CyberWire Daily - Daily & Week in Review: Breach reactions. Attention grid substations: squirrels, and snakes, and monkeys, oh my...

Episode Date: June 10, 2016

In today's podcast we hear from the experts on how old data breaches can cross-contaminate users' other accounts. Point-of-sale problems seem ready to grow in the recent Wendy's incident. Ransomware's shifting landscape sees Locky's distribution botnet vanish (for unclear reasons), Crysis replace TeslaCrypt, and CryptXXX jump exploit kits. Some startups get some nice VC rounds. We hear about the law surrounding mobile location data, and we're reminded of cyber-physical threats to security systems and critical infrastructure. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security reviews an important circuit court privacy decision, and researcher Wesley Wineberg warns us about embedded security cameras.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Thank you. we hesitate to even think about what the cameras around electrical substations might show us. I mean, now we've got to worry about monkeys?
Starting point is 00:02:30 I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, June 10, 2016. Old breaches, those at LinkedIn, MySpace, and Tumblr in particular, continue to show new life, turning out to be bigger and more exploitable, to some extent because of widespread user practices like password reuse. Some companies, Netflix prominently among them, are proactively looking through the millions of compromised credentials to find email addresses and passwords reused by their customers, and they're warning the customers whose data they find to change their passwords.
Starting point is 00:03:04 We've received a number of reactions from security experts to the fallout of these old breaches. The case of Twitter is one they find particularly interesting, given Twitter's clear statements that it hasn't been hacked itself. Lastline's Craig Kensek told us, quote, It would take more than 140 characters to give comprehensive advice to Twitter account holders. Have strong, unique passwords for each site. Change passwords on a regular basis. Use multi-factor authentication.
Starting point is 00:03:30 Use a password manager. As an aside, we applaud Mr. Kensek for putting that advice into 139 characters. Other experts give similar advice. Brad Bussie, director of product management at STEALTHbits Technologies, told us, If what Twitter is saying is true about not being breached, we have an aggressive form of endpoint malware on our hands, end quote. He thinks the incident offers a wake-up call about the value of password managers and multi-factor authentication.
Starting point is 00:03:57 Remember, he tells us, there are bots on the Internet that are trying usernames and passwords from other breaches 24-7 to see where else the credentials might grant access. And we also received some reassuring perspective from InfoArmor's chief intelligence officer, Andrew Komarov. Komarov's aware of the risks, but he advises people to stay calm and remember that crooks are crooks. He told us, quote, All this data is from third-party sources and botnets, and in 80% it is fake or generated. He says that the best way to understand this sort of incident is as a form of criminal speculation. The crooks, after all, are in it for the money.
Starting point is 00:04:38 It's not as if they're disinterested security researchers. There's been another large breach reported, by the way, this one from the uTorrent forum, which has told its members to reset their credentials. A database containing 385,000 usernames and passwords has been compromised. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:05:17 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:05:58 That's vanta.com slash cyber for $1,000 off. Thank you. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Markus Rauschecker. He's from the University of Maryland Center for Health and Homeland Security. Markus, I saw an article recently in Engadget,
Starting point is 00:07:02 and it was outlining how courts are saying that police don't need warrants for phone location data. What can you tell us about this development? Yes, the U.S. Court of Appeals for the Fourth Circuit came down with an important decision. It now gets the Fourth Circuit in line with the other circuits in the country. The decision basically said that cell phone location data is not subject to Fourth Amendment protections. As you might know, when a user of a cell phone makes a call or text, that data, of course, gets transferred over a cell phone tower. And a service provider like Sprint or AT&T or Verizon will be able to see the rough location of where a call is coming from, of where a cell phone that's being used to make the call or to text is located based on which
Starting point is 00:07:45 tower that cell phone is connecting to. So that kind of information now, according to the Fourth Circuit Court of Appeals, cannot be protected by the Fourth Amendment. That is available to the government. The government can get this information from the cell phone service provider without a warrant. And in the article, it said that volunteering your position information means that you've given up what is referred to as a reasonable expectation of privacy. And I see that phrase used in a lot of these legal briefings. But is that sense of a reasonable expectation of privacy, is that something that's evolving as our mobile devices learn more and more
Starting point is 00:08:25 about our personal lives? Yeah, so you're quite right. This reasonable expectation of privacy is the general test of whether or not a warrant is required by the government. So generally speaking, if a person has a reasonable expectation of privacy in certain information, then the government will need a warrant to get access to that information. The government can't just come in and take that. A good example, of course, is our home. We have a reasonable expectation of privacy within our home. Government can't just come in and search our homes without actually getting a warrant first. That is what the Fourth Amendment protects. So when we're talking about technology, this concept of what is a reasonable expectation of privacy
Starting point is 00:09:06 certainly seems to be evolving. We certainly seem to be sharing a lot more information about ourselves online, in social media. We're texting pictures and other ideas that we have. We share them all over the place. So, of course, the courts have said that it's much more appropriate for Congress to decide where to draw the line, where this reasonable expectation of privacy rests,
Starting point is 00:09:31 than it is for courts to make that policy. But we'll have to see how things develop as the technology develops. All right, Markus Rauschecker, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:10:22 Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. The big four of cybercrime, point-of-sale malware, phishing, DDoS, and ransomware were all in the news this week. The U.S. fast food chain Wendy's disclosed last month that about 300 of its restaurants had experienced a point-of-sale malware infection, which the Ohio-based chain said it had contained. Unusual credit card activity back in January had flagged a problem, but yesterday Wendy's announced that the problems appear to extend to many more than the 300 sites it had initially believed were infected.
