CyberWire Daily - Daily: Banks are vulnerable to more than carding and transfer fraud. Ransomware updates. Lessons for users from the Three Mobile hack. Biometrics (with hedgehog). Election hacking retrospective.
Episode Date: November 22, 2016. In today's podcast we hear about the FBI's warning that cash-spewing ATMs could be coming to a strip mall near you, courtesy of the Russian mob. Bad news and good news about ransomware. Another Android backdoor is reported. Exploitable security cameras get a patch. The Conficker worm's still crazy after all these years. Lessons for users from the Three Mobile hack. Biometrics meets the Wind in the Willows? (Fujitsu Biometrics' Derek Northrope provides a reality check.) Palo Alto's Rick Howard discusses the disconnect between the board room and the tech crew. China's new Internet law. And what have Fancy and Cozy Bear been up to? Hibernating?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Bad news and good news about ransomware.
Another Android backdoor is reported.
The Conficker worm, still crazy after all these years.
Lessons for users from the Three Mobile hack.
Biometrics meets The Wind in the Willows.
China's new Internet law.
And what have Fancy and Cozy Bear been up to?
Hibernating?
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 22, 2016.
Since July, ATM hackers, probably affiliated with the Buhtrap mob, have been at work mostly in Thailand and Taiwan,
stealing cash by inducing installation of a bogus firmware update that directed the machines to empty themselves.
Taipei police realized something was amiss when they started receiving reports of cash lying around ATMs.
This isn't conventional carding, but a direct manipulation of the ATMs themselves.
Buhtrap has spawned at least one associated gang, Cobalt, which has been active in Europe,
and the FBI warns U.S. banks that they could be at risk as well.
The Cyber Wire heard from Lev Lesokhin of security analytics and risk prevention shop CAST Software.
He thinks the Buhtrap capers, and others like them, show what can happen to financial
institutions once their perimeter is breached.
Quote, as seen with the cyber attacks on ATMs in Taiwan and Thailand, once the perimeter
is broken, it is far easier for the attackers to carry out simple commands that drain the
institution of consumer money and possibly sensitive information like social security
numbers. End quote. Lesokhin would like to see more attention devoted to application security.
Quote, the danger with internal application-based attacks is that malware
can be sitting dormant within your system for months, if not years, before the hackers choose
to activate its malicious properties. End quote. And if you're curious about what can be done to
protect data at the application level, Lesokhin thinks the code quality standards the Consortium
for IT Software Quality put out are worth a look.
Some good news and bad news on ransomware.
First, the bad.
The strain of ransomware known as C-E-R-B-E-R is back in the news.
We spell out the allusion to the three-headed hound of Hades to avoid distressing the many listeners who reprehend our pronunciation as somehow Spanish.
I'm looking at you, Phil.
Researchers find that Pluto's guard dog has now begun to target high-value database files
for encryption and extortion.
But here's the good news.
ESET has released a free decryption tool for Crysis ransomware.
So bravo, ESET.
AnubisNetworks finds another Android backdoor,
this one associated with software from Ragentek Group.
The backdoor enables potential exploitation of over-the-air updating.
In IoT news, a patch fixes exploitable issues with Siemens-branded security cameras.
Check Point scans the malware landscape and finds that Conficker remains number one.
Eight years after Conficker spawned, it's still the worm that roared.
We followed up with Balabit's Daniel Bagó about the lessons the Three Mobile hack should teach us.
He points out the too easily overlooked role customers, who are, after all, the users,
have to play in security.
Quote,
We as users also need to take actions in securing our personal information,
and the best way to do so is to be constantly aware.
Users must remember that the Internet comes with the same amount of benefits as dangers.
End quote.
He offers three bits of advice worth bearing in mind,
particularly as the holiday shopping season arrives.
First, pay close attention to where you share personal information,
and yes, do read those terms and conditions.
Next, blind trust is always a bad idea.
Be suspicious and look for signs that an apparently innocent link or request might not be legit.
And finally, don't forget that no one's more interested in your security and privacy than you are.
And play your part in staying safe.
Among the fixes for securing devices and data,
biometric technology figures prominently among the near-term replacements for passwords and pins, and biometric identification has now
been shown to extend to our animal friends as well.
A proof-of-concept video being widely shared by Motherboard, and what's the internet for
if not to share videos of small animals being adorable?
A pet hedgehog is shown
enrolling his paw and using it to unlock an iPhone. It's almost as if Rat and Mole from
The Wind in the Willows were visiting the Genius Bar at the Thames Banker's local Apple store.
We're not entirely sure this represents an improvement over the Piper at the Gates of Dawn.
Anyway, pretty cute. All cuteness aside, biometrics are indeed serious business when it comes to security.
We spoke with Derek Northrope, head of biometrics at Fujitsu, for his take on where things stand.
In certain industries, for instance, policing, border security and things like that,
it's quite a mature technology. It's been around for a while. It's been used for a long time.
It is quite robust.
When we start to move into the consumer space,
biometrics has been around for a while.
It never really had major mainstream adoption until things like Touch ID.
But the interesting factor about things like Touch ID is that
because you can still
use the PIN instead, it's not necessarily an increased security factor, it's more of a
convenience factor. I think a lot of us, when we think of biometrics, we think of things that we
see in movies and in Hollywood with, you know, retinal scans and people holding their hands up
to scanners that scan their fingerprints and so forth.
