CyberWire Daily - Daily: A look back at Vegas. Rio's rogue Wi-Fi. Cyberwar & actual war.
Episode Date: August 9, 2016
In today's podcast we look at an APT group that's been active since 2011. We hear about the QuadRooter Android vulnerability. We take a look back at Black Hat, and look for some sensible perspective on cyber risk. We also read some discussion of the differences between espionage, crime, and warfare. The US Marshals will auction Silk Road's forfeited Bitcoin later this month. Dr. Charles Clancy from Virginia Tech's Hume Center tells us what to expect from 5G cellular technology. And yes, there's more Pokémon-themed malware in the Play Store.
Transcript
You're listening to the CyberWire Network, powered by N2K.
...stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Strider, or is it Sauron, seems to have taken a leaf from the Flamer APT playbook.
Quadrooter sounds bad, but there are still no reports of exploitation in the wild.
Carbanak Group may have hit Oracle
point-of-sale systems. Rio Olympics
seeing rogue Wi-Fi hotspots.
Acts of war in cyberspace are
just cyber espionage and cybercrime.
U.S. Marshals to auction Bitcoin
seized from Silk Road. And more
Pokemon malware is found in the Google
Play Store.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 9th, 2016.
It's evidently Lord of the Rings week in the APT world,
or at least was when the coders were writing back in 2011, or thereabouts.
Symantec and Kaspersky independently warn of a new threat group they're calling either Strider, that's Symantec,
or Project Sauron, as Kaspersky calls them.
It appears to be engaged in a highly targeted campaign
against organizations in Europe, Asia, and Africa,
with Belgium, China, Iran, Russia, Rwanda, and Sweden
particularly mentioned as geographical areas of interest.
The Strider-Sauron project group is thought to be state-sponsored,
but so far there's no attribution to any specific government.
Kaspersky says the APT has operated against government agencies, telecommunications firms,
financial organizations, military, and research centers since 2011.
The group seems particularly interested in encryption software.
Symantec reports that Strider uses REMSEC malware to establish backdoors.
They also say that features of its approach are reminiscent of that taken by the Flamer group,
discovered and disclosed in 2012.
Flamer was itself linked to Stuxnet, at least insofar as they shared some of the same source code.
Kaspersky agrees that there are some similarities between Project Sauron and Flamer,
but isn't entirely convinced they're the work of the same group, whoever that group might be.
This week's other risk with a fancy name is QuadRooter,
a firmware vulnerability Check Point discovered in the Qualcomm chipsets powering Android devices.
QuadRooter is worrisome since in principle it exposes Android devices to privilege escalation exploits that could give an attacker root access to the device.
But matters may not be as bad as initially reported.
There are so far no clear signs that QuadRooter is being exploited in the wild.
And the widely quoted figure of 900 million vulnerable devices is
almost certainly greatly overstated. Qualcomm has been pushing updates to manufacturers since April
that in all likelihood have fixed the problem in many devices. A general patch is expected next
month. In the meantime, if you're curious about your own device, Check Point has an online test
you can run to determine whether it's vulnerable. As we consider the mobile world, it's worth reflecting on where,
considering risk and security, 5G cellular service will take us.
We spoke with Dr. Charles Clancy from our partners at Virginia Tech's Hume Center,
and we'll hear from them after the break.
The Olympics so far seem to have been affected by crime,
notably the rogue Wi-Fi hotspots SkyCure and others have
been warning about, and a bit of hacktivism, directed mostly at Brazilian government websites.
If you're in Rio, you should take the sorts of precautions you would have taken last week at
Black Hat or DEF CON. Both The Guardian and eWeek look back at last week's conferences in Las Vegas
and conclude that things aren't as one might wish in security.
While the Guardian's indelicate characterization of the situation is no doubt overstated for effect,
still a lot of enterprises seem not to be learning what eWeek calls Security 101 lessons.
That well-known commodity attacks continue to succeed is of course as familiar as it is lamentable.
There are a lot of reasons for that. Enterprises have a lot to do, their resources aren't unlimited,
and for small and medium-sized businesses, as well as for private individuals,
it's easy to fall into a kind of learned helplessness in which whistling past the graveyard and hoping nothing happens
becomes a default security posture.
It might be worth quoting some perspective we received
from Entrepid's chief scientist, Lance Cottrell, last week.
He notes that many of the things people worry about are Hollywood hacks.
Reflecting on his participation in panels on Internet of Things security, he said, quote,
We tend to look for the extreme movie plot threat scenarios.
What if they hacked your car and drove you off a cliff?
And how likely is it that someone would go after you in such a Rube Goldberg fashion?
If they were rationally evil and not in it for the Baroque Blofeldian lulz, wouldn't they just
hire a hitman? Cottrell suggests that it's useful to think about what he called the attacker's
mind space. Quote, what are their goals? They want to generate money. Why is ransomware suddenly a
thing? Because it's hugely lucrative. Why DDoS? Because it works and can be easily monetized.
And he noted, some once-common attacks are fading because of black market forces.
There are fewer attempts to steal credit cards in part because stolen paycard numbers
have now become so commoditized that it's hard to make money from them.
