CyberWire Daily - Influence operations in Catalonia? IcedID banking Trojan. The Shadow Brokers: an intelligence service or a bunch of moles? Patch notes.

Episode Date: November 14, 2017

In today's podcast, we hear that Spain sees foreign influence operations in Catalonia. IBM's X-Force warns of a new banking Trojan. There may be a mole hunt going on in NSA—and somewhere the Shadow Brokers are smiling. Anti-virus companies fix the AVGater vulnerability. Firefox and Google both commit to security upgrades. Johannes Ullrich from SANS Technology Institute and the ISC Stormcast podcast on the challenges of random number generation. Steve McGregory from Ixia on the challenges of dealing with the virtually infinite computing power and bandwidth of cloud computing. Tenable urges people to avoid breaches through good hygiene, and Carbon Black wishes we'd stop calling attackers "hackers." Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily; you might find it valuable, too. Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com. Dragos is leading a webinar on November 21st that will help enable industrial control system (#ICS) security teams to defend their environments appropriately. Check it out at thecyberwire.com/dragos.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Spain sees foreign influence operations in Catalonia. IBM's X-Force warns of a new banking trojan. There may be a mole hunt going on in NSA, and somewhere the Shadow Brokers are smiling. Antivirus companies fix the AVGater vulnerability.
Starting point is 00:02:12 Firefox and Google both commit to security upgrades. Tenable urges people to avoid breaches through good hygiene. And Carbon Black wishes we'd stop calling attackers hackers. I'm Dave Bittner with your CyberWire summary for Tuesday, November 14, 2017. Spain's government has warned the European Union that a disinformation campaign aimed at influencing the Catalan separatist movement appears to originate in Russian territory, with much of it being repeated from Venezuelan territory. The Spanish defense minister stopped short of formally accusing the Russian government
Starting point is 00:02:52 because, of course, attribution is difficult. It's also risky in a time when influence operations are coming to be considered dangerously close to an act of war. Security researchers from IBM's X-Force have spotted a new banking trojan, which they're calling IcedID. It's new and apparently still under development, but it appears capable of using both redirection and web injection attacks. Until now, Dridex had been the only prominent banking trojan to employ both kinds of attack. X-Force thinks IcedID is using Emotet's botnet infrastructure to distribute itself. The NSA mole hunt continues as a long piece on the Shadow Brokers the New York Times published
Starting point is 00:03:36 over the weekend is still drawing a great deal of comment. Observers tend to make a couple of points. First, the leaks that have reached the world through the shadow brokers cast doubt on any organization's ability to safeguard sensitive information. Second, every enterprise should bring its patches, particularly patches for mobile devices, up to date, as many fear a wave of mobile system hacking. Suspicion centers on either Russian intelligence services
Starting point is 00:04:03 or on some group of disgruntled insiders. A question some pundits are raising and answering is this. If the shadow brokers are indeed run by Russian intelligence services, why would they have leaked NSA tools to the world? Why wouldn't they simply have used them, quietly, to work their damage against U.S. targets? This is being cited by some as grounds for thinking, in fact, the brokers aren't really the Russians at all, but some sort of disgruntled insiders. CBS This Morning, for example, yesterday interviewed their in-house national security
Starting point is 00:04:35 contributor Michael Morell, a former acting director of Central Intelligence, who said he's not sure. He said, quote, if Russia had access possibility, and intelligence services everywhere are notoriously sensitive about doing or saying anything that could reveal sources and methods. Indeed, their wariness about doing so is a common source of frustration on the part of the operators, who are the intelligence services' customers. But there are at least three other points worth making. First, releasing tools that came rightly or wrongly to be generally attributed to NSA was a hard shot at the agency's reputation. An article in Esquire this week has the sophomoric but representative title, The NSA Still F-ing Up. And a reputation for F-ing up is not a good thing for anybody,
Starting point is 00:05:35 still less for the premier U.S. SIGINT shop. But don't take it from Esquire. Take it from Sputnik, too. The Russian news outlet primly said Monday that, "...the NSA was dealt a severe blow by a massive infiltration that resulted in the theft of cyberweapons by unidentified hackers calling into question its value to U.S. national security." Touching as Sputnik's concern for good government and U.S. national security may be, it's not a good look for Fort Meade.
