CyberWire Daily - NIST SP 800-53 updated. Attack on Scotland Parliament's email system. Consequences of Equation Group leaks. "Mr. Smith" and HBO. Attacks of note: Trickbot, OLE exploits, NetSarang backdoor. Extremist inspiration. BEC.

Episode Date: August 16, 2017

In today's podcast, we hear about a new draft of NIST SP 800-53. There's been an attempt to brute-force email credentials in Scotland's Parliament. Fancy Bear's romp through high-end hotel Wi-Fi suggests the Equation Group leaks will be with us for some time. "Mr. Smith" remains at large, and still wants to be paid. Trickbot uses unusually convincing counterfeit sites. PowerPoint malware vectors may be part of a criminal test. NetSarang urges swift patching of a backdoor in its software. Extremist inspiration persists. Ben Yelin from UMD CHHS on privacy concerns with robot vacuum cleaners. Guest is Jeff Pederson from Kroll Ontrack, a data recovery firm, with tips on data recovery. And some guy in Nigeria with more moxie than skills is behind a big business email compromise campaign. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. Domain Tools leverages both human and machine intelligence to expose malicious infrastructure. Learn more in their white paper.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A new draft of NIST Special Publication 800-53 is out. Brute force is used against Scotland's Parliament. Its email accounts, we mean. This isn't Braveheart. Fancy Bear's romp through high-end hotel Wi-Fi
Starting point is 00:02:09 suggests the Equation Group leaks will be with us for some time. Mr. Smith remains at large and still wants to be paid. Trickbot uses unusually convincing counterfeit sites. PowerPoint malware vectors may be part of a criminal test. NetSarang urges swift patching of a backdoor in its software, extremist inspiration persists, and some guy in Nigeria with more moxie than skills is behind a big business email compromise campaign.
Starting point is 00:02:40 I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 16, 2017. First, some quick news on standards. NIST has issued a new draft of its influential and widely used Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. The latest version is noteworthy for the way in which it seeks to incorporate privacy protection throughout its system of controls. Turning to cyber attacks, Scotland's Parliament has sustained a brute force attack on members' email credentials.
Starting point is 00:03:14 The campaign is similar to the one Westminster sustained in June, and similar measures are being taken to remediate it. The attackers are attempting, as they did with the London incident, to get access to email accounts. Security experts continue to react to cyber firm FireEye's moderately confident conclusion that Fancy Bear has been compromising hotel Wi-Fi networks using tools stolen from Equation Group and leaked by the Shadow Brokers. The leaked exploits involve Server Message Block flaws, SMB. How the brokers got the exploits they leaked in April remains a mystery, but the SMB flaws they exploit, EternalBlue, EternalRomance, EternalSynergy, and EternalChampion, are likely to present problems for some time, according to an analysis published by security company Cylance. WannaCry and NotPetya were the two malware pandemics to take advantage of the Equation Group leaks.
Starting point is 00:04:06 Both presented themselves as ransomware, but both are now generally regarded as pseudo-ransomware, disruptive attacks that pose as ransomware to cloak their operators' true intentions. There is, in fairness, some doubt on this score with respect to WannaCry, which some researchers regard as a genuine but botched extortion attempt, possibly a money-making scheme by the North Korean government. Both strains continue to trouble enterprises. The healthcare sector worries about WannaCry, given the effect it had on Britain's National Health Service.
Starting point is 00:04:36 And the manufacturing and logistics sectors are still recovering from and paying for NotPetya. In one case, shipping giant Maersk has pegged its NotPetya-related losses at $300 million, and the company's CEO has instituted a corporate shake-up to make the business more resilient. Here at the Cyber Wire, we like to think we provide a public service to our listeners by reminding you, repeatedly, to back up your data. It's easier than ever these days. Storage is cheap, be it an external hard drive or space in the cloud.
Starting point is 00:05:08 Alas, not everyone heeds our warnings, and sometimes things go wrong: your only copy of that important file gets erased, or you just never got around to asking IT why your laptop hard drive was making that horrible clicking sound, and you find yourself in need of a data recovery service. Jeff Pederson is Senior Manager of Operations at Kroll Ontrack Data Recovery. Everything that gets put in place in the world seems to be trying to eliminate the need for data recovery. And that's been happening since we started business over 25 years ago.
