CyberWire Daily - Laptop restrictions are for physical, not cyber reasons. Necurs is back, pumping and dumping. MajikPOS notes.

Episode Date: March 22, 2017

In today's podcast, we hear that laptop flight restrictions spread as security services continue to grapple with ISIS inspiration operations. The Necurs botnet returns, but now it's swapped pump-and-dump scams with penny stocks for its usual ransomware payloads. MajikPOS is active in the North American wild. Joe Carrigan from the Johns Hopkins University Information Security Institute reviews lessons learned from the Cloudbleed event. Philip Susmann describes Norwich University's DECIDE cyber simulation platform. And the Bangladesh Bank hack looks like it may have been a North Korean job.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Laptop flight restrictions spread as security services continue to grapple with ISIS inspiration operations. The Necurs botnet returns, but now it's swapped pump-and-dump scams with penny stocks for its usual ransomware payloads. MajikPOS is active in the North American wild,
Starting point is 00:02:13 and the Bangladesh bank hack looks like it may have been a North Korean job. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 22, 2017. Yesterday's news of U.S. restrictions on carry-on electronics in flights originating from a specified number of Middle Eastern airports is echoed today with similar news from the U.K. The prohibitions bar large devices like laptops, generally things larger than mobile phones, from being brought into the passenger cabin. They must go as checked baggage. The U.K.'s ban affects airports in Tunisia, Turkey, Lebanon, Saudi Arabia, and Egypt. The U.K. referenced only evolving terrorist threats. The U.S. cited intelligence indicating jihadist plans to
Starting point is 00:03:05 conceal explosives and electronic devices. Again, both countries' restrictions affect only flights originating in a relatively small number of Middle Eastern airports. French police make arrests in connection with the weekend attack at Orly Airport. Police, researchers, policymakers grappling with the threat from ISIS continue to look for ways of countering the effects of online inspiration on lone wolves. An op-ed in The Hill argues that the civilized world is losing the cyber war to ISIS. The editorialists mean ISIS information operations continue to succeed. And that to win, the civilized world needs to emulate some of ISIS's more successful tactics. And before they do that, the civilized world's information operators need to buck up on their language skills
Starting point is 00:03:51 and learn something about the appeal ISIS makes in the name of Islam. Turning to the conventional criminal threat, researchers have observed that spam surged this week after a global drop-off dating to mid-December of 2016. The December-to-March hiatus occurred when the Necurs botnet ceased activity, apparently at its master's command. Its sudden return seems due to a pump-and-dump penny stock campaign. Naked Security says the attempted manipulation involves Incapta Inc., a pink-sheet-listed media company, but the scam seems to be a
Starting point is 00:04:26 third-party caper. The typical features of pump-and-dump spam are all there. The scammers tout penny stock trading over-the-counter, and in an email sent to thousands, they warn you that this tip is a big secret. Don't tell anyone. Fraud experts say, don't bite. Necurs had formerly been used mainly to distribute ransomware. This reappearance of the criminal botnet with a new purpose doesn't mean that ransomware is yesterday's news.
Starting point is 00:04:53 The SANS Internet Storm Center continues to track the new Cerber infestations daily, and researchers note that both Cerber and the fading Locky ransomware variants are growing harder to detect. Norwich University is a private military college located in Vermont, and it's the oldest private military college in the United States, having been established in 1819. They're home to the Norwich University Applied Research Institute, funded in part by DHS and DOD. One of their specialties is cyber wargaming and simulation using a platform they've developed called DECIDE-FS. Philip Susmann is president of the Norwich University Applied Research Institute.
Starting point is 00:05:35 So the DECIDE platform, it's a distributed environment for critical infrastructure decision-making exercises. So the first D in DECIDE is distributed. And when we run an exercise, we have participants in that particular exercise from four continents that played simultaneously in the event. So you as an organization can play as you fight. And it allows you to have one large bank, let's say, or a brokerage firm or exchange, and be able to distribute themselves across multiple organizations, because that's exactly how they're organized. If something takes place in the marketplace today and you have to respond, your IT folks may be in one state, your public relations folks in a different headquarters, or the main office where the leadership is is someplace else.
