CyberWire Daily - HBO offered Mr. Smith a bug bounty, but no takers. Fancy Bear's in hotel Wi-Fi. DNC leak argument resumes. Locky and Mamba ransomware are back. ISIS on eBay. NotPetya arrest. WikiLeaks dumps more from Vault7.

Episode Date: August 11, 2017

In today's podcast, we hear that Mr. Smith turned down HBO's offer of a $250,000 bug bounty. Fancy Bear uses EternalBlue tools against hotel Wi-Fi networks. Argument over who leaked DNC emails last year flares again. New versions of Locky and Mamba ransomware circulate in the wild. The US Department of Defense is ready to use rapid acquisition to buy cyber tools and services. The FBI says a Maryland man used eBay and PayPal to receive ISIS funds for possible terror activity. Ukraine makes an arrest in the NotPetya case. David Dufour from Webroot on basic cyber hygiene. Barmak Meftah, President & CEO at AlienVault, with his thoughts on the state of the industry. And WikiLeaks dumps video intercept tool CouchPotato. Supported by E8 Security, Johns Hopkins University, and Domain Tools. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Mr. Smith turns down HBO's offer of a quarter-million-dollar bug bounty. Fancy Bear uses EternalBlue tools against hotel Wi-Fi networks. An argument over who leaked DNC emails last year flares again. New versions
Starting point is 00:02:10 of Locky and Mamba ransomware circulate in the wild. The U.S. Department of Defense is ready to use rapid acquisition to buy cyber tools and services. The FBI says a Maryland man used eBay and PayPal to receive ISIS funds for possible terror activity.
Starting point is 00:02:27 Ukraine makes an arrest in the NotPetya case. And WikiLeaks dumps the video intercept tool CouchPotato. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 11, 2017. The HBO hacker, or hackers, going by Mr. Smith, released an email yesterday from HBO that offered them, Variety reports, a bounty payment of $250,000 as part of a program in which white-hat IT professionals are rewarded for bringing these types of things to our attention. Mr. Smith wasn't buying. The hackers want millions. So it appears that one of the following happened.
Starting point is 00:03:10 Either HBO offered ransom covered by the fig leaf of a bug bounty, or HBO hoped to finesse the hackers into becoming harmless white hats, or HBO hoped to wrap them up for delivery to law enforcement. Whatever was going on, the hackers spit the hook and called Variety. Mr. Smith's demand for a salary is curious, but an article in the Register suggests some interesting background. The ransom note HBO received indicated that Mr. Smith has an annual budget of $500,000, which it uses to buy zero-days.
Starting point is 00:03:42 So they're investing in tools that will enable them to compromise corporate networks, which would make them a zero-day broker gone rogue, using tools themselves as opposed to selling them to, for example, governments who might want them for lawful intercept purposes. In any case, HBO and Mr. Smith appear for now to be at an impasse. Fancy Bear is back in the news. FireEye reports that the threat actor, who comes courtesy of Russia's GRU, has undertaken an ambitious program of spying on high-value hotel guests through hotel Wi-Fi systems. Fancy Bear is apparently using EternalBlue
Starting point is 00:04:19 tools, believed to have been leaked from NSA and posted online by the Shadow Brokers, to propagate surveillance code across targeted networks. The attacks, which affected moderately high-end hotels in seven European and one Middle Eastern capital, began as usual with phishing. Once access was gained by phishing, the attackers used EternalBlue to move swiftly through the networks, and then, once the servers were compromised, installed the Responder tool. Responder both monitors traffic across a network and harvests credentials from machines connected to that network. FireEye began noticing the hotel attacks in late 2016. They say an important piece of circumstantial evidence pointing to Fancy Bear
Starting point is 00:05:03 is the discovery of two GRU-connected malware strains, GameFish and X-Tunnel, installed on victim devices. The company also says it's got more dispositive evidence in the form of observations they've made of the incident's command and control, but for now, FireEye is holding that evidence close. Fancy Bear, along with its FSB colleague Cozy Bear, is generally believed to have gotten into the systems of the U.S. Democratic National Committee and the Clinton presidential campaign during the 2016 U.S. election cycle. Emails damaging to both the DNC and the campaign were publicly exposed by WikiLeaks, and it's been generally thought on circumstantial grounds that WikiLeaks got the material it released from Russian intelligence services.
