CyberWire Daily - Greek and Turkish hacktivists swap defacements. Process Doppelgänging in the wild. GDRP is coming (like winter, for you Game of Thrones fans.) Profiling infosec enthusiasts.
Episode Date: May 8, 2018
In today's podcast we hear that hacktivist lightning is flashing across the Aegean, hitting Greek and Turkish TV stations. Process Doppelgänging is observed in ransomware circulating in the wild. Unstructured data could expose enterprises to GDPR regulatory risk. So might transitive data sharing. Big US companies are ready to follow GDPR standards in North America as well as Europe. Older Lantech industrial servers appear vulnerable to remote code execution. Vandals hit security cameras in Japan. And teachers, don't necessarily leave those kids alone, but maybe that cultist is actually an infosec enthusiast. Emily Wilson from Terbium Labs on third party data showing up on the dark web. Guest is Chris Dollase from Mimecast on the role of the threat researcher. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
In today's podcast, we hear that hacktivist lightning is flashing across the Aegean and hits Greek and Turkish TV stations.
Process doppelganging is observed in ransomware circulating in the wild.
Unstructured data could expose enterprises to GDPR regulatory risk.
So might transitive data sharing.
Big U.S. companies are ready to follow GDPR standards in North America as well as Europe.
Older Lantech industrial servers appear vulnerable to remote code execution.
Vandals hit security cameras in Japan.
And teachers, don't necessarily leave those kids alone, but maybe that cultist is actually an InfoSec enthusiast.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 8, 2018.
National pride and traditional resentments manifest themselves around the Aegean
as rival teams of Turkish and Greek hacktivists take whacks at one another's national media outlets.
The two contending groups are the Akıncılar invaders from Turkey and Anonymous Greece.
The former accused the latter of support for Kurdish terrorists.
The latter accused the former of conniving at Kurdish genocide.
This sort of hacktivism flares periodically
where long-simmering ethnic rivalries are found.
It's seen now and again across the India-Pakistan border, for example.
It's something security practitioners might keep in mind.
The reaction of Greek security authorities in this case was almost blasé.
The incident, they said laconically, had been contained.
SynAck ransomware, not to be confused with Synack the security company,
has been observed using process doppelganging in the wild.
Process doppelganging executes code by abusing the Windows loader.
Thus, it doesn't need to write to disk, which makes it more evasive and difficult to spot with technical screens.
This has been known to be possible for some time,
but the use of process doppelganging by malware in the wild is relatively novel.
Have we mentioned to you that the EU's General Data Protection Regulation takes full effect on the 25th of this month?
Little doubt remains that the GDPR will affect data protection,
collection, and privacy standards worldwide.
A recent study by Varonis Systems took a look at unstructured data in particular.
They investigated a sample
of 130 companies, inspecting about 5.5 petabytes of data. They found that, in general, far too
much sensitive data is made accessible to far too many employees. On average, 21% of a company's
folders were accessible to all employees. That's a lot, and the risk of breach brought about by credential theft should give everyone pause.
GDPR will expose companies to substantial regulatory penalties if personal information is breached.
Apple, Facebook, Twitter, and Sonos are some of the larger companies
who plan to adhere to GDPR standards in North America as well.
The Wall Street Journal calls regulation the hot import from the EU, and there's something to that.
One concern some people are worrying about, TechCrunch has a short think piece on it,
is transitive data sharing, the kind of sharing that got the alleged Golden State killer caught
and that eventually proved the downfall of Cambridge Analytica.
Transitivity is familiar to all of us from grade school arithmetic, right?
You remember it.
In one example, if A is greater than B and B is greater than C,
then A is greater than C.
Or if A is less than B and B is less than C, A is less than C.
Social media connections tend to be transitive. That's how, says Anshu Sharma, writing in Tech
Crunch, Cambridge Analytica came to learn so much about so many people who never used that quiz app
in Facebook. Some of their friends did, and that's all it took. Holding information shared in such
transitive relationships
by people who never actually shared it is worth some reflection.
There may be some good there,
but there may also be some exposure to regulatory risk.
Does your organization have a threat-hunting team?
Do you know what they're up to and how they're doing?
