CyberWire Daily - KRACK attacks. Iran's growing capability in cyberspace. Swedish and Polish targets probed by state-directed cyber ops. QR code security issues. Russia to introduce official cryptocurrency.

Episode Date: October 16, 2017

In today's podcast, we hear about how KRACK attacks get past secure wi-fi protocols. Probes and distributed denial-of-service incidents in Poland and Sweden have the look of state operations. East Asian threat actors are moving on from cyber espionage to supply chain attacks. Iran is blamed for June's hack of UK Parliamentary email. QR codes may pose security issues. Do FSB social media trolls really train against US targets by watching House of Cards? Johannes Ullrich from SANS Technology Institute and the ISC Stormcast podcast on scammers taking advantage of disaster. And can the CryptoRuble really compete with WhopperCoin? Investors want to know. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily, and we think you'll find it valuable, too. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Interested in the latest research in cyber security? Our new Research Saturday podcast highlights research being done in industry, universities, and governments. Hear from people who are discovering threats, uncovering vulnerabilities, and devising the security measures to keep cyberspace as safe as it can be. Check it out. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. KRACK attacks get by secure Wi-Fi protocols. Probes and distributed denial-of-service incidents in Poland and Sweden have the look of state operations. East Asian threat actors move on from cyber espionage to supply chain attacks. Iran is blamed for June's hack of UK parliamentary email.
Starting point is 00:02:14 QR codes may pose security issues. Do FSB social media trolls really train against US targets by watching House of Cards? And can the CryptoRuble really compete with the WhopperCoin? Investors want to know. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 16, 2017. Researchers at KU Leuven, a leading Belgian research university, have announced discovery of a
Starting point is 00:02:45 key reinstallation attack vulnerability that affects Wi-Fi connections hitherto believed to be secure. They're calling it a KRACK attack, from key reinstallation attack. It works roughly like this. An attacker within range of the intended victim could get around the four-way handshake used in the WPA2 Wi-Fi protocol by inducing the victim to reinstall a key that's already in use. Success enables the attacker to access information assumed to be securely encrypted. The problem lies in the protocol itself and not in any particular product, which means that there's no easy set of patches or upgrades that will secure users from KRACK.
Starting point is 00:03:24 The researchers say that KRACK is most effective against Android, Linux, and OpenBSD devices. Windows and macOS are also susceptible, albeit at a somewhat lower risk. Mathy Vanhoef, the principal researcher, wrote in his report, quote, this can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it's also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. End quote.
Starting point is 00:04:07 We heard by email from Dr. Steven Murdoch, innovation security architect at Vasco Data Security and principal research fellow at University College London. He explained that in cryptographic protocols, a nonce, that is, a number used once, should never be repeated, but sometimes design flaws in the software implementing a protocol permit this to happen. It's easy to complain that a bad designer made some buggy software,
Starting point is 00:04:30 but Murdoch thinks a problem with nonce reuse is likely to crop up again elsewhere. He said, quote, I think a better approach is to redesign protocols to be more resistant to nonce reuse, which we know how to do, albeit with a slight loss of efficiency, end quote. He added that nonce reuse will be even more serious in next-generation Wi-Fi encryption, GCMP, where it could permit data to be tampered with as opposed to being simply intercepted and read. So, should we be worried? Yes and no. The attacker has to be physically close to the device they want to exploit for a KRACK attack to work. Murdoch calls the vulnerability serious in that if successfully executed, it can compromise sensitive traffic.
Starting point is 00:05:14 But he also thinks that, quote, the more valuable the network, the more likely it is criminals will make the effort to carry out the attack, so businesses are at a higher risk than average home users, end quote. The issue is likely to persist for years in devices that have a long, slow expiration. Android smartphones and Wi-Fi routers will probably be most affected. Frederik Mennes, also of Vasco Data Security, advises that users not only be on the lookout for patches, but also consider using cryptographic protocols at the transport or application layer, like SSH and TLS. They should also consider using virtual private networks.
Starting point is 00:05:54 A variety of probes and nuisance attacks surfaced in Europe late last week. Poland's defense minister says the country successfully parried a Russian cyberattack of unspecified nature and scope. In Sweden, denial-of-service campaigns affected transportation, especially rail transportation, in western regions of the country. There's no attribution of the DDoS attacks against Swedish targets, but Russian operators are widely suspected. British security researchers have concluded that Iran was behind the June 23 brute force attacks on Parliament's email system. Moscow had been the original and usual suspect, but Whitehall has determined it was Tehran.
Starting point is 00:06:35 A number of researchers are warning of an increase in the tempo of cyberattacks against targets in East Asia. These no longer seem to be confined to espionage, but appear to pose a fresh threat to supply chains. A confusing set of Chinese and North Korean actors are named in dispatches. Turning to information operations, the odd-duck Russian television station Dozhd, or Rain, has broadcast an interview with one Maxim, face obscured, who claimed to have worked in the Internet Research Agency's St. Petersburg troll farm, disseminating fact and opinion about the U.S. 2016 presidential elections. The basic message, Maxim said, was, aren't you Americans tired of the Clintons?
