CyberWire Daily - ISIS war on families. Cryptomining botnets. The weaponization of Spectre and Meltdown. Phishing with bogus emails spoofing Google, Microsoft. Apps that know too much.
Episode Date: February 1, 2018. In today's podcast, we hear that ISIS inspiration is increasingly directed at children. Cryptomining botnets use the same EternalBlue exploit as WannaCry. Criminals experiment to weaponize Spectre and Meltdown vulnerabilities. Phishing campaigns exploit well-known services including Google Docs and Outlook. Patch notes. Ben Yelin from UMD CHHS on the National Association of Insurance Commissioners adopting a model data cybersecurity law. Guest is Shashi Kiran from Quali on cyber ranges and cloud sandboxes. Geolocation and other app-collected info raise OPSEC concerns. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Thanks again to all of our Patreon supporters.
You can find out how you can become a supporter at patreon.com slash thecyberwire.
ISIS inspiration is increasingly directed at children. The Cyber Wire. We've got some patch notes, and geolocation and other app-collected info raise OPSEC concerns.
I'm Dave Bittner with your CyberWire summary for Thursday, February 1, 2018.
Its caliphate may have been extirpated from the territory it once held,
but ISIS continues to recruit and inspire in its online diaspora.
They concentrate on the young, mostly teen and tween boys, feeding them music, slogans, and alas, beheading videos.
Foreign Policy magazine calls it a continuing war on families,
many of whom have already lost mostly sons to terrorist inspiration.
A lot of the fighters killed in Iraq and Syria were teenagers,
and ISIS has concentrated patiently on wooing boys online over the course of years,
with its promise of transcendence and authenticity.
Jihad's religious appeal is a central part of ISIS messaging.
Anyone who has observed how online gaming, music and video can capture a child's attention will have at least some sense of what Syrian parents are up against.
A very large crypto-mining botnet called Smominru has been in circulation since last May.
It's believed to have infected more than half a million Windows machines and earned its criminal masters millions.
Its coin of choice is Monero,
but the bots it's herded are found mostly in Russia, India, and Taiwan.
The botnet's current daily take is estimated at $8,500.
Researchers at security firm Proofpoint say that
Smominru gets its entree into victim machines
through the EternalBlue exploit, that's CVE-2017-0144.
EternalBlue, dumped by the Shadow Brokers in what they characterize
as the release of stolen NSA Equation Group exploits,
is the same one used by the WannaCry ransomware attack last spring.
The WannaMine crypto miner described last week by CrowdStrike continues to circulate.
This fileless malware also uses the EternalBlue exploit.
It appears that Smominru and WannaMine are distinct campaigns run by different threat groups,
but these stories continue to develop.
Hackers are also working on other malware to hit those who haven't yet patched EternalBlue
and other alleged Equation Group exploits the Shadow Brokers released last year.
AMD has, like Intel, announced that its next generation of chips will not be burdened with either Meltdown or Spectre.
In the meantime, patching efforts continue.
The vulnerability has so far not been exposed to threats designed to take advantage of
it, but of course we can't count on that forever. In fact, malware exploiting Spectre and Meltdown
CPU vulnerabilities is expected to break into the wild in the near future. Researchers and a number
of security firms have observed more than 130 distinct samples of malicious code designed to
attack these flaws. The security firms studying the activity, AVTest, Fortinet, and Minerva Labs,
have concluded that exploits aren't proofs of concept, at least not for the most part.
Instead, researchers believe they're observing criminal experimentation with new attack tools.
The experiments appear to be making use of proof-of-concept code publicly released
shortly after the vulnerabilities were disclosed.
We are therefore seeing weaponization of a vulnerability follow the familiar post-disclosure path.
Who's doing the experimenting with Spectre and Meltdown the researchers either don't know or aren't saying,
but some of them are speculating that some nation-states and not cyber-criminals
will be the first to use them once they're ready.
