CyberWire Daily - Daily: Australia confirms foreign intelligence service hacked Bureau of Meteorology. TV5Monde and its false-flag hack. Trojan hitting SWIFT. Patch Tuesday notes. US-Russian cyber showdown.
Episode Date: October 12, 2016
In today's podcast we take a quick look back at Patch Tuesday. Amazon gets solid reviews for a password reset campaign. A new Trojan is caught manipulating SWIFT fund transfer logs. IoT botnets worry e-commerce sites, and the EU's proposed stickers seem unlikely to allay those concerns. Australia confirms a foreign intelligence service hacked its Bureau of Meteorology, but it won't say which foreign service that was. TV5Monde offers details on its experience with a false-flag hack. Jonathan Katz from the University of Maryland describes obfuscation techniques he saw at a recent crypto conference. Quortum's Joey Alonzo provides tips on mobile device security. And, says the US to Russia, ready or not, here we come. (Maybe.)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A quick look back at Patch Tuesday.
Amazon gets solid reviews for a password reset campaign.
A new Trojan is caught manipulating Swift fund transfer
logs, IoT botnets worry e-commerce sites, and the EU's proposed stickers seem unlikely
to allay those concerns.
Australia confirms a foreign intelligence service hacked its Bureau of Meteorology,
but it won't say which foreign service that was.
And, says the US to Russia, ready or not, here we come.
Maybe.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 12, 2016.
Yesterday, of course, was Patch Tuesday, but with a difference.
As announced, Microsoft has moved away from its pick-and-choose patching regime and toward a new take-it-or-leave-it approach.
This month's Hobson's Choice addressed five zero days in Internet Explorer, Edge, Windows, and Office.
Adobe issued 81 fixes to Acrobat, Reader, and Flash.
Several of the vulnerabilities closed could afford attackers remote code execution in affected machines.
Oracle is expected to revamp its own patching practices in the near future as well.
Amazon is asking its retail customers to reset their passwords.
The requests are targeting those consumers whom Amazon has reason to believe may be using
compromised passwords.
The company has identified possible password reuse from its inspection of recent
big credential breaches. The response to Amazon's move from the security industry has been, as far
as we can tell, overwhelmingly positive. They see the reset campaign as a positive, proactive step
from a company that hadn't itself sustained a breach. Here's a sampling of what people are
telling the Cyber Wire. StealthBits' Brad Bussie
offered enthusiastic approval bordering on rapture. Praise Amazon, Bussie said. This act is exactly
what organizations need to do to look out for their customers. John Gunn of Vasco Data Security
calls it an incredibly smart move. It essentially says that even if your other online providers
won't protect you, we will. He sees it as Amazon showing their innovative mindset and customer-first business philosophy.
Péter Gyöngyösi, product manager of Blindspotter at Balabit, said,
What's interesting in Amazon's action is that it's probably one of the first cases
when a large online company takes a proactive measure in resetting passwords.
He sees this as being a bit risky, insofar as Amazon's
letter confirmed that passwords had been reused. He also thinks it's another wake-up call to move
toward personal password managers, multi-factor authentication, and behavioral analytics.
Vasco's Gunn agrees on the shortcomings of the password, which he characterized as a
30-year-old technology with increasingly obvious limitations.
Kunal Anand, co-founder and CTO of Prevoty,
calls Amazon's scanning for compromised passwords, and its notification to affected customers, a win-win.
The Swift funds transfer system is again under attack,
this time by either Carbanak's masters or someone very much like them.
A Trojan, Odinaff, has been observed manipulating Swift logs.
IoT botnets continue their service-disrupting probes of various networks.
E-commerce sites are held to be especially vulnerable
since their business depends upon high availability.
The EU's announced plans to certify the cyber safety of IoT devices
is derided by Naked Security as an attempt to fix the problem
by affixing stickers to connected stuff,
which for now seems unkind but fair enough.
Further fairness would note that this probably represents
little regulatory steps for little regulatory feet
and that the policymakers will have to toddle a bit before they can run.
With more and more business being done these days on mobile devices,
and many businesses opting for bring-your-own-device policies,
how do you ensure your proprietary information isn't being compromised on devices you may not control or own?
Joey Alonzo is president of Quartum, an insider threat and risk management company,
and he has some advice
drawn from his own experience. I recently left a large third defense contractor on good terms
and noticed a month or so later when I went through my download file and my picture files
on my phone that I still had sensitive type information that I used my phone for reviewing,
probably while I was at meetings,
or maybe when I was in my car or riding on the train. I think about my own iPhone, and if I
back it up to my desktop computer, you know, if I had a bunch of files on there from work, those
files would get backed up to my desktop computer. And now we've sort of extended the attack surface
where now my desktop computer is a target or could be a target as well.
Yes?
Absolutely.
So what you've now done is you've put your company's data at additional risk by being placed onto your home computer that you may insert a flash drive.
Your 12-year-old hops on there, grabs something, heads over to a friend's house, different types of malware that are able to be accessed on your computer, all the data, all the information. And you probably
at home do not have the same type of network security requirements or software or a team of
20 to 25 people protecting your home computer system. What happens when your kids hook up their iPhones to it and back up?
