CyberWire Daily - Dutch DDoS arrest. Pyongyang is interested in cryptocurrency. So is the US SEC (in a different way). Uber explains its breach disclosure. New wrinkle in the "Microsoft" Help Desk scam.

Episode Date: February 7, 2018

In today's podcast we hear that Dutch police have made an arrest in last week's financial sector DDoS case: it's a teenager. North Korean interest in stealing cryptocurrency remains high. Adobe patches the zero-day Pyongyang had exploited against Seoul. Hardware wallets found vulnerable to man-in-the-middle attacks. Cryptojacking trends. US regulators take a hard look at alt-coins and how they're traded. Uber says it regrets not coming clean sooner about its breach. Justin Harvey from Accenture on ransomware, to pay or not to pay. Guest is Yassir Abousselham from Okta on their 2018 Business at Work report. New trends in an old help desk scam.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Dutch police make an arrest in last week's financial sector DDoS case, and it's a teenager. North Korean interest in stealing cryptocurrency remains high. Adobe patches the zero-day Pyongyang had exploited against Seoul. Hardware wallets
Starting point is 00:02:10 are found vulnerable to man-in-the-middle attacks. Cryptojacking trends. U.S. regulators take a hard look at altcoins and how they're traded. Uber says it regrets not coming clean sooner about its breach. And there are some new trends in an old help desk scam. I'm Dave Bittner with your CyberWire summary for Wednesday, February 7th, 2018.
Starting point is 00:02:40 Dutch police have made an arrest in the distributed denial-of-service attack that disrupted some of the country's financial institutions last week. It's an unnamed teenager from Oosterhout who rented a booter service for unclear reasons. His alleged and allegedly confessed use of those booter services may explain the Russian IP addresses that ESET and others reported seeing associated with the attack traffic. Adobe has issued a quick fix for the Flash Player exploit that's been used in the wild against mostly South Korean targets. The attacks have been generally attributed to North Korean operators. North Korean cyber operators are also believed to be engaged in an ongoing campaign to steal cryptocurrency that continues during the run-up to the Olympic Games. South Korean authorities think it possible, and are investigating this possibility,
Starting point is 00:03:25 that Pyongyang's hackers were responsible for last month's raid on the Japanese cryptocurrency exchange Coincheck. The DPRK's interest in cryptocurrency closely trailed the dramatic run-up in prices that peaked, for a while at least, at the end of 2017. While they're mulling this over, altcoin mavens should look to their wallets. Most of the big recent heists have come in the form of raids on hot wallets, that is repositories for the cryptocurrencies that are themselves connected to and resident in the internet. Security experts concerning themselves with Bitcoin and other blockchain-based media of
Starting point is 00:04:01 exchange have accordingly recommended using hardware wallets, basically external detachable drives that can be used to store your altcoin. These too, however, have their issues. The Ledger brand of hardware wallets, among the most popular on the market, have been found susceptible to man-in-the-middle attacks. There will be no patch for them, says Ledger, as it responds to researchers' disclosure of the flaw. Instead, Ledger invites users of the cryptocurrency product to verify your receive address on the device's screen by clicking on the monitor button. The run-up in price has also driven a rising interest in cryptojacking, the practice of installing cryptocurrency mining software in non-cooperating devices, like your Android
Starting point is 00:04:43 phone. Whether in-browser or server-based, cryptojacking uses victim device resources in a mining pool that delivers coin to the master miners. The drain on resources can be sufficiently serious to noticeably degrade an enterprise's IT performance. Compromised WordPress sites seem to be growing in popularity as dispensers of cryptojacking malware. Cryptocurrency speculators were able to take a bit of comfort at midweek as prices of some of the more prominent alternative coins surged up to 20%. That's still off their peaks, and it will take some time before it's clear if this represents a return to what will prove a
Starting point is 00:05:21 secular bull market, or a return to a short-term speculative bubble, or if it's all just a dead cat bounce. One form speculation has taken is the initial coin offering. The U.S. Securities and Exchange Commission, or SEC, has been skeptical of ICOs, stopping a few of them as fraudulent, and objecting to others as offering, in effect, unregistered and unregulated securities. In testimony before the Senate Banking Committee yesterday,
Starting point is 00:05:48 the heads of two major market regulating bodies, the SEC and the Commodity Futures Trading Commission, the CFTC, distinguished the currencies themselves from their use in ICOs and from the blockchain technology that underlies them. In brief, they think that consumers who trade in these novel currencies tend to think the markets are better regulated than in fact they are. The regulators think that trading platforms should be regulated like exchanges, and that ICOs are in fact securities and should be treated as such.
