CyberWire Daily - Daily & Week in Review: Not all experts agree you should resign yourself to being hacked. The state of fraud, 2016. Ransomware and DDoS updates. The Kremlin gets doxed.
Episode Date: October 28, 2016
On today's podcast, we hear that ransomware is still with us. A new study of online fraud is out, and one lesson is, it's better to take some, any, precaution than to whistle and hope for the best. The Australian Red Cross suffers a data breach affecting more than a million blood donors' records. Windows seems to suffer from an exploitable vulnerability—how serious it may prove remains to be seen. Mirai botnets continue to sputter across the IoT. Signs point to a public-health approach to mitigating DDoS. Ben Yelin reports on a Maryland surveillance hearing. Duo Security's Dug Song thinks it's time to get back to basics. Not everyone believes you need to resign yourself to being hacked. And those doxed Kremlin emails? Apparently real.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransomware is still with us.
A new study of the state of online fraud is out,
and one lesson is it's better to take some, any precaution
than to whistle and hope for the best.
Windows seems to suffer from an exploitable vulnerability.
How serious it may prove remains to be seen.
Mirai botnets continue to sputter across the IoT.
Signs point to a public health approach to mitigating DDoS.
And those doxed Kremlin emails?
Apparently, the real deal.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, October 28, 2016.
With all the recent concern over distributed denial-of-service attacks,
it's worth recalling that the ransomware threat hasn't gone away.
It's just been eclipsed a bit in the news cycle.
Netitude Labs, which is keeping an eye on the RIG exploit kit,
reports an increase in RIG alarms.
The kit is delivering CrypMIC ransomware,
taking over distribution after Cisco's Talos unit shut down the earlier vector,
malvertising using the Neutrino exploit kit.
RIG is also being used, Netitude says, in pseudo-Darkleech and EITest malvertising campaigns.
And the SANS Institute shares work by itself, BleepingComputer, and Malwarebytes on the continuing distribution of Cerber,
so the ransomware threat is still out there and still active.
The fraud protection shop Easy Solutions this morning released Fraud Beat 2016,
its annual study of trends in online fraud.
Mobile applications and social media, of course, figure prominently in the current attack landscape.
One of the findings suggests that taking some, any protective measures on mobile systems is better than doing nothing and hoping for the best.
The study found that organizations that installed no protective measures were between four and
nine times likelier to be attacked than those who had some precautions in place.
Multi-factor authentication reduces the incidence of phishing attacks by a factor of three.
Social media, of course, are rife with bogus profiles.
Facebook, Twitter, and Instagram, between them, are infested with more
than 80 million fake profiles, and these, of course, figure in many attacks. One mildly surprising
finding in Easy Solutions' study is that four out of five Google searchers click sponsored AdWords
links as opposed to organic search results, and more than a third of those clickers don't even
realize that there's a distinction here. It has driven a rise in search engine ad poisoning activity.
Finally, of course, personally identifiable information, PII,
continues to have value in the criminal markets,
especially when it can be monetized through creation of false identities.
Personally identifiable information can be stolen from many sources.
This week, a big compromise has come to light in Australia.
The Australian Red Cross has suffered a data breach,
possibly through inadvertent leakage as opposed to hacking,
although that's unclear at this time.
A file containing blood donor records going back to 2010
and including more than a million donor records
was found exposed on a public-facing website.
This is believed to represent the largest single breach in Australian history.
The Cyber Wire heard from Ilia Kolochenko, CEO of web security company High-Tech Bridge.
Commenting on the Australian Red Cross breach, he said,
quote,
of data leakage in this particular case, but frequently human negligence is the main reason.
End quote.
He sees skid hackers as a kind of second-order source of carelessness.
Quote, it can also be a consequence of a previous breach.
Sometimes inexperienced hackers put data archives on the website to download or share with others and forget or just don't bother to delete it afterwards.
End quote.
Security company enSilo has reported finding a code injection vulnerability
affecting all Windows versions, including Windows 10.
They're calling it AtomBombing.
According to enSilo, the flaw could enable an attacker to bypass security products,
access encrypted passwords, steal desktop screenshots,
and exploit browser sessions with man-in-the-middle attacks.
Since AtomBombing exploits Windows atom tables,
provided by the operating system to enable applications to store, share, and access data,
enSilo believes the issue arises from the design of the Windows OS,
and isn't susceptible to patching.
The direct mitigation answer, enSilo says,
would be to tech-dive into the API calls and monitor those for malicious activity.
To return to the aforementioned DDoS threat, no, we haven't forgotten it,
Mirai botnets are continuing spurts of activity against targets that strike observers as selected more or less randomly.