So think about the information that goes back onto their phones and when they go.
Perhaps you're not the person who hooks up the public Wi-Fi, but guess what?
Your kids probably are if they're stopping at Starbucks or Panera or even a local McDonald's
has public Wi-Fi.
If I'm a company and I'm allowing my employees or encouraging my employees to use their own devices for all the good reasons that people want to do that, what are the things that you recommend?
What we recommend first is to develop a policy and practices and procedures that follow what you think are the threats to your company's mobile device.
We can all tell employees at a meeting, hey, be careful with this, be careful with that.
But if you actually put it out in a policy, if you base it on the legal requirements,
if you base it on your kind of attitude as a leader within a company, if you're kind of laid back,
if you're pretty strict, if you're kind of that hardcore guy or girl who wants things your way and that's the only way, there's something
wrong with that. Just make sure that you convey that to your employees. Make sure that they're
briefed on what you expect for them or from them in order to use their phones. Provide those
policies. People are going to follow those. You're going to have that 95% of people that understand. They're going to let you know. Make sure they understand what to do
when their phone is lost. Make sure they understand what to do if they notice something
odd going on on their phone, if they get unique requests, if they're on a public Wi-Fi,
whether it's a company phone or an employee-owned phone, you as the company owner
need to be aware of what's going on with every device that is handling your company's information.
That's Joey Alonzo from Quartum.
Australian official sources confirm what's long been generally believed. Malware found in the
Bureau of Meteorology was installed in December
2015 by an unnamed foreign intelligence service. That nameless service, which widespread media
speculation at the time of the incident's discovery held to be the Chinese PLA, seems to have been
interested in pivoting from the Bureau to establish persistence in other government networks.
The Bureau of Meteorology also deploys high-performance computers,
themselves sufficiently powerful to be of probable interest to an intelligence service.
In another long-running espionage story, France's TV5 Monde talks about its March 2016 hack.
Those responsible are believed to have been working for Russian intelligence services.
They flew what's now regarded as the false flag of the cyber caliphate.
Foreign Policy recounts the difficult-to-follow spoor of the possible Russian information operation
padding around Clinton consigliere Sidney Blumenthal, WikiLeaks, and presidential candidate Donald Trump.
The publication sees it as a sort of house of mirrors bound to splinter the truth
in a Blumenthalism found in the leaked emails
into a variety of conspiracy theories useful in influence operations.
An op-ed in the Christian Science Monitor's Passcode
thinks there's room for doubt concerning Russian responsibility for the Democratic National Committee hack
and that the U.S. intelligence community might consider raising public confidence in the
attribution by revealing more of its evidence.
The intelligence community's statement, short as it may be on specific evidence, is not
at all coy in its attribution.
Look to companies including CrowdStrike, FireEye, and Fidelis for what's publicly known.
The Russians did it, says the IC, and the operation was authorized at the highest
levels of the Russian government. The Moscow Times seems convinced, and in a minority view,
also sees the episode as putting Russian President Putin in a bit of a diplomatic pickle.
U.S. President Obama has said there will be retaliation, and he won't tell the Russians in advance what that retaliation will look like.
A raised-eyebrow op-ed in Lawfare suggests the president's also not going to tell Congress.
Joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center.
Jonathan, you recently attended a conference.
Tell us about that.
So in August, I attended the annual crypto conference out in Santa Barbara, California.
That conference is basically the premier conference for academic cryptography in the United States.
And what are some of the things there that caught your eye?
Well, there were lots of papers, of course.
But one of the things that seemed most interesting were there were several papers focusing on obfuscation.
Obfuscation is a relatively
new idea that's popped up in the cryptographic community. Of course, it's been around for
decades overall. But basically, people have developed over the last couple of years a way
to provably obfuscate software, namely changing it in such a way that even somebody looking at
the source code can't figure out anything about how the program actually works.
And so are there any downsides to using obfuscation?
Well, so it's still in its infancy, I would say, from a cryptographic standpoint.
It sounds great and it sounds like it would have lots of applications.
But for one thing, the current schemes are horrendously inefficient.
And basically, it would take several hours not only to run one of
these obfuscated programs, but even to compile it and generate an obfuscated program. The other big
issue that we're seeing is that the security assumptions that people are using to prove that
the obfuscation is indeed secure are relatively new and they're not very well understood. So,
there's been a sequence of papers over the last several months proposing attacks on obfuscation schemes and then coming up with corresponding fixes against those attacks.
So it's still very much in flux, and it'll be interesting to see how it develops over the next
few months. And what are some of the real-world situations where you would want to use obfuscation?
There are several, actually. I mean, one of them is that companies are very concerned about
protecting intellectual property. So if a company, for example, develops a new algorithm or a new
tool for doing something, they would like to be able to release their code and allow people to
use it, but they don't want competitors to be able to look at the code and figure out the details,
you know, the secret sauce, as it were, of what they're doing. Another case where obfuscation
might be important is releasing security patches.
So very often attackers can look at a security patch and from the patch figure out what the vulnerability was in the first place and potentially exploit it. If you obfuscated that patch,
then it might be possible to allow people to update their software and protect themselves
while not revealing to attackers the exact nature of the vulnerability.
All right. Interesting stuff. Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.