CyberWire Daily - Infrastructure security, especially power, finance, and elections. Preparation pays off. Proofpoint warns of new AZORult malware. Check Point tracks Master134 malvertising. Crime news.

Episode Date: July 31, 2018

In today's podcast we hear more warnings about Russian cyber operators in the North American power grid. The US Department of Homeland Security announces formation of a National Risk Management Center. Cosco's preparation may have rendered the shipper more resilient to the cyberattack it sustained. Congress worries over election hacking and deep fakes. Electronic warfare is back. An alt-coin platform is hacked, a carder goes to jail, an alleged sim-swapper is arrested, and coaches behave badly. Johannes Ullrich from SANS and the ISC Stormcast podcast on TLS 1.3 implementation. Guest is Mark Orlando from Raytheon on critical infrastructure security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_31.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 More warnings about Russians in the North American power grid. The U.S. Department of Homeland Security announces formation of a National Risk Management Center. Cosco's preparation may have rendered the shipper more resilient to the cyber attack it sustained. Congress worries over election hacking and deep fakes. Electronic warfare is back
Starting point is 00:02:17 and an altcoin platform is hacked. A carder goes to jail, an alleged SIM swapper is arrested, and coaches behave badly. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 31, 2018. Warnings about Russian compromise of the U.S. power grid continue. Again, nothing has happened yet to disrupt electrical power generation or distribution, but it's worth noting that the cyber battle space seems to have been prepped. Attacks that destroy equipment are more worrisome than are attacks that amount to short-term power outages,
Starting point is 00:03:03 as Control Global's Unfettered blog points out. One hopes the power industry takes preparation to heart. The U.S. Department of Homeland Security is announcing today the formation of a National Risk Management Center. Secretary Nielsen introduced the center during a government-sponsored conference in New York City. It's seen as a response to growing recognition that cyberattacks by sophisticated nation-state adversaries can cause systemic failure across society at large. One of the critical infrastructure sectors of most concern is, of course, the power industry. DHS personnel will work both in a new headquarters and embedded with industry partners. Here's one encouraging story about the benefits of preparation.
Starting point is 00:03:47 The cyber attack that hit shipping firm Cosco at its Port of Long Beach terminal seems to have been contained and overcome without significant operational disruption. The Journal of Commerce credits this to Cosco's advance preparation for dealing with just such an attack. Go and do likewise, power industry. When a lot of people hear critical infrastructure, they think about the electrical grid. That's Mark Orlando. He's chief technology officer with Raytheon's Cyber Protection Solutions Group.
Starting point is 00:04:15 Critical infrastructure encompasses far more than that. Everything from life safety systems and telecommunications to oil and gas systems to many, many other industries. So it's a very large space to protect. And unlike the IT world, the information technology world, there's not a lot of standardization in that domain, in the critical infrastructure domain. So understanding the threats, how we can gain visibility into those threats, and then how we can defend that infrastructure is much more of a challenge than it is in the IT world. Well, let's walk through some of the steps that would be taken if someone were looking to do us harm from a critical infrastructure point of view. Where do they begin?
