CyberWire Daily - Natanz pre-emptive sabotage updates. NAME:WRECK DNS vulnerabilities. Tax phishing. ATM cards and advance-fee scams. Ransomware-induced cheese shortage.
Episode Date: April 13, 2021
Updates on the sabotage at Natanz--whether it was cyber or kinetic, Iran has vowed to take its revenge against Israel. NAME:WRECK vulnerabilities affect DNS implementations. Tax season scammers are phishing for credentials. If you liked the investment opportunities those Nigerian princes used to offer, you’re going to love their loaded ATM cards. Ben Yelin looks at data protection and interoperability. Our guest is Jules Martin from Mimecast on the importance of security integration. And in the Netherlands ransomware is inducing a shortage of cheese. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/70
Transcript
Updates on the sabotage at Natanz.
Whether it was cyber or kinetic, Iran has vowed to take its revenge against Israel.
NAME:WRECK vulnerabilities affect DNS implementations.
Tax season scammers are phishing for credentials.
If you like the investment opportunities those Nigerian princes used to offer, you're going to love their loaded ATM cards.
Ben Yelin looks at data protection and interoperability.
Our guest is Jules Martin from Mimecast on the importance of security integration.
And in the Netherlands, ransomware is inducing a shortage of cheese.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 13th, 2021.
The BBC points out that the cause of the explosion at the Natanz power distribution system remains unclear.
Natanz has been the target of both cyber espionage with Stuxnet and physical sabotage, the Homeland Tigers bombing.
Most coverage, like that in Slate, is treating the incident as a probable Israeli cyber attack
and is citing Israeli media reports in support of that conclusion.
The Guardian notes that the incident displays the vulnerability to sabotage of industrial systems
like those in the centrifuge facility at Natanz.
Iran says it intends to retaliate where, when, and how it chooses.
WION quotes a spokesman from the Iranian Foreign Ministry as
saying, Iran's answer will be to take revenge against the Zionist regime at the right time
and place, end quote. Press TV, Iran's English language news service, explains Tehran's policy
more colorfully, quote, Israel awaits Iran's response, terrifying days ahead
for Zionist entity, end quote. The U.S. administration said that it had, of course,
seen reports of the Natanz incident, that the U.S. was not involved in any manner,
had nothing to add to public speculation, and that it expected this week's nuclear talks involving Iran to proceed as planned.
Researchers at Forescout and JSOF today reported their discovery of nine vulnerabilities,
collectively NAME:WRECK, in DNS implementations found in four widely used TCP/IP stacks.
The researchers particularly note NAME:WRECK's effect on FreeBSD and Siemens
Nucleus NET. The researchers offer an explanation of their choice of name for the family of
vulnerabilities. NAME:WRECK, they write, refers to how the parsing of domain names can break
(wreck) DNS implementations in TCP/IP stacks, leading to denial of service or remote code execution.
In total, the four TCP/IP stacks affected are FreeBSD, IPnet, NetX, and Nucleus NET.
The range of attacks possible through exploitation of NAME:WRECK vulnerabilities
runs from garden-variety information theft through sabotage of building control and industrial process control systems.
Researchers say that they want to provide advice on fixing the issues they discovered.
Patching, of course, is the first step.
FreeBSD, Nucleus NET, and NetX have all recently been patched,
and vendors using the software should be providing updates to their customers.
If an organization is patching FreeBSD servers or network appliances, it should identify the
operating system it's running on them, get the versions of the installed packages, and update
the vulnerable systems. But patching isn't always easy, and in some cases, especially with respect to IoT devices, may not even be
realistically possible. Many of those devices aren't centrally managed and are difficult to
access. There may also be problems taking them down temporarily for patching, and some of the
firmware may run unsupported versions of their real-time operating systems. Should patching not
be possible, Forescout and JSOF recommend the following mitigation steps.
Discover and inventory devices running the vulnerable stacks,
enforce segmentation controls and proper network hygiene
to mitigate the risk from vulnerable devices,
monitor progressive patches released by affected device vendors,
and devise a remediation plan for your vulnerable asset inventory
balancing business risk and business continuity requirements.
Configure devices to rely on internal DNS servers as much as possible
and closely monitor external DNS traffic since exploitation requires a malicious DNS server
to reply with malicious packets.
And finally, monitor all network traffic for
malicious packets that try to exploit known vulnerabilities or possible zero-days affecting
DNS, MDNS, and DHCP clients. Anomalous and malformed traffic should be blocked,
or at least alert its presence to network operators.
