CyberWire Daily - Crimeware kits, ransomware, and source code breaches. The Internet conduces to organic radicalization. Russia in Finland. Snooper's Charter notes. Crypt armistice or just key escrow?
Episode Date: April 27, 2018. In today's podcast we hear that Rubella hits the shelves of the criminal black market—it's the crimeware kit, not the German measles. Necurs gets shifty by going retro. iPhone unlocking specialists endure an apparently minor breach. The sad story of structural extremism on the Internet. Finland says the Russians are coming there, too. Snooper's Charter setback. Proposed bill would make it easier for DHS to clean US Federal networks. Crypto Wars modus vivendi said to be just key escrow. Dr. Charles Clancy from VA Tech Hume Center on the 5G mobile network rollout. Guest is Merike Kaeo from Farsight Security, discussing DNS data as an early warning system for cyber threats.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Rubella hits the shelves of the criminal black market.
It's the crimeware kit, not the German measles.
Necurs gets shifty by going retro.
iPhone unlocking specialists endure an apparently minor breach.
The sad story of structural extremism on the Internet.
Finland says the Russians are coming there, too.
Snooper's Charter setback.
A proposed bill would make it easier for DHS to clean U.S. federal networks.
And the latest crypto wars agreement is said to just be key escrow.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 27th, 2018.
Flashpoint describes a cut-rate criminal kit, Rubella, that offers some point-and-click builder functionality and generates malicious payloads for spam. It's not sophisticated, but skid criminals can rent it for just $40 a month. Rubella, the crimeware, not the German measles, is another symptom of the ongoing commodification of what's being sold in the criminal-to-criminal black market.
The venerable Necurs botnet, whose masters control millions of compromised machines they use to pump out spam, has gotten a little more evasive by going a little retro. Necurs has been emailing archive files that unzip to a file with a .URL extension that opens a page directly in a browser. It's old school, but on the other hand, email scanners that hunt for more complicated new-school infection chains are liable to miss it. It will take a little time for many scanners to readjust, which opens a window of opportunity for the bad guys.
Grayshift, the iPhone unlocking specialists who've sold their GrayKey to law enforcement agencies, has been the victim of code theft. Unknown parties apparently got the source code snippets from a customer site where Grayshift's user interface was briefly exposed to the Internet. The hackers demanded ransom, which Grayshift refused. The company thinks the software that was lost, judging from what the hackers have posted, is just code used to show messages to a user. Thus, it seems unlikely that the underworld will soon be unlocking iPhones left, right, and center. Still, like any data breach, this one is at least mildly upsetting.
A piece about online inspiration in the New York Times concludes that by their nature, social media tend to breed extremism. Quote, attention, praise, and a sense of importance and agency, end quote, are easy to come by online. And who wouldn't want those, especially if you're young, frustrated, and feeling no-count? And worse yet, the algorithmically discerned rate of engagement is self-reinforcing, serving more like-minded messages until the recipients come to believe that what they're reading is good, normal, mainstream, common sense. Even if that common sense has induced them to seriously consider ramming a car into a crowd of people, the driver is convinced our enemies are all that's good, normal, and mainstream.
It seems a pity that the old U.S. State Department Think Again, Turn Away campaign was widely derided as ineffectual before its abandonment. Think Again and Turn Away seems exactly what one would hope for, but the good, normal, mainstream common sense on the Internet said that whole slogan was nothing more than just tired, warmed-over Just Say No. That's what we read, anywho.
We might add to the observations in the Times the strange disinhibition that grips people when they get behind a keyboard. That disinhibition is on display right now, as the arrest of the alleged Golden State Killer after decades of futile investigation shows. One is happy indeed that police in California finally collared a man who is alleged to have been an unusually vicious serial killer with crimes going back to the 1970s. What's beyond unfortunate is the trope of amateur detectives who are hounding the accused man's family with preposterous accusations of complicity. This is so much easier online than it would be in person, but increasingly the ground separating cyberspace and physical space looks depressingly like a slippery slope. All we can advise is, think again, turn away.
