CyberWire Daily - Daily: Shadow Brokers warn 'Wealthy Elite'--new cyber cold war? And cybercrooks are still out there.

Episode Date: August 17, 2016

In today's podcast we follow the continuing story of the Shadow Brokers and their claims of having got their hands on Equation Group attack code (as bizarre as their story is, a lot of informed observers think the code they've posted is the real deal). Many see the Shadow Brokers incident as an escalation of a cyber cold war between Russia and the United States. More banking Trojan activity in South America. DNSSEC is exploited in DDoS attacks, and Cerber is still number one in the ransomware-as-a-service market (where Shark is a dodgy upstart). Kensington's Rob Humphrey shares the results of their recent security survey, and Johns Hopkins University's Joe Carrigan weighs in on securing your devices in the real world. And yes, more Pokémon stuff.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. and a high-stakes investigation unfolds. Starring Sterling K. Brown, James Marsden, and Julianne Nicholson. Paradise is streaming January 28th only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with
Starting point is 00:01:06 detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k code n2k. N2K. More on the Shadow Brokers, Equation Group, and what the encryption algorithms are suggesting to people.
Starting point is 00:01:54 Crimeware, hacktivism, or cyber cold war? We're thinking door number three. More banking Trojans in Brazil and Colombia. DNSSEC and its exploitation in DDoS. Cerber holds its criminal market share as ransomware as a service, and crooks don't quite trust Shark ransomware. Airbus says no to Pokémon, at least on the factory floor,
Starting point is 00:02:14 and don't follow Charizard into a minefield. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 17, 2016. The news today continues to be dominated by the Shadow Brokers, the group that dumped a bunch of code on GitHub, claimed it was a sampler of NSA attack code, and offered the rest for sale to anyone who'd care to pony up one million Bitcoin. The released code is represented as a teaser, a loss leader. But there may be more going on here than simple criminal or even hacktivist money-making. Several observers have noticed, like us, how stagey and clumsy the Shadow Brokers' language is. In a quick test of a hypothesis that the prose came from lazy use of Google Translate,
Starting point is 00:03:04 our linguistic staff ran some Russian text through the free tool, which gives a very rough-and-ready and often comical rendering into the target language. But our staff couldn't come close to replicating the style. It's difficult, others have also pointed out, to see how one could write like that without craft and intention. Here's a fair sample worth quoting at some length. It's addressed to Wealthy Elite. We want to make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for elites. Your wealth and control depends on electronic data. You see what Equation Group can do.
Starting point is 00:03:43 You see what CryptoLockers and Stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of CryptoLocker plus Stuxnet for banks and financial systems. If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye-bye, where leave wealthy elites? Maybe with dumb cattle? Do you feel in charge? Wealthy elites, you send bitcoins, you bid in auction, maybe big advantage for you? So there. Stuxnet is speculated to have some connection with the Equation Group, an outfit described last year by Kaspersky Labs and widely believed, although Kaspersky is as usual coy about the attribution, to be an NSA operation.
Starting point is 00:04:29 CryptoLocker, of course, is criminal ransomware no one has connected with Equation Group or anyone outside of cyber gangland. The same can be said of SWIFT bank transfer fraud. The suggestion that NSA is preparing an attack on global wealth is, to be sure, as provocative as it is, on the face of it, implausible. So is the notion that alleged U.S. government attack code would easily find its way into criminal hands. Still, the insinuation is more plausible than, say, the stuff that's widely believed about chemtrails or Sasquatch. Kaspersky Labs thinks the samples are genuine pieces of Equation Group code.
Starting point is 00:05:06 The biggest tip-off they see, as expressed in their Securelist blog, is an unusual implementation of the RC5 and RC6 encryption algorithms. This evidence is, of course, circumstantial, and attribution remains as notoriously difficult as ever. Speculation about the leakers inevitably turns to Russia. Tensions between that country and the U.S. have been rising, and the timing seems appropriate given the current uproar over the hacking the U.S. Democratic and Republican parties have sustained. But as Edward Snowden has tweeted, it's more noteworthy that the intrusion has been made public than that it was
Starting point is 00:05:41 made at all. Any intelligence service like NSA is an obvious collection target, but you wouldn't talk about collecting unless you were interested in making a point or communicating a threat. The incident moves experts to raffish and demotic commentary. Thomas Rid calls the Shadow Brokers' dump a big middle finger hoisted in a generally American direction. Dave Aitel writes, explaining why he thinks it was the Russians, quote,
Starting point is 00:06:10 no team of hackers would want to piss off Equation Group this much. That's the kind of cojones that could only come from having a nation state protecting you, end quote. So, wealthy elite, take your head out of your Pokémon and see, observers are telling us, the dawn of a new cyber cold war. Did we mention Pokémon? Why, yes, we did. Airbus has told its employees to knock off playing the game at work, and the U.S. State Department has advised travelers not to play Pokémon Go while visiting countries prone to having marked fields of uncleared landmines, especially Laos, Cambodia, and Vietnam, even if you think you see a Hawlucha. An important part of cybersecurity is, of course, physical security, making sure your devices don't get lost or stolen.
