CyberWire Daily - Fancy Bear finds Berlin just right. RedDrop Android blackmail malware. Another AWS S3 exposure. FTC settles; SEC investigates. Blockchain radix malorum?
Episode Date: March 1, 2018
In today's podcast, we hear that Fancy Bear has been busy in a sensitive German government network. RedDrop Android malware is built for blackmail. Another exposed AWS S3 bucket is disclosed. Intel issues another Spectre fix. The FTC reaches a settlement with Venmo over privacy, security, and availability of funds. The SEC is investigating a number of initial coin offerings. Johannes Ullrich from SANS and the ISC Stormcast podcast, with information on the Memcache DOS issue. Guest is Rami Sass from WhiteSource on open source software. And Mr. Gates is no fan of cryptocurrencies (and it seems cryptocurrency mavens are no fan of Mr. Gates).
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Fancy Bear gets busy in a sensitive German government network.
Red Drop Android malware is built for blackmail.
Intel issues another Spectre fix.
The FTC reaches a settlement with Venmo over privacy, security, and availability of funds.
The SEC is investigating a number of initial coin offerings.
And Mr. Gates is no fan of cryptocurrencies.
And it seems cryptocurrency mavens are no fan of Mr. Gates.
I'm Dave Bittner with your CyberWire summary for Thursday, March 1st, 2018.
The bears appear to have shown up in Berlin, and for that matter, in Bonn.
German authorities said yesterday that they are investigating a cyber espionage campaign against federal networks.
The attack was detected in December,
but the threat actors are believed to have been present in the networks
for about a year before they were discovered.
The campaign is attributed, not officially,
but by anonymous sources close to the investigation,
to Fancy Bear, Russia's GRU military intelligence service.
Deutsche Welle describes the network, the IVBB, which was the hackers' target, as a dedicated secure platform used only by, quote, the chancellery, the German parliament, federal ministries, the federal audit office, and several security institutions in Berlin and Bonn, the former German capital where some ministries still have offices, end quote.
Fancy Bear gained notoriety as the threat actor that snuffled through the U.S. Democratic National Committee,
the International Olympic Committee, the International Anti-Doping Organization,
French President Macron's campaign, and a large number of other targets of official Russian ire.
This isn't the first visit to Germany, either.
Fancy Bear is believed to have compromised Bundestag networks for more than a year.
Security firm Wandera is describing RedDrop,
a strain of Android malware
distributed for the purpose of blackmailing its victims.
RedDrop combines the functionality
of spyware, Trojan, and data exfiltration.
It's troublesome, but apparently not terribly sophisticated
or difficult to guard against.
If users take apps only from reputable sources
and enable Google Play Protect, they're probably safe.
Still, Android users take RedDrop as one more incentive
to straighten up and fly right.
Intel continues to address the Spectre and Meltdown vulnerabilities
that have bedeviled its CPUs.
It's issued new fixes for Spectre to Broadwell and Haswell chips.
The U.S. Federal Trade Commission has reached a settlement with PayPal subsidiary Venmo over the company's practices.
The root of the problem, according to the FTC, lay in Venmo's representation that funds transferred would be immediately available to their owners,
when in fact such funds could be and sometimes were frozen while Venmo investigated underlying transactions.
The FTC said this caused a number of customers undue financial hardship.
The company was also in hot FTC water over its privacy and security practices,
especially in the way it communicated those practices to its customers.
Acting FTC Chair Maureen K. Ohlhausen drew a lesson for the financial sector as a whole.
Quote,
The payment service also misled consumers about how to keep their transaction information private.
This case sends a strong message that financial institutions like Venmo need to focus
on privacy and security from day one, end quote.
It's common practice for software developers to rely on varying degrees of open source software in their work.
Rami Sass is CEO and co-founder of WhiteSource, a company that helps developers manage and secure their open source assets.
The default choice today is to not develop yourself what you can find in an open source
project. And that's a trend that we've seen develop over at least the last decade,
or has become extremely prominent over the last decade. It may have started
two or more decades ago. But today, every software engineering group anywhere that's working
on commercial software is actually relying very, very heavily on open source components
and spends just a small portion of their, I wouldn't say time exactly, but the minority part of their software that
gets shipped to the customer or gets deployed is actually a net new software or proprietary
software that's being developed by your own engineers. More than 50% of it is comprised
of open source components, so much so that there is a big trend today
talking about how software is composed and not written.
So can you take us through what are some of the benefits
and what are some of the potential vulnerabilities of this approach?
Right, so the benefits are enormous and fairly well discussed
in the sense that the open source itself is free to use, readily available
at large scale, usually very well maintained by the open source community and can save you a lot
of work while still giving you very high quality product or very high quality results very easily.
So the benefits are primarily around saving time, saving money and saving energy,
while conserving all of these resources to really focus on the new innovative parts that you are now bringing to the world rather than having to do
the same mundane task for the thousandth time that someone else has already done.
On the risk side, there are some risks that all derive essentially from the fact that you are
bringing in some third-party piece of software and embedding
it into your own software and then selling it or deploying it out into the world as if
it is your own.
So you essentially become accountable for all potential issues that may be hiding in
the open source components. Usually they are not malicious.
So we rarely, if ever, see cases where people try on purpose to provide you with faulty open source components.
some stories from the espionage world, from certain countries I will not name, that may be doing some of these things as part of sort of intelligence efforts.
But besides those fringe cases, most of the problems are a derivative from the fact that
open source is just software in its own right at the end of the day, and it gets written by human beings, flesh and blood, who are software engineers and may
make the same kinds of errors that people working on commercial software make.
And that in turn means that there will be or there are several known security vulnerabilities in open source projects.
There could be quality issues.
And to add to those, there sometimes can also be legal issues in the sense that open source,
while free, will always come with some strings attached. So you cannot really distribute code freely
without attaching some kind of copyright waiver. And when people waive their copyright, they would
normally add some terms and conditions under which they waive their copyright, which in turn become
licenses. So all open source, just to be open source, needs to have some license attached to it.
And some licenses start adding additional conditions and requirements from the developers that if you don't adhere to, if you don't pay attention to, could sometimes get you into legal trouble.
That's Rami Sass from WhiteSource.
The U.S. Securities and Exchange Commission has begun investigations into multiple ICOs.
The Wall Street Journal reports the SEC has issued dozens of subpoenas to tech companies who've held token sales and their advisors.
TechCrunch notes that the money raised in initial coin offerings amounted to $6 billion last year and has already hit the $1 billion mark in 2018.
$6 billion is far from huge, but it's not trivial either, being a bit larger than the CIA's World Factbook estimate of the GDP of French Polynesia, Bermuda, Jersey, or Liechtenstein.
And finally, Microsoft's Bill Gates is no fan of cryptocurrencies,
which he sees primarily as modes of illicit funds transfer and money laundering,
favorite financial vehicles of drug dealers, contraband peddlers, blackmailers, and other bad people.
He takes it as read that the alternative currencies have blood on their hands.
This week in a Reddit Ask Me Anything session, he said,
quote, right now cryptocurrencies are used for buying fentanyl and other drugs,
so it is a rare technology that has caused deaths in a fairly direct way.
I think the speculative wave around ICOs and cryptocurrencies is super risky for those who go
long, end quote. Alt-currency advocates reacted contemptuously, saying, as for example Bitcoin
developer Udi Wertheimer did, that cryptocurrencies are no more and no less a cause of death than
traditional cash has always been. The general rejoinder has been that cryptocurrency's salient
feature isn't anonymity, but rather immutability and the ability to support trustless transactions.
He may have more of a point about the riskiness of cryptocurrency speculation.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute. He's also the host of the ISC Stormcast podcast.
Johannes, welcome back. You wanted to touch base today about the Memcache denial of service situation here.
What we have here, in some ways, is one of these NoSQL databases called Memcache.
Now, Memcache is a very simple database.
As the name implies, it runs all in memory.
With that, there isn't really any authentication or access control for it.
Now, when you ever install it, it usually only listens on the loopback interface in your system.
And in the configuration file,
it actually explicitly warns you
not to have it listen on an open, exposed interface.
That's not firewall and such.
But apparently, and probably no surprise here,
people aren't listening.
The problem with this is Memcache has a stat command or status command.
When you send this command to Memcache, it replies with essentially sort of a dump of its status, which is quite verbose.
So this has been used in denial of service attacks.
The attacker will spoof a packet that appears to come from the victim asking for this status, and Memcache will reply with a few kilobytes, in some cases hundreds of kilobytes of data.
So this has been used to amplify the denial of service attacks, and they have reached the typical multi-gigabit sizes.
And so how do you prevent this sort of thing?
Well, if you find a Memcache database exposed like this,
well, first of all, fire whoever set it up like this
because that's really sort of non-excusable.
But yes, you never really should expose Memcache to the open internet.
Like I said, you also expose all of your data because there is no authentication for this database.
It's often used sort of in web applications to hold session data and sort of more ephemeral data. So certainly critical and confidential data. So never really should be exposed.
That's really the big thing here.
Now, if you're at the bad end of one of these denial of service attacks, you can try and filter everything that's coming from source port 11211. That's the port Memcache is listening on.
But typically, you'll need some help from some upstream ISPs, some anti-denial of service service that you need to hire in order to filter this traffic as far as possible away from the network.
These attacks are so large, with like hundreds of gigabits per second, that probably what you're doing on-premise with your firewall won't really work.
All right. That's interesting stuff.
Johannes Ullrich, as always, thanks for joining us.
Thank you.
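The two defensive points in the segment above, checking that Memcache is not bound to an exposed interface and spotting reflection traffic from source port 11211, as an added Python example. This is not code from the CyberWire, SANS ISC or the memcached project. It assumes a Debian-style memcached.conf with one option per line ("-l 127.0.0.1", "-U 0"), and the flow records are a simplified, constructed stand-in for NetFlow or IPFIX data.

```python
"""Two defensive checks for the Memcache issues Johannes describes.

Added example, not code from the CyberWire, SANS ISC or the memcached
project. Assumptions: the config uses the Debian-style memcached.conf
layout with one option per line ("-l 127.0.0.1", "-U 0"); the flow
records are a simplified, constructed stand-in for NetFlow/IPFIX data.
"""
from dataclasses import dataclass
from typing import Iterable, List

MEMCACHED_PORT = 11211                      # default memcached port, TCP and UDP
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def memcached_config_findings(config_text: str) -> List[str]:
    """Return findings for a memcached.conf that would expose the service.

    An empty list means memcached is bound to loopback only and UDP is
    explicitly disabled, which is the safe configuration.
    """
    findings: List[str] = []
    listen_addrs: List[str] = []
    udp_port = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "-l" and len(parts) > 1:
            listen_addrs.extend(a.strip() for a in parts[1].split(","))
        elif parts[0] == "-U" and len(parts) > 1:
            udp_port = int(parts[1])

    if not listen_addrs:
        findings.append("no -l option: memcached listens on all interfaces by default")
    for addr in listen_addrs:
        if addr in ("0.0.0.0", "::"):
            findings.append(f"-l {addr}: listens on all interfaces")
        elif addr not in LOOPBACK:
            findings.append(f"-l {addr}: listens on a non-loopback address; confirm it is firewalled")
    if udp_port is None:
        findings.append("UDP not explicitly disabled (add '-U 0'); reflection abuse uses UDP")
    elif udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}; reflection abuse uses UDP")
    return findings


@dataclass
class Flow:
    """A simplified inbound flow record (constructed, not real NetFlow)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def reflection_flows(flows: Iterable[Flow], min_avg_bytes: int = 1000) -> List[Flow]:
    """Flag inbound UDP flows that look like memcached reflection traffic.

    The tell-tale signature from the segment: replies arrive over UDP from
    source port 11211 and carry large payloads (kilobytes per packet rather
    than the few dozen bytes of a normal response).
    """
    flagged = []
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT or f.packets == 0:
            continue
        if f.octets / f.packets >= min_avg_bytes:
            flagged.append(f)
    return flagged


# Constructed sample inputs
SAMPLE_CONFIG = """
# constructed memcached.conf: bound to every interface, UDP left at default
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

SAMPLE_FLOWS = [
    Flow("UDP", "203.0.113.7", 11211, "198.51.100.10", 40001, 120, 1_500_000),  # amplified replies
    Flow("UDP", "203.0.113.9", 53, "198.51.100.10", 40002, 2, 400),             # ordinary DNS reply
    Flow("TCP", "203.0.113.7", 11211, "198.51.100.10", 40003, 10, 5_000),       # TCP, cannot be spoofed this way
    Flow("UDP", "203.0.113.8", 11211, "198.51.100.10", 40004, 1, 60),           # tiny; not amplification
]

if __name__ == "__main__":
    for finding in memcached_config_findings(SAMPLE_CONFIG):
        print("config:", finding)
    for f in reflection_flows(SAMPLE_FLOWS):
        print(f"reflection: {f.src_ip}:{f.src_port} -> {f.dst_ip} "
              f"avg {f.octets // f.packets} bytes/packet")
```

The config check is the one to run on your own hosts; the flow check only tells you that you are on the receiving end, and, as the segment says, at hundreds of gigabits per second the filtering has to happen upstream at the ISP or a scrubbing provider rather than on an on-premise firewall.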
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, … approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is …
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.