CyberWire Daily - Internet outages were errors, not attacks. Evolving Trojans and botnets. M&A news. Cyber casus belli. Terminators and teddy bears.
Episode Date: March 1, 2017In today's podcast, we hear that yesterday's Internet outages were due to errors in Amazon's S3 servers. Dridex has evolved to become more evasive. The Necurs botnet acquires a DDoS capability. Web ca...che deception attack technique is described. Austrian authorities think they have a suspect in the attempted cyberattack on Vienna's airport. Palo Alto buys LightCyber. Companies continue to grapple with GDPR compliance. Uncertainty about US policy direction expected to drive an increase in foreign cyber espionage. The University of Maryland's Jonathan Katz reviews encryption types. Jon Gross from Cylance explains Snake Wine. Congress thinks about casus belli in cyberspace. And in the IoT, people are worried about everything from Terminators to Teddy bears. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Yesterday's internet outages were due to errors in Amazon's S3 servers.
Drydex has evolved to become more evasive.
The Necker's botnet acquires a DDoS capability.
Web cache deception attack techniques are described.
Austrian authorities think they have a suspect in the attempted cyber attack on Vienna's
airport.
Palo Alto buys LightCyber.
Companies continue to grapple with GDPR compliance.
Uncertainty about U.S. policy direction expected to drive an increase in foreign cyber espionage, and in the IoT, worries run from Terminators to teddy bears.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 1, 2017.
Is the internet working for you again?
Well, it is for us.
Contrary to some initial alarmist screamers,
yesterday's Internet outages weren't caused by an attack,
but rather by problems in Amazon's S3 cloud storage service.
Ars Technica calls the incident sputtering.
The disruption is more properly understood
as outages experienced by a large
number of sites and apps dependent upon S3. The problem originated with errors in Amazon
servers in the U.S. state of Virginia. Outages were widespread, but particularly severe on the
North American East Coast. The incident is a reminder of how much infrastructure is in the
hands of the private sector, especially in the U.S.
Wired magazine sees the outages as evidence that industry consolidation can compromise resilience and compares it to last October's Dyn outages.
The Dyn case was, as it happens, an attack,
distributed denial of service accomplished by the Mirai botnet,
and yesterday's Amazon outages were, of course, a different matter,
but in both cases the effects were widespread. by the Mirai botnet, and yesterday's Amazon outages were of course a different matter,
but in both cases the effects were widespread.
IBM's X-Force looks at the venerable Drydex banking trojan and notices that it's been updated to incorporate a more evasive injection technique, atom bombing.
The new edition of Drydex, version 4, is active in the wild against banks in the UK and is
expected to spread rapidly.
BitSight's Anubis Labs warns that the Necker's spam botnet has been upgraded
with a distributed denial-of-service capability that could outstrip the capacity Mirai demonstrated.
This hasn't, of course, happened yet, but the threat bears watching.
Researchers at the EY Hactics Advanced Security Center in Tel Aviv
have found an issue with caching servers used by major sites.
Should a user access a non-existent resource, the server
sometimes cache incorrect page content. Such content can
include personal information, including credentials, account balances, and so on.
To exploit this flaw in what's being called a web cache deception attack,
an attacker would induce a user to access a URL leading to a non-existent resource,
whereupon the server would cache the page holding personal information.
The attacker would then access the bad URL to get the cached page,
and with it the user's personal data.
PayPal quickly closed this vulnerability in its own services when the researchers notified it, but EYHactics thinks
the problem is likely to be widespread and generally unrecognized. Austrian authorities
believe they have a suspect in the abortive cyber attack on Vienna's airport. They describe the
suspect as Turkish, and maybe the person is,
but fairness demands that we point out that he or she is living in Kentucky,
and of course that he or she is also entitled to the presumption of innocence.
In industry news, Palo Alto Networks has announced its acquisition of security firm LightCyber.
LightCyber's automated behavioral analytics will be added to Palo Alto's next-generation security platform.
Companies that collect data internationally,
and that's essentially any business working online,
have yet to come to grips with GDPR compliance.
The European Union's General Data Protection Regulation
will take full effect on May 25, 2018,
a date that will surely arrive
with haste. The problem of compliance is inherently complex, in this case even more so because of the
jurisdictional lines crossed when one considers how, say, a U.S. firm must negotiate European
requirements. And such standards and regulations can be widely influential even when they're
established by subnational governments.
New York State's new cybersecurity regulations affecting banks take effect today,
and those effects will by no means be confined to the Empire State.
Uncertainty about the direction of U.S. policy is expected to prompt other countries
to try to resolve those uncertainties through increased espionage,
particularly those like Russia and Iran not particularly well disposed to the Americans.
Influence operations are also expected to continue.
Japan seems ready to sustain a significant information operations campaign
if suspicions about snake wine are borne out.
