CyberWire Daily - Motives behind NotPetya, other operations. Verizon customer data exposed. Industry notes. Licensing hackers in Singapore.
Episode Date: July 13, 2017
In today's podcast, we hear about signs that NotPetya was covering up a broad espionage campaign. State-sponsored hacking seems, when not simple spying, to aim at eroding trust. Verizon suffers a major customer data breach said to derive from a vendor's misconfiguration of an Amazon S3 bucket. Industry notes: venture funding and an acquisition. David Dufour from Webroot on homoglyph attacks. Thomas Jones from Bay Dynamics on federal agencies being required to submit a Framework Implementation Action Plan. Singapore will license white hats. And Russia wants you properly signed into adult sites. Or, at least, one of them, anyway.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Signs that NotPetya was covering up a broad espionage campaign are reported.
State-sponsored hacking seems, when not simple spying, to aim at eroding trust. Verizon suffers a major customer data breach said to derive from a vendor's misconfiguration of an Amazon S3 bucket. Industry notes: venture funding and an acquisition. Singapore will license white hats. And Russia wants you properly signed into adult sites, or at least one of them, anyway.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 13, 2017.
Booz Allen has published research that suggests NotPetya may have been in large part misdirection.
The company's Cyber4Sight researchers think they've discovered signs that TeleBots, aka Sandworm, which most believe to be Russia's GRU, used the destructive campaign to
conceal traces of long-running, widespread cyber espionage against a large number of targets.
The evidence they cite, like most such evidence, is circumstantial but suggestive. First, over a one- to two-day period, four VirusTotal users uploaded the compiled VBS backdoors
together with other malicious files, including the TeleBots Telegram-based backdoor,
PowerShell post-exploitation scripts, and Mimikatz.
Second, the uploads, for the most part, were conducted months before NotPetya hit on June 27th.
Third, in several cases, these users also uploaded files associated with the ME-Doc
update utility to VirusTotal. The researchers conclude from this that, quote,
ME-Doc-related processes may have facilitated the installation vector for this software,
end quote. Booz Allen conjectures that the threat
actor's goal was to collect information, and that the fig leaf of ransomware was decently thrown
over the operation to conceal that goal. As usual, further work is needed. As Booz Allen's report
puts it, quote, information from incident response activities demonstrating actual
exfiltration of data would need to be made available to check
the hypothesis, end quote. U.S. Energy Secretary Perry said this week that the threat to power
plants, nuclear and otherwise, is real, and that the government and industry are working to address
it. Recent probes have been ascribed to Russian threat actors. Members of Congress are asking for
a report on the matter.
Influence operations as conducted against elections, phishing of critical infrastructure,
as recently seen in the U.S. power grid, and broad malware campaigns like NotPetya may well be motivated by a common goal. According to Darktrace, if you're looking for a common factor,
consider the apparent common aim of fostering general mistrust of otherwise trusted institutions and practices.
Verizon has sustained a major data breach.
Some 14 million subscriber records are affected, including sensitive credentials.
It appears to be a third-party breach.
The data was exposed on an unprotected Amazon S3 server controlled by NICE Systems, a Verizon vendor.
People who called customer service over the past six months are affected.
This is another S3 issue of the sort that's come to prominence over the past two months.
It can be all too easy to misconfigure your Amazon S3 bucket.
An article in The Observer, linked in today's CyberWire Daily News briefing,
runs through the ways in which such configurations can go wrong.
Most of the mistakes involve setting permissions at the right level.
Security firm Detectify suggests that enterprises get themselves into S3 trouble by using APIs or software to create objects and buckets.
In any case, handle S3 with care.
We received some reaction from Jeff Hill of security company Prevalent,
who finds the episode eerily similar to the Deep Root Analytics data exposure from last month.
It's a pedestrian case, not some exotic hack,
and it illustrates again the value of attention to IT and security basics.
Hill also says it should teach an object lesson in the
importance of monitoring your vendors' security controls. As part of President Trump's recently
signed cybersecurity executive order, all federal agencies are required to submit a framework
implementation action plan, as well as a set of metrics that show how they're protecting their
most valuable information assets from cyberattacks and breaches.
Thomas Jones is a federal systems engineer at Bay Dynamics, and he joins us with an overview of the requirements.
The framework actually comes out of NIST. It's been around for, I guess, about three years now.
And what it does is it actually aligns certain segments of security with certain risk-based metrics. As they go along,
they're trying to move over towards more of a, instead of, you know, secure everything,
patch everything, or criticality-based methodology for approaching cybersecurity incidents,
they're moving to a risk-based approach. How is that going to be implemented in the real world? What kind of effects will that
have on the various agencies who have to implement it?
Well, initially this year, what they had to do by July 14th is they had to actually
turn in their FISMA reports. And the FISMA reports over the last three years
have been realigned to actually fall into the same pattern as the cybersecurity framework.
And what does, I'm sorry, what does FISMA stand for?
