CyberWire Daily - Daily: Looking back at RSA. "Transparent Tribe" and "Pawn Storm" expand target sets. Mac ransomware found, blocked. Apple's amici.
Episode Date: March 7, 2016Daily: Looking back at RSA. "Transparent Tribe" and "Pawn Storm" expand target sets. Mac ransomware found, blocked. Apple's amici. Plus, Jonathan Katz from the University of Maryland on SSL browser se...curity and Jay Botelho from Savvius on their Vigil 2.0 packet capture tool. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Proofpoint finds Transparent Tribe,
an active cyber espionage campaign against Indian diplomatic targets.
Black Energy's role in the Ukrainian grid hack still isn't fully explained. Pawnstorm spreads to Turkey. Thank you. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, March 7, 2016.
Proofpoint finds an active cyber espionage campaign targeting Indian diplomatic and military personnel.
Transparent Tribe, as they're calling it, seems most active against Indian missions to Saudi Arabia and Kazakhstan.
Several Pakistani IP addresses are said to be involved in the campaign,
which uses a mix of phishing and waterhole attacks
to distribute the MSIL Crimson Remote Access Trojan.
There's no attribution offered in the reports
beyond the circumstantial implication of the Pakistani IP addresses. The correlation of Black Energy espionage malware with December's attacks on
the power grid in western Ukraine is well known, but what causation might lie behind that correlation
remains obscure. The likeliest link would still appear to be Black Energy's involvement in
credential theft. Macs have so far enjoyed a degree of immunity to ransomware.
No more. The legitimate BitTorrent application transmission has become enmeshed in what appears
to be the first ransomware campaign directed against Mac users. The strain is being called
Corranger. Palo Alto Networks reported the attacks to Apple last week, and Apple took quiet steps at
week's end to interdict the ransomware. Once those measures were in place, Palo Alto made a more general disclosure.
Trend Micro has identified another new form of ransomware,
Cerber. They say it speaks English, literally. It repeats, attention, attention, attention.
Your documents, photos, databases, and other important files have been encrypted
in a robotic female voice.
But, anglophone or not, it's being sold as crimeware in the Russian underground.
Cerber offers payment instructions in the form of images,
which suggests its authors are taking a page from the old Reviton playbook.
TrendLab says Cerber looks easily configurable by criminal users,
and thus that we can expect to be seeing more of it in the future.
Observers marvel, with varying degrees of informed surprise, at last week's announcement by U.S.
Defense Secretary Ashton Carter that the Americans have offensive cyberweapons and intend to use them,
at least against ISIS. In DoD descriptions, that use has sounded a lot like jamming,
adapted and updated for use against Internet-based command, control, and communications.
Some of the worries are of the potential for collateral damage,
but the comparisons, too, in contrast with the early years of the nuclear age, seem overheated.
Apple draws more industry support in its dispute with the U.S. FBI over unlocking the San Bernardino jihadist iPhone.
As tallied by Apple Press Info, 17 amicus briefs and three
letters to the court have been filed in sympathy with Apple's case. And you may have heard that
the San Bernardino District Attorney weighed in last week on the side of the FBI, expressing his
fears that the phone in question contained a lying dormant cyber pathogen designed to infect the
county's networks. He's since clarified, Ars Technica
reports, that it's a claim unconnected with any particular evidence. The DA would just like to
be sure there's nothing to it. From time to time, we like to share new products that catch our eye
here at the Cyber Wire. Packet monitoring can be an important part of protecting a network,
but higher speeds and fatter pipes can make long-term storage of packet data impractical.
Savias has launched a product called Vigil 2.0,
which they tell us allows you to capture suspicious packets from before and after an alert.
Jay Botello is director of product marketing at Savias.
Vigil knows what is suspicious based on usually systems that customers already have in place.
