CyberWire Daily - CrashOverride update. Influence ops harder to disrupt than infrastructure. Samba exploited for cryptocurrency mining. NSO Group for sale. Botnets and fake news. Airliner laptop bans.
Episode Date: June 13, 2017
In today's podcast, we hear that CrashOverride looks like a power grid threat, and industry and government are taking it seriously. Cyber operations against ISIS are proving better at collection than disruption. Criminals are exploiting vulnerable Samba instances to spread cryptocurrency mining software. NSO Group has put itself up for sale, valued at more than a billion dollars. Well-informed observers of a civil libertarian bent think botnets don't have First Amendment rights. Johannes Ullrich from SANS and the ISC Stormcast podcast on IPv6 security. Kirsten Bay from Cyber adAPT on WannaCry and the importance of a detection-led approach. And if you wondered about that airport laptop ban, here's the rest of the story.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CrashOverride looks like a power grid threat, and industry and government are taking it seriously. Cyber operations against ISIS are proving better at collection than disruption. Criminals are exploiting vulnerable Samba instances to spread cryptocurrency mining software. NSO Group has put itself up for sale, valued at more than a billion dollars. Well-informed observers of a civil libertarian bent think botnets don't have First Amendment rights. And if you wondered about that airport laptop ban, here's the rest of the story.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 13, 2017.
Yesterday's revelations concerning the CrashOverride, or Industroyer, malware used against Ukraine's power grid last December have prompted a response across the sector. US-CERT in particular has begun work to help utilities stay ahead of the malware ESET and Dragos found in the Ukrainian power grid takedown. The U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center, NCCIC, has distributed a set of indicators of compromise to the power industry, and they're freely available to any interested parties.
The security firms who produced the research attribute the malware to a threat group, Electrum, with ties to Sandworm. They stop short of calling out a nation-state, but Ukrainian authorities have left no doubt that the attacks they sustained were the work of Russian security services. Most observers agree. Dragos and others believe the attacks in Ukraine may well have been proofs of concept or dry runs for other strikes against critical infrastructure. Such concerns may of course be overheated and prove unfounded. The Mirai botnet, for example, was also believed for a time last year to have been the work of Russian security services, as opposed to the brainchild of a skid entrepreneur hawking Minecraft in-game purchases. But it's not unreasonable to see a larger threat in CrashOverride. It was carefully crafted to its purpose, built about as close to scratch as malware gets, and bears few of the usual fingerprints in the form of reused code that accompany most malware.
The power industry continues to consider the implications of this discovery. We'll be following the story as it develops.
Crooks are exploiting the Samba vulnerability in Linux and Unix machines
to spread cryptocurrency mining software.
Researchers say the criminals have only made about $6,000 so far, but the mining process is resource-intensive, and the campaign's continued spread means that CVE-2017-7494 remains unpatched on a great many Samba instances.
It's fair to say the WannaCry ransomware attack was a big deal, and it had the potential to be a lot worse. Many security teams look to it as a cautionary tale or even a wake-up call. Kirsten Bay is president and CEO of CyberAdapt, and she thinks there are some valuable lessons to be learned from high-profile attacks like WannaCry.
Well, my first thought was, oh my gosh, it's finally happening, and hopefully this will get people to pay attention such that they think they actually need to do something about it, as opposed to going, wow, that's a really big problem, hopefully someone does something about that. Fortunately, it was a relatively old compromise, and it was weaponized, of course, by the NSA. But it certainly does give us the opportunity to look at something that isn't new, but certainly has changed. And that's really the nature of all of these types of attacks, right? It's not that anything is particularly new. It's how people are manipulating it to be more effective in today's environment. But if this were a zero-day, this could have been a real issue.
And you all are advocating what you describe as a detection-led approach. Can you tell us what you mean by that?
Well, it has a number of components to it, but the detection-led approach, from our standpoint, really being a threat-centric approach, is to understand both the outside world, that being the threat intelligence world, the bad guy world, where everything's happening live on the wire, in the sense that these are live attacks happening in the environment. But then there's also what's happening on the network, whether it's just basic network traffic or something anomalous happening in the network traffic. And our view is that we really need to understand the motivation and intent of an adversary to then identify the indicators of compromise, so that we can be much more effective and efficient at helping incident responders remediate those attacks, but also be a little bit ahead and be able to prevent some of them by alerting as they're hitting the firewall and preventing them from getting in in the first place.
So what kind of advice do you offer for people going forward, now that this attack is in our rearview mirror?
