CyberWire Daily - Daily: To disclose or not to disclose…in public. A look into the dark web. Chrome and Firefox disallow shaky certificates. Anonymous gets an incomplete. The Shadow Brokers are still after the Wealthy Elite.
Episode Date: November 2, 2016
In today's podcast, we hear about the Microsoft and Google disagreement over public vulnerability disclosure (with a side of Fancy Bear). We also get some industry reactions to the dispute. Terbium takes a good look at the dark web and finds it's not as uniformly sinister as many believe. Google and Mozilla move to reject dodgy certificates. NIST releases a job map. Anonymous gets a grade of incomplete in its trolling of ISIS. Identity Guard's Jerry Thompson describes new technology for protecting your identity online. Ran Yahalom from Ben-Gurion University explains hiding data in USB devices. And the Shadow Brokers' news seems a bit old.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Microsoft and Google disagree about when to publicly disclose a vulnerability.
We get some industry reactions to the dispute.
Terbium takes a good look at the
dark web and finds it's not as uniformly sinister as many believe. Google and Mozilla move to reject
dodgy certificates. NIST releases a job map. Anonymous gets a grade of incomplete in its
trolling of ISIS. And the shadow broker's news seems a bit old.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 2, 2016.
Microsoft says the Windows zero-day Google publicly disclosed this week is being actively exploited by APT28,
the Russian threat actor also known as Fancy Bear, a GRU operation best known for recent incursions into U.S. political organizations.
Britain's MI5 is also raising an alarm about Russian intelligence services' growing activity in cyberspace.
Microsoft is upset with Google over the disclosure,
which Redmond says has needlessly exposed Windows users to attack.
A patch won't be available until next week at the earliest.
Industry reactions are of two minds on this, as observers see both companies' points of view.
The Cyber Wire heard from Fidelis Cybersecurity's John Bambenek, who thinks in general the public
is better served by disclosure even if a patch isn't available. However, as he goes on to say,
quote, there will always be a risk with
acknowledging weakness. Even releasing patches can give adversaries the very clues needed to
weaponize an exploit. This was very much true with Microsoft patches years ago, which have been
largely mitigated by automated patching and rebooting within 24 hours of release, end quote.
In general, he'd like to see disclosure go hand-in-hand with mitigation
strategies wherever possible. EnSilo's CTO and co-founder Udi Yavo draws the lesson that
regulatory requirements should come to guide disclosure practices. He thinks the industry
practice of allowing 90 days for mitigation until public disclosure should become a regulatory
requirement. Google's researchers disclosed the vulnerability
earlier because they saw it being exploited in the wild, as has been Google's company policy.
Yavo gets the point, but thinks the quick public disclosure was unwise.
To me, this doesn't ultimately help achieve everyone's goal, which should be keeping
consumers and their data safe. By disclosing a vulnerability early without allowing time for a patch,
Google opened up the small pool of people who found the vulnerability and knew how to exploit
it to all, end quote. Terbium Labs has a report out on the sinister sounding dark web,
which became famous in the popular mind during the Silk Road prosecutions. But while there's
certainly bad stuff going on there, sales of
contraband, nasty adult content, and so on, most of the activity on the dark web is perfectly innocent
or at the very least legal. It's just the Tor accessibility that makes the dark web dark.
You can find Terbium's report, The Truth About the Dark Web, at terbiumlabs.com
slash darkwebstudy. Mozilla and Google are in the process of revoking trust from certificates issued by WoSign and StartCom.
RiskIQ gives the CyberWire a satisfyingly precise tally of the number of websites using certificates belonging to those two CAs.
They put it at 762,649.
You may begin to see, if you haven't already, "secure connection failed" warnings coming up for sites that depend on WoSign or StartCom.
The concern is that inadmissible SSL certificates can expose users to man-in-the-middle attacks,
domain squatting, and redirection to phishing or pharming sites.
Any of these, of course, present the risk of compromise or data loss.
This week, in conjunction with the National Initiative for Cybersecurity Education meetings in Kansas City,
NIST has released CyberSeek, an online tool showing where the security sector's jobs are.
NIST worked out this online interactive map with CompTIA.
It's an interesting look at the labor market. Check it out at CyberSeek.org.
When it comes to keeping personally identifiable information safe online,
many people have turned to identity protection firms to keep an eye on their online identity,
to make sure crooks aren't opening accounts in their names, and so forth.
Identity Guard is one of those companies,
and we spoke with Jerry Thompson about a new offering they're calling Privacy Now,
which makes use of IBM's Watson technology to try to stay one step ahead of the bad guys.
The challenge with identity protection is that it's reactive.
We're monitoring and scouring, but when we find you, the damage is already done.
So about 90% of all the data that's available about you on the internet is called
unstructured. It's in places that, like social media, like professional website, there was no
ability for us to monitor that, nor anybody else, unless we use a technology like Watson from IBM,
which is an artificial intelligence technology that allows us to funnel massive amounts of data through that artificial intelligence engine to find the pieces of information about you that we can glean, so that we can do predictive or proactive protection for you. And we know from all of the algorithms and the models that we run that, with about 98% certainty, we can predict identity malfeasance or privacy intrusions for you or your family members if we're running it through the IBM Watson model.
Can you take me through an example of how the system would work, of sort of a sample attempted attack, and how this system could catch things that previous methods couldn't?
You've told us about your children as part of the process of getting to know you.
And we see that your son or daughter is posting fairly innocent, innocuous Snapchat videos. But it's not Snapchat, it's another service, and they're not just going to a friend, they're going out to the wider internet. And while there's nothing wrong with them, your kids are being exposed because they're now identifiable to a larger community on the internet. So we'll tell you that, hey, while the videos are okay, be careful and cautious, because thousands of people are seeing these and they could potentially target your children.
Because we can scour the internet and look for all this identifiable data, we can give you pieces of information that will help protect you and your family members from any kind of malfeasance that's out there.
What about my personal information being scooped up and sold online?
If somebody's going to hack a major medical provider, we can't stop the hack, but we can identify your exposure in near real time. Near real time is 30 seconds to 3 minutes. As soon as that information hits the dark web and is for sale, we can identify it.
We're very confident we can identify it, and then we can work with you to mitigate that exposure.
That's Jerry Thompson from Identity Guard.
ISIS territory continues to shrink, and its opponents turn to information operations
against the caliphate's coming diaspora.
Various anonymous affiliated hackers have been after ISIS for some time.
It's unclear, says Motherboard, with what effect.
Give Anonymous an incomplete, and note that the hacktivist collective is predictably skittish about being seen as too cozy with governments,
even its allies of convenience against ISIS.
Analysts have now sifted through the Shadow Brokers' trick-or-treat data dump and find it mostly old news.
The servers listed apparently weren't in Equation Group use after 2010.
The Shadow Brokers are still grumping about the wealthy elites,
how somebody ought to do something about the U.S. elections,
and maybe the Shadow Brokers will.
And above all, how come no one's bidding on all those Equation Group exploits
the brokers are auctioning off?
Come on, sheeple, take your heads out of the sand.
Or so the brokers might say, you Americansky, you.
Anyway, free elections, free beer, so we here.
And if you're taking orders, brokers, make ours a Natty Boh.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Ran Yahalom from Ben-Gurion University.
Ran, I know a lot of your research has to do with USB devices,
and I thought today we'd talk about ways that people hide data on USB devices.
Okay, well, there are some very simple, basic data-hiding tactics.
For example, you can always write malware that writes into the master boot record of partitioned devices, or alternatively into a volume boot record.
There's not a lot of space there available for writing.
But, for example, you can override the boot sector or other different areas.
And those are pretty basic attacks.
They're useful for holding certain values, but not a lot of data.
Other methods include maybe writing inside reserved sectors, for example, on a FAT partition, if it has any reserved sectors.
And an even more complex method would be to write into certain clusters on the partition and then just go back to the FAT table and, for example, mark them as bad clusters or used clusters, so they might go unnoticed by the operating system's driver.
And you can also, sometimes, if you really want to hide your data, go to the root directory table and then just delete the entries that lead to those clusters.
And then it won't be visible.
There have been more complex methods. For example, let's consider the Fanny malware.
According to Kaspersky Lab's Global Research and Analysis Team,
Fanny is a computer worm that is thought to have been created by the Equation Group way back in 2008
and distributed throughout the Middle East and Asia.
Now, its main purpose was apparently to map air gap systems
and was able to spread by exploiting the same vulnerabilities
that were exploited by the famous Stuxnet or Flame worm.
So when a USB stick is infected by Fanny,
Fanny creates a hidden storage area on the stick
using its own FAT file system driver.
If an infected stick is plugged into a computer without an internet connection,
Fanny will collect basic system information and save it onto the hidden area of the stick.
Later on, when the stick containing the hidden information is plugged into an internet-connected computer,
the data will be scooped up from the hidden area and then sent to a random control center.
How exactly is this done?
Well, Fanny simply changed entries in the root directory table so that they would be ignored by the file system drivers as if it were a data corruption or a bad block.
is not visible in Windows, macOS, or Linux. And it's probably not visible to any other implementation of a FAT driver.
However, the Fanny malware is able to recognize those entries
because it marks them using the magic value.
So with the help of its own FAT driver,
it looks into the root directory and locates the entry, which starts with the magic value.
Then it navigates to the address on the partition that appears right after a special flag value in that entry. And this address will have a different magic value serving as a marker for the beginning of the hidden storage. So you see it's a very complex attack, all done by manipulating the FAT file system.
Are there any ways that people can protect themselves from these sorts of attacks?
It pretty much usually goes undetected because it's very hard to detect these things,
even by conventional or non-conventional forensic tools,
because you simply don't know what you're looking for.
The Equation Group is widely known for using encryption to protect its data.
Specifically, Fanny didn't make an effort to encrypt data, but had it done that, you
would not be able to distinguish between actual corrupt data, binary data, or encrypted data.
So it's very hard to detect these things.
Ran Yahalom, thanks for joining us.
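As an added illustration for the interview segment above (not code from the interview, from Kaspersky, or from any real FAT driver), the following Python builds a small constructed FAT16 image that uses the hiding pattern just described, a root directory entry tagged as deleted whose clusters are marked bad in the FAT but still hold data, and then scans the image for that inconsistency, which is the kind of check a forensic examiner can run over a suspect stick's image. The layout constants and file names are assumptions made for the sample.

```python
import struct

BPS, ROOT_ENTRIES = 512, 16            # bytes per sector, root-directory slots (constructed volume)
BAD_CLUSTER, DELETED = 0xFFF7, 0xE5    # FAT16 "bad cluster" mark, deleted-entry first-byte tag
FAT_OFF, ROOT_OFF, DATA_OFF = BPS, 2 * BPS, 3 * BPS   # sector 0 boot, 1 FAT, 2 root dir, 3+ data
FAT_ENTRIES = 16

def dir_entry(name, first_cluster, size):
    """One 32-byte FAT16 short-name directory entry (attributes and timestamps left zero)."""
    return name.ljust(11) + bytes(15) + struct.pack("<HI", first_cluster, size)

def build_volume():
    """Constructed sample image: README.TXT in cluster 2, plus an entry tagged as deleted
    whose clusters 3-4 are marked bad in the FAT yet still hold data (the hiding pattern
    described in the interview)."""
    fat = [0xFFF8, 0xFFFF, 0xFFFF, BAD_CLUSTER, BAD_CLUSTER] + [0] * (FAT_ENTRIES - 5)
    root = bytearray(dir_entry(b"README  TXT", 2, 5) + dir_entry(b"SECRET  BIN", 3, 2 * BPS))
    root[32] = DELETED                                 # drivers now skip the second entry
    hidden = b"constructed hidden payload " * 24       # 648 bytes, spans clusters 3 and 4
    img = bytearray(DATA_OFF + 8 * BPS)
    img[FAT_OFF:FAT_OFF + 2 * FAT_ENTRIES] = struct.pack("<16H", *fat)
    img[ROOT_OFF:ROOT_OFF + len(root)] = root
    img[DATA_OFF:DATA_OFF + 5] = b"hello"              # cluster 2
    img[DATA_OFF + BPS:DATA_OFF + BPS + len(hidden)] = hidden   # clusters 3-4
    return bytes(img)

def cluster_bytes(img, n):
    start = DATA_OFF + (n - 2) * BPS
    return img[start:start + BPS]

def find_suspicious(img):
    """Return (bad clusters that contain non-zero data, deleted root entries pointing at them).
    A deleted entry whose first cluster is flagged bad, with readable content behind it,
    is exactly the inconsistency described above and is worth a closer look."""
    fat = struct.unpack("<16H", img[FAT_OFF:FAT_OFF + 2 * FAT_ENTRIES])
    bad_with_data = [n for n in range(2, FAT_ENTRIES)
                     if fat[n] == BAD_CLUSTER and any(cluster_bytes(img, n))]
    deleted_refs = []
    for i in range(ROOT_ENTRIES):
        e = img[ROOT_OFF + i * 32:ROOT_OFF + (i + 1) * 32]
        if e[0] == DELETED:
            first = struct.unpack_from("<H", e, 26)[0]        # first-cluster field
            if first in bad_with_data:
                deleted_refs.append(("?" + e[1:11].decode("ascii"), first))
    return bad_with_data, deleted_refs

if __name__ == "__main__":
    print(find_suspicious(build_volume()))   # ([3, 4], [('?ECRET  BIN', 3)])
```

On a real image the same walk applies per FAT copy and per directory, and the clusters it flags are what to carve and inspect; nothing here depends on the magic values a particular malware family uses.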
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.