CyberWire Daily - Dow Jones AWS S3 bucket exposed. FedEx 10-K and NotPetya. Game of Thrones torrent virus. Securing voting. Botnet defense research. M&A and VC notes. Initial coin offering hacked.
Episode Date: July 19, 2017
In today's podcast, we hear about how another tippy AWS S3 bucket spills its contents over the Web. The FedEx 10-K report indicates it may never fully recover systems and data hit by NotPetya. Virus hides in Game of Thrones torrent. Harvard's Belfer Center wants to secure electronic voting. Departments of Commerce and Homeland Security consider moonshot research to take out botnets. M&A and venture funding notes. Justin Harvey from Accenture on fileless malware. Robert Hamilton from Imperva Incapsula on DDoS attacks on video game servers. And an initial coin offering gets hacked.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
Another tippy AWS S3 bucket spills its contents over the web.
FedEx's 10K report indicates it may never fully recover systems and data hit by NotPetya.
A virus hides in Game of Thrones torrents.
Harvard's Belfer Center wants to secure electronic voting.
The Departments of Commerce and Homeland Security consider moonshot research to take out botnets.
We've got some M&A and venture funding notes.
And an initial coin offering gets hacked.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 19, 2017.
Another unsecured Amazon Web Services S3 bucket has been found.
You'll recall the three most recent instances of this sort of misconfiguration. The National Geospatial Agency, the Republican National Committee, and Verizon were all victims of third-party contractors or vendors who inadvertently exposed sensitive data.
The latest open bucket belongs to Dow Jones, which says 2.2 million customers were affected.
Security firm UpGuard offers a higher estimate, suggesting the possibility that around 4 million records were exposed.
Chris Pearson of ViewPost commented about this most recent AWS S3 issue. He said, quote, even after the news of RNC and Verizon having open access to data stores in S3 buckets at AWS, companies have yet to actually scan their networks and permissions in the cloud.
It was just announced that Dow Jones had its online storage configured to allow any authenticated AWS user to see the data they were storing.
So scan your AWS buckets for secure configuration.
A 10K filing from FedEx says that the shipping company doesn't yet know how long it will take to restore systems affected by the NotPetya attack,
and that it's possible the company's TNT unit, the one directly affected, may be unable to ever fully recover.
As FedEx put it in their 10-K, "We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems."
Securities and Exchange Commission Form 10-K is an annual report publicly traded companies in the U.S. are required to file with the SEC. It details company financial performance.
In its extended treatment of the NotPetya incident, FedEx added that, in addition to financial consequences, the cyber attack "may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods."
So, the NotPetya story isn't over, and FedEx is far from the only company that will be affected.
If you were planning to illegally stream Game of Thrones, think twice.
There are reports of a virus lurking in Pirate Bay torrents.
Anyway, here's all you need to know about Season 7.
Spoiler alert, winter is coming.
A virus hides in the torrents of Pirate Bay.
That actually sounds like showrunner dialogue, doesn't it?
If you're a competitive online gamer, it's tough enough to stay at the top of the leaderboard without other players using questionable means to try to knock you off or put you at a disadvantage.
Online gaming companies battle their own specific kinds of DDoS attacks,
and Robert Hamilton, product marketing manager with cybersecurity company Imperva, shares the details.
People that provide video game platforms are typically connecting hundreds, if not thousands, maybe even tens of thousands of individuals to a pool of servers. And unlike other servers, often gamers or people that create the gaming platforms are relying on proprietary protocols. That is, they've written the sort of communication protocol that's being used to communicate with the person playing the game on the other end, as opposed to the typical web server that relies on the HTTP protocol, which we call the application protocol, to communicate back and forth between a browser or a mobile client. So these are typically proprietary protocols that support a large number of users concurrently.
And so when they get attacked, how does it take shape?
What the attacker is trying to do is they're trying to overload the server with simulated players. So what they're trying to do is they're creating little attack bots that pretend to be people playing the game, but playing the game in a way that no human would ever play it, creating a lot of commands, in other words, a lot of activities. And they're attempting to overload that gaming server so that legitimate players, the real humans, can't get in and can't play the game.
And of course, these online games rely on connectivity to make their money.
Oh, absolutely. They're only making money when real people are playing the games. They don't make any money off of these attack bots.
And so what's the motivation for the attack? Is it a competitor? Are they holding them for ransom? Why are they doing it?
Typically, what we found in the past is it's a game. By its very nature, it's competitive. And a lot of the people that play these games are also really into computers. And what they want to do is they're using DDoS attacks as a sort of a competitive weapon, either to keep their competitors from playing the game or to give themselves an advantage where they're playing the game and the people that may be trying to play the game can't get in. So to a large extent, we believe it's individuals that, through their competitive nature, are trying to knock the site off or slow it down. We have seen in the past attacks where one gaming company might attack another gaming company to give itself a competitive advantage. But it's mostly individuals that are trying to make life hard for other people that are trying to play the game.