Chris Dollase is Deputy General Counsel and Vice President
at Mimecast, and he recently moderated a panel at the RSA conference titled Swimming in a Sea
of Enemies, the Dilemma of the Threat Researcher. He joins us to share his thoughts from that panel.
Threat research takes many different forms. You know, Mimecast has a bunch of stuff that does threat research. But what we're really getting into are people that sort of do more, you know, offensive versus defensive research,
you know, looking at different websites or looking at what attackers are doing or finding where attackers are storing stuff.
And I think it really falls into three buckets.
So the first is compliance with the law.
That can take many different forms and has
different ramifications. The second is sort of the risk to the company that the researcher works for.
And then the last is sort of what was interesting for me, because I'd never really thought about it,
was how the impact is to the actual researcher, the person doing the research.
Well, let's work through them in reverse order then. I mean, what is the impact on the researchers?
Especially people who sort of get really into the dark net. There are a lot of bad things in the dark net.
And one researcher, you know, was sort of in a bad place.
We'll say it was hypothetical, a bad place in their life.
And they really kind of, you know, went off the rails and ended up getting sort of involved in child pornography and ended up
getting arrested. People who work for, you know, antivirus companies and things like that who are
exposed to many sort of, you know, bad things are actually closely monitored and given counseling
and things like that, because you can really sort of, once you get into the dark web, you know,
maybe not find your way out as easily as you think you
can. Now, it's interesting. I mean, I think a lot of times, but in a technical field like this,
we don't often think of the emotional components. Yeah, I agree. I agree. I think that's a very
important part of it. And I think, you know, part of that too is like for a company, you want to
make sure you're monitoring, you know, what people are doing. And in addition to monitoring is also sort of auditing what people are doing, you know, because it's very easy to get caught up in and to do something that's completely, you know, non-relevant to the mission of the company in that area.
It strikes me that, you know, if I walk around my neighborhood and go door to door and just, you know, check to see whose front door is
unlocked and who's not, you know, that's going to attract attention.
And I wonder what the equivalent of that is for threat researchers.
I think that actually kind of bleeds a little into the law question.
And, you know, there's a series of laws that we started with, but we really focused on
the Computer Fraud and Abuse Act. The issue we have is that
the attackers, the bad guys, you know, they don't have to follow rules. They don't have to follow
company policies. They don't have to follow laws. It's what they do. You know, the threat researcher
has all those things in scope as they go through it. A violation is knowingly accessing a computer
without authorization.
A bad guy doesn't care about that. If they get caught, they get caught. But that's a sort of a
trap for the white hat hackers. They can still run afoul of that law because it's simply by doing it
and the intent is simply going about to access the computer is all the intent. It doesn't matter
whether you're trying to do it for the good. That can be a violation. And so that's the trouble in counseling threat researchers.
They don't quite always get that part of it. You know, anyone who's doing threat research
needs to be trained on, you know, what the law is, what the company policies are,
and how best to go about doing research. And there are best practices. I do think what's missing in the industry, as a sort of an aside,
is sort of more guidance to people on how to do things.
I think the second thing is that management and companies
need to be much more aware of what's going on in their threat research organizations
because I think a lot of them have no idea what's going on
and have no idea what the risks are that their company is involved in. And I think the third one is sort of the first point we discussed, which is,
you know, there really is a people side to this and it needs to be closely monitored,
you know, to help with, you know, the other buckets of making sure things are legal and to
make sure that policies and things are sort of done ethically, but also on the human side, which
is that these threat researchers are in a bad place, in a war zone almost, and need to be, you know, cared for as they go through it.
That's Chris Dollase from Mimecast.
Researchers report finding two exploitable flaws in Lantech's IDS-2102 industrial networking systems that could allow remote code execution.
The bugs are present in older versions, ones running version 2.0 and earlier of the firmware.
Lantech told SecurityWeek the vulnerable product was phased out in January and that it won't be patched.
Unpatched Drupal flaws, the so-called Drupalgeddon, continue to be exploited for cryptojacking.
Drupal users should patch and update.
Providing evidence, were any more needed, that idle hands flourish and fidget the world over,
people in Japan with too much time on their hands are hijacking Canon security cameras
to display the message, I'm hacked, bye two, which isn't even good haiku.
Watching cameras while watched by the cameras.
