CyberWire Daily - Daily: Stealth Falcon, OEM issues, black market trends.
Episode Date: June 1, 2016
In today's podcast, we hear about Citizen Lab's discovery of an apparent cyber espionage campaign operating under journalistic cover (and targeting journalists). We discuss the state of the black market for both zero-days and stolen data, and get some recommendations for identity protection from the experts. Venafi talks about the implications of the coming SHA-1 expiration, Joe Carrigan from Johns Hopkins tells us what's wrong with public photo-printing kiosks, and some University of Michigan researchers have a clever, insidious hardware backdoor proof-of-concept.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code
n2k at checkout. That's joindeleteme.com/N2K, code N2K.
Citizen Lab describes Stealth Falcon and bids journalists beware.
An apparent Windows Zero day is for sale on the Russian black market.
Data breaches are getting bigger, but stolen data isn't exactly making the criminals rich.
Software installed by some OEMs is showing signs of crypto fails.
University of Michigan researchers demonstrate an insidious hardware backdoor proof of concept.
We hear about the risks of public photo printing kiosks,
and we learn about the implications of the coming SHA-1 CERT expiration deadline.
And if you're a street criminal, you might want to stay off Facebook,
at least if you're working in the English Midlands.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 1, 2016.
State security and intelligence services have long made use of journalistic cover,
but a report released early this week by Citizen Lab at the University of Toronto
describes one such apparent effort, which Citizen Lab is calling Stealth Falcon.
The evidence is circumstantial, but the researchers think it likely that the United Arab Emirates government
was using, among other tools, sock puppet journalists whose email and Twitter correspondence
with other actual journalists served as a vector for installation of spyware.
The apparent goal was monitoring of dissident activity.
Citizen Lab notes the possibility that they're observing criminal as opposed to state-directed
activity, but thinks the evidence strongly suggests a security service.
Foreign Policy notes that Citizen Lab has reported similar campaigns in Iran,
Bahrain, and left-leaning Latin American states.
Cyber criminals are offering what they claim is a very damaging Windows Zero day,
almost amounting to a crimeware killer app.
The purported vulnerability, and we stress purported because as Microsoft points out,
the bug is yet to be verified,
is said to enable an attacker to obtain admin privileges on any machine
running any version of Windows from Windows 2000 through a fully up-to-date Windows 10.
The hacker's initial asking price was set at $95,000.
The original "Dear Friends, I offer you a rare product" offer
appeared in a Russian criminal forum on May 11th.
Payment would be made under escrow.
Whether the hacker's claims are legitimate or not, the case is interesting for at least two reasons.
First, whoever discovered the flaw, again, if it is a flaw, it's still early,
apparently they thought they could make more money hawking it in a crimeware bazaar
than by using it themselves or selling it quietly to big buyers,
as other zero-day vendors are known to do.
Second, zero-days may be on their way to the sort of commodification
long seen in the data theft racket.
The fact that they're being offered to well-heeled but poorly skilled skids, however,
can't be a good sign.
Trustwave's Spider Labs is following the story closely.
We'll hear from them tomorrow.
That stolen data has become an inexpensive commodity may be seen
in the continuing story of the MySpace breach. To offer almost half a billion of even old
credentials for about $2,800 suggests it's a buyer's black market.
Balabit's Istvan Szabo notes that passwords shouldn't be an account's principal or only protection.
He recommends monitoring activity, especially privileged users' activity,
and applying behavioral analytics as a check on this sort of threat.
He told the CyberWire,
"User behavior analytics can help detect, alert, and block access to an organization's data automatically if an attacker attempts to use the stolen credentials."
Tumblr is also recovering from an old breach dating to 2013.
The compromised information is worth even less than the stolen MySpace data.
The hacker selling it, Peace, is asking only $150.
As Peace told Motherboard, he's essentially selling just a list of emails.
We checked with Andrew Komarov, chief intelligence officer at InfoArmor,
who confirmed to the Cyber Wire that Tumblr's having hashed and salted the passwords
makes them very difficult to crack and thus of little black market value.
Beyond the value of salted hash, these incidents suggest several lessons about securing information.
Lastline security expert Craig Kensek observed to the CyberWire that enterprises should, again, consider using multi-factor authentication.
For individuals, he told us, the advice is: don't ever use the same passwords across multiple accounts, do change them on a regular basis, and definitely consider licensing a password manager.
A little bit of paranoia, Kensek says, goes a long way in information security and identity protection.
Digital certificates are one of the key technologies that make the Internet useful, by allowing users to have a high degree of confidence that the website they're visiting is actually the website they intend to visit.
That little green lock icon in the address bar of your web browser that lets you know you're browsing securely? That functionality
is made possible by digital certificates. They've evolved over the years as computing power has
increased from the digital fingerprints of the MD5 algorithm to SHA-1, which is currently being
phased out. Kevin Bocek is vice president of security strategy at Venafi.
Well, the bottom line, of course, when it comes to cryptography is that it is a battle against time and computing power. And the SHA-1 cryptographic method, this hashing algorithm,
is just a way that allows you to put a fingerprint on something in one way that, in the past, you couldn't copy.
But what we're finding, though, is that the cloud and our increasing computational power is catching up with that.
And nowadays, what was once thought to be impossible,
almost, to recreate one of these fingerprints,
you maybe could recreate on Amazon Web Services
in the cloud for $75,000 or maybe
even less. And you know if a bad guy can do it in the cloud for $75,000, you know that intelligence
services like the NSA can do it in their sleep. SHA-1 has been replaced by the more secure SHA-2.
The problem, according to Bocek, is that many organizations have been slow to update. What we knew is at the end of last year that up to 25%
of the top 100,000 websites that were using digital certificates to enable encryption
and authentication were still using SHA-1. The browser community has decided that starting January 1st, 2017,
the padlock that we all know in our browser will not show green, and in fact, in some cases,
will start to show red and not trust the SHA-1 certificates after the 1st of January.
Kevin Bocek also warns organizations not to drag their feet and wait for the last minute.
Chances are, finding and updating all of your digital certificates is no small task.
You may think you have, you know, most of your digital certificates are exposed on the public network,
but in fact, they're all throughout your data center, all throughout your network.
So going about finding them, both in locations you know and don't know about,
is the first step that you've got to do.
That's Kevin Bocek from Venafi.
They've got more SHA-2 migration tips on their website.
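Bocek's first step, finding every certificate before you can replace it, comes down to reading one field: the signature algorithm. As an added example (the editor's code, not Venafi's tooling or anything from the podcast), the scanner below pulls the signatureAlgorithm OID straight out of a certificate's DER encoding with the standard library only, so it runs anywhere Python does. The OID tables are an assumption to extend for your environment, and stub_cert() produces constructed placeholder certificates that exist only to exercise the parser; they will not validate anywhere.

```python
"""Added example, not code from the podcast or Venafi: an offline scanner that
reads the signatureAlgorithm OID out of an X.509 certificate's DER encoding
and flags SHA-1 (and MD5) signatures.  Standard library only.  The OID tables
are an assumption to extend for your environment; stub_cert() builds
constructed placeholder certificates that exist only to exercise the parser."""
import base64
import re

WEAK_SIG_OIDS = {                       # signatures browsers stopped trusting
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG_OIDS = {                         # SHA-2 family
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def read_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the DER element starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string (first octet packs two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    RFC 5280 requires signatureAlgorithm to equal tbsCertificate.signature, so the
    outer field is enough for an inventory."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(cert)                  # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, off)             # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def check_signature(cert_der):
    oid = signature_oid(cert_der)
    if oid in WEAK_SIG_OIDS:
        return {"oid": oid, "name": WEAK_SIG_OIDS[oid], "status": "replace"}
    if oid in OK_SIG_OIDS:
        return {"oid": oid, "name": OK_SIG_OIDS[oid], "status": "ok"}
    return {"oid": oid, "name": "unknown", "status": "review"}

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed test fixtures (not real certificates) ----------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # remaining groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def stub_cert(sig_oid):
    """Certificate shell with a placeholder tbsCertificate; validates nowhere."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                            # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 65)                                    # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_signature(pem_to_der(to_pem(stub_cert(oid)))))
```

For real input, feed check_signature() the bytes of a .der file, or pem_to_der() on a .pem or .crt file, or on the string that ssl.get_server_certificate((host, 443)) returns for a live endpoint. Scan the whole chain, not just the leaf: the January 2017 browser deadline applied to any SHA-1 signature on a leaf or intermediate, while a root's self-signature is not checked and can be ignored. Certificates that come back as "review" carry an OID not in the table and deserve a look by hand rather than a silent pass.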
Researchers at the University of Michigan have demonstrated a disturbing proof of concept,
a microscopic hardware backdoor embedded on an otherwise innocent chip. Detection of such a backdoor would be, they say, difficult to the point of practical
impossibility, especially since the backdoor exploits analog as opposed to digital features
of chip operation. It's essentially a single-cell capacitor. Wired reports the reaction of Google
researcher Yonatan Zunger: "This is the most demonically clever computer security tech I've seen in years."
It's a proof of concept and not something seen for now in the wild,
but chip fabs would do well to look to their manufacturing processes.
Finally, a note on email security.
Our suits tell us they're getting concerned emails from someone calling himself Scooter Coffee. Scooter's attached an invoice from another company and wonders why he hasn't
been paid. The suits wonder if they should open it. All those suits. You'd think the signature
Scooter would put them on guard, but then remember the old adage about what curiosity does to cats.
Scooter, if you're listening, go fish.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, Thank you. data and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute. Joe, over the weekend, I happened to go by my local CVS pharmacy
and I printed out some photos for a family member. It was very easy.
It was a remarkably easy thing to do. But as I approached
the kiosk with my little USB thumb drive and I inserted
my USB thumb drive into this computer that I knew nothing about,
the thought crossed my mind:
have I just made this thumb drive disposable?
Probably.
It's not because anybody's being malicious.
It's because thumb drives and USB drives or however you want to call them,
they are vectors for malware distribution.
And, yeah, I don't know that I would call the drive disposable.
If you have a Linux machine at home or an Apple,
it was a Windows machine that you were working with, correct?
I believe so.
I believe it was, yeah.
So that's going to run malware that's designed for Windows.
So if you take that and put it into a Linux box,
you can actually execute a dd command.
dd, I think the original
terminology was "disk duplicate". It was how they would duplicate disks back in the old days, when
they needed to make backups of master boot records and things of that sort. Your old floppies.
Old floppies, right, exactly. But now, while it still can be used for that, it also can be used for wiping a disk completely by copying from /dev/zero, which is essentially just an endless supply of zeros on a Linux device, and writing to the actual physical hardware on that USB drive, which is possible in Linux.
And it's actually pretty easy.
And actually, the Wikipedia page on dd
is very helpful for this. It even has a
section on how to wipe data off
a disk. So this is different from just rewriting
the directory of the file. This is actually zeroing
out all the bytes on the device
from start to finish. It's taking everything
off that device.
You'll need to reformat the device when you plug it back
into a Windows machine.
Alright, good advice as always.
Joe, thanks for joining us.
My pleasure.
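The wipe Joe describes, written out as an added example (the editor's script, not commands from the interview). It assumes Linux with GNU coreutils, and that TARGET is the whole-disk node lsblk shows for the stick (for instance /dev/sdb, an assumed name), not one of its partitions. The refusals at the top are the checks a practitioner wants, because the classic dd accident is zeroing the wrong drive, and the read-back at the end is what actually proves the zeros reached the end of the device. A regular file can stand in for the device for a dry run.

```sh
#!/bin/sh
# Added example (editor's, not the commands from the interview). Zero-fills a
# removable drive with dd from /dev/zero, with the checks that keep dd from
# eating the wrong disk. Assumes Linux with GNU coreutils (dd status=none,
# conv=fsync). TARGET is whatever `lsblk` shows for the stick, e.g. /dev/sdb
# (an assumed name); for a dry run pass a regular file standing in for it.

# Device backing the root filesystem; we refuse to touch it or its partitions.
root_device() {
    df -P / | awk 'NR == 2 { print $1 }'
}

# is_mounted TARGET: true if TARGET or any partition on it appears in /proc/mounts.
is_mounted() {
    awk -v t="$1" 'index($1, t) == 1 { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# wipe_target TARGET
wipe_target() {
    target=$1
    [ -n "$target" ] || { echo "usage: wipe_target TARGET" >&2; return 2; }
    if [ ! -b "$target" ] && [ ! -f "$target" ]; then
        echo "refusing: $target is not a block device or regular file" >&2
        return 1
    fi
    case "$(root_device)" in
        "$target"|"$target"[0-9]*|"$target"p[0-9]*)
            echo "refusing: $target backs the root filesystem" >&2
            return 1 ;;
    esac
    if is_mounted "$target"; then
        echo "refusing: $target or one of its partitions is mounted; unmount it first" >&2
        return 1
    fi
    if [ -b "$target" ]; then
        # dd writes until the device ends; GNU dd then reports "No space left on
        # device" and exits 1, which is the expected end of a full wipe. The real
        # success check is verify_zeroed below, not dd's exit status.
        dd if=/dev/zero of="$target" bs=4M conv=fsync status=none 2>/dev/null || true
    else
        # A regular file has no end-of-device, so bound the write to its size.
        size=$(wc -c < "$target" | tr -d ' ')
        [ "$size" -gt 0 ] || return 0
        dd if=/dev/zero of="$target" bs="$size" count=1 conv=notrunc,fsync status=none
    fi
    sync
}

# verify_zeroed TARGET: succeed only if every byte reads back as 0x00.
# Reads the whole target, so it also confirms the wipe reached the end.
verify_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}
```

Run it as root on the device node (wipe_target /dev/sdX && verify_zeroed /dev/sdX), then put a fresh filesystem on the stick with mkfs.vfat, or let Windows format it as Joe suggests. One caveat the interview does not get into: this zeroes the drive's logical address space, which is all that is needed to evict whatever a kiosk wrote to it, but because flash controllers wear-level, it does not guarantee that every physical NAND block was overwritten. When the worry is data remanence rather than malware, use the drive's own secure-erase or destroy it.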
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.