CyberWire Daily - Mirai variant establishes proxies. Buggy smart contracts. Banking glitch. Studies from Verizon, Thales. FTC addresses credential stuffing.

Episode Date: February 23, 2018

In today's podcast we hear, OMG, that Mirai is out in a new and improved form. Researchers find buggy smart contracts on Ethereum. A Chase glitch briefly exposed banking customers' information to other banking customers. Hacktivists continue to hit spyware companies. Verizon's Mobile Index warns that mobile security is being traded for business efficiencies. Thales looks at data security and finds that data breaches seem to have risen with cloud migration. The FTC doesn't like credential stuffing. Emily Wilson from Terbium Labs with an update on Dark Web markets after last year's AlphaBay takedown. Guest is Andrea Little Limbago from Endgame, discussing her blog post, "The March Toward Data Localization."

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Oh my, Mirai's out in a new and improved form. Researchers find buggy smart contracts on Ethereum. A Chase glitch briefly exposed banking customers' information to other banking customers. Hacktivists continue to hit spyware companies.
Starting point is 00:02:11 Verizon's Mobile Index warns that mobile security is being traded for business efficiencies. Thales looks at data security and finds that data breaches seem to have risen with cloud migration. And the FTC doesn't like credential stuffing. I'm Dave Bittner with your CyberWire summary for Friday, February 23, 2018. A new variant of the Mirai Internet of Things botnet has been seen in the wild. Fortinet reports that this version is capable of establishing proxy servers in infected IoT devices. They're calling the strain OMG because its configuration table includes strings that contain OOMGA.
Starting point is 00:02:57 Why is this development significant? We heard from Gabriel Gumbs at StealthBits Technologies, who compared illicit proxy servers to a criminal fence, a dealer in stolen goods. Once they're set up, they can be used for any number of illicit purposes. They could be used to stage denial-of-service attacks, or they could be used to drive disinformation campaigns. The fence will handle whatever goods the hoods want to move. We also heard from Sean Newman of Corero Network Security, who has some related thoughts on what OMG might be capable of. He said, quote, We're used to seeing Mirai variants being used to commandeer IoT devices.
Starting point is 00:03:33 And once the botnet's been assembled, it can run denial-of-service attacks against a particular target. But OMG seems to be nosing out vulnerable IoT devices in an organization, and once it's found them, it puts in the proxy so that device can serve as a gateway into the organization. Once that gateway is established, attackers can exploit it against the victim organization in any number of ways, reconnaissance, data exfiltration, and so on.
Starting point is 00:03:59 Mirai, of course, came to notice when it was used by some gentlemen in New Jersey to take down much of the Internet in the eastern United States in a distributed denial-of-service attack on DNS service provider Dyn. Three young men took guilty pleas this past December in crimes related to the use of Mirai in DDoS attacks against a range of targets. Since 2016, the Mirai code has become widely available, and it's continued to evolve into new forms. Like OMG.
Starting point is 00:04:30 University researchers in Singapore and London have determined that there are a lot of buggy smart contracts on Ethereum. Essentially, they created a private fork of the Ethereum blockchain and ran various permutations with live smart contracts. They found just over 34,000 contracts vulnerable to undesired actions. They were able to verify and reproduce these trace vulnerabilities on some 3,000 smart contracts that hold about $6 million in Ether cryptocurrency. It would be difficult for criminals to do likewise and steal the money, but the researchers note that it wouldn't be impossible. As one of the researchers noted to Motherboard, the whole business is mucky. University College London's Ilya Sergey said, quote,
Starting point is 00:05:15 We're dealing with applications that have two very unpleasant traits. They manage your money and they cannot be amended, end quote. A glitch in Chase Bank's customer-facing systems is said to have presented some customers with other customers' data. The glitch persisted for about two and a half hours Wednesday evening, but appears to have been corrected. Chase stresses that the incident was not a cyber attack. Some observers speculate, to Krebs on Security,
Starting point is 00:05:42 that there may have been caching issues at the root of the problem. Motherboard reports hacktivist break-ins at two surveillance software companies, Mobistealth and Spymaster Pro. Hacktivists had earlier hit FlexiSpy and Retina-X, so this particular subsector is receiving unwelcome attention. The report characterizes the two outfits as spyware companies, selling privacy-invading stalkerware to private citizens who use it to keep tabs on children, spouses, and other persons of interest. Motherboard also sourly observes that a number of the customer accounts revealed in the data breaches are linked to email addresses
Starting point is 00:06:21 from various U.S. federal agencies. DHS, TSA, ICE, FBI, and various military services, especially the U.S. Army. Several reports are out on the state of security. Verizon's Mobile Index for 2018 concludes that many companies are willing to sacrifice some mobile security for business reasons. The 2018 Data Security Report from Thales notes that increased government migration to cloud services has been accompanied by a 20% jump in data breaches. These are perhaps connected, maybe coincidental.