Barracuda warns that it's found criminals impersonating Google Docs, Outlook, and DocuSign.
They send emails that purport to be from these trusted services
and that claim to remind you that you have unread messages.
The links in these phishing emails are, of course, malicious.
Don't be fooled.
Imagine you've got a system or process you need to test safely in a controlled environment.
One method you might use is a cyber range in a cloud sandbox. Shashi Kiran is from Quali,
a cloud sandbox provider, and he explains the use cases. For those of you who are familiar with shooting ranges or gun ranges
where you're in a position to go exercise arms in a safe and controlled manner,
think of something very similar, but in the context of a cybersecurity environment.
So a cyber range essentially is an environment set up either for testing complex applications, testing certain production scenarios, or for training purposes.
And so setting up a cyber range within a cloud sandbox, what are the advantages for doing that from a security point of view?
A sandbox is essentially a replica of any environment.
It could be an IT production environment.
It could be something that's in the data center that could be in the context of a lab or potentially even
something that represents a physical environment. You could relate this to like an air traffic
control situation, power grids, water supplies, security op centers. No matter what the environment is,
if you want to bring that in the context of a representative simulation of sorts,
then you can create a sandbox which essentially models all of these different components
and exposes them to either developers and testers or to security professionals or to your networking staff,
whoever needs to get exposed to this environment to come up to speed on security posture.
And so the sandbox allows modeling of these environments, bringing them up, and then allows
them to be torn down when this activity is complete. So that's really the notion of the
sandbox. We call it a cloud sandbox because this environment can be deployed onto any cloud.
It could be in a private cloud environment over bare metal, or it could be in a public cloud
environment on Amazon, Azure, OpenStack in a private construct, or even in a hybrid
cloud environment. So that's really the notion of
the cloud sandbox, which is deploying any environment on any cloud, bringing it up and
tearing it down. So if you were to now bring this up to reconstruct a cybersecurity environment
and expose that for either development testing or simulation or training, then it becomes a cyber range.
And that's really where we're seeing a lot of pull from defense institutions,
from larger corporates that want to train their staff and security administrators and professionals,
as well as some of the frontline security staff to just make them very savvy about the entire end-to-end security posture.
And so the benefits for a company to invest in this sort of thing, can you outline that for us?
Yeah, today if you look at the type of threats that are coming in, they're exponentially increasing.
And you also see that the complexity of the environment is also
increasing. Everything is connected, whether it be power grid situations, things on the battlefield.
We have internet of things coming in where endpoint devices and wearables and smart meters.
The more connected things become, the more complex the environment is as the value chain gets fragmented.
And the harder it is to really detect what your end-to-end security posture is and to ensure that environment is reasonably fortified.
This is where we're seeing a lot of interest come in to model such a complex environment, particularly in the context of
larger enterprises and corporations, as I mentioned, but also service providers that want to
take the notion of a cyber range and offer it to their end user customers and allow them to
customize sophisticated protocols quickly or use it for certification and training purposes or to create and test
different strategies as they harden their security posture.
We're also seeing this in the context of defense institutions where they want to, let's say,
take a battle tank, which again is a connected entity or a submarine, and you want to be
in a position to model this and bring this
and ensure that the communication protocols are tested
and your ability to handle certain situations
is done in a very authentic manner.
So these are some of the situations that crop up very frequently, Dave.
That's Shashi Kiran from Quali.
In patching news, ManageEngine has fixed several zero days disclosed to it by Digital Defense.
Mozilla has fixed a remote code execution issue in the Firefox user interface.
Firefox version 58.0.1 has the patch.
Apps that geolocate devices continue to raise OPSEC concerns.
OPSEC is of course the military acronym for Operational Security, but civilians have related concerns. who may be listening, most of us don't necessarily want our location uploaded and made available to
the idly curious, still less to the many who might wish to audit our daily activities for
their own purposes. The Strava fitness app has worried the U.S. Department of Defense for the
potential it had to reveal troop locations in its heat map. You might wonder why Strava would
collect, aggregate, and anonymize user data and publish it in a heat map.
