CyberWire Daily - Daily: Ransomware updates. IP camera vulnerabilities. Steganography makes a comeback. Controlling content, with or without Internet autarky. Zo replaces Tay?
Episode Date: December 7, 2016. In today's podcast, we hear that more network security cameras have been found vulnerable to bot-herding. Sony's are patched, so patch. Unpatched Flash bugs incorporated into exploit kits. New ransomware strains are out. Russia announces a new national Internet strategy as Canada and the EU grapple with the complexity and ambivalence of controlling extremist content. Steganography is back, alas, and in your banner ads. Dr. Charles Clancy from VA Tech's Hume Center explains the challenges of developing security solutions that can function in both the federal and commercial realms. Ebba Blitz from Alertsec has the results of a survey on what Americans fear most when it comes to cyber security. And Tay's kid sister Zo makes her debut.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More network security cameras are found vulnerable to bot herding.
Unpatched flash bugs incorporated into exploit kits.
New ransomware strains are out.
Russia announces a new national internet strategy as Canada and the EU grapple with the complexity and ambivalence of controlling extremist content.
Steganography is back, alas, and in your banner ads.
And Tay's kid sister Zo makes her debut.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, December 7th, 2016.
More targets for exploitation have presented themselves to Internet of Things bot herders.
This time around, the problematic devices are IP cameras. Sony has issued a firmware update intended to slam shut back doors discovered in about 80 models of the company's networked security cameras.
The Austrian security company SEC Consult reported the vulnerability, which enables
a remote attacker to open one of the usual suspects, a telnet port.
Researchers at Cybereason have independently discovered vulnerabilities in a
large family of white-labeled security cameras, not Sony's, that are widely sold under a variety
of brand names. In this case, the cameras are both shipped with a common, easily guessed password,
which is of course now a known password since it's been published in several places,
and also a default peer-to-peer communication capability. That latter capability yields access to the camera even if it's behind an effective firewall.
Providing the unique camera identification from a device enables remote access via the manufacturer's website,
and apparently those unique IDs can be easily guessed through that manufacturer's website.
It's worth noting that these reports of vulnerabilities have not
yet, as far as we've heard, been exploited for distributed denial-of-service attacks by the
Mirai botnet that's run wild in the wild since October. But the fear is that they soon could be.
The release of the Mirai source code opened up DDoS opportunities, and criminals in probably
not just a few nation-states are clearly testing and exploring opportunities for disrupting the Internet.
Recorded Future warns that the Flash zero-day Adobe patched in an emergency October update
has been incorporated into seven exploit kits.
When it comes to threats to our data, who do we fear most?
AlertSec is an encryption-as-a-service company,
and they did a survey of Americans to find out who's top of mind.
Ebba Blitz is AlertSec's CEO.
Our survey shows that in this order, they're most afraid of Russia.
They're afraid of Anonymous.
They are afraid of the petty thief that might steal their information.
And then comes China.
And we can see that this has
changed over time. But I think that on the scale, I think that the fear of hacks has increased
overall. Yeah, the survey really showed that 2016 was a bit of a wake up call for people.
I certainly think so. And I think that, you know, before we've heard of hacks, how they have
attacked large organizations, but this year it became personal.
I think that the Yahoo attack was one of these hacks where people started to think that, wow, this is actually affecting me.
But I think that what made people think is that what happens when they attack something that really is crucial for the nation.
So I think that was a bit of a wake-up call and scared a lot of people.
Now, you're the CEO of AlertSec, which is a company that provides whole-disk encryption.
How does that tie into the results of this survey? What are the benefits of people
to consider full-disk encryption as part of their defense against these sorts of attacks?
Yeah, I mean, it would be great if there was one service that covers everything.
But unfortunately, there isn't.
I mean, you have to look at a lot of things.
We store data either in our cloud applications or we store data at the endpoint.
So that would be our laptops or our phones and such. And we need to
keep these safe because if someone finds our laptop and hacks it, they can have access to,
of course, anything that's stored on the laptop itself. But that can also be the gateway to
anything that's stored in the cloud as well. So we need to make sure that this data is protected
and encryption is, of course, the absolute best way
to keep it safe. We must also look at the communication between our endpoints and our
cloud services. And that is a protection that we need VPN tunnels for, which encrypts this
communication. I think that anyone doing anything sensitive on an application should also have multi-factor authentication.
And I think that we must understand that IT security is a whole array of features that just need to be in place for us to be fairly safe.
But there will always be new threats.
And we need to up our game.
We need to listen to what's going on.
And we need to be really adamant in patching security holes and, you know, do all the updates and upgrades that are out there.
Don't delay.
Don't postpone.
You know, we have to be really agile here.
That's Ebba Blitz from AlertSec.
As security analysts look toward the new year, they're tending to predict
more of the same in 2017. The IoT will offer a fertile field for criminal activity, and ransomware
can be expected to persist as well. Observers also foresee a surge in cyberattacks by nation-states.
There's been an update on one such attack, the apparent North Korean intrusion into ROK
military networks.
