CyberWire Daily - Daily: Ransomware and hospitals. Why random numbers matter. Stolen certificates.
Episode Date: March 28, 2016
In today's Daily Podcast we talk about how "Google-dorking" may have helped the Rye dam hackers find a vulnerable system. If you're pushing propaganda, why the Dark Web probably isn't for you. Symantec finds stolen SHA-2 certs in malware. Trustwave finds XSS flaw; Zen Cart patches same. Carbon Black identifies PowerWare, a new ransomware variant. We talk to Bufferzone about hospitals and ransomware, and the University of Maryland's Jonathan Katz explains why random numbers matter.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The indictment of seven Iranians in the Rye Dam hacking case
suggests that the attackers used Google dorking to find a vulnerable system.
The dark web apparently isn't the best place for propaganda.
It's just too slow and user-unfriendly to serve as a mass medium.
If you use ZenCart for your online customers, update it to the latest version.
Stolen SHA-2 certificates are turning up in banking trojans.
A new strain of ransomware is out, and we hear why hospitals seem susceptible to this form of attack.
And we'll learn a bit more about why random numbers matter.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 28, 2016.
Details of how hackers allegedly got into the control system of that dam in Rye, New York,
emerged from the U.S. Justice Department's indictment of seven Iranians.
They're said to have found the dam's vulnerable systems by Google-dorking,
and then working their way through there.
Google-dorking, which name, by the way, shouldn't be taken to imply any nefarious intent or negligence
on the part of the Mountain View search giant,
is a technique of searching for poorly protected or exposed systems online.
It's a form of pre-attack reconnaissance that uses search parameters somewhat more complex than typical searches.
A common parameter might be file type, which would return files with certain specified extensions, such as doc, pdf, xls, or so on.
Another parameter might be site, which would return files located on a particular website or on a particular domain.
An insecurely configured network is likely to expose its vulnerabilities to Google dorking.
Once the hackers located a vulnerable system, the Bowman Street Dam, it was a matter of applying an exploit,
and Rye can take such comfort as it may in realizing that their flood control dam was just a target of opportunity.
ISIS is said to be responding to reverses on the ground by first conducting increasingly violent propaganda of the deed outside its core territory.
This it celebrates online, and ISIS received some sad competition this Easter from its jihadi rivals in the Pakistani Taliban,
who claimed responsibility for a massacre targeting Christian parents and children in a Lahore park on Sunday.
Second, within territory still under ISIS control, the caliphate seems to be withdrawing from the
internet, using more easily controllable legacy media to spread and reinforce its message.
So inspiration stays online, but operations seem cellular and locally controlled,
and much recruiting in the West appears to have moved into prison populations.
Interestingly, ISIS appears not to be particularly active in the often-discussed,
much-feared dark web, those precincts of the internet not indexed by standard search engines.
The dark web, as Defense One points out, is proving, quote, too slow and annoying for terrorists, end quote.
A study conducted at King's College London found relatively little jihadi activity on the dark web.
Apparently, the dark web is good for running black markets, so you'll find a criminal presence there,
but as far as propaganda and communications go, the dark web just isn't well adapted to getting the word out.
After all, if you want the curious and the impressionable to find your message,
it's much better if they can just Google your inspiration.
Trustwave researchers describe a cross-site scripting vulnerability
in the widely used open-source online shopping cart app ZenCart.
ZenCart has patched the problems Trustwave disclosed to them,
and users of the app are advised to upgrade to the latest version, ZenCart 1.5.5.
Note that it's the sellers, not the buyer, who are the ones needing to upgrade.
SHA-1 may be on its way out and SHA-2 on its way in,
especially after Microsoft updated its crypto libraries in favor of SHA-2 last year.
But as all of us adapt to newer hashing systems, so do the criminals.
Symantec researchers are finding that the authors of the Carberp banking trojan are now signing their code with stolen SHA-2 certificates.
The lesson for users is to not trust certificates blindly. Consider the file's source and take other precautions.
And while you're at it, safeguard your own certificates against theft, too.
Researchers at Carbon Black are warning of a new ransomware strain, PowerWare, which is fileless and written in the Windows PowerShell scripting language.
Word documents crafted to induce victims to disable the Word preview sandbox and execute malicious macros are the vectors.
Hospitals are particularly affected.
Ransomware does indeed appear to represent a growing threat to the healthcare sector.
We talked about this with BufferZone CEO Israel Levy.
Given the fact that the information stored on each and every computer in the hospital typically is very sensitive, and it's needed as much as a life-threatening situation if you lose it, I believe attackers would go after this kind of information and encrypt it and try and blackmail the people holding it, given the high price of not obtaining this information.
Second thing is, given the fact that some of the hospitals already released information about the fact that they've been attacked and the attack was regarded as successful, it may draw some other people to try and get to the same segment given the success of the initial attack.
I think everyone experiences it, but hospitals are more open about it.
Levy says healthcare providers need to take a practical approach.
Our recommendation is, you know, address and map all your inflow of information to the company.
And make sure that you know where you have threats flowing in.
Typically, it will be your web browsers and your email attachments.
So what you need to do is just segregate, separate, keep this information that comes from the outside world in a secured container.
And then once you decide you want it in, you need to have the means to bring it in in a way that will not allow the bad guys to get in.
BufferZone's website is BufferZoneSecurity.com.
In industry news, the insurance sector continues to approach offering cyber insurance with some caution.
Premiums are high, but the lack of actuarial data still worries insurers. It's hard for them to be sure how much risk they're actually assuming.
Apple is apparently familiar with Cellebrite, the company widely believed to be helping the FBI open the iPhone implicated in the San Bernardino jihad case.
Observers think the Bureau will eventually have to disclose how they got into that iPhone, assuming that the Bureau succeeds.
The AP reports that Apple is a Cellebrite customer, using its products in some of its stores.
But if Cellebrite's already in the Apple store, how might that disclosure be news?
So listeners, belly up to your local Genius Bar and ask the geniuses on duty what they think.
Joining me once again is Jonathan Katz. He's a professor at the University of Maryland.
Why are random numbers so important to cybersecurity?
Well, random numbers turn out to be vital for various applications in cryptography.
And the easiest example of that is just the example of generating a cryptographic key.
When you generate a cryptographic key that you're going to share with some other party with whom you're going to communicate,
you want that key to be random so that an attacker in particular won't be able to guess it.
And the less random your key is, the easier it will be for an attacker to guess it.
And once they guess it, of course, all the security of your encryption or authentication or what have you is going to be lost.
Are there methods for proving that a number or a string of numbers are truly random?
Well, that's interesting.
That gets into the question of what it even means for something to be random, at least for the purposes of cryptography.
And the fundamental measure here is entropy, which relates to exactly how hard it is for an attacker to guess the value of your random number.
And so you want to make sure that any random number you're using for those purposes is
really unguessable to the attacker.
There have been some advances in the last couple of years, actually, on quantum mechanical methods for generating randomness, where the device can be proven to output random numbers that are unguessable to within a particular degree.
Now, what about using a number like an irrational number like pi as a source for a random number? Does that get you anywhere?
Yeah, that's kind of interesting. I hear that often.
And the problem is that it doesn't really give you the randomness that you need for cryptography.
So there might be some notion of randomness or chaotic behavior in, for example, the digits of pi, but they're not at all random because the digits of pi are public.
So if you're going to be picking your key based on some consecutive digits of pi, and if an attacker knows that, then it would be trivial for the attacker to figure out exactly what your key is.
So those kind of numbers would not be suitable for cryptographic purposes.
All right, Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.