CyberWire Daily - Daily & Week in Review: Responsible disclosure & why the cool miscreants are on Twitter.

Episode Date: May 6, 2016

Today we hear about what's going on with proof-of-concept exploits. Ransomware continued its run this week, but DDoS shouldn't be forgotten, either--it's good for both business interruption and misdirection. Thoughts on those 270 million email credentials. A couple of big security companies post Q1 results, and Adrian Turner, CEO of Australia's Data61, explains the future of that nation's domestic cyber sector. Dale Drew from Level 3 Communications shares the news of a new DDoS technique. The LAPD succeeds in cracking an iPhone 5s. And where in the world is Satoshi Nakamoto?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Proofs of concept. The bad guys are loving them, and they're now on Twitter. Some considerations of what to do in the wake of that Russian boy's sale of 270 million email credentials. Ransomware continues its run, but the bad actors haven't forgotten DDoS either.
Starting point is 00:02:11 Notes on the security marketplace with a particular look at cyber innovation in Australia. The LAPD cracks a locked iPhone 5S, and that's tougher than what the FBI had to do with the San Bernardino iPhone 5C. And it seems that there's one more guy who isn't, in fact, Satoshi Nakamoto. I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for the week ending Friday, May 6, 2016. Yesterday, Recorded Future released a study of proof-of-concept exploits. While proofs of concept are often developed by legitimate white hat security researchers, Recorded Future has found that their production and distribution by black hats is surging.
Starting point is 00:02:54 They've also found that Twitter seems to be replacing Pastebin as a favorite venue for sharing exploits, which suggests that the border between the digital world and its underworld continues to become more porous. We spoke with Recorded Future's Nicholas Espinoza about the report, and he outlined some of the motivations for creating proof-of-concept exploits. Sometimes, he says, it starts with curiosity. In our own data, we've observed people talking about proof-of-concepts being developed for ICS and SCADA systems just to prove how vulnerable they are on some of the world's most critical systems.
Starting point is 00:03:26 In addition, you know, they might be developing these proof of concepts to force a vendor to develop a critical patch. This is usually a name and shame sort of example. So a vendor, X, Y, Z, might not have paid to a critical vulnerability. So a researcher or a gray hat or black hat might develop and disclose an exploit for this particular vulnerability to essentially light a fire underneath them and force them to develop something quickly. In addition, people are using these proof of concepts to showcase their own skill set. So this might be someone showing their proficiency in a particular area, usually for bragging rights, kind of building camaraderie against a hacker crew that might be aligned with. And then, of course, people also do this to actually hunt down jobs.
Starting point is 00:04:11 Then finally, this is a little bit rare, is when people develop proof of concepts and vaguely obfuscate code or include comments to make it non-functional. So this is plausible deniability for developing a workable exploit. So people will maybe throw in a disclaimer saying, don't use this, or barely fuzz some of their work. And this is usually the most concerning example that we've seen in our data sets. One of the things the report outlines is how social media has become a dominant mechanism for distributing proof-of-concept exploits.
Starting point is 00:04:44 We're trying to hone in on the conversations where individuals are sharing proof-of-concepts and the trends within those conversations. An example, you know, at a basic level is, hey, I've got a proof-of-concept for XYZ vulnerability. Check it out here at my GitHub, and then they'll throw in a link. Social media is being used to amplify the discussion and visibility of those proof of concepts at those sites. Espinoza cautions that the pace of POC exploit development is
Starting point is 00:05:11 only getting faster, and it's important to track multiple sources of information. I think the key takeaway is, you know, there is an entire discussion on the open, deep, and dark web that a lot of organizations aren't paying attention to point blank. These conversations develop at the speed of social media. Case in point being, most of our content comes from Twitter on this particular bit of research. And for organizations like NIST who try to track exploits and if they exist for a vulnerability, NIST is not going to be able to keep up with the pace that these discussions are occurring at. The vendors are also unable to kind of keep tabs on this in real time.
Starting point is 00:05:49 And then, of course, the organizations that actually deploy the hardware and software are ultimately left kind of with the burden of looking for these exploits. So you need a mechanism in place, whether it's Recorded Future or something else, to kind of keep tabs on those conversations and see if your production environments or software and hardware that you're running are vulnerable and have working exploits out there today because you just can't rely on NIST and your vendors to keep you abreast of that in real time.