Starting point is 00:05:38 And so backups were going to eliminate the need for data recovery. RAID systems were going to eliminate the need for data recovery. The cloud was going to eliminate the need for data recovery. And what we find is that no matter what gets put in place, as long as humans are running computers and need access to that data, data recovery is going to be needed on some level. VMware, for instance, and any virtualization makes it super easy for IT administrators to provision and allocate data for different divisions or departments within a corporation, but also makes it super easy for them to delete those inadvertently. And so we've had to build tools and the ability to recover from virtual machines. So what about encryption?
Starting point is 00:06:25 I can see there sort of being two sides to that. People will say, well, you want to encrypt everything on your hard drive to make it more secure, but that could make recovery more challenging, yes? It absolutely can. And we've had to customize our tools to accommodate for that. The encryption that's put on, and it matters whether it's put on at the hardware level or at the software level, and we're not in the business of cracking encryption or anything like that,
Starting point is 00:06:50 but what we do need to do is to be able to apply the encryption credentials that are used by our customers and sent to us to then crack open, essentially, and allow us access to the data that's on the disks. Because without that encryption information, or if a customer forgets their passwords, we're a professional data recovery company, but we still would not be able to recover that data. We can read all of the encrypted data that you want, but to get it decrypted, we do need those original credentials. So as someone who's in the business of helping people recover things that they've lost, what sorts of advice do you have for people to set up ways to, well, not need your services?
Starting point is 00:07:34 Right. We get asked that all the time by our customers is, how do we not call you back ever again after you've completed? And so we basically tell them it comes down to vigilance and to basically getting control of your data set, knowing what data you have, knowing what you absolutely want to back up, and maybe not backing up your entire local hard drive. You've got your documents and your pictures potentially or your email. Whatever you don't want to have to send to us for recovery, that is what you want to send to the cloud or to a backup device, whether that be a local NAS
Starting point is 00:08:12 device or an additional hard drive. But then much like you do with any of your other protected documents or highly sensitive documents, you're going to probably send them off site. You're not going to have them in your house in the same place where if your house were to have a fire, to have some flood or some incident happen, that they're going to be in the same physical location. So you're going to send them off to somewhere else. And so if that's a safety deposit box, if that is somebody else's home, if that is the cloud where you're going to replicate that data to the cloud and that's your off-site storage, then we say make another copy. So you have at least two places
Starting point is 00:08:52 where you can go to to find that very important information. That's Jeff Pederson from Kroll Ontrack Data Recovery. Taking a quick look at a few sponsored events from our CyberWire event tracker, we've got the Security in the Boardroom event coming up August 23rd in Palo Alto, California. That's from the Chertoff Group. And also, the Johns Hopkins Information Security Institute has teamed up with Compass Cybersecurity. They're hosting the Cybersecurity Conference for Executives. That's September 19th, 2017, and that is in Baltimore.
Starting point is 00:09:24 To learn more about the events or to find out how you can have your event listed in our event tracker, visit thecyberwire.com slash events. Mr. Smith is getting more strident with his or her or their demands on HBO, but it's not clear what Mr. Smith may have actually obtained from hacking the entertainment giant. It is increasingly clear what Mr. Smith is after. If hackers tend to seek cash or cachet, Mr. Smith is a cash kind of guy. Trickbot banking malware is being disseminated
Starting point is 00:09:54 through unusually convincing counterfeit sites. Even the URL and certificate are right. PowerPoint vectors may be distributing an OLE exploit as a test, or so Cisco and Trend Micro researchers suspect. The exploit attacks unknown vulnerability in Microsoft Office products. Kaspersky Lab has discovered a backdoor in the update mechanism for NetSerang's widely used server management software. NetSerang confirms that the backdoor called ShadowPad inadvertently appeared in a recent build of their product. It's been patched, and since it was discovered Monday that ShadowPad
Starting point is 00:10:31 is being exploited in the wild, NetSarang urges all users to update as soon as possible. The neo-Nazi website Daily Stormer, kicked out of most legitimate services, appears to have migrated its unsavory inspiration to the dark net. Even there, parties unknown may be pursuing it with distributed denial-of-service attacks. The Stormer, or at least its message, will probably find other outlets, if long experience with ISIS is any guide. The caliphate has posted more beheading pictures. The victim this time is a captured Iranian IRGC fighter.
