CyberWire Daily - JenX botnet and DDoS-for-hire. RoK CERT warns of Flash Player zero-day. Cryptocurrency mining and scamming. ICS security trends. Twitter cleared in terror trial. The Nunes Memo is out.

Episode Date: February 2, 2018

In today's podcast, we hear that the JenX botnet will conduct DDoS-for-hire, if you've got twenty bucks. South Korea's CERT warns of an Adobe Flash Player zero-day being exploited in the wild. Bitcoin's price drops below $9000, but miners and scammers are still after this and other cryptocurrencies. BeeToken's ICO is used to phish for Ethereum. ICS security reflections in the wake of the Triton/Trisis attack. The 9th Circuit rules that Twitter didn't provide material support to ISIS killers. Rob Lee from Dragos on the security of wind power systems. Guest is Dana Simberkoff from AvePoint, with a discussion on women working in privacy, and why it's one area where we are doing well at getting an equal number of women engaged. And the Nunes Memo is out, declassified and unredacted.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The JenX botnet will conduct DDoS for hire if you've got 20 bucks to spare. South Korea's CERT warns of an Adobe Flash Player zero-day being exploited in the wild. Bitcoin's price drops below $9,000, but miners and scammers are still after this and other cryptocurrencies. BeeToken's ICO is used to phish for Ethereum.
Starting point is 00:02:17 ICS security reflections in the wake of the Triton/Trisis attack. The Ninth Circuit rules that Twitter didn't provide material support to ISIS killers. And the Nunes memo is out, declassified, and unredacted. I'm Dave Bittner with your CyberWire summary for Friday, February 2, 2018. Radware has located a new Internet of Things botnet whose functionality they liken to Mirai. The botnet is being called JenX. They've traced the host to a hacking group, San Calvicie, which operates a server in the Seychelles. San Calvicie hosts the venerable online game Grand Theft Auto San Andreas in an environment that enables players to create and share mods. They're also in the denial-of-service protection racket and will keep you operating for just
Starting point is 00:03:11 $16 a month. They offer denial-of-service-as-a-service, too. You can direct Corriente Divina, that is, Divine Stream, attacks against a target of their choice for $20. San Calvicie initially offered attacks at 100 gigabits per second. That offer tripled to 300 gigabits per second as the hacking group began to build the JenX botnet Monday. Radware says that the size of JenX is harder to gauge
Starting point is 00:03:38 than was the size of the Mirai botnet. They do, however, think it could well run into the hundreds of thousands. Rockstar Games, producers of the base Grand Theft Auto game, didn't offer any comment to CNET when they were contacted, and it's probably worth observing that San Calvisie isn't Rockstar. It seems worth noting that Mirai's creators, now enjoying a sabbatical at Club Fed, were similarly interested in gaming. In the case of Mirai, their game was Minecraft.
Starting point is 00:04:07 San Calvicie is interested in GTA. Their advertisement for JenX-enabled attacks says, God's wrath will be employed against the IP that you provide us. The chest-thumping blasphemy suggests a certain gamer detachment from the kinetic realities of meatspace. Radware thinks it likely that the attacks would be for the most part hired by hosts interested in taking down rival services. The prices seem low, which suggests either bad business acumen on the part of San Calvicie
Starting point is 00:04:36 or that they make their profits on volume. We hope it's the former. South Korea's CERT warns that an Adobe Flash Player zero-day is being exploited in the wild. Adobe is moving to patch its much-exploited, often-fixed product. Many security experts say the best patch for Flash Player is to simply disable it. Many observers think the exploitation, apparently in progress for two months, is the work of North Korean hackers, but that remains at the moment a speculative and circumstantial judgment.