Starting point is 00:06:50 Kensington does a good bit of business helping with the physical security of devices, and their locking mechanism has become something of an industry standard. They recently took a survey of IT professionals on how they secure their devices in the real world, and we spoke with Kensington's Rob Humphrey about what they learned. What we found through the survey was the office continues to be one of the highest places that laptop theft occurs, which is a big surprise to most people, particularly IT managers, that people think that the office is a very secure location for office equipment, IT equipment. And it turns out that the only other place that theft occurs more often is actually in cars or other transportation, like on the train or something like that.
Starting point is 00:07:35 Rob Humphrey said one of the surprising results from the survey was how many organizations had no policy when it came to physical security of devices. More than a third do not have policies in place to physically secure laptops. What we see is a lot of organizations just assume that all of the security needs to be placed on firewalls or virus protection or malware protection and the like, and they forget about the physical aspect. The other stat that came out that was pretty interesting was more than half, 54%, of the survey participants failed to use a physical lock for IT equipment. The survey pointed out 80% of the respondents to the survey do not utilize locks to lock down the other types of equipment that are sitting on desktops in
Starting point is 00:08:26 conference rooms and other locations. And it's pretty easy to do. And when deploying the locks, the key management is always a concern. And our study confirmed that, that over two-thirds of the respondents said, yes, key management is very important to us when we're considering launching or rolling out locks corporate-wide. So what we mean by key management is it gives the facilities manager or the IT manager a key that can open up any lock in their system. So if a user forgets their key at home or leaves the organization, takes the key with them, or just loses the key, the IT manager can unlock that device for them. And when something like a laptop gets stolen, there's more than just the cost of the device to consider.
Starting point is 00:09:15 You've got to get back to a productive state. So what kind of hassle is that when that happens? Our other studies have shown that that takes people days up to a week or more to get fully back up to speed when they lose something as critical as their personal computer. Employees may resist having their devices locked down at work, but Humphrey says many companies have successfully implemented physical security policies. Having a policy in place and putting some enforcement behind it creates a very inconvenient scenario for the employee to pick up the computer. So it's all about having the policy in place and enforcing that policy to drive home the importance of locking down their equipment.
Starting point is 00:10:14 That's Rob Humphrey from Kensington. You can learn more about their security survey on their website. Turning to news of other threats, BlackBerry is the first major manufacturer to release a patch for the QuadRooter vulnerability. Brazil is experiencing a fresh wave of banking malware infestations, as Zeus Sphinx joins Zeus Panda. Some Colombian banks have also been affected by Sphinx. Neustar has released a study on how Domain Name System Security Extensions, DNSSEC, can be exploited in DDoS attacks. The security company says, quote, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30, end quote. This is troubling because of the role DNSSEC plays in defensive measures.
Starting point is 00:11:07 Cerber remains the dominant ransomware as a service, but a competitor is up, Shark, whose masters say they work on commission. Their attack screen says, data on this device were locked, thus getting on our editor's good side because the crooks recognize that the word data is plural. He says things like, you should honor the Latin plural, blah, blah, blah, blah, and yes, alas, he really does talk like that. But Symantec, Bleeping Computer, and others who've looked into Shark note that its purveyors have been booted out of the best criminal fora, fora, that Latin plural again,
Starting point is 00:11:39 and that they're probably just scamming other crooks. Don't let the Latin plural fool you, kids. There's no honor among thieves. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from
Starting point is 00:12:15 Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:12:49 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:13:38 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Information Security Institute. Joe, earlier in the show, we heard from Rob Humphrey from Kensington about the physical security and securing our devices. We hear stories regularly about laptops being stolen from cars and so forth. In your opinion, what are some of the
Starting point is 00:14:33 things we can do to pay better attention to physical security? Obviously, don't leave them in your car. The one case that comes to my mind was a case of somebody who worked for a VA hospital who left a laptop in their car. I can't remember all the details of it. It was probably about seven years ago that this happened. But that constituted a breach of personal health care information. Basic common sense things. If you don't leave your laptops in your car, do the physical things. Protect your computer like it is a valuable item.
Starting point is 00:15:01 But let's say that you've done something or that you manage many computers and you just don't have the faith in humanity that's required to believe that everybody's going to take care of their devices. So there are things you can do to protect the data that's on that. Generally, the buzzword or jargon term is called data at rest. Yeah. So this is any kind of data that's on physical media, like a hard drive, tape backup. And you can encrypt that device so that even if somebody does steal the hardware, the device is encrypted and they can't get the data off of it.
Starting point is 00:15:37 Right. So that's an option. I remember the last computer I bought, when I set up the computer, it asked me, do you want to encrypt the hard drive on this computer? I said yes. It didn't seem to be much of a downside to that. There's really not much of a downside. It's very transparent to the end user. There is one issue, and that is at the enterprise level, if you forget a password, then you have to go and have somebody reset it.
Starting point is 00:16:07 So even that way, if someone actually got physical access to, let's say, a laptop and they removed the hard drive from the innards of the laptop and tried to hook it up to some other machine, that data is protected because it's encrypted. Right, it's encrypted and it's encrypted with a key and not necessarily a password-derived key. All right, good stuff. Joe Carrigan, thanks for joining us. My pleasure.
Starting point is 00:16:35 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:17:07 Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:18:01 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.