CyberWire Daily - Daily: Dogs still not barking in Panama. (But ransomware bites.)

Episode Date: April 13, 2016

In today's Daily Podcast we continue our follow-up on the Panama Papers' investigation. Ransomware, DDoS, and malvertising continue their win, place, and show finishes in the criminal sweeps. Patch Tuesday addresses Badlock and other vulnerabilities. Some M&A news in the cyber sector. And the FBI may not have used Cellebrite's services to unlock the San Bernardino jihadi's iPhone after all. Plus, Johns Hopkins' Information Security Institute's Joe Carrigan warns us about phony calls claiming to be Microsoft tech support.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. More speculation on what happened at Mossack Fonseca, much of it turning on social engineering and buggy software. Victims may be prematurely paying ransomware extortion demands. Patch Tuesday addresses the much-feared Badlock bug,
Starting point is 00:02:10 which turns out to be bad enough but not exactly devastating. Researchers take a look at the current state of the cybercriminal black market, and the FBI may have hired a small crew of white and gray hats to crack the San Bernardino iPhone. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, April 13, 2016. The Panama Papers' unnamed but widely looked-for dogs in the night still haven't barked, but speculation about how the leak happened continues, with social engineering of email server credentials, buggy WordPress plugins, and an outdated Drupal instance heading the list. Ransomware attacks are still popular, proving easy to execute, and many corporate victims are ponying up the ransom rather than fighting through to get their assets.
Starting point is 00:03:00 But not everyone caves in. After all, MedStar seems to have recovered without paying its extortionists. White Hat researchers continue to release decryption tools as they develop them. It's good to remember in this context that criminal coders aren't perfect, and they don't have to be. They only have to succeed a fraction of the time for their crimes to pay. In some respects, ransomware recovery tools tilt the familiar attacker's advantage toward the good guys. If the criminal's encryption has a flaw, crypto flaws can be exploited for good as well as evil. A large malvertising campaign has hit nearly 300 popular sites in the Netherlands. Fox IT saw the attack developing in its early stages Sunday,
Starting point is 00:03:40 and the campaign has now affected some of the country's largest media sites. Recovery is underway. Distributed denial of service attacks also retain their popularity. Many of these are conducted by hacktivists for political reasons, as we've seen this week in the Baltic. The United States, by the way, has just eclipsed Turkey atop the DDoS leaderboard, according to the score Nexusguard is keeping. But they also affect businesses, which see service disruption as one of the principal risks they face, and the insurers who cover those businesses tend to agree. Marc Gaffan, Imperva's vice president and general manager for the company's Incapsula product line, commented on this threat.
Starting point is 00:04:19 Quote, DDoS tools are inexpensive and widely available, and can cause great damage to organizations, he said. Once a new technology is widely adopted, legal or not, End quote. Observers of the black market continue to see an increasing professionalization of cybercriminals, who are finding ways of offering their services for hire. The individual hoods seem not to be getting rich doing this. Their secret would appear to be volume, to judge from the price lists that have emerged from the dark web this week. But the bosses are making money,
Starting point is 00:04:57 and that's a familiar freakonomic lesson about criminal markets generally considered. Hewlett-Packard Enterprise researchers have an interesting insight into the black market. Credit card theft is serving as a kind of angel investment for Eastern European, especially Russian, cyber gangs. There's an extensive criminal supply chain of reseller fraud in which items are purchased with stolen credentials, dropped, then resold and reshipped to places where Western, especially American, companies won't do business, precisely because of the high rates of credit card fraud. Yesterday, of course, was Patch Tuesday, and Microsoft released a baker's dozen of fixes,
Starting point is 00:05:35 what Threatpost calls a Lucky 13. Among the updates is a patch for the much-feared, some-complain-much-hyped, Badlock vulnerability, which turns out to be less catastrophic than its logo may have suggested. Samba also addressed Badlock. So what is Badlock, beyond the much-hyped, screaming red logo that branded the mysterious bug about a month ago? Essentially, it's a serious flaw in the Distributed Computing Environment Remote Procedure Call, DCE-RPC. It affects both Windows and Linux machines. Indeed, any platform using DCE-RPC is vulnerable. Most worrisomely, the bug could permit an attacker
