CyberWire Daily - Daily: Lessons from recent incidents. Russia says, it's not us, it's you, and more.

Episode Date: September 13, 2016

It's Patch Tuesday, and time to apply the latest fixes from Redmond. Symantec's August Security Report is out. Middlemen make it tough to track exploit sales. GovRAT continues to afflict networks in the wild. Lessons from private key exposure. Russia says the international order isn't the same thing as the American order. The US and the UK conclude a cyber cooperation agreement. More bogus apps for Pokemon GO. We welcome Emily Wilson from Terbium Labs to the show, and Tony Dahbura from Johns Hopkins University's Information Security Institute tells us about their upcoming conference for senior executives. And could people soon be asked to stand and remove their hats for "City Escape?"

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Starting point is 00:01:56 It's Patch Tuesday and time to apply the latest fixes from Redmond. Symantec's August security report is out. Middlemen make it tough to track exploit sales. GovRAT continues to afflict networks in the wild. And could people soon be asked to stand and remove their hats for City Escape? I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 13, 2016. Today is Patch Tuesday, and the latest updates from Redmond are out. Microsoft has released a total of 14 security bulletins for September. Seven of them are rated critical, Microsoft's highest severity rating, and the other seven are rated important. All versions of Windows are affected, as are Microsoft Office, Microsoft Exchange Server, and both of Microsoft's browsers, Internet Explorer and Edge.
Starting point is 00:03:00 Microsoft is revamping its patch distribution policy in October. This is the last Patch Tuesday but one to follow the old policies. Beginning with October, Microsoft will distribute pre-Windows 10 patches in a cumulative roll-up. Windows 7, 8.1, Windows Server 2008, and Server 2012 are all affected. The new policy is controversial among some, principally app developers, who will no longer be able to pick and choose which patches to apply. Microsoft says the new patch delivery system will be easier on users and will help admins avoid the fragmentation of different devices patched at different levels. Whether you agree with Microsoft or the dissenters, remember that patch management is one of the most important steps an enterprise can take toward better cyber hygiene.
Starting point is 00:03:44 Symantec has released its August Security Trends report. It finds a rise in the number of malware variants circulating in the wild. It's difficult to count these, but by Symantec's reckoning, there are some 45.5 million variants out there, and there's a drop in attacks. The disruption and decline of various old standby exploit kits appears to account for this trend. Observers are looking at recent incidents and drawing some lessons from them. Those who've been interested in tracking the sale of the Pegasus iOS lawful intercept tools
Starting point is 00:04:14 found on the phone of an Emirati dissident have tracked the product itself to Israeli firm NSO Group, determining who actually bought and used it is cloudier. It's generally believed that the spyware was installed on the iPhone in question by the government of the United Arab Emirates, but the sale proceeded through middlemen in ways that Motherboard says are difficult to untangle. This is thought by many to be a general problem with the lawful intercept and exploit broker markets. The GovRat Trojan info armor described last November is now out and afflicting U.S. government personnel in a version 2.0. It's more difficult to detect than earlier versions of the
Starting point is 00:04:52 malware. GovRat can, InfoArmor says, intercept files users download and replace them with malware. StealthBits Technologies' Brad Busse shared some thoughts on the malware with the CyberWire. Quote, GovRat and GovRat 2.0 are highly sophisticated malware packages that feature the ability to steal files, remotely execute commands, upload other malware variants, and monitor network traffic, he said. The malware is particularly effective because it uses stolen certificates as an aid. The GovRat database also contains about 33,000 stolen credentials from a wide variety of accounts. Busse advises AV vendors to replace digital signatures and certificates on the grounds
Starting point is 00:05:32 that they can't know which have been compromised. He advises enterprises to have users reset passwords. Quote, until passwords have been globally replaced with a new identification system, web and application hosts need to become part of the solution to protect against credential abuse. End users will rarely preemptively change passwords unless forced to do so. End quote. We also heard from Balabit Chabakresne. Quote, GovRat 2.0 once again highlights the password threat again
Starting point is 00:06:00 as it exfiltrates such data from network traffic. End quote. The lesson he draws from this incident and others is the necessity for monitoring behavior on networks, especially given the frequency with which credentials are compromised. Turning to the threat of the recently disclosed MySQL flaws, patched by some but not all affected vendors, CSO thinks the incident affords an object lesson in the importance of permission management. And the large number of private keys exposed on publicly accessible web servers indicates,
Starting point is 00:06:31 says Naked Security, that those who develop firmware for embedded devices shouldn't share or reuse private keys, enable remote administration by default, or let users activate new devices until they've set the necessary passwords. or let users activate new devices until they've set the necessary passwords. Our reporters are on site in Washington today covering the 7th Annual Billington Cybersecurity Summit. They'll have a full report for us tomorrow, but for now they're sharing what they heard in the morning keynote by U.S. Federal CIO Tony Scott. It's clear that he thinks the biggest IT and security challenges federal agencies face across the board is their dependence on legacy IT systems. He said that adherence to three outdated paradigms, as he
Starting point is 00:07:11 called them, are imposing significant economic and security costs on the government. These he identified as technology, organization, and funding. He argues that a large-scale upgrade and modernization of federal systems would constitute the most important steps the government could take to improve not only its IT, but its cybersecurity posture as a whole. We'll have more tomorrow on the Billington Cybersecurity Summit. The Johns Hopkins University Information Security Institute, along with Compass Cybersecurity, is hosting the third annual Senior Executive Cybersecurity Conference
