CyberWire Daily - Macro-less malware. Metacriminals and botnet herders. Hacking ships and airliners. Cryptocurrency glitch. Congratulations to the SINET 16.
Episode Date: November 9, 2017
In today's podcast, we hear that there's no honor among thieves, or botnet herders, either. Reaper still seems quiet. Macro-less malware is a problem, Microsoft warns. Researchers show you can hack an... airliner's avionics. The maritime shipping sector worries that Maersk's experience with NotPetya isn't just a one-off. Ether—the cryptocurrency—is disappearing into the aether (at least this once). Justin Harvey from Accenture on the importance of not failing the basics. Guest is David Barzilai from Karamba Security on the security of embedded systems in automated cars. And we congratulate this year's SINET 16.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
There's no honor among thieves or botnet herders either.
Reaper still seems quiet.
Macroless malware is a problem, according to Microsoft.
Researchers show you can hack an airliner's avionics.
The maritime shipping sector worries that Maersk's experience with NotPetya isn't just a one-off.
Ether, the cryptocurrency, is disappearing into the aether.
And we congratulate this year's SINET 16.
I'm Dave Bittner with your CyberWire summary for Thursday, November 9th, 2017.
There's no honor among thieves, and unfortunately sometimes that's a bad thing for the rest of us. According to a report in Bleeping Computer, researchers at New Sky Security discovered one hacker who realized that the hype and fear surrounding the Reaper botnet, call them script kiddies or wannabes or skids or whatever other leet-speak terms of contempt you'd care to apply, to look for ways of ringing the bell on the Reaper gravy train. So the criminal who saw opportunity here, perhaps we can call him a metacriminal, wrote some PHP script designed to attract skids who wanted to scan for IoT devices vulnerable to being roped into a Reaper-like botnet. That script, however, was backdoored. It would indeed scan for you, but it was also backdoored, so that any hood who used it would get his version of Reaper, but that little Reaper would in turn be roped into the metacriminal's own big chitin botnet. So not good news for the skids, but also not good news for the rest of us who might be irritated by a big botnet.
The Reaper botnet, by the way, is still keeping itself quiet, apparently. Not many signs of activity, but it's still out there.
We've heard, and it bears repeating, that Microsoft has warned of macro-less malware, malware that exploits a recently discovered vulnerability in the company's Dynamic Data Exchange, DDE, protocol. The approach is troubling because even if users take the precaution of not enabling macros, exploitation of DDE can still affect them through Word documents, Excel spreadsheets, or Outlook files. And of course, one threat actor using this attack vector in the wild is Russia's GRU, military intelligence service, which you'll know as our old acquaintance, Fancy Bear.
Concerns about the vulnerability of transportation modalities to hackers continue to rise. A team of researchers drawn from industry, universities, and the U.S. government has demonstrated the possibility, in a non-laboratory environment, as they say, of hacking a Boeing 757 airliner. The demonstration is troubling because the hack didn't require physical access to the aircraft. The researchers were able to establish remote presence in non-cooperating systems. And the systems they got into weren't just in-flight entertainment stuff, but the avionics, the electronic systems that control the aircraft.
There are also concerns at sea. These aren't based on a demonstration, but rather on experience in the wild. Many in the maritime shipping sector now believe that shipping giant Maersk's experience with NotPetya pseudo-ransomware demonstrates that merchant vessels are clearly vulnerable to cyber attack, and that the industry needs to up its cybersecurity game.
One series of mishaps at sea, the collisions the U.S. Navy has been involved with in the
Western Pacific over the course of the past year, has proven not to be cyber-related.
Many observers, and not a few admirals, thought there were too many collisions for coincidence,
and the Navy initially entertained fears that its ships had been hacked,
but investigation hasn't borne this out.
The U.S. Navy has reached the painful conclusion that the accidents weren't induced by cyber-attacks,
but rather by an erosion of seamanship.
Not every problem is a cyber problem.
We're down in Washington today for the annual SINET Showcase. The SINET 16 are being recognized today. We'll have a full report on our website after the conference's conclusion. In the meantime, you can follow conference-related tweets with the hashtag SINETDC. And our congratulations to this year's SINET 16, innovative companies who've won recognition for new solutions and new approaches to those challenges and trends. They are, in reverse alphabetical order, Virtru, Versive, Verodin, vArmour, Twistlock, ThreatQuotient, ProtectWise, Prevoty, Phantom, PatternEx, Menlo Security, iProov, InfoSec Global, Haystax Technology, Fireglass, and Centripetal Networks. Well done all.
Accidental code deletion has rendered a lot of Ether digital currency, about 214 million pounds, inaccessible. Perhaps frozen. Perhaps gone. So watch out. You don't want your ether to disappear into the aether.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, great to have you back. We want to sort of take stock today. And I wonder, are we gaining on the problem here? It seems like we're spending billions of dollars every year on cybersecurity, and I don't really get the sense that we're gaining on the problem.
Yeah, no one likes taking vitamins or working out. At least I don't. I think that what we're encountering here, and I'm seeing a really big growing trend of companies that are failing the basics. And what I mean by failing the basics here is to do the stuff that no one really likes to do. It's the grunt work. It's the knowing where your sensitive data is in your HVAs, your high value assets. It is. And I got to tell you, Dave, just that that sentence alone, knowing what your assets are for the multi-billion dollar companies is nearly a whole team's responsibility, is making sure that they understand the digital assets within the organization. And then on top of that, even if you did know where all of your data, your sensitive data lives and where it's traversing and ensuring that it's being securely communicated, then you've got to know what applications and what versions all of those are on. And then, of course, on top of that, you've got to be able to synthesize and curate and monitor the open source. So when Microsoft releases a new patch or Oracle releases a new patch for a web server, you've got to be able to know that that's been released. You've got to know if it affects you and then what the net effect of that is within the business. Because, as you know, security does not own the operational responsibility for applications and operating systems, typically. These are the basics that companies are struggling with. I think that some of the companies today and organizations that are doing security are getting a little bit, they're losing focus because they see these new savior technologies like AI and machine learning and the ability to automate a lot of things. But if you're not doing the basics, if you're not, if you don't know where your sensitive data is and where it's traversing and/or your assets and the ability to keep them patched and monitored, then how can you move toward automating that?
