data. As I reflected on it, I thought that people actually did not understand that the private sector collects and uses data much more substantially than the government does and with much less restraint. And the government largely does it because we're dealing with protection of life, whereas in the private sector, it's often simply for commercial purposes. So it seemed to me that I needed to lay out for the public, for the educated public, exactly what is going on with
Starting point is 00:18:30 data, the way it's transformed our society, and to suggest that we need to maybe reset our laws and our policies so that it fits with the current technological situation. Yeah, and one of the things you go through in the book is something you refer to as these different states of data collection. You call them data 1.0, 2.0, and 3.0. Can you give us an overview? What were you getting at here? Sure. I was trying to explain that, and maybe this is a lawyer, our laws have tended to deal with evolving technology Our laws have tended to deal with evolving technology by first trying to fit the technology into the old categories. And then finally, people say, you know what, the old categories just don't work anymore.
Starting point is 00:19:14 We've got to rewrite the categories. So 1.0 is the kind of data collection that occurred when people either spoke or wrote. So you got a letter or you had a book or something of that sort. And at that period of time, the way we looked at the issue of privacy was in terms of property. You had a right to have your books and possessions in your house protected against arbitrary searches. And all of the laws around what the government could do and couldn't do or what private people could do and couldn't do, or what private people could do or couldn't do, was based on your property rights. About 150 years ago, as we developed photography, and then afterwards you got telephony, we began to experience government and the private sector
Starting point is 00:19:56 using that to collect data in a way that was much different than had been the case previously. So, for example, there's a famous case where someone took a photograph of their girlfriend and without her permission, put it on bags of flour to be sold commercially. Or we had wiretapping, which for the first time could take place not by invading your home, but by simply tapping onto an outside telephone wire. So when people raised objections, the initial reaction was, well, if you don't have a property right or your property wasn't invaded, you have no complaint. But eventually the courts
Starting point is 00:20:32 and the legislature said, you know what? Protecting property is not really what it's about anymore. It's about protecting your right to own your own image for commercial exploitation. And it's about the right to have a confidential conversation. So that was what I call 2.0. 3.0 is what we have now, where the amount of data we generate and the ability to store and collect it is so vastly greater than before that even things that in the past occurred in public, which we felt were kind of trivial, now are part of a mosaic that can be put together that can really have an intrusive effect on the way you live your life.
Starting point is 00:21:14 And I think that's what we need to focus on now. And do you suppose we have the tools that we need to focus on that, or is it going to require a similar sort of evolution? I think we're beginning to see the changes. So, for example, the Supreme Court used to say that if you followed someone around in public, they had no right to privacy there in public, so you have no complaint. If it was a government agency, for example. But in a recent Supreme Court case, the court said, well, you know, if you actually use modern technology to follow someone 24-7, we're getting to the point now that we might require a warrant or some deeper level of permission. Likewise, in the old days, when you arrested someone, you could search anything they had on their person and you didn't need a warrant.
Starting point is 00:22:07 and you didn't need a warrant. But in a recent case, somebody had a cell phone, the police arrested them, and then they accessed the cell phone and all the data on the cell phone. And the court said, you know, that goes further than simply patting a person down for weapons or making sure they're not going to destroy evidence. You need to have permission for that. So I think you're seeing the court begin to change the rules. And I think now in Congress, and particularly if you go out to California in the legislature, they're now beginning to focus on whether we need to reset our laws. Yeah, that's where I was going to go next with you. Do you suppose that we have the political will to go through with something like this?
Starting point is 00:22:43 Actually, this is one of those rare issues in which I think you might get bipartisan agreement. California has been kind of out ahead on dealing with the issue of privacy and control of data. But I can say even dealing with Congress, I've heard both Republicans and Democrats express some concerns about the commercial exploitation of data and how it's used and how war can be used. And while I don't want to predict there'll actually be any action, I do think there's interest. One of the chapters in the book deals with cyber warfare. And it seems to me like that's been a tough thing to have a really firm definition of. It seems as though politicians are reticent to draw lines in the sand to say, if you cross over this,
Starting point is 00:23:32 we're going to consider that to be cyber warfare. I'm curious, what are your views on that? Well, I do think you have to be careful using the phrase cyber warfare, because once you say that there's actually been an active war, then your response may not just be limited to cyberspace, it may be extended to the physical world. On the other hand, we clearly have cyber conflict. We've seen attacks on critical infrastructure, particularly if you look at Russia and Ukraine. For several years now, the Russians have really attacked the civilian infrastructure in Ukraine. We've seen what we call information operations, attempts to sow discord and undermine confidence
Starting point is 00:24:15 in democracy as part of an overall strategy to weaken the Western alliance and to promote, let's say, Russian agendas. We've seen very significant theft and compromise of technology by the Chinese as they use cyberspace as a way of competing with us in the economic sphere. Now, I wouldn't say these are necessarily at the level of an act of war, which to me implies either loss of life or very, act of war, which to me implies either loss of life or very, very substantial damage. But I do think it's conflict, and I do think we need to begin to develop some clear rules of the road in terms of how we deter and respond to those kinds of acts of conflict. And what are your recommendations?
Starting point is 00:25:01 What do you suppose needs to be done as we look towards the horizon in terms of meeting this challenge with dealing with our data privacy? Well, I think one thing where I have to say the Europeans are somewhat ahead of us is by understanding that the idea of keeping information secret or confidential is going to be increasingly difficult, if not impossible. confidential is going to be increasingly difficult, if not impossible, largely because much of the information generated about us is not what we put on the internet, but it's what others put on about us, or locational data, or what we buy at the store, or what our Fitbit is communicating back in terms of what we're doing. So instead of trying to close the door when the horses are ready, you left a long time ago. I think as the Europeans have done, we need to focus on what is your right to control your personal data after it's been generated, and even if it's in the possession of someone else. So if someone has collected your data, whether you've agreed to it
Starting point is 00:26:02 or not, and they want to use it for a purpose other than that which was, let's say, the original intent, then I think they need to ask you for permission, and it needs to be real permission and not something buried in 100 pages of legalese. The Europeans have a regulation that now begins to do that. It's somewhat overly bureaucratic. But the point is the focus needs to change on who controls the data as opposed to how do I keep it secret. That's former Secretary of Homeland Security Michael Chertoff. The book is titled Exploding Data, Reclaiming Our Cybersecurity in the Cyber Wire.
Starting point is 00:26:51 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:27:17 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow. Thank you. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
