CyberWire Daily - Daily: Yahoo's big breach—industry reactions. Spyware circulates in the wild. Investigation of election hacking continues. Hacktivism and "faketivism." The ShadowBrokers are back.
Episode Date: December 15, 2016. In today's podcast, we hear about Yahoo's disclosure of a record-setting breach: over a billion customer accounts are affected. CyberWire editor John Petrik collects industry comments on the breach. Microsoft reports finding "FinFisher-like" spyware in the wild. US investigation of Russian election hacking continues. The case for and against Fancy Bear is being made by observers, but the Intelligence Community says it will keep its conclusions to itself until the investigation is complete. ThreatConnect describes "faketivism." And the ShadowBrokers are back, and their broken English hasn't gotten more convincing.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Yahoo discloses a record-setting breach.
Over a billion customer accounts are affected.
Microsoft reports finding FinFisher-like spyware in the wild.
U.S. investigation of Russian election hacking continues. The case for and against Fancy Bear
is being made by observers, but the intelligence community says it will keep its conclusions to
itself until the investigation is complete. ThreatConnect describes faketivism, and the
Shadow Brokers are back, and their broken English hasn't gotten more convincing.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, December 15, 2016.
Late yesterday, Yahoo! disclosed that the company was breached in August 2013,
with more than a billion customer accounts compromised.
This incident is said to be distinct from the breach disclosed in September of this year,
and that earlier breach affected 500 million customers.
Quote, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords using MD5,
and in some cases encrypted or unencrypted security questions and answers, end quote.
That's the official statement from Yahoo.
This incident is regarded as being the largest breach on record in terms of the number of individuals affected.
The company's investigation concluded that an unauthorized third party in August 2013
stole data associated with more than one billion user
accounts. The company has not been able to identify the intrusion associated with the theft,
but believes this incident is distinct from the one the company disclosed on September 22nd of
this year. Yahoo also reports that an unauthorized third party accessed Yahoo proprietary code to
forge cookies, and that this third party seems to be
connected to the unnamed state-sponsored actor Yahoo believes is responsible for the breach,
the company reported in September. The company doesn't know how the breach was accomplished,
but does believe the culprits were state-sponsored. Who that sponsoring state might be remains
unspecified. Other observers who've looked into the matter, notably the security firm InfoArmor,
which investigated the earlier breach, take issue with that conclusion,
saying the breaches look like the work of criminals,
albeit criminals who may have had nation-states among their customers.
Yahoo says it's working with appropriate law enforcement agencies
and that it's notifying affected customers.
Observers expect this latest breach disclosure to affect Verizon's planned acquisition of Yahoo's core assets.
Security industry experts have weighed in with their views on what happened
and how such attacks might be prevented or mitigated.
We'll talk a bit later with the CyberWire's editor, John Petrik,
who will give us an overview of some of these reactions.
Microsoft reports finding FinFisher-like spyware in APTs on European and Turkish systems.
FinFisher is a controversial lawful-intercept tool that's been connected with surveillance by various repressive regimes.
U.S. investigation of Russian election hacking continues.
The Department of Homeland Security says the vote wasn't manipulated,
and many observers have read this as contradicting assertions by the CIA
that Russian operators did indeed seek to influence the election.
In fact, however, they're talking about two different kinds of hacking.
Homeland Security is saying that the vote count itself wasn't interfered with,
that there's no evidence that voting machines or vote tallying were compromised.
The CIA's claims refer to the doxing that released various discreditable emails
from senior figures in the Democratic Party and the Clinton campaign.
This was election hacking, if you will, but hacking in the service of influence operations, not vote fraud.
The intelligence community is investigating this apparent Russian activity
and says it will have little further comment until the investigation is complete.
The Intercept has a useful skeptical rundown of the case against the Russian intelligence services.
They acknowledge that there's plenty of circumstantial evidence that Cozy Bear and Fancy Bear
indeed took an interest in the U.S. presidential election,
but they argue that such evidence would fall short
of what an indictment would require.
The threat intelligence firm ThreatConnect
offers an account of how influence operations
are likely to work in practice.
Such operations commonly involve false flags
and front identities long familiar in covert operations.
ThreatConnect has concluded that Fancy Bear, the Russian intelligence agency known as the GRU,
uses these faketivist fronts in its work: CyberCaliphate, fake ISIS sympathizers;
CyberBerkut, fake Russian-sympathizing Ukrainian separatists;
Guccifer 2.0, a bogus homage to the well-known Romanian hackers;
DCLeaks, a phony WikiLeaks subproject; and AnPoland, which purports to represent the
Polish branch of the Anonymous collective.
The Shadow Brokers, hacktivists or faketivists, you can take your pick since there seems something
fishy about them however you cut it, who've been trying since this summer to auction off what they claim, plausibly, to be Equation Group attack code, resurfaced this week.
They're reconsidering their sales model, giving up on the auction and returning to retail.
A site has come to light that's now offering Equation Group tools for sale to all comers.
No word yet on how sales are going.