Finland has joined the ranks of countries who've found state-directed cyber activity targeting their industrial and energy infrastructure. In its report for 2017, the SUPO, Finland's Security Intelligence Service, details widespread and ongoing attempts to infiltrate networks. Intellectual property is among the more sought-after targets. The energy sector and its associated research and development activities are of particular interest to foreign intelligence services. Traditional espionage involving recruitment of Finns to deliver information also continues, and, as the SUPO says, especially Russian intelligence organizations are active in Finland.
The UK's Snooper's Charter suffered a setback at week's end, as the High Court directed that the law be revised to require prior independent review before it can access retained metadata. The Home Office has its take on the decision. They are pleased to note that the Court has upheld the fundamental tenets of the law, and they'll be happy to make the minor adjustments the bench has asked for. The plaintiffs who challenged the law are also pleased. They see the decision as a significant blow to the surveillance state, albeit a far from lethal blow.
The Federal Network Protection Act, S.2743, would fast-track the U.S. Department of Homeland Security's ability to pull compromised software and systems from federal networks. This would enable DHS to rapidly exclude problematic products from government use without going through protracted interagency review. The bill is currently before the Senate.
We've seen a number of recent attempts to come up with an approach to encryption that balances legitimate security and law enforcement interests with fundamental rights to privacy. Experts who've reviewed Ray Ozzie's proposed modus vivendi in the crypto wars tend to conclude that it's a form of key escrow. Some compare it to the late Clipper chip, late and largely unlamented. Ozzie's approach seems to have left the pro-encryption side of the crypto wars cold. They see it as just another species in the genus of weakened encryption.
And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. I wanted to get kind of a reality check from you when it comes to the 5G rollout. I think we're starting to see some of the marketing messages ramp up, but what's your perspective on when we might actually start seeing things affect us in the real world?
I think it'll be a few more years before we really start to see 5G at scale. A lot of the marketing right now is around spectrum. So the FCC has identified here in the U.S. a few different bands that could be used uniquely for 5G. But honestly, the standards aren't even finished yet, much less implemented and developed. The standards basically fall into two components. There's the radio access network, which is known as New Radio or NR. And the standards for that are mostly done, I would say, at this point. The first thing we will see is a 5G cell tower talking to a 4G core network. And that will give you faster data rates, but it won't let you take advantage of all the new features that are part of the 5G core. The 5G core is going to have all kinds of exciting new capabilities specifically designed to support Internet of Things and other IoT use cases. So things like network slicing, which allows you to create virtualized layers of the core network specifically for different classes of IoT devices. Really exciting new capability. It takes software-defined networking and network function virtualization to a whole new level in the cell phone network. But those standards are still at the early stages right now and probably still another couple of years before they're finished, much less implemented and developed and rolled out.
And so what kinds of security elements are we going to see baked into 5G?
Well, the 5G radio access network has very similar security properties, I'd say, to the 4G network. There are some interesting things that are being done to try and improve some of the vulnerabilities in 4G. One example would be the IMSI catchers that are able to act as a fake base station and cause your phone to provide the unique identifier off your SIM card. Actually, just last week, there was a set of changes to the 5G standard that were approved that will now encrypt that identity before it is sent to the network, which will prevent those IMSI catchers from being able to be effective against 5G phones.
Are those what are popularly known as StingRays? Is that what we're talking about?
Exactly. Yeah, that's the brand name that's associated with it most frequently. But it's basically sometimes called a base station emulator, but it is essentially a device that acts like a cell phone base station and engages your phone in a conversation in order to get your phone to reveal its identity.
Now, will we still have the issue of sort of the backwards compatibility issue of forcing a device to be able to fall back to some of the older standards?