Starting point is 00:11:07 Finally, a very large business email compromise campaign that hit major organizations worldwide has been tracked to its source. The operation was so large that many observers thought it was a state-directed series of attacks. But no, researchers at security firm Check Point have run it to ground, and they say it's the work of a not particularly skilled but very brassy 20-something Nigerian guy. He was armed with the commodity NetWire Trojan and the HawkEye keylogger, and with some fairly clumsy broadcast phishing was able to do some damage.
Starting point is 00:11:39 Check Point has shared what they know with Nigerian authorities, who have taken an interest in the unnamed young man. His motto is said to be, get rich or die trying. Hopefully it doesn't come to that. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:12:03 Here, innovation isn't a buzzword. It's a way of life. Thank you. slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
Starting point is 00:12:53 evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1, dollars off. who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel,
Starting point is 00:13:51 Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:14:23 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come by about privacy concerns with smart vacuum cleaners.
Starting point is 00:15:08 You know, you got your Roombas and the little robot vacuums like that that wander around your house. And it turns out they may be collecting information and data on our homes. Yeah, it seems like there's no limit to which devices can collect data within our homes these days. But this one was especially interesting to me. So this article said that Roomba devices, which are produced by iRobot, collect mapping information about your house. So they basically internalize the location of various rooms, various devices to help get a complete picture. And the fear here is that iRobot is going to sell this data to third parties, or they could potentially turn this data over to the government for a criminal prosecution. And in their contract, it says that they have the right
Starting point is 00:15:51 to do that. So as soon as you accept the terms and conditions, when you activate your Roomba device, you are signing away your rights to this information. You can never know what situation will present itself in the future. Law enforcement is in a situation where there's some crime where the specific location ends up mattering. I mean, we've seen instances that you and I have talked about, Dave, where Alexa has cut through somebody's alibi just by hearing that person's voice in a recording. So we can see the same situation here. You could get potential incriminating information from someone based on mapping information that occurs within the house. To be clear, the reason that the robot is gathering this information for its own use is to, you know, to do a better job of vacuuming your home. I could certainly see, like you say, law enforcement using that. If they had a warrant to enter someone's house, it'd be useful for them to be able to know where everything is in that house. But also, I could see, you know, on the flip side, I could see it being helpful to a fire department. If
Starting point is 00:16:53 they have to come in your house in the middle of the night, if they could bring up a map of where all the furniture is, where the beds are located, maybe they could do a quicker job of locating people in a burning house. Yeah, I think that's true. And you could certainly see the benefits when you think about third parties. I mean, let's say it's just selling it to Amazon. They can improve the acoustics of the music you listen to based on data submitted by these Roomba devices. They could know how big a room is so the acoustics can be better when your Amazon Echo device comes on. So there are certainly legitimate and potentially good uses of this data.
Starting point is 00:17:31 Yeah, and to be fair, the CEO of iRobot, his name is Colin Angle, and he says that they would not sell that data without consulting the customers first, so they're saying you'd have to opt in. But at the same time, the EULA that you sign when you sign up to use this technology says they don't have to tell you. Right, exactly. So there's no legal obligation for them to notify you if they submit your data to a third party. Perhaps there's an ethical or moral obligation. And more important than that, there could be a business justification. I mean, we've seen telecommunications companies and all other sorts of companies, companies that produce
Starting point is 00:18:10 all sorts of hardware using their security features as a selling point. You know, perhaps that can give them a niche in the market for people who are security savvy. So there are ethical reasons, but also just bottom line reasons to withhold that data. All right. It's an interesting story. Ben Yellen, thanks for joining us. Absolutely. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:19:03 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:20:15 Learn more at ai.domo.com. That's ai.domo.com.