Starting point is 00:06:16 That's Nicholas Espinoza from Recorded Future. Their website is recordedfuture.com. People are still wondering what to do about that big pile of email credentials the Russian kid sold to Hold Security for a buck and a pat on the head. Some experts are telling NBC News that, just to be safe, everyone should change their personal email account passwords. It's generally a good idea to change passwords, especially if the change also makes them stronger,
Starting point is 00:06:44 and several security companies are advising people to move to passphrases. On the other hand, lest anyone panic, Wired points out sensibly that there's probably less to the horrible-sounding 270 million credentials stolen story than meets the eye, as even the malchik who sold them admits the credentials in question have leaked out over the years in various breaches. We heard from Lastline about the general problem that compromise of email credentials presents. Brian Lang, the company's vice president of products and business development, reminded us that free email services, while free, are still a business, and generally the business they're in is advertising. He thinks those services should up their security game and induce users to make their passwords stronger and change them on a regular basis.
Starting point is 00:07:30 Multi-factor authentication might also be a nice upgrade. The users themselves could also do a better job of taking care of security, especially by using password managers. But until you, user, are willing to work a bit harder to protect yourself, Lang has this advice. Quote, change your pet's name monthly, preferably with a mix of upper and lowercase letters. To which we can only add, Rover, we hardly knew you. We mean R0 lowercase v3r exclamation point.
Starting point is 00:08:00 Good dog. Good dog. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:01 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:09:45 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:10:10 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me is Dale Drew. He's Chief Security Officer at Level 3 Communications. Dale, you have an interesting story to share about the discovery of a new DDoS vector. What can you tell us about that?
Starting point is 00:11:04 So the Level 3 Threat Research Lab recently identified a new attack pattern in the internet backbone where bad guys have found a new way to do what's called a DDoS amplification attack. And this is basically where a bad guy can send a small packet and result in a very large packet return. And so when they spoof that traffic to make it look like it's coming from the victim, that very large return ends up hitting the victim, and it amplifies the amount of traffic going to them. So what we saw was a bunch of bad guys who were experimenting in a new amplification attack,
Starting point is 00:11:52 not only developing the code, but beta testing it on a number of victims. And it used a service called PortMapper. Now, PortMapper is a Unix-based service where you can query the Unix server and say, what network-based services are you running? And it will return back a list of those services. So I send a very small request, and I get a very large return as a result. And so we sent out an early warning notice on our blog about it and to a number of our industry partners because we found about 12 million systems on the Internet that had PortMapper accessible.
Starting point is 00:12:29 So there are 12 million nodes that could help amplify a DDoS attack. And so our recommendation in this early warning notification was that people really need to make sure that they have firewall rules enabled to block access to traffic from the public Internet, as well as making sure that they disable all unnecessary services on their systems. And it really seems like a fairly simple guidance. I mean, this has been guidance that's been around for decades. But it's really those simple things that have substantial leverage impacts on being able to better protect not only the victims of these attacks, but the Internet backbone as a whole. All right. Good advice. Dale Drew from Level 3 Communications. Thanks for joining us.
Starting point is 00:13:24 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Ransomware has been much in the news this week.
Starting point is 00:14:06 Cylance has published a dissection of AlphaLocker. An unknown white hat has subverted Dridex, substituting dummy files for ransomware payloads. And of course, Heimdal has exposed the charity team's brassy attempt to nudge its victims into payment with the promise that the proceeds of the extortion will go to the children. And how could you be so heartless as to turn down the charity team's appeal? Here's how. Realize that the chance that a Sasquatch will turn out to be Satoshi Nakamoto is probably higher than the likelihood that a kid's charity will get the Bitcoin you pony up. So let's see, counting on my fingers here, it's about the likelihood of getting a winning Powerball number, right? I mean, Satoshi, Sasquatch...
Starting point is 00:14:47 At any rate, other forms of criminal attack haven't disappeared. DDoS, for one, is still a hacktivist favorite, as Anonymous's hits against the central banks of Greece and Cyprus in Operation Icarus attest. Such hacktivism aims, of course, at business interruption, but there are other reasons threat actors engage in denial of service. Misdirection is one of them, and Forcepoint this week published a study that shows how this can work. The Jaku botnet is now said to have 19,000 zombie machines. While it could be used for conventional spam and distributed denial of service, its principal purpose still appears to be highly selective attacks, mostly against East Asian targets.
