CyberWire Daily - Payment system hack investigated. Patch weaponization. Medical zero-days for sale. Responsible disclosure. Bad bots attack. Car hacking. Trends in phishbait.
Episode Date: May 1, 2018

In today's podcast, we hear that a possible bank payment system hack remains under investigation in Mexico. Medical zero-days for sale, and not on the black market. SamSam continues to spread. What to look for in bad bots. Patched vulnerabilities are being weaponized at higher rates. Proof-of-concept car hacking demonstration shows in-vehicle infotainment system vulnerabilities. And when you see these phishbait phrases in an email subject line, be sure to spit the hook. Emily Wilson from Terbium Labs on recent takedowns of content on Reddit. Guest is Patrick Peterson from Agari on Brand Indicators for Message Identification (BIMI), a proposed standard to better secure email.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Payment system intrusions are investigated in Mexico.
Medical zero-days are for sale, and not on the black market.
SamSam continues to spread.
What to look for in bad bots.
Patched vulnerabilities are being weaponized at higher rates.
Proof-of-concept car hacking demonstrations show in-vehicle infotainment system vulnerabilities.
And when you see these phishbait phrases in an email subject line, be sure to spit the hook.
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Tuesday, May 1, 2018.
Mexico's central bank continues its investigation into a possible cyber attack against payment systems.
Connections between the central bank and three financial institutions, two banks and a brokerage, appear to have been disrupted in a cyber incident.
Again, the central bank itself believes it was unaffected,
and the three institutions are thought to have swiftly contained the attack.
Here's a story that shows both the worrisome dual-use nature of testing tools and the very divergent perspectives on researchers' disclosure practices.
Moscow-based security firm Gleg, which Boing Boing breathlessly calls a cyber-arms dealer, offers an annual subscription service through which customers receive zero-days for healthcare-related software.
The annual subscription charge is $4,000.
GLEG offers at least three different subscription packages.
Agora consists of zero days for general-use web software.
SCADA PlusPack has exploits for industrial control systems.
And MedPack, of course, holds vulnerabilities in software used by hospitals.
An annual subscription gets you 25 exploits, most of them zero-days. Motherboard points out that the zero-days are marketed for use in conjunction with penetration testing, specifically with the Canvas security testing tool. This isn't a black market operation, but it does highlight the very different perspectives circulating concerning disclosure of vulnerability research.
Gleg's Yuriy Gurkin gave their perspective on proper practice in an email to Motherboard.
As he put it, quote,
So, a question for the industry.
Would well-structured, well-compensated bug bounty programs effectively induce brokers like Gleg to participate in them,
or would they simply fuel the digital equivalent of a bandit economy,
maybe moderated with some inflationary pressure on the bandits?
SamSam ransomware continues its malign spread,
rapidly propagating copies of itself across targeted enterprises.
The goal is to infect as many devices in an enterprise as possible and then offer a volume discount on the decryptor, which they hope the victim will fork over.
SamSam really did give the city of Atlanta fits, and those fits have proven both expensive and enduring.
Distil Networks' 2018 Bad Bot Report is out.
The company's research finds that account takeover attempts jump by roughly 300% in the wake of a major publicly announced breach.
So here's not only news you can use, but a way of using the news.
Distil's Senior Director of Security Research, Anna Westelius, puts it this way in the company's announcement, quote, "Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks," end quote.
Some of their specific findings are interesting.
About half of the account takeover attempts Distil saw were volumetric credential stuffing attacks.
These bad bot attempts look like a fast spike in requests.
The other half are harder to recognize, what the researchers call low and slow credential stuffing and credential cracking.
About a fifth of the attacks Distil analyzed were preceded by a small test round a few days before the main event.
Such a test should show up as a deviation from the customary baseline of failed logins.
And when do the bad guys hit?
On Fridays and Saturdays, probably because they expect security personnel to be likelier
to be off on those days.
Phishing emails often find success in imitating popular well-known brands, fooling the email
recipient into thinking they've received a notice or important message from a brand they
trust.
There's an organization working on making it harder for the bad guys and gals to do
this with a system they call BIMI, Brand Indicators for Message Identification.
