CyberWire Daily - Daily: Russia's cyber long game, SWIFT fraud, hack physics (not metaphors), and more.
Episode Date: September 1, 2016
In today's podcast we hear about a successful business email compromise caper, and some more SWIFT fraud. Vanya the Ripper is on the lam from Thai police. iMessaging issues surface. Cerber ransomware is being spread by Word documents. Adobe's hotfix swats a ColdFusion bug. Rowhammer attacks are shown to be a real possibility. Election hacking and influence operations. Centrify's Corey Williams weighs in on the Sage Software data breach, and Jonathan Katz from the University of Maryland explains an iMessage vulnerability. And a tip: if you look good for your mugshot, you won't be tempted to Facebook a more flattering one to the authorities.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Business email compromise scores big in Central Europe.
More SWIFT fraud and a security ultimatum from SWIFT to its members.
Vanya the Ripper is on the lam from Thai police.
iMessaging issues surface.
Cerber ransomware is being spread by Word documents.
Adobe's hotfix swats a ColdFusion bug.
Rowhammer attacks are shown to be a real possibility.
Election hacking and influence operations.
And a tip.
If you look good for your mugshot, you won't be tempted to Facebook a more flattering one to the authorities.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, September 1, 2016.
Two revelations of fraudulent fund transfers lead cybercrime news.
The first is a variant of the familiar yet still very dangerous business email compromise.
In mid-August, German wire manufacturer Leoni AG lost roughly $44.6 million when personnel at a Romanian facility followed instructions in a spoofed email.
The money apparently wound up in accounts in the Czech Republic.
The incident is noteworthy because Leoni had a number of safeguards in place
to prevent exactly this sort of loss,
but the criminals had done their homework and crafted an email
that not only appeared to be from an executive authorized to make such a request,
but also gave every appearance of having passed through the company's policy
and security gates. And SWIFT, the Society for Worldwide Interbank Financial Telecommunication,
is back in the news. Earlier this year, the financial sector's international funds transfer
network witnessed fraud against member banks in Bangladesh, Vietnam, and Ecuador, with some of
the attempts also touching German and U.S. banks.
It has now, Reuters reports, again warned its members that more fraudulent money transfers
have been observed and that some of them were successful.
The scope of the latest attacks is unknown, but SWIFT has given its members an ultimatum:
update to the latest version of SWIFT's software by November 19th, or be reported to regulatory
authorities and banking partners.
Reuters says that weak local security was exploited to compromise local networks
and then send bogus messages requesting money transfers, some of which were apparently filled.
Such incidents offer a number of lessons, not the least of which are the importance
of network segmentation and privileged account management.
Commenting directly on the SWIFT disclosure and warning,
Shane Stevens, Vasco Data Security's Director of Omnichannel Identity and Trust Solutions,
told the CyberWire that, quote,
SWIFT got a wake-up call finally for its decision to stay with passwords, end quote.
Stevens noted that while SWIFT has worked to strengthen passwords,
the password itself represents a dead-end line of development
in three decades of authentication technology.
He also commented that organizations like SWIFT present a large attack surface.
Quote,
With so many attack vectors, it was just a matter of time
before SWIFT became a focal point for cybercriminals.
End quote.
He characterized the financial sector as more reactive
than one would like to see them be.
It seems that hardly a week goes by without news of a new or newly discovered data breach.
We spoke with Centrify's Senior Director of Products, Corey Williams, about data breaches
and his insights on the recent Sage Software data breach.
Well, Sage is an interesting company.
They're one of the largest software companies in the UK, with over 6 million small and medium-sized business customers.
And they provide software for things like payroll and accounting and CRM.
What we've heard so far about the Sage data breach is that it's affected the information related to somewhere in the neighborhood of 280 to 300 of those individual businesses.
Although that number may change as it's very early on in the investigation.
And allegedly, the breach was conducted using a Sage employee account.
So it's not known whether this was indeed some sort of insider doing something that they shouldn't be doing
or whether it was some sort of outside attack that was leveraging a compromised employee
account.
What are the ramifications of this breach?
Well, it's interesting.
Sage has been on a tear lately.
If you look at their stock price, it recently hit a 16-year high, and they've been performing
very well in the market.
Just the news alone has caused the share price to dip 4%, 5% at last glance.
And so at a minimum, it's affecting the shareholders of Sage.
But interestingly, there's probably longer-term ramifications.
Centrify recently did a study with over 2,000 participants in the U.S. and U.K. that basically said that over two-thirds of consumer respondents are likely to stop doing business with organizations that have been breached.
So potentially the damage from this could last for a while.
And so what are some of the things that Sage could have done to protect themselves against this sort of thing?
Many of these data breach stories, and it appears that Sage is the same, have to do with the misuse of someone's credentials.
They're logging into systems they shouldn't have access to, whether they're an insider or they're a malicious outsider.
So one of the first things you can do is immediately establish better what we call identity assurance.
It's sort of the lowest-hanging fruit to ensure that people are logging in as themselves.
And passwords just aren't sufficient for that anymore.
Our modern companies today are using multi-factor authentication everywhere that they can.
And the nice thing about multi-factor authentication is a password by itself can't be used to compromise access.
You actually have to have the user's device or some other fingerprint or so on.
And so that's sort of the lowest-hanging fruit: to immediately use MFA everywhere.
Now, what's interesting is that MFA hasn't been widely deployed because it has a stigma of being hard to use.
But multi-factor authentication in the past year, I believe,
has really grown to be much easier to deploy and manage on a widespread basis.
So there's really no excuse.
Certainly consumers have started to adopt it.
Businesses should be adopting multi-factor as well.
That's Corey Williams from Centrify.
ATM and point-of-sale hacking continues.
Police in Thailand have a be-on-the-lookout alert for a 20-something Russian
they believe was responsible for draining ATMs in that country of about $350,000,
with the use of malware FireEye has called Ripper.
The suspect is unnamed. We'll call him, for convenience, Vanya the Ripper.
And he's thought to have had at least two accomplices.
According to FireEye, Ripper is installed using a malicious EMV chip.
Insert, install, and steal.
Microsoft warns that attackers are exploiting Word vulnerabilities.
Weaponized documents are now spreading Cerber ransomware and password-stealing Trojans through Betabot.
It's a new kind of threat, but it's reminiscent of old-school malicious macros.
Adobe patched ColdFusion with a hotfix Tuesday.
Users are advised to apply the patch.
The XML external entity injection vulnerability is a real one.
Several interesting proof-of-concept attacks indicate a shift toward physical exploitation of hardware.
Google researchers showed how a rowhammer attack, exploiting a condition researchers noticed in 2014,
can use electromagnetic leakage across rows of transistors to achieve a degree of control over
a device. In an excursion into cyber metaphysics, Wired observes that we're accustomed to understanding
information systems in metaphorical terms (files, etc.), but that such newer demonstrations represent a move down and away
from metaphorical abstractions.
U.S. states continue to worry about, and possibly improve, voting security.
Vermont thinks it's covered, North Carolina wants federal help, and many worry about
the implications of federalizing elections.
Technology Review thinks that direct manipulation of election results is less likely than most people think, but influencing such results through information operations is a different matter.
Russia continues to play an information operations long game with respect to U.S.
and other Western elections. It seems to be doing so directly and deniably, as through the Guccifer 2.0 sock puppets,
and with the aid of effective fellow travelers. The New York Times observes that independent as
WikiLeaks may be, objectively, as the old Pravda might have put it, Assange's operation is nicely
aligned with Russian interests. And finally, we like to keep up with recurring themes.
Social media are well known for the disinhibition they induce in their users,
and that disinhibition works especially powerfully, it often seems,
on those who've run afoul of the law.
We've heard of burglars posting their next planned capers on Facebook,
of wanted felons responding to notices that a rare Charizard can be found in a police station,
of muggers using stolen phones to ask their victims for dates.
Today's news in this vein comes from Australia,
where a young woman arrested on suspicion of property crimes
took it on the lam, allegedly, we must say, from a Sydney jail.
The police posted a wanted notice, and she politely Facebooked them
to ask that they use a more flattering mugshot.
She helpfully provided a new picture.
There's some closure to the story. She's now back in custody. We hope the magistrate tempers
justice with a little bit of mercy. We await further news from the Sydney PD.
Joining me is Jonathan Katz. He's a professor of computer science at the University of Maryland,
also director of the Maryland Cybersecurity Center. Jonathan saw a story come by this
week that Matthew Green, a researcher at Johns Hopkins University, has found some vulnerabilities
in Apple's iMessage encryption protocol. What do you make of this discovery?
Well, I think it was quite interesting. Actually, the main attack that they showed was what's called a chosen ciphertext attack, where what
they basically considered is a situation where an attacker eavesdrops and gets some ciphertext
and can then pose as a legitimate user and send related ciphertext to the server, to the Apple
server, and see their decryption. And even though it sounds kind of contrived, this kind of a scenario can occur in practice.
And what Green and his collaborators showed was that they were able to use such an attack
to actually recover the original encrypted message.
And so part of the point they were making in this article and in this research was that
Apple sort of rolled their own when it came to coming
up with this encryption, and that may not be such a good idea.
Yeah, that's exactly right. You know, it's kind of funny because these chosen
ciphertext attacks are something that I give as a course project in my undergraduate cryptography
class, and it's sort of well known by now, number one, that these attacks are possible,
and number two, how to defend against them. And so it's kind of surprising that Apple engineers weren't aware of this, apparently, when they designed their protocol.
And like you said, it's exactly another indication of why people shouldn't roll their own crypto,
but should really be using standardized and off-the-shelf sort of protocols.
And so what are the advantages of using standardized and off-the-shelf protocols?
Well, I mean, basically one of the advantages is, number one, that they have
been designed with sort of knowledge of these various attacks, like these chosen ciphertext
attacks, and they've been developed to protect against them.
And more than that, they've also been analyzed by the community.
So they're publicized, they're analyzed, they're constructed in a very careful way in order to be secure.
And with Apple, what they did is, not only did they roll their own,
but they also kept the details of their protocol hidden.
So as part of their work, Green and his collaborators had to actually spend a lot of time
reverse-engineering the protocol just to get it to a point where they could sit down and analyze it.
And if Apple had released the details of what they were doing,
then these kinds of attacks might have been found much earlier,
maybe even before they started deploying it.
So, you know, those are the advantages you get from relying on things that other people have developed and already studied.
All right, Jonathan Katz, thanks for joining us.
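As an added illustration of the scenario Katz describes (not code from the podcast, not Apple's iMessage code, and not the Green et al. attack itself): a decryption oracle that will decrypt anything except the eavesdropped ciphertext, run against a toy unauthenticated stream cipher and then against the same cipher with encrypt-then-MAC. The cipher (an HMAC-SHA256 counter keystream), the oracle interface, the key sizes and the message are all constructed for this example; the point is only that a malleable ciphertext plus a decryption oracle gives the attacker the plaintext, and that an integrity tag closes that door.

```python
"""Chosen-ciphertext attack against an unauthenticated stream cipher, and the
textbook defence (encrypt-then-MAC).  Added example: NOT Apple's iMessage
protocol and NOT the Green et al. attack.  Cipher, keys and message are
constructed here purely for illustration."""
import hashlib
import hmac
import os
from typing import Callable, Optional

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Unauthenticated encryption: nonce || (msg XOR keystream).  Flipping a
    ciphertext bit flips the same plaintext bit, so this is malleable."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(m ^ k for m, k in zip(msg, keystream(key, nonce, len(msg))))
    return nonce + body


def stream_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def ae_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = stream_encrypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def ae_decrypt(enc_key: bytes, mac_key: bytes, ct: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed; ciphertext was modified")
    return stream_decrypt(enc_key, body)


class DecryptionOracle:
    """The 'legitimate user' endpoint in Katz's scenario: it decrypts any
    ciphertext the attacker submits except the eavesdropped one itself."""

    def __init__(self, decrypt: Callable[[bytes], bytes], challenge: bytes):
        self._decrypt = decrypt
        self._challenge = challenge

    def decrypt(self, ct: bytes) -> bytes:
        if ct == self._challenge:
            raise PermissionError("will not decrypt the challenge ciphertext")
        return self._decrypt(ct)


def cca_recover(oracle: DecryptionOracle, challenge: bytes) -> Optional[bytes]:
    """Chosen-ciphertext attack: flip one bit of the first ciphertext byte,
    have the oracle decrypt that related ciphertext, then flip the bit back
    in the returned plaintext.  Returns None if the oracle rejects the forgery."""
    tampered = bytearray(challenge)
    tampered[NONCE_LEN] ^= 0x01
    try:
        pt = oracle.decrypt(bytes(tampered))
    except ValueError:
        return None  # integrity check caught the modification
    recovered = bytearray(pt)
    recovered[0] ^= 0x01
    return bytes(recovered)


def run_attack(authenticated: bool, msg: bytes = b"meet at the usual place at 9") -> Optional[bytes]:
    """Eavesdrop one ciphertext of `msg` (constructed sample), then run the
    attack against an oracle for the chosen scheme."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    if authenticated:
        challenge = ae_encrypt(enc_key, mac_key, msg)
        oracle = DecryptionOracle(lambda c: ae_decrypt(enc_key, mac_key, c), challenge)
    else:
        challenge = stream_encrypt(enc_key, msg)
        oracle = DecryptionOracle(lambda c: stream_decrypt(enc_key, c), challenge)
    return cca_recover(oracle, challenge)


if __name__ == "__main__":
    print("unauthenticated:", run_attack(False))  # full plaintext recovered
    print("encrypt-then-MAC:", run_attack(True))   # None: forgery rejected
```

The oracle never decrypts the exact ciphertext the attacker holds, which is what makes the scenario look contrived; the attack works anyway because the attacker only needs a related ciphertext decrypted. Real deployments get the same effect from padding errors, decompression failures or timing, which is why authenticated encryption (AES-GCM, ChaCha20-Poly1305, or encrypt-then-MAC as here) rather than a bare cipher is the standard answer.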
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.