CyberWire Daily - Daily: Pokémon Go is out, with troubles in its popular trail. Cybercrime & hacktivist miscellany.
Episode Date: July 11, 2016. In today's podcast we hear about possible hacks of NATO websites during last week's Alliance meetings. South Asia's scissors-and-paste cyber espionage campaign is surprisingly effective. ISIS and al Qaeda vie for jihadist mindshare, and Anonymous hits government sites in Zimbabwe and South Africa. A hacker/hacktivist dumps what he claims to be Kindle credentials, but analysts are dubious about their provenance. Eleanor Mac malware targets webcams. State Department emails remain under investigation. Chris Gerritz from Infocyte tells us about threat hunting, and Charles Clancy from the Hume Center at Virginia Tech shares concerns about data privacy. Plus, Pokémon Go seems to be catching 'em all—Ash Ketchum, call your office.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
This scissors-and-paste cyber espionage campaign seems to emanate from South Asia. ISIS and Al-Qaeda vie for jihadist mindshare online.
Anonymous hacks targets in Zimbabwe and South Africa.
A reported Kindle credential breach may be largely bogus.
Eleanor, Mac malware and its privacy threat.
State Department email scandals remain under investigation.
And Pokemon Go seems to be catching them all.
So, Ash Ketchum, call your office.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, July 11, 2016.
NATO meetings last week addressed a wide range of security issues,
but prominent among these were concerns about cyber operations, especially insofar as they figure in transnational threats, like those posed by ISIS and in the hybrid warfare practiced by an increasingly assertive Russia.
Several of the alliance's websites sustained outages during the meetings.
NATO is investigating whether these were hacks or just glitches.
Two sites were affected, both associated with NATO's Allied Transformation Command,
which is based in Norfolk, Virginia.
As is often the case, evidence is ambiguous at best,
but a lot of suspicious eyes are being cast towards Moscow.
In South Asia, these scissors-and-paste exploitations of an array of known
and for the most part long-patched Microsoft vulnerabilities
are revealed to have enjoyed surprising success, showing that attackers can innovate without
innovative zero days. Cymmetria last week identified the threat group behind the attacks
as Patchwork, a name which is evocative of the threat actor's approach. Kaspersky is calling
the actors Dropping Elephant or Chinastrats. It's an espionage campaign whose
principal targets are Chinese, but which has also prospected organizations in Australia,
Pakistan, Sri Lanka, Uruguay, the U.S., and Bangladesh. Attribution is still unclear,
but most speculation has turned toward India. ISIS is stepping up its online presence and
targeted recruiting in out-of-area operations.
This bears out the predictions of several observers who have foreseen that loss of the
terrorist group's core territories in the Levant would drive it towards other geographic
areas.
ISIS is recruiting jihadists for projected campaigns in the Philippines, and it's also
launched a newspaper designed to appeal to Malaysian expatriates.
The caliphate's principal rival,
Al-Qaeda, is also upping its online presence as one of the late Osama bin Laden's sons is threatening belated vengeance for the U.S. raid into Pakistan that killed his father in 2011.
Anonymous is back and active against targets in Zimbabwe and South Africa. One operation,
hashtag Shutdown Zimbabwe, has rendered some government websites in that country unavailable.
People claiming to speak for the hacktivist collective say more hacks are to come.
In other action, this one marked with the familiar hashtag OpAfrica, South Africa's Armscor was breached.
Armscor is a procurement arm of South Africa's defense establishment.
Information apparently taken from Armscor's networks has appeared online,
and it includes details of various arms transactions with international suppliers.
Someone claiming to represent Anonymous says they accomplished the breach through a SQL injection attack.
A hacker going by the handle 0x2Taylor,
who also claimed responsibility for last week's breach of the Baton Rouge police,
dumped a bunch of data he claims represents Amazon Kindle credentials.
But what those data actually are remains unclear.
They may be fake or they may be bot accounts.
0x2Taylor has tweeted that Amazon is a big wealthy company that ought to have better security and that besides, they ignored his request for $700 in exchange for keeping silent, so there.
Several researchers who've looked into the data conclude that, at worst, it's premature to get too worried about the claimed breach.
Network defenders are talking a great deal about threat hunting.
We hear from Chris Gerritz, Infocyte's CEO, about what this approach entails.
Well, hunting threats is the focused effort to try
to find adversaries that have already penetrated the network. Hunting for malicious software that's
installed in our systems, or it's hunting for the malicious use of credentials, such as an
administrative account being used by a hacker. Most technologies today that defend a network are designed to prevent attacks, trying to alert on an attack in progress. So they'll use different behavior
models to do that. Really what we're doing is building our wall higher and higher. And what
we've come to realize is no matter how big that wall we create, our networks are incredibly
complex and people are going to get through. Gerritz says there are a variety of approaches
to threat hunting. One of them involves analytics. Our security software today and our networking
topologies, they're collecting a lot of data. They're collecting logs. They're collecting
alerts that we may or may not be looking at because there's so many of them. So let's apply
analytics to that and see if we can get additional context out of that data to find those events.
So that's a model that a lot of ex-NSA
guys are coming out and doing because they have a lot of experience with analytics and large
caches of data. A different model is to look at the workstation or server device itself.
My particular expertise is looking at a device and seeing what software is running on there,
what software is triggered to run, and then if there's any logs or indications or artifacts
that someone has used this system maliciously, either currently or in the past.
And so, you know, a direct look at a device,
going beyond what just an antivirus is going to scan for,
to verify what's on that system. That's another way of hunting.
Gerritz compares the reports we get from much of our defensive software to weather reports.
People are naturally, when they hear a weather warning, like a tornado or something like that,
they're going to look out their window, they're going to turn on the TV because they want to know,
is this a threat to me and is this threat real? Storm warnings and storm predictions are typically
not that reliable. And so what we're seeing today is alerts that are produced by our security
software are typically unreliable.
And so we have to be able to verify those alerts.
Are they real?
Hunting kind of picks up the slack of being able to verify so many alerts that are being generated by our software.
He also advises that organizations not be intimidated by the term threat hunting.
This is a trainable process, and this is something that organizations can adopt,
just like they adopted security operation centers
over the last few years.
This is something that can be taught
and can be effective in their network.
That's Chris Gerritz.
He's the CEO of Infocyte.
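Gerritz's "malicious use of credentials" hunt, as an added worked example that is not part of the original episode and not Infocyte's product code. It runs the kind of analytics he describes over a constructed baseline of past logins and a constructed day of new ones: an administrative account succeeding from a host it has never used, outside business hours, or right after a run of failures gets flagged with the context an analyst needs to decide whether the alert is real. The log format, account names and hostnames are all invented for the demo.

```python
"""Toy credential-misuse hunt over constructed authentication logs.

Hypothetical example: log format, hosts and accounts are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log line shape: ISO timestamp, user, source host, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed "last month" of logins, used only to learn what is normal.
BASELINE_LOG = """\
2016-06-13T09:02:11 user=da-admin src=jump01 result=ok
2016-06-14T10:15:40 user=da-admin src=jump01 result=ok
2016-06-15T14:22:03 user=da-admin src=jump02 result=ok
2016-06-15T08:45:19 user=alice src=ws-alice result=ok
2016-06-16T09:01:57 user=alice src=ws-alice result=ok
2016-06-20T11:30:00 user=bob src=ws-bob result=ok
""".splitlines()

# Constructed "today" of logins to hunt through.
TODAY_LOG = """\
2016-07-11T08:58:02 user=alice src=ws-alice result=ok
2016-07-11T02:13:45 user=da-admin src=ws-bob result=fail
2016-07-11T02:13:52 user=da-admin src=ws-bob result=fail
2016-07-11T02:14:01 user=da-admin src=ws-bob result=ok
2016-07-11T09:30:12 user=da-admin src=jump01 result=ok
2016-07-11T10:05:33 user=bob src=ws-bob result=ok
""".splitlines()

ADMIN_ACCOUNTS = {"da-admin"}   # constructed: the accounts worth hunting on
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 counts as a normal login hour


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines):
    """Map each user to the set of source hosts it has succeeded from before."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "ok":
            seen[ev["user"]].add(ev["src"])
    return seen


def hunt(baseline_lines, new_lines, admin_accounts=ADMIN_ACCOUNTS):
    """Flag admin logins that look unusual against the baseline.

    Each finding lists why it was flagged: a never-seen source host,
    an out-of-hours login, or failures from that host just before success.
    """
    baseline = build_baseline(baseline_lines)
    events = sorted(filter(None, map(parse, new_lines)), key=lambda ev: ev["ts"])
    recent_fail = defaultdict(int)   # (user, src) -> failures since last success
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            recent_fail[key] += 1
            continue
        if ev["user"] not in admin_accounts:
            recent_fail[key] = 0
            continue
        reasons = []
        if ev["src"] not in baseline.get(ev["user"], set()):
            reasons.append("new source host")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if recent_fail[key] > 0:
            reasons.append(f"{recent_fail[key]} failures before success")
        recent_fail[key] = 0
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE_LOG, TODAY_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']}: {', '.join(f['reasons'])}")
```

On the constructed data only the 02:14 login is flagged: the admin account's normal 09:30 login from its usual jump host produces nothing, which is the point of hunting against a baseline rather than alerting on every admin logon.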
There's now some hard evidence
car thieves are turning to hacking tools
to make off with vehicles.
Security cameras in Houston, Texas, have caught someone stealing a 2010 Jeep Wrangler using a laptop.
The theft took more than 10 minutes, so the crooks are well behind the Hollywood gone-in-60-seconds standard established in 1974.
But the security footage is evidence of what's probably, alas, a coming trend.
Little steps for little feet, but they'll get faster.
More is out on Eleanor, the Mac malware whose existence researchers disclosed last week.
In a scare headline, Naked Security reports that Eleanor, quote, tries to hook your webcam
up to the dark web, end quote, webcam and dark web being the operative scary words.
We trust most of you have placed opaque tape over your webcams.
Inquiry into the U.S. State Department email scandals isn't over,
even though the Justice Department decided last week not to indict presumptive Democratic presidential nominee
and former Secretary of State Hillary Clinton.
State has reopened its own internal investigation.
Congress wants to hear
more of what the FBI described as lax security culture at Foggy Bottom, and Republicans look
forward to keeping the scandal alive through November. Finally, you may have noticed people
walking around outdoors more absorbed in their mobile devices than ever. And by people, I mean
my entire family. The explanation is that Pokemon Go is out and it's very popular.
Our technical editor gives the game two thumbs up, by the way.
It involves geocaching and augmented reality.
As entertaining as the game may be, its release is also accompanied by some security weirdness.
In one case, a Wyoming player was led to climb a fence and approach a river where she found, to her dismay, a drowning
victim. Pokemon Go is also being spoofed by a RAT. Proofpoint has found the familiar Android
remote-access trojan DroidJack packaged as a bogus version of the game. Should you download
Pokemon Go, don't do so from dodgy sites. Use official, relatively well-vetted app stores.
If you're playing Pokemon Go, you're probably not worried about an encounter with Squirtle,
or even Squirtle's Wartortle evolution, or even Wartortle's Blastoise evolution, and
you, Pokemon Trainer, are probably not too interested in the extensive permissions the
game requires.
It really needs to know a lot about you for the geocaching to work and be engaging.
But those permissions are interested in you.
Police in O'Fallon,
Missouri say muggers have used a combination of social media and geolocation data to target
absorbed and inattentive players. Philadelphia cops are also warning of Pokemon Go-connected
robberies. Ash, Serena, Misty, and Red were unavailable for comment. And it's unclear whether
police will be Mirandizing muggers they collar with the words,
I choose you. You have the right to remain silent.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And joining me once again is Dr. Charles Clancy.
He's director of the Hume Center for National Security and Technology.
They're part of Virginia Tech.
Dr. Clancy, there's a lot of concern with privacy of data,
particularly concerning the Internet of Things and medical data and data in the cloud.
This is an area where you're doing research there at the Hume Center, correct?
Yes, we are.
Significant growth of data within the Internet of Things is creating significant opportunities for new industries.
For example, as we see the growth of smart grid, it's incentivizing power operators to push their data to the cloud in order to use big data techniques to more efficiently manage the grid itself
and get more efficiency out of the grid.
So there's a significant financial incentive for companies to begin to push data to the
cloud, but at the same time, it creates a potential threat vector for cyber risk.
We're seeing some very interesting research in the area of homomorphic encryption, which
essentially allows you to encrypt that data before you send it to the cloud.
And the cloud operator and the owners of the infrastructure
never actually are able to see the data.
However, you're able to execute encrypted operations
on the data and get back an encrypted result
that only you are able to decrypt.
This basic new technique is not yet efficient.
There's still orders of magnitude slowdown
in using homomorphic
encryption, but it's a promising tool that I think could unlock significant potential in terms of
privacy-preserving analytics within the cloud. So what about the aspects of this dealing with
the medical industry? Well, certainly compliance with frameworks such as HIPAA require protection
of data in the cloud, but we're seeing entirely new applications, particularly in the area of genomic medicine,
where services like 23andMe will allow you to sequence your own DNA.
And there are services that allow you to just essentially put your DNA in the cloud
for researchers to use for medical research.
While this is really exciting, it opens a lot of opportunity for data to be available
to researchers, it also is a significant vector for compromising privacy.
Whereas you as an individual may feel comfortable sharing that data, you must realize that your
DNA breakdown is 50% correlated with that of your parents and 25% correlated with that
of your siblings.
And therefore, not only are you compromising your own data by putting it in the cloud,
you're perhaps compromising the privacy of your relatives.
So some of these new approaches to homomorphic encryption actually allow you to encrypt that data
in such a way that it would not negatively impact your privacy or the privacy of your family members,
but still allow medical researchers the ability to execute queries against it
that they could use to look for biomarkers for cancer, as an example.
All right. Fascinating stuff. Dr. Charles Clancy, thanks for joining us.
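The encrypt, compute, decrypt flow Dr. Clancy describes, as an added worked example that is not part of the original episode and not the Hume Center's research code. It uses the Paillier scheme, which is additively homomorphic: the cloud multiplies ciphertexts it cannot read, and the data owner decrypts the product to get the sum of the underlying readings. The primes are deliberately tiny constructed values so the arithmetic is visible; real deployments use large primes and a vetted library.

```python
"""Toy Paillier demo of encrypt -> compute in the cloud -> decrypt.

Constructed example; parameters are far too small for real use.
"""
import math
import secrets

# Small, well-known primes (the 10,000th and 100,000th primes) chosen
# only so the numbers stay readable. Not secure at this size.
P, Q = 104729, 1299709


def keygen(p=P, q=Q):
    """Paillier key pair with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    n_sq = n * n
    g = n + 1
    # L(u) = (u - 1) // n ;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption: the same plaintext gives different ciphertexts."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n_sq = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """Only the holder of (lam, mu) can recover the plaintext."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return ((pow(c, lam, n_sq) - 1) // n * mu) % n


def add(pub, c1, c2):
    """Cloud side: multiplying ciphertexts adds the hidden plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_const(pub, c, k):
    """Cloud side: raising a ciphertext to k multiplies the plaintext by k."""
    n, _ = pub
    return pow(c, k, n * n)


def cloud_total(pub, ciphertexts):
    """What the untrusted operator can do: total readings it cannot read."""
    acc = encrypt(pub, 0)
    for c in ciphertexts:
        acc = add(pub, acc, c)
    return acc


def demo(readings):
    """Owner encrypts, cloud aggregates, owner decrypts the total."""
    pub, priv = keygen()
    enc = [encrypt(pub, x) for x in readings]   # readings leave the owner encrypted
    total_ct = cloud_total(pub, enc)            # cloud holds only the public key
    return decrypt(pub, priv, total_ct)


if __name__ == "__main__":
    meter = [12, 7, 30, 5]   # constructed smart-meter readings
    print("encrypted total decrypts to", demo(meter))
```

The slowdown Clancy mentions is visible even here: each reading becomes a modular exponentiation over n squared, and this scheme supports only addition and scaling by a constant, not the arbitrary queries a researcher would want, which is why fully homomorphic schemes cost orders of magnitude more.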
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.