Patrick Peterson is executive chairman and founder of Agari, and he helps us understand what BIMI is all about.
Over the last decade, a band of kind of pioneers has come together, and the first thing they did was they brought us DMARC, Domain Based Messaging Authentication and Conformance. And that solved the first half of the problem, which is, how do I actually know that that email from Agari or Aetna or Groupon is really from them? And this next step is now going beyond getting rid of the phishing and the spoofing to actually put trust back into email, to actually allow you, when you wake up in the morning, to know, is that message really from my health care provider or my daily deals offer?
And so take us through how it works. As an email user, what would be different for me?
This assumes that DMARC is the base layer and we actually know that that message from Groupon is in fact authentic. Then BIMI comes in, and what it changes for the end user is instead of looking at their email and seeing their offer from Groupon, they now see a trust indicator.
They see the Groupon brand, both when they look at a list of messages to click on, and then when they click on the message, they see in a reserved space that only the email client can put it there, so the bad guys can't place any kind of logos or trust marks there.
They see the Groupon logo.
And so now they know they can engage safely.
They know it comes from a trusted party.
And our research and experience says this is going to dramatically increase the level of engagement over email, the brand trust, and revenue for people who are sending email.
It's also going to make us safer as well.
And in terms of the standard that you all are developing, this is an open standard?
Absolutely. DMARC and BIMI, the two of them together, are both open standards, royalty-free,
anyone on the planet can implement them. And folks like Agari, Oath, Aetna, and Groupon
have made sure that all these contributions will be available for anyone as an open standard.
And what's your progress so far? Do you have buy-in from both the folks who make the email clients and from brands?
We do, very much so. And so the last two years have really seen us in the lab on those internet mailing lists, coming up with the standard itself.
And the organizations who have been involved in that have been organizations like Microsoft, Google, Oath, which represents Verizon, AOL, and Yahoo,
as well as some of the big brands also. What's happened in the last couple of weeks
is we've done the first pilot. Basically, we've sat around and said, we're designing the car.
We've done the drawings. We've done the modelings. We've done the wind tunnel testing.
We're really not going to learn more about this car design until we take it out
for a couple laps on the track. And so this BIMI pilot with Oath, Groupon, and Aetna is really
those pilot laps where we're actually testing it for vibrations, you know, seeing if there's things
that we couldn't think of in the lab. And we think that will be a key point of proof for some of
those larger players who have
been very active in the standards development to actually start their own pilot activities as well.
I can imagine with email having been problematic for so long that you're going to run into a lot
of people who are skeptical. When people push back on you, what kinds of things are they saying?
So I think one of the most common misconceptions is that this has not
been designed securely. Part of that is just a misconception. Part of that is there were some
earlier versions that were first sketchy prototypes that may not have had all the security considerations.
The BIMI group has gone through and ensured that in order for you to display your logo,
you have to prove you are who you say you are. You have to prove the logo is yours.
And then there are various cryptographic and secure methods to ensure your logo can be fetched and applied to your brand.
And in terms of vetting the process, the security behind the scenes, what's that process been like?
The first thing is we've actually introduced a new authority for the internet, for the standard. It's called the Mark Verifying Authority. Quite analogous, you know, if we want to see a web certificate for
Agari, we have to go get our HTTPS certificate by proving we own agari.com and we are actually
legally the Agari entity. Similarly, Groupon reaches out to a Mark Verifying Authority and says
we are Groupon, we do own these logos, and we do own these domains.
And then the mark-verifying authority verifies that in a secure but lightweight process, and they bind those three things together.
Groupon, Groupon domains like Groupon.co.uk, and their logos.
Then, when they publish those with cryptographic security
and the ISPs verify using DMARC,
this is truly from Groupon.co.uk,
they can fetch the logo
and display it securely.
And there's more on the BIMI website,
but that's really the overview
of how it works
and why we think it's going to be quite secure.
That's Patrick Peterson from Agari.
You can learn more
and sign up for their beta at brandindicators.org.
Hackers are actively scanning for vulnerable Oracle WebLogic servers; the flaw was patched earlier this month.