I am hacked, bye two.
There we go, we fixed it for him.
Complete with juxtaposition and fruitful ambiguity, five, seven, and five syllables.
In fairness to the idle hands in Japan,
their handiwork is less objectionable
than that of last week's Arizona dipstick, the one fiddling with highway signs. Still,
kids, stay in school and don't hack security cameras. Speaking of the kids, Bleeping Computer
takes a look back at the late 1980s ritual abuse panic, linked with the related repressed and recovered memory panic.
The two panics were serious matters with lives damaged, careers lost, and jail time served.
They're worth remembering as cautionary tales. But what interests Bleeping Computer is a document
found in an old teacher's supply closet. Distributed to schools by police, the document is called Identification,
Investigation, and Understanding of Ritualistic Criminal Activity. So, Bleeping Computer read
this guide with an unexpected frisson of self-recognition. Consider, teenagers who were
regarded as at risk for falling into the clutches of ritual crime covens were associated with fantasy role
play. They were held to be underachieving experimentalists with curiosity beyond norm.
They were intelligent, creative, bored, and suffered from low self-esteem. They may use
computers with access codes, probably much the way you do, gentle listener, and they tended to lock their
bedroom doors, sometimes with padlocks. So, nascent dark side cultists, or just run-of-the-mill
information security enthusiasts? Bleeping Computer thinks the latter. And on reflection,
we admit we could probably show you a few hundredweight of security types who fit the profile.
They're okay, though, so don't be too quick to judge the books by their covers.
Our advice is unchanged, kids. Stay in school, be better, and don't hack security cameras,
or attendance rosters, or grades. You get the picture.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll
be solving customer challenges faster with agents, winning with purpose, and showing the world what
AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, we speak a lot about third-party security issues,
and I wanted to check in with you on what sorts of things you see on the dark web when it comes to third-party stuff.
Sure. It's definitely been a busy couple of months for third-party breaches and leaks.
Obviously, we're all talking about Cambridge Analytica.
We heard some bad news for Delta and Best Buy and others for this [24]7.ai leak.
One of my favorites recently was the list that came out of PayPal a little bit earlier in the year
about the 600-plus companies they share your data with.
Some of them seem perfectly legitimate.
Other ones you kind of have to squint at.
From my perspective as someone who spends a lot of time
looking at leaked data on the dark web,
and I'm going to specify here leaked data,
not data for sale.
A lot of the information that I see
is coming out of third parties.
Sometimes you will see people who are
going after specific organizations and they're leaking information from that organization and
you're ending up with a lot of first party corporate data getting leaked. That does happen.
More often than not, though, where we're seeing corporate information show up is in third party
leaks. And that can be in one of two forms. On one hand, we can see corporate data show
up from other professional organizations, different marketing or consulting or tech firms that you
might be using, people who have a reason to have your corporate data who just didn't have solid
enough security. And now this data is getting leaked and your employees are getting exposed.
The other side, and I often wince when I see this, is we'll see corporate information
show up for services that have no reason to have corporate signups. So lots of leaks coming out of
music streaming services, video streaming services, sports or gaming platforms, and mixed in
with all of the other webmail addresses are corporate accounts. People are using their
professional identities to sign up for these services. And so when they get leaked,
especially if we're talking about password reuse,
that can be a bad day for the company.
So just out of convenience for me or laziness,
I sign up for Spotify or Pandora
or something with my Xbox
and instead of using my personal Gmail account or whatever,
I use my corporate account, reuse my password
and now they've got
me. Yeah. And these types of services, especially I would say in the gaming community in particular,
and also in the music streaming community, these types of services are getting kind of
regularly attacked. And there are a lot of leaks going around. This information is circulating.
And this can be not necessarily new breaches, but stuff from years
ago. And so it continues to be a problem. Yeah. So an interesting insight there in terms of
setting corporate policy for what you can and cannot use your corporate email addresses for,
perhaps. I think that would be a good argument. I think all of us have been in a rush sometimes,
or maybe you use the wrong autofill, but it's something to keep an eye on because
you really are creating double exposure there. Emily Wilson, thanks for
joining us. Cyber threats are evolving every second, and staying ahead is more than just a
challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity ... run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.