CyberWire Daily - DDoS continues to trouble New Zealand’s stock exchange. A glitch, not an attack. New Chinese export controls. Oversharing agencies? Who’s the bank robber? A botnet serving ad fraud.
Episode Date: August 31, 2020
New Zealand's stock exchange continues to fight through offshore DDoS attacks. Sunday's Internet outage was a glitch, not an attack. China enacts new technology export controls that may impede the sale of TikTok. Danish authorities investigate allegations of data sharing with NSA. North Korea says it doesn't rob banks, but Americans do. Caleb Barlow looks at security validation and how it can help manage vendors and SOCs. Rick Howard has the CSO Perspective on Identity Management. And a look at Terracotta, a botnet serving up ad fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/169
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
New Zealand Stock Exchange continues to fight through offshore DDoS attacks.
Sunday's internet outage was a glitch, not an attack.
China enacts new technology export controls that may impede the sale of TikTok.
Danish authorities investigate allegations of data sharing with NSA.
North Korea says it doesn't rob banks, but Americans do.
Caleb Barlow looks at security validation and how it can help manage vendors and SOCs. Rick Howard has the CSO Perspective on identity management. And a look at Terracotta, a botnet serving up ad fraud.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 31, 2020.
DDoS attacks against New Zealand's principal stock exchange have continued. Such attacks effectively shut down the NZX exchange for much of last week, and distributed denial-of-service attacks have continued into this week. Reuters reports, however, that NZX has resumed trading after arriving at an agreement with the Financial Markets Authority to use alternative ways of releasing market announcements. According to Reseller News, NZX has brought in DDoS mitigation shop Akamai to help control the effects of further attacks. MENAFN says that New Zealand's Government Communications Security Bureau, the GCSB, has been called in to help investigate. The GCSB has issued a general warning to New Zealand businesses that they ought to be ready for further cyberattacks. No one has a good read on who's responsible for the attacks. Stuff says the GCSB has no significant leads on who may be responsible, although press reports have said the attacks came from somewhere offshore.
A major internet outage yesterday, which ZDNet said affected some 3% of traffic worldwide, was not the result of a cyberattack. Instead, it seems to have originated with a misconfigured Flowspec rule at a CenturyLink data center in Mississauga, Ontario. The problem appears to have been contained, and while CenturyLink continues its investigation, DDoS protection shop Cloudflare has offered a timeline and some well-informed speculation about the origins of the outage. They say it took about four hours to resolve the problem after it was detected. Forbes puts the duration of the outage at half a day. In any case, service was restored Sunday.
China has enacted new export controls on artificial intelligence technology that the Nikkei Asian Review sees as likely to derail any acquisition of TikTok assets by U.S. corporate suitors. The new restrictions, which the Wall Street Journal reports Beijing announced Friday, cover such technologies as text analysis, content recommendation, speech modeling, and voice recognition. ByteDance, TikTok's corporate parent, quickly said that it was aware of and fully intended to comply with the new restrictions.
Reuters says that Danish authorities are investigating the country's Defense Intelligence Service following allegations that the service shared Danish citizens' data with the U.S. NSA. The Danish government has said little beyond stating that its investigation represented follow-up to a whistleblower's complaint.
Remember last week's discussion by U.S. agencies in which CISA, NSA, and FBI outlined their reasons for pinning a wave of cyber bank robberies on North Korea's Hidden Cobra group, specifically on the unit called the BeagleBoyz? It is, of course, a DPRK government threat group that seeks to redress the country's chronic financial shortfalls through direct theft. Anyway, on Saturday, North Korea's foreign minister denounced the United States as a mastermind of cybercrime and said that Pyongyang wasn't stealing, but that Washington was. In particular, the DPRK foreign ministry says that the Americans are the ones who've been guilty of robbing banks and doing other stuff like that to the world financial system. Korea JoongAng Daily, a legitimate news organization and not a North Korean mouthpiece, quotes, with what we imagine must be a straight face, Pyongyang's National Coordination Committee for Anti-Money Laundering and Countering the Financing of Terrorism, as describing the country's consistent position as one of opposing every form and shape of criminal acts in cyberspace, and stating that integrated and consolidated legal and institutional mechanisms are put in place in our country in order to prevent and eradicate cybercrime of all forms and manifestations. So there.
And finally, ZDNet reports that Google has removed an undisclosed number of ad fraud apps being spread by Terracotta, a botnet discovered by bot-hunting security firm White Ops. Terracotta uploaded apps to the Google Play Store. The apps promised free stuff to users who installed the applications on their devices. So what kind of free stuff? Shoes, sneakers, and boots were the most common phish bait, but Terracotta, which White Ops says they began tracking late last year, sometimes offered tickets, coupons, and expensive dental treatments. Dental treatments are surprising, aren't they? If we were going for tooth implants, veneers, or tooth whitening, the Play Store wouldn't be our first stop. But then dental plans evidently differ.
