CyberWire Daily - Payment processors probed with BGP exploits for redirection attacks. WhatsApp vulnerable to manipulation? Deterrence and retaliation. Anonymous vs. QAnon. Notes from Black Hat.
Episode Date: August 8, 2018
In today's podcast we hear that Oracle has warned of BGP exploits against payment processors. Check Point says it's found vulnerabilities in WhatsApp that could enable chat sessions to be intercepted and manipulated. Germany, Ukraine, and the US independently mull responses to hacking and influence operations. Anonymous announces it wants to take its shots at QAnon. Notes from Black Hat, including observations on grid hacks, AI, and the gray hat phenomenon. David Dufour from Webroot with a look at the year in review. Guest is Travis Moore from TechCongress describing their fellowship programs. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
payment processors. Check Point says it's found vulnerabilities in WhatsApp that could enable
chat sessions to be intercepted and manipulated. Germany, Ukraine, and the U.S. independently
mull responses to hacking and influence operations. Anonymous announces it wants to take its shots at
QAnon. Notes from Black Hat including observations on grid hacks, AI, and the grey hat phenomenon.
From the Black Hat Conference in Las Vegas, where it's a dry heat,
I'm Dave Bittner with your CyberWire summary for Wednesday, August 8, 2018.
Oracle warns that attacks in July sought to exploit the Border Gateway Protocol in an attempted DNS redirection attack against U.S. payment processors,
DataWire, Vantiv, and Mercury payment systems.
There had been an earlier series of attacks in April
that worked the same exploit against cryptocurrency wallets.
Security firm Check Point says it's found vulnerabilities in WhatsApp's cross-platform messaging app.
The issues, which Check Point disclosed to WhatsApp, could, the researchers say,
be used by an attacker to intercept and manipulate group chat sessions.
WhatsApp told the New York Times that Check Point's discoveries amount to seeing its app function as designed,
so the company's response to the disclosure remains unclear.
Such an attack could have various purposes,
but the one most commented on is the possibility of exploiting WhatsApp
to spread disinformation.
The app has come under criticism in India
because users abused the service to foment unfounded outrage
that resulted in lynchings.
German security services have been thinking through the problem of deterrence and retaliation.
They believe they now in fact have the legal authorities necessary to conduct retaliatory
cyber operations in response to an attack.
Whether they would do so remains a policy decision.
Ukraine's President Poroshenko has directed the country's security services
to undertake a serious push to deflect attempts at election influence operations.
U.S. Defense Secretary Mattis, pointing out that the military is there to defend the Constitution,
says that the Department of Defense certainly has a role to play in fending off attempts
to subvert, influence, or otherwise compromise elections. The principal threat is perceived as Russia,
also said to be after the power grid.
TechCongress is an organization that aims
to bridge the gap between the tech community and policymakers in Washington, D.C. They offer
Congressional Innovation Fellowships for tech-savvy individuals to work directly with
members of Congress. Travis Moore is founder and director of TechCongress.
We place technologists
to work with members of Congress through this one-year fellowship. This is a residential
fellowship. You have to relocate to Washington DC and show up in the congressional office for a year. Our goal is to really infuse technical
expertise into the policymaking process. And, you know, you go to work directly for a member
of Congress and work on a whole range of issues we could talk more about, but anything from
encryption and investigating the OPM breach and the Equifax breach and every other breach to government surveillance and a whole range of other stuff.
For the TechCongress Congressional Innovation Fellowship, we're looking for essentially three things.
One is someone with a technical ability.
So we do look for people that either formally or informally have technical skills.
You're an engineer or a developer or
study computer science. So someone with technical ability, someone that can translate difficult
technical concepts for a very layman's audience. Many members of the United States Senate don't
even use email. So it's kind of that level of dumbing it down, but ability to translate too.
And then three, we're looking for people that are really entrepreneurial problem solvers and work well on teams because Congress is a collaborative place.
One of the things that we're trying to accomplish is to think differently than traditional DC
institutions. New America is very much a do tank, not just a think tank. We want people that have
been in the trenches working on latest cybersecurity challenges.
And our goal is really to elevate people and to give them access to not only a broader community of practitioners, but also the leading policymakers in Congress, in federal agencies, at think tanks.
Our goal is to bring doers into the policymaking process, not just write policy papers.
We really want people that are executing in the field.
We see connecting practitioners to the people that are making policy as a really, really, really, really essential part, if not the core part of our mission.
So if you're in the trenches, we want you.
So come and we hope you'll apply.
countering foreign black propaganda online. The challenge is difficult, but Facebook's ongoing work on content moderation,
painful and expensive as it's been, may hold long-term benefits.
The more lawyers and money it throws at content moderation,
the wider Facebook's moat becomes against upstart disruptors.
Some recent studies in the U.S. suggest that viral political messages
may be less effective than political campaigns think, hope, or fear.
Whether national espionage services will reach the same conclusion is an open question.
The online operation that Anonymous has just announced against QAnon
may provide an interesting case study,
although Anonymous ops have tended to fizzle over the last several years.
Black Hat's preliminary meetings and social events have run through last night.
The conference opened its exhibit floor at 10 a.m. Pacific time today.
The presentations in the arsenal began at about the same time.
We're making the rounds through the briefings and the booths,
and we'll have notes and observations over the course of the week.
There are a great many products and solutions being announced and pitched at the event, as is always the case.