Strava CEO James Quarles explained their thinking,
quote,
Our heat map provides a visualization of activities around the world,
and many of you use it to find places to be active in your hometown or when you travel.
In building it, we respected activity and profile privacy selections,
including the ability to opt out of heat maps altogether.
However, we learned over the weekend that Strava members in the military,
humanitarian workers, and others living abroad may have shared their locations in areas
without other activity density, and in doing so, inadvertently increased awareness of sensitive locations.
End quote.
In any case, U.S. Secretary of Defense Mattis thinks it's enough of a problem
that he's considering banning not only fitness apps but smartphones from the Pentagon entirely.
He's directed Undersecretary of Defense for Intelligence Joseph D. Kernan to explore the
issue and develop an appropriate policy. Since the location of the Pentagon is no mystery,
it's clear that the concerns aren't that a heat map is going to betray its position.
After all, the old, now gone, hot dog stand that used to do business in the Pentagon's central courtyard
had the Cold War nickname, Ground Zero Cafe.
We have to ask if the Secretary has considered the morale effects of a ban.
What will all the lieutenant colonels do for stress relief on their breaks if you take away their Clash of Clans? Walk across Columbia Pike to the mall? That's a hike.
And you'd have to go all the way across the parking lot without so much as a Fitbit to
track your caloric expenditure or a Waze to keep you from getting lost. Don't kill morale.
We don't want to see the joint staff's readiness posture degraded.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what
AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is
critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw an article
come by from the National Law Review. It was talking about how the National Association of
Insurance Commissioners, the NAIC, are going to be adopting a model data
cybersecurity law in response to some of the hacks that we've seen, specifically the Equifax breach.
Take us through what's going on here. So the NAIC is finalizing what would be a model
data cybersecurity law. It's premised largely on what New York State has done specifically in response
to that Equifax breach. We see this in other areas of the law where you have interest groups.
They want to develop some sort of national standard, but they don't think either Congress is
capable or willing to put it into play at the federal level. And they realize how much power
states have, state agencies have, state legislatures have. So they develop a model
piece of legislation and basically bring it to every state legislature in the country and look
for volunteers to get it enacted. I mean, we've seen that in the criminal context with the model
penal code. And in recent history, we've seen that with a number of pieces of legislation. So I think the approach is
particularly novel, trying to come up with model legislation for the states to adopt.
So is this kind of an end around to get in front of before the feds said to policy that you can go
to the states? It seems like I mean, this is a trade group who's trying to get this done, right?
Yeah. So in some ways, it could be seen in that way.
There are also, you know, we know that Congress only has enumerated powers.
They can only enact laws in areas that are under their jurisdiction.
And while most cyber policies are going to have some sort of effect on interstate commerce,
that's not necessarily always going to be the case.
But more from a practical level, I think, because Congress is so paralyzed, this interest group sees more potential in state
legislatures, you're not confined by filibuster rules or national hot button political debates.
I think it would just be a more expeditious and easier way to enact these minimum standards. And,
you know, I think states are going to be
more amenable after seeing the high profile events that have happened over the past several years.
Now, when these sorts of things get presented to state legislatures,
do they pass through with a few changes or is this just a starting point for a conversation?
I think the less controversial the topic, the fewer changes that you're going to
see. I don't think you're going to have partisan legislatures fighting over the details of minimum
data security standards, especially at state legislatures where many legislators are part-time,
aren't as well-versed and experienced in the issues as members of Congress are.
My hunch is that these
standards are more likely to be rubber-stamped in state legislatures than in our federal Congress,
and that might be the impetus behind undergoing such an effort here.
All right. Ben Yelin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced
in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing CyberWire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yelin, Nick
Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter
Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.