CyberWire Daily - Phishing with a big worm (and other lures). Botnet mining cryptocurrency. Blackmoon upgraded. Aadhaar troubles in India. Passwords, security questions, and Grand Moff Tarkin's CISO.

Episode Date: May 4, 2017

In today's podcast, we hear about how OAuth abuse rushed a worm around Google Docs, and how the good guys swiftly contained the attack. Bondnet discovered mining cryptocurrency. The Blackmoon financial malware gets an upgrade. Carbanak is still out there, trickier than ever. No-phishing season at Gannett. India's national biometric ID system runs into security and legal trouble. Rick Howard from Palo Alto Networks previews the Cyber Canon awards ceremony. Andrew Chanin describes the upcoming Cyber Investing Summit. And reflections on passwords yesterday, today, and tomorrow, both here on earth and in a galaxy far, far away.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 In today's podcast, we hear about how OAuth abuse rushed a worm around Google Docs, and how the good guys swiftly contain the attack. BondNet is discovered mining cryptocurrency. The Blackmoon financial malware gets an upgrade. Carbanak is still out there, trickier than ever. No phishing season at Gannett. India's national biometric ID system runs into security and legal trouble. And reflections on passwords, yesterday, today, and tomorrow, both here on Earth and in a galaxy far, far away.
Starting point is 00:02:23 I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 4, 2017. Another OAuth abuse exploit hit this week. Plausible-looking emails with a Google Docs sharing notification and carrying a worm circulated widely yesterday. Google and Cloudflare responded quickly, containing the incident in about an hour. This is being widely praised as a blue team win, but all would do well to remain on alert and to remain suspicious of unexpected sharing. A Google engineer noticed discussion of the incident trending on Reddit,
Starting point is 00:03:02 and within an hour of the first complaints, Google was able to block the app from its OAuth screen. Cloudflare also assisted, taking down domains associated with the attacks. There do not appear to have been any additional malware payloads distributed by the worm, but a number of observers have noted the similarity of approach, OAuth abuse, to a tactic Trend Micro recently described as part of Pawn Storm's toolkit. Pawn Storm is, you'll recall, Fancy Bear, Russia's GRU, but there's nothing so far to indicate any particular state actor behind the Google Docs incident. Whoever was responsible, their motive is, so far, as obscure as their identity. Two interesting discoveries were announced this morning.
Starting point is 00:03:46 GuardiCore Labs has identified BondNet, a botnet said to consist of thousands of servers. So far it's been applied to mining cryptocurrencies, but it seems ready for weaponization into a distributed denial-of-service platform. And Fidelis Cybersecurity has reported the reappearance of the Blackmoon banking trojan, now with a new man-in-the-browser framework. Blackmoon has so far afflicted mostly South Korean financial services. Trustwave reports that the Carbanak gang has refined its intrusion techniques, using phone call follow-ups to see whether phishing marks have opened and swallowed the phish bait. Carbanak has also come under suspicion in recent restaurant hacks
Starting point is 00:04:27 affecting the Chipotle, Baja Fresh, and Ruby Tuesday chains. USA Today has reported a phishing attack that compromised some 18,000 accounts belonging to employees of the paper's corporate parent, Gannett. The attack appears to have been straightforwardly criminal in nature. It was discovered when Gannett's financial team noticed a compromised account used in an attempt to transfer money fraudulently. That attempt was stopped, and Gannett believes the incident is contained and that personal information of current and former employees is not at risk.
Starting point is 00:05:01 Those employees will nonetheless be offered free credit monitoring, just to be on the safe side. The Cyber Wire is proud to be a media partner at the upcoming Cyber Investing Summit, May 23rd, at the New York Stock Exchange. We spoke with Andrew Chanin about the event. There are thousands of conferences around the world that focus on cybersecurity. However, they tend to fall into two kind of tracks. One where they focus on the technologies and the services and the solutions where they're really promoting kind of the products that are out there. And the other type kind of is more educational and teaches kind of best practices and cyber hygiene. However, from my background, helping to create the world's first cybersecurity exchange traded fund, I realized that there was a huge interest in investing in
Starting point is 00:05:52 cybersecurity, yet not too many avenues for doing it or for discussing. And with that in mind, I partnered with family to create the Cyber Investing Summit, which really tries to highlight the potential investing opportunities in both the public as well as the private side of the cybersecurity industry. So take me through, what can people expect if they come to the summit? I think they can expect experts in the cybersecurity space, both from the vendor side, from the acquirer side, and from the investment community as well. Private equity companies, VC companies, those that are publicly traded cybersecurity companies, those looking to raise capital as well, as well as the financial advisory
Starting point is 00:06:39 and other family offices and hedge funds, individuals looking to learn more, gain insight as to potential investing ideas for getting exposure to the cybersecurity sector. And so who are you targeting here? Who would be the ideal person to come to the summit? I think anyone that's looking to learn more about the industry, not necessarily as much about how each of the products work, but really the trends in the industry, the market, the areas for potential growth, the drivers and potential catalysts for the overall industry, those looking to potentially raise capital for their own businesses, those looking to deploy capital for investment into this industry. That's Andrew Chanin. The Cyber Investing Summit is coming up May 23,
Starting point is 00:07:32 2017 at the New York Stock Exchange. Cerber ransomware now has VM and sandbox evasion capabilities, but extortion is nowadays less confined to ransomware than it had been. The Netflix hack is seen as a bellwether. Criminals are increasingly threatening to either take a network down through distributed denial-of-service attacks, or saying they'll release sensitive, embarrassing, or otherwise valuable information if they're not paid off. India's Aadhaar national ID system is in trouble. Not only is the system's legality under challenge before India's Supreme Court, but it's proven leaky.