Starting point is 00:05:08 Bitcoin's price has hit a two-month low, falling yesterday to just under $9,000 per coin for the first time since November. Ars Technica sees a wave of bad news stories contributing to the drop: Facebook's announcement that it will restrict cryptocurrency ads, the Securities and Exchange Commission's clampdown on AriseBank, and rumors that Tether may be on the verge of insolvency. Tether is a cryptocurrency pegged to the U.S. dollar that many Bitcoin traders use as a dollar surrogate,
Starting point is 00:05:37 but there are reports that Tether has had difficulty gaining the banking system access it would need to convert Tether to dollars. But for all this, cryptocurrency miners and scamming continue unabated. BeeToken speculators were just winkled out of another $1 million in Ethereum after succumbing to phishing attacks baited with BeeToken's ICO. Note that BeeToken isn't the fraudster here. Rather, cybercriminals are taking advantage of its initial coin offering to dupe eager speculators. Threats to industrial control systems grow with the attack surface.
Starting point is 00:06:11 A study by Positive Technologies finds that industrial systems are increasingly networked, but that many industrial IoT devices continue to be regarded as too unimportant to receive much attention, let alone serious security. Among their examples are building control systems for such functions as HVAC. It was, of course, through HVAC that Target was breached in 2013. A Monaca survey of operators shows some surprising results with respect to industrial system safety and security. ICS security maven Joe Weiss participated in the webinar during which the survey was conducted.
Starting point is 00:06:48 The topic was the Trisis or Triton safety system hack, so participants were likely to have this recent incident in mind. The respondents thought production downtime and personnel safety were the most serious effects of an ICS attack, and Weiss found that answer reasonable and refreshing. What surprised him was that none of the respondents thought firewalls and network filtering were ways of improving defenses against ICS attacks. On the other hand, a 41% plurality thought that hardening endpoint devices and gateways
Starting point is 00:07:18 was an important defensive measure. This came after an explanation that Level 3 and Level 1 endpoint devices, process sensors, actuators, and drives, lack security or authentication. In legal news, the U.S. Ninth Circuit has ruled in favor of Twitter in a lawsuit that sought damages from the social media platform on the theory that it culpably enabled terrorist inspiration. The ruling was in connection with a suit that alleged giving Twitter accounts to ISIS terrorists violated the Anti-Terrorism Act. The plaintiffs, representing the estates of two American contractors murdered by ISIS, claim that the network's provision of accounts amounted to material support for the terrorist
Starting point is 00:07:58 group. The House Intelligence Committee's controversial staff memo on surveillance practices, the Nunes memo, has just this afternoon been released over the objections of the FBI. The memo, dated January 18th and originally classified top-secret NOFORN, meaning that disclosure to foreigners was prohibited, was officially declassified today. The memo says its findings, quote, 1. Raise concerns with the legitimacy and legality of certain DOJ and FBI interactions with the Foreign Intelligence Surveillance Court, the FISC, and 2. Represent a troubling breakdown of legal processes established to protect the American people from abuses related to the FISA process, end quote.
Starting point is 00:08:44 Essentially, the memo's findings come down to FBI and DOJ reliance on the uncorroborated Steele dossier as its grounds for seeking a surveillance warrant against a former advisor to then-candidate Donald Trump, their use of news stories sourced from Christopher Steele as corroboration of the dossier he prepared, and their failure to disclose to the FISA court the payment of $160,000 to Christopher Steele by the Clinton campaign and the DNC. Other findings cover what the memo characterizes as evidence of political motivation on the part of FBI and Justice Department officials. The FBI disputes the findings, as does the Democratic minority memo, which is expected to be released next week.
Starting point is 00:09:26 The memo released today is brief and can be found in its entirety on Document Cloud by searching Nunes Memo. You'll also find an annotated copy on the Washington Post site. The minority memo isn't out yet, but you can read the press release on it at democrats-intelligence.house.gov slash news. a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:10:31 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:11:00 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:11:48 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You and I have been working our way through some of the various ICS categories, talking about security issues with them. And today we're going to talk about wind power. Bring us up to date here.