Starting point is 00:06:30 And so the capability of the tool set is to allow you as an organization to play in different ways. It's a virtual tool set. It's served from the cloud. And it's not focused as much on the bits and bytes. What am I seeing on the wire? It's focused on what are the impacts for my business and based upon the impacts of my business and the indicators that you would expect within your particular role. And that's the critical piece of what we're doing here. We're putting in front of the leadership a set of challenges that would be reflective of what you would
Starting point is 00:07:06 see within a cyber event. There's going to be some messaging that takes place. There's going to be some indicators and warnings that take place. We attempt to create decision tension within the individual participants of the exercise and get them to exercise their internal communications, their incident response plan, and get to that decision tension that allows both the organization, everyone in the organization, to know what they're going to do when they face a cyber event, but also to be introspective of whether or not the way that they're organized, not only from a cyber perspective, but from a business model
Starting point is 00:07:43 perspective, is in the best interest of their risk posture. That's Philip Susmann from Norwich University. In the U.S., online tax fraud is in full swing. The IRS and the Department of Education have suspended the Online Federal Student Aid Tool, that's the FSA, because the IRS system on which it depends, the data retrieval tool, may be exploitable to gain information useful in identity theft. The data retrieval tool has itself been suspended as well. MajikPOS, a new strain of point-of-sale malware, has been observed circulating in North America. We've heard from several experts who commented on the threat.
Starting point is 00:08:30 Brian Lang of Lastline offers some encouragement. While more advanced than some of its precursors, MajikPOS is detectable by monitoring network traffic for anomalous behavior. He also cautions, quote, each time there's a breach like this where public samples are available, companies need to verify that their advanced malware protection is capable of detecting. Robert Capps from NuData Security reminds us that stolen credentials are the black market's preferred currency. MajikPOS is after valid consumer data that can be used in future crimes. U.S. Armed Services are looking for ways of punishing bad online behavior. Whatever they come up with will no doubt fall under Article 134 of the Uniform Code of Military Justice. And the NSA has offered its conclusions about the Bangladesh bank heist of February 2016. As many others have speculated, NSA thinks that signs point to North Korea.
Starting point is 00:09:22 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:10:01 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
Starting point is 00:10:34 access reviews, and reporting Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel,
Starting point is 00:11:22 Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can
Starting point is 00:12:07 keep your company safe and compliant. Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. Not too long ago, Cloudflare had what we in the biz call a very bad day. I wanted to swing back around and discuss that with you. There's some interesting lessons here to be learned from what happened to Cloudflare. They're a web hosting company, and they're a big one. They handle about 10% of the internet's web traffic. And recently, they had a bug in their code that allowed information to be leaked. It was found by a researcher at Google. Yeah, they're calling it Cloudbleed because it is reminiscent of the Heartbleed vulnerability from a couple of years ago.
Starting point is 00:12:54 The problem is a Boolean operator in the code. Somebody used a greater than or equals to as opposed to an equals to, and that allowed more information to come out. I'm not sure of all the technical details, but it certainly seems like something very similar to Heartbleed, where you could ask for more characters than you said you wanted and it would just dump memory back to you in the response. Yeah, it says it's a memory leak. Right, exactly. And, you know, these Boolean operators in code, you can be reviewing the code and look at it and say, this should work just fine, because you're not considering the edge case where somebody is asking for more information than they should be asking for, and the program will give it to them.
Starting point is 00:13:36 In fact, these Boolean operator errors, there was a, back in, I think, 2005, there was a backdoor found in the Linux kernel that was from a very similar operator. But the problem is that in C, the Boolean operator for equals is two equal signs, but the assignment operator is just one equal sign. So if you're just reading it casually, you might not notice that that's an assignment operator, not a Boolean operator. And I'm quite sure the same thing happened here. If you're looking at greater than or equals to versus equals to, which is, again, two equal signs, you could just gloss over that and not even see that it's an error. And so it'll make it through testing. And certainly this system has been deployed for a while
Starting point is 00:14:17 before anyone noticed there was a problem. Yep, exactly. It'll make it through testing and code reviews just fine. So they're saying that one out of every 3.3 million requests through Cloudflare potentially resulted in a memory leakage. Correct. That sounds like an uncommon thing, but when you're talking about a provider as large as Cloudflare, it adds up. But that's 3.3 million requests. Requests.
Starting point is 00:14:40 And how many HTTP requests are on the internet every day, and what's 10% of that number? I bet that's a big number. Yeah. It does add up. So it's interesting. I mean, the other thing you and I talk about a lot are passwords. Right.
Starting point is 00:14:54 And they're saying change your passwords. Yeah. This is the host for companies like Uber and OkCupid and some other big names. Yeah. I'm not sure that I would be – I wouldn't be in a panic telling people to go out and change their passwords, but you certainly cannot hurt yourself right now by changing your password. You can never hurt yourself by changing a password. If you follow my frequent advice of using a password manager, it's very easy to do. Right.
Starting point is 00:15:21 Get yourself on whatever schedule to change those passwords. And then when you have an event like this, just go out and make sure you can change your passwords again. All right. Joe Carrigan, thanks for joining us. My pleasure, Dave. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:16:07 Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Hello, dearest listener. In the thick of the winter season, you may be in need of some joie de vivre. Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury. Yes, you heard correctly: budget and luxury all in one place. So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing. Oh, and, uh, yeah, book by February 16th with your local travel advisor or at
Starting point is 00:16:46 And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. Thank you. guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