So develop a realistic understanding of what you have that might be of value to an attacker,
and then manage your risk accordingly.
Not every attack is out of Skyfall.
Whenever an enterprise is breached, Cottrell noted,
the first press release talks about how extremely sophisticated the attackers were.
Of course it would.
Quote,
You don't want to say some script kiddie used a well-known exploit against our unpatched browser from two years ago to own us,
but that's actually what happened most of the time, end quote.
As the U.S. considers enhancing the status of U.S. Cyber Command,
observers suggest that the world collectively, and its security and defense sectors especially,
need to devote some thought to reaching clarity about conflict in cyberspace
and how it relates to actual lethal kinetic warfare.
ThreatPost is running a long, thoughtful op-ed on the topic in which important distinctions
are drawn.
In particular, it's worth remembering that espionage and propaganda aren't, generally
speaking, acts of war, and that it's a stretch to call the tools used to accomplish them
in cyberspace weapons.
Nor is crime, or even organized crime, generally warfare.
We'll add two more metaphors to the discussion, both of which derive from American history but have broader applicability.
For all the talk about a cyber Pearl Harbor, we would also do well to recall the difficulty of attribution,
and worry also about a cyber Tonkin Gulf incident, lest nations perceive acts of war where none exist.
A Russian organized crime mob, thought to be the same outfit behind the Carbanak APT,
has compromised Oracle's MICROS point-of-sale system.
Oracle has advised affected customers to reset passwords.
Other remediation is underway.
Brian Krebs reports that security researchers told him, on background,
that they observed a MICROS customer support portal
communicating with a Carbanak server.
How the gang got access to the system is for now unknown,
at least publicly.
In law enforcement news, Ireland's Garda upgrades its defenses
after the cyber attack it recently sustained,
Australia sets up a cyber unit to track terrorist funding,
and the U.S. prepares to auction off Bitcoin seized
from Silk Road. That's some 2,719 Bitcoin, and you don't have to be Satoshi Nakamoto to know
that's worth a bit of change, around $1.6 million, just to ballpark it for you. The auction will be
held August 22nd. If you're interested, you'll have to register by August 18th.
Finally, there are still more Pokemon Go issues.
More malicious Pokemon apps have been found in the Google Play Store.
A number of them are serving up the DroidJack RAT.
And trust us, that's no Blastoise.
Be careful out there.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And joining me once again is Dr. Charles Clancy. He's the Director of the Hume Center for National
Security and Technology at Virginia Tech. Dr. Clancy, we all use our mobile devices and we're dependent on the data that those devices use.
The next thing coming down the pike is 5G cellular technology.
What are we talking about when we're talking about 5G?
So 5G is a number of different technologies that are being aggregated together
that are building on top of the current 4G LTE standards
that we all use currently in our smartphones.
Some of the key features of 5G are a new spectrum.
So there's a lot of spectrum that is available that's currently in use,
typically by the U.S. military, but not widely used here in the United States.
And the White House has asked the U.S. military to look at how it might share those bands
with commercial cellular service.
And then we also have the millimeter wave spectrum up at much higher frequencies that also has some interesting properties
but could enable extremely high data rate communications.
So a new spectrum is one key part of 5G.
In addition to this notion of cognitive management and software-defined networking and the ability to almost treat your cellular network as an elastic resource
for communication from a wireless device into the cloud.
And so what are some of the specific security challenges with 5G?
Well, there's a number that we're looking at right now in the area of new spectrum bands.
So the first band really that's being looked at is the 3.5 gigahertz band,
which here in the United States is used by the U.S. Navy.
And in that band is a Navy radar that's used for air traffic control purposes.
So for the last year, I've been chairing a standards committee within the Wireless Innovation Forum that's been looking at how we can share that band
between the U.S. Navy and the cellular commercial ecosystem in such a way that the privacy of
the Navy operations is not inadvertently revealed to the public as a part of that interaction.
So there's some new standards that have actually just been published by the Wireless Innovation
Forum that define the operational security and privacy protections that this ecosystem
will have.
That's one particular aspect that I think is really interesting.
The second is in the area of millimeter wave,
where you have very high data rate and very high frequency signals.
And the technology that's being employed there, I think,
provides a unique opportunity from a security perspective.
Many of these signals are such high frequency that they generally don't penetrate walls.
So unless you're in the same room as the access point, you may not be able to receive a signal from it,
which is obviously good from a security perspective in terms of limiting potential exposure.
Also, technology being used, massive MIMO, where you've got many antennas,
and these antennas are all transmitting signals that cohere at your specific physical location,
also prevents someone that's in a different physical location from being able to intercept or receive your signal.
So I think that's a unique opportunity that will help improve security with 5G cellular.
Is there any sense for what kind of timeline we're on when we may be seeing 5G in our personal devices?
Well, as with all of the different cellular standards,
it's kind of an incremental process.
So I think that we're going to see some of the frequency bands
becoming incrementally available over the next two to three years.
Technologies like millimeter wave are still in the R&D stages.
There have been demonstrations that they will work and will work at scale,
but so far they're nowhere near ready for commercial product development.
All right, Dr. Charles Clancy, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.