John Gross is director of threat intelligence at Cylance. When we started
to do some of our initial investigations and stuff, it looked like it was an old CNAPT group
called MenuPass. But as we delved, I guess, further into the malware, really didn't share
the code similarities that you would expect. It seemed like a lot of work was done to attempt to obscure attribution,
which really I personally haven't seen any other, I guess,
Chinese APT operators attempt to do that ever.
So if it is the Chinese, it would be out of form for them. So and I can just say,
you know, the things that we saw them doing right in addition to using, you know, hosting providers
that accept Bitcoin, you know, or anonymous, you know, payment services, you know, they signed a
large majority of the malware samples that we saw at at least early on, with the stolen hacking team code
signing certificate, which to us really didn't make any sense, right?
Because that's going to be an instant red flag.
And, you know, you would really derive no benefit from that other than, you know, sending guess the culmination of lots of little things
led us to start questioning whether or not this was actually Chinese APT.
I mean, it just didn't really add up,
especially with, you know, what from a research perspective
should have been a clearly cut and dried case.
And what we found was that a lot of the infrastructure to us, it at least seemed like it was inactive, right?
So it's going to potentially be spun up in the future and or, you know, it's just currently being used now.
And we're only seeing what we're seeing. And, you know, as with anything related
to cyber, you only know what you know. So, I mean, in this case, you know, and judging from
the information that we had, it was very clear that someone was attempting to, you know,
obfuscate attribution. That's John Gross. He's director of threat intelligence at Cylance.
The U.S. Congress is currently trying to think through when a cyber attack would constitute an
act of war and what might be done in retaliation. Congress and the administration are required by
legislation passed last year to arrive at some clarity on the issue. It's very much a work in
progress. And finally, there's much worry in the press at midweek over the issue. It's very much a work in progress.
And finally, there's much worry in the press at midweek over the Internet of Things and its security, particularly in the world of robots, where the U.S. Army and others think they discern
a revolution in warfare comparable to the blitzkrieg of the late 1930s. Five Terminator
movies have taught us nothing, moans CSO Online as they report their inquiry into how robot manufacturers seem to be falling short of Asimov's laws of robotics.
But scary stories about the connected home, also with robots, are also being retailed.
As Spiral Toys works with its customers and gets ready to file the breach reports required under California law. See the local regulation angle again?
Their connected cloud pets are still creeping out security journalists.
Until things are sorted out, remember,
the teddy bears may have a big surprise for you, moms and dads.
If a stuffed animal says in its best Austrian-accented English,
I'll be back.
Grab your bug-out bags, head for the hills. buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning
with purpose, and showing the world what AI was meant to be. Let's create the agent-first future
together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Joining me is Jonathan Katz.
He's a professor of computer science at the University of Maryland and director of the
Maryland Cybersecurity Center.
Jonathan, I want to take our audience through some of the key concepts surrounding encryption, things like plain text, ciphertext, and key encryption.
What can you tell us about that?
Well, there are two sorts of encryption schemes. There's private key encryption and public key encryption.
In a private key encryption scheme, it's a mechanism that allows two users who have shared some secret information, called a key, in advance, to then use that key to communicate securely.
And the way that works is that these two users have shared their key in advance.
One user who wants to send the information will take their message, called a plain text, encrypt it using the key to get some ciphertext, transmit that ciphertext over a public channel to the other party at the other end,
and they can then decrypt that ciphertext using the key that they've shared with the other party
and recover the original message.
And how does that differ from public key encryption?
Public key encryption is really amazing.
Public key encryption is something that was not even possible until the late 1970s, early 1980s.
And what that allows is for two parties to have
a secure communication channel without sharing any information in advance, without sharing the
secret key. And the way it works is that you have one party generating a matched pair of keys,
one being a public key and one being a so-called private key. The private key is kept secret by
that individual, and the public key can be broadcast
to the world, sent over a public communication channel to anybody else who wants to communicate
with that first individual. Anybody with the public key can then encrypt, take the plain text
as before, encrypt it to get a ciphertext that they transmit to the first party, and they can
then decrypt that using their private key to recover the original message. And this is really
amazing. It kind of blows my mind that it's even possible, because it means that you can have two people standing
at opposite ends of a room, communicating back and forth, with everybody else in the
room listening to everything they're saying, and still not being able to figure out what
message is being transmitted.
Now, it's my understanding that there's been developments related to this with quantum
computing. What can you tell us about that?
People are very concerned about the advent of quantum computers, and the reason for that is that all the current public key encryption algorithms
that are currently used are vulnerable in case a quantum computer is ever developed. So what that
means is that if we have quantum computers becoming a reality within the next 20 years or so, all of
the encrypted communications currently on the internet will be vulnerable. Thankfully, however,
quantum computers are not believed to impact private key encryption as severely.
They may allow an attacker to speed up the time required
to brute force a key,
but they don't fundamentally weaken the algorithm
the way they do in the public key case.
Jonathan Katsch, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.