Starting point is 00:06:56 You'll find links to both reports in today's CyberWire Daily Briefing. They're worth a look. And finally, the Federal Trade Commission in the U.S. seems to be moving toward adding some regulatory risk to the reputational risk credential stuffing already poses. The FTC has obtained a consent decree from online tax prep service TaxSlayer on the grounds that TaxSlayer didn't do enough to protect its customers from themselves. Credential stuffing essentially involves a hacker trying credentials exposed in one breach against a variety of other sites. Since people unfortunately tend to reuse
Starting point is 00:07:31 their passwords, criminals get hits often enough to make this worth their while. Isn't that the user's fault, you'll ask, since after all, TaxSlayer didn't expose anyone's passwords? Well, the FTC says no. The business should have done more, like requiring multi-factor authentication, requiring strong passwords, and alerting customers promptly whenever a password, address, or security question changed. Those businesses interested in how standards of care
Starting point is 00:07:58 are shaping up under the FTC's regulatory lash would do well to consult TaxSlayer's experience.
Starting point is 00:10:46 And I'm joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You know, it's been about six months or so since AlphaBay was taken down, the primary dark web marketplace. So bring us up to date. Where do things stand? Have things come in to replace that vacuum there? Not quite. It's been an interesting six months on the dark web. AlphaBay taken down, Hansa taken down. This fall, we saw a lot of instability around these prolonged DDoS attacks that went on for several weeks. We lost a couple more markets in the mix.
Starting point is 00:11:35 We saw a couple of smaller markets come up to prominence. It's been interesting. So the brief recap, obviously, AlphaBay and Hansa taken down in June and July by international law enforcement. And then this fall, the remaining markets, which had been scrambling a bit, kind of power not really consolidating with any one of them, no one of them really coming up to take AlphaBay's place. The markets were attacked consistently and unavailable except for through mirror links for probably about six weeks. And in that we saw one market kind of quietly close its doors, you know, thank its customers and, you know, pay out any lost funds. And one market that went down in not at all a respectable blaze of glory. And so now we have a handful of markets,
Starting point is 00:12:25 not as many as we did before. We have a couple of older markets that are still stable. We have some newer ones that are coming up. We have some alternative markets, different cryptocurrencies that are being moved around. Really, we haven't seen anything come in to fill that vacuum. We've just seen a little bit more skittishness and people adapting
Starting point is 00:12:45 to increased uncertainty, which really is what the dark web is all about. Yeah, that's what I was going to ask you next is the sort of tone, the feeling. Is there a sense that the people are looking over their shoulders more than they did since we've had these high-profile takedowns? I think people definitely were in the kind of first wave of the fallout after AlphaBay. I think people were with the initial uncertainty with the markets kind of going down this fall. But in general, I think people are adapting, which is what you would expect in this community. People are adapting to having to use alternative links, to following vendors around different markets. I think we're just seeing more loyalty to vendors. I think we're seeing people take a little bit more responsibility for their own security. But
Starting point is 00:13:36 by and large, I think the immediate fear and FUD has kind of died down. And you say you've seen some interesting trends in some of the fraud markets, some shifts there. Yeah. So the fraud markets in a lot of ways operate separately as a separate ecosystem from some of the drug-focused markets. We've seen some markets there go up and go down, as markets tend to do. But also some of the markets are going to more restricted access or pay to play. And that's just interesting. I think people are kind of trying to protect their membership a little bit more, whether it's, you know, you need to pay to access, you need to get a referral code. I think the community as a
Starting point is 00:14:15 whole is just becoming slightly more skeptical. All right. Thanks for the update. Emily Wilson, thanks for joining us.
Starting point is 00:15:15 My guest today is Andrea Little Limbago, Chief Social Scientist at Endgame. In her recent blog post on the Endgame website titled, The March Toward Data Localization, she outlines the lag between law and policy and technology, and how nation states are taking different approaches to data security and sovereignty. So it's one of those things that I think isn't discussed as much in our community. Obviously, it's not as sexy as the latest hack or high profile cyber attack that's going on. But basically, as we've seen, a lot of policy and legal frameworks have lagged behind technology across the board in general. But I think it's especially true in information security where a lot of laws, especially in the U.S., are 20, 30 years old and we just kind of keep piecemeal building on top of them. But the interesting thing is that that's actually starting to change.
Starting point is 00:15:58 And so after, I'd argue, a couple of decades of slumber, the policy and legal frameworks are starting to wake up a bit. And I think it's going to really impact cybersecurity for companies and for individual privacy. There's been so much talk about the GDPR, which is a general data protection regulation that's coming into effect in the European Union in May. And so it's one of the first international regulations that's really had some businesses concerned with how, you know, whether they actually adhere to that or not, what needs to be done to comply, those kind of things. And so when these kind of regulations actually start hitting businesses in the U.S., that's when there starts to be more discussion and buzz about it. And so that's sort of what got me looking into it a bit more. And then looking at, you know, the EU isn't the only one, though.