Starting point is 00:07:43 here in Baltimore, September 21, 2016. The Cyber Wire is a media sponsor for the event, and we checked in with Tony Abura, the Executive Director of the Johns Hopkins Information Security Institute, to learn more. The event is really targeted to executives and senior leadership from pretty much every industry. Everyone is so concerned about cybersecurity, namely protecting their data and defending against intrusions of their systems. And those are the topics that we cover in this event. We go over different types of cyber threats and statistics. We talk about different types of attacks. Especially this year,'re going to go in-depth into social engineering and phishing attacks.
Starting point is 00:08:27 We're going to talk about emerging technologies, including cloud storage, data encryption. And we're also going to talk about a really important topic, which is the human element of cybersecurity in the enterprise. So it's going to be an information-filled day. We try to make it a one-stop shop for people to really get a great idea of what's going on out there in cybersecurity. And you've lined up quite an impressive array of speakers. Give us some of the highlights, some of the names of people who are going to be speaking. We've invited some of the heavy hitters, for instance, Laurie Cranor, who is with the Federal Trade Commission and also with Carnegie Mellon. And the Federal Trade Commission is playing an increasingly important role in cybersecurity policy and regulations.
Starting point is 00:09:17 We have Donald Goode from Navigant. We have Bob Olson from our partner on this from Compass, talking about the security landscape. We have a couple of people from the Applied Physics Lab at Johns Hopkins talking about, this is fascinating, the anatomy of a breach, which I'm really looking forward to. This is what they do day and night down there, study these types of attacks. We also have several panels in the afternoon covering different events. We'll have participants from different industries such as insurance, banking, financial, and high-tech industries. So who's your target audience? Who are the people for whom this should be a can't-miss event? The key people that should attend this event are leaders in companies who really need to get a lot of information, be able to survey the landscape in one day. That's what this is designed for. Tony Abura from Johns Hopkins University Information Security Institute. The event is the third annual Senior Executive Cybersecurity Conference taking place in Baltimore
Starting point is 00:10:30 on the Johns Hopkins University Homewood campus, September 21st, 2016. And we at the Cyber Wire are pleased to be media sponsors of the event, and we hope you'll check it out. U.S. discontent with Russian behavior in cyberspace, especially with what are generally taken to be Russian influence operations, intended to call the legitimacy of U.S. elections into question, recently led Defense Secretary Carter to warn Russia against attempts to undermine democratic institutions and the international order as a whole. His Russian counterpart, Defense Minister Sergei Shoigu, hit back yesterday, Russian counterpart, Defense Minister Sergei Shoigu, hit back yesterday, you too, he said, in effect, and said that the international order mustn't be mistaken with the American order.
Starting point is 00:11:16 Part of that international order, of course, is the long-standing tradition of close cooperation between the United States and the United Kingdom. That relationship grew stronger this week with the conclusion of an agreement of increased cyber cooperation, the two nations concluded. We feel somehow we've been neglecting Pokemon Go, not having mentioned it for a few days. Did you miss your Pikachu gossip? Well, there are fresh warnings from Trend Micro that bogus apps are redirecting Pokemon trainers away from the Google Store and into what Wired called spammy rogue app stores. Catch them all, but don't catch anything else. And finally, since everyone's worried about elections, let us give you something else to worry about. Online petitions. Did you know that a petition has reached the White House with sufficient signatures to require action on a request to change the United States national
Starting point is 00:12:02 anthem from the Star-Spangled Banner to Sonic the Hedgehog's City Escape music. We don't know, but one of our stringers is disturbingly interested in this. He says he wants to make America fast again. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:12:39 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full
Starting point is 00:13:46 suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to welcome Emily Wilson. She's the Director of Analysis at Terbium Labs, one of our research partners. Emily, welcome to the show. This is your first time with us. So by way of introduction, tell us a little bit about yourself. Sure. Thank you for the introduction and happy to be here. I am Emily Wilson, as you mentioned, kind of director of analysis at Terbium Labs. I didn't come to kind of dark
Starting point is 00:14:36 web data intelligence by whatever you might think of as the normal route. I have a degree in international relations from the College of William and Mary, spent a lot of time looking at Russian foreign policy, and now, thankfully, Russia has come back into focus. It certainly has. That's worked well for me. So, yeah, I direct a team of analysts over at Terbium, and the work that we do is based on the idea, we like to say,
Starting point is 00:14:58 that defense, while necessary, is no longer sufficient. The idea that dark web data intelligence isn't kind of a single problem you need to manage. It's an ongoing issue and that more likely than not, your information probably will end up online somewhere where it shouldn't. So give me an idea of the types of research that you all are doing there at Terbium. Sure. Great question. We are actually in the process right now of putting together a formal research paper, kind of demystifying the dark web and looking at the realities of the information that appears there. One of our technologies that we use at Terbium is this kind of massive scale dark web crawler. And so using that same technology, we're able to go through and ask interesting questions.
Starting point is 00:15:39 You know, what is the dark web? What kind of content appears there? Is it legal? Is it illegal? Is it mostly drugs or weapons or fraud? Or questions we get often, you know, are the terrorists there? You know, can I do human trafficking through the dark web? And so we're putting out this research paper to answer some of those questions. All right. Well, Emily, welcome to the show. We'll look forward to talking to you again soon. And now a message from Black Cloak. Did you know the easiest way
Starting point is 00:16:10 for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, Thank you. with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:54 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.