Is this a matter of properly setting priorities?
Yeah, I think that one of the patterns that I see a lot is the board gives the C-suite the funding. And then, of course, the C-suite is comprised of the CEO, CFO, chief risk officer, and then the CIO, the chief information officer. And I've seen a pattern develop where if the CISO reports in to the CIO and there's not a really good partnership there, the CIO's job is to foster innovation, to manage the information flow within a corporation, and to, in many times, reduce expenses or reduce the overhead. And security is seen as one of those cost pockets, if you will, or cost sinks that the CIO, he or she could say, well, I'm trying to fund security, but it's never ending. They always need more money and I'm not really reducing my expenses. I think that one of the ways that we've been successful at Accenture is working with the board and working to get them to understand the risks and the threats on a macro level and to understand that security, cyber defense security, information security, not only should be taken seriously, but it can have a direct effect to the bottom line, to the customers, etc. And once you get the board bought into this model, they are then able to then task the C-suite and it cascades down even to the lower levels around compliance, budgeting, and at least having a much better understanding of the risks associated with not properly funding the security team.
Justin Harvey, thanks for joining us.
My guest today is David Barzilai.
He's the executive chairman at Karamba Security,
a company that provides endpoint security for connected cars.
I began our conversation by asking him about the mixed blessing of cars becoming, more and more,
networks of small computers connected to the Internet.
So, first of all, the benefit is fantastic.
For us as consumers, it means that cars are far more convenient being connected. We can browse the web.
We can download.
We can make phone calls from the car and so on and so forth.
When cars are self-driven, then it makes it even better because we are less exposed to safety risks when we do not see someone crossing in front of us.
The car will stop by itself.
But the problem is that we have this kind of like a consistent pattern that when systems become connected, they also become target for hackers.
Give me an idea what's going on underneath the hood in cars. Are there standard operating systems independent of the brand of cars or is there a variety similar to how there are various desktop operating systems? How do car manufacturers choose what's going to be running underneath the hood?
That's an excellent question. So first of all, cars are somewhat complex. They are complex by virtue that what we have is we have several, it's called ECUs, meaning electronic control units. These are small embedded systems that each one of them, each one of these ECUs is responsible for different functionality of the car. So when we steer the steering wheel, in essence, we make the ECU of the steering wheel turn the wheels to the right or to the left. Same goes with the windshield wipers. Same goes with the infotainment, the airbags, telematics, meaning the GPS, and anything like that. So what do we have? We have in each car a network of about 100 ECUs, 100 of those embedded systems. Each one of them is responsible for a different functionality of the car, and they're all connected. That means if I hack into one of those ECUs, in essence, I have access to all others. Those small controllers run either, it's called real-time operating systems, schedulers, those that are more heavy, those that run the infotainment system, which is the entertainment, the radio, if you may, the GPS, the gateway of the car. So they run operating systems that they're very familiar with. They run Linux. They run QNX. So what you see is a network of about 100 controllers. Each one of them is responsible for a different functionality of the car. They are all connected, and each one of them is running an operating system or a scheduler. That means that when we look at the car as the target for cyber hack, then the idea is that some of those 100 ECUs are externally connected. They have connectivity. And not too many of them, by the way. It's about four to five. But the point is that those externally connected controllers, once compromised, hackers could use the network connectivity from these gates to the car and get into the safety systems of the car. This is how, with quite a famous example, the infotainment system was hacked and then the car went overly crazy. The windshield wipers started to go on and off. The radio volume went out of control. And then eventually the car was halted in the middle of the highway.
Help me understand here, because in this case, I mean, this was a vehicle that was being sold. It was on the streets and I mean, surely the vehicle manufacturer would have taken that vehicle through various safety tests and would have, you know, had the software tested to make sure that these sorts of things couldn't happen. When they shipped this vehicle, they thought that this was a safe vehicle. It turned out to not be the case.
You're right. They had a very good reason to assume it's a safe vehicle because every car goes through rigorous quality assurance tests, including safety tests, and now also cybersecurity tests. The problem is what hackers are doing is to exploit security bugs. So the bottom line is that unfortunately, there are always bugs, always some of those security vulnerabilities escape us, they're hidden, they cannot be uncovered with even the most rigorous quality assurance test. And this is what hackers are looking for. The good thing is that car manufacturers are gearing up to the risk and to addressing it. So the idea is that almost every, actually all car companies, at least those that we are aware of, all of them have integrated in-house security teams. Secondly, they also do what's called pen testing, which is penetration testing for the car. So they try to raise the bar. In addition, we also have the government. So we have NHTSA, the National Highway Traffic and Safety Administration. NHTSA published about a year ago, something like that, some guidelines of what should be done. But you're right that cybersecurity is not part, currently, it's not part of the five-star safety system or the safety ranking. One of the reasons for that is that cybersecurity risks have just started. That's the first reason. Second reason is that unlike consumer products, meaning laptops or mobile phones, where we as consumers bear the liability for protecting our own devices, here vendors, that's a good thing, vendors, the providers see themselves as liable. So they're putting money, they're trying to embed cybersecurity software and hardware into the new generation of cars. And they also, with the intent to make it seamless for us as consumers.
That's David Barzilai. He's from Karamba Security. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.