Starting point is 00:16:52 And that's one of the things that, for me, I tend to study more so the other countries out there than the EU as much. And so what the GDPR is, is just one example of this data localization, which is basically country-specific data laws for how data is processed or stored within a given territory. And they vary dramatically. So we're starting to see this large patchwork of data localization laws across the globe. And I just feel like it's something that hasn't been as, you know, it's been making the rounds, obviously, in more of the legal circles, but I don't feel like it has as much information in cybersecurity. And so I want to elevate that discussion and bring it into our community,
Starting point is 00:17:22 because it will have a big impact. And then hopefully as well, get more folks in our community with a technical background to provide some insights on how to shape it so we don't turn out with some of these laws we've had in the past that are counterproductive to our own defenses. One of the points you make in this blog post is that there are two major frameworks that are gaining traction. You describe the multi-stakeholder model and cyber sovereignty. Can you describe those for us? Yes, it's one of those things where I think that we're at an inflection point in the,
Starting point is 00:17:49 you're looking globally at how the international system is starting to shape itself. You know, if you think about the Cold War, just to sort of frame it as far as some people know more about, you know, you obviously had the Soviet bloc and you sort of the Western bloc, and that's with different ideologies and ways of looking at their economy, how free flow of information, those kind of things. We're sort of seeing similar ideological divides starting to emerge, not adhering to those same tenets, but it's sort of that bipolarity starting to emerge as well.
Starting point is 00:18:17 And so the multi-stakeholder model is one that tends to be more so among European, democratic countries, U.S., Australia, Japan, and so forth, that are advocating for more of a free, secure, open Internet, sort of the foundations for how the Internet was actually, how it was founded and emerged, sort of more of the utopian on how the free flow of information can help promote societies,
Starting point is 00:18:40 help economic development, help governance, provide access to all sorts of information where people previously didn't have that. So that's sort of on the one hand. And then within that is a big emphasis on individual freedoms and individual security and privacy. And so one thing I will say, these are sort of the overarching umbrellas. And obviously each country kind of adheres to these in different ways. So it's not just black and white, but these are sort of the two big buckets. And then the other one would be cyber sovereignty.
Starting point is 00:19:04 And on the surface, ostensibly, it sounds really great. Each country should have control over data within their own borders. So it sounds very similar to the notion of sovereignty where governments have control of the laws and the legal frameworks, monopoly on the use of force, those kind of things within their own borders. And so perhaps it's just elevating that to the cyber realm. But it's really not there. It's under the umbrella of that. But really what a lot of it is, is countries using this notion of cyber sovereignty for greater control of data.
Starting point is 00:19:34 So accessing data for individuals within the country, it helps justify various forms of censorship and what does and does not make it onto the Internet. So really, if you want to think about it, it's government control of the data. So it really is much more so limiting of personal privacy and more so empowering governments to have control and access to whatever data they want within a country. And that'd be more indicative of like China, Russia, but a lot of other ones as well are starting to introduce similar laws. And so having those two different frameworks, what are the natural tensions that are introduced between them? Yeah, I mean, that's really interesting. So on the one hand, because it's
Starting point is 00:20:11 been somewhat evolving slowly, and it's really starting to manifest itself quite a bit over the last few years, the tensions are starting to emerge. And one of the places where you see it a lot, not unsurprising, is at the United Nations. So as the United Nations was trying to set forth what some global norms would be for cybersecurity, so what are the appropriate rules of the road that countries should adhere to? So what may or may not be off limits for an attack? What may or may not be off limits for accessing data, those kind of things. And so for the UN, who has historically been there just to help establish international guidelines for country behavior, and trying to establish those kind of guidelines at the international level for cyber is really, really difficult because for the past five or six years,
Starting point is 00:20:52 the United Nations has a group of governmental experts that's been trying to pull together these various rules of the road and the guidelines. And just last year, it completely fell apart. And my understanding from people who have been within some of the discussions is that it was this tension between the view of the world from China, Russia, and some of those kind of countries, those perspectives, in contrast to what European Union, United States, and democratic countries were trying to push for, for what the norm should be. And so we saw those discussions just completely fell
Starting point is 00:21:26 apart last year, and so right now it remains an area of just, you know, the internet remains largely an anarchic system where there is no supernational control, and so every country is going to be doing their own thing, which basically means that so far countries vary
Starting point is 00:21:41 dramatically on what is off-limits for targets, what's the right behavior, what kind of cooperation is okay. All those things across the board are just up to every country's whims and up to their own incentives. So that's probably one of the biggest areas. But then you also see it a lot as far as bilateral relations between countries. You're starting to see more and more bilateral cyber agreements going on. And you see them a lot generally within each of these different areas. You see the democracies starting to do their own bilateral agreements in cybersecurity and
Starting point is 00:22:07 then the authoritarian regimes. And you do see a little bit, the US and China did do an agreement along the lines in 2015 of what would be off limits to ban cyber espionage for commercial purposes. But again, because there's no teeth onto it, there's no repercussions for failing to adhere to that. It really hasn't had the teeth to actually provide any changes, long-term changes in behavior. That's Andrea Little Limbago from Endgame. You can read her full report, The March Toward Data Localization, on the Endgame website.
Starting point is 00:22:40 It's in the blog section. We've got an extended version of this interview on our Patreon site at patreon.com slash thecyberwire. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:23:29 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