Since Mirai's source code was released, Arbor Networks has been tracking its mutations.
Hackers, dismissed by Motherboard as wannabes, have been adding buggy features to that code.
The DDoS attacks against Dyn a week ago were very large, perhaps exceeding a terabyte per second.
Various proposals for dealing with botnet-driven distributed denial-of-service attacks by ISPs include increased filtering and blocking, controversial
because of the potential for censorship or other misuse, and notification to customers
of device compromise.
ISPs have tended to hesitate to notify customers of botnet activity unless it affected their
own network performance, but there's growing acceptance of a public health model that would
encourage them to warn users of infected devices in the hopes of containing botnet formation.
You remember Vladislav Surkov, the Putin advisor who doesn't use email?
He uses email after all, or so it seems.
Several of the very large number of documents hacked and released by the Ukrainian hacktivists
of CyberHunta have been confirmed by third parties as genuine.
Some of the emails indicate Russian government contingency plans
to force a shutdown over Ukraine's Donbass region as early as next month.
Meanwhile, Mr. Putin dismisses claims that Russia is meddling in U.S. elections,
despite those claims being widely believed and strongly supported.
He accuses American officials of acting like a bunch from
a banana republic, and that they're trying to whip up hysteria. On that whole banana republic thing,
we think President Putin has the dismissive stereotype of a small Central American government
in mind, and isn't referring to the clothing retailer. But who knows. If a lot of orders for
cargo shorts go out from the Kremlin on Black Friday, we'll be the first to acknowledge
we've misunderstood you,
Vladimir Vladimirovich.
And finally, okay,
we know you're tired of hearing this,
but National Cybersecurity Awareness Month
is now in its final full week.
The theme is
Our Continuously Connected Lives.
What's your aptitude?
It's aptitude as in app.
Get it? So seriously,
spare a moment to think about how you're choosing, downloading, and using apps.
The digital exhaust you save could be your own.
And I'm pleased to be joined once again by Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, earlier this week, there was a session where Maryland lawmakers heard arguments over police surveillance technologies.
The hearing took place in Annapolis, the state capital.
But my understanding is that you were actually on the scene.
Yes, I was more of a part player in this whole performance, but I was there.
So this was a hearing convened by the House Judiciary Committee. Normally, they're not in
session this time of year, but I think this was a topic of sufficient importance that they decided
to hold an out of session hearing. And they reviewed three surveillance programs and looked
at both the law and policy issues of all of them. The first is the aerial surveillance that was discovered a couple months ago,
which consists of the Cessna flyovers started by a private organization in Dayton
that was just uncovered in the news a couple of months ago.
They also discussed Stingray devices, which I know you and I have talked about a good deal on this podcast
and your listeners are very familiar with.
And also they looked at facial recognition technology. There was a realization recently that
Maryland State Police use facial recognition technology, and they don't just get the images
from criminal arrests or criminal records. They're actually also matching images to MVA records,
which I think rubbed a lot of civil liberties advocates the wrong way.
There were representatives of both sides of the issues. The ACLU and the Office of the Public Defender talked about what they thought was necessary legislation needed to protect against overreach by law enforcement. And they thought there had to be specific legislation to curb the abuses of each
of these technologies, but broader legislation to make sure that there are public hearings and
public notices to make sure the public is sufficiently aware of the programs and has
an opportunity to comment on it. And that's actually important from a legal perspective.
We know based on Fourth Amendment jurisprudence that a person, there's not a search
for Fourth Amendment purposes unless a person's reasonable expectation of privacy is violated.
And it's hard to know whether you have a reasonable expectation of privacy if you're
never given a chance to be aware of some of these programs. Certainly, if we walk out on the street
and see one of those blue light cameras, we're aware that they're doing video surveillance in
our neighborhood. But for something like overhead surveillance, where a Cessna plane is flying up to 25,000 feet
above the city of Baltimore, it would be hard for a person to even contemplate a scenario
of them or their vehicles being surveilled by overhead devices. And as a result, that would
be a violation of one's reasonable expectation of privacy. And that would mean that to do that, the government would have to have a warrant or an equivalent of a warrant.
I thought that the discussion on the Stingray device was particularly interesting.
We had a case here in Maryland at the Court of Special Appeals a few months ago, the Andrews case, that held that a warrant is required before the government uses Stingray devices
to get location-identifying information from individuals.
So the legislature was sort of grappling with that new standard.
