CyberWire Daily - Election influence and election security. Threats to power grids. Ransomware and phishing updates. Loyalty program risks.
Episode Date: January 17, 2017
In today's podcast we hear warnings that electrical utilities should regard hacks of Ukraine's power grid as a wake-up call (the squirrel threat notwithstanding). Various nations work to shore up their defenses against Russian government hacking and influence operations. Russia protests its innocence, but there are some reliable reports of Fancy Bear sightings in Norway. Cyber criminals are back, except for those behind Locky ransomware, who seem to still be on holiday break. New approaches to ransomware and phishing. Dale Drew from Level 3 Communications tells us about BGP Flowspec. And a loyalty program at the Golden Arches may be proving problematic.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hacks of Ukraine's power grid are seen as a wake-up call for utilities, the squirrel threat notwithstanding. Various nations work to shore up their defenses against Russian government hacking and influence operations. Russia protests its innocence, but there are some reliable reports of Fancy Bear sightings in Norway. Cyber criminals are back, except for those behind Locky ransomware, who seem to still be on holiday break. New approaches to ransomware and phishing, and a loyalty program at the Golden Arches may be proving problematic.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 17, 2017.
Last month's takedown of portions of Ukraine's power grid remained spooky, prompting a number of it-could-happen-here stories, as observers fear that the hack was a dress rehearsal for an attack with widespread consequences. Contrarian observers make the sound point that squirrels have caused thousands of blackouts, while hackers seem responsible for about two. There's surely some breathless fear, uncertainty, and dread around, but it's worth noting that botnet-driven distributed denial of service with widespread effect was also seen by some as FUD until Mirai hit last September and October.
Russian authorities continue their pious denials of hacking in the service of espionage and influence, but few other governments take such protestations of good global citizenship with the seriousness the Russians would wish.
France and Estonia, in particular, are working to shore up defenses. France is particularly concerned about its May 2017 elections. Guillaume Poupard, director of the French security agency ANSSI, is quoted by France24 as saying, quote, We're clearly not up against people who are throwing punches just to see what happens. There's a real strategy that includes cyber, interference, and leaked information, end quote.

Commenting on French preparations and concerns, Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told the Cyber Wire that he thought hardening election systems against attacks was clearly a good idea, but he thinks it unlikely that cyber threat actors would change an election's results in a highly developed country like France. Kolochenko said, quote, obviously they can cause minor disruptions. However, saying that hackers can fraudulently elect a new president is like saying that gangs in a Paris suburb can defeat the French army, end quote. He added that influence operations, however, are highly probable.
Estonia has long been concerned, with good reason, about the neighborhood in which it lives, especially since its victimization in the 2007 cyber riots. The U.S. is still mulling its own responses during this final week of presidential transition.
There have also been reliable sightings of Fancy Bears snuffling and pawing through Norwegian military and foreign ministry targets. Security services throughout NATO are looking to their bear traps. Other threat actors, prominently including criminals, have also stirred to new activity. Palo Alto has identified and is following a second wave of Shamoon attacks.
Intel Security notices that some apps available on Google Play are stealing Turkish users' Instagram credentials and collecting them in a remote server. At least three unnamed Indian banks are reported to have sustained attacks on their SWIFT transfer systems. The Reserve Bank of India has been notified and is advising that banks take steps to mitigate the threat. Early reports indicate that no financial losses have been sustained, but the investigation remains in progress.
The attackers who hit MongoDB last week have apparently turned their attention to Elasticsearch servers, more than 2,500 of which have been infected with ransomware. This round of attacks suggests that ransomware operators are honing their techniques and adapting to newly perceived opportunities. The Cyber Wire heard from Terry Ray, Imperva's chief product strategist, about this latest round of attacks. He shakes his head, metaphorically speaking, at the way enterprises continue to fail at privilege management. Quote, There's no reason why a company with even a basic data security strategy should allow an administrator to access, much less delete, all information from a database without some level of oversight or workflow controls. End quote. He also finds it noteworthy that the criminals behind these attacks seem to think there's more money to be made through extortion than there would be for sale of the data on the dark web's black markets.
There is some quiet, however, on the ransomware front. Locky seems to have gone on an extended holiday. It would be premature, however, to say goodbye to this particular ransomware strain. Perhaps Locky's masters simply wanted to spend more time with their family and will return soon enough.
A sophisticated Gmail phishing campaign is in progress. The attackers work to compromise a Gmail account, thresh through emails until they find one with an attachment they can use in a screenshot to bait their hook, and then reel in even some security-savvy marks. We've heard from a number of experts on this issue. In general, they see automation as security's friend. Jeff Hill, Director of Product Management at Prevalent, thinks that our reliance on email, the sheer volume of that email, and what he calls the frenetic pace of life, have combined to produce an attacker-friendly environment. He thinks relying on intrusion prevention is equivalent to sticking your head in the sand, and that the right approach is to recognize intrusion quickly and contain it before it can access sensitive information.

