CyberWire Daily - ISIS messaging. Intel will roll out new Spectre/Meltdown patches. Identities for sale on the dark web. IDN spoofing. SpriteCoin ransomware, with a malware chaser. Three Sonic games may be trouble.

Episode Date: January 23, 2018

In today's podcast we hear that ISIS is howling "we are in your home" as they lose their own home. Intel says a new patch for Spectre and Meltdown is coming to fix instability problems. Babies' Social Security numbers and other data are for sale on the dark web. So are email credentials from top-500 British law firms. Look closely at URLs—IDN spoofing is out and about. Satori expands the reach of its botnets. New ransomware strains surface. SpriteCoin is no coin at all. Joe Carrigan from JHU responding to listener mail about disabling links in email. Chris Webber from SafeBreach on using simulations to test for Meltdown and Spectre vulnerabilities. And Sonic the Hedgehog fans watch out: three popular games may expose you to hacking.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. ISIS howls, we are in your home, as they lose their own home. Intel says a new patch for Spectre and Meltdown is coming to fix instability problems. Look closely at URLs. IDN spoofing is out and about.
Starting point is 00:02:08 Satori expands the reach of its botnets. New ransomware strains surface. SpriteCoin is no coin at all. And Sonic the Hedgehog fans, watch out. Three popular games may expose you to hacking. I'm Dave Bittner with your CyberWire Summary for Tuesday, January 23rd, 2018. ISIS is seeking to inspire lone wolf terrorists and frighten infidels with the slogan, We are in your home. The slogan appears with an online picture of a jihadist wearing an ISIS-branded shemagh,
Starting point is 00:02:50 only his pixelated eyes visible, posing in front of a snowy shot of New York's Central Park. This sort of campaign can be expected to continue as the caliphate dwindles into its online diaspora. Intel tells users to disregard its recent Spectre patch. A new, less troublesome version is due out soon. The chip giant says it's figured out why machines based on its Broadwell and Haswell platforms reboot and become unstable after they've applied the patch Intel issued earlier this month for Meltdown and Spectre. So, don't apply them. They'll have a new, better version out soon. Linux creator Linus Torvalds has been serving as a goad to better patching at Intel, whose approach to fixing the vulnerabilities he calls complete garbage. He's told his Linux
Starting point is 00:03:32 kernel mailing list, quote, they do literally insane things. They do things that do not make sense, end quote. Intel feels a bit picked on, asking if everyone could be less shouty, but admits that Linus may have a point or two. The recent revelations of the Meltdown and Spectre vulnerabilities have led to a great deal of uncertainty as users continue to sort through their real-world practical implications. Chris Weber is a security strategist at SafeBreach, and he takes us through their efforts to make sense of the situation. The vast majority of computers, that's servers, that's end-user computers, are going to be affected by this vulnerability where either an application or a specific wrong user can
Starting point is 00:04:17 get protected data from places it shouldn't be able to get. So it is a little concerning in that way that it's so widespread, certainly. And we also know that some of the patches that were pushed to try to fix this were pulled back as they were maybe rushed out a little hastily and caused more harm than good in a lot of ways. And I think where we're at right now is that we're sort of at the tipping point to see whether we're going to be able to get out ahead of this or whether it's going to linger for quite some time. Now, one thing you all are doing there at Safe Breach is you're running simulations for these attacks. Can you take us through what that means and what the benefit is there? Sure thing. So that's part of what Safe Breach does. You're exactly right.
Starting point is 00:04:57 As we simulate attacks or exploits, we simulate ways to take advantage of vulnerabilities, just like an attacker would. So in this case, though we haven't seen any real attacks out in the wild, we can create our own attacks that take advantage of this vulnerability. Written simulations that try to get simulated application data, simulated protected data from the kernel space out of that machine to our simulators. Now, we're not trying to get any real data, not any real customer information. We make up the data, we put it in there, and we see if we can get it out. And in that way, you don't have to just patch and hope. You can actually patch and validate that the patches worked as you expected. And are there any specific insights that
Starting point is 00:05:40 you all have gained from running these simulations? On the right kind of machines, you know, Intel-based servers for sure running the right operating systems. The patch from Microsoft, for example, actually did help mitigate this, which early on there was some concern about. Since this is an architectural vulnerability, the industry wasn't sure if a software-only patch was really going to be helpful. We thought it was always going to have to be a combination of an operating system patch and certainly a firmware or microcode patch. But even the Microsoft patches seem to stop at least some of the vulnerabilities from being exploited very well.
