CyberWire Daily - Daily: DARPA CTF: Mayhem (win), Xandra (place), Mechphish (show). Blame it on Rio.
Episode Date: August 8, 2016
In today's podcast we hear about Bitfinex's recovery from its recent heist and the possibly temporary haircut its depositors got. We also follow the related Ethereum hard fork. News on Olympic hacks and risks of hacking from Booz Allen Hamilton's Brad Medairy and Grey Burkhart. Trustwave reports home smart thermostat bugs. Check Point discloses Qualcomm Android QuadRooter firmware vulnerabilities. More signs that Fancy Bear was prancing through the DNC. A look back at Black Hat, and notes on DARPA's AI capture-the-flag challenge. Jonathan Katz explains the Ethereum fork.
Transcript
You're listening to the CyberWire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners: today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Hard forks and digital currencies as Bitfinex recovers from its big heist, cybercrime and hacktivism versus the Rio Olympics, HVAC vulnerabilities, QuadRooter Android chip firmware issues, a look back at Black Hat, and DARPA's AI Capture the Flag results are in: Mayhem to win, Xandra to place, and Mechphish to show. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 8, 2016.
Bitfinex, the digital currency exchange that recently lost nearly 120,000 Bitcoin, about $63 million, to theft, is beginning its recovery by spreading the losses among its customers. About 36% will be shaved, and the losses recorded in a BFX token that will either be redeemed or exchanged for iFinex stock at some future time. iFinex, Bitfinex's corporate parent, is working through its recovery
from the theft. Some of that recovery will involve a hard fork of the Ethereum public
blockchain-based distributed computing platform. We'll hear more about what that fork amounts to
a bit later from our partners at the University of Maryland. The other major cybercrime news comes
from Brazil, where the Rio Olympics are in full swing. Anonymous,
to no one's surprise, is conducting denial-of-service operations against various Brazilian government
sites to redress a set of grievances connected with the Games. In Anonymous's view of the
matter, the Olympics essentially paper over poverty, violence, and police misconduct in
and around Rio de Janeiro. Another group, the New World Hackers, took down swimmer Michael Phelps' website
shortly after he won his 20th gold medal.
They say they're doing it to expose the vulnerability of high-profile celebrity websites
and, by extension, other websites.
But their concurrent offering of the Bangstressor DDoS tool suggests that this is criminal marketing
and not altruistic vulnerability demonstration.
If you're down in Rio, what's the cybersecurity situation actually like? A mess, basically.
We spoke with Grey Burkhart and Brad Medairy from Booz Allen Hamilton about the cybersecurity situation in Rio. First up is Grey Burkhart.
This is going to be a target-rich environment. Brazil has the most robust internet infrastructure on the continent,
the most bandwidth, the most proliferation of both wired and wireless broadband access.
The cybercrime environment in Brazil is pretty grim.
Enforcement, first of all, the legal framework is very weak.
The criminal elements in Brazil are very prolific, very well developed.
They're known for a wide variety of schemes.
What would be most dangerous to travelers will be ATM skimming, point-of-sale breaches
where they'll actually get inside point-of-sale systems
and steal credit card, payment card information when shoppers make a purchase, and also various
kinds of Wi-Fi fraud.
The Olympic Games folks are setting up a dedicated Wi-Fi network around the Games venues in anticipation
of having so many people with so many Wi-Fi devices.
And this is a great opportunity for criminals to set up their own Wi-Fi networks, mimicking
the Olympic networks and therefore becoming men in the middle and stealing whatever information
is being passed from your device to the network.
Brad Medairy warns visitors to be particularly vigilant when it comes to phishing attempts.
And I think there's going to be a lot of scams in terms of, you know, people looking for tickets,
people looking to purchase other types of services.
You know, I think that, you know, being very, very prudent in terms of what sites you're visiting
and what emails that you're clicking on.
You know, I think that, you know, with all the public Wi-Fi's down there,
being sensitive to visiting unsuspecting and malicious websites,
using HTTPS and secure connections.
And it's not just visitors to the games that should be on alert.
Here's Grey Burkhart.
I'd also point out that Brad mentioned phishing and malicious websites,
and that's not just limited to travelers.
That's anybody who has an interest in the Olympics,
and we expect there to be a lot of people who want to buy memorabilia,
or be attracted by live streaming of some event which turns out to be a watering hole,
and they click on a website and they're infected.
So this is potentially a global threat.
That's Grey Burkhart and Brad Medairy from Booz Allen Hamilton.
Trustwave's SpiderLabs reports vulnerabilities in the Trane residential ComfortLink XL850 thermostat. This is a smart thermostat that lets users set their heating and cooling schedules
remotely from a mobile device. Unfortunately, it also exposes a great deal of information
over weakly secured and easily compromised interfaces.
It would be possible for an ill-intentioned third party not only to control heating and cooling,
possibly damaging a building in addition to simply causing discomfort and inconvenience, but also to gain information about the occupancy times,
which of course is interesting to those who wish to schedule burglaries.
Trustwave says Trane was receptive to the vulnerability reports
and has fixed the issues SpiderLabs found.
Check Point has said it's found four issues with Qualcomm chips widely used in Android devices.
They're calling the set of vulnerabilities QuadRooter
and say they could be used to trigger privilege escalation
and ultimately to gain root access to the affected devices.