Starting point is 00:05:50 WikiLeaks' Julian Assange has denied this, but few have given the denials much credence. The principal alternative theory of the leaks is that they originated with disgruntled insiders, perhaps supporters of Senator Sanders' campaign. This has been largely a partisan theory, advanced by opponents of the Clinton presidential run. But this week, both Bloomberg and The Nation, neither one a right-wing media operation, indeed The Nation is decidedly left-wing,
Starting point is 00:06:17 have reported that sources close to the U.S. intelligence community, some of whom are described as retired intelligence officers, say there's in fact considerable forensic evidence that the material WikiLeaks received indeed came from disgruntled insiders. The DNC has told The Nation that they're disappointed in them. Quote, U.S. intelligence agencies have concluded the Russian government hacked the DNC in an attempt to interfere in the election. Any suggestion otherwise is false and is just another conspiracy theory, like those pushed by Trump and his administration. It's unfortunate that The Nation has decided to join the conspiracy theorists
Starting point is 00:06:54 to push this narrative. Bloomberg View argues that the theory and the evidence behind it are worth a look. The sources, Bloomberg notes, have names and reputations, and while there's a great deal of evidence pointing toward Russian intelligence services, it's certainly possible that more than one actor was interested in DNC emails. The names and reputations of The Nation's sources, members of Veteran Intelligence Professionals for Sanity, may be controversial, but Bloomberg View's op-ed piece thinks them worthy of at least a hearing.
Starting point is 00:07:28 In more ordinary crime news, two familiar strains of ransomware have resurfaced in the wild. Both Locky and Mamba are out in an enhanced, more virulent form. Mamba is best known for encrypting entire drives. It's been active mostly against targets in Brazil and Saudi Arabia. Locky has seen widespread distribution. It's now being carried in a large malicious spam campaign. In the U.S., some Defense Department rapid acquisition tools are coming into use. Both DIUx and SCO have received enhanced purchasing authority. U.S. Cyber Command will begin using its rapid acquisition authority by the end of September.
Starting point is 00:08:08 These are of particular interest to the security industry, since these more agile procurement methods are designed to get quickly advancing technology into the hands of operators. Security tools figure prominently among the products the Department of Defense has in mind. An unsealed FBI affidavit says that a Maryland man arrested last year in connection with alleged ISIS activities was involved in using eBay and PayPal to siphon cash to the terrorist group. Mohamed El-Shanawi, a U.S. citizen, is alleged to have pledged allegiance to Islamic State. The FBI says he had run bogus printer
Starting point is 00:08:45 sales on eBay as a cover for his receipt of ISIS money through PayPal. The funds, the government alleges, were probably intended to have been used in terror operations in the U.S. Ukrainian police last week arrested a man in Nikopol for distributing NotPetya. The arrest of the 55-year-old unnamed man was announced by the Cyber Division of Ukraine's National Police last Saturday. And finally, WikiLeaks' weekly dump from Vault 7 features documents covering CouchPotato, said to be a CIA tool that remotely collects video streams. One has to give credit where credit is due. CouchPotato is a nice name for
Starting point is 00:09:25 a tool that lets you sit back and watch whatever those video streams are showing. Investigation into where WikiLeaks is getting the contents of Vault 7 proceeds, but so far without publicly disclosed results. And of course, the same can be said of the Shadow Brokers, who are expected to resurface around the end of the month. Solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:10:23 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:10:39 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:11:28 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24
Starting point is 00:11:50 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:20 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. We wanted to go through some of the basics today, some of the nuts and bolts sort of basic cyber hygiene that you think people should be paying attention to.
Starting point is 00:12:57 You bet. And, David, thanks for having me back. And, you know, with WannaCry and all of this going around, ransomware, I thought it'd be good if we could just talk about your basic security toolbox and some very simple things that would have prevented you from being a victim of WannaCry. A little anecdote I like to talk about is, you know, everybody wants to find ways to, you know, reduce traffic accidents and things like that. But the number one way is if we all just drove 55, there'd be fewer accidents, right? Right. Put on your seatbelt, right? Exactly. It's that simple. So in the cybersecurity world, I always am excited to talk about the new
Starting point is 00:13:37 machine modeling or new ways of identifying threats. But it's the mundane things, David, that actually do the most benefit for us. What kinds of things are we talking about here? Making sure you've got offline backups so that those backups can't get encrypted by ransomware. This would be backups of important files. You know, the world can't live without all those selfies of you, David. So we need to make sure they're backed up. That's true.
Starting point is 00:14:10 In addition to that, we want to make sure we're applying regularly the security patches for our operating system, whether that be OS X, whether that be Windows. Having those latest up-to-date security patches, having backups, ransomware, the WannaCry issue, you wouldn't have even felt it because you would have been prepared to recover from it. And why do you think people have ongoing consistent trouble with this? It seems like we say this over and over again, and yet time and time again, people aren't taking care of these things. Probably it's kind of like going to the gym. You have good intentions, but trying to get there is the hard thing. It's boring. It's mundane. It's something you have to keep up with all the time. If you do that and you keep a good antivirus software up to date, you're going to mitigate almost every security problem that you will come across. All right. Good advice. David Dufour, thanks for joining us.