The patch proved incomplete,
and the vulnerability was weaponized with unusual speed.
The recently patched Drupal vulnerability, CVE-2018-7602, was also swiftly
weaponized and is being actively exploited in the wild. It remains to be seen whether these two
cases represent a new normal in weaponization rates, or if this is just an unfortunate anomaly.
We hope it's the second. Researchers at Computest report proof-of-concept hacking of
in-vehicle infotainment systems in the Volkswagen Golf GTE and the Audi A3 Sportback. There's no
suggestion that attackers could pivot to vehicle controls, but they could gain information about
the vehicle's movements. And finally, what's the best fishing bait?
Here, around the Chesapeake, it's usually clams, sandworms, eels, or menhaden.
But the phishing experts from Tampa, KnowBe4, yesterday published their quarterly top 10 phishbait email subject lines.
Staff Review 2017 was popular, as was UPS Label Delivery, with the very specific label identifier 1ZBE3112TNY00015011.
Don't worry, you don't have to remember those numbers, but it's interesting that they came up 10% of the time.
Here's another 10%-er, the saucy Company Policy Update for Fraternization.
And if that don't fetch them, I don't know Arkansas or any other workplace, right?
Some of the significant also-rans were revised vacation and time policy,
urgent press release to all staff, deactivation of email in process,
please read important from HR, and the more hopeful W-2, which popped up 13% of the time.
And the number one phishbait, edging out Change of Password Required Immediately, which came in at a distressingly high 20%, was...
Delivery attempt was made.
So, read them and weep, friends.
But don't open them.
And I'm pleased to welcome back Emily Wilson.
She is the Director of Analysis at Terbium Labs.
We had some news come in back in March about some takedowns on Reddit
that had relations to the dark web.
Can you take us through what's going on here?
At the end of March, Reddit decided to enforce some of its existing policies and make it clear
where it stands on some of the illicit communities that had been operating
on these subreddits, these communities on Reddit for years now, frankly. Everyone who
is even tangentially involved in the dark web knows that a lot of these discussions take place in the open and were taking place on Reddit.
And frankly, it's a little surprising it took them this long to shut it down.
But Reddit was a big source of information for not only security researchers, but also law enforcement professionals, academic researchers. What Reddit did is they went in and shut down.
And by shutdown, I don't just mean blocked new posts, but actually closed out and locked communities related to not only the dark web, but also sex work and other activities they deemed
inappropriate for their users. And so these communities where people were sourcing information, people were discussing scams and fraud and forgery schemes, people were buying and selling and reviewing drug purchases.
These are all gone now. They're no longer on Reddit.
And so when you say gone, does that mean the archives are gone as well?
The archives are technically gone. Yes, there have been a couple of sources circulating of people who had copies or access to copies, different archiving functions that had been used previously.
But yes, there was a big loss there, not only for some of the more ridiculous things we've seen over
the years, but also a lot of the institutional knowledge building that was taking place there
on Reddit. And I suppose, I mean, this is the old supply and demand thing.
Reddit shuts these down.
Do we expect they're just going to pop up somewhere else?
Have they already popped up somewhere else?
They have already popped up somewhere else.
In fact, this will be of no surprise to anyone.
The dark web really is like a hydra in that sense, right? You cut off a head and another one, sometimes two, pops up.
There was a smaller online community that was set up before the Reddit takedowns that has seen a huge influx in users. It went from a few hundred to a few thousand to now over 10,000 just in the
past few weeks. And that's registered users. You can view the site openly without registering. So
I'm sure their actual traffic is significantly higher. It's interesting to me that from a law enforcement point of view,
does this move these folks farther underground? Does it make it harder to keep tabs on what
they're up to? It's an interesting question. I would say that I'm sure there are new struggles,
but I'm guessing there are also benefits and opportunities here
as people scramble to
reestablish themselves, as they
try to figure out what's going on, as they contact
each other, figuring out where things have moved.
I think if you're in the right place at the right
time, this could be good for you.
Alright. Emily Wilson, thanks for the information as always. Good to see you.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.