And I think the representatives from law enforcement and their representatives from both Baltimore
County and Baltimore City were trying to show the process that they go through and tried
to argue that each search not only complies
with the law as articulated by the Court of Special Appeals, but actually goes through
a series of four separate judicial proceedings before a person's location identifying information
is retained.
So it was a particularly interesting hearing.
I think we'll definitely need to pay close attention when the state legislature comes
back in January to see if they attack some of these problems head on and what kind of legislation
they look to adopt. All right, well, stay tuned and we'll check in as the story develops. Ben
Yelin, thanks for joining us.
My guest today is Dug Song.
He's the CEO of Duo Security, where he's a strong advocate for a back-to-basics approach to cybersecurity.
He also rejects what he describes as a learned helplessness reaction to cyber threats and thinks users can be empowered by better systems with better design.
I'm a 20-year veteran of network security.
Most of my career, what people know me mostly for is some of the open source software that I used to write.
So back before I did any companies, I was something of a software communist.
If you look at your SSH man page, I was one of the authors of SSH, but also a bunch of exploits like dsniff to go capture people's credentials, passwords.
Well, actually, I tried to get out of security for a while.
I felt like security was something of a lemon market where vendors would sell you a box, the box would sit in your network, and it wouldn't really do anything.
And the customers would say, well, geez, am I any more secure?
The person said, of course you are.
See, nothing's happened.
And the customers say, well, nothing happened before.
But that was sort of the quality, I think, of a lot of, unfortunately, sort of security products back in that day and age. Or, again, like the best thing to ever happen on someone's watch of a CISO's career is that nothing happened.
And I think, you know, today it's sort of changed a little bit
where security now has to enable a lot of the things that people want to do, whether it's
cloud or mobile or have you. And I think a lot of the ways in which
security has been constructed for networks, for systems, for applications
has not scaled to the way that organizations actually needed to
where today, again, I think the biggest security exposure we all have is people.
Attackers don't go over systems so much as users.
And in an age of hyper-connectedness, there's been so much discussion about how preventionists
failed and almost this sort of learned helplessness, right?
That actually, oh, there's nothing I can do to stop the attacks.
It's not a matter of if, but when.
And in fact, our money is better spent or your money is better spent,
as is usually a story told by vendors,
on things like threat intelligence
and other kinds of fairly esoteric kind of security functions
that most organizations will never be able to operationalize.
And so what kind of solutions are you advocating?
We believe that we have to democratize security.
And by that, we mean that we have to make security
something that is inclusive of everybody.
That when your users, your end users,
are the ones who are actually much more responsible
for your security than maybe
your average security professional.
And by that, I mean that, you know,
if your users don't want to jump through
your corporate VPN, right,
to use your corporate file server
to share a file with a colleague, they will upload it to Dropbox and do this instead.
Right.
And no amount of policy necessarily will really solve these kinds of issues for a lot of organizations.
A different approach is required.
And so, you know, in democratizing security, our perspective has been that we have to make
security easy in order for it to be effective.
That if, in fact, security is not designed for people,
instead of being designed for networks, designed for systems, designed for applications,
it won't be adopted by end users.
And so we have to actually make security something that is a design-led operation
where today's security professionals have to be almost more like public health professionals.
We're thinking very carefully about how they align user incentives
toward the organizational outcomes that they're seeking to achieve.
Because you can tell people to stop smoking,
but sometimes you have to find other ways to lead them there.
And so the kind of solutions that Duo was focused on,
and I think increasingly more and more the security industry has to come to, are ones that actually respect the end user, you know, systems that actually are thoughtful about how they
automate a lot of what the organizational workflow is, for companies have better things to do, right, than deal with putting out security fires.
Between those two things, between a strong focus on user experience and design, as well as on automation, to make the administrative side of security really, really simple,
I think these are the core things that almost any new security technology has to be thoughtful about.
Because, again, if users don't like it, they will simply reject it. And there's so many new ways around these organizational boundaries of IT today that again, most CISOs, they'll never have a fighting chance unless they build the kind of security that people want. How would this work
with something, for example, like a password? How is a design approach going to increase our
credentialing? Yeah. So I think some things that you see is to afford convenience to users with the trade-off in being able to provide more security.
And so, for instance, things like single sign-on, the ability to use one single password and have that login carry across automatically all the applications that you might need to access.
That's a strong degree of user convenience that, you know,
actually end users want, but actually benefits security, right? Because you have less passwords
to govern, you have more ability to audit in a centralized way, the accesses that happen between
applications, but you also have then the vantage point to provide other kind of inspection and control. And that
affordance of security, like delivering convenience, I think is one of the core
principles that more and more security operators are going to have to think about.
That's Dug Song from Duo Security. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.