Starting point is 00:04:58 Right. So the first step in any attack is reconnaissance. And in most cases, reconnaissance does not involve touching or connecting to the target system. It involves gathering information, doing research about the target system, doing research about the organization in which that system resides, organizations connected to that organization, so suppliers, research into who the business partners or suppliers are, or in some cases, the customers and users of that system, where they reside, how data traverses those different environments, how control systems interact with that target system, really attempting to understand not only
Starting point is 00:05:39 how that target system works, key pieces of information like the manufacturer, if it's running any kind of software, what kind of control systems are in place, but also how it's situated within the environment. So for example, if we're talking about a control system in the electrical grid, power distribution, for example, is that system connected in any way to an IT network where you might have user systems? Are there supplier networks where you might have a third party coming in to do maintenance on that system? These are all things that an attacker will attempt to uncover during that research phase. And so once they gather the information that they think they need and they
Starting point is 00:06:21 move on to actually starting their attack, what happens then? In most of the successful attacks that we've seen, it's actually a chain of attacks where an attacker is hopping through various systems, various networks to get to that end state, that end target. In many cases, that involves compromising, again, either a third-party network like a supplier network. It involves, in many cases, targeting users with social engineering attacks, like spear phishing, for example, to gain unauthorized access to those third-party systems. And then from that point, jumping off and pivoting and looking for a way into that operational network where you can connect more directly to that target system. These systems are quite often one-offs, and I could see there being two sides to that. I could
Starting point is 00:07:10 see that being, you know, for both the attacker and the defender, it could be a roadblock. Absolutely. Not only for the attacker in trying to gather information about a system that may not be as well documented, but also, as you said, for a defender, it's also a significant challenge because now we have to come up with a good way to instrument these systems so that we can understand when someone is gaining access, when someone is causing a control system, for example, to send a signal to another system that might not be expected, but might otherwise look normal. Instrumentation, you know, and making it so that we can detect these kinds of activities is also quite a challenge. But I think we definitely have a long way to go in terms of understanding at a very technical and a very tactical level
Starting point is 00:07:56 how we can harden these systems to attack, how we can identify and quickly respond to attacks when they occur. That's Mark Orlando from Raytheon. Worries about influence operations or direct manipulation of midterm voting also continue. Senator Shaheen, a Democrat of New Hampshire, says that officeholders and political parties are often targets of phishing attacks and that the experience reported by Senator McCaskill, a Democrat of Missouri, isn't an outlier. Other senators are interested in seeing what can be done about deep fakes, convincing but concocted video, audio, or imagery
Starting point is 00:08:34 that are thought to be the future of influence operations and black propaganda. The U.S. Army is undergoing one of its periodic rediscoveries of the importance of electronic warfare. This time, the precipitating cause is Russian jamming of U.S. forces operating in and around Syria. What's that, officer? No, we're not up to anything. It's just us out here on the police beat. And we see there's been another cryptocurrency theft. KICKICO lost $7.7 million
Starting point is 00:09:07 to creative destruction hacking of its tokens. The story has a happy ending so far. The platform says it has recovered the stolen tokens and is in the process of returning them to their owners. The method the thieves used,
Starting point is 00:09:21 however, is interesting. Security measures used to detect theft of altcoins often rely on detecting quick, unexplained changes in the number of tokens available on the market. And this, in fact, is what KICKICO's security did. To avoid detection, the thieves obtained the cryptographic key that controls the platform's smart contracts and used it to destroy existing coins and recreate them in the same amount. KICKICO became aware of what was up when users complained that all of a sudden their wallets were empty.
Starting point is 00:09:53 The complaining users reported the loss of an aggregate of about $800,000, but upon investigation it turned out that the criminals were more ambitious by an order of magnitude. Check Point reports that a criminal going by the name Master134 is running a successful malvertising campaign across the high-bids advertising platform. Master134 has redirected stolen traffic from more than 10,000 compromised WordPress sites and resold it to Adsterra, which in turn sold the traffic to advertising resellers. The malicious advertising carries ransomware,
Starting point is 00:10:31 Trojans, and so on. The hijacked traffic gives an initial appearance of connecting to legitimate sites and well-known brands, so beware. Proofpoint describes a new version of AZORult it's observed in the wild. AZORult is an information stealer and downloader first noticed in 2016, where Proofpoint found it as a secondary infection of the Chthonic banking trojan. This version retains the original functionality but
Starting point is 00:10:59 seems improved in every respect. Shortly after it appeared on the black market, it was seen distributing Hermes ransomware. As an effective downloader, it can of course be used to install any variety of different payloads. Russian debit card fraudster Mikhail Malykhin, who took a guilty plea back in 2016, has been sentenced. The judge presiding over his case in the U.S. Federal Court for the Central District of California called his crime reprehensible and sentenced him to 70 months in prison. Malykhin's theft, amounting to some $4.1 million, affected third-party administrators
Starting point is 00:11:38 of Flexible Spending Accounts and COBRA services. One of the companies he and his five criminal associates hit was driven out of business. Malykhin will also forfeit ill-gotten gains, to wit, $1.3 million in cash, $22,000 in gift cards, several gold bars, and a classic pony car, a 1966 Ford Mustang. California police have arrested one Joel Ortiz, a college student from Boston, on charges alleging that he used SIM swapping to hack phone numbers and thereby steal more than $5 million in cryptocurrency. He faces 13 counts of identity theft, 13 counts of hacking, and 2 counts of grand theft. The Santa Clara County DA invites any other victims to come forward. This is grand theft, but there's petty larceny stuff out there, too.