Well, the key thing for me always is about prioritization. And I come from a risk background, so I try to take the risk management approach to these solutions, which is first try to understand what it is that you need to be prioritizing to protect it. Very often I have executives and security professionals alike asking me, can you please just tell me what to do, which is something that we've tried to do with our solution. But also what we're really trying to do is help people identify what is the event that could have substantial ramifications and impact to your business. And then let's figure out how we prioritize around those events. Because I think for years before now, we had this peanut butter spread approach to security, which was we'll just deploy everything the same way. It's expensive, and it's not particularly effective. And so what I really have been trying to get people to think about is, what are your critical assets? What are your critical business functions? And how do you secure that in a different way, where you really put the Fort Knox around that, but then do other elements of securitization around your perimeter and inside your network that then give you the layered approach, the defense in depth strategy, really. But prioritization is key to me.
That's Kirsten Bay from CyberAdapt.
In industry news, NSO Group, the controversial vendor of the Pegasus lawful intercept tools, is up for sale. The valuation of the Israel-based company is in unicorn territory, being pegged at somewhat more than a billion dollars. NSO Group's products have attracted adverse comment from Citizen Lab and others, who object to their use by various authoritarian regimes. There are dissidents in prison who were caught by Pegasus software.
The New York Times credits U.S. cyber operators with successes against both Iran and North Korea,
but says efforts against ISIS have been less successful.
In this, they perhaps overrate U.S. success against North Korea's missile program, successes which are by no means as clear, or even as clearly attempted, as third-party sources in the UK have said.
But Iranian and DPRK nuclear programs present a very different set of challenges than do the operations of ISIS in cyberspace.
The caliphate isn't running a readily identified and attacked industrial infrastructure.
Instead, it uses cyberspace for recruiting and inspiration.
The networks and resources it devotes to these are reconstituted almost as soon as they're taken down,
and they continue to reach terrorists and impel them to jihad.
This suggests that influence operations are tougher to block than traditional IT or OT hacks.
At the CyberTech Fairfax conference today, we heard a keynote by former U.S. Homeland Security Secretary Michael Chertoff,
who offered an interesting perspective on information operations.
Asked specifically about fake news and what could be done to control or restrict it,
Chertoff identified himself as essentially a First Amendment absolutist.
I'm old-fashioned about the First Amendment, is how he put it. He offered familiar observations about the difficulty of distinguishing fake news from real news, and about the proper response to bad speech being other, better speech. But he also noted that, quote, botnets don't have First Amendment rights, end quote. He suggested that rather than devoting attention to censorship,
interesting lines of work might be pursued in authentication and identity management,
in being able to determine that people are in fact whom they represent themselves to be,
and he thought advances that enabled one to readily distinguish robots from natural persons would be welcome.
We'll have more on CyberTech Fairfax in tomorrow's CyberWire.
Finally, to return to ISIS and what can be learned about it online, governments fighting the caliphate have done better at collection than they have at cyber disruption. One such intelligence product that's had consequences for air travel is the ban on carrying laptops aboard flights from specified airports. The origins of that ban are now known, at least according to the New York Times, and the Times is telling a plausible story. Israeli intrusion into networks used by ISIS bomb makers found that the bomb makers were working on fabricating explosives that could pass undetected through airport x-ray machines. The explosives were being crafted to look like laptop batteries.
And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he also hosts the ISC Stormcast podcast.
Johannes, welcome back. We want to touch base today about IPv6 security. So to start off, just by way of a definition, tell us, what exactly is IPv6?
IPv6 is really the next generation of the IP protocol. We currently use predominantly IPv4, or version 4 of the protocol. IPv6, version 6, is the next version. The big substantial change here is that we will end up with a lot more addresses. Currently, IP version 4 has up to 4 billion addresses. And if you think about it, that's less than we have people in the world. So it's not enough to give everybody in the world an IP address, in particular considering that we have all these devices now connected to the internet. With IPv6, for practical purposes, we get an almost infinite amount of IP addresses. So it's really built to grow and scale the internet.
The real problem that I run into when talking about IPv6 security is that a lot of people who use IPv6 are really not aware of the fact that they're using IPv6. A lot of our security infrastructure these days is very centered around IPv4. So a lot of the IPv6 traffic is going unnoticed, in particular on mobile networks. On mobile networks, carriers have a huge incentive to actually implement IPv6 because they can't get any more IPv4 address space. And the carrier-grade NAT that they've implemented costs them around $40 a year per customer. So that's quite a financial incentive to do this. Now, if you use IPv6 without actually realizing that you're using IPv6, then you may contact sites like Google, Facebook and the like via IPv6 and essentially bypass all the security infrastructure that you built up to monitor this traffic.
So how can someone figure out if their mobile devices are actually using IPv6?
That's really not a straightforward question, in the sense that a lot of the time the network configuration screen in these devices doesn't display the IPv6 configuration, only the IPv4 configuration. But the easiest way to do it is go to a website like test-ipv6.com, or go to Google and look up your IP address via Google and see if an IPv6 address is coming back.
Good information as always. Johannes Ullrich, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.