The Federal Information Security Modernization Act. So yeah, FISMA has been around for ages,
10, 15 years. Over the last three years, they've been aligning everything with NIST's cyber
framework, which is a risk-based management framework. It ties to two
other NIST documents, 800-36 and 37. The idea is shifting to a, you know, we see a critical patch
on a not very important system. We give it the same level of resources as we would for a system
that happens to house the keys to the kingdom, crown jewels
of the organization. Or under the cybersecurity framework, you identify what systems are in the
environment, how they relate to the valuable assets in your environment, and you supply resources
based on the importance of those systems. Now, it's my understanding that President Trump's
recently signed cybersecurity executive order puts in place some new accountability for people as well.
Yeah, that's actually one of the biggest changes coming out of the OMB mandate.
He's actually spelled out that he wants either the heads of the agencies or a designated high-level individual within the agency to be responsible for producing the metrics and managing the overall implementation of the cybersecurity framework
within the organizations themselves. And so what's been the reaction to these changes within folks
who have to deal with them? At a low level, most of this has been going on for 10 or 15 years.
The rank and file don't see a huge change. What this really affects is a very high level within
the organization where people are actually being held accountable, where it now becomes very
important to actually meet your CAP requirements, and those are cross-agency
priorities that were set back in 2015. So those CAP requirements actually have
percentages you're supposed to achieve in terms of things like how many people
are using PIV cards or two-factor authentication as opposed to username and password.
And now there's some level of accountability there for
the people higher up. Overall, the response has been pretty good.
That's Thomas Jones from Bay Dynamics.
Taking a quick look at our CyberWire event calendar, if you're headed to Black Hat
at the end of the month while you're in Vegas, stop by our event sponsor Deep Instinct and say hello.
You'll find them at booth 873, and there are links for more on the CyberWire's event tracker at thecyberwire.com.
Speaking of Deep Instinct, they feature in today's industry news, having recently raised $32 million.
NVIDIA is reported to be a major investor.
The social media risk management experts, our Baltimore neighbors at ZeroFox,
have also attracted significant funding, $40 million in Series C.
OwnBackup, a software-as-a-service backup firm, has received $7.5 million in Series B.
And Cisco upgrades its own security capabilities
with the acquisition of Observable Networks.
Finally, there are two new licensing initiatives worth noting.
Singapore's comprehensive cybersecurity legislation
contains a provision to put the legal behind the ethical of ethical hacking.
If you're going to work as a white hat, you'll need a license.
Hacking without a license, even for the best of motives, will get you up to two years in the pokey and a fine that could run as high as $36,000.
And in Russia, if you want to surf over to Pornhub, not that you would, you'll henceforth have to log in with a registered social media account.
So if you're asked to sign in with your VKontakte profile, it's not because Prime Minister Medvedev is concerned for your soul,
but rather because he doesn't want you watching a couple of less than flattering and not fully enthusiastic short films about himself
that critics have posted to the well-known adult content site.
Pornhub offered the Russian government internet watchdog Roskomnadzor a free account if they left them alone,
but the authorities are reported to have said spasibo, nyet.
Maybe they got a preferred alternative in broadband out to the dacha.
Who knows?
Joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity
at Webroot. David, welcome back. We wanted to cover homoglyph attacks today. Let's
start from the beginning. What are we talking about here? Describe what's going on.
Sure. Thanks for having me back, David. You know, a homoglyph attack, they've been around a while,
and it's a little bit technical, but they're super interesting from a purely threat perspective.
A homoglyph attack is when someone may register a URL in a non-Western character code like, you know, Korean, Japanese, Chinese, even some German characters.
And when they register that, it's in a Unicode format.
Unicode represents, you know, thousands of characters so that we can type in different languages in our computer.
Well, the older coding format most of your listeners
will know was called ASCII. And so when I register, let's say a Chinese URL in a Unicode format with
a Chinese character, and it gets converted to Punycode or an ASCII format, it's possible that I'm
going to get a popular website like Google or Amazon or some social media site that's going to show up in my browser.
So they figured out how to register some random URL in a foreign language and have it show up in your browser as what appears to be a legitimate site with proper SSL encryption and all of that.
So from the user's point of view, I'm seeing everything that I would expect to, and it appears to be correct?
That is exactly right.
So if you look at it, it's going to look like you're at the proper site.
And where we're seeing this used is in our favorite topic, phishing attacks, where someone's going to send you a link in an email and it's going to say www.thewebsiteiwanttogo2.com
and your friend's going to say, hey, go check this out.
And you're going to click on it and it's going to pop up a URL
that in your browser may look like the proper URL.
So you're going to enter your credentials.
But in fact, because of this type of hack,
you're actually at a site that's trying to phish those credentials from you.
And is there any way to
defend against this? Well, many of the common browsers were susceptible to this. Most of them
have resolved that. So from a browser perspective, you're going to be relatively safe now moving
forward. But like with all phishing attacks, the number one way to prevent this is to type URLs
into that address bar. Don't click on those links that come
in emails. So make sure you're running the latest version of whatever browser you use.
Yes, that's correct. All right, David Dufour, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.