CyberWire Daily - It's the first of June, and the ShadowBrokers' exploit-of-the-month club is open for business (exploits to be delivered to subscribers in July).
Episode Date: June 1, 2017
In today's podcast we discuss the ShadowBrokers and their new exploit-of-the-month club, now open for subscription. We get some industry reaction, and it seems unlikely that the ShadowBrokers should be taken at face value. Plus, Webroot's David Dufour gives us the dirt on worms.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It's June, and the Shadow Brokers say they're open for business.
Do you know where your exploits are?
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 1st, 2017.
It is the first of June, and at such times our minds turn to the Shadow Brokers.
We touched on them briefly yesterday, but there's more to say.
June is the month when, having tried direct sales, auction, and crowdfunding since their first Equation Group dumps last August, the Shadow Brokers turned to an exploit-of-the-month club. For $22,000 in Zcash, a member will get an unspecified exploit said to have been stolen from NSA. Zcash is an alternate cryptocurrency the brokers are using instead of their former medium of exchange, Bitcoin.
They added a helpful FAQ this week, which includes a not-so-reassuring take on Zcash.
To the sensible frequently asked question, is Zcash safe and reliable?
The brokers replied as follows.
We've edited slightly because we're a family show, but you get their demotic drift.
F no. If you care about losing 20k in euro, then not being for you.
Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments.
Playing the game is involving risks.
Zcash is having connections to USG, DARPA, DOD, Johns Hopkins, and Israel.
Why USG is sponsoring private version of Bitcoin?
Who the F is knowing? In defense, Tor is originally being by similar parties.
The Shadow Broker is not fully trusting Tor either.
Maybe USG is needing to be sending money outside from banking systems.
If USG is hacking and watching banking systems, SWIFT, then adversaries is also hacking and watching banking systems.
Maybe is for sending money to deep cover foreign assets.
Maybe is being Trojan horse with cryptographic flaw or weakness only NSA can exploit.
Maybe is not being for money.
Maybe is being for zk-SNARK research.
Maybe, F it, let's be finding out.
This month the shadow broker's using Zcash.
If being not good, then maybe the shadow brokers doing different for July.
We confess to a certain local pride in Baltimore's own Johns Hopkins being mentioned in dispatches.
Beyond that, however, note the way the Shadow Brokers have turned their message to recent news coverage, much of it prompted by themselves, connecting NSA to insecurities in the global financial system.
If you, like us, is not fully trusting Shadow Brokers' romantic self-presentation as big-time little guy Davids fighting and beating the big-time big guy Goliath of Equation Group, you is maybe thinking they too artful and aligned with some big guy foreign intelligence service.
Or maybe it's just wise guys from Anonymous running their words back and forth through Google Translate to sound funny, like our friends at KnowBe4 told our editor the week before last.
It's only fair to point out that the shadow brokers say they intend to include sensitive data
from Russian, Chinese, Iranian, and North Korean sources.
The North Korean material, the brokers suggest, is touching on Pyongyang's nuclear program.
All this may be real, or it may be misdirection,
but the shadow brokers do seem to have given NSA the lion's share of their attention.
Here's the industry reaction we've been receiving.
Security company Balabit's Csaba Krasznay counsels healthy skepticism, but finds this whole business scary and says that it should serve as a wake-up call for governments.
He says, quote,
On one hand, if the exploits are really existing and someone or multiple parties buys them, we may be faced with another WannaCry campaign, as we can be sure that the buyers will monetize these exploits.
On the other hand, if the whole story is not true, Shadow Brokers' questionable reputation may suffer, and it may seek to prove trustworthiness in another destructive way.
End quote. Krasznay thinks there's a lesson here for governments.
Whatever the truth is, it's clear now that the governments should handle their cyber weapons in ways similar to the handling of their weapons of mass destruction.
Otherwise, perhaps a disgruntled, privileged administrator might steal one, or perhaps someone may simply forget to delete it after use in an operation.
Those codes shouldn't get to a Shadow Brokers-like group, and this is a government responsibility.
We note that who the Shadow Brokers are, and how they got their hands on what Microsoft and others have publicly said are NSA exploits, remain unknown, at least to the general press and public.