Part of what renders the Shadow Brokers' story less than fully convincing
is the screenwriter's broken English they affect in their communiques.
They're again chatting with Motherboard and still sounding like the syllable-chewing crocodiles
in the Pearls Before Swine comic strip.
Here's a sample in which they sort of explain what they're up to.
Quote,
The Shadow Brokers is not being irresponsible criminals.
The Shadow Brokers is opportunists.
The Shadow Brokers is giving responsible parties opportunity to making things right.
They choosing no, not very responsible parties.
The Shadow Brokers is deserving reward for taking risks, so ask for money.
Risk is not being free.
Behavior is obfuscation, no deception. End quote.
So take that, NSA, or whoever the responsible parties are.
Oh, and one more thing.
As Columbo would have put it,
the Shadow Brokers is not commenting on operation details.
Is bad OPSEC.
Words to live by, kids.
We'd never be in favor of bad OPSEC unless, of course,
you're a bad guy. In that case, be as sloppy as you want to be.
Joining me once again is John Petrik.
He's the editor of the CyberWire.
John, we've received a lot of commentary from people around the cybersecurity industry on this Yahoo breach.
Give us a rundown.
What are people saying about it?
Yeah, we have heard a lot. I think we'll start with what Yahoo itself has said, and their statement is worth quoting at a little bit of length.
Yahoo said late yesterday, quote, dates of birth, hashed passwords using MD5, and in some cases encrypted or unencrypted security
questions and answers. The investigation indicates that the stolen information did not include
passwords in cleartext, payment card data, or bank account information. Payment card data and
bank account information are not stored in the system that the company believes was affected. End quote.
The revelation that perhaps security questions were breached, that's of particular interest.
It is interesting. For example, we heard from STEALTHbits Technologies, who pointed out that
these kinds of questions tend to get used from multiple sites. And in fact, the information
that is embodied in the questions and their answers is difficult to change.
Assuming that you're telling the truth in answer to these questions,
you're never going to have a different kindergarten teacher. Your first pet is
never going to have a different name. He's always going to be Rover. The first car you
owned is not going to change. So a number of people are saying that they think that
this is another reason to move away from the password security question system
towards forms of multi-factor authentication that need to be more widely adopted.
That's the kind of feedback we're hearing on that.
And what about attribution?
What are people saying, you know, in this case, whodunit?
Well, that's interesting.
Yahoo is talking a lot, and they have been talking a lot about state-sponsored actors
without specifying the state that did it. So, you know,
a priori probability says, who are the state-sponsored actors who do this kind of thing?
Well, you know, everybody's going to assume Russia, China, North Korea. But it's not clear
that that's really the case. InfoArmor, who investigated at some length the earlier breach
that Yahoo acknowledged back in September of this year,
told us that, well, that's Yahoo's theory, but they're not convinced that's the case. They thought that the earlier breach was committed by a criminal group, and they're calling it Group E.
They say they're Eastern European black hats. So think a kind of cyber mob. And they're stealing
it for all the kinds of reasons that criminals steal these kinds
of credentials. They do say, InfoArmor does say, that Group E may well have customers who include
nation-states, but that they think the actual hacking was
probably done by this criminal group. And remember, that attribution is always circumstantial. So this is
all to be taken with an appropriate degree of skepticism. But they do seem to have a point about that.
There's some gray areas in the distinction between criminal groups and state actors.
Last year at the Johns Hopkins Senior Executive Cybersecurity Conference, we heard the U.S. Cyber Defense Advisor to NATO, Curtis Levinson, talk about this very thing.
And people were asking him, well, you talk about Russian hacking, Russian activity.
How much of this is the Russian government and how much of this is criminal mobs?
And he went on at some length, and clearly enjoyed doing so, to talk about Russia being a criminal nation.
He said, Tsar Putin is kept in power by criminals, is how he put it.
So his point is that the Russian government frequently does make use of and tolerates criminal hacking activity
because they can exploit this for intelligence purposes.
So the distinction between criminal gang and state actor may not necessarily be all
that clear. So in terms of recommendations, if you are someone who had a Yahoo account,
what are people saying you should do? Well, we got a list of things to do, a to-do list from
WinPatrol. They said, before you delete the account, delete all emails and folders,
enter invalid information for security questions,
then delete the account. And they told us they recommend that because they found that when you remove accounts, they've sometimes seen that they're truly not deactivated. And this may be
why there were as many as a billion accounts that were compromised. They also say, obviously,
if you've used the same password on any other site, change it. Don't reuse Yahoo passwords.
If you've used security questions, the same security questions on other sites,
change the answers. Never reuse the answer to a security question. If or when the next hack
occurs, you don't want your answers to be used against you. If you associate your mobile phone
number with your Yahoo account, WinPatrol says beware. You may become a target of smishes,
those mobile phishing attacks we hear about.
They recommend that you ensure your security software is up-to-date
and capable of blocking attacks. So it's the good common
digital hygiene advice that we hear so often from people.
All right. John Petrik, editor of the CyberWire.
Thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.