CyberWire Daily - Daily: The Shadow Brokers say trick or treat to the Amerikanski. Are free elections like free beer? Google wants faster patching. The state of Mirai.
Episode Date: November 1, 2016
In today's podcast we hear that the Shadow Brokers are back, and again mangling English like a bad scriptwriter doing Ensign Chekhov fan-fiction. Russian leaders continue to scoff at American elections, and WikiLeaks continues to leak. Microsoft doesn't patch fast enough to suit Google. Researchers consider the scope, threat, and mitigation of the Mirai IoT botnet. We welcome Rick Howard from Palo Alto Networks to the show. Ferruh Mavituna explains how Content Security Policy can protect against cross-site scripting. And Furby's back, but this time it's connected.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Shadow Brokers are back and again mangling English like a bad scriptwriter doing Ensign Chekhov fan fiction.
Russian leaders continue to scoff at American elections and WikiLeaks continues to leak. Microsoft doesn't patch fast enough to suit
Google. Researchers consider the scope, threat, and mitigation of the Mirai IoT botnet.
And Furby's back, but this time it's connected.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, November 1st, 2016.
The Shadow Brokers came back for Halloween.
You'll remember them as the group responsible for their successful late-summer doxing of the Equation Group
and their unsuccessful attempt to auction off lots of what they said was NSA attack code.
The auction was so ill-conducted that it's difficult to read it as a serious criminal attempt.
In any case, the Shadow Brokers dumped an archive they called Trick or Treat online.
The dump is represented as, and may well be, a revelation of server-stage infrastructure used by the Equation Group.
That is, it shows servers that may have been compromised in order to accomplish various cyber campaigns.
The Equation Group is thought by most observers to be, roughly speaking, an NSA contractor.
The Shadow Brokers are still writing their communiques in completely implausible broken English.
A sample, quote,
The Shadow Brokers is having special trick-or-treat for Americanskis tonight, end quote.
No one actually writes or speaks like that, except in fiction,
where either complete ineptitude or broad comedy would be on display.
Flashpoint, who's suffered through the present participles,
absence of articles and matey malapropism, so the rest of us don't have to,
thinks the goofy writing reveals a false flag.
Which false flag is unclear.
Presumably some guys in Eastern Europe who are hacktivist Robin Hoods.
But Flashpoint also notes the Shadow Brokers tend to mirror Russian President Putin's jibes at the American political system. In the trick-or-treat dump,
for example, the brokers deride American elections as free, as in free beer, a one-liner that aspiring
stand-up Mr. Putin delivered recently at the St. Petersburg Economic Forum,
either there or at open mic night at the Chuckle Hut.
We don't exactly get it, since free beer seems no joking matter,
but perhaps it plays better in the original.
The Shadow Brokers, by the way, say they've still got lots of Equation Group stuff to sell if you act now.
The evident connection between the Shadow Brokers and
Russian security services feeds ongoing concerns about U.S. elections. Russia is generally believed,
especially by the U.S. intelligence community, to be actively engaged in attempting to influence
the vote. Forty-six states have now asked for federal help securing the elections they're
constitutionally responsible for conducting. Officials are more worried about interference with voting than with direct manipulation of the tally.
WikiLeaks has continued to release discreditable emails,
with presidential candidate Clinton's manager John Podesta remaining the big catch
in what appears to have been a successful phishing expedition.
More doxing is expected before next Tuesday's voting.
The FBI's newly resumed investigation into candidate Clinton's State Department-era email practices
also continues.
Google has publicly disclosed flaws its researchers discovered in Microsoft Windows and Adobe Flash.
The Windows zero-day Google disclosed is both unpatched and being actively exploited in the wild.
It's a kernel vulnerability that allows an attacker to escape from sandboxing and execute remote code on the affected system.
Google found the problem on October 21st and, in accordance with Google policy, made its
discovery public after seven days.
That policy, in place since 2013, gives vendors 60 days to patch a privately disclosed flaw
if there's no active exploitation, but only a week if an exploit is out in the wild.
There's no patch yet from Microsoft, and Redmond isn't happy with Mountain View.
But Google is sticking to its commitment to go public within a week of discovery
when there's active exploitation in the wild, whether or not the vendor has a patch ready.
Adobe did patch the Flash problem Google found, and they did so last Friday.
Some sources say that the Windows flaw required the Flash exploit before it could itself be exploited,
and so while Microsoft is still expected to fix the problem soon,
the severity of the Windows bug is much reduced by the Adobe patch.
Researchers continue to consider approaches to cleaning up Mirai and similar Internet
of Things threats.
One proof of concept, a white-hatted worm that crawls through IoT devices and changes
their default passwords, is unlikely to pass legal muster, but the demo shows the way some
people in the security industry are thinking.
Nominum released their Fall 2016 Data Science Security Report yesterday,
and among the issues they address is the October 21st distributed denial-of-service attack on Dyn.
Nominum's head of data science and security, Yuriy Yuzifovich,
told the Cyber Wire that the attack was, quote,
a wake-up call that put a spotlight on the importance of DNS
and the impact of IoT-based attacks on the Internet and on service providers and enterprise networks.
He thinks enterprises should use this event as an opportunity to consider their readiness
to weather a DNS attack and to think through the implications of other kinds of
Internet-of-Things-based attacks on their networks.
There are many bad actors out there trying to take advantage of vulnerabilities where they find them.
We checked in with Ferruh Mavituna from Netsparker to learn about cross-site scripting
and how a feature called Content Security Policy helps thwart the baddies.
Cross-site scripting is a vulnerability that allows an attacker to hijack a session.
So, for example, you are logged into an application and there's a cross-site scripting vulnerability in that application. An attacker can send you a link, and when you click that link, that attacker will steal your current session and they will be able to do the stuff that you can do as a logged-in user. So, let's say, if you are using Gmail and there's a cross-site scripting vulnerability in Gmail, right after you click a link, the attacker will be able to access your emails. So it's pretty dangerous. And it's a huge problem. It's a massive problem.
So content security policy is a protection against cross-site scripting. If your website is completely secure against cross-site scripting, in theory you don't need content security policy, because you're already safe. It won't add any value to you. But in reality, we know it's very rare. The chances are you are vulnerable. And also, as a best practice, we always say use defense in depth.
CSP is something applied at the browser level. So it's something where the web server tells the visitor's browser: look, you can only load resources from these websites, a whitelist. You can say, never load any JavaScript from any domain but my own domain, or but from these whitelisted, specified domains. And also, CSP can say, and generally should say, don't execute JavaScript written directly on the page. They need to be referenced, so they need to use a script source element in the HTML instead of having inline JavaScript, which is generally used in cross-site scripting attacks.
So effectively what CSP does is it tells your browser, do not execute JavaScript from another domain and do not execute inline scripts. And you get very granular control on these domains, these rules, and a bunch of other rules. It's very complex, actually, CSP. But when you do it right, even if you have a cross-site scripting vulnerability, you can survive. Because you have proper CSP definitions, your browser will not execute the JavaScript, so the attack will fail, despite the fact that you have cross-site scripting on your website. So it's a very nice defense-in-depth feature. It's highly recommended because of how common cross-site scripting is and how hard it is to protect your website against it.
So explain to me how someone would implement content security policy.
The implementation is generally through HTTP headers. You can also use meta tags, but HTTP headers are the most common way and generally recommended.
That's Ferruh Mavituna from Netsparker.
You can learn more about content security policy at content-security-policy.com.
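As an added illustration of the policy behaviour described in the interview (not code from the podcast, from Netsparker, or from content-security-policy.com): a small Python evaluator of the script-src part of a Content-Security-Policy header, showing that a permissive policy which allows 'unsafe-inline' and any https: source lets an injected inline script run, while a whitelist-only policy blocks it. The site origin https://shop.example, the CDN host and both policies are constructed assumptions, and nonce and hash sources are left out.

```python
from urllib.parse import urlparse

# Constructed sample policies for an assumed site at https://shop.example (not a real site).
WEAK_CSP = "default-src 'self' 'unsafe-inline' https:"  # inline scripts and any https: script run
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com"  # explicit whitelist
PAGE_ORIGIN = "https://shop.example"

def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _source_matches(source, page_origin, script_url):
    """Does one source expression permit loading script_url from a page at page_origin?"""
    page, script = urlparse(page_origin), urlparse(script_url)
    if source == "'self'":  # same scheme and host as the page
        return (page.scheme, page.netloc) == (script.scheme, script.netloc)
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source such as https:
        return script.scheme == source[:-1]
    host_expr = urlparse(source if "://" in source else "//" + source)
    host = host_expr.hostname or ""
    if host_expr.scheme and host_expr.scheme != script.scheme:
        return False
    if host.startswith("*."):  # wildcard host-source such as *.example.com
        return (script.hostname or "").endswith(host[1:])
    return script.hostname == host  # keyword sources like 'unsafe-inline' never match a URL

def script_allowed(header, page_origin, script_url=None):
    """True if a browser enforcing this header would run the script.
    script_url=None means an inline <script> block, the form most XSS payloads take.
    script-src falls back to default-src when absent, as the CSP spec requires.
    Nonce and hash sources are deliberately not modelled."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    return any(_source_matches(s, page_origin, script_url) for s in sources)

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "inline:", script_allowed(csp, PAGE_ORIGIN),
              "third-party:", script_allowed(csp, PAGE_ORIGIN, "https://evil.example/x.js"))
```

Run stand-alone it prints that the weak policy executes both the inline and the third-party script while the strict policy refuses both, which is the difference between a CSP that survives an XSS bug and one that only looks like protection.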
Finally, listeners of a certain age will recall the Furby, a fuzzy gremlin or troll-like toy that gained notoriety around the turn of the millennium for its unprepossessing looks, its wide eyes, its fuzzy hair, and its propensity to repeat things said in its presence.
Well, the Furby is back in a new, more connected form just in time for the holidays.
We assume Furbies are still banned from Fort Meade and its environs.
Check before you bring one to work, kids.
Loose chips sink ships.
And I'm pleased to welcome to the show Rick Howard.
He's the CSO at Palo Alto Networks.
Rick, welcome to the show.
By way of introduction, why don't you tell us a little bit about yourself?
Well, thank you for having me.
It's a great joy to be on here. I'm a big fan of this podcast, and so I'm glad to be here.
I've been doing cybersecurity for a long time. I'm an old Army retiree guy, did IT and cybersecurity for the Army. My last two, I ran the Army CERT for a couple years, where I coordinated offensive and defensive operations for the U.S. Army, which is a lot of fun. Went to the commercial sector and did a bunch of things, and now I ended up here being the chief security officer for Palo Alto Networks.
And you all have a fun name for your threat intel team. You call it Unit 42. Tell us, first of all, how you came up with that name, and then what kind of stuff does Unit 42 work on?
I love that I work at a place like Palo Alto Networks and we can do stuff like this. So I got hired to form their first public-facing cyber threat intelligence team, and so when I got on board, I had to write all the documents about what the team was going to do and, you know, what kind of skill sets we were going to need and what kind of equipment we were going to need. And I was typing in Word documents, right?
And so if you type Palo Alto Networks Threat Intelligence Team, that takes up an entire line on a Word document.
I don't know if you know that, but it is true.
So I got tired of doing that, and I'm kind of a sci-fi geek, kind of a fantasy geek.
And as a joke to myself, I started calling it Unit 42 in reference to the old Hitchhiker's Guide to the Galaxy book, where they have a running gag about what the meaning of number 42 is.
And if you've read the book or you're a fan, you know that it's the answer to life, the
universe, and everything.
So I amused myself and put it into the documents.
Well, our chief marketing officer is a bigger sci-fi geek than I am, and when he saw it
in the draft documents, he said, oh no, that's what we're calling it.
So there you go, Unit 42.
But what kind of stuff does Unit 42 do?
Well, I mean, the reason we decided
to make a public-facing threat intelligence team
is that we have all these high-end
cybersecurity researchers at the company,
but they were mostly focused on making the product better
and understanding new threats coming down the road.
We weren't really telling anybody about what we knew.
And so as a community project, my boss, the chief executive officer, Mark McLaughlin, wanted a way for us to tell the world about what we knew about the threat.
And it kind of goes with our philosophy in the company that we want to give intelligence to anybody who can consume it.
Our idea was to take a bunch of high-end researchers and put them onto the data that we collect through our platform collection grid
and then make something useful out of it and tell
our customers and anybody else in the world what we think about the threat and how
they can prevent those threats from attacking their networks.
Rick, welcome to the show and we look forward to hearing from you again soon.
Thank you very much, sir. I'm looking forward to it.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.