Starting point is 00:06:13 to gain access to Active Directory. Craig Young, a researcher with Tripwire, offered this perspective. Quote, if Badlock is successfully exploited, the attacker would be able to impersonate other users and subsequently retrieve password hashes, shut down services, As most observers have noted, the vulnerability is likely to require either a malicious insider or a successful man-in-the-middle attack for exploitation. While this may not be as severe as a remote code execution vulnerability, Young said, the fact that an attacker on the local network can likely exploit it through well-known techniques such as ARP spoofing makes it a critical vulnerability, end quote. So, admins, look to your defenses against man-in-the-middle
Starting point is 00:07:02 attacks and, by all means, patch. Cybersecurity stocks are showing mixed results so far this week, with analysts divided over their prospects. There is one bit of M&A news. Optiv Security, itself formed from the merger of Accuvant and FishNet Security, has picked up identity and access management shop Advancive. What Optiv paid has not yet been disclosed, but the company says the acquisition aligns with their long-term strategy to position themselves as a leader in identity and access management. According to the Washington Post, the FBI didn't use Cellebrite to unlock the San Bernardino jihadist's iPhone after all. The Post says they hired a small mixed crew of white hat and gray hat hackers to do the job,
Starting point is 00:07:46 and some people find the participation of gray hats disconcerting. For definitions of white hat and gray hat, see the Cyber Wire's helpful definitions at our online glossary, thecyberwire.com slash glossary. It's all there. Finally, we're struck by how many in the industry press seem disappointed that Badlock turned out to be less devastating than they'd feared. But we say, hey, settle down, gang. There's plenty of gruesomeness out there to satisfy the most Hitchcockian digital ghoul. So be happy that bright red logo didn't, after all, turn out to be the destructor you all feared, or hoped for.
Starting point is 00:08:22 In any case, do patch. And stay safe out there. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:08:46 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:21 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:10:15 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a challenge. It's a necessity.
Starting point is 00:10:48 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joe Carrigan joins me once again. He's from the Johns Hopkins University Information Security Institute, one of our academic and research partners. Joe, you had to help your mom out a little bit with some computer problems recently, yes?
Starting point is 00:11:32 Yeah, that's right. I got a call from her last week where she asked, she said there was a message on her computer and I didn't understand what that meant. And then she held the phone down and her computer was actually playing a sound file that said, your computer is infected. You need to call this number to have the infection removed. This is something that she's managed, some kind of malware that she's managed to get installed in her machine that needs to be removed. But the actual malware is what's playing this file. So it really points to the fact that it's really easy to inadvertently stumble across one of these malware traps. Yeah, it is. If you go to the wrong site, have a drive-by download, or even click on an email attachment or a malicious word file, there's all kinds of vectors to get these things into your computer. A vector is just,
Starting point is 00:12:24 you know, when we say vector, it just means a way that the malware can be installed on your computer. However, that's not the only fraudulent way that people are being exploited. Just last week, there was also a phone message on my answering machine at home saying that it was from Microsoft. It was an automated voice. And they were saying that all of your Microsoft products will be deactivated if you don't call this number. Now, of course, that's a fraudulent message as well. Microsoft doesn't make a habit
Starting point is 00:12:53 of calling people and say, we're going to shut your Microsoft products off. Yeah, we got one recently that said we were days away from having our electricity shut off for non-payment. And if we called this number and paid right away, well, you know, we wouldn't get it shut off. And, of course, we pay our bill on time every month. And BG&E usually doesn't call you with these sorts of things. They send you a letter. That's right.
Starting point is 00:13:16 And if you do get the message, then you should never call the number that they leave for you. You should call the number that you can find either in the phone book or on the company's website and call their billing department. Good advice. Joe Carrigan, thanks for joining us. My pleasure. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:56 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