Lastline's Bert Rankin reminds us that phishing hooks the well-meaning and responsible as easily as it does the malicious and negligent. Education and awareness campaigns alone won't do it, he says. Quote, It is an imperative that IT put filtering mechanisms in place that use technology, not people, to sort, test, and eliminate such malicious emails before they even have a chance to test the eyes of employees. End quote.

And Balázs Scheidler, co-founder and CTO of Balabit, sees this latest campaign as another instance of the way phishing techniques are improving to the point where even the knowledgeable and security-aware find themselves ensnared. He sees behavioral analytics as the solution. Quote, the actual user's behavior is the one thing that helps security professionals discover misused accounts by automatically spotting behavioral differences between an intruder and a legitimate user's baseline. End quote.

And finally, do you want fries with that?
You might, but you probably aren't willing to trade your McDonald's website credentials for a Happy Meal, unless, you know, the toy was a really good one. It seems there are some vulnerabilities over at McDonald's. Vasco Data Security thinks again that this is a case in which multi-factor authentication and end-to-end client-server encryption should become standard practice. Vasco's John Gunn sees a larger lesson. Quote, this distasteful Big Mac attack underscores the risks of loyalty programs, he says. And, by the way, he's saying that the attack is distasteful, not the Big Mac, which remains as delicious as ever. Because large dollar transactions aren't involved in loyalty programs, both consumers and companies take a far too casual approach to security. For the 50% of victims that use the same username and password for every account, hackers just gained login credentials for their bank accounts, and that will spoil anyone's Happy Meal. End quote.

Food for thought, Mr. Gunn. But no one's asking the important questions. Is the Hamburglar back and hacking? And what did Mayor McCheese know, and when did he know it? Robble, robble.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you sent me a subject that you wanted to talk about today. It's BGP Flowspec. Now, this to me sounds like something that I would hear at a plumber's convention, but evidently it has something to do with DDoS attacks. So help us out here. What does it mean?
Welcome to the world of the Internet, where we make everything as complex as we possibly can. We're actually very, very sort of proud of this implementation. So BGP is sort of the heart of the internet. It's the thing that tells the network how to route packets across its fabric and tells other network providers what networks it is allowed to come to it and it's allowed to send to it. So it really is sort of the flow, the blood flow of the internet itself. And we like to think of it as the heartbeat. From a flow perspective, what this allows us to do is this. This allows us to push essentially firewall rules to the internet via BGP. It allows us to be able to say, if there's a bad guy coming in from a particular network, we can now have automation that identifies that bad guy, sees where that bad guy is coming from, and automatically pushes out the ability to prevent that bad guy from putting bad packets on the internet, at least our internet. And so what we're talking about with other internet providers is this concept or this idea that we could be sharing this data across the entire backbone ecosystem.

So imagine a situation where backbone providers now have access to enriched IP reputational data that tells it who the bad guys are, what sort of attacks they're originating in, which ones are super serious backbone impacting events versus sort of the normal everyday scanning and churning. And now backbone providers can take proactive steps as a collective entity to be able to stop bad guys in their tracks across the entire backbone ecosystem. So it's something that we use to protect our backbone, something that we use to protect our customers. It's very, very adaptable, and it uses a lot of the existing ecosystem to do it. So this works on 20-year-old routers as well as one-day-old routers. But it's something that we can also communicate out to the rest of the ecosystem. And so we think it's going to be a major step function in identifying and stopping bad guys globally.
Is there any resistance to it? Is there any overhead that goes along with it that might be an issue for anyone?
I think the devil's in the details, right? I mean, it's this idea of what's the temperature setting or the barometer setting for a particular ISP that they're willing to block versus another one. One provider might be a little bit more aggressive in stopping threats more proactively, and other providers may want to be a little bit more cautious and only do those events that could be potentially backbone, directly backbone impairing, or are currently backbone impairing. And so we're having a lot of discussion about how we directly associate the weight of the reputation to the data feeds that we're sending so that this enriched data could be used across all those sort of spectrums of temperament. And so the whole goal is that once you feel comfortable with it and once it starts to work, we can then, as an ecosystem, have a really good communication channel to be able to focus that for more specific threats.
All right, Dale Drew, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.