Starting point is 00:12:32 If you're a parent hoping to expose your child to good values, hard work, fair play, and so on, by getting the little nipper involved in high school athletics, think twice before sending your child to Braden River High School in Manatee County, Florida. The county school district has announced the results of an investigation into Braden River's football program. They concluded that coaches at Braden River accessed an online service that stores video of high school football so colleges can see prospective players. Other high schools aren't supposed to
Starting point is 00:13:05 have access to the system, but this particular coaching staff is said to have watched practice video from four rival schools. The penalty, if any, has yet to be determined. But who do these guys think they are? The New England Patriots? With all this, it's pleasant finally to close on a positive note. The Security Industry Association has opened nominations for its 2018 George R. Lippert Memorial Award, which recognizes distinguished long-term selfless service to the security industry. Nominations are due by August 24th. You can learn more at securityindustry.org.
Starting point is 00:15:42 And joining me once again is Johannes Ullrich. He's from the SANS Institute and also the host of the ISC Stormcast podcast. Johannes, welcome back. You wanted to talk today about TLS 1.3. What do we need to know about this? Yeah, thanks for having me again. And, well, TLS 1.3 is sort of in the final stages of actually becoming a real thing.
Starting point is 00:16:36 The standard has been finalized, and it starts to show up in different implementations now. Now, the problem here is that, according to some people, TLS 1.3 really pushes things a little bit too far when it comes to privacy and encryption, making it very difficult for a lot of devices that have to intercept TLS to actually do their job. Now, that's always controversial, of course. Now, why would you have to intercept TLS? Well, for example, load balancers have to, or many companies have systems that check for data exfiltration and such. And of course, they have to intercept TLS. Now, with TLS 1.2, it wasn't really too difficult to set up a proxy that will take care of this. TLS 1.3 makes this really difficult because, well, it makes TLS faster.
Starting point is 00:17:40 In TLS, the way we use it right now, it takes about sort of four or five round trips to actually negotiate everything, set up the TCP connection and set up TLS. With TLS 1.3, we set up the TCP connection and in some cases, ideally, the TLS connection at the same time, which really cuts down this entire round-trip problem. So, well, on the other hand, now we don't have TCP and TLS separated, and that really breaks these proxies. So lots of problems coming down the pipe here for security devices that really try to figure out if you're going to a malicious site or if you're exfiltrating data. Now, just to back up a little bit, TLS stands for? Transport Layer Security, and it's really sort of the newer version of SSL, Secure Socket Layer.
Starting point is 00:18:24 So that's what we usually use with HTTPS when we are going to a secure website. So what do you suspect the consequences are going to be of this rollout? Well, I think what will happen at first is that a lot of sites just won't support TLS 1.3 because they have to wait for these man-in-the-middle devices to become ready and to really support this new protocol. So I think it will delay the rollout, first of all. In the end, we'll have to see if the added privacy is something people are willing to pay for in terms of not having all of their favorite websites
Starting point is 00:19:04 work as they expect to. And will it be seamless to the user? How much is it going to interfere with day-to-day operations? For the user, it will be seamless if it works. Now, what may, of course, happen is if you run into these cases where these middle boxes intercept TLS, then, of course, it may just break the site. And that always has sort of been a little bit of a problem where what happens if TLS breaks a connection? That's sort of the intent here. It wants to alert the user,
Starting point is 00:19:37 hey, you know, someone is trying to mess with your connection. But one problem has been in the past that then users try to find a way to get to the site without TLS. And that's, of course, actually less secure than doing it via TLS 1.2. All right. Well, we'll see how it rolls out as always. Thanks for sharing the information. Johannes Ullrich, thanks for joining us. Thank you.
Starting point is 00:20:12 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:07 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:21:34 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