Once you were incautious enough to download the proffered app, you would have been asked to wait two weeks to receive your new kicks or your coupon for a free gum scraping. Of course, these don't materialize. What did materialize was WebView, which ZDNet describes as a stripped-down version of Chrome. WebView would run quietly and continuously in the background, racking up bogus page views to pull in money for worthless ad impressions. At the end of two weeks, it's hasta la vista and seek elsewhither for periodontal treatments or those Demonia men's ankle boots you were jonesing for. Of course, by then, Terracotta has made its masters their money.
Why should users care? Well, not you, of course. We mean the selfish users without either public spirit or fellow feeling, who don't care who gets stuck as long as it's not them. Those guys. Well, there are several reasons. For one, it drains batteries. For another, it eats up the user's mobile bandwidth. So before you hit the Play Store, you may just want to check your dental plan.
And joining us once again is Rick Howard.
He is the CyberWire's chief analyst, also our chief security officer.
Rick, it's great to have you back.
On CSO Perspectives this week, you are tackling identity management.
This is something that I can't say I'm an expert in.
This is one of my weak points.
And so what I do when I try to learn something new is figure out the history of it,
how we got to where we are today.
And it turns out that the history of identity management
is fascinating and convoluted and full of internet drama,
which I just love.
All right, well, take us through some of it.
All right, so the first part is we get passwords in 1960.
The guy that invents the use of passwords is a famous founding father for computer science and the internet. His name is Dr. Fernando Corbato, and I always mispronounce it.
But he's the guy that decides that we're going to use passwords to log into systems.
He's also famous for inventing timesharing, if you remember that back in the day.
Yeah, before timesharing, it was all batch processing.
And he was responsible for coming up
with the original Multics operating system.
This is a failed experiment
to build a better operating system,
but it turned into Unix.
So the things they learned at Multics
made Unix what it is today.
Okay, so, but Dr. Corbato, all right, he invents passwords
and thus gives bad guys a never-ending list of things
to go after.
So in fairness to him though, okay,
the weakness of passwords didn't really show up
for like 30 years, you know,
when the internet started getting humming, all right.
So anyway, passwords, 1960s.
We get access control lists in the 70s and 80s.
We get MIT inventing Kerberos, okay,
which is an authentication system in the late 80s.
And LDAP in the early 90s.
And then Microsoft decides to combine LDAP and Kerberos
into their famous Active Directory,
which still exists today. It's just one of the most used kind of systems altogether.
And then after that, we get two authentication and identification processes. One is SAML,
and the other one is OpenID combined with OAuth, right? And that's where the internet drama is.
I'm not going to talk about it today.
You should listen to the episode to figure it out.
Okay, but the one I want to talk about is federation.
And you and I were talking before the show.
We both sort of knew what this was before,
but not really, right?
That's not, you didn't really know about it.
Yeah, yeah.
So federation is this idea
that you're going to have a partnership
with authentication and identity.
So, here's Helen Patton.
She's the CISO for Ohio State University.
She's going to explain it to us.
One of the things I really like about being in higher ed is there's always been a need for researchers from different institutions to be able to collaborate.
So we've always had federated identity.
Well, not always, but we've worked early on having federated identity management options.
So, for example, if I'm visiting my friends at the University of Michigan, I can go up there and log in with my OSU credentials and get access to the things that those credentials allow me to have on the U of M campus. Whether or not you're authorized to get into an application still happens at the local level, but the identification of who you are is federated.
It's interesting, but okay, so you've got federation. What does that do for you in terms of granularity?
Yeah, exactly, right?
The way I look at it is it's kind of the associative property for zero trust, okay, or for just trust. Because essentially, if Ohio State University trusts the University of Michigan and Ohio State University trusts Helen, that means by default the University of Michigan trusts Helen. So that's all fine and great, but the granularity there is not that fantastic. She either gets all or nothing. There is not a whole lot of in-between. The good news is, okay, that the local administrators of the campus or the networks, they do grant control to those individuals. So there is some, but it is not a perfect solution.
All right. Well, looking forward to this one. It's identity management over on CSO Perspectives. You can check that out on our website, thecyberwire.com. It's part of CyberWire Pro. Rick Howard, thanks for joining us.
Thank you.
And I'm pleased to be joined once again by Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
You know, there's that old chestnut of a saying of trust but verify.
And I think that comes into play when we talk about security and validation of our security measures.
And I know this is something that you talk about a lot, particularly when it comes to some of the higher-ups in an organization.
