CyberWire Daily - Daily & Week in Review: Yahoo! breach, infected torrents, insider threats.

Episode Date: September 23, 2016

In today's podcast, Yahoo!'s really bad breach. We hear about Raum, a malicious tool the Black Team is offering in select criminal markets on a pay-per-install basis. In industry news, we learn that Vista Equity Partners is taking Infoblox private. Webroot is acquiring CyberFlow Analytics, Oracle has bought Palerra, and Elastic has acquired Prelert. White Ops closes a $20 million Series B round. Emily Wilson from Terbium Labs explains the importance of reputation on the Dark Web. RedOwl's Brian White outlines insider threats. A new third-party risk management coalition forms. NATO-themed phishbait hooked German politicians.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Starting point is 00:01:53 Bad news for Yahoo! Really bad. Raum finds its space in the black market. M&A news and a new third-party risk management coalition, NATO-themed phishbait, and a conversation with RedOwl's Brian White about insider threats. I'm Dave Bittner in Baltimore with your CyberWire summary
Starting point is 00:02:20 and week in review for Friday, September 23, 2016. That cloud over Yahoo that security industry people have had their eye on boiled up yesterday afternoon into a metaphorical derecho. At least 500 million users have had their accounts compromised, which makes this one of the largest data breaches so far recorded and probably the largest ever from a single site. Yahoo! disclosed that in 2014 what they describe as a state-sponsored actor, no state mentioned, but we're betting it's not Maryland or even Virginia,
Starting point is 00:02:51 exfiltrated names, phone numbers, dates of birth, security questions and answers, and hashed passwords. Yahoo does say that no financial information was compromised. The company is in the process of notifying its many affected customers, and it advises all who haven't changed their password since 2014 to do so as soon as possible. In early August, the hacker known as Peace said that he or she had some 200 million Yahoo credentials for sale. It's not known yet whether that claim is connected to the breach disclosed yesterday. According to the Wall Street Journal, Verizon, which has been in the process of acquiring Yahoo and disentangling the acquisition target from its stake in Alibaba, said it had been notified of the incident within the last two days, but that it was not yet
Starting point is 00:03:35 informed enough to comment. Investigation by both Yahoo and law enforcement authorities is in progress. A new malicious tool on offer in the criminal market is drawing some attention. Called Raum, it distributes malware through torrent files. That's not entirely new. There have been malicious torrents before. What is innovative is the criminals' business model. The gang responsible, thought by security researchers at InfoArmor to be the Eastern European mob known as Black Team, not only has what CSO calls a slick interface,
Starting point is 00:04:07 but they've got an advanced pay-per-install model. They're also selective about their criminal-to-criminal clientele. InfoArmor says the underground markets that sell Raum are accessible by invitation only, with very strict virtual bouncers at the door. Black Team's customers are bundling the tool with malicious games and using it to infect users of both PCs and Macs. Those who frequent sites like The Pirate Bay and ExtraTorrent are thought to be particularly
Starting point is 00:04:34 at risk. The malicious payloads have included ransomware like CryptXXX, the Dridex banking trojan, and the password-lifting Pony spyware. The CyberWire heard from Lastline's CMO Bert Rankin, who thinks one takeaway from the incident should be the insufficiency of signature-based defenses. Quote, this is exactly the type of pernicious, evasive malware that cross-contaminates enterprise organizations. Because it bypasses firewalls and legacy perimeter defenses, it's likely to get into the enterprise through BYOD
Starting point is 00:05:05 and even corporate assets used off the corporate domain, end quote. He thinks Raum provides a strong use case for security defenses that identify malware by its behavior. Looking back at the week, there's been a lot of movement in the security industry. Some big consumers of security products, including Uber, Twitter, Pivotal, Dropbox, Palantir, Square, Atlassian, GoDaddy, Docker, and Airbnb, have formed a coalition aimed at improving cybersecurity standards. The new Vendor Security Alliance, inevitably to be known by its acronym VSA, will seek to improve the security posture of third-party vendors. Vista Equity Partners took network control shop Infoblox private in a deal worth $1.6 billion. Colorado-based security company Webroot
Starting point is 00:05:53 has acquired machine learning company CyberFlow Analytics for an undisclosed sum. Oracle has acquired cloud security vendor Palerra, also for an undisclosed amount. And with its sights set on market leader Splunk, big data search and analytics house Elastic has picked up Prelert, which specializes in unsupervised machine learning. Venture capitalists continue to be more selective in which cybersecurity startups to back,
Starting point is 00:06:19 but there's still money coming into the sector. White Ops, for example, has just closed a $20 million Series B round. And finally, it's worth returning to the recent intrusions into the networks of German politicians. It involved a spear phishing campaign, which is increasingly the norm in cyber attacks aimed at espionage. The phishbait in this instance consisted in large part of spoofed emails purporting to be from NATO. Those with long memories, that is, memories extending back to early July, will recall doxed emails from a former Supreme Allied Commander Europe that appeared to reveal a campaign to pressure the U.S. administration
Starting point is 00:06:55 into a harder line against Russian actions in Ukraine. Those emails appeared in DC Leaks, a site now regarded by many as Moscow-run. Thus, NATO-themed emails would be appealing bait. So, if you get an email in which, say, the Supreme Allied Commander Europe says that he would like to share an unexpected inheritance with you, he just needs some wire transfer information so the funds can be credited to your account, well, you've been warned. It's not likely General Scaparrotti really sent you that request.