And so the people who are providing the game, how do they defend themselves against this?
The people that are providing the games will look for a system or a service that can identify who's a human and who's not. They're basically capable of blocking the non-human traffic, only letting the human gamers go through.
That's Robert Hamilton from Imperva.
In the U.S., a bipartisan initiative to secure electronic voting spins up at Harvard's Belfer
Center. It's led by former Clinton and Romney presidential campaign managers.
Its advisors include security leads from Facebook, Google, and CrowdStrike.
The U.S. Departments of Homeland Security and Commerce have commissioned studies,
looking into the possibility of a moonshot challenge for combating botnets.
In industry news, Awake Security emerged from stealth this week with $31 million in funding.
The startup's technology has been compared to near-unicorn Darktrace.
ScaleFT has closed a $2 million seed round. And there's some M&A news. Rapid7 has announced
its acquisition of security orchestration startup Command for an undisclosed amount.
Cybercriminals hacked Israeli cryptocurrency startup CoinDash's initial coin offering,
stealing many of the tokens on sale.
It's thought that the currency taken was worth about $7 million.
The thieves were able to divert investors' Ethereum to the wrong address.
Ilya Kolachenko of security company Hitech Bridge told us in an email
that it's another reminder that blockchain technology in isolation
doesn't necessarily increase security and may even increase risk. As he put it, quote,
Many users, fooled by investors and so-called serial entrepreneurs, blindly believe that
blockchain, particularly cryptocurrencies, can make a digital revolution and provide an
unbreakable security. Unfortunately, this assumption is wrong and leads to a very dangerous
feeling of false security, end quote. If the crooks cash out intelligently, they may go uncaught.
Kolachenko added, victims of this hack will be quite unlikely to get their money back,
as technically speaking, it's virtually impossible. And law enforcement is also
unlikely to be able to do very much. So, any advice for those who would invest in cryptocurrencies?
Kolachenko is something of a skeptic.
He calls such investment a very profitable but risky game,
like investing into North Korea.
Better to place your cash into Apple or Google stock
if you have no financial experience.
Wait, there are profitable investment opportunities in North Korea?
If you're a member of the wealthy elite and have a high tolerance for risk, well, good luck.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the
world what AI was meant to be. Let's create the agent-first future together. Head to
salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident Response Leader with Accenture.
Justin, welcome back.
We have heard a lot lately about fileless malware. First of all, let's go through here and just describe to us, what are we talking about with fileless malware?
Well, fileless malware really has two types of categorizations. The first would be truly fileless. Something comes in through a document, an attachment, or something you get through a web transaction, and it is executed and resides in memory. There's another definition which we use in the industry where fileless malware could also be executable-less malware. And that type of fileless malware is delivered usually via some sort of scripting language; VBScript and PowerShell are the two most frequently used. And those types, while one could argue, yes, they are scripts, they could be files, a lot of times they don't touch the file system. They come in through a Word document or Excel document or some sort of attachment that enables the attacker to trick the user into hitting enable macros. The enable macro function runs an auto start script. Typically that's programmed in VBScript. It goes out to the internet. It goes to a hosting site that has a malicious PowerShell. It pulls that down and then it executes it. Now, both of those types are what we consider fileless malware.
And the notion being that when there's no file, that makes it harder for the AV software, which would be looking for a file, to detect it.
Correct. I think this is one of our biggest areas of concern in cyber defense today: what do we do about scripts? It's very easy to take an executable and create a signature from it. Or if there's polymorphic malware, be able to identify, well, it's this type of packer, or it has to persist by getting inside of the registry and working with these keys or performing these sorts of function calls we know to be malicious. Scripting is a lot harder to be able to put some controls around, and that's why we're seeing a lot more PowerShell type of malicious attacks.
And is this a situation where, because the malware is residing in RAM, in terms of persistence, if you reboot, does the malware then get wiped clean?
Yes and no. In a normal fileless attack, normal meaning the first definition, meaning that there was an executable or something that came down that's resident within the memory, yes, when you reboot the system, it is gone. For that first type where an executable is used and it doesn't persist, the adversary needs to either work quickly to get secondary or tertiary methods of getting onto that system, or they need to get the data off as fast as they can. The second definition, so a PowerShell type of attack, there are methods and means to persist even after reboot using that scripting language, but they're not as obvious as an executable, let's say, in the startup folder, for instance.
All right, interesting stuff. Justin Harvey, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.