CyberWire Daily - Daily: A look at markets, legitimate and criminal. ICS proof-of-concept exploit.
Episode Date: June 2, 2016In today's podcast we hear about online censorship in China, and an espionage campaign directed against Taiwan. RiskIQ finds that many large companies are riding for the same fall Mossac Fonseca took... with the Panama Papers. We talk to Trustwave about that alleged Windows zero-day being sold by cyber criminals, and we hear about some smaller potatoes in the ransomware market. Industry news highlights US Federal contract wins and recent M&A activity. The University of Maryland's Jonathan Katz highlight some new research in random number generation. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete, Beijing. Old versions of WordPress and Drupal
may be setting some big companies up for a big fail.
More on that alleged Microsoft Zero Day.
The security industry sees some big contracts
and a bit of M&A activity.
And a look at the criminal market
finds some shaky product being pushed towards some dumb money.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 2, 2016.
Some apparently state-directed activity out of China this week.
Tumblr seems to be inaccessible in China, at least for now, as Saturday's anniversary
of the Tiananmen Square massacre approaches.
China, of course, doesn't publish detailed information about such restrictions, still less their rationales, but the monitoring group GreatFire.org
thinks the outage looks like an attempt to interdict social media during the anniversary.
Online censorship in China, generally called the Great Firewall, may serve the government's
interests in social control, but Chinese scientists increasingly complain that the policy is biting back at the country's drive toward greater capacity for rapid innovation.
FireEye reports that Taiwan's ruling Democratic Progressive Party has been receiving the
attentions of a cyber espionage group that's redirecting traffic to sites hosting malicious
code. The apparent goal of the campaign is to profile visitors to the DPP's sites in an effort
to gain insight into the party's policies with respect to Taiwan independence. As usual, there's
no attribution in the case, but signs do point towards Beijing. FireEye has reported finding
some industrial control system malware that's being called IronGate. Some are calling it son
of Stuxnet because,
like Stuxnet, it too targets Siemens Programmable Logic Controllers, or PLCs, but that's probably
misleading. IronGate has been found in Siemens PLC simulation environments, not operational ones,
where it executes a man-in-the-middle attack on some custom PLC SIM code. IronGate looks like a proof-of-concept exploit used by security testers.
As Dark Reading points out, the malware has been around since 2012, but only began to
come to light, and that gradually, late last year.
It's a sign of some of the ways penetration testers are attending to industrial control
systems.
No one seems to know who's behind IronGate, and security experts remind
everyone that this should serve as yet another wake-up call for SCADA risk awareness.
WordPress and Drupal bugs are being called the vulnerabilities that could enable the next
Panama Papers-sized leak. The bugs are in. Researchers at RiskIQ scanned companies on
the old FT30 index to see what software large companies are using to
establish their web presence. What they found was disturbing. Just over a thousand sites were using
either WordPress or Drupal. Of the 773 cases where they could identify the specific versions of the
content management system in use, 307 were using old versions susceptible to exploitation through
known vulnerabilities.
RiskIQ primly notes that Masek Fonseco, the law firm at the heart of the Panama Papers leak,
was using outdated versions of Drupal and WordPress.
The alleged zero-day Russian cyber-mobsters are selling on the black market is still looking like a legitimate threat.
Bidding starts at $95,000, not that you'd be interested in this particular auction,
except of course conceptually. Researchers at Trustwave's Spider Labs have been looking into
the case, and we caught up with Trustwave's Ziv Mador for their take on what's going on here.
Zero-dane windows of this magnitude is quite rare. There are some strong indications in this post
that make us believe that most likely it is legit.
The cybercriminal offers to use the services of an escrow.
And the escrow he suggests to use is the admin form, which most likely is a well-respected cybercriminal in their community.
And the second one is the fact that he released two videos to demonstrate how it works.
Again, the videos don't show the fine details and that he did it in purpose because he doesn't want to reveal them.
But when we looked at the videos, it looks like they were taken in one shot.
So it doesn't seem like they were manipulated.
It doesn't seem like they were manipulated.
And he first shows how he has all the most recent patches, the patch Tuesday from May,
installed on the local Windows 10 computer.
And right after, he shows how the exploit works. And so combining all that, that's a strong indication that probably the seller has a working exploit.
This particular exploit is not only chilling because of how many systems it could potentially infect,
but also due to what it's capable of once it's in.