Starting point is 00:07:26 And that's news you can use. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. Thank you. you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:09:05 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, when it comes to dumping data on the dark web, reputation makes a difference, yes? It does. There are certain personalities that tend to favor toward one type of information or another,
Starting point is 00:09:47 you know, certain signatures that you tend to look at it and think, I believe you. I think if this was unsigned or if this was anybody else, I wouldn't believe that this is real data. But because it's you, I'm going to trust that. People who have come to, you know, be prolific in one particular type of data dump or another. One of the interesting things that we see that I still can't quite wrap my head around is that we see people who kind of have their Hacksaw 89 Twitter handle and they're re-dumping information that's several years old. So you have a famous dump of some kind and then someone six months later, a year later, two years later is coming back and saying, hey guys, I hacked the FBI. Or hey guys, I hacked Sony. Check out my Twitter. on a broader scale, individuals or names that you come to trust. And then you have these people who you can only imagine are, frankly, 15 year olds bragging to their friends on the internet about
Starting point is 00:10:50 how they hacked the government. But they didn't. They're recycling old information. They are. They're recycling old information. If I had, you know, a dollar for every time I saw someone reformat information from kind of one of the major government dumps and claim it was their own. And does the rest of the community respond to this and turn their noses up to these people? No, oddly, they're broadly ignored. It's not really worth my time. I don't know, the dark web community is an interesting one
Starting point is 00:11:22 because you kind of have your factions. You have people who are there primarily for drugs, people who are there primarily for fraud, and they don't think very kindly of each other. But then they all turn kind of a snide eye to anyone who's there asking for, you know, hey, where can I find the scary, super gory details that people tell me are on the dark webs? And obviously anyone who's asking for kind of material related to exploitation is rather soundly told to walk away. People tend to think of the dark web as this scary, frankly very dark place full of criminal activity, and it's not that. It's like a dark alley
Starting point is 00:12:05 that you wouldn't want to wander down. Right. That's actually the odd thing is that it's frankly just a harder to access platform for e-commerce. People are just doing business. People rely on reviews and reputation and having a better product or a better price or faster shipping
Starting point is 00:12:23 or better shipping than their neighbors. It's not that scary. All right. Emily Wilson, thanks for joining us. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:12:57 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. My guest today is Brian White. He's the chief operating officer at RedOwl, a company that provides information security and regulatory surveillance products. He joined us in our Baltimore studios to discuss the challenges of defending organizations from insider threats,
Starting point is 00:13:38 both malicious and accidental. We have email, chat, phone calls we make, activity we do on the network, what we do on an endpoint, what we may do with a physical badge, where we go, and all that data exists. But the problem has been that it's been very difficult to pull it into one place and then, you know, really find some meaning within that data. So the founding vision was how do we pull together structured data, and that is the network data that I'm talking about, as well as the unstructured data, that being the email, the comms, the voice, and put it into a platform and then apply analytics on top of it. And the use cases that we solve are really around how do you mitigate human risk? What are you doing around the insider threat?
Starting point is 00:14:24 And we define that very broadly. So one broad set of use cases for us is for the information security community, where we help those organizations really look to uncover if they have a malicious, compromised, or negligent employee. And maybe during this, we'll go a little bit deeper into those. But the other use case that's germane is what we're doing in trader surveillance. And that is what we do for large investment banks and asset managers that are looking to surveil their trading activity. And they're mandated to do it.
