CyberWire Daily - Daily: Russian banks suffer IoT botnet DDoS. Fancy Bear's still phishing. Lessons from Tesco fraud. Third-party risk hits Michael Page. Casino Rama data breach. Adult website loses data for 339 million accounts. FTC litigation. Moscow anti-trust case.
Episode Date: November 14, 2016
In today's podcast, we follow up on last week's DDoS against Russian banks. Fancy Bear's been poking at think tanks, and ESET has a rundown of Fancy's fancies over the last couple of years. DDoS can be low and slow as well as high and noisy. Banks consider cyber lessons learned from Tesco heists. International recruiter Michael Page blames a third party for data loss. Canada's Casino Rama—that's the casino's name—sustains a breach. A family of sites none of you would visit is also breached—we tell you because you're probably asking on behalf of 339 million friends. LabMD wins a stay against the FTC. Level 3's Dale Drew considers the changing nature of the IoT. And Kaspersky takes Microsoft to court in Moscow on an anti-trust beef.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
DDoS hits big Russian banks, and yes, IoT botnets can reach out and touch you even in Siberia.
Fancy Bear's been poking at think tanks,
and ESET has a rundown of Fancy's fancies over the past couple of years.
DDoS can be low and slow, as well as high and noisy.
Canada's Casino Rama, that's the casino's name, sustains a breach.
A family of sites none of you would visit is also breached,
we tell you because you're probably asking on behalf of 339 million friends.
LabMD wins a stay against the FTC,
and Kaspersky takes Microsoft to court in Moscow on an antitrust beef.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, November 14, 2016.
Security camera-driven DDoS attacks have intermittently hit major Russian banks since November 8.
The attacks appear criminal as opposed to state-sponsored.
The botnet was assembled from devices in at least 30 countries, mostly the U.S., India, and Israel.
The identity, and note the location, of those responsible remains unclear.
Not unclear is the identity and location of Fancy Bear.
It's the GRU, probably reachable at the Aquarium at Khodynka Airfield,
not that we'd recommend you actually try to do so.
Security analysts continue to mull Fancy Bear's post-election, post-Microsoft-patch phishing romp through U.S. think tanks and other policy wonk targets.
Most see opportunistic targeting of Microsoft zero-days before they're closed. ESET has a study of
Fancy Bear's operations. ESET calls them Sednit, one of at least seven names this threat actor has
been given, and it's striking how active and widespread Fancy's activities have been. ESET lists three of the group's high-profile targets.
In April 2015, TV5 Monde, a major French television network.
In May 2015, Germany's Bundestag.
In March 2016, the U.S. Democratic National Committee.
ESET invites you to draw the inference that Sednit, a.k.a. Fancy Bear,
isn't shy about hitting prominent targets,
and that the group's interests are, as ESET puts it in their blog post,
connected to international geopolitics. It's worth noting that Fancy Bear has noisily drowned out
whatever its cousin Cozy Bear has been up to. Cozy, unlike the outgoing and obstreperous Fancy,
is quiet, but has been observed to establish persistence
in some of the same targets compromised by Fancy, notably the U.S. Democratic National Committee.
Also on the noisy side were October's distributed denial-of-service attacks,
driven by the Internet of Things Mirai botnets.
While these attacks seem to have subsided as widespread availability of the Mirai source code
and competition for devices among criminal botmasters have fragmented Mirai botnets,
there are other DDoS threats out there.
In particular, researchers at Denmark-based TDC Security Operations Center
are describing one, BlackNurse, which is a low and slow yet effective technique
that exploits firewall vulnerabilities as opposed
to IoT botnets.
Certain firewalls are vulnerable to being clogged by a relatively low rate of traffic.
As Ars Technica puts it, quote, one modest laptop can knock big servers offline, end quote.
A proof-of-concept attack shows that a single laptop could deliver BlackNurse traffic at
180 megabits per second, more than enough to down vulnerable servers.
The firewall companies don't think this is a significant threat.
As Palo Alto notes, BlackNurse works only under certain non-default conditions
that contravene best practices.
In the UK, the number of customers affected by the Tesco bank fraud
has been revised significantly downward from 20,000 to 9,000,
but the incident continues to trouble bankers in the UK, Ireland, and to a lesser but still
significant extent elsewhere. Observers have variously blamed insiders, credential stuffing,
or exploitation of some third party for the heist, but others suggest weak security controls,
especially weak access controls,
lay at the heart of the problem,
and that either internal systems or mobile applications may have been compromised.
The big stick banks would wish to duck in cases like this is the penalties swung by the EU's General Data Protection Regulation,
which they've got to worry about whether they've Brexited or not.
In the US, NIST has released maritime and small business addenda to its well-received
cybersecurity framework.
The maritime profile specifically addresses the cyber dimensions of securing the transfer
of bulk liquid cargos, many of which are of course hazardous materials.
The U.S. Coast Guard joined NIST in working on the document.
The international U.K.-based recruitment agency, Michael Page, has sustained a data breach
that it blames on a third-party contractor, Capgemini.
Michael Page believes hundreds of thousands of names, email addresses, phone numbers,
and other PII were inadvertently exposed on a development server.