Starting point is 00:06:14 Now, we've also seen in ensuing days that on the wrong kind of machines, those can be locked up, prevented from booting with a patch that isn't well executed. So hopefully we see the trends towards the working side just expand over the next few days. And how do you see this playing out? I mean, I think rightfully so Meltdown and Spectre have taken, you know, a great deal of attention. This is certainly something, the scale of which we have not seen before, or at the very least rarely see. But long term, is this going to be something that requires our continuing attention or could this even prove to be perhaps a distraction? I think that's a great question. It is extremely widespread. It's a really big impact and it's at
Starting point is 00:06:55 a very low level. So it's something that we all should focus on. We should understand. We should try to mitigate as best we can. But like any vulnerability or any patch, there's going to come a point where we reach diminishing returns. Some operating systems may never be patched. Certainly there's lots of hardware out there that's no longer supported, or even some of the supported hardware might be a little arcane and might not be getting those firmware patches soon. And we could spin around and around on this as an industry for a long time being worried. But we have to remember defense in depth. If we have systems that we can't patch that might have this vulnerability, an attacker needs multiple phases in order to get to those systems.
Starting point is 00:07:36 We need to make sure that we've got defenses in the network to stop them from getting there. We need to make sure that we segregate our networks so that lateral movement's harder. And certainly, if data is compromised, we need to try to make sure it never leaves our environments, never leaves those machines. So even if we can't fix the Spectre or the Meltdown problem, we might be able to fix the overall exploitation problem by looking elsewhere in our environments. That's Chris Weber from SafeBreach. Security company RepNight says it found a collection of compromised credentials from top 500 law firms in the UK. They say that around 1 million email credentials are in the cache, a number which seems very
Starting point is 00:08:18 high indeed. Some of the data came from the firms themselves, but much of the stolen information originated in third-party breaches. In this case, the risk is not so much direct identity theft, although of course that's a possibility too, but rather the use of the credentials for dangerously plausible social engineering campaigns. Farsight Security has issued a study of how internationalized domain names, IDNs, can use non-Latin characters from, say, the Greek or Cyrillic alphabets to craft sites that impersonate URLs that use the more familiar Roman characters.
Starting point is 00:08:54 Spoofed sites are used for more persuasive phishing. Thus, a Cyrillic soft sign, for example, can be used to spell Facebook, which might fool the casual eyes of users normally alert to the URLs they follow. Other examples are easy to come up with. Companies whose sites have been impersonated in this way include Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo!, Wikipedia, YouTube, and Yandex. IoT devices containing ARC chipsets are turning up in Satori botnets, which indicates that
Starting point is 00:09:33 botnet controllers have significantly increased the number of Maverick devices they can rope into their herd. 32-bit ARC processors are power-efficient chips found in automobiles, including electronic steering controls and entertainment systems, consumer goods like smart thermostats, personal fitness devices and TV set-tops, and also in industrial control systems. Arbor Networks, the firm warning of Satori's expansion, estimates that more than a billion and a half systems with ARC chips ship every year. An open-source ransomware project forms the basis of a new family of ransomware, DesuCrypt
Starting point is 00:10:11 and its DeuceCrypt variant now being widely distributed in criminal markets. Researcher Michael Gillespie has developed a decryptor for infected files, so bravo Gillespie, and let's hope that this sector of the criminal-to-criminal market remains largely frustrated. Security company Acronis warns that Paradise Ransomware, which saw a flurry of activity this past September, has resurfaced. It spreads in a commonplace but nonetheless dangerous way, as a malicious zip file distributed by spam email.
