CyberWire Daily - Cryptojacking through an AWS S3 bucket. Threats, risk, and unintentional mistakes. Crime and punishment. Industry notes. Alien hackers?
Episode Date: February 27, 2018. In today's podcast, we hear that CoinHive was installed via a misconfigured AWS S3 bucket. Unintentional password collection. Threat and risk trends for 2018. Avalanche phisher king rearrested in Kiev. Huawei says it's being picked on. Apple makes nice with Beijing. Industry notes—controlling interests and an ICS security Series B round. Reality Winner wants her confession suppressed. Hal Martin's packrat defense may have received an unexpected boost. Johannes Ullrich from SANS and the Internet Stormcast podcast, on hacked third-party cables. Guest is Terry Dunlap from ReFirm Labs on firmware vulnerabilities. And could alien signals be alien hacks?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CoinHive was installed via a misconfigured AWS S3 bucket. Unintentional password collection? Threat and risk trends for 2018. Avalanche
phisher king is rearrested in Kiev. Huawei says it's being picked on. Apple makes nice with Beijing.
We've got some industry notes: controlling interests and an ICS security Series B round.
Reality Winner wants her confession suppressed. Hal Martin's pack rat defense may have received
an unexpected boost. And could alien signals be alien hacks?
I'm Dave Bittner with your CyberWire summary for Tuesday, February 27, 2018.
The CoinHive crypto-jacker found last week in the Los Angeles Times has an explanation.
It was apparently introduced by a hacker who
simply exploited an unsecured Amazon Web Services S3 bucket. The hacker obfuscated the CoinHive
code, making it more difficult to detect. Another illicit but more amiable visitor deposited a
helpful note in the bucket for the LA Times administrators to find. It says, quote,
Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong.
Anyone can write to this bucket. Please fix this before a bad guy finds it. End quote.
An editor, perhaps at the Times itself, would amend this to be before another bad guy finds it.
Amazon has been working to help its customers make better security choices.
Users of Amazon Web Services would do well to inspect how their buckets are configured.
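The friendly note above describes the exact misconfiguration to look for: a bucket that anyone can write to. The following audit helper is an added example and is not code from the podcast, the LA Times, or AWS. It reads the JSON documents that the S3 GetBucketAcl and GetBucketPolicy APIs return (the group URIs and document shapes are AWS's real ones) and flags grants or policy statements that let the public write; the sample ACL and policy below are constructed, not captured from any real bucket, and the function names are this example's own.

```python
import fnmatch
import json

# Public grantee groups as they appear in GetBucketAcl output (real AWS group URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# ACL permissions that let the grantee add/delete objects or change the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a principal modify bucket contents or its access settings.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")


def acl_public_write(acl):
    """Findings for ACL grants that give a public group write-class access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _as_list(value):
    # Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Principal "*" or {"AWS": "*"} both mean anonymous access.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_allows_write(action):
    # IAM action names are case-insensitive and may use wildcards ("s3:*", "s3:Put*").
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pattern) for a in WRITE_ACTIONS)


def policy_public_write(policy):
    """Findings for Allow statements that grant write actions to everyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        writes = [a for a in _as_list(stmt.get("Action")) if _action_allows_write(a)]
        if not writes:
            continue
        note = " (conditional; review the Condition block)" if stmt.get("Condition") else ""
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(f"policy statement {sid} allows {', '.join(writes)} to everyone{note}")
    return findings


def audit_bucket(acl, policy=None):
    """Combine ACL and policy findings; an empty list means no public write path was found."""
    return acl_public_write(acl) + (policy_public_write(policy) if policy else [])


# Constructed sample documents (not from any real bucket).
MISCONFIGURED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}
SAFE_ACL = {"Owner": {"ID": "example-owner-id"},
            "Grants": [MISCONFIGURED_ACL["Grants"][0]]}
MISCONFIGURED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Public read of a static site is a separate question; this example does not flag it.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_bucket(MISCONFIGURED_ACL, MISCONFIGURED_POLICY):
        print("FINDING:", finding)
```

In practice the two input documents come from `get_bucket_acl` and `get_bucket_policy` (the policy is returned as a JSON string, which is why `policy_public_write` accepts either form); S3 Block Public Access, where enabled, overrides both, so a clean result here is necessary but not sufficient.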
Princeton University researchers conclude that website analytics services have been
unintentionally collecting passwords. The researchers began by looking at the
AutoTrack data collection service used by the product analytics shop Mixpanel.
AutoTrack is described as a comprehensive user data collection service.
The researchers found that AutoTrack had been collecting password data unintentionally,
even though the service incorporated heuristics designed to prevent just that.
They then determined that other services were also unintentionally harvesting passwords.
CrowdStrike released its 2018 global threat report yesterday.
Among the findings are the rise of supply chain compromise and cryptocurrency-related fraud
as significantly expanded attack vectors.
Another interesting finding is the speed with which successful attackers are able to pivot laterally
from an initial compromise, just under two hours.
Haystax this morning released its 2018 insider threat predictions.
They see ordinary employees eclipsing privileged users as insider risks, and they see behavioral
monitoring becoming the new normal.
An Adobe Flash bug patched earlier this month has resurfaced in malicious Microsoft Word files
as criminals seek to repurpose the exploit against vulnerable systems.
A few quick industry notes.
Huawei continues to protest that it's being singled out unfairly as a security risk by U.S. authorities.
Apple has quietly acceded to Chinese government requests that it grant access to Chinese iCloud accounts.
In happier news, South Korea's SK Telecom has taken a controlling interest in Swiss quantum encryption shop ID Quantique.
And Boston-based CyberX, the critical infrastructure defense shop,
announced today that it's received $18 million in Series B funding from investors led by Norwest Venture Partners.
Ukrainian authorities have again arrested Gennady Kapkanov, said to have been the leader of the Avalanche phishing gang.
Mr. Kapkanov was arrested in Poltava in November of 2016, but was released under shady circumstances and has been on the lam since then.
Police scooped him up in Kiev this Sunday.
When it comes to securing systems, hardware and software are likely top of mind for most people.
But what about firmware?
Terry Dunlap is co-founder and CEO of ReFirm Labs,
where they specialize in IoT security, specifically vetting and validating firmware.
What we've been able to find in a lot of our research when we look at the firmware of IoT devices is insecure coding practices using a lot of strcpy calls that create buffer overflows,
command injection attacks, things of that nature,
that if somebody was actually educated or took the time to thoughtfully program a lot of
the functions that are in these IoT devices, we wouldn't be in the situation that we're in today.
That's the number one problem that we face in IoT. All these problems that we're facing from a coding
level have been eliminated primarily in laptops and servers and things like that. So we're seeing a regression back to the wild, wild west days of the 1990s
when Windows was always so vulnerable.
But we don't see those problems anymore
because they've been pretty much eradicated in today's desktop and server laptop market.
But we see this resurrection of these problems now in IoT for whatever reason.
And so what do you suppose those reasons are?
Is there insufficient market pressure
to have a watchdog on the programming side of things?
I think the pressure is margin pressure
to get this stuff created as quickly as possible
at the cheapest possible rate.
And so a lot of the firmware that we've analyzed
once we talked to manufacturers,
a lot of it isn't even produced in-house by the manufacturers. It's all outsourced overseas to
Southeast Asian original device manufacturers. Is the message getting out? Are manufacturers
starting to realize that this is something they need to pay attention to? I think they're starting
to notice, but I think a lot of them are still of the mindset,
well, it's not going to happen to me. I think when you look at more IoT or IoT devices, like in
critical infrastructure, people are taking more serious look at what's going on. But if you look
at your device manufacturers, like your low-end IP security cameras, your routers, your switches, some of
the toys now, I don't think there's a lot of focus on security there because a lot of those people,
based on what I can tell, are the mindset, you know, okay, so what happens if, you know, my
IoT internet-connected toy gets hacked? So what? Do you think that, I mean, firmware, it seems to
me, is something that it's
easy to overlook. You know, it's deep down in the system. I think people don't often think of it as,
it's not top of mind. No, it's not, because most people are familiar with the term hardware
and software. Not many people know what firmware is, and I would probably bet a large chunk of
CTOs and maybe even CISOs at large corporations
probably have never considered firmware a threat factor.
So it does require some education.
I think people are starting to understand, especially in the C-suite of a lot of these
companies.
Most of us, everyday Joes, don't encounter firmware that often unless we see an update
for maybe our phone, because our phone
runs firmware. So if you have an iPhone or an Android and there's an OS update, that's basically
firmware that's being pushed to your phone. So if we find a firmware that actually has a hard-coded
backdoor in it, and a lot of the backdoors that we've encountered are usually left there quite
by accident by engineers so they can facilitate
and expedite testing. And unfortunately, maybe they're not following a checklist,
but those backdoors are never removed into the final product. So if a manufacturer notices that,
they can push out a firmware update that will completely rewrite the existing firmware and
remove that backdoor. Now, I'll give you an interesting story here.
A few years ago, we were approached by a foreign telecom company
who was interested in having us evaluate the security of one of their Internet gateway devices.
So we took a look at the device, and we said, yes, there's a hard-coded username and password in there,
probably by mistake engineering.
Here's our report.
Talk to the
manufacturer, your vendor, and see if they can get it removed. So some weeks, months go by,
we get the updated version. We look and we say, yes, the backdoor and password has been removed.
However, it has only been removed. It's been moved to a different location in the firmware.
So this is being done maliciously. What the telecom company decided to do after that,
we didn't get any further information.
But this is the type of trickery that goes on under the hood
depending on who you're dealing with.
So it's hard to catch this stuff.
But there are people out there in rare cases like this one I just explained
where it's done maliciously.
That's Terry Dunlap from ReFirm Labs.
Full disclosure, ReFirm Labs and the Cyber Wire are both located in the Data Tribe startup studios.
This interview came through our normal editorial channels.
The trials of two accused NSA leakers have become a bit stickier for the prosecution.
Reality Winner, the Georgia-based former NSA staffer and former contractor who
admitted to FBI agents that she was the source of highly classified documents leaked to The
Intercept, wants her confession to stealing and leaking classified documents suppressed.
She maintains that she was improperly mirandized by the FBI agents who interviewed her.
She also appears to be positioning herself as a whistleblower,
as various whistleblowing advocates point with alarm to the chilling effect her prosecution
will have on future leakers. Which is, of course, from the government's perspective,
a feature and not a bug. In a federal courtroom in Baltimore, the case of former NSA contractor
Hal Martin is in progress. Judge Marvin Garbis, who's presiding over the case,
has some questions about the degree of proof
the prosecution will need to present to get a guilty verdict.
According to Politico and CyberScoop,
the judge has asked whether the government must show
that Mr. Martin knew he had specific classified documents in his possession,
or if he could be prosecuted under the Espionage Act of 1917 without the government
having to offer such proof.
Judge Garbis has asked both prosecution and defense to address this question in briefs.
This is thought to favor the defendant's case.
His lawyers are essentially representing him as an eccentric but fundamentally well-intentioned
pack rat.
The sheer volume of classified material allegedly recovered from his shed
in the Baltimore suburb of Glen Burnie may give the prosecution difficulty.
It was around 50 terabytes.
Who knows what could be in there?
Maybe not even Mr. Martin.
And finally, we offer some thoughts for the UFOlogical community.
Alien experiencers, you can stop worrying about abduction and start worrying about malware.
That's right: where once the greys might have been out to administer an interstellar colonoscopy
to learn whatever can be learned from the terran fundament,
now it seems more probable you'll face an intergalactic Stuxnet.
That's right, we've long thought that actively sending messages to aliens (are you listening, Mr. Musk?)
was a stupendously imprudent thing to do.
But what harm could just listening for them in traditional SETI fashion do?
Well, a lot, according to astrophysicists Michael Hippke and John Learned,
respectively from the Sonneberg Observatory and the University of Hawaii.
How do you know that signal isn't downloading malicious extraterrestrial code?
I mean, come on, it's not like we're Frank Drake listening for Spacefarer's Morse code
on our Heathkit ham radios anymore.
All of this stuff is networked and automated, which, by the way, is the same reason SETI
volunteers are such good candidates for cryptojacking.
Hippke and Learned conclude at the end of their thought experiment that on balance it's worth
the risk.
But here's how they frame that risk in their paper's abstract.
Quote, a complex message from space may require the use of computers to display, analyze,
and understand.
Such a message cannot be decontaminated with certainty, and technical risks remain which
can pose an existential threat.
End quote.
Well, okay, that's right, if it's just an existential risk, then alright.
If you wouldn't take a USB drive you found in the parking lot and plug it into your system,
why in the name of Gort would you process an alien signal on that same system?
You don't know where that's been.
...go searching for the cheapest possible cables online if I need a USB cable or a Lightning cable or whatever kind of cable. But you want to make the point that maybe not all these cables are secure. Yeah, in particular, like if you find a cable and may not even pay for it,
there is actually a lot of complex software and hardware that goes into these cables.
If you're, for example, looking at a modern USB-C or Thunderbolt cable,
those cables have firmware inside the cable that, of course, can easily be replaced.
Now, aside from that, there's also another type of cable that I've come across lately.
It looks like a USB charging cable and functions as such, but it also has a little SIM card built in and has the ability with a microphone to listen in on conversations in the room.
An owner of this cable could then also request the GPS coordinates, even though that's fairly rough.
It just uses the triangulation of the cell phone network.
These cables are sometimes sold as sort of spy devices and, well, actually act quite well. The idea, according to manufacturers,
that you leave a cable like this as a charging cable in your car. And if your car ever gets
stolen, you can use it to essentially find your car. But actually, they work a lot better as an eavesdropping device than as a GPS. And
that, of course, has all kinds of privacy implications. If you have an innocent looking
USB cable in your office, that could be turned into a microphone at any time via a remote phone
call. Yeah, I've also seen available online devices that just look like a standard USB charger,
a little tiny brick, but inside there's a camera and microphone.
Correct.
Now, they're typically not remotely accessible.
The problem with these cables in particular, that all you have to do is you have to send
an SMS message to the phone number associated with the cable, which will then cause the
cable to call you back and allow you to listen in on any conversations in the room.
Wow. Yeah, it's interesting times, right,
when you have to worry about your cables having their own phone number.
Right, and I would say just if you get a cable you don't quite trust,
you maybe find one in the office all of a sudden.
Usually you can wiggle a little bit at the connectors,
and if the connector comes apart and a SIM card pops out,
that's probably a bad sign.
All right.
Good advice as always.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.