So they have an intrusion detection system or an intrusion prevention system,
and they are looking for known threats. And what Vigil does is Vigil monitors
all of those alert feeds. And in addition, it is always capturing packets. So it has storage of
packets. So when it sees an alert, then Vigil goes into the buffer, extracts the packets that it's already saved
around that conversation, and then continues to save packets for that conversation for the
configured period of time. And that's one of the key elements is, you know, not only are we able
to do it for a long period of time, but we're able to actually get the packets from before the alert
was actually triggered. And that's quite important because there's just a lot of processing delay in these alerts.
The alerts see something of importance, but by the time that processing is done,
the real packets that cause the alert would have already gone by.
But with Vigil, we've captured those so that we can go back and get that important data
that was really the data that triggered the alert in the first place.
There's more information about Vigil 2.0 at Savias.com.
We'll be taking a look back at RSA this week.
We'll have three special reports on the conference beginning tomorrow when we discuss what we heard about cyber threat intelligence.
This will be followed later in the week with reports on emerging technologies and on trade and investment.
In the meantime, see the links in the RSA section of our daily news brief
for late-breaking announcements and retrospective takes on the conference.
Finally, a hail and farewell to Ray Tomlinson, the godfather of email,
who passed away Saturday at the age of 74.
Tomlinson implemented the first email program on ARPANET back in 1971,
selecting the at sign to separate user from host.
Our thanks to him and our condolences to his family and friends.
Remember Ray Tomlinson whenever you use the at symbol
and think of a life well led.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24
only on Disney+.
Do you know the status
of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. Thank you. give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant. www.microsoft.com SSL browsing. I think most people, when they see the little lock icon on their browser, they see that and they assume that they're safe.
How accurate is that assumption?
Well, it's a complicated question, actually.
The protocol itself at a high level is pretty secure.
It's been cryptographically vetted in various ways.
And the components of it at a high level are by now pretty well understood.
The challenge with SSL is that there's this entire ecosystem around it,
and there are so many different points at which things could go wrong
that unless you're completely sure about what's being implemented
both on your browser as well as what's being implemented
on the other end on the server,
and checking for this lock icon on your computer,
you do run the risk that something can go wrong.
So let's dig in a little bit on that. What kinds of things can go wrong?
Well, just as an example, so the SSL protocol is supposed to ensure that you, the computer user,
know for certain that you're speaking to the entity at the other end, let's say Google.
And the fundamental piece of information that lets you verify that is an authenticated copy
of Google's public key.
And so you have this entire public key infrastructure that's developed around making sure that you, the computer user,
are able to obtain an authentic copy of Google's public key.
And one of the issues with that is that current browsers ship with these hard-coded public keys for certification authorities
that are supposed to vouch for the validity of other people's public keys, like Google.
But in reality, if you look at the set of certification authorities
that are included in modern browsers,
they include all kinds of companies from all kinds of countries,
including outside the U.S., that we know really nothing about.
And we don't know anything about their security practices.
We don't know how easy it would be to coerce them or bribe them to issue a fraudulent certificate. And ultimately, if they're
able to be subverted in that way, and you end up as the user getting an incorrect copy of Google's
public key, then all bets are off, and even the best protocol in the world won't protect you.
Obviously, browsing securely is better than not, but how safe should
we feel? Well, I think that the modern browsers do a reasonably good job. They're very good also
about fixing any flaws that are identified by security researchers. Like I mentioned earlier,
the user does have to check and make sure that they're accessing a site by HTTPS and not by HTTP.
The user, of course, also has to verify that they're accessing the site that they intended.
ETP. The user, of course, also has to verify that they're accessing the site that they intended.
A lot of phishing scams rely on just changing one character in the name of a well-known website.
And then if you're not careful and say you go to a website with G00GLE rather than GOOGLE,
then you might be accessing a site and authenticating to them and you believe that they're who they say they are. But in fact, you're not authenticating to Google,
you're authenticating to another company. But modular things, I think overall,
the average user is safe. Jonathan Katz, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.