CyberWire Daily - Patch Tuesday notes. Cyber threats to healthcare, New Helsinki information operations center forming. Updates on WikiLeaks and the ShadowBrokers
Episode Date: April 12, 2017
In today's podcast, we discuss April's Patch Tuesday, with news and tasks for Windows, Adobe, and SAP admins. Cyber threats to healthcare include ransomware, breaches, and device hacking. NATO and non-NATO partners establish an information operations center in Helsinki to contest Russian influence in cyberspace. Analysts continue to pick over the latest from the ShadowBrokers. Emily Wilson from Terbium Labs describes the Dark Web ecosystem. And WikiLeaks Vault 7 seems to out cyber operators as fans of Star Trek, anime, and Ape Escape. No surprises there, eh?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Yesterday was Patch Tuesday.
Cyber threats to healthcare include ransomware breaches and device hacking.
NATO and non-NATO partners establish an information operations center in Helsinki to contest Russian influence in cyberspace.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, April 12, 2017.
Microsoft yesterday issued fixes for the Office zero-days that have been much discussed over the past week. At least two of the bugs are being actively exploited in the wild, which should lend urgency to the patching.
Netskope reports that one of the vulnerabilities is being exploited by the Godzilla botnet, and the resurgence of the Dridex banking trojan via Word zero-days has been widely reported as well, with much research contributed by Proofpoint.
McAfee and FireEye have said they'd warned Microsoft about the vulnerabilities,
but Microsoft had until now been quiet about the steps toward remediation it planned.
Now Redmond has taken a swat at 46 bugs, 15 of them rated critical.
The exploitation of the vulnerabilities in the wild tended to begin, as it so often does, with phishing.
The phish bait in the case of the Word vulnerability reported by researchers at security firm Optiv was a malicious document that, when opened, executes a script to install additional payloads.
Michael Patterson of security firm Plixer International pointed out to us that phishing tends to succeed when it becomes more plausible. The ready availability of personal data to bad actors, whether obtained legitimately via unwise sharing over social media or illegitimately through breached information traded on the black market, contributes to successful phishing.
The other patched bug being exploited in the wild is an Internet Explorer flaw that enables privilege elevation attacks. A third zero-day, this one affecting Office 2010, 2013, and 2016, is carried in Word by a malicious EPS image. This one's not yet patched, but Microsoft has released interim guidance pending a security update.
For its part, on Patch Tuesday, Adobe fixed 59 vulnerabilities, 44 of them code execution bugs.
The affected products include Adobe Reader, Adobe Campaign,
the Creative Cloud app, Photoshop, and Flash Player. And SAP published 27 security notes in
its round of patches yesterday. Most of them are missing authorization checks, but a few are more
consequential. A number of attacks against and threats to medical information and healthcare
providers have been reported.
A tweeter by the screen name of Flash Gordon found, using the Shodan search engine,
information on more than 900,000 elderly diabetes patients exposed online in apparently a telemarketer's database.
And security company Forcepoint sees a trend.
Attackers are using the ransomware-as-a-service platform known as Philadelphia for commodity attacks against medical targets. Many security experts see the healthcare sector as still playing cyber catch-up, which is understandable. The sector collects, holds, uses, and necessarily shares a great deal of sensitive information, and so it faces a tough challenge.
Trivalent's John Suit, for one, told us that recent incidents show that data protection has been unable to keep up with the sector's rapid digitization. He recommends protecting data at the file level: "encryption, shredding, and secure storage, which renders personal patient data useless to unauthorized parties."
Turning to cyber conflict, specifically information operations: the UK, the US, France, Germany, Sweden, Poland, Finland, Latvia, and Lithuania have agreed to establish a joint InfoOp center in Finland.
The Helsinki center is aimed against Russian influence operations,
especially against the prospect that such operations will play a malign role in future elections.
The new center recognizes the seriousness of propaganda,
especially given its technology-enabled increased reach and rapid spread.
It also suggests recognition that aggressive information operations
are usually best addressed by informational means.
For example, RT's coverage of the alleged Kelihos botmaster, in which the Russian state-aligned service claimed the suspect arrested on his Spanish vacation was behind last year's DNC hacks.
In an interview yesterday with The Hill, former U.S. Director of Central Intelligence and
NSA Director Hayden sensibly cautioned members of Congress against calling election hacking
an act of war.
Not all hostile acts constitute a casus belli.
Hacker House looks at the Shadow Brokers' latest leaks and concludes they suggest the
existence of tools to root Oracle Sun Solaris Unix servers.