Starting point is 00:15:26 Forcepoint, which has been tracking the Jaku campaign, notes that the attackers seem to be masking precise targeting in the noisy traffic of a big botnet. In industry news, FireEye and CyberArk both reported earnings late yesterday. FireEye posted a better-than-expected loss of $0.47 per share on $168 million in revenue. CyberArk reported $0.23 in earnings per share on $46.9 million in revenue. FireEye also saw an increase in security subscription services, which it sees as playing a greater role in its business strategy going forward. FireEye's CEO Dave DeWalt will move up to the executive chairman role, with Kevin Mandia filling in behind him as the new CEO.
Starting point is 00:16:10 Cybersecurity research and development and building a strong domestic cyber sector are priorities for Australia's government, as we learned when we heard Data61's presentation at SINET ITSEF last month. Today we hear from Data61's Adrian Turner, who gave us a view from the organization charged with driving security innovation forward in Australia. This strategy is a comprehensive strategy that covers aspects of innovation and new industry creation, including technology transfer from the research sector right through to the other end of the spectrum, providing infrastructure, threat intelligence, sharing capability and infrastructure for industry to be able to do what happens organically today in a more structured way.
Starting point is 00:16:59 What we've done is we've identified areas where we think we can make a difference and be world leading. And then we've gone back into the uni sector and into partners to find people that have domain expertise and are working on parts of the problem. So we're taking their fundamental research, bringing market context, and very focused on the translation of that research into solutions that can be consumed by the market. An important aspect of Australia's commitment to cyber, according to Turner, is the recognition of evolving trends in the global marketplace. It's not just that every industry is becoming data-driven, which it is. It's as those industries
Starting point is 00:17:42 become data-driven, they take on different economic structures, and the shift is as profound as when we moved from agriculture to manufacturing. Now we're moving to platform economics, and the characteristics of those platforms, as we've seen with companies like Google and Apple and Facebook and others, is that they tend to have natural monopolistic tendencies. There tends to be learning algorithms at the center of those that take data feedback loops and deliver better services at scale. So for Australia, we have a choice. We either be participants in those platforms or we lead in helping to transform our strength industries like healthcare, mining, agriculture, and services industries, and develop some of those ourselves. And I think the
Starting point is 00:18:34 opportunity for Australia is global, but it's also regional, Indo-Pacific regional opportunity. It's a coordinated effort engaging a variety of stakeholders throughout the nation. The first goal that we have is to drive national alignment and bring global context to the work that's going on nationally. So for the country, in the last months, we've had the publishing of a defence policy paper. We've had a national cyber security strategy policy published. We've had the establishment of a cyber security growth centre, which is a group to coordinate cyber activities across the country, across the uni sector, right through to providing infrastructure and programs to drive deeper collaboration in industry and
Starting point is 00:19:26 between industry and government, as well as tax incentives for startups and early stage investing. So we're at a moment in time where new policies and new strategy are all lining up and we have a role to bring that together nationally. There is a recognition in Australia that cybersecurity doesn't have geographic boundaries and it's a shared responsibility. And so we are being aggressive in partnering internationally. We're engaged in dialogues with people across the public and private sector in other parts of the world to make sure that we're also learning from the things that have worked well at a national level and a system level in other countries in the world.
Starting point is 00:20:11 That's Adrian Turner, CEO of Australia's Data61. You can learn more about them at csiro.au. The Los Angeles Police Department succeeded in gaining access to a murder victim's locked iPhone 5S, previously thought more resistant to cracking than the iPhone 5C used by the San Bernardino jihadist. They're said to have succeeded by using the services of a forensic expert. Observers expect this to inform the crypto wars, making requirements for backdoors or other vendor assistance less urgent. Finally, Craig Wright seems to have given up, albeit ambiguously, his claim to be Satoshi Nakamoto.
Starting point is 00:20:52 His blog says that he just doesn't feel up to continuing the struggle. He closes with a simple, I'm sorry. You decide. But you can always stand up with the rest of us and shout, I'm Satoshi. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:21:57 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
