CyberWire Daily - Daily: Australia's census clogged. Iran ups its offense? Ransomware and file deletion.
Episode Date: August 10, 2016
In today's podcast we follow developments in nation-state hacking, from Hainan to Tehran. Australia's online census is taken offline; the Bureau of Statistics cries DDoS, but observers aren't so sure. A new strain of ransomware under development in the underworld skips encryption and goes straight for deletion. Issues with Oracle's MICROS point-of-sale systems may be the root cause of recent store and hotel breaches. Google says, thanks Check Point, we appreciate it, but most of QuadRooter has already been mitigated (they're working on the rest of it). Joe Carrigan from Johns Hopkins University warns us about side-loading Android apps, and Leemon Baird from Swirlds describes a new trust-based peer-to-peer software platform. And we note that yesterday was Patch Tuesday.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Spyware in the South China Sea from guess whom?
And Iranian exiles and dissidents get spear-phished by guess whom?
Australia's census suffers from either insufficient bandwidth or DDoS attacks.
In any case, it had to be taken offline yesterday.
A new ransomware strain skips encryption and goes for destruction.
Oracle's MICROS point-of-sale system issues may underlie a wave of retail breaches.
QuadRooter might not be as bad as feared, and yesterday was Patch Tuesday, so get patching.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 10, 2016.
International cyber conflict news today returns to the South China Sea,
where Vietnamese security researchers continue to track spyware that has infested that country's networks since at least June of this year.
The compromises seem to have originated from a spoofed version of a Vietnamese Communist Party website.
The spyware incidents are generally believed to be connected to ongoing conflict between China and its neighbors over disputed territorial waters in the South China Sea.
The Philippines have seen similar incidents,
also suspected to be associated with the Chinese intelligence services.
Iran is also believed to have significantly increased its cyber attack capabilities in the wake of the international agreement that sought to arrive at a peaceful arrangement
with respect to the Islamic Republic's nuclear ambitions.
The annual report on Iranian military capabilities the U.S. Department of Defense renders to
Congress concentrated on conventional kinetic capabilities, but it alluded to a growing
ability to carry out operations in cyberspace.
Bloomberg reports that the document echoes conclusions of a study by the Washington Institute
for Near East Policy's Michael Eisenstadt,
who describes Iran's cyber operations as having evolved, quote,
from a low-tech means of lashing out at its enemies to a pillar of its national security concept, end quote.
Not all those enemies are foreign nation-states.
Amnesty International reports that actors, probably directed by Iranian security services,
have been conducting an extensive spear-phishing campaign against exiles and dissidents.
Some of the phish bait is presented as email correspondence from U.S. immigration authorities concerning the targets' green cards.
The Australian Bureau of Statistics took its census website offline last night
after sustaining what it characterized as multiple
distributed denial-of-service attacks. The Australian Signals Directorate has trained its eye,
one of the Five Eyes, on the incident, and the Bureau of Statistics says it will bring the census
site back once it can do so safely. Not everyone's convinced the problems were the result of an
attack. Industry sources are wondering publicly if the Bureau provided enough bandwidth to handle the traffic of citizens logging on after supper
to beat the reporting deadline. AVG reports a new strain of ransomware,
Hitler, that continues a criminal trend toward file deletion. Thomas Pore, director of IT and
services at Plixer, told the CyberWire that the ransomware appears to be in its testing and development phase.
A string found in the malware, he said, contains the German words "Das ist ein Test," this is
a test, as well as some prominent misspellings.
This, he told us, suggests that we will likely see a more mature version popping up shortly.
The Hitler malware isn't crypto ransomware.
Pore said, quote, It's interesting that victims may feel they have little choice but to pay,
since the alternative would appear to be deletion of all their files when they reboot after crashing, end quote.
The breach of Oracle's MICROS network of retail point-of-sale systems is now suspected of providing the common factor behind a recent wave of breaches at stores and hotels.
Itzik Mantin, director of security research for Imperva, told the CyberWire that
it's entirely possible that the data stolen in this breach, including user credentials, […]. He adds that no system is immune to breaches and advises planning to detect and contain point-of-sale breaches,
especially those involving stolen or compromised credentials.
Google thanks Check Point for discovering QuadRooter,
but says most of the risk from this Android vulnerability
is already mitigated by the Verify Apps and SafetyNet features.
More extensive patches are expected next month.
A company calling itself Swirlds recently came out of stealth
and, with a round of seed funding led by Ping Identity,
hopes to make its mark with a technology they believe will solve the challenges of creating trust within
peer-to-peer networks. We spoke with Leemon Baird, the founder and CEO of Swirlds.
So Swirlds is a platform that people can build apps on top of, and those apps then get distributed
consensus, distributed security. So we can do things like cryptocurrencies, like Bitcoin.
We can do distributed smart contracts.
A stock market can be distributed.
So there's no central server.
Basically, anything you would normally do with a server, you can do just distributed.
So you could have a game, but instead of having a server run the game, it's just running on everybody's computers. Just the players are running it. And yet,
the rules are enforced. You could have something like an auction that's being run where everybody's
computers are sort of jointly deciding what order the bids came in and who gets the prize or who
gets the thing. Same thing with the stock market.
There's no central server. It's just all the traders are running this thing.
And so the underlying technology behind what you're doing, is this something of your own development, or
is this something that's, you know, a known protocol?
No, it's a new thing. It's called hashgraph. It is a graph rather than a chain.
And it is remembering who has talked to whom, which is a very strange thing. It's gossiping
about gossip. The result is we have a math proof that this is Byzantine fault tolerant.
And what that means is that even if almost a third of the group are trying to attack and they're trying to
collaborate in their attack and collude in their attack, and even if they can control the internet
in some very powerful ways, they still can't break the system.
The way that you have the system distributing everything to all the users, how do you keep it from collapsing under its own weight?
So we have an incredible amount of efficiency.
What we end up sending over the internet is not votes.
It's not mining stuff.
It's just the transactions themselves with a tiny bit of overhead over it.
Very little extra.
So to be efficient, to keep it from collapsing,
just your home ISP connection is fast enough to handle the entire Visa network of 4,000 transactions per second.
There's digital signatures everywhere.
There's encryption everywhere.
So the digital signatures prevent spoofing.
The encryption prevents eavesdropping and other problems like that.
There are cryptographic hashes tying it all together.
And we have math proofs
of the Byzantine fault tolerance. So we have solid math and solid crypto at every stage.
So you can't game the system because it's using strong crypto and strong mathematics to prevent
that. That's Leemon Baird from Swirlds. We've been hearing and reading a lot about Black
Hat these days, and the prevailing mood was one of foreboding and dismay about the opposition's
agility and capabilities. Now, we should say that at a security industry conference, this is hardly
what the lawyers would call an admission against interest. It's in the nature of the security
sector to be unusually aware of and sensitive to threats, and a high level of fear, uncertainty, and dread has long provided the community with
its background noise as well as much of its signal. Bear this in mind as you consider reports
from Las Vegas. It's also important to bear in mind that commodity attacks continue to succeed.
Enterprises have a lot to do, their resources aren't unlimited,
and for small and medium-sized businesses, as well as for private individuals, it's easy to
fall into a kind of learned helplessness in which shutting your eyes and sticking your fingers in
your ears and hoping nothing happens becomes a default security posture. So don't neglect the
obvious. If Cozy Bear and Fancy Bear, or even Sauron, even wanted to pwn your mom and pop shop,
there's probably not much you could do about it. But that doesn't mean you should give up trying
to keep out the skids and script kitties. After all, they're the ones probably rattling your locks,
mom and pop. And did we mention that yesterday was Patch Tuesday? It was relatively light,
just nine patches from Microsoft, five of them rated critical,
and Adobe patched two, but for once there was no patch for Flash Player.
So mom and pop, get that niece or nephew who knows computers to come on over and get patching.
Joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, you've got a tale to tell us about a friend of yours with a kid,
not unusual these days, who was interested in Pokemon Go.
That's right.
I got a phone call from a friend of mine the other day,
and one of her children, an older child, had figured out how to essentially sideload Pokemon Go on a phone
that the Android store, the Play Store, said wasn't supported by the app.
So she had a phone that was too old to load Pokemon Go, and this kid found a workaround.
Correct.
She found a way to install it with what's called sideloading, which is anytime you go and you get an app that's not from the Google Play Store, it's called sideloading.
And there's a number of ways you can do it.
You can use a secondary marketplace.
Amazon has a marketplace that will let you do this. You have to go into your developer options
in the phone and allow this to happen. The problem is that you don't know where this app is coming
from, and you may not have the trust level for it. Amazon, you can probably
trust that, although probably not as much as the Google Play Store itself.
And even the Google Play Store has had its malicious problems.
Code has gotten through their review process.
But when you go out to a third party
and you start downloading apps
and allowing them to operate on your phone,
you have no idea where that's coming from.
So we've covered this on our show,
that it may even be an app that to you looks like it's running fine.
Right.
But in the background, it's doing bad things.
Right.
Yeah.
If I'm a malicious actor, then it's relatively easy for me to get a hold of what's called
the APK, which is the Android application, and alter it to do something I want it to
do and then put it out into a different marketplace or a different area, make it available to people and just
wait for them to install it and then conduct my malicious activity.
So what was your advice to your friend?
I said that she shouldn't be doing this, that she should, if they really want to play Pokemon
Go, maybe it's time to upgrade to a newer phone.
These phones age.
Your hardware ages.
It needs to be replaced on a regular basis.
It's just part of the cost of maintaining your security on these devices.
So that device, the one that had Pokemon Go sideloaded, should that device now be considered a compromised device?
That was my advice.
I told her that you have no idea where she got the app.
She might not even know where she got the app.
And yeah, you don't know what it's doing on your phone.
All right.
Stuff to watch out for.
Joe Carrigan, thanks for joining us.
My pleasure.
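As an added illustration of the sideloading point Joe makes, here is a small POSIX shell check (example code added to this page, not from the CyberWire or from the Johns Hopkins ISI) that flags packages whose recorded installer is not the Google Play Store, by parsing the `package:...  installer=...` lines that `adb shell pm list packages -i` prints. The sample `pm` output and the trusted-installer list are constructed for the example; a real device would supply the former on stdin.

```shell
#!/bin/sh
# Added example: flag Android packages that were not installed by the Play Store.
# Input format follows `adb shell pm list packages -i`, one line per package:
#   package:<name>  installer=<installer package or null>
# SAMPLE_PM_OUTPUT below is constructed for this example, not captured from a device.
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.nianticlabs.pokemongo  installer=null
package:com.amazon.mShop.android  installer=com.amazon.venezia
package:com.example.game  installer=com.android.vending'

# Assumption for this example: only the Play Store (com.android.vending) is
# treated as a trusted installer. Extend the list to match your own policy.
TRUSTED_INSTALLERS="com.android.vending"

# Read pm output on stdin; print "<package>\t<installer>" for every package whose
# installer is not in TRUSTED_INSTALLERS (sideloaded, or from another store).
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # ignore anything that is not a package line
        esac
        pkg=${line#package:}        # strip the "package:" prefix
        pkg=${pkg%% *}              # keep only the package name
        installer=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s\t%s\n' "$pkg" "$installer"
    done
}

# Number of flagged packages in the constructed sample (expected: 2).
count_sideloaded() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded | wc -l | tr -d ' '
}

# Stand-alone run: list the flagged packages from the sample.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
```

Against a real handset you would pipe `adb shell pm list packages -i` into `flag_sideloaded`. A package with `installer=null` is the signature of a manually installed APK, which is exactly the case Joe describes; a package from a secondary store shows that store's own package name instead. The check only tells you where an app came from, not what it does, so a flagged entry is a prompt to verify the app, not proof of compromise.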
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.