The exploit belongs to what's called local privilege escalation class,
which basically allows an attacker to get out of the boundaries of a limited user account
and get full admin access to the computer. The seller claims that because the LPE,
local privilege escalation exploit works, it allows an attacker that would use it to upgrade
the access to that computer and get full admin access to that computer. Not only that, he also
claims that
by using that exploit, they will be able to modify the kernel. The opportunities here for
cybercriminals are very almost unlimited. They can, after using that upgrade of their privileges,
they can install malware persistently, they can change system settings, they can disable
security products on the computer,
get better access to the network, change things in the kernel, such as installing a rootkit, etc.
That's Ziv Mador. He's vice president of security research at Trustwave.
In industry news, there's some acquisition activity.
IBM is buying the application discovery shop EZSource. ServiceNow expands its security capability with the acquisition of BrightPoint, best known for its Sentinel security
intelligence platform, and SolarWinds buys LogicNow as a managed service provider play.
Infoblox has retained Morgan Stanley in what's seen as a defensive move against activist investors
that's likely to delay any acquisition.
Toma Bravo made a run at Infoblox last month.
In the U.S., the White House-led push to shake up and clean out federal cybersecurity
is expected to yield significant opportunities for contractors.
Some large defense contract awards are already doing so.
U.S. Special Operations Command has awarded Palantir
an intelligence software contract for $221 million, and both SAIC and Parsons have received
prime positions in a multiple-award, indefinite-delivery, indefinite-quantity contract
the General Services Administration has let to support U.S. Cyber Command.
This IDIQ is a five-year, multi-billion dollar vehicle.
Finally, Forcepoint takes its own look into the dark web
and finds that Jigsaw, a ransomware variant
that attacks Windows systems, is also for sale.
The malware's authors are selling its source code for $139.
That low, low price doesn't appear to be a special,
nor are there any signs that the boss is on vacation and the boys have gone crazy.
It's worth noting that the sellers think they'll find enough buyers to make it worth their while.
Jigsaw typically demands a ransom of $150 from its victims.
Forcepoint draws the lesson that there's poor product and dumb money in the black market, too.
As Forcepoint puts it, quote,
A mediocre and greedy techie
writes a second-rate piece of malware
that's designed to scare people
into parting with their money.
He or she sells it
to a group of customers
who are not that tech-savvy,
but are equally greedy
and devoid of any morals.
Hardly a happy story.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just
a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And I'm joined once again by Jonathan Katz.
He's a professor of computer science at the University of Maryland.
Jonathan, I know with cryptography, random numbers are very important, of course.
And there are several different methods of generating random numbers.
Yeah, that's right.
And it's important to distinguish here between maybe two different kinds of randomness.
So the best kind of randomness, the most pure randomness, if you will,
is when you have a string of bits that's completely uniform.
So this means that each bit is equally likely to be 0 or 1,
and every bit is independent of every other bit.
And then we've talked about this before, that if you have, say, an n-bit string, an n-bit key
that's completely uniform, then each of the two to the n possibilities is equally likely.
Now, a little bit less good than that is something called unpredictable. And what you have there is
a string of bits where each bit is not necessarily uniform,
and there may be some small correlation between the bits.
But nevertheless, it's infeasible for an attacker to predict the exact bit sequence that you're using.
And so in general, for cryptography, we'd prefer to have uniform sources of randomness,
although a lot of times in practice we can get away with unpredictable randomness as long as it's truly infeasible for the attacker to guess what those random values are.
And we've seen word from the University of Texas at Austin that some of their computer scientists are saying that they've developed a new method for producing truly random numbers.
And they're saying this is a breakthrough.
What can you tell us about that?
This is truly excellent theoretical work. What they've done basically is to take two independent and unpredictable random sources and combine them together in such a way as to produce a uniform source of randomness.
So basically what this means is that you can take potentially two different mechanisms for generating random numbers, neither of which is perfect, but then somehow combine them and derive from them a pure source of randomness.
And so what will be some of the practical applications of that?
Well, it's unclear how much of an impact this is going to have in practice.
It's right now in the early stages.
It's not immediately clear, actually, whether this is going to be needed for cryptographic purposes.
But it does show us the way forward for potentially combining multiple different sources
of randomness together and deriving from them
a perfect random source that can then be used
for cryptographic key generation
or during public key encryption
or other things that you need randomness for
in crypto systems.
All right, Jonathan Katz, thanks again for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you. a product's platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.