Starting point is 00:12:23 Yeah, what a cool time in history. So we're seeing diversified energy resources like never before. And one of those big sources of energy into national economies and these national grids now are wind resources. And they operate kind of like, you know, you'd expect with a SCADA environment and control systems and physically controlling the environment
Starting point is 00:12:48 and measuring and all that good stuff, but they do have their own additional challenges. So each turbine, as an example, has its own computer, has its own controller there with it. It's almost like each one of them is their own little island of success and failure instead of necessarily being dependent on other locations. And even though you're going to harvest the energy off of each one of those
Starting point is 00:13:09 back to a central site, they each operate as like little individual sites. And so a wind farm has a more diversified approach to their security than many other energy industries. And there's also the considerations of once you produce that energy, how do you get it to the grid? So we're familiar and work with one big wind balancing authority who does a fantastic job at it, actually, based out in California, where a big portion of their business model was developing the control center that could serve as the energy management system for all these diversified wind farms and so basically the mom and pop wind farms can start up
Starting point is 00:13:52 and then connect to them so that they can then balance the electricity that goes and flows into the grid because there's a whole ecosystem and market there of you know promising you can produce a certain amount and actually being able to connect it up just because you produce energy doesn't mean you can connect it to the grid. But if you do produce energy and follow the right guidelines, then you can. And they basically have built a model on that. What that introduces, though, from a security concept is really interesting. The centralized control center in of itself is operating like their own little feudal system, right, doing their own little security. They're dependent on the security taking place at the wind farms. But these can be mom and pop type wind farms that definitely are not thinking about security.
Starting point is 00:14:32 And more importantly, the specialized skill sets around optimization of wind farms can be remote. And so there are wind farms that might be managed and maintained, not on a day-to-day basis, but sort of from the optimization perspective or even just from the SCADA environment remotely. We know of places doing it, like from Spain, as an example, where the physical asset is located in one country, like the United States. The consumer is located in the United States. And all the stuff in the middle is the near normal control center and electric grid infrastructure. So it's if you sort of have this like BYOD kind of mentality, but to your electric resources. So you can't trust anything in there. You can't assume that you should assume actually that your Spanish based company is compromised.
Starting point is 00:15:22 You should assume that there's compromises inside of your wind farm itself. You should assume that the control center itself might be compromised from its own internal assets. There's a lot of risk there from the compromising. Now, it doesn't mean it all stops. And because these are diversified resources, if you manage to do an attack to one, it's not like it all goes down. So there's been some research put out there that was like, oh my gosh, I figured out a way to take down all all solar panels or all wind farms. And I'm not really. It's still very difficult in an adversary operations scale, but it's still something to be considered. So in short, I would say an awesome opportunity for economies.
Starting point is 00:15:57 But it does change the energy diversification and the energy portfolio that we have as a country, which has its own pluses and minuses. But at the same time, we've got to make sure that we're introducing security in these locations because as mom and pop type shops can open up or smaller companies and startups can open up and start producing energy for our grid and open those connections up to locations that are not necessarily being well monitored, that introduces a lot of information attack space. So this is also an area where being very proactive and going hunting for the threats actually makes a lot of sense for the wind farm owners and their operators. All right. Robert M. Lee, thanks for joining us.
Starting point is 00:16:44 Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Dana Simberkoff. She's the Chief Risk, Privacy, and Information Security Officer at AvePoint, a company specializing in Microsoft Cloud solutions. Our conversation centers on the opportunities available in data privacy, especially with regulations like GDPR coming,
Starting point is 00:17:46 and how privacy is one area of tech where gender equity is close to being a reality. In my role at AvePoint, I serve in a dual function, both as chief privacy officer and chief security officer. And then working for a technology company, I really wear three hats, and I'm a woman in privacy, technology, and security. And so as part of my work in the privacy profession, which I've been a part of for almost my entire career now, I'm happy to report truly close to gender equity, if not absolute equity. In fact, the International Association of Privacy Professionals, IAPP, which is the global industry association that certifies privacy professionals around the world, has done a number of studies on this. And they have found that there are an equal number of women and men in the privacy profession
