CyberWire Daily - Daily: ShadowBrokers update. More consequences of the Yahoo! breach. Other sites suffer data compromises. US investigations of, plans for retaliation against, Russian influence operations proceed.
Episode Date: December 19, 2016

In today's podcast, we hear about how the ShadowBrokers are stocking their discount rack with Equation Group bargains. Yahoo's data breach attracts regulatory, investor, and due diligence scrutiny. Yahoo's stolen data is also being offered for sale on the dark web. Multiple other data breaches come to light, and skids hit online games with DDoS attacks. Ben-Gurion University's Yisroel Mirsky describes vulnerabilities of the US 911 system. US investigation of Russian election influence operations continues, and the US says it's planning some sort of retaliation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Yahoo's data breach attracts regulatory, investor, and due diligence scrutiny.
Yahoo's stolen data is also being offered for sale on the dark web. The U.S. investigation
of Russian election influence operations continues, and the U.S. says it's planning
some sort of retaliation. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, December 19, 2016.
Having had small success with the auction they've been trying to run since this past summer,
the Shadow Brokers have now put the Equation Group code they've obtained on their discount ZeroNet retail shelf.
The code could, if purchased or released, afford various bad actors newly
commodified modes of attack. Stolen Yahoo data has now appeared for sale on the dark web.
They're initially priced around $300,000, which is on the high side for a data breach,
but perhaps not overpriced given the sheer reach and volume of the stolen material.
Observers note the data is valuable for either criminal or
espionage purposes, fraud, or compromise. The former motive, fraud, has appeared and continues
to appear in other breaches committed by organized cybercrime. The latter motive,
traditionally operating in intelligence services, can be seen behind earlier enormous
breaches like the one achieved at the U.S. Office of Personnel Management.
The two markets also touch one another, with criminals sometimes selling to security and intelligence services, and the services sometimes making use of criminal organizations.
Looking at the consequences of the Yahoo breach in the marketplace,
Yahoo itself faces growing hostile scrutiny from both regulators and investors.
The U.S. Securities and Exchange Commission is said to be looking into the breach,
as are information commissioners in Ireland and the United Kingdom.
The company's stock price has taken its foreseeable hit,
and there are multiple reports that Verizon is reconsidering
its planned acquisition of Yahoo's core assets.
The U.S. telecom giant may back out entirely.
At the very least, it seems likely
Verizon will expect a steep discount in the ultimate purchase price. Some other notable
compromises came to light late last week and over the weekend, although they do seem small potatoes
compared to the unfortunate standard set by the Yahoo incident. Turkey's Akbank was targeted via its SWIFT money transfer interface.
The bank may be liable for up to $4 million, but it says that no customer information was
compromised. It also says that its losses should be covered by insurance. The financial firm
Ameriprise inadvertently exposed customer accounts on an internet-connected backup drive.
LinkedIn has reset 55,000 passwords on its
lynda.com online learning platform. Sports site Bleacher Report suffered exposure of an
undisclosed number of user accounts in a November hack. Fitness company PayAsYouGym sustained a
compromise of some 300,000 customers' data. And successful phishing of more than 100 Los Angeles County government employees may have
exposed more than three-quarters of a million citizens' information.
Distributed denial of service also remains with us.
The skids at Phantom Squad have hit servers for the popular online game Battlefield 1.
Expect more of the same as people try out games they receive over Christmas.
This is what counts as lulz for the featherweight class of bad actors.
The U.S. Election Assistance Commission continues to work with security and law enforcement agencies
to investigate the compromise it sustained over the past year. Recorded Future connected a known
criminal, Rasputin, to the caper. Rasputin is
selling an SQL exploit derived from the hack on the dark web. Investigation of Russian hacking of
U.S. elections continues, now also goaded on by bipartisan congressional attention.
The issues roughly are these. First, few seriously doubt that Russian intelligence
services compromised the Democratic
National Committee and also made attempts with mixed success on the Republicans. Second, there's
a general consensus that the disconnected state-run elections in the U.S. system were effectively out
of reach of direct foreign manipulation. The Election Assistance Commission hack isn't
countervailing evidence. That small agency is a voluntary, standard-setting,
and advisory body and does not run voting. Third, and most interestingly, how WikiLeaks
actually received the emails perceived as so damaging to the Clinton campaign remains less
clear. As recently as November 17th, U.S. Director of National Intelligence James Clapper told the
House Intelligence Committee that, as highly confident as the intelligence community is that Russian services successfully compromised
the DNC, quote, as far as the WikiLeaks connection, the evidence there is not as strong and we
don't have good insight into the sequencing of the releases or when the data may have
been provided.
We don't have as good insight into that, end quote.
Theories as to how WikiLeaks got the emails include,
they got them from the Russian security services, WikiLeaks explicitly denies this,
they got them from a group that was fronting for Russian security services,
they hacked into the DNC themselves, this is mostly journalistic a priori speculation,
or they got them from a disgruntled DNC insider.
