CyberWire Daily - Daily: Current exploits and bugs, fraught China-US cyber relations, and industry notes.
Episode Date: May 17, 2016
Today we discuss some exploits running loose in the wild. GSA's 18F unit cleans up its Slack implementation and shares its lessons learned from a potential breach. Older Android devices are susceptible to an Accessibility exploit. A million-device clickfraud botnet drains advertising budgets. A new cyber espionage campaign prefers quality to quantity. SWIFT gets security advice. ISIS shifts recruiting focus to Central Asia. Cyber tensions rise between the US and China. Dale Drew from Level 3 shares the perspective of a backbone provider, and Yong-Gon Chon wonders whether companies overreact to breaches.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
That patched Flash Zero Day is being distributed in the wild.
GSA cuts itself some slack.
Many Android devices are reported vulnerable to clickjacking.
Advertising budgets are being drained by a big click fraud botnet.
A new furtive cyber espionage tool, Furtim, is observed in the wild.
Swift gets some advice.
Apple patches some widely used products.
Cyber tensions rise between the U.S. and China.
And GCHQ joins Twitter.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 17, 2016.
The recently patched Flash Zero Day is being actively exploited in the wild.
If you're still using Flash, do patch it.
FireEye warns that the common vectors are maliciously crafted Microsoft Office files delivered as email attachments.
As much as most places might hate to admit it, email in general and Outlook in particular
probably remain the most widely used business collaboration tools.
But even good alternatives carry their own risks if they're not properly configured.
Witness, for example, the GSA.
The U.S. General Services Administration, like many other organizations,
is a Slack user. The staff in GSA's 18F unit, an office that functions effectively as an IT
consultancy for federal agencies, is required by internal policy to use Slack for sharing files,
images, documents, spreadsheets, PDFs, the typical contents of business collaboration.
To share data from GSA Google Drive and Slack,
18F uses the standard OAuth 2.0 for authorization and authentication.
But according to the GSA Inspector General, there were issues with how 18F configured Slack. On March 4th, an 18F supervisor noticed that their use of OAuth 2.0 permitted full access to more than 100 GSA Google Drives. This opened the possibility that the documents could have been automatically exposed to public view. 18F disabled the option, removing Google Drive integration from their Slack instance.
18F's account of the incident is worth a look, particularly by other enterprises that use Slack. Visit the blog at 18f.gsa.gov for the story.
SkyCure is warning that older Android devices, which is to say most Android devices, are
vulnerable to clickjacking through exploitation of Android's accessibility services and the
ability the system provides to draw over other apps.
Privilege escalation up to control over
a device is possible. SkyCure recommends updating to the latest version of Android and, as always,
downloading apps only from an authorized source. Click fraud, not to be confused with clickjacking,
is also in the news. Bitdefender notes that a very large botnet has herded in around a million
devices, and that it's successfully burning through advertising dollars by using the Redirector.paco trojan to generate bogus clicks.
enSilo analyzes Furtim, malware being described as stealthy and paranoid. Now circulating in the
wild, Furtim was discovered by a researcher who goes by the handle @hFireF0X.
enSilo finds that Furtim is noteworthy for the large number of checks it makes
for antivirus measures installed on its targets,
some 400, ranging from commodity security products
to some fairly esoteric protective tools.
Its servers also send the malicious code only once,
thereby limiting opportunities for reverse engineering.
Furtim's purpose appears to be espionage. As SWIFT users react to last week's attempt on a
Vietnamese bank, foiled, the bank says, observers continue to look at the funds transfer system and
conclude that its security procedures need an overhaul.
Imagine your company suffers a breach, and it's a big one, messy and public. How should you
react from a technical and public relations point of view? Yong-Gon Chon is CEO of a company called
Cyber Risk Management, and he says that many organizations, when faced with this sort of
situation, overreact.
It is really manifested in the sociology of feeling vulnerable and exposed. And so if you consider
the American response to 9-11, that response occurred in such a way where it manifested
itself with the creation of the Transportation Security Administration, as well as a wide
ranging enhancements to laws to protect U.S. citizens. If you look at that parallel in the
digital arena, organizations get breached. They overreact to show, whether it's investor
confidence, customer or employee confidence, that they're now taking it seriously and are now
investing a substantial portion of their budgets where if they took a
more balanced approach and a more proactive approach throughout the life cycle, that the
impact associated with the damages may not have been as critical. So while it's important to not
overreact, you do need to get in front of the situation. According to Chon, effective communications
are a key part of that. There's crisis management marketing that lots of organizations need to do to restore investor
confidence, mitigate losses associated with share value if they're a publicly traded firm,
restoring employee confidence, and ultimately demonstrating that they are in control of their business.
Chon emphasizes the importance of companies keeping an eye on the big picture from a high level.
An organization needs to take a holistic approach in looking at their financial data
and looking at their financial operating processes, taking a look at their technology,
and then also looking at the operational elements as well.
And it's ultimately about facilitating that cyber-aware culture.
Are you running the right kinds of drills around spear phishing attacks, for instance?
Are you still running penetration tests?
Are you running breach readiness assessments?
If I had to press 911 today because of a suspected data breach,
who do I call? What processes do I need to invoke?
What do I do in the case of a crisis?
That's Yong-Gon Chon from Cyber Risk Management.
We'll hear more from him in our upcoming special edition covering cyber value at risk.
In patch news, Apple has issued updates for OS X 10.11.5, iTunes 12.4, and iOS 9.3.2.
This round of patches aims at improving both security and usability.
And Sino-American tensions tighten with the release of a U.S. Department of Defense assessment
that shows an increasingly assertive Chinese presence in both cyberspace and the South China Sea. U.S. lawmakers and policymakers debate the appropriateness
and likely effectiveness of retaliation in kind. That's retaliation in cyberspace. No one is
proposing that America construct artificial islands on any continental shelf, as far as we know.
Investors await Cisco's guidance, expected later this week.
Barron's suggests that the company may disappoint, which would further disturb cyber stock prices.
Venture capital for security startups remains available, however. Both Avanon and Elusive
announce new rounds of funding. Finally, we're pleased to welcome a new voice to Twitter.
GCHQ, Britain's intelligence and security organization, is now tweeting a little bit with the handle @GCHQ.
One of the first tweets directed towards Cheltenham came from Langley.
The CIA issued a chipper, hello world.
So hello GCHQ and thanks for listening.
We hope you're listening anyway.
Visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
And joining me once again is Dale Drew.
He's the Chief Security Officer at Level 3 Communications.
Dale, Level 3 is a backbone provider, and that gives you a particular vantage point on the rest of the Internet.
I was wondering for our listeners, could you describe to me, what is the role of a backbone provider in relation to the overall topography of the Internet?
Well, if you think about a backbone provider like Level 3, we're like a post office.
People will take their data, put it in an envelope, address that envelope with a to and a from,
and hand it off to their carrier, or in our case, the router. And we analyze that to and the from,
and we route it to the appropriate location based on zip code and then based on address and then based on name.
So we take a significant number of those envelopes a day.
And for most carriers, whether those envelopes contain legitimate data, whether they contain malware, or whether they contain spam, we are just the carrier of that data.
But at the same time, you're constantly looking at the data, you're analyzing the data, and what kinds of things are you seeing in that stream of data?
Well, so we don't analyze the actual content of the payload itself. We do all of our analysis
based on the to and the from, and then the relationships that those to's and those from's
have. So we know, for example, some zip codes send more spam than other zip codes.
We know that some zip codes are responsible for more malware than other zip codes, and we pay
more attention to those neighborhoods than we do other neighborhoods. So for example, within our
backbone, we collect 52 billion events a day, and we identify 1.3 billion security events a day.
That's about 300 command and control botnets a second. That's about 2,000 phishing attacks a second. It's about 3,000 malware attacks every second. And it's about
10,000 scans a second. So the amount of visibility we have is pretty enormous, but also the amount of
bad activity is significant and rising.
So if you aren't looking at the actual contents of the data, does that mean you're collaborating
with the people who are? Absolutely. We're collecting data from a wide variety of IP
reputational databases that are analyzing things like malware attacks and phishing attacks and
scanning attacks. We also collect this data ourselves. So we have a honeypot
infrastructure where we're collecting that data. And then we also have behavior algorithms that
will analyze that data, look for bad activity. Now, what we do is when we receive IP reputational
information or our honeypot information or the algorithm data, we'll analyze who's being attacked
and then reference that IP address
across the entire network.
So if we know a bad guy is attacking a particular customer, we'll watch that bad guy to see
who else they're attacking and then build algorithms for watching that behavior.
And what we've detected is that a lot of the bad guys have very particular behavior.
They do things in a very particular way, which allows us to categorize not only the actor themselves, meaning the organized crime or the nation state, but even individuals within those organizations.
So we know when a particular person is attacking an industry because that particular actor has very specific habits when they're breaking into systems.
All right. Fascinating stuff. Dale Drew, thanks for joining us.
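The workflow Dale Drew sketches in the interview above, merging reputation feeds and honeypot hits to flag a source, then pivoting across all flow records to see who else that source is attacking and what habits it shows, can be written down as a small script. This is an added example, not Level 3's code: the flow records, the reputation feed and the honeypot log are all constructed sample data, and the function names are my own.

```python
"""Pivot from a flagged source IP to every other destination it touched.

Added example (not Level 3's code). It mirrors the process described in the
interview: reputation feeds + honeypot hits flag a source, then the whole
network's flow records are searched for everything else that source did.
All data below is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). On a real
# backbone these would be NetFlow/IPFIX records; here they are invented.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("2016-05-17T10:00:01", "203.0.113.7", "198.51.100.10", 22),
    ("2016-05-17T10:00:05", "203.0.113.7", "198.51.100.20", 22),
    ("2016-05-17T10:00:09", "203.0.113.7", "198.51.100.30", 22),
    ("2016-05-17T10:01:00", "192.0.2.55", "198.51.100.10", 443),
    ("2016-05-17T10:02:00", "192.0.2.99", "198.51.100.40", 25),
    ("2016-05-17T10:02:30", "192.0.2.99", "198.51.100.41", 25),
]

# Constructed IP reputation feed entries: ip -> label.
REPUTATION: Dict[str, str] = {
    "192.0.2.99": "spam-source",
}

# Constructed honeypot log: (timestamp, src_ip) for sources that probed a decoy.
HONEYPOT_HITS: List[Tuple[str, str]] = [
    ("2016-05-17T09:59:50", "203.0.113.7"),
]


def flagged_sources(reputation: Dict[str, str],
                    honeypot_hits: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Merge both evidence sources into {src_ip: {reasons}}."""
    flags: Dict[str, Set[str]] = defaultdict(set)
    for ip, label in reputation.items():
        flags[ip].add(f"reputation:{label}")
    for _, ip in honeypot_hits:
        flags[ip].add("honeypot")
    return dict(flags)


def pivot_targets(flows: List[Tuple[str, str, str, int]],
                  flagged: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, int]]]:
    """For each flagged source, every (dst_ip, dst_port) it contacted anywhere
    on the network, ordered by first sighting. Unflagged sources are ignored."""
    first_seen: Dict[str, Dict[Tuple[str, int], str]] = defaultdict(dict)
    for ts, src, dst, port in flows:
        if src in flagged:
            first_seen[src].setdefault((dst, port), ts)
    return {src: sorted(targets, key=targets.get) for src, targets in first_seen.items()}


def behaviour_profile(flows: List[Tuple[str, str, str, int]], src: str) -> Dict[str, object]:
    """A crude behavioural fingerprint: which ports a source uses and how many
    distinct hosts it hit. Repeatable habits like these are what let an analyst
    recognise the same actor when it shows up against a different customer."""
    ports = sorted({port for _, s, _, port in flows if s == src})
    hosts = {dst for _, s, dst, _ in flows if s == src}
    return {"ports": ports, "distinct_hosts": len(hosts)}


if __name__ == "__main__":
    flagged = flagged_sources(REPUTATION, HONEYPOT_HITS)
    for src, targets in pivot_targets(FLOWS, flagged).items():
        print(src, sorted(flagged[src]), targets, behaviour_profile(FLOWS, src))
```

Note that nothing here inspects packet payloads: like the analysis Drew describes, it works entirely from the "to" and "from" of each flow and the relationships between them.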
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.