Starting point is 00:18:31 and an equal number of women and men in senior roles in privacy as well. So I think that's a very positive note and something hopefully that can serve as a goal for other professions as well. Is there any data behind why that particular subject area is doing better? Do you have any suspicions for why we find more women in the privacy area? Well, I have my opinions and I'm happy to share those. I'm not sure that they're based on anything scientific or that there have been studies, but I think there are a couple of reasons. Privacy is an emerging field. It's certainly not been around... well, actually, privacy has been around since the dawn of man, so I won't say that. But privacy as a profession is a newer profession than security, and it certainly. And as such, it's really come to the forefront over the last, really just the last few years, the last several years. And we see this in terms
Starting point is 00:19:31 of the numbers of members of IAPP and the number of people getting certified, which have just sort of doubled year over year over year for the last few years. But prior to that, the growth was relatively slow and relatively new. So that being said, I think that there were, one, more opportunities that were available in privacy. And also because it wasn't a really high profile job, it wasn't as well known. I think there were a lot of women that, you know, were there to raise their hands to say this is something I'd like to do or I'd like to try. And there wasn't as much of a sort of dominance already in that marketplace as there is in other professions. That's one piece. The other part of it is I think that a lot of people in privacy come to privacy with a legal background or a compliance background. And because there's also a lot more, I think, gender parity in that legal
Starting point is 00:20:26 background versus security and IT, which are traditionally, and sort of looking at just even education and what students are going into, there are less women in those fields. And so I think that there's also that that has helped women be more part of this profession as well. Yeah, let's dig into that a little bit. I mean, for either the young woman who's coming up through school or maybe someone who's considering a career change, what advice do you have for women who are looking for a career in cybersecurity or data privacy? Well, I think personally, and this is something that is something I believe in very strongly,
Starting point is 00:21:04 that there should be a lot more education at the secondary school level, certainly at the college level, and definitely at the graduate school level in privacy. Privacy is personal. It affects 100% of our population. So unless you live entirely off a grid, privacy is definitely relevant to you. And so it's something that I believe very much like constitutional law and basic education. It's something that we should all learn just as part of our everyday lives, because it's important, as is security. But I think that there are many things that you can do on your own to learn more about it. Again, I've mentioned IAPP, the International Association of Privacy Professionals. That is the de facto global industry association of privacy professionals. They do a lot of
Starting point is 00:21:50 education. A lot of the education that they do is free and available to students. So whether or not you're a professional who's looking at expanding your horizons and looking at new careers, IAPP has some great resources for you. But also, if you're a student and you're early in your career, they do a lot of professional education. They do a lot of networking and training. Again, that is free to both members and to non-members as well. And they're just some great resources. For example, they have newsletters that you can sign up for, that anyone can sign up for, that just give you information about privacy, privacy news around the world every day. And I think that's a great way to educate yourself on what's happening in the space and to begin to, you know, explore whether it's a potentially a career that might be of interest to you.
Starting point is 00:22:44 The other advice that I give to everybody, to young women and to young men in their careers, and I do a lot of mentorship both formally and informally in my role at AvePoint and in my work with IAPP as a member of some of their advisory boards. I think it's important to have mentors, to find mentors throughout your life, whether they're professional mentors that you have in your workplace where you actually connect with somebody in a senior position, but that you also have these role models informally in your life too. I had many in my life. They were both people that I worked with and worked for and people that I knew through, you know, non-work relationships, people that I modeled myself after. I think even today in my career, I always think, what do I want to be when I grow up? And finding those people that you can emulate, asking for advice, asking them for coffee and getting guidance is always a really positive thing. It's a way to grow your career and grow your professional network.
Starting point is 00:23:35 I do think that it's important for, you know, specifically on the topic of women advancing in IT and security. I think it's important for women to support other women in their career paths. But also, I always like to add that some of my best mentors and best managers throughout my career have also been men. So I don't think it's a woman's issue. I think it's a people issue. And I think it's a question of building a culture in which people are recognized based on their talents more first and foremost above anything else. And I think it is incumbent on everybody individually, regardless of whether you're a man or a woman, to do your best at your job and to make sure that you're your own advocate as well. So this is something I think women
Starting point is 00:24:22 sometimes are not as good at as men. And that is to really be your own advocate, to promote yourself and your work and to make sure that you gain recognition for what you're doing and that you do it in a positive and appropriate way, of course. But there are many great resources out there for helping to do this, whether you're a young professional man or woman. I think it's important to continue to make those connections and to build your confidence inside and outside of work. That's Dana Simberkoff from AvePoint. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:25:26 of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:26:11 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
