CyberWire Daily - Panama Papers assassination? Black Oasis exploits Flash Player. DPRK hacked TV show. Patching KRACK and ROCA. WikiLeaks prepping something? DHS BOD 18-01. SCOTUS to rule on data warrants.
Episode Date: October 17, 2017

In today's podcast, we hear about the assassination of a reporter who covered the Panama Papers. The Black Oasis threat group is found distributing FinFisher by exploitation of a bug in Flash Player. North Korean hacking is said to have been responsible for cancellation of a projected television show. Infineon patches a firmware flaw that could be exploited in a Coppersmith's attack. Vendors work to close the KRACK in their Wi-Fi products. WikiLeaks appears to be preparing for a large dump. The US Department of Homeland Security mandates improved email and website security across the Federal Government. David DuFour from Webroot discusses Bluetooth vulnerabilities. Neil Murray from Mimecast on cyber resilience. The US Supreme Court will review a significant cloud data decision.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A reporter who covered the Panama Papers is assassinated in Malta.
Black Oasis is found distributing FinFisher by exploitation of a bug in Flash Player.
North Korea hacking is said to have been
responsible for cancellation of a projected
television show. Infineon
patches a firmware flaw that could be
exploited in a coppersmith's attack.
Vendors work to close the KRACK
in their Wi-Fi products. WikiLeaks
appears to be preparing for a large dump.
The U.S. Department of Homeland Security
mandates improved email and website security
across the federal government,
and the U.S. Supreme Court will review
a significant cloud data decision.
I'm Dave Bittner in Baltimore
with your CyberWire summary for Tuesday, October 17, 2017.
One of the reporters who had been most active in pursuing leads into corruption and money
laundering surfaced by the Panama Papers was killed yesterday in a car bombing.
Daphne Caruana Galizia, a journalist working in Malta who had been called a one-woman Wikileaks,
died when a powerful bomb destroyed her car Monday afternoon.
No one has claimed responsibility.
Galizia's reporting had for the past two years focused largely on chasing down stories suggested in the Panama Papers,
as leaks from the Mossack Fonseca law firm have come to be called.
Her post to her running commentary blog had made enemies in both of Malta's principal political parties,
the ruling Labour Party and the
opposition Nationalists. She had also earned the enmity of organized crime. Caruana Galizia had filed a
police report two weeks ago concerning death threats she had received. Investigation of the
murder is in its early stages. Major political parties have condemned the killing and called for calm.
Yesterday, Adobe patched a Flash Player zero-day, CVE-2017-11292, that Kaspersky Lab discovered being exploited in the wild. The exploitation, attributed to the little-known and less understood
threat actor Black Oasis, was installing FinFisher spyware into selected targets.
FinFisher is famous as the lawful intercept tool that's been controversially used by governments around the world.
Black Oasis is thought to be a threat actor operating from somewhere within the Middle East.
They have tended to select their targets from Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia,
Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom, and Angola.
Microsoft tracks Black Oasis under the name Neodymium.
They tracked the threat actor last year, also using a Flash Player exploit to distribute FinFisher.
The targets then were for the most part located in Turkey.
Black Oasis exhibits a broad range of interests, but they tend to center on Middle Eastern politics,
including UN operations, opposition figures and activists, regional news reporters, and of course the oil industry,
which would seem a possible explanation for some of the out-of-area targeting.
It's been revealed that a 2014 North Korean cyber attack against British
production company Mammoth Screen prompted cancellation of a projected television series.
The show, Opposite Number, had a plot revolving around the imprisonment of a British nuclear
scientist in the DPRK. This is the second major known hack of a media company related to Pyongyang's objections to media content.
The other case, of course, is the Sony hack. A firmware patch from Infineon closes a vulnerability
that could be exploited to reveal private encryption keys in a fast prime attack.
A proof of concept uses a variant of the Coppersmith's attack, ROCA, for Return of
Coppersmith's Attack. Coppersmith's attack is
an old one, and users of devices with Infineon chips are advised to apply the firmware patch
as soon as possible. Much advice is being offered on protection from the KRACK Wi-Fi vulnerability.
Several vendors have issued patches to deal with it, but it's likely to persist for a long time,
especially in the Internet of Things.
In the meantime, here are the companies that either have or are expected to soon have a fix
for KRACK attacks, as reported by ZDNet. Aruba has issued a security advisory as well as patches
for its software. Microsoft's Windows products are thought to be relatively little affected,
but the company has pushed fixes out through its automatic updating.
Linux has made a patch available. Intel has also patched. Netgear, Microchip, MikroTik, OpenBSD,
Ubiquiti Networks, HostAP, and WatchGuard have all issued fixes. Apple expects to update iOS,
macOS, watchOS, and tvOS within a few weeks. Cisco is looking into the vulnerability, has some fixes out, and is working on others. Arris and AVM are evaluating the situation. Google is in the same
boat, investigating with patches to come as they're developed. Fortinet is working on a fix.
Espressif Systems has begun patching its chipsets. FreeBSD is working on patching its base system.
Wi-Fi Standard has made a fix available to vendors. And finally, the Wi-Fi Alliance is offering a KRACK detection tool
to its members. It's also requiring new members to test for the vulnerability.
Wikileaks's Julian Assange has tweeted out some odd code that looks like the insurance code
released in advance of past major
leaks. Nothing is broken yet, but people have their eyes and ears open. Yesterday, the U.S.
Department of Homeland Security issued Binding Operational Directive 18-01. This will require
U.S. federal agencies to adopt DMARC security standards to improve email security. The directive also recommends using HTTP Strict Transport Security, HSTS,
to ensure HTTPS connections and remove a user's ability to click through certificate warnings.
There are those who say when it comes to suffering a data breach,
it's not a matter of if, but a matter of when.
Whether or not you subscribe to that philosophy,
it's prudent to plan for the worst and have a resiliency plan in place, a way to ensure that while you're
recovering from whatever may have happened, your business stays up and running. Neil Murray is
Chief Technology Officer at Mimecast, and he offers his thoughts on cyber resilience.
In summary, it's protecting users, data and operations from risks that may arise
due to human error, malicious intent or technological failure. So it's not all about
just a defensive barrier that you may think about when you think of cybersecurity. There are issues
related to things like ransomware, for example, where you might need to recover data.
And that's not a defensive technology.
That's a technology of recovery.
And there are often needs to interact with the systems that are affected whilst an incident is ongoing.
So you have to keep the business running.
That's really the summary of cyber resilience.
How do you deal with all this stuff and keep the business running?
There are additionally human awareness
requirements. So the human firewall is important as part of the cyber resiliency process. And that
is that technology can do a certain amount, but human beings are the weakest link. So you want
to make sure that they're also made resilient through awareness. Yeah. What about the emotional
component of all this? You know, when something bad happens, people get upset. And I think that's an underestimated part of
the equation for many organizations. Sure. And you would have seen in the Equifax
incident recently that a lot of the damage gets done when the reaction is not prepared and planned.
Obviously, there's the preparation.
You know, if companies are found wanting when it comes to preparation,
that's one thing.
But you do need effective communications during these kinds of incidents, and that does take preparation and planning.
You also need to spend a lot of time with your staff trying to educate them
about how these things come about, what may happen in those circumstances. They should feel
confident that you have done the right things, but it gets emotional when it's not done right,
I think is the summary. You know, I remember when I was a kid, of course, we all probably
experienced having fire drills to practice what would happen if in the event that there was a fire.
Do companies need to go through a similar thing when planning out their cyber resilience?
Well, there are great technologies out there
that do drills like this.
There's pluses and minuses to them.
Fire drills is one way,
which is a periodic process of testing your people.
The downsides are that people get caught out,
feel like they were caught out.
So there's a negative that can come from that.
Oh, you tricked me.
I mean, that's obviously the point of it, but some of these tests can be pretty negative.
That's not to say you mustn't do them.
It's just that you have to deal with the fallout that comes from that.
as we take is real-time awareness, which means that as people are clicking on links inside their emails or downloading attachments from emails, we may take a moment on a randomized or periodic
basis to provide a teaching moment to them. In other words, ask them a question about where they
think they're going and ask them whether they think that site is safe or not. And then we'll
tell them whether it is or not, but we want them to make a call on it,
and that raises the awareness in a more or less real-time fashion.
So that's more real-time fire drills, much more periodic.
So what would be your advice for someone who's trying to address this,
someone who's trying to get organized and have a proper plan when it comes to resilience?
I think there are quite a few good resources online about cyber resilience. It's an emerging term for sure in that we're talking about not just cybersecurity, the defensive part of it,
but something that's a bit more comprehensive. There's obviously a technological component.
You need to go and source vendors, make sure that they have a broader offering than just a defensive portion to their technology.
So you really do need recovery options, continuity options.
Those are the kinds of things that are as critical as the defensive piece.
That's Neil Murray from Mimecast.
The U.S. Supreme Court has agreed to hear an appeal of a Second Circuit decision that exempted data stored abroad from U.S. search warrants.
The Second Circuit's decision in favor of Microsoft found that emails were beyond the reach of U.S. domestic search warrants
when the user whose emails were sought signed up for Microsoft service while he was in Ireland.
The ruling affected warrants issued under the Stored Communications Act of 1986,
a law that's widely regarded as ripe for revision.
The decision the U.S. Justice Department is appealing was widely regarded as a victory for privacy advocates
and the tech companies who offer geographically dispersed cloud services.
Law enforcement saw the ruling as a loss,
depriving them of access to data needed to investigate crimes,
ranging from child exploitation to murder.
In the appeal, the two sides are basically represented by the tech industry,
Microsoft, Amazon, Apple, CNN, and Verizon to take the most prominent companies,
with an assist from the ACLU and the U.S. Chamber of Commerce.
And in the other corner, the Justice Department,
with backing from 33 U.S. states and the Commonwealth of Puerto Rico.
The Supreme Court's decision will have far-reaching implications.
Joining me once again is David DuFour. He's the Senior Director of Engineering and Cybersecurity
at WebRoot. David, welcome back. We wanted to talk today about some vulnerabilities when it
comes to Bluetooth. Well, hi, David. Thanks for having me back. Yeah, Bluetooth's making a lot of noise
here. A little tidbit about me. I'm not going to do this anymore, but I've been spending the last
couple of months on Sunday morning sitting at a restaurant, eat my oatmeal with my Bluetooth
scanner out there looking for people with their Bluetooth devices, with their Bluetooth turned on.
Yeah. And then this news dropped. So it's been advised
to me, I probably want to stop doing that. The trick here is, you know, your Bluetooth,
it's a radio, just like a Wi-Fi device. And a lot of people don't think that it's capable of doing
two-way communication. They think it's a lot more secure than it is. But, you know,
as your listeners know, anything that's software or hardware can be hacked. And there's exploits that abound, BlueBorne being one of them, in terms of being able to take advantage of the actual Bluetooth standard and how it's been implemented in many devices.
There's actually the capability through Bluetooth, even if it's connected to some other device, that you could get into a user's device by simply pulling that solution. First off, you're going to
scan for the radio to see if it's on. Then you're going to ping that device to try to make a
determination of what the operating system is, potentially the version, maybe even the hardware
of that. And then from there, a nefarious actor could go out and look for exploits on that device.
To be fair, you do have to be within a pretty tight range. Bluetooth doesn't
have the range of other radio technologies, and it is complicated, but it's becoming more prevalent
as people figure out you can do it. One of the only things you can do to protect yourself is to
make sure that you turn Bluetooth off if you're not using it. Now, what about if I am using
Bluetooth? Let's say I'm in my car and I'm using the Bluetooth connection.
If I'm connected between my phone and my vehicle, am I still vulnerable to someone else, you know, a drive-by attack?
Well, so if you're in your car, unless they're in the trunk and you don't realize it,
they're probably not going to be within range to be able to get between there. But you do ask a great question because if I'm sitting at a table and the person behind me is using their phone to listen to Bluetooth, potentially on headphones, it is possible.
And it's very clear how to do this with BlueBorne.
It's possible to actually get access to that device and exploit it, even if it's connected to a different device.
This isn't a situation where it has to be in pairing
looking for other devices. So a lot of people think that it has to be in that state, but no,
the actual flaws are with the Bluetooth implementation that lets you get in if that
radio is on and if it's connected to something else. So is this a hardware problem or is it
software that can be patched? It's definitely software that can be patched,
provided you're running the Bluetooth radio on a device that's updatable
and that your vendor provides a patch for it.
David DuFour, thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
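Editor's note on the Infineon/ROCA item above: the ROCA paper's most useful practical contribution was a fingerprint that identifies affected RSA public keys from the modulus alone, without any factoring. Keys generated by the flawed library have primes of the form p = k*M + (65537^a mod M), where M is a product of small primes, so for each such small prime the modulus N mod p_i must land in the subgroup generated by 65537 mod p_i. The script below is an added example written for this page; it is not code from the episode, from Infineon, or from the ROCA authors. It assumes the published small-prime list, builds the allowed residue sets from that structure, and uses constructed sample moduli (the textbook toy modulus 3233 and a synthetic product with the vulnerable residue shape). A positive result is a triage signal: the full test in the paper also requires the size-specific M and a discrete-logarithm check.

```python
"""ROCA-style RSA modulus fingerprint (added example; assumptions labelled)."""
from math import prod

# Small primes used by the public ROCA fingerprint (assumed list for this example).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the fixed base used in the affected key structure

# M here is the product of the listed primes only; the real library uses a
# larger, key-size-specific primorial. The residue test is unaffected by that.
M = prod(SMALL_PRIMES)


def residue_set(p: int) -> frozenset:
    """All values 65537^a mod p: the only residues an affected modulus can take mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


ALLOWED = {p: residue_set(p) for p in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if n passes every residue test, i.e. it has the vulnerable key shape."""
    return all(n % p in ALLOWED[p] for p in SMALL_PRIMES)


def false_positive_rate() -> float:
    """Fraction of random integers expected to pass all tests by chance."""
    rate = 1.0
    for p in SMALL_PRIMES:
        rate *= len(ALLOWED[p]) / p
    return rate


def affected_shape_modulus(a: int, b: int, k1: int, k2: int) -> int:
    """Constructed sample: product of two factors k*M + (65537^e mod M).

    The factors are not checked for primality; the point is only that the
    product has N mod p_i = 65537^(a+b) mod p_i for every listed prime.
    """
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q


# Constructed inputs: 3233 = 53 * 61 is the textbook toy RSA modulus.
HEALTHY_TOY_MODULUS = 3233
SYNTHETIC_AFFECTED = affected_shape_modulus(7, 13, 2, 5)

if __name__ == "__main__":
    for label, n in (("toy 53*61", HEALTHY_TOY_MODULUS),
                     ("synthetic ROCA shape", SYNTHETIC_AFFECTED)):
        print(f"{label}: fingerprint={roca_fingerprint(n)}")
    print(f"chance false positive rate: {false_positive_rate():.3g}")
```

The toy modulus fails at p = 17 (65537 is 2 mod 17, so only the eight powers of 2 are allowed, and 3233 mod 17 = 3 is not one of them), which is exactly why the test is cheap: one modular reduction per prime, and a random key almost never survives all 38 of them.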
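Editor's note on the BOD 18-01 item above: the directive's two named controls, DMARC for mail and HSTS for web, are both expressed as small tag-value strings that are easy to publish wrongly. The checker below is an added example written for this page, not code from the CyberWire, DHS, or the directive itself. Record syntax follows RFC 7489 (DMARC TXT records) and RFC 6797 (the Strict-Transport-Security header); the thresholds it enforces (p=reject, pct=100, an aggregate-report address, a one-year max-age with includeSubDomains) are this example's reading of the directive's end state rather than quoted text, and every sample record is constructed.

```python
"""Lint a DMARC record and an HSTS header against a strict target (added example)."""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for this example


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2; flag' into a dict (both DMARC and HSTS use ';').

    Keys are case-insensitive; valueless directives such as includeSubDomains
    map to ''. Quotes around HSTS values are stripped.
    """
    out: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key.strip().lower()] = value.strip().strip('"')
    return out


def check_dmarc(txt: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means it meets the target."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record: must begin with v=DMARC1"]
    tags = parse_tags(txt)
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; receivers will treat the record as invalid")
    elif policy.lower() != "reject":
        findings.append(f"p={policy}: target end state is p=reject")
    sp = tags.get("sp")
    if sp and sp.lower() != "reject":
        findings.append(f"sp={sp}: subdomain policy weaker than the organizational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct}: policy is only sampled, not fully enforced")
    if "mailto:" not in tags.get("rua", ""):
        findings.append("no rua= aggregate report address; you will not see failures")
    return findings


def check_hsts(header: str) -> List[str]:
    """Return findings for a Strict-Transport-Security header value."""
    d = parse_tags(header)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["missing or malformed max-age; browsers ignore the header"]
    findings: List[str] = []
    if int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age}: below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    return findings


# Constructed sample records (example.gov is a placeholder, not a real agency).
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.gov"
SAMPLE_HSTS_WEAK = "max-age=300"
SAMPLE_HSTS_OK = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for name, fn, rec in (("DMARC weak", check_dmarc, SAMPLE_DMARC_WEAK),
                          ("DMARC ok", check_dmarc, SAMPLE_DMARC_OK),
                          ("HSTS weak", check_hsts, SAMPLE_HSTS_WEAK),
                          ("HSTS ok", check_hsts, SAMPLE_HSTS_OK)):
        print(name, fn(rec) or "no findings")
```

The p=none case is the one worth watching: it is a valid record that produces reports but blocks nothing, which is why a monitoring-only deployment is a starting point and not the end state.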