Not all the vulnerability news is necessarily bad, however. Many in the security industry have
long suspected that the U.S. National Security Agency is sitting on a large, undisclosed hoard
of vulnerabilities. In imagination, this tends to look like the secret archive shown at the end of
Raiders of the Lost Ark, a vast warehouse filled with everything from Father of Stuxnet
to the results of that hackathon the Illuminati hold at the Bohemian Grove every leap day.
And you didn't hear that from us.
But researchers at Columbia University have looked into it and say, no, really, there's
no such trove at all.
The NSA really isn't keeping a lot of undisclosed bugs from the rest of the world.
Of course, as Russia Today might say, that's what they would say, isn't it?
Speaking of Russia Today, they took strong exception over the weekend
to advice from the Atlantic Council to countries whose relations with Russia are fraught.
The Atlantic Council apparently recommended that countries like Poland
consider developing ways of holding Russian cyber infrastructure at risk.
This isn't an idea welcome in Moscow.
More evidence has accumulated, this time courtesy of ThreatConnect and Fidelis,
that Fancy Bear is indeed a Russian government operation,
and that, yes indeed, Fancy Bear was behind the DNC and DCCC hacks.
Last week's security events in Las Vegas have concluded.
Black Hat, DEF CON, and B-Sides are now in the books.
But the news from them continues.
The people we spoke to in Nevada last week tended to agree on several trends.
First, the biggest challenge to the security industry remains the shortage of skilled labor,
and the technical solutions people are interested in are those that help small staffs increase their productivity and effectiveness.
Vendors and venture capitalists seem equally convinced that the need to address labor shortages
will continue to drive the direction of technology's evolution.
Second, that shortage of labor also means delivering products, services,
and solutions that integrate easily and quickly with customers' infrastructure.
There's little demand anymore for difficult-to-implement or operate products
that seem destined to become shelfware.
Third, the Internet of Things remains a big concern,
and here there were many presentations of vulnerabilities in everything from programmable logic controllers
to seismic observatories to personal massage devices.
Did you know those last are often equipped with Bluetooth?
Neither did we, but a team of Australian researchers noticed.
Miller and Valasek followed up last year's well-known Jeep hack with a more disturbing
demonstration that exploited a vehicle's controller area network, the CAN bus.
OpenSource Security described PLC-Blaster, a worm that automatically searches for and
spreads among programmable logic controllers.
And finally, DARPA's machine-versus-machine Capture the Flag competition has a winner, announced at DEF CON. If you were betting, here are the results. Mayhem from the ForAllSecure team took first place, and the $2 million winner's stake. Xandra placed second, paying $1 million, and Mechphish showed at $750,000.
Get your hacking forms out, tinhorns. There's a guy that says, can do.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility
is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland and also director of
the Maryland Cybersecurity Center.
Jonathan, we got word recently that the Ethereum project forked their code. Let's start off. Can you explain to us what Ethereum is and what the significance is of the code being forked?
Well, yeah, basically Ethereum is a generalization of Bitcoin, or you can view it as a generalization of Bitcoin, where what Ethereum allows you to do is to write these smart contracts that perform computation and then can transfer coins based on the results of that computation. And this is all done on the blockchain. And so what happened a few weeks ago was that there was a fund set up that exactly allowed people to use the smart contract to invest money. And somebody figured out a way actually to manipulate the contract that would define the fund, and to manipulate it in such a way that they were able to steal money from that fund.
And so this left the people who operate Ethereum with a quandary of what to do next, and they
decided to fork the code, yes?
Yeah, that's right.
So it comes down really to a question of whether or not to believe that the code defines what's allowed and what's not allowed.
And so there are people who basically maintain that and are continuing to run what they're calling Ethereum Classic.
And they basically say, well, you know, somebody was able to find a loophole, as it were, in this contract that was written.
And so by the laws of Ethereum, as it were, that's allowed, and so there's nothing wrong with that.
Whereas the people who forked the Ethereum chain basically looked at this and said,
well, that's not what was intended to happen, and so that's really an immoral or even an illegal act.
And so we want to undo that transaction.
We want to undo the fact that those coins were stolen.
And so they introduced a fork in the chain.
So what's interesting is that you have these two groups of people,
one of whom is continuing the original Ethereum chain,
and one set of which is operating on this fork of the chain.
And there are people who are saying that this is potentially setting a negative precedent.
What's their argument?
Yeah, I think so. I mean, there are two things here.
The first thing is just this question
of whether or not, as I said, whether the code of a contract determines what's allowed
and what's not allowed, or whether there are some rules outside the system, as it were,
that determine what should be allowed and what should not be allowed. And so part of
the ethos of Ethereum is or was that the code should determine what's allowed. And so people
exactly like these distributed currencies,
like Ethereum and like Bitcoin,
because they don't rely on any central government to manage the currency,
and they don't rely on any set of external laws.
You just operate within the system itself.
And so from a philosophical point of view,
it's sort of an interesting question for people who use these cryptocurrencies.
In addition to that, I think it just throws the whole question of the long-term stability of these currencies into question.
If you're going to have a fork every six months, then it leaves people with a question of what their coins are going to be worth in one year from now.
And so this could really shake up confidence in these cryptocurrencies in general.
All right. We'll keep an eye on it.
Jonathan Katz, as always, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.