Starting point is 00:06:05 So reputational damage hurts an intelligence agency as much as it hurts, say, a credit bureau or a telecom company. Maybe it hurts even more, especially when legal authorities like Section 702 are under consideration by Congress. Section 702 gives NSA authority to intercept foreign signals subject to oversight by the FISA court. This authority is widely regarded within the U.S. intelligence community as essential to the IC's ability to do its job.
Starting point is 00:06:33 Section 702 skeptics see the law as a threat to privacy and domestic civil liberties, and hope for its sunset at the end of the year. Such damage obviously works to the advantage of nation-state adversaries who surely have their own reasons for disliking Section 702. Second, one of the most damaging things any security service can undergo is a molehunt. The most famous one that's broken out into public awareness is the still controversial molehunt that tore through the CIA during the later tenure of Langley's legendary counterintelligence chief, James Angleton. A mole hunt at Fort Meade, with the attendant
Starting point is 00:07:10 mistrust, suspicion, and fear it could engender, could also likewise work to the advantage of a nation-state adversary. Third, it's worth noting that the Shadow Brokers started to sell, or more accurately dump, their material in August of 2016. This is some months after an as-yet-publicly-unnamed NSA worker was found to have highly sensitive material on a compromised laptop. If a foreign intelligence service became aware that their operation had been blown, that would change its calculus about sources and methods, possibly tipping the balance in favor of disclosure. If you'd had an in at NSA but had it no longer, why not go for the confusion and reputational damage?
Starting point is 00:07:57 It's been reported that some widely used antivirus software products are vulnerable to a proof-of-concept exploit, AVGater, that could bypass their protections. Researcher Florian Bogner found the problem and privately disclosed it to the affected vendors. Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and Check Point have patched. The exploit's not trivial to use, since it requires admin access, but then admin access has been achieved by hoods in the past. In other update news, Firefox 57 will introduce more capable sandboxing in its next version, and Google has put Android app developers on notice that it will kick anything found misusing accessibility services out of the Play Store.
Starting point is 00:08:40 We've been reporting ongoing troubles with organizations misconfiguring their Amazon AWS buckets, exposing sensitive information online. There's a frightening asymmetry there that an incorrect setting can lead to such exposure. And of course, once the information is gone, it's gone for good. Steve McGregory is Senior Director of Applications and Threat Intelligence at Ixia, a Keysight company, and he makes the case that cloud providers need to simplify their offerings and help cut through the noise. I think what we've done with the cloud and what we've introduced is basically infinite processing and bandwidth. It's not really infinite, we know that, but if you go back 10 years ago to get access to a lot of bandwidth or, you know, you had co-locations, you'd have to take ownership of those systems and manage it yourself. But today at the fingertips, we can scale massively around the globe
Starting point is 00:09:38 very easily. At the same time, it's grown in complexity for the network, you know, people who need to use it. It's a complex environment, especially in the security world. Take us through that. What sorts of things are people finding themselves up against? It's the unknown. So in the security industry, I've always said that we have a great problem, which is lack of awareness. People don't know what's out there that can harm them. When you go to the cloud, there's a great bit more of that potentially. You've sort of opened up your attack surface without knowing possibly. One employee could accidentally leave off an access control list, let's say, could
Starting point is 00:10:19 easily just forget to limit that control or access to that system to the IPs that they want to. And because of the way today you can scan the internet in literally minutes, that system will be found and probably compromised within a matter of minutes. It's easier to say it will be than just probably. What we see is the same old, same old happening over and over again. What we have here are a lot of opportunities in the security and in the cloud industry to simplify the solutions, remove some of the difficulty in these technologies that we're putting together. And the opportunities for the security people is to reduce the noise and point to the areas where people need to focus. What I'm saying is that instead of relying on people to be the primary point that's going to make a decision to make something safe, that system or infrastructure or software application should be safe from the
Starting point is 00:11:29 get-go. So when you say simplify, take us through what do you mean by that? Well, to me, the technology is complicated to get started with. It's complex. It's hard for people to fully know enough about everything. So we have to shift from expecting everyone to be focused on security to be successful in doing that. We have to build products that don't require that. So bankers should focus on banking. Accountants get to focus on accounting. But the security world and the cybersecurity world tends to expect most of the time that we train people to behave differently, right? And I don't think that that's possible. Humans are humans, and the products that we provide to the humans have to realize that humans can be swayed or do something wrong,
Starting point is 00:12:20 and they have to be resilient to that. That's Steve McGregory from Ixia. For all the justified concerns about foreign intelligence services hacking, Tenable's CEO, Amit Yoran, thinks that sometimes attempts to blame state-sponsored espionage services for major data breaches can be a load of self-serving hooey. He's been blogging about recent testimony by some current and former CEOs before Congress, and he points out that a lot of the more spectacular data breaches of 2017 and before could have been prevented by some sensible application of digital hygiene.