Among the discussions gaining early attention surround industrial control system security, that is ICS security, especially with respect to power grids, the prospects of artificial intelligence for cybersecurity
with some skeptical observations on their limitations,
and trends in cybercrime with a newly released study on greyhats attracting attention.
One starting point for power grid security discussions is Cybereason's honeypot experiment
in which the company established a dummy power utility presence
online and then observed the focused attention it received from attackers. These attacks ranged
from the usual low-level probes to a focused and patient campaign that apparently came from a nation
state. That this unnamed and probably unknown nation state showed a lower than expected level
of sophistication suggests that it's not the
usual Russian suspects so often mentioned in dispatches. This actor worked hard to get in,
established itself in the honeypot, and then went quiet, presumably biding its time until
the right moment came to attack. And security firm Comodo has issued a challenge to the
antivirus community. They call it the Zero Day Challenge,
and they intend to use it to expose what they regard as overhyped claims
for the efficacy of artificial intelligence in threat detection.
That AI has value in detection would appear to be beyond serious dispute,
but Comodo seems interested in debunking some of the larger silver bullet claims
that would anthropomorphize the popular family of technologies.
In earlier conversations with us, Comodo has said that certain problems of malware detection
are formally undecidable, and it's this problem they think has been overlooked
by some of the less critical and serious proponents of AI as a panacea.
We'll take a look this week and see how the challenge progresses.
A study commissioned by Malwarebytes on the true cost of cybercrime reports a disturbing trend,
the rise of the greyhats, those security professionals who keep their legitimate
day jobs but moonlight in cybercrime, or at least in questionable and dodgy activities.
The study concludes that 1 in 20 security professionals in the U.S. are perceived as greyhats, and the fraction is much higher in some other parts of the world.
How close the perception is to reality may be open to debate.
The prevalence of hacker-chic style in the security community may inflate it.
We've lost track of the number of t-shirts we've seen wandering around here
that sport skulls,
the Punisher's logo, and so on.
Not to mention pirate beards
and legible apparel reading
I don't date white hats.
But it's an unpleasant conclusion to contemplate.
And here's a pro tip.
Those who wish not to be mistaken
for gray hats would do well
not to wear a gray hat.
Or a black hat, for that matter.
We speak metaphorically.
Perception isn't reality.
But on the other hand, it is one of several aspects of reality.
Joining me once again is David Dufour.
He's the Senior Director of Cybersecurity and Engineering at Webroot.
David, welcome back. We are just about halfway through 2018. Where did the time go?
We thought it would be a good opportunity to kind of take stock, look back at some of the
predictions we made at the beginning of the year, see how they played out, what lived up to the hype,
what fell flat. What are you all seeing there?
Hi, David. Great to be back again, as always. You know, 2018, from a purely security perspective, is turning out to be kind
of a boring year. We're seeing the same problems we were seeing last year in terms of phishing,
ransomware really being the key drivers right now in security. The ransomware providers, as we say, are really honing their game and getting good at delivering ransomware.
Phishing is still, as always, top of mind in terms of way into systems.
So it's kind of a little bit of a replay of 2017 at the moment.
It was still not seeing any huge major global attacks
or anything like that?
Nothing major at the moment. I guess we had the router problem here recently.
That's probably the biggest issue we've seen this year. Usually we see some before summer,
then I think the cyber criminals take the summer off and then we'll start seeing some things pop up in September, October timeframe.
So I think it'll be kind of a gentle summer.
But other than the router issue right now, that's really been the big problem.
Now, based on what we've seen so far, what's your advice to people heading into the second half of the year?
Great question.
And it's going to be, as I've said to you before, David, the more mundane, the more applicable it'll be.
I think, you know, as people go on vacation, as they're traveling or, you know, for through the summer and the rest of the year, let's make sure we're really paying attention to our wireless security when we're in public places.
You know, maybe get a good VPN to ensure you're having good point to point
security, as always, patches and backups and things like that. Just practice your basic cyber
hygiene, because right now there's nothing super critical that we haven't seen before that would
tell me to do something more than that. The standard cyber security hygiene packages that
are out there.
Now, what about crypto jacking and cryptocurrency? I mean, we really thought, you know, we were going to run out of electricity for a while, right?
That's right, David. We were, all the power
plants were firing up and everything to handle all the crypto jacking power requirements. You know,
first of all, cryptocurrency, the biggest problem there has been the hacking of
crypto wallets and things like that. So just real quick to reiterate with the cryptocurrency, be sure
if you're if you're investing in that, you have a really reputable site that you're investing with
and they have good security because the biggest problem with cryptocurrency is having your wallet
hacked.
But but as for crypto jacking, that's one of my favorite
topics, because all year people have been talking about that. You know, it's the big thing. It's a
big problem. I'm going to kind of go back to I was saying I couldn't figure out how a cyber criminal
would make money off of crypto jacking because most most cyber criminals, they're not multivertical.
They're focusing on ransomware or they're focusing on delivering malicious software, where cryptojacking was people just kind of mining cryptocurrency while they were
on your machine. So I thought it might be a problem in terms of using resources on your
machine, but I didn't believe people would be distributing malicious software through
cryptojacking. So I do think it's going to be something we need to pay attention to,
but I'm not sure
that it's going to be this big, horrible thing we all thought it would be.
David Dufour, thanks for joining us.
Thanks for having me, David.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll
see you back here tomorrow.