Starting point is 00:06:19 They also expressed their conviction that in fact cryptocurrencies could have and did have real value. If the hearings are any guide, cryptocurrencies are well on their way to normalization as financial instruments. Security company Okta recently released the latest version of their Business at Work report, highlighting the most popular tools organizations are using to get their work done online. This year they added a section on security. Yassir Abousselham is Senior Vice President and Chief Security Officer at Okta,
Starting point is 00:06:49 and he takes us through their findings. Essentially, we see a lot of countries keep coming back in the headlines as the sources for cyber attacks. And when we looked at attack data, and here I have to stop and maybe define what attack means in this context, we focused on both password spraying attacks and brute force attacks against cloud services. So when we looked at these attacks, we found that they are coming or at least they're originating from pretty much everywhere in the world. There is some concentration in some specific countries. Specifically, China has something like 48% of all of the attack traffic, followed by the U.S. at 7.7%, and then France, 4.5%,
Starting point is 00:07:37 and finally Russia, 3.4% of all the attacks. What we also found is that 23% of all the attacks were coming from Tor exit nodes, which essentially tells us how important the dark web has become enabling cyber attacks. What we also, I guess, have as a takeaway is, and this is more of a recommendation, is that because these attacks are coming from everywhere, and because we obviously have limited resources as security teams to maintain the safety of our services and users, we need to start either blocking traffic, or at least
Starting point is 00:08:20 or at a minimum, stepping up authentication, meaning requiring a second factor. If we were not expecting legitimate traffic to come from some of these sources, for example, a country that we're not doing business with, then maybe it is somewhat safe to require that any user, any authentication from that country, needs to provide a second factor. If we're not expecting legitimate traffic to come from the dark web, then maybe we should just block it altogether. So this is kind of the first area. The second one was around the current state of passwords. We looked at the average password policy across the Okta ecosystem, and we analyzed passwords that have been previously compromised and published on the internet. And what we found is that the average password policy is something like eight characters
Starting point is 00:09:08 in length with complexity and lockout. The second thing that we found by analyzing the passwords that have been previously breached, obviously they're published on the internet, is that when users are given the choice, they tend to converge on shorter and less complex passwords. In fact, less than 4% of the passwords that have been compromised and published would comply with this average password policy that I just mentioned of eight characters in length and so on. What that tells us is that companies need to adopt password policies that are adequate for their environment and the assets that they provide access to,
Starting point is 00:09:49 but they need to enforce those policies. Obviously, they should not leave the choice when it comes to protecting critical assets to the end user to decide whether they want to have a long password or short and complex password and so on. And the last thing, last technique we highlighted was attackers know that, you know, most users tend to reuse the same password over and over again.
Starting point is 00:10:13 So they capitalize the first letter, they add numbers at the end, they add special characters at the end as well. And so what that does is that it really brings down that entropy significantly, and it really allows them to optimize the attack techniques to only focus on passwords that have the highest chance for success. That's Yassir Abousselham from Okta. There's much more to their Business at Work report than we had time to cover here, including multi-factor authentication
Starting point is 00:10:42 and the brute forcing of passwords. You can read the complete report on their website. Researchers at security firm UpGuard, who've been dining out for the better part of a year on their ability to find security problems with cloud services, have found another leaky Amazon Web Services S3 bucket. This one belongs to Octoly, a Paris-based firm that connects influencers on Instagram, Twitter, and YouTube with companies willing to provide them with goods and services for marketing purposes. You know the sort of thing. You try the product, and if you like it, you'll presumably recommend it to your friends and followers.