Starting point is 00:07:20 But a great deal of the social media trolling was designed to inflame religious, racial, and gender divisions on hot-button cultural topics. Maxim said that the trolls were trained by watching House of Cards, which he thought a pretty good guide to American political culture. Treat this interview with appropriate caution. There are wheels within wheels in information operations, and even an outlier like Rain TV can't be assumed to be outside the reach of the official organs. Apple's iOS 11 is said to have an exploitable backdoor in its associated QR scanner. The problem lies in the nature of QR codes themselves. They're not readable by humans, at least not by any we know, and so it's possible to replace
Starting point is 00:08:03 legitimate QR codes on, say, merchandise with malicious codes. Security firm Cyberint, which has described the issue, intends to release a full study within a few weeks. Pizza Hut was breached. It's less serious than Equifax, but tastier. The transactions affected occurred early this month, so if you've recently used your credit card to buy a large hand-tossed cock-a-doodle bacon pie, well, look to your statements. Security expert Ilia Kolochenko of High-Tech Bridge thinks the scale of this breach is, relatively speaking, insignificant compared to some of the big slips we've seen over the past
Starting point is 00:08:40 month. He said, quote, notification to the victims is indeed a bit protracted, but it can be explained by the difficulty in properly identifying all of the victims affected, end quote. And he thinks we should proceed with caution before we blame Pizza Hut until we know more about what actually happened. It strikes us that a lot of the interest in this breach is driven by the notorious, perhaps stereotypical love of pizza associated with information technology. Pizza is to coders as donuts are to law enforcement professionals. We'll just say this.
Starting point is 00:09:13 Mr. Kolochenko, if you visit Baltimore, we'll buy you a slice and throw in some Old Bay. And to return, in a way, to a story we discussed a couple of months ago, Russia is said to be on the verge of authorizing its first official cryptocurrency. They're going to call it the CryptoRuble, and unlike other cryptocurrencies, it won't be mineable or decentralized, but rather issued and controlled by a central authority. Since these features would seem to be pretty much the whole point of a cryptocurrency, one is reluctantly driven to ask, what the heck? What's in it for the rest of us?
Starting point is 00:09:50 We're not going to presume to give advice to the Kremlin, you understand, but it seems to us that they've already got an indigenous cryptocurrency: the WhopperCoin, which Russian Burger King restaurants began issuing back in August as a reward for sandwich purchases at any of the franchise's convenient Moscow locations. By this time, any number of fast food-fancying oligarchs have doubtless eaten their way to a small and satisfyingly decentralized, if not particularly liquid, fortune.
Starting point is 00:10:45 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:11:42 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:12:39 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Johannes Ullrich.
Starting point is 00:13:16 He's from the SANS Technology Institute. He's also the host of the ISC Stormcast podcast. Johannes, welcome back. You know, with this recent run of hurricanes that we've had, as with any disaster, there are those who look to take advantage of it. What are we seeing in terms of scam sites popping up? Luckily, we don't see as many of them as we have seen in the past. If you remember Katrina, for example, it had a huge number of fake or at least suspicious donation sites. We have only seen a small handful of them so far
Starting point is 00:13:48 with the hurricanes Harvey and Irma. So as these hurricanes approach, we see hundreds of websites being registered with respective domain names. Many of these websites start out just being parked. We have luckily only seen very few that solicit donations. Interestingly, a couple of the ones that I would consider more shady, in the sense that they don't appear to be associated with a legitimate charity, solicit donations
Starting point is 00:14:18 in Bitcoin, which has, I guess, a little bit taken over here from PayPal. The large majority of the websites being registered at this point are also being used by lawyers. So probably somewhat shady law firms here that are trying to solicit clients using this disaster. So are the ones being registered by lawyers, does it seem as though they're legitimate lawyers who are trying to capitalize on the event or are they fake lawyers? That's a little bit hard to tell. At this point, there are only a couple of them that point to actual law firms. They appear to be legitimate law firms. So far, yes, they're actual lawyers.
Starting point is 00:15:06 Some of them don't actually appear to be sort of in the business of necessarily injury or lawsuits like that. So it's a little bit hard to tell what the real end goal is. The big majority of these websites is still parked at this point. So we are monitoring them to see what will eventually show up on these sites. There's also the possibility that these websites are being registered just in case, to resell them later. There are always many ways to make a little bit of money with a disaster like that. So the advice to the user is, I suppose, make sure that you're dealing with a reputable charity and try to avoid a middleman. Yes, you should certainly not donate to a charity that you didn't hear about before the disaster came up. The other little facet that has shown up in particular with Harvey was that there were a number of websites that essentially asked people to register if they needed to be rescued. Now, many of them, I believe,
Starting point is 00:16:05 are legitimate and certainly something that people just set up in order to sort of help each other out. But be careful who you give your personal information to. In disasters like this, it's all too easy to give, for example, a charity or someone that offers help things like a Social Security number, and while it's not always bad or malicious, take care that the information is protected properly. So don't let your guard down just because someone is offering you help. Right. All right. Good advice as always. Johannes Ullrich, thanks for joining us. Thank you.
Starting point is 00:17:19 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