Starting point is 00:10:58 Specific numbers aren't known yet, but the company says the number of affected stores is significantly higher and that the problem may not yet be contained. Wendy's operates in 5,800 locations, which gives some sense of how much higher the tally could rise. So what can be done about point-of-sale security? The chip-and-pin technology now being rolled out across North America is a partial answer. But as Péter Gyöngyösi, Balabit's Blindspotter product manager, told the CyberWire, Europe's used that technology for a good decade, and they still experience credit card fraud on the other side of the pond.
Starting point is 00:11:35 The target may get harder, but criminals will adapt as long as there's money to be made. Gyöngyösi still thinks consumers should use their chipped cards whenever possible, but he has some specific advice for merchants. He tells us, quote, He also advises watching your admin traffic. Anomalies should put you on your guard. Merchants also commonly use physical systems, security cameras prominently among them, to keep their businesses safe. Cameras aren't without their vulnerabilities, as we learned at the last hacking shindig at the Jailbreak Brewing Company in Laurel, Maryland.
Starting point is 00:12:18 We caught up with one of that conference's featured experts, Wes Wineberg of Microsoft, to learn a bit more about the problem. Over time, embedded devices have changed in a lot of ways and stayed the same in a lot of ways. So for security cameras in particular, there's been a shift over the last five, ten years, where systems that previously used to be entirely analog and have more or less direct wired connections back to some sort of video recorder now have switched to a model where they're all IP based and so can still have that same direct wired connectivity back to a video recorder but can also have connectivity much further
Starting point is 00:12:58 and so that kind of mirrors what I've seen in a lot of other device markets, and that often poses a lot of risk to the people using the device because now there's much further connectivity that was never there. It's easy to think of a security camera as a benign device, sitting out of reach high up on the corner of a building or inside a lobby or waiting area. Quite a few companies, maybe even the majority of companies, will put their security cameras on the same network as other building automation systems or just as their same corporate network. Since it requires an IP connection, most companies just move to whatever is familiar and convenient,
Starting point is 00:13:40 whether that's their same building automation system or whether that's their corporate network. So now if the camera's on the same network acting as yet one more way to get onto that network, if someone compromises a camera, they can now use that to talk to all your other building automation devices as well. Conversely, if it's just sitting on your corporate network, it's a device that's very hard to manage and monitor. A standard PC, there's lots of software tools and techniques to know what's running on a PC if a user's computer's been infected. Embedded devices are a much different world for that, yet at the same time have just as much access to your network as any other device. One kind of compromise for embedded video cameras is, of course, getting access to the video stream itself. When it comes to commercial security cameras, in many cases, a lot of the cameras are just pointed at public spaces in the first place.
Starting point is 00:14:38 So while it might be interesting to people to watch their video feeds, they're not necessarily exposing any private data. Some companies, of course, will have cameras inside their buildings looking at more sensitive areas, but the general use case is more external and perimeter security. Where it does sometimes get interesting is there was an example a couple of years ago where a group was targeting point-of-sale systems, trying to steal credit card numbers and so on,
Starting point is 00:15:08 and they combined that with compromising an IP camera's video feed so that they could watch people type in their PIN numbers and then try and correlate that to the card data that they were stealing. Compromising a camera video feed is one thing, but Wineberg says this kind of embedded device can open your network to even more serious issues. With an embedded device like a camera, as long as it continues to function as expected, it's very unlikely that anyone's ever going to look into whether or not anything might have been changed on the device. So the end result is that it's completely possible for an attacker to modify the code that's running on a camera, repackage it, update the camera essentially, but at the same time have the camera give no indication that any changes or updates have been made.