South Korean sources now say that some information was successfully exfiltrated during the incident.
Steganographic threats return as ESET reports a campaign that uses malicious banner ads to install malware in Internet Explorer user systems.
They call the attack campaign appropriately Stegano.
Stegano aims at credential theft and it affects primarily Internet Explorer users.
The Petya-Misha ransomware combination has been updated, researchers tell Bleeping Computer, into a GoldenEye version.
The malware targets German-speaking enterprises coming across as a Bewerbung, that's an application, as in a job application.
So if you're working in HR or recruiting in Germany, please beware. The installer is typically a malicious Excel file attached to an email. Last week, San Francisco's Muni light rail
hung tough against the extortionists who hit it. Not every victim makes that same cost-benefit
calculation, as some are still finding it easier to pay up than fight extortionists.
The Allegheny County State Prosecutor's Office in Pennsylvania
coughed up $1,400 to get rid of Avalanche.
Not much, and they surely calculated that it was worth it.
The EU has put big tech firms on notice
that they will be expected to promptly take down content
officially regarded as hate speech. And in Canada, Google is fighting a requirement that would appear to
give Canadian regulators authority to direct Google to remove specified content worldwide,
and not just in Canada. Do you remember Tay, the potty-mouthed chatbot Microsoft unwisely
let hang out on the internet street corners, where she picked up a lot of ways that just aren't right.
Well, Tay's kid sister is making her debut.
Her name is Zo, and she's being called the Mechanical Millennial.
Zo is said to crack wise with charming puns,
but early observers say Zo seems to get confused and go off on a tangent.
Ah, these virtual kids today.
Would Hal have gone off on a tangent?
Well, alright, there was that whole problem with Dave en route to Saturn,
but hey, even if Hal terminated the crew's life functions,
Hal always spoke professionally.
Finally, alert listeners will have connected the name GoldenEye
with the James Bond film franchise.
Alert listeners will be right.
The criminal responsible for Petya-Misha, and thus for GoldenEye, goes by Janus,
which is an apparent homage not to the double-faced Roman god of doorways and portals,
but rather to the Janus Syndicate, the villains 007 thwarted in GoldenEye.
Janus is a sharp-elbowed competitor; he's said by Bleeping Computer
to be the guy who took out a competitor by releasing decryption keys to the Chimera ransomware.
Thus, Janus.
We hope that his decision to take the name of a loser foreshadows a takedown by the authorities.
If not Bond, James Bond, perhaps another representative of MI6. May Janus be shaken, not stirred.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, you know, when it comes to research and development and developing solutions in cybersecurity,
we have this sort of dual-use need for both federal and commercial needs.
But there are some challenges associated with that, making things so that they can function in both of those environments.
Exactly.
The federal R&D environment is focusing increasingly on cybersecurity
with the need to address major technology needs within the
federal government. But those needs within the federal government are not unique. The commercial
industry sees the exact same challenges on their infrastructure and on their networks.
But as the federal government seeks to invest its R&D resources, it's doing so in a way that's consistent with how it's always invested such resources.
The defense R&D ecosystem is designed to build something unique for the federal government
because historically the federal government has had unique challenges in technology.
And it is designed to do that over a decade, right?
We're good at doing R&D to build a new aircraft
carrier or a tank with timescales of decades. But in cybersecurity, you just can't operate on
that timescale. The threat is moving entirely too quickly. So at Virginia Tech, we're very
interested in finding ways where we can adopt more commercially oriented models for addressing
research and development in cybersecurity.
Is there any sort of institutional resistance to this of, you know, overcoming longstanding methods and ways of handling things within the federal government?
I think that obviously there's the acquisition processes by which the federal government operates.
That is always going to cause slowdowns.
And there are some attempts to try and reform that. But I think really it's how the government
looks to mature technology. They'll invest basic research, often at universities or national labs,
and that basic research needs to find its way into a government program of record,
is how the government knows how to buy these things.
And at Virginia Tech, we've found that if we have some innovative R&D that we've done at the university,
finding some big government program of record that's going to mature is not always the best path. The government wants to increasingly buy commercial solutions in the cybersecurity space.
So a few years ago, we looked at, well, how can we
take this research that the federal government invested in, in the cybersecurity domain,
and turn it into a commercial solution? Well, that involves spinning it off into a startup company
that can do that commercialization and productization, not finding some big government
program to move the technology into. So over the last three years, we've spun off three companies
that are working in this domain.
Collectively, they took about $10 million worth of research that was funded by the federal government, and then raised $60 million to actually commercialize and productize
it. So these companies are now in a position to sell back to the government a shrink-wrapped,
fully completed product without having to go through that long transition process that is increasingly ill-equipped
in the cybersecurity space.
And I'm hopeful that the federal government will look to institutionalize these approaches
and figure out ways to work more closely with the venture capital community, particularly
in the cybersecurity domain, where the need for solutions is critical and the timescale within which they're needed is
orders of magnitude shorter than the government is used to operating within.
All right, Dr. Charles Clancy, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.