CyberWire Daily - Daily: Slap leather, Vlad. If cyberspace is the "Wild West," here's the best showdown since Blazing Saddles, and more.
Episode Date: September 6, 2016In today's podcast, we hear about some Pokémon-themed Linux rootkits. An evolved Linux Trojan is herding I0T botnets. Social media monitoring leads to convictions of jihadist plotters in Australia an...d the UK. Pegasus spyware and NSO Group's pricelist. Election hacking on four continents. Are the Shadow Brokers engaged in intelligence or influence operations? (In any case, no one's really bidding on the Equation Group code the Brokers say they're auctioning.) The FBI releases information on its investigation into former Secretary of State Clinton's email. Accenture Labs' Malek Ben Salem describes frameworks for Industrial IoT. And for a while it looked like cyber high noon at the G20 talks. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Get groceries delivered across the GTA from Real Canadian Superstore with PC Express.
Shop online for super prices and super savings.
Try it today and get up to $75 in PC Optimum Points.
Visit superstore.ca to get started.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me. I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindelete me.com slash n2k code n2k.
Pokemon themed Linux root kits are observed, but they're not related to Pokemon Go.
Trojans continue to herd IoT botnets.
Social media monitoring leads to convictions of jihadist plotters in Australia and the UK.
Pegasus spyware and NSO groups priceless.
Election hacking on four continents.
Are the shadow brokers engaged in intelligence or influence operations?
In any case, no one's really bidding on the equation group code the brokers say they're auctioning.
The FBI releases information on its investigation into former Secretary of State Clinton's email,
and for a while it looked like cyber high noon at the G20 talks.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 6, 2016.
Over the long weekend, Trend Micro researchers report finding a Pokemon-themed Linux rootkit
called Umbreon after a dark Pokemon that hides in the night.
The rootkit has a second Pokemon-themed component named after a big-eared Espeon
that backdoors infected systems. Umbreon
hides its outbound traffic from the commonly used TCP dump utility. Malware must die describes
another strain of Linux malware, this one a Trojan called Mirai. An evolution of Bashlight,
the IoT botnet herder recently described by Level 3, Mirai targets IoT devices running BusyBox.
Reports of social media-enabled jihadist recruiting and inspiration continue.
Malaysian security authorities are monitoring the activity of an operator they characterize
as an Indonesian operating from Syria. He's active on social media, encouraging sympathizers
in Malaysia to undertake terrorist attacks in that country.
In Australia, a teenager has been sentenced to 10 years for plotting the murder and beheading of police officers during Anzac Day commemorations.
19-year-old Sevdet Ramadan Bezim, a resident of suburban Melbourne, was convicted of the thwarted plot.
Elborn, was convicted of the thwarted plot. He was in regular online contact with a 14-year-old in Manchester, England, who last October was sentenced to five years for inciting terrorism
abroad. The discovery of Pegasus spyware on an Emirati activist's iPhone and Apple's subsequent
patching of the Trident Zero days in both iOS and, more recently, OS X, continues to excite
comment. According to the New York Times, NSO Group's price list for lawful intercept services
runs to an initial setup fee of $500,000,
with installation fees varying by number and kind of devices to be monitored.
$650,000 will put the tools into 10 iPhones or Android devices,
$500,000 will get them onto five BlackBerrys,
and $300,000 will provide access to five Symbian phones.
Ten additional targets, the Times reports,
can be added for an additional $150,000,
$20,000 for $250,000,
$50,000 for $500,000,
and an even hundred additional devices
will set the customer back $800,000.
The pricing suggests that the spyware would be used as expected for targeted interception of communications
as opposed to bulk collection and surveillance.
Industry sources draw this lesson from the incident.
Watch the traffic emerging from your devices.
Plixer's founder and CEO Michael Patterson shared his assessment with CyberWire.
Quote, there can be a significant gap between vulnerabilities going live in the wild and their
discovery and subsequent remediation, as there seems to have been in this case. During this
vulnerability time and on an ongoing basis, organizations can protect themselves by watching
for anomalies like strange outbound connections. Education becomes more important than ever,
helping people recognize strange messages
and avoid opening links if they seem out of the norm.
End quote.
Other governments are found to be engaged in close monitoring of their citizens' networks.
Cuba, for one, according to Reuters,
is filtering mobile text messages for the appearance of certain keywords,
democracy and human rights prominent among them, and then blocking the traffic.
The internet in that country continues to be tightly controlled,
with home access, licensed by the government, closely restricted to about 5% of the population.
Late Friday afternoon, the FBI released emails and other details from its investigation
of former Secretary of State Clinton's handling of classified information.
It appears that parties unknown engaged in spear phishing against users of the former secretary's homebrew server.
The report also indicates that in 2013, an unknown user wandered through an account belonging to a staffer working for then-Secretary Clinton's husband, former President Bill Clinton.
a staffer working for then-Secretary Clinton's husband, former President Bill Clinton. The investigation also determined that some eight mobile devices used by the former secretary to
access ClintonEmail.com during her tenure in office could not be located or inspected.