Starting point is 00:16:06 an advanced attacker on a network, instead of compromising, say, a user's PC, where, you know, once the company is trying to track down an infection, they might pull the hard drive from that computer, start to run forensics on it. If you instead target an embedded device like a camera, first of all, it can be much more difficult to even expect that that would be a target that was compromised. But second, it's extremely difficult to recover any traces of what the attacker might have done, because it's just simply not a function that the camera would typically provide. Many IP cameras are running commonly used operating systems, which presents attackers with a wide variety of opportunities to compromise a network. From an attacker point of view, they've got the ideal setup where they can just build their to compromise a network. an architecture that's fairly common, especially these days, and an operating system that's very
Starting point is 00:17:05 well understood by attackers and users alike with, you know, support for pretty much any security testing tool that you might like. So the opportunities open to an attacker, if they're able to update the firmware or otherwise gain access to the camera, are pretty open. And that was kind of the second part of my findings was, now if we're not just worrying about maybe persistence, which is great through the firmware update, but we just want to have a target on the network that we can compromise,
Starting point is 00:17:40 maybe store our tools on, do that at the point of attack, a Linux system that you can easily compromise remotely is always going to be a great thing in the mind of an attacker. And that's essentially what the camera I looked at was. It has a web interface, just like many Linux devices do, or many Linux systems do. And there were several functions within the web interface which could potentially be leveraged to gain remote shell access on the device.
Starting point is 00:18:08 Basically, the camera is a vulnerable system on your network, a vulnerable system running Linux. But unlike the computer systems that you might be scanning for on a regular basis and taking inventory of, a camera is very likely to be overlooked as that vulnerable Linux system by a company who's running it. So if you're using IP security cameras on your network, Wineberg has some advice. So my big recommendation for what owners of these devices should do is just simply put them on their own separate network. Whether that's physical wiring or setting up VLANs and firewall rules appropriately so that really nothing can get to the cameras and the cameras can't get back to anything else other than the video recording system that they should be talking to.
Starting point is 00:18:55 That's security researcher Wesley Wineberg. In his day job, he works for Microsoft, but he asked us to mention that the presentation he gave at the Jailbreak Security Summit was independent research. To resume our cybercrime rundown, phishing, particularly in the form of business email compromise, continues to rise in the English-speaking world. Distributed denial-of-service attacks are also surging, and businesses are well advised to address this risk in their planning. And ransomware continues to pay, just ask them up in Calgary,
Starting point is 00:19:29 as its criminal masters shift to different payloads and delivery methods. If you're keeping score at home, TeslaCrypt is out and Crysis is in. CryptXXX has jumped ship from Angler to the Neutrino exploit kit, and Locky's fallen off dramatically as the botnet principally engaged in serving it has apparently vanished from the wild. There's some encouraging industry news this week as venture capital flows to some interesting startups. Zimperium, the mobile security company, has received $25 million in Series C funding. Cylance, whose tools congressional investigators now believe were the ones that detected the OPM breach, has joined the ranks of the unicorns with $100 million in Series D capital. Finally, we here at the CyberWire have long been trying to draw attention to the risks to
Starting point is 00:20:10 critical infrastructure, especially water and power. We've covered the Bowman Avenue dam hack in Rye, New York, and the takedown of the power grid in eastern Ukraine by implausibly deniable Russian cyber goons. But it's often said, correctly, that squirrels have a power grid takedown track record the FSB could only dream about. And we'll continue to add, although none of you seem to be paying proper attention to the matter, that snake-outs have long been a problem on Guam. An expert from Tenable has pointed out this week that the North American electrical grid could be disrupted for months by the coordinated physical destruction of just nine well-selected substation transformers. We hope utility security managers are thinking
Starting point is 00:20:51 about more than just fences, and that they're hardening their other physical security measures, including those IP cameras Wes Wineberg has been telling us about. But wait, there's more. If this weren't enough to worry us, as if on cue, Kenya's power grid goes down when a monkey inserts itself into the works. Squirrels and snakes and monkeys? Oh my. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
Starting point is 00:22:07 tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