And finally, researchers at Symantec and elsewhere continue to pick over WikiLeaks' last Vault 7 round of alleged CIA hacking documents, connecting the tools noted therein to the Longhorn campaigns that appeared in 16 countries beginning in 2011.
The Hill and others make something of pop-cultural references that appear in the doxed files.
They're said to be loaded with allusions to Star Trek and anime, but closer inspection reveals that there's less here than meets the eye, so the name-check reporting might best be viewed as so much fan service for Langley-phobes. Mr. Spock gets a couple of shout-outs, but so do Flash Gordon, Ape Escape, Bad Lip Reading, and Brazilian Jiu-Jitsu. The homage to anime seems to extend little farther than Gai and Shu, who you'll no doubt remember from the series Guilty Crown. Or so a friend tells us.
All of this seems innocent enough, as naming conventions go, and even to argue for a pleasantly
broad range of civilized curiosity on the part of the alleged, we stress alleged, cyber operators.
We confess one of our stringers has spent the day noisily advocating for Babylon 5 over Star Trek,
but in matters of popular culture tastes vary.
But had it been all Sailor Moon all the time, we would have feared for the Republic.
A quick question, though, for retired DCI Hayden.
General, if you don't mind sharing, what was your high score on Ape Escape?
It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Emily, welcome back. You know, the dark web is its own ecosystem. There are markets that come and go. People set up shops, shops close. You know, take us through that ecosystem, the evolution of that ecosystem.
Sure. I mean, you think about, you know, kind of the standard conversation there
is you have something like a Silk Road, right, that kind of existed and was very popular and then was taken down.
And I think we are on Silk Road three or four now.
And with each iteration, you know, less trust and less of an expectation of it coming back to its original levels, you know, new ownership, for example.
Then you have other markets like the Real Deal, which really built up a reputation, especially kind of in the latter half of last year as being a place for some of these major databases for sale or some of these
major exploits in comparison to other markets like Alphabay, which is kind of more of a general
market. You can get your drugs or your fraud or what have you. I think the volatility there is
definitely difficult for sellers to navigate or for buyers to navigate for that matter. I don't
see too many conversations about vendors and where they're moving when markets go down, but buyers
definitely. And buyers follow their vendors. When you find someone you trust, you're going to follow
them wherever they go. And so if they're only on one market and that market goes down, there's a
vacuum.
And what is there in terms of barriers of entry for setting up a shop?
For setting up a new market? I think there's a fairly decent barrier to entry there. I mean,
first, you need to have a site that is going to be technically sound enough that vendors and buyers
are willing to go there. And there definitely have been standards set in the market. People
are trying to differentiate themselves enough to draw people
away from other markets, but at the same time, there are these security constraints, which is
why when new markets are available, people will typically put them up and ask the community to
assess them and try and pull new vendors in saying, we are just as secure, but we do these
things differently. Not all that different from the kind of competition we see in regular retailers.
So in terms of the markets coming and going, how volatile is it? Are there,
you know, ones that have been around for a long time and they're the tried and true markets and
then, you know, fly by night? How does it work?
Sure. I mean, Alphabay is definitely the kind of
the clearest example of something that's been around for a little while and definitely has
earned a reputation for being fairly stable. You know, they have uptime and downtime, just like the rest of
kind of the dark web. You know, they faced DDoSing. They were down for a couple of hours yesterday.
Every time these sites kind of come up and go down, the major markets in particular,
you have to ask yourself, is this the exit scam? You know, Nucleus, people held out hope for a
while when Nucleus first went down. And so then
in addition to, you know, kind of the major markets going up and down, it's trying to make
a judgment call on these new markets when they pop up. Are they gaining traction? Are they going
to ever become truly popular? And would they become popular in their own right? Or is it going
to be a result of some other market going down and that's the next best thing? Trying to judge what the next best thing will be is difficult, I think, when
you have something like an Alphabay and really there's not an equivalent.
So it can really be sort of an ethereal thing. A site might come up and have that special
something that'll attract attention and others simply won't.
Sure. And then you have to ask yourself, you know, if this site goes down,
are we going to see the vendors split into, you know,
the drug vendors will go focus on something that's more like the Majestic Garden,
which is just a psychedelic site.
And the fraud vendors, will they go over to kind of carding specific sites?
Or are we going to see an exodus to, you know, another fairly large market like Hansa or Valhalla?
Or are we going to see people maybe take up, you know, take up banners on some of these newer markets?
It's a different world. Emily Wilson, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives, because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.