Politically motivated hacking, apparently interested in gathering either electoral
intelligence, influencing voter sentiment, or directly manipulating results,
electoral intelligence influencing voter sentiment or directly manipulating results,
continued over the weekend. FireEye tracked APT3, a Chinese cyber espionage group,
in the networks of at least two unnamed Hong Kong agencies in the week prior to this past Sunday's elections in that city. There are also allegations of election hacking in Mexico.
Those come from the now-imprisoned Colombian hacker Andres Sepulveda,
who says he engaged in hacking, spying, and social media manipulation on behalf of Enrique
Peña Nieto's 2012 presidential campaign. Telesor reports that Mexican authorities
declined to investigate what they characterize as a frivolous complaint.
Elsewhere, ThreatConnect found that the same IP address implicated in
intrusions into U.S. state voter databases was also used in incursions into German, Turkish,
and Ukrainian political networks. Suspicion in all these cases continues to be directed toward
Russian intelligence services. The biggest of these hacks, of course, remain the incursions
into U.S. political party and campaign networks, as well as the compromise of Equation Group code claimed by the shadow brokers.
The shadow brokers, who've offered what they call Equation Group attack code in an online auction,
are believed by most observers to be sock puppets for either the FSB or the GRU.
There are some observers who think this unlikely.
Why, they ask, would an intelligence service so readily reveal its successful collection of an adversary's code?
Wouldn't they be more likely to exploit it quietly and keep their sources and methods to themselves?
Thus, NSA watcher James Bamford and some others conclude that the shadow brokers are hacktivists abetted by insiders.
Such an evaluation would be consistent with an ordinary case of collection, but not if
the breach is an influence operation. Sometimes attacks are deliberately noisy, particularly if
they aim at deterrence or shaping public opinion, as opposed to intelligence. In any case, the
shadow brokers don't seem particularly successful or even active as straight-up criminals. Our
partners at Terbium Labs tells us there's not much action in the dark web
or elsewhere in the shadow broker's auction for Equation Group.
As far as we can see, the bidding is apparently stalled at just 1.8 bitcoin,
a little more than $1,000, far short of the half-billion dollars the hackers asked for.
Some bidders are including Rickrolling with their lowball bids.
Some bidders are including Rickrolling with their lowball bids.
Presidents Obama and Putin exchanged starchy words over cyberwar at the G20 summit.
Mr. Obama advised Mr. Putin against turning cyberspace into the wild, wild west,
and suggested that if the two countries had to slap virtual leather, Mr. Putin would find himself outgunned.
Mr. Putin said, via Sputnik News,
that he's got better things to do than fool around with American electoral theater.
He went on to deny any involvement in U.S. political hacking,
but the Russian president did mention late last week,
sounding a little like the man who shot Liberty Valance,
that whoever hacked the Democratic National Committee had performed a public service.
In any case, Agents James T.
West and Artemis Gordon, we hope your private Pullman car has good connectivity. President Grant, we mean President Obama, might want to be in touch.
Miller Lite, the light beer brewed for people who love the taste of beer
and the perfect pairing for your game time.
When Miller Lite set out to brew a light beer,
they had to choose great taste or 90 calories per can.
They chose both because they knew the best part of beer is the beer.
Your game time tastes like Miller time.
Learn more at MillerLite.ca. Must be legal drinking
age. Do you know the status of your compliance controls right now? Like right now? We know that
real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet
fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and
wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Joining me is Malek Ben-Salem. She's the R&D manager at Accenture Technology Labs.
Malek, I know there at Accenture, you recently published a framework regarding the security for the industrial Internet of Things. What can you tell us about that?
Yeah, the industrial Internet of Things, as you know, introduces various operational technology
architectures, whether it's healthcare, manufacturing, transportation, or energy
production. All of these industries have different architectures. So at Accenture Labs, as we deal
with clients from various industries, we developed a framework for security for these industrial
Internet of Things domains. And what we focused on is what are the common themes around these architectures and what are the differences between these domains.
One thing we looked at is the edge tier, which we think has to be self-organizing and self-reliant.
variant. Today, we see some solutions, security solutions at the edge that provide some capabilities, some security functionalities, but there is still a gap in protecting all the
devices at the edge. For example, you know, many of these solutions are not vendor agnostic.
So when you deploy them, you have to make a lot of customization
for that particular industry domain.
What we're looking at in our framework
is find mechanisms to detect and prevent
physical or remote tampering with edge devices,
regardless of what the device is.
That's one key security capability that we think is important.
Another security capability that we looked at also is a distributed intrusion detection mechanism
that can optimally assign security functions to the resource-constrained devices at the edge. So some mechanism that
augments that edge layer with additional security capabilities, whether it's an additional device
that is not constrained in terms of its storage and compute capabilities, or whether it's a gateway
at the edge that is responsible for augmenting the security capabilities of the edge devices underneath.
Are we starting to see the development of these sorts of standards with IoT devices or is it still pretty much the Wild West out there?
I think we're starting to see that.
And NIST has a working group that's working on cybersecurity framework and they've published several drafts of their framework.
All right. Malik Ben Salem, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.