We note in passing that such exposure remains the going
theory on how the Shadow Brokers got that Equation Group stuff they've been trying to auction off.
Passwords may also have been compromised, although there's some hope the passwords were encrypted.
The Cyber Wire heard from Chris Weber of security shop Centrify, who agreed that it looked like a
case of third-party exposure. Quote, it appears the contractor was using actual customer data on a publicly accessible development server.
While passwords were also stolen, they were at least encrypted,
although we would recommend that people change them anyway,
and if the same password is used for any other website, make sure those are changed too.
End quote.
Another breach was reported at the end of last week.
A big Canadian casino, Casino Rama,
disclosed that various employee, vendor, and customer data were exposed.
And we note in passing that third-party risk runs both ways.
In this case, it appears the casino lost records concerning some of its vendors.
Ontario-based security firm eSentire's CEO Paul Haynes told the Cyber Wire that, quote,
overall we've seen a rise in attacks targeting gaming institutions like casinos, end quote.
The lesson is that even organizations as security conscious as gaming companies can fall victim to
increasingly sophisticated criminals. He suggests that casinos might consider continuous eyes-on-glass
network monitoring.
It would be analogous, perhaps, to the kind of surveillance deployed to the casino's physical floors.
Not that you'd be directly affected, but you might want to tell some of your less-proper friends,
all 339 million of them, that there are credible reports of a breach at Adult Friend Finder.
Adam Brown, manager of security solutions at the security firm Synopsys,
told the Cyber Wire:
In this case, verification has shown that some data is stored in clear text
while passwords are encrypted with SHA-1,
not enough to thwart today's adversaries.
It's tough to know how an organization,
adult, juvenile, senescent, or adolescent, it doesn't matter,
stores and processes anyone's data in its apps and data stores.
And finally, in legal news, LabMD has scored an appellate court win over the FTC.
The dispute continues, but for now, LabMD has got a stay on the Federal Trade Commission's consent order
in the long-standing dispute over the lab's information security practices.
Kaspersky files an antitrust claim against Microsoft in a Moscow court,
alleging anti-competitive biases in Windows 10's security bundle.
Did Senator Sherman have a seat in the Duma?
...your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, you know, these ongoing problems with IoT devices, the Mirai botnet, things like that,
are these making us take a different view of how we look at overall security when it comes to the Internet of Things?
You know, IoT security is sort of taking some fairly fundamental shifts in interest, I'd say, here lately.
You know, traditionally, our concern with IoT security is just how they're becoming more interconnected
across the device ecosystem, where, like, my Apple Watch, for example, can now control
a pretty large number of devices in my home, and that Apple Watch goes with me when I go into work.
And so our primary concern for IoT used to be focused on how do you secure that overall ecosystem?
How do you make sure that IoT device to IoT device security is protected, especially across vendors?
And so the amount of vendor collaboration, the amount of security agreement on standards is paramount of interest. But IoT security is now morphing into a whole new stratosphere because of the fact that we now have bad guys who are
taking advantage of exposures on what I would call fairly immature IoT developed devices and
compromising those devices and being able to use them for things
like DDoS attacks and ransomware attacks and more traditional sort of hacking on the network
and DDoS on the network.
And the concern with that is, for example, Level 3 discovered a botnet.
One was called Bashlight, one's called Mirai.
Somewhere in the vicinity of 1.5 to 1.6 million compromised IoT devices.
These are things like IP cameras, home routers, and DVRs.
And so when you have a million and a half devices at your disposal,
the amount of damage that you can
cause in the DDoS space now is unprecedented. It is something that we just have not seen in
the industry before, something of that magnitude and that sort of capability. And so, you know,
IoT device security now means a lot more things. It's not only device ecosystem infrastructure,
but it's the maturity of the device itself. And what I'll say as an example is, you know, a majority of the devices that we
detected in these botnets were developed for their core functionality. They did not contemplate
the overall sort of security ecosystem. So they have no ability to patch themselves. They have
no ability for the vendor to push patch notifications. So a lot of these devices will unfortunately go through a very long existence of never being patchable and therefore
always being a potential compromise to the internet itself. So what we would recommend
is as a consumer of IoT to make sure that you are not deploying insecure IoT devices
is when you get an IoT device, make sure you change the password. Make sure you do not use
vendor default passwords and make sure you don't use the same password across all your IoT devices.
Bad guy breaks into one, he would then have access to all of them. Do your research. Make
sure that you buy a device from a vendor who's a bit more reputable. And the best way to make
that determination, in my opinion, is to find someone who's what's called hub-approved. So,
you know, that's like a Wink Hub or an Apple Smart Home Hub, where the device has to interconnect
with this hub provider, because that hub provider has got security standards associated with things like encryption, authentication, and logging.
And then the last one is I'd recommend if you're deploying these either in your small business or in your home,
is to put them on a separate network, or at the very least create a guest network,
so that when you invite people over to your home and you want to give them access to the internet, that they do not have access to your IoT devices and that your IoT devices
don't have access to the rest of your home network devices. Good advice as always. Dale
Drew, thanks for joining us. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.