Starting point is 00:14:58 But what has happened is that they really have had some very legacy style tools. And so they are now taking advantage of companies such as ours to have the capability to look and do their essential supervisory review to make sure that their employees are compliant, as well as, and perhaps more importantly, use the analytics to uncover those that may be doing something that they don't know about. And so those are the, to us, it's the same problem because it's insider risk, but there's two different people that are interested in the issue. Take me through the insider threat types, you know, the person who is out to do bad and the person who may just not know any better.
Starting point is 00:15:37 Yeah, no, that's a great point. I mean, the reality is, I think we'll all know about the insider threat because of Edward Snowden. And, you know, he's one of many and perhaps the most public, especially with, I think, the new movie coming out this week, the Oliver Stone film, about what a committed insider may do. And, you know, to me, he was clearly a malicious insider and not venturing my opinion on what I think about his actions. The reality is that he took information and exposed it to people that should not have had it. And I think what he proved is that, you know, very publicly, the kind of damage that somebody can do when they're committed to this. And you have not just seen that, obviously, in a public breach there, but you see that actually across, you know across corporate America day in and day out. And we have been able to catch people taking information before going to a competitor. And so these happen fairly regularly where an
Starting point is 00:16:36 individual is committed to take information that they should not and expose it to somebody else. So to us, that individual is a malicious insider. But there are two other types that are equally as important. One is the negligent insider. And that is, you know, essentially that is probably a lot of people that may even be listening to this. Those are individuals that, you know, they may, you know, share a document inadvertently with somebody. They may access a site that they should not have access to. They may leave. They may send information somewhere. They may bring it into a cloud service. And by doing that, they're exposing information and they're introducing more risk. But they don't
Starting point is 00:17:16 set out when they get to work in the morning to do something bad. Those are the negligent users. And they're perhaps the most concerning because you need to really start to train them on the education and awareness. And then when you do have a program in place to catch them, you don't want to, you know, obviously take a termination action against them, but you do want to uncover, okay, what happened here? What can we learn to do better? And how is this applicable across the organization? Because often what they're doing is probably somebody else is making a similar type mistake.
Starting point is 00:17:51 And then the third category is really, as you well know here, the compromised insider. And this is clearly the primary means of access now with spear phishing, running an exploit, and then going ahead and taking over your account. And essentially what is happening there is you are doing something that is unlike you. Because as I always say to people, you know, the cyber threat is sometimes lost in these big words and whether it's the Chinese or the Russians or the APT or whatever term we want to throw in there. But the reality is we've gotten fairly good at, you know, stopping the automated style attacks. And when people are really trying to break in and do harm, especially to large, sophisticated organizations, it is a person doing it, point one. It's a person sitting somewhere taking remote access and moving around to find out what they're looking for. But when that person is using legitimate credentials, they are doing actions that are unlike the
Starting point is 00:18:46 legitimate person. For example, when you or I show up at work every morning, we do a lot of things that are generally the same to us. We open up email, we check the sports site, we read the news, we then have a lull and we go grab a cup of coffee. We generally show up at the same time at work. Now, if you are all of a sudden not doing those actions and accessing source code repositories, seeking to escalate privileges, that's an issue and that should be flagged. So really what we're trying to do with those insiders is find them from the inside and prove out that their pattern looks different. And therefore, this person may be a compromised account and therefore requires some
Starting point is 00:19:25 investigation. What are the parts of what you're doing that are still puzzling to you? What are the harder parts that if only we could figure this part out, what we're doing would be a lot easier? I think the story that for some reason is underplayed is the people in the organization and just what type of, I think there's a study out there that says that 20% of employees would sell their logon credentials for less than a hundred dollars. I mean, it's the people who, you know, don't even know that they're necessarily targets. And I think we need a broader public discussion on this issue. And then, you know, from a company and from a technology perspective, listen, we're excited with where things are going.
Starting point is 00:20:05 I mean, you know, taking advantage of, you know, data stack, data stores like Elastic, being able to do, you know, some very fun streaming analytics, being able to deploy in AWS. I mean, you're just taking advantage of a very ripe environment to deploy our type of technology. And it's fun. My thanks to Brian White. He's the Chief Operating Officer at RedOwl. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