We also heard from Cyphort Labs. Their Mounir Hahad is prepared to consider what the changes in the Shadow Brokers' nominal business model might be if they're taken at face value. He sees them as trying various approaches on for size and seeing which one yields the best margin. He says, quote, they've tried an auction sale, a direct sale, and now a subscription model. None of these approaches seem to have generated...
He says, quote, subscription is disturbing because it's affordable. Quote, my concern would be with rogue entities like cyber crime groups, which now would have more affordable access to weapons of choice. Some not so well-funded foreign governments may dip their toes in as well. End quote.
Our financial staff did some quick research and told us that $20,000 would buy you an entry-level Honda Civic, or, if you're in it for the long haul, monthly payments on a foreclosure in Fresno. So the barriers to entry in this particular market do seem to have fallen to where a modestly funded gang could become a player.
Hahad closed with some good advice for the security industry. He hopes the Shadow Brokers won't induce security companies to subscribe out of fear of being the last one to know. He hopes the industry at large adheres to customary codes of conduct and declines to do business with the Shadow Brokers.
Finally, StealthBits Technologies' Gabriel Gumbs wrote in an email that he, for one, is very skeptical about the brokers' declared motives.
He said, quote,
Of the list of items that the shadow brokers have suggested would be a part of their monthly
data and exploit ordinary web,
but most of the damage is done by compromised networks.
If the Shadow Brokers really had compromised SWIFT credentials, why wouldn't they use them? Why would they sell them? As Gumbs puts it, quote, so why would a group of hackers need to peddle exploits and the like if they have, at their disposal, the means to steal untold amounts of money? I, for one, am very skeptical of the group and their motives, end quote.
The Shadow Brokers, then, if taken at face value, are like the psychic for hire who offers you lucky numbers for the lotto, or surefire penny stock tips, all for a modest price. If they really knew, why wouldn't they use the knowledge themselves, instead of making nickels and dimes selling it? The moral is that whatever their motives are, a very significant fraction of these motives must be something other than profit.
Joining me once again is David Dufour. He's the senior director of engineering and cybersecurity at Webroot. David, welcome back. You know, big in the news lately has been the WannaCry ransomware, and of course part of the way that it gets its way into people's systems is that it is a worm. We thought we'd check in today with you to find out, what does that mean? What is a worm and how does it work?
Hey, it's great to be back, David, and I appreciate you having me. And yeah, it's pretty interesting. Everyone's been focused on WannaCry, how it's ransomware, and we've not really been talking a lot about how it propagates. And worms have been around for quite some time. And the big difference between a worm and the now popular phishing is that worms have been written and coded in such a way that once they've landed inside of, say, a network or your home, they start looking around to see what other computers they can get on. And ways they might do that is by looking at file shares or looking at open ports and maybe dropping a new version of themselves out somewhere where someone might pick them up. And then that's how they're moving around the network.
Basically, once they get past that first line of defense into the system, then they have free rein to sort of spread out and try to find new places to do their dirty work.
That's exactly right.
Think of it as they're kind of stretching their arms and legs, just seeing where they can get.
And so what's interesting is the folks who created WannaCry, they had to actually add more code that they wrapped around the ransomware. And that code, as we described, once it lands, it starts looking around to see what it can infect and figure out how to spread itself. So it's a little more advanced than your typical phishing where it's just that malicious payload, because it has to do more inside that network to do that exploration and see what exists where it can infect things.
And in a situation like this where you have a worm, is this the kind of thing that your typical antivirus software would be able to notice and shut down?
Yes, it would. So an antivirus software would typically be analyzing the worm once it's landed on the machine. So it might not be able to detect things sniffing around the network. That starts to get in discussions around network security and analyzing behaviors that are occurring on the network, where an antivirus is going to detect it once it's landed on that endpoint where the antivirus is installed.
So just as a general bit of advice, what's the best way to protect yourself against something like this?
Well, the number one way is, of course, have antivirus. But let's say you're a home user. Don't have open administrative passwords on your file shares or on your computer. Make sure you have a password, because what those worms do are try to get access to other computers inside of a network. And they're going to look for administrative access. And a lot of people at home just make administrative passwords blank. And all of a sudden, once something's inside that perimeter, they can own you. So just make sure you've got passwords. It's that same, you know, security hygiene. Always make sure you have good passwords.
All right, David Dufour, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.