Starting point is 00:10:44 There are a number of different cryptocurrencies in circulation, but at least one of them isn't what it appears to be. In fact, it's not a cryptocurrency at all. Researchers at security company Fortinet report that SpriteCoin is a bogus cryptocurrency that's nothing more than fish bait. It leads the unwary to ransomware. It also adds not just insult to injury, but further injury to injury
Starting point is 00:11:08 by not only encrypting victims' files, but installing other malware that lingers after decryption. Once the marks cough up the ransom, payable only in the genuine cryptocurrency Monero, SpriteCoin's decryptor uploads a fresh malicious executable and leaves malware behind on their machines that parses images, harvests certificates, and activates web cameras.
Starting point is 00:11:31 So remember, there is no such thing as SpriteCoin. It's a scam whenever and wherever it appears. The Muscat securities market in Oman, a stock exchange with a $23 billion market cap, has closed a Telnet vulnerability – Telnet is always bad news nowadays – and also changed the credentials on one of its routers. Those credentials were, of course, wait for it, username admin and password admin. Finally, researchers at Pradeo Security Systems have found that three Sonic the Hedgehog games for Android, all available in the Google Play Store, are leaky. They could expose users' geolocation, and they could also expose them to man-in-the-middle attacks.
Starting point is 00:12:15 The games are Sonic the Hedgehog Classic, Sonic Dash 2, Sonic Boom, and Sonic Dash. The information leaked includes mobile network information, service provider names, network types, OS version numbers, and device model and manufacturer. The problem seems to lie in the use of a third-party library, Android in MobiD, which allows campaign monitoring, crash reporting, and software analysis. The library does so through 11 servers, three of which are insecure. Maybe you're not worried because you're more of the Crash Bandicoot type. Thank you. Again, for now, anyway, is that anthem petition for City Escape still open?
Starting point is 00:13:11 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Do you know the status of your compliance controls right now? Like, right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:50 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:27 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:13 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. Hi, Dave. So we got some feedback from a listener.
Starting point is 00:15:39 This is from Nathaniel Yu. He's had a couple of ideas about security postures, and I think they're worth discussing here. One of them is, instead of teaching people not to click suspicious links, teach them never to click links in emails, or even better, disallow links altogether. This can be done without disrupting internal communication simply by placing links in a safe site or shared folder,
Starting point is 00:16:01 which the end user must authenticate into, and then notifying them that the link exists via email. What do you think? There are systems that you can get for your email now that will strip links out of the email message because it's just a simple regular expression. So it's pretty easy to identify a link, particularly if it's in HTML. Anyway, because they all look kind of similar. They all have a regular syntax that must be matched in order for the URL to work in the first place. So matching them is easy, and then taking them out is a simple find and replace.
Starting point is 00:16:41 I know that at the university, we have a system that if the link is identified as suspicious, it will replace that link in your email with a Hopkins webpage that lets the user know, we think this link is malicious. You shouldn't click on these links. So it sort of quarantines it. Yeah, it kind of quarantines it and takes it out. Makes you think twice. I do like the idea of completely removing all the links and telling people, don't click on any of these links.
Starting point is 00:17:03 I think that's a good idea, actually. And if you get an email from whoever you think it's coming from, let's say you're doing business with Capital One or Wells Fargo, and you get an email from them that has a link in it, never click on that link. Just go to your web browser and enter the name of the website that you're going to or use your own links. Access the web page that way. Yeah, because even if you mouse over it and it looks familiar enough, they've gotten clever enough that they can make it look familiar enough. That's right. They started buying up domains that look similar. They've replaced Ls with 1s.
Starting point is 00:17:41 And there's a very small chance that you'll notice that the pixel on the L is not aligned with the top of the L. Instead, it's dipped down one pixel on a serif. And it's something as simple as that. Replacing a 1 with an L, or an L with a 1, rather, can totally take you to a completely different website. Right, of course. So better safe than sorry. Yep. All right.
Starting point is 00:18:06 Joe Carrigan, thanks for joining us. My pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:18:40 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Starting point is 00:19:31 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:20:19 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