Starting point is 00:11:17 Some 12,000 influencers have had their data slosh out of Octoly's bucket. In other hearings before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber defended its controversial bug bounty program, but the company also said it had been wrong to delay disclosure of its 2016 breach. Critics had thought what Uber characterized as a bounty looked in certain respects more like a ransom payment. The ride-sharing company's congressional inquisitors heartily agreed with them on disclosure,
Starting point is 00:11:48 saying that delaying disclosure by a year certainly raised red flags. In industry news, the well-known security company Proofpoint announced that it will acquire Wombat Security for a reported $225 million. The acquisition is a significant one, and it indicates Proofpoint's intention to move into the anti-phishing and general security training market. Finally, there's a bit of evolution in the familiar Microsoft Help Desk scam, a scam we hasten to say is not the doing or responsibility of the Microsoft Corporation.
Starting point is 00:12:21 It's the scam in which a caller from Microsoft Help Desk tells you over the phone that they've detected malware on your Windows computer, which they will remove if you let them take control. In this new wrinkle, reported by researchers at security firm Malwarebytes, the hoods afflict Chrome by abusing an API, window.navigator.msSaveOrOpenBlob, to lock a page by repeatedly forcing the browser to save it to disk. The hack then displays a dialog box telling you, the victim, that your machine has been blocked by their ISP,
Starting point is 00:12:53 and that to recover, you should call Microsoft Help Desk and help them help you. What follows is easy to imagine. So don't call. Just kill the unresponsive page and get on with life. For now, this only affects Chrome, but similar infestations in other browsers are unlikely to be far behind. Calling all sellers.
Starting point is 00:13:19 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:13:51 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:14:12 Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:01 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
Starting point is 00:15:21 discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, we talk a lot about ransomware, and there's a little bit of controversy as to whether or not you should pay the ransom. Law enforcement
Starting point is 00:15:50 generally says don't pay. What's your take on this? Let's just look at the numbers here. There was a report that came out just recently that the record growth of ransomware in 2017 could hit $2 billion. Now, even, I mean, that sounds really high to me, but even if it's 10% of that, let's just say it's 200 million, it's still a pretty bad problem. And many organizations out there are suffering from this. And I used to be of a different camp. I have to admit, I was actually in the camp of saying, well, let's pay where it makes sense and we should explore it. And all these companies should have Bitcoin on hand ready to pay in case something happens. I've actually reversed the position. I'm actually more in the camp of not paying the ransom for a few reasons.
Starting point is 00:16:42 So there is an exception to this rule, which I'll get to. But I would say the 80% rule, 80% of organizations should not pay. So for a few reasons. Number one is you never know who you're paying the ransom to. You could be transmitting monies to a criminal enterprise. You could be transmitting money to a nation state or even a terrorist group. So it's really important to discern or, in this case, not pay because you don't know who the money is going to. You could be funding a terrorist organization. And the second reason here would be, in many instances, a company that pays the ransom does not get its files back. So there's no assurance that you have that, A, you're going to
Starting point is 00:17:26 get the decryption key, or in the cases that your data is being held hostage and being threatened to be leaked, that the data won't already be leaked after you pay that money. So finally, for the third case here, as we've seen with some recent news within the last couple of months, there could be a public and or consumer and or stockholder backlash of paying the ransom. If you're paying the ransom, it could be seen as misuse of corporate funds or in some cases, even breaking regulatory or laws. So therefore, you should tread with caution. Now, I did mention, Dave, that there's an exception to the rule. And I think that for critical infrastructure, for health care, hospitals, air traffic control, airlines, things where human lives are at stake, if there's a condition where there is a chance to get back the data or restore services, I could see that as making the case to
Starting point is 00:18:23 pay. But again, it's a slope I get going through in paying the ransom because there's no guarantee, A, you're going to get the result you want, or even, B, if it reaches the public's ears, there's no guarantee that someone else isn't going to shake you down for the same condition. And so I guess the lesson here is that you really need to plan ahead so that should you get hit with ransomware, you've got backups in place and you can transition to them as quickly and painlessly as possible. Exactly. A strong incident response program, strong endpoint detection and response capabilities, including monitoring, using least privilege necessary on your endpoints. So I see many companies taking an easy ride out and giving everyone domain or administrative access to their endpoints. There are ways to get around that and there are ways to better secure those endpoints. And finally, keeping all of your endpoints
Starting point is 00:19:23 and applications up to date and choosing a backup solution that's not tied to your network, something cloud-based or something offline-based so that if and when you are hit, you can easily recover without the ransomware encrypting your backups as well. Good advice. Justin Harvey, thanks for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:20:38 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:20:55 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:21:53 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