How much do those perceptions of biometrics align with reality?
With a lot of those spy and crime and all those sort of things,
they have unrealistic expectations about the performance of biometric systems.
If I walk past a TV scanner, it tags my photo, it's not going to know what I had for breakfast.
It's not going to know my first high school friend and all that sort of thing.
It's not magic.
It doesn't know these things.
Essentially, it can't recognize me unless I'm already in the system.
And so for a lot of these instances, there's all these unfounded fears about this biometric system is going to take over the world and do this sort of stuff.
And it's like, well, it can't, because this country is not going to share that information
with that country.
There's no centralized system.
There's not these sort of things.
On the flip side of that, they're super easy to spoof, and we cut people's hands off,
and everything's fine.
We can break into the system.
Also not quite right.
And so an understanding of how the different biometrics work is very important in determining what type of biometric to use.
What about the concerns that your biometrics don't change, where I can cycle through multiple different passwords,
my fingerprints are my fingerprints, and they're going to be mine for my whole life?
And so it's one of those things that a biometric in and of itself for high security applications should never
be the only factor. The things like logging into your phone, you only use one finger, you can change
finger, you can do all those sort of things. But for criminal justice and things like that, yeah,
it doesn't change. But for high security applications, you should be layering factors on top of each
other. So if one factor is compromised, the chain of trust is compromised,
and people don't gain access to the information.
That's Derek Northrope from Fujitsu Biometrics.
In industry news, Oracle announces it will acquire Dyn,
recently famous as the victim of October's Mirai-herded IoT botnet denial-of-service attack.
Telstra is buying security analytics shop Cognevo,
one of the pieces of the dissolving New Zealand security firm Wynyard.
Recent Chinese moves to either restrict the Internet or bring it under the mandate of heaven,
depending on how you look at it,
appear to critics likely to inhibit innovation in that country's tech industry
and elsewhere as well.
Georges Haour, professor of technology and innovation management at IMD, is among those critics.
He thinks the new law will require a level of intellectual property exposure
during the certification process that should trouble any company with potential Chinese competitors.
Haour hopes Chinese companies themselves will recognize the ways in which the Great Firewall holds them back, too,
and will push for a more open Internet regime.
Finally, in a look back at election hacking, it's worth noting that for all the crying of havoc
and legitimate concerns about interference with U.S. voting, other places probably had it worse.
Consider Montenegro's experience, as described by Wapack Labs, in which the country
experienced DDoS and heavy information operations, even an incipient coup d'état, directed against the
pro-NATO ruling party. So concerns in France and Germany about upcoming elections may not be
misplaced. Russian intelligence services, of course, remain the prime suspects, but we have to say we haven't heard from Fancy Bear or Cozy Bear in a couple of weeks.
Shh! It's late November, so maybe they're hibernating.
Heaven knows they've been two busy, busy bears,
and must have a lot of sleep to catch up on.
Fancy? Cozy?
If we've been disturbing your slumbers, have a nice bowl of porridge and roll back over.
There's a good bear.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Rick Howard.
He's the CSO at Palo Alto Networks.
Rick, we talk a lot on the Cyber Wire about this notion of there being a communications gap between the technical teams in an organization and the CEO.
Do you agree this is an issue that needs addressing?
Yeah, it's a problem that our industry's had for a long time. And one of the reasons
is that most of the, especially the security people, they've come up through the ranks,
usually through the technical lane. They used to be Unix administrators or network administrators
and things like that. And they think about problems in different ways than, you know, the way that most C-level executives do.
What I think we've done wrong here in our approach to the problem as we communicate risk to the business is
we know that the C-levels, they manage risk as their job description.
That's their job.
They manage all kinds of risk, and they're making decisions every day about the risk to the company. And I think one of the problems the network
defenders have done is tried to make it out that cybersecurity is some sort of special thing.
And it's not. It's just another kind of risk. And we don't talk about it like that to our bosses.
You know, in my younger days, I used to think it was really fun to grab a spreadsheet of the latest
vulnerability scan and run it up to the leadership and say, hey, look at
all these bad things I found. And they looked at me like I had a horn growing out of my head, like,
what am I supposed to do with this? What we've got to learn to do as an industry, as a network
defender community, is learn how to convey business risk to these C-level leaders and also to board members.
One of the ways I've heard it described is that the board members tend to think in terms of dollar signs, and the technical teams tend to think in terms of red, yellow, and green.
Yeah, it's true. And I've been known to make that mistake in my career. It's a high,
medium, and low risk. And if anybody asked me how I got to high, I'd do something like blah, blah, blah. You know, I've been doing this a long time. You should pay
attention to me. But, you know, that's probably not the best way to do it. And it's hard for
cybersecurity practitioners, network defenders to put a monetary value on risk. Right. So here's a
hint, though. I think that we should focus on material risk to the
business, right? And that will help us focus our efforts on talking to these kind of leaders,
because there are so many threats out there, and we can kind of get lost in the weeds trying to
deal with every single one of them. But if you can focus on material, what is material to the
company? I think you'll have a better shot at this going forward. All right, Rick Howard,
thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.