Starting point is 00:12:56 And finally, another security executive, Carbon Black's national security strategist Eric O'Neill, says we ought to stop calling people who break into enterprises hackers because he sees a pervasive pattern of such crime being enabled by espionage services. So we ask you, listeners, what should we call the people behind big-time cybercrime pre-attribution? Hoods? Gonifs? Bad guys? Black hats?
Starting point is 00:13:21 Maybe we can find something in the comic books. Hydra, anyone? We await your consensus. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:13:52 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:14:22 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. We'll be right back. son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly
Starting point is 00:15:31 humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute, and he's also the host of the ISC Stormcast podcast. Johannes, welcome back.
Starting point is 00:16:31 You know, random numbers are an important part of cybersecurity, certainly cryptography. You wanted to touch on issues with weak random number generators today. Yeah, thanks for having me again. Weak random number generators are just one of these issues that doesn't seem to go away, in particular as we are talking about the Internet of Things and small devices. The latest incarnation of this particular vulnerability was this ROCA vulnerability in these Infineon chips. So whenever you're doing encryption, you have to come up with good random keys.
Starting point is 00:17:10 And the problem here is that, in particular for these small devices, it's hard to come up with randomness. There are some services actually now that provide entropy as a service, where you have a network service you can connect to and you get random numbers from them but again for these small devices that's not really an option because they
Starting point is 00:17:30 don't have the connectivity to actually do that in a secure way, because again, that stream of random numbers has to be secured somehow too. So it's really one of those catch-22s, and like I said, the ROCA vulnerability is where this came up recently. It also keeps coming up in wireless networks. And while the KRACK vulnerability wasn't directly related to random numbers, there's a very similar issue with these group keys. When you have a wireless access point and it needs to send messages to all of the clients connected to the wireless access point, it uses a group key that's the same for all of these clients. But this key, it is created just as
Starting point is 00:18:14 the access point boots up, and at that point in time the access point of course hasn't done much, so again there isn't much randomness. And that's another vulnerability that's often overlooked, where you have these devices that have to make up good random keys but they don't really yet have enough random events to actually create them. What do you suppose is a good solution to this? One solution is to have some dedicated hardware in these devices that creates random keys. That has been done in part. The access points, they're actually having the advantage of having radios in them. Radios actually make pretty good random number generators.
Starting point is 00:18:59 If you think about it, sort of that radio noise that you have in the air. There are some potential issues with this, because an adversary that's close to the access point could send particular, you know, radio signals that then bias this random number generator. But if this is done correctly, that's sort of how this can be solved. You know, also mobile devices often have radios in them that can be used. Another very simple random number generator is often a microphone that you can use. But again, you have to be careful where you collect the randomness from. Again, the sound in a room could be biased by an attacker. You have to get permission to use the microphone at all. Yes, and that's another thing. You have to get permission to use the microphone. So it couldn't really be done at the application
Starting point is 00:19:48 level. It could be done by the operating system properly, but I think these random number services are really an interesting option, in particular for Internet of Things devices that do not have sort of radios built in necessarily. Some older Linux kernels, they use network traffic, but that has turned out to be really easy to bias and a bad idea to use network traffic sort of as is. The Linux network, the Linux random generator
Starting point is 00:20:20 actually has been audited by multiple organizations and is considered reasonably good. But again, it all depends on the underpinning hardware that's being used. All right. Johannes Ullrich, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:20:53 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
