CyberWire Daily - Hybrid warfare objectives and tactics. Physical threats, lost and found. Vulnerability and threat recap.
Episode Date: March 29, 2017
In today's podcast, we pass on what we've heard at ITSEF about Russian hybrid warfare: it aims, experts say, at redressing the loss of the Cold War. Microsoft Internet Information Services (IIS) 6.0 found vulnerable to a buffer overflow attack. Cerber ransomware evolves to evade detection. Bugs found in Siemens ICS products. VMware patches vulnerabilities. Laptops with sensitive information lost in Hong Kong and New York. Joe Carrigan from the Johns Hopkins University Information Security Institute reviews a teddy bear who can't keep a secret. Peak10's David Kidd outlines compliance advantages of the cloud. Malicious USB sticks strewn around a Canadian university campus.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
ITSEF offers a look at Russian hybrid warfare.
It aims, experts say, at redressing the loss of the Cold War.
Microsoft Internet Information Services 6.0 is found vulnerable to a buffer overflow attack.
Cerber ransomware evolves to evade detection.
There are bugs found in Siemens ICS products.
VMware patches some vulnerabilities.
And malicious USB sticks are strewn around a Canadian university campus.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 29, 2017.
SINET's 12th Annual IT Security Entrepreneurs Forum, most often known by its acronym ITSEF,
convened yesterday in Mountain View, California, with sessions continuing today.
ITSEF describes its goal as bringing together policymakers and security technology innovators to discuss ways in which they can cooperate to the benefit of their stakeholders.
We'll be publishing detailed accounts of this reciprocal illumination beginning tomorrow.
But today we've been hearing a great deal about Russian hybrid warfare.
A panel of cyber, threat intelligence, and foreign affairs experts
was asked to comment on Russia's motivation and goals in information operations.
The panel's take on the matter was brief, clear, and not offering much ground for hope.
Russia, and in particular its president,
resents its loss of position caused by the fall of the Soviet Union at the end of the Cold War.
They seek to recoup their place in the world and regain the world's respect,
which they believe has been damaged through the insult of defeat.
They do not see a clear line between war and peace.
They see themselves as always in a state of war with the U.S. and Western Europe,
and that to fail to damage their adversary through cyber attack,
and especially information operations, would constitute negligence.
They do not see the political, economic, and personal domains as distinct,
and will use cyberattacks to damage the opposition in any of those spheres.
They make extensive use of criminal gangs,
since after all, economic damage to the enemy is counted as a gain.
And they have a long history of effective propaganda and
disinformation. Coincidentally, the Finnish Security Intelligence Services have released
their annual report on national security. The cyber threat, especially from Finland's large
Russian neighbor, receives prominent attention, and the report, linked in this morning's CyberWire
Daily News Brief, is worth checking out. A few new developments in the threat and vulnerability spaces have come to light at midweek.
Security vendor Trend Micro reports that Microsoft Internet Information Services, IIS 6.0, is vulnerable to a buffer overflow attack.
This zero-day is thought to have been exploited in the wild in July or August of 2016.
Trend Micro also reports that Cerber ransomware has shown signs of evolution into a more evasive form.
It now has loaders delivered by self-extracting Dropbox files,
which seem designed to avoid detection by machine learning security tools.
Researchers at the German security firm Cure53 have disclosed bugs in Siemens' RuggedCom
ROX VPN industrial communication endpoints and firewalls.
There are no patches, but Siemens has issued advice on mitigating the vulnerabilities.
VMware has issued patches for moderate to critical vulnerabilities found in three of
its products, ESXi, Workstation, and Fusion.
Users should heed the security bulletin.
Election hacking, or at least a big compromise, has come to Hong Kong.
The Chinese city's registration and electoral office has disclosed that the loss of two
laptops taken from a locked room in the Asia World Expo Conference Center exposed the personal
information of some 3.7 million voters.
The laptops are said to have been encrypted, but how strong that encryption might be is unknown.
Many organizations are moving more and more of their IT infrastructure to the cloud,
and data security and compliance are an understandable concern.
David Kidd is VP of Governance, Risk, and Compliance at Peak10, a national IT infrastructure
provider. He makes the case that shifting much of the burden of compliance to an outside cloud
provider is worth a look. When you think about an IT professional and the burdens that they are under
just every day keeping systems up and running, IT professionals are systems guys. These are
men and women that deal with technology and making new systems and making them work.
They're not attorneys. They're not folks that are up on all of the latest regulations and up on
those standards. The basic level and driver of IT professionals is always to push for the new technology.
And security professionals are a little more cautious, as are the regulators that they
have to answer to and those that define the industry standards that they have to answer
to.
So when the technology guys said, hey, this is some really neat technology, we want to
play around with this and see what we can do.
And looking at virtualization and cloud services and the flexibility and the ability to scale up and down
and the disaster recovery benefits of virtualization and living in the cloud,
that was just really appealing to the technology guys.