Reports alleging this generally point to a disgruntled supporter of Senator Sanders'
failed campaign for the Democratic nomination. In any case, investigation proceeds.
As far as the Cozy Bear and Fancy Bear intrusions into the DNC are concerned,
the best guess is that they were accomplished through phishing. Indeed, last week someone ... because, well, it works.
This past year's Verizon data breach report concluded that about 30% of phishing messages
are opened by the mark less than four minutes after receipt.
The Cyber Wire heard from Plixer CEO Mike Patterson on the risk of phishing
and what can be done to mitigate it.
He advises testing and anomaly detection.
Quote, all organizations should continually test employees
by sending phishing attacks to internal users.
These test emails alert security teams about employees who clicked a link thinking it was safe
when they should have deleted the message.
Security teams should also use NetFlow to baseline end-user behaviors
and trigger for abnormal traffic patterns like a jump in the transfer of data.
If security isn't monitoring for these types of behaviors, they can slip right past defenses.
Detailed attribution of the DNC incidents, suitable for, say, an indictment,
is of course different from a well-founded intelligence conclusion,
and here U.S. authorities have been explicit and forthcoming.
They see the activities of Fancy Bear and Cozy Bear,
as the GRU and FSB have come to be known in cyberspace,
as a direct Russian influence operation intended to influence the U.S. election.
U.S. President Obama, in the last month of his presidency,
faces growing pressure to do something.
He's indicated that he intends to, and that the response will be proportional.
There's no shortage of experts weighing in on what proportional ought to mean,
with many of them suggesting that some goose sauce in the form of transparency
be ladled back onto Mr. Putin and his senior colleagues in the Russian government.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Yisroel Mirsky. He's a researcher and project manager at the
Cybersecurity Research
Center at Ben-Gurion University. Yisroel, you've been doing some research on some vulnerabilities
with the 911 system, the emergency response system. What can you tell us about that?
Sure. So a little bit of background first. So the emergency response system, i.e. the 911
services, has saved countless lives since it was implemented in 1968.
And the system has since evolved in what's referred to as the E911 system, which is the enhanced 911 system.
And the enhanced 911 system enables police, fire and medical service to be reachable from a single network.
It's its own kind of separate private network from the telephony network, but bridged over.
So when you dial 911, it routes your call directly to this emergency services network. But the real issue is
that unfortunately, the E911 system is a circuit switch system, which means unlike the internet,
which is packet switched, which can bring over a large amount of data very efficiently,
circuit switch systems are resource limited. In other
words, when you make a call, it ties up the entire line. So this is a serious problem because there's
a certain kind of denial of service attack called a TDoS attack, in which the attacker
makes continuous calls to the service, in other words, the call center, and ties up all the lines,
thus denying service to legitimate callers.
So we performed extensive simulations on models of the United States' existing E911 infrastructures,
and we found that it would only take about 6,000 infected smartphones to effectively
TDoS the state of North Carolina, or approximately 0.0006% of the U.S. population to TDoS the entire country.
And we shared this information with the U.S. Department of Homeland Defense,
which then in turn shared it with NENA, which is the National Emergency Number Association.
And their response pretty much said that we're being pretty optimistic.
In other words, they feel the situation is even more dire than we expected.
And it may even sound kind of like fiction, but a few months ago, or right after our publication,
a man from Arizona posted a link on Twitter which caused iPhones to repeatedly dial 911.
And thousands of people who clicked this link caused TDoS across the nation.
So to make this even more serious, I know I
keep on building up on this, but we found another attack or variant of the malware in our labs, with
Mordechai Guri and Professor Yuval Elovici, a version of the malware that is unblockable, and basically
what it does is it hides its network identifier to the network, or basically randomizes it,
thus preventing it from being blacklisted or blocked at the entry to the network
or at the call centers themselves.
So we've published all sorts of different countermeasures
of how to possibly try and mitigate this kind of threat.
But we're still actively looking for a better solution,
perhaps within the next generation 911 system that's being deployed currently.
Are there any plans on the horizon to update the 911 system so it wouldn't be vulnerable to these sorts of attacks?
the fact that the FCC put out a ruling that all calls, whether they have an identifier or not,
be forwarded to the nearest call center in case of emergency. And this is a very useful feature because you have families or victims of abuse who have these kinds of free phones that have
no identifiers within them, and they can place calls to abuse hotlines
to request help.
They have to basically make a decision.
Either they have to block all these what are referred to as NSI calls and therefore stop
the service and try to find some other solution, or they have to enable it and thus allow the
possibility that anybody can try and call without an identifier on the network and place a 911 call.
It's kind of like the case where your phone hasn't quite registered on the network yet
or doesn't have a SIM card in yet.
It can still place 911 calls.
That kind of idea, but a little more advanced.
Yisroel Mirsky, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.