Starting point is 00:15:03 Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Barmak Meftah. He's the president and CEO at AlienVault, a cybersecurity company that claims to be on a mission to provide organizations throughout the universe with highly intelligent security that is affordable and simple to use.
Starting point is 00:16:02 He's been at the helm there since 2011, and before that served as vice president of the enterprise security products division at HP. He has over 20 years' experience in the industry. I think the big change is the trend towards integration, orchestration, and simplicity in cybersecurity. I think, you know, for a long period of time, the industry has focused on inventing point products to counteract threat vectors that we've observed over the last 20, 30 years. And the problem has become the explosion of these point products. And it's very evident.
Starting point is 00:16:39 I think the easiest way to see that is walk the show floors at Black Hat or RSA, and you see sort of the exponential growth of how many cybersecurity companies are out there. And they're all doing great stuff. skill set, the talent, the affordability to be able to glue and integrate all these point products together to come up with more of a comprehensive end-to-end security story for their company. And so, you know, the big trends that we're seeing is around orchestration, integration and simplicity and making the complex problem of security more simplified. And then also on the threat intelligence side, we're seeing a lot of collaboration in terms of how we can bring the community together to share
Starting point is 00:17:31 threat intelligence and threat data more effectively. So if I'm someone who's walking around on a show floor and I'm trying to balance my need for simplicity, but also not wanting to put all my eggs in one basket in terms of relying on a single vendor. What do you think the best way for me is to approach the sort of the tension between those two needs? It's a great question. In fact, I would actually further that question because the other question I get often is, you know, if you err on the side of orchestration, simplicity and integration, are you going to suboptimize best of breed approaches to security? So let me address those two. So the first is sort of the single vendor approach to security, which is more of an all in one approach. And I actually don't believe in that. I think you can have an orchestrated
Starting point is 00:18:22 and integrated approach to security without necessarily putting all your eggs in one basket. The analogy I would use is the operating system. So you typically use one operating system or the other. There's probably about five or six main operating systems out there. But that doesn't mean that you have to buy your applications from the same vendor over and over again. In fact, the App Store, in the case of Apple, is full of applications that are from hundreds of thousands of vendors out there. And so what we promote at AlienVault is more of an approach of having one underlying orchestration platform,
Starting point is 00:18:59 which is very analogous to an operating system, but then give the ability through a very well-defined extensibility layer, again, like an operating system, to third-party vendors to be able to build security controls because these threat vectors aren't going to be the same and the hackers will invent new threat vectors. So there ought to be a way for security vendors to create innovative solutions around both security protection, security detection, security response, but without the need to constantly change the infrastructure over and over again. The biggest cost of security for any company is the infrastructure and the operational cost of security, of how do you have these security controls talk together in a coherent, integrated, orchestrated way.
Starting point is 00:19:44 So, you know, there is a way to come up with a very elegant, I would argue, cloud-driven, orchestrated platform and still give the security vendors the ability to innovate and come up with their security controls because those security controls will change on an ongoing basis. On the second thread, you know, this argument that if you make security orchestration and integration elegant and simplified, and I would argue affordable, so that every company can enjoy security end to end, somehow you're sub-optimizing on the security controls and you make the security controls not as good and not as best breed.
Starting point is 00:20:23 It's just a false argument, right? Because the side of the brain that makes something very elegant and simple doesn't have to necessarily cease to function to make each security control also extremely good and strong compared to the alternative. So, you know, we would argue you could have an orchestrated approach to security, an integrated approach to security, ideally cloud-driven, so it makes it really easy and affordable for people to use, and not necessarily sub-optimize on the integrity, the strength of each of these security controls that you're building. As you look ahead toward the horizon, what are some of the challenges that you see coming towards us, perhaps things that we don't
Starting point is 00:21:00 have to deal with today yet, and how do you think, as an industry, we're going to have to adapt to face them? Well, you know, the good news is because of the prevalence and more importantly, because of the press that a lot of these breaches are getting, the awareness around security is exponentially increased. I mean, I entered the cybersecurity world late 2002, early 2003. And I got to tell you, over the last 15, 16 years, the awareness around security, compliance, governance has increased dramatically. And as you probably have heard from other people, the role of the CISO has been elevated exponentially in the organization. So I think the first step is the treatment of security
Starting point is 00:21:47 and risk around IT at the same level that a company would treat risk as it's applied to its own existence. And so that's great that you're getting that position elevated. It's a board level agenda item now and all that stuff is great. So I think we're actually going towards the right direction, which is the elevation of security and risk basically at the highest level. Our thanks to Barmak Meftah for joining us. There's an extended version of this interview available exclusively to our Patreon subscribers at patreon.com slash thecyberwire.
Starting point is 00:22:35 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:23:27 Learn more at ai.domo.com. That's ai.domo.com.