Forescout and JSOF's executive summary concludes
with a glum warning about DNS as a whole,
quote,
This research is further proof that DNS protocol complexity
leads to several vulnerable implementations
and that the community should act to fix a problem
that we believe is more widespread of what we currently know.
End quote.
Armorblox warns of a tax season W-2 scam, and it includes, as such phishing does, the usual dressings of business communications
like reference numbers, plausible subject lines (home loan is one representative subject),
and data that seems to fall in the ballpark.
The email, and it typically comes from a Hotmail address, so recipients beware,
seeks to induce the sense of hurry and emergency that phishing normally does.
One wrinkle that's unpleasant for the unwary is the use of what Armorblox describes as security themes,
such as helpful, albeit anodyne, notes as a link that says,
learn about messages protected by Office 365.
And in this case, the link actually takes you to a real Microsoft-hosted page
that contains security information.
And finally, the page where you're asked to enter your credentials is hosted on Typeform,
a familiar and legitimate service that unfortunately also lowers the bar for cybercriminals to launch successful phishing attacks.
In fairness, it's not just Typeform that's being misused in this way.
Armorblox says, quote,
We have also observed attacks exploiting Google Firebase, Box, Webflow, and Google Forms in a similar manner, end quote.
So be cautious during tax season, which in the U.S. this year has an extra month to run.
Security firm Avanan notes, with an air of weariness, that the old Nigerian prince scam is still with us and still reeling in plenty of fresh fish. It's not, in the narrowest sense,
a Nigerian prince scam, since classically that scam represents itself as an investment opportunity.
This one still has a Nigerian connection, but it involves a missing ATM card that, hey hey, just happens to have a million bucks or so on it.
Come on, you want to say, and you're right.
But why do these scams continue to circulate?
Because someone, somewhere, bites on them.
And finally, here's a consequence of ransomware that we may not specifically have foreseen.
Cheese shortages.
BleepingComputer reports that Bakker Logistiek,
a Netherlands logistics company that provides air-conditioned storage and transportation services,
has sustained a ransomware attack that's disrupted its operations enough
to induce a shortage of cheese in Dutch supermarkets.
The logistics firm was unable to
process orders from customers, and it was unable to sort through the inventory held in its warehouse
to make deliveries. These processes are all highly automated and therefore are in principle
susceptible to disruption by cyber attack. So has cheese replaced toilet paper as a hard-to-get commodity? Cue the gastrointestinal
jokes and lame puns about Gouda, if you must. But the incident is a warning shot across the
food distribution systems generally considered.
as you find yourself managing multiple platforms and alerting systems from different vendors.
Jules Martin is Vice President of Ecosystems and Alliances at Mimecast,
and he advocates a strategy of security integration using open APIs.
If you look at malware as a service and the increase in that particular type of model,
then you look at the campaign days. Before, we were seeing campaigns
run over a number of months, sometimes six months, 12 months. Then the proliferation of ransomware
and sender impersonation, those types of attack vectors have grown. We've then seen an increase
in the attack volumes, really responding to either geopolitical sort of shifts in the global landscape or things
like the pandemic as well. So the actual speed and delivery of these types of attacks is the
first problem we're all facing now. And has there been a sufficient response to that? Are the
defenders able to keep up? I think it's a challenge for all the defenders
because if you look at the traditional approach to IT security, you've got a mixture in some cases
of still on-premise and they have flexibility and cost associated with running that. You've then got
multiple consoles to manage. And what we've found in this mobile workforce we've all been forced to
adopt is that people are now buying more and more equipment.
And that means there's more to manage
and the efficacy levels drop, meaning people miss threats.
Then if you combine that with the human error
from literally Zoom fatigue and the constant meetings
we're having on Teams and what have you,
people do miss threats both at the management layer
and at the user layer.
Then if you then add into all of that, there's a skill shortage.
It depends who you speak to.
There's about 3 million open heads, I believe,
people looking for skilled cybersecurity experts as well.
So there's a whole number of things all coming together at the same time.
So you advocate integrating some of your security tools,
taking advantage of APIs.
Can you describe for us how does something like that play out?
Right.
So if you look at the traditional challenge, as a business, we've made our name and established
leadership position in the market around email.
And years ago, we've been protecting that email environment.
Traditionally, it was on-premise.
Now it's very much cloud-based.
But if you look at the IT operations that run that messaging platform, they're looking after
messaging, the performance search, the archiving, the backup, the continuity, so on and so forth.
That's the IT operations role. And here at Mimecast, we actually have that team in the UK.
But our SOC, who manages the security operations, so the prevention, the detection, the response and remediation, etc., they're based in the UK, here in the US, and down in Australia as well.