But the security and regulatory folks, they took a look at this and said, you know what, we're scared of this. This makes us nervous. We understand
standards where we can look at the box and we can define the limits of the system. We know the
limitations of the network and where those system boundaries are. We can look at physical storage
and we understand those boundaries, but when you start talking and putting it in the cloud, that scares us.
We're frightened of it.
And they really said no and pushed back hard on that for a while.
Some of that was internal with larger organizations particularly,
and some of that was external because, frankly, regulators did not understand the cloud in the early days.
And over time, the financial side started to look at this, and they were
hearing about the benefits. You know, they would hear in the hallways the conversations that those
IT guys would have when they were excited about the new technology and said, well, it helps us
with the refresh costs. It helps us with disaster recovery and makes that faster and cheaper. It
gives us the ability to scale up and down as business needs change.
And that puts some pressure back on the regulatory world and the security world to say,
you know what, we need to come up with a way to make this cloud work and work well
and provide the security that we need.
To be able to take a piece of that burden off of them and
know that the underlying infrastructure that they are building their systems on top of
is not only highly available and highly secure, but to know that it meets the regulatory requirements
and industry standards that they are beholden to is an enormous relief because that's just one piece
that they don't have to chase after and have to get up to speed on. That's David Kidd from Peak10.
Just as physical loss can pose a threat to data and systems, so too can things physically found.
Canada's Carleton University sustained a ransomware attack in November 2016,
but the university has now found another hardware-delivered threat,
USB sticks left strewn about the campus.
The devices contain a keylogger.
It's unclear whether there have been any successful infections,
and it's not known if there's any connection to last year's ransomware incident.
We close today's report with some sad news.
Trend Micro's CTO, Raimund Genes,
passed away suddenly over the weekend at his family's home in Germany.
He'd been one of those most responsible for building Trend Micro.
He was well-liked and much respected in the security community,
and he'll be missed. He was only 54.
Our condolences to his family, friends, and colleagues, as people who work in InfoSec look back at a life that, while too short, was nonetheless well-lived.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look
at motherhood and society's expectations,
Academy Award-nominated Amy Adams
stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking
and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, approach can keep your company safe and compliant.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we got a story that came by on Ars Technica about an IoT device.
This is actually a teddy bear from a company called Spiral Toys. And the line of toys are called Cloud Pets.
Right.
Sounds like a great idea.
There's an indicator right there, Cloud Pets, so we know what's going on with this.
And I guess the notion here is that these stuffed animals could record some kind of a voice message from a grandparent,
and the voice would come out of the bear.
Right.
And the kids could record a message, and the grandparents could get the message out of the bear.
And this all sounds fun and adorable and...
And creepy.
Yeah, probably a little bit creepy.
But they had a problem because, turns out, over 2 million of these messages got leaked online.
Right.
And they were using a very secure password hashing algorithm called bcrypt.
Yeah. There is some debate about the security I've seen in the community about whether or not it's secure, but I like it.
And mind you, I'm not a cryptographer, but one of the things I like about bcrypt is, unlike other hashing algorithms, you can make it more difficult as time goes on.
So it's pretty resistant to brute force cracking.
However, these people at Spiral Toys
didn't enforce a good password policy.
So you could use a single character as your password.
Well, it takes a very short amount of time
to run through every single one-character password.
And whatever percentage of people
are using one-character passwords,
if those passwords are leaked, they're already known.
They're known within seconds of those passwords being leaked
because there are these password-cracking tools.
My favorite is called Hashcat.
Anybody can go out and download this.
If you have a GPU, which is a graphics card for gaming,
even a commodity GPU can crack passwords at an impressive rate.
So in terms of these toys, then because of the
allowance of weak passwords, are they just tossing random things into Hashcat to see if they stick?
How does it work? Yeah. Well, first thing you do is you check the lists of known passwords,
right? So every year somebody publishes the 10 most common passwords, and every year,
1, 2, 3, 4, 5, 6 is one of them, right?
So that's the first one you guess. And then you go through and you'll probably get maybe 0.5% of the passwords cracked with that top 10 list. But 0.5% is a significant number
of passwords that you can crack with a top 10 list. And there are password lists that are
hundreds long, 10,000 long, the top 10,000 passwords.
You can just Google these and find them.
You put them as an input file into Hashcat, and it just goes through and brute forces
the passwords using the list.
Then you can apply other things called rules, like common substitutions.
For example, instead of using an A, I'm going to substitute an at sign, or maybe I'm going
to substitute a 4.
Sure.
I can find more passwords.
Just because I've changed the word password to capital P, at sign, 55W0RD, that doesn't make it any more secure.
It's still password, and there's only a couple of rules I need to apply to crack that password.
The lesson here that we come back to many times is you can't assume that any of these IoT connected devices are actually secure.
Yeah, we get back to the same problem that we always talk about with the IoT, and that's surface area.
All you're doing when you buy these things and put them in your house is you're increasing your attack surface.
And how many different ways attackers have to exploit things that are on your network.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.