Of course, yeah. So 2G, 3G, and 4G would all still be vulnerable. So 5G is at a great inflection point right now to begin to solve some of the problems that we've been wanting to solve for a while in telecommunications and cybersecurity. But of course, because of the backward compatibility, it will be many more years before those older technologies are fully phased out and we have the full benefit of these new security features.
All right, Dr. Charles Clancy, thanks for joining us.
My pleasure.
My guest today is Merike Kaeo. She's Chief Technical Officer at Farsight Security, a company that offers passive DNS cybersecurity solutions. Previously in her career, she led the first security initiative at Cisco Systems in the mid-90s and authored the first Cisco book on security.
My background is that I have an electrical engineering degree, and my first job was starting out designing and deploying campus backbone networks. So the first month on the job was the infamous Morris worm that is historically known as the first Internet worm. And I would say that started my foray into security, because I became very involved, as we were designing our backbone, to look at authentication, integrity, and auditing functions, the basics of security. And some of the listeners may laugh, but we were changing out software by actually changing out the EPROMs. So actual chips were how we did software upgrades when there were issues found, bugs found, that now some of them might be classified as security issues. So as my career progressed and the Internet grew to billions of devices and millions of users, the criminal and malicious activity also increased. And so I find myself now at Farsight Security, since everyone in the company also has a passion for making the Internet a more trusted and secure and stable means of communicating and also creating business transactions.
Now, one of the things we want to discuss today was using DNS data as an early warning system for cyber threats. Can we start off, can you describe for us where do we find ourselves in terms of how DNS data is used and what are the implications of that?
Domain names are the basic functions of anything that you are doing on the Internet. Humans think in names and machines think in numbers. Every device on the Internet is identified by a name and a number. The number is referred to as an IP address, and the name is typically the fully qualified domain name. So what the DNS does, it associates various information with domain names assigned to a particular entity, and very often you're doing a mapping between the domain name and an IP address. One item that is extremely important for many to understand, and who may not be so familiar with the domain name system, is that the criminals really have started utilizing the domain name system as a fundamental building block to many of their scams. There are things called domain generating algorithms, where it's a capability to generate hundreds of domain names a second. And they're designed for resiliency, so that if a domain name gets discovered to be used for malicious use, they just move to other domain names. And so this is a way that the malicious underground is able to register and retain control of several botnets that can be used for malicious campaigns.
And so in terms of being an early warning system, how does that come into play?
There are malicious actors who try to impersonate your specific domain name or email address. So with the real-time information, you can determine whether or not somebody is trying to impersonate your site and whether or not you're sending your information, like your banking credentials, username and passwords, to a fake banking site where then the criminal underground can use it to sell your information. There are numerous breaches of domain registrars where domain names have been impersonated. And so this often happens to luxury brands to create websites for various fraud scams, or to any sites where the malicious activity requires a user to believe that a site they are going to is valid. So these scams used to get usernames, passwords, and other personal information.
is also that everybody should be paying attention to how are criminals flying under the radar, utilizing internationalized domain names, for example, as lookalike domains to try and create email and phishing scams. And also how can you detect IPv6-related spam and phishing campaigns. So I think everybody has a part in the ecosystem.
I'm curious, you know, from your own point of view, coming up in this industry, do you have any words of wisdom or advice for those who are looking for a career in security?
I do. My advice would be never stop learning and never stop asking questions. I think security has, it's very complex because there's so many details that are involved. And I think that the more you understand, the more you ask questions, why is this? And even challenging some of the old ideas, because we need new input. We need new ways of thinking. The old ways of thinking of security are clearly not good enough. So I would challenge everybody to just look at, you know, how are things done? How can we make things more secure? How are you identifying somebody? What information are you logging and auditing? How do you preserve integrity of information, knowing that nobody has modified anything in transit? So it's a very, very large field. And I just encourage people to look into their passions and never stop asking why and offering solutions.
That's Merike Kaeo from Farsight Security.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.