So what we're trying to do is bridge that gap between the legacy security and, I should say, the legacy IT operations and the new SOC that's been formed over the past few years.
So it's bringing those two together.
It isn't just a messaging issue.
This is a business issue.
We need to get these teams talking together.
That's Jules Martin from Mimecast.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
but also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
Interesting publication from the EFF, the Electronic Frontier Foundation,
written by Bennett Cyphers and Corey Doctorow,
and it's titled Privacy Without Monopoly, Data Protection and Interoperability.
This is right up your alley, Ben. What do you make of this?
Yeah, it's a really interesting paper,
and the entire thing is available for free on their website, EFF.org, and I recommend reading it in its entirety.
At a very high level, you have this problem of both corporate concentration, which we've talked about in the antitrust context, where a few companies dominate the entire sphere of the internet, stifle competition
in ways that are harmful to the consumers. And you have this issue of lack of user privacy.
And in the view of EFF, these two problems are interconnected. When you have a few companies
that have such dominant control over certain spheres of the internet, they have less incentive
to protect the privacy of their users. So what EFF is proposing is an entirely new framework to
both encourage competition, revitalize competition in this online space, give users more agency over
their own data, and increase what we call interoperability.
So when I send somebody a message from my iPhone
and they have an Android device,
maybe not all of the features on my iPhone
are going to be compatible to what that user sees
on the Android device.
And so that's a relatively minor interoperability concern.
But if you scale that up, you can see how that would be a big issue,
where certain platforms are not compatible with other platforms.
So EFF has turned this notion into some policy ideas.
The first is to have competitive compatibility,
helpfully shortened to ComCom, which I think is hilarious,
which is a proposal to encourage startups
and other tech companies to interoperate,
and I'm quoting here,
with incumbent services without their permission.
So this would be a way of shutting down the tools
that larger companies use to try and
stifle competition by making their service the only thing that's compatible with some other
service. You have to have a Google device in order to use this particular application.
The second proposal would give companies, or would require companies, rather, to provide a baseline of interoperable access to their services.
So, you know, there'd be some sort of perhaps federal standard
so that you don't have that interoperability problem.
And this is both an issue in terms of data portability,
so that you could access data no matter where that data is transferred
and no matter which companies hold it.
And what they call back-end interoperability,
which would require large companies,
so the Facebooks and Googles of the world,
to, quote, maintain interfaces
that allow their users to interact fluidly
with users on other services.
So this is a way to make the internet
a little more user-friendly.
It would encourage companies or require companies
not to use anti-competitive practices
that shut out their competitors
and make it so that you're required to use their services
if you want the features from particular applications.
And it would do so in a way that would augment
user privacy protection.
So it's a really interesting proposal.
It's not without its concerns,
and one of the sections of the paper,
they go into some of the potential privacy concerns
with their own proposal.
But it's certainly worthy of consideration.
Yeah, it reminds me of back in the day,
those of us who are old enough to remember
the breakup of the big telephone systems
into the baby bells.
And one of the issues there was that
allowing long-distance carriers access
to those local phone lines,
that they had to be able to,
in order to get that call to you,
they had to make use of someone else's infrastructure
and they required that those local phone companies do that.
It seems to me like there might be some parallels here.
Yeah, I think that's exactly right.
I mean, we've done things in all different types of realms
to augment interoperability.
We see this a lot in the emergency management field,
which I'm in, in some of my consulting work, where you have radio systems that were not compatible, that were using different channels.
You know, maybe the police radio system couldn't communicate with the fire department system.
And that creates major problems for the public and the users because it makes these systems inaccessible and it just makes them more difficult to use.
So interoperability is so important.
Having some standardized system
that companies are required to adhere to
really makes the user experience much more fulfilling.
Yeah, it's fascinating.
And it's hard to imagine some of these walled
gardens like Facebook being okay with something like this. So I guess that's where the regulation
part comes in, right? That they wouldn't have a choice. They wouldn't have a choice. I mean,
you kind of shoot for the moon when you come up with a policy paper. Would the current United
States Congress pass something like this? Probably not. But ideas have to start somewhere.
And this is sort of the EFF's, what their dream policy would be to encourage interoperability
and improve competitive practices in the industry.
So it's not like some legislator is going to take this in its entirety and turn it into
a federal statute.
But this is just an idea of how it could be done in the future. Yeah. All right. Well, it's interesting stuff. It's titled Privacy Without Monopoly,
Data Protection and Interoperability. Again, written by Bennett Cyphers and Corey Doctorow
over on the EFF website. Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland out of the startup
studios of DataTribe, where they're
co-building the next generation of cybersecurity
teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.