So, Dave, that's an interesting question. Let me tell you, I sit on a public board, right? I run a public company. And this is a huge challenge for the C-suite and for the board.
You know, are those investments you're making, are they actually showing a return when it comes to
security? But there's a new class of tools and services that I think really holds a lot of
promise. It's something called security validation. And remember, you know, on average, your typical
company's got about 47 different security solutions from probably, you know, equal or more vendors.
And you always wonder, do they really work when put to the test? Well, this whole journey kind of starts off with people testing, you know,
kind of environments either in a cyber range, which, you know, a lot of people know I've done
a lot of work in, or, you know, or let's say even just a tabletop exercise. Let's go through a mock
drill. Does it really work? You know, do our plans actually come into place? And then engineers at
Netflix actually came up with a fascinating idea about 10 years ago, something called the chaos
monkey. Have you ever heard of this, Dave? I have, I have. Go on. Well, you know, the cool thing about
the chaos monkey for Netflix was it was a way of randomly terminating sessions in production
to make sure their tool could work. And, you know, you could watch the latest episode of your favorite show.
But some security professional started to apply the chaos theory to security.
And literally, let's throw inoculated malware into our production environment and see if the team detects it.
And the early tools were, well, frankly, they were a bit clunky, right?
You'd throw something in and, you know,
you'd wait and see if anybody set off an alert or whatever.
But these new class of tools,
well, what they did is kind of magical.
They linked not only the ability
to send inoculated malware between two agents
and, you know, effectively walk your way down
the MITRE ATT&CK framework,
but they connected to the logs of all your security devices. So they're connected to the IPS and the
SIEM and everything in between. And what they're doing is actually going and saying, all right,
we're going to launch this inoculated piece of malware between these two agents.
We're going to see, you know, did Palo Alto detect it? Did FireEye detect it? Did
CrowdStrike detect it? Oh, look, they did pick it up. Did it show up in, you know, QRadar or another
SIEM? And then they're going to say, well, how long did it take for the eyes on glass to open a
ticket? How far did they go with the investigation? So the great thing about this new class of tools
is you can actually measure not only the performance
of your overall defenses,
but you can also measure the performance of your team.
Now, does this also give you the opportunity
to have insights on perhaps what tools you've got
up and running that never really kick in,
that never do anything,
the stuff that you're throwing money at,
but maybe you don't even need?
Or worse yet, a tool that you think is working right,
but maybe isn't configured properly
for one form of an attack.
And I was talking about this with my team,
and one of my guys gave me a really good analog.
And he said, this security validation thing,
he said, it's a lot like a medical or a surgical timeout.
So when a surgical team is getting ready to operate on a patient, you know, they have literally a timeout, right?
They got a lot going on and say, all right, let's just pause everything.
Is this, you know, Mr. Finn?
Yes.
What are we operating on?
We're taking out his appendix, not his gallbladder, right?
And they go through a series of checks to verify that everything is in the right place.
Security validation kind of does the same thing.
You're forcing a scenario in
and you've got the ability to pause and go,
okay, did the IPS detect it?
Did it route it to the SIEM?
Did the SIEM properly correlate all of the rules?
Did it elevate to the SOC?
How long did it take the SOC operator to get eyes on glass on this and start investigating it?
Did they escalate it properly?
And now you've got the ability to go back to your C-suite and say, hey, we tried these 10 fundamental tasks, including that new attack that came out last week, we tried that too.
And we did really good in these areas. We didn't do so hot in this one area,
and that's where we need to invest and have some proactive action.
I suppose it also provides a little bit of a translation layer for them that you're able to
put things in the terms, those risk terms that they enjoy so much.
Well, think of it this way, right? So if I go in and do a security assessment on a company,
I'm giving you a score that's usually going to the board of how well your architecture,
your decisions, your procedures lay out. But what I don't know is,
do they actually work when put to the test?
This gives me the next layer to say,
okay, your assessment said A and B and C,
and then I was able to validate,
and yes, A and B and C are actually working.
Those controls are operational
and performing exactly as they're designed.
And that is a big vote of confidence.
Anything to look out for here?
Is it possible to go into this with best intentions,
but come up short?
People go down this path,
but for one reason or another,
end up not getting the information
that they were hoping to get?
Well, look, I mean, you always run the risk
of actually finding out
that the emperor has no clothes and your security systems don't work
as you had them designed.
But I would argue that's probably something you really want to know.
And at the end of the day, yes, these tools are very new.
This is a whole new area.
But I really think this has the opportunity to take things like security assessments
as well as even training, you know, cyber range, tabletops,
all those types of things to a new level,
because we can actually try some of these cases in production.
Hmm. All right.
Well, Caleb Barlow, thanks for joining us.
Thanks, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time, keep you informed, and it won't leave you stranded by the side of the road.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.