Starting point is 00:08:11 Already more than 133 million individuals' biometric records have been exposed. Today is Password Day, as you may have heard, and the trade press is filled with ruminations over the past, present, and likely future of the password as a cornerstone of security. It's an old approach, to be sure. Consider the Book of Judges, chapter 12, verse 6, where the war between the men of Gilead and the men of Ephraim is described. To identify spies from Ephraim, the Gileadites made suspects say Shibboleth, a word the Ephraimites inevitably pronounced Sibboleth. So passwords and countersigns, not to mention security questions, have been around about as long as we have written records. Their use continues into the 20th century. U.S. Marines fighting on Guadalcanal used passwords with lots of L's in them,
Starting point is 00:09:02 like lollipop or lollygag or hallelujah, because of the difficulty Japanese speakers were thought to have had distinguishing the liquid consonants L and R. Every language has its phonemic pitfalls. Native speakers of English, our linguistics desk informs us, are usually not even capable of distinguishing a hard from a soft L, and that's a distinction that's obvious to every native speaker of Russian. We have to trust them. We can't hear the difference no matter how often they pronounce the two. They gave up on us, shouted something like, and left in frustration.
Starting point is 00:09:39 Security questions are old wheezes, too. Who hasn't seen the World War II movie, where the plucky GIs stop the SS infiltrators because the infiltrators, despite their American disguises and fluent English, can't answer simple questions like, what's a Texas leaguer? Or who's Olive Oyl's boyfriend? Of course, today's another holiday, Star Wars Day, or may the fourth be with you. It makes us wonder why the Empire was so cover-your-eyes-awful at identity management. I mean, their authentication practices would have made any self-respecting man of Gilead blush.
Starting point is 00:10:14 And biometrics? Forget about it. Defeated by the opaque face masks worn by stormtroopers and Death Star crew members? We could go on, but we'll leave it at that. Just one question. Who was Olive Oyl's boyfriend, really? Popeye or Bluto? Ask around the next time you're on Tatooine or Scarif. But first, see if the Jawas in the cantina
Starting point is 00:10:36 can pronounce Rumpelstiltskin properly. Utinni!
Starting point is 00:13:28 And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, we've spoken before about the Cybersecurity Canon, and you all have an awards ceremony coming up, yes? Yes, it is true. It is that time of year again. Palo Alto Networks is hosting the fourth annual Cybersecurity Canon Awards ceremony in beautiful downtown D.C. In other words, it is Oscar night for cybersecurity book lovers.
Starting point is 00:14:03 Wow. Talk about your niche market. I know. I'm wearing a tux and a tied up bow tie. I don't know. Will there be a red carpet? Will we ask who you're wearing? Absolutely. It would do. I'll send you the photo. Okay. Very good. So as you know, we have set this up like a rock and roll hall of fame. Today, there are about 30 books on the candidate list.
Starting point is 00:14:30 And each year we add more books to it. And each year we choose two or three to be inducted into the hall of fame. So over the three years we've been doing it so far, we've put about 10 books into the hall of fame. And that's kind of exciting. Now, in order to get onto the candidate list, some practitioner has to write a book review, making the case that this is a book that all of us should have read by now. Now, we have a committee of network defenders. These are CISOs and journalists and cyber lawyers and lots of other kinds of people who review all the submissions to see if they're worthy. And if they are, they go on the candidate list. Once there, the candidate committee meets once a year in a secret bunker somewhere in the Alaskan tundra to decide which book will place into the Hall of Fame that year.
Starting point is 00:15:07 That meeting happened last December. Past winners have been We Are Anonymous by Parmy Olson. That is the most fantastic book on hacktivism that has been out there. Spam Nation by Brian Krebs. If you want to learn about cybercrime, that's the book to read. Countdown to Zero Day by Kim Zetter, all about the Stuxnet attacks, both technical and political. Fantastic book. And my favorite out of the 10 that are in there is Cuckoo's Egg by Clifford Stoll.
Starting point is 00:15:40 It's rather long in the tooth, but everything he talks about in there is still true today. So I guess we haven't learned our lesson. Cuckoo's Egg was the book that got me into security, so it's one of my favorites. This is a free resource to the network defender community. Just look up canon, as in canon of literature, not cannons that blow things up, and Palo Alto Networks, and you'll find the site. Click on the book cover of your choosing and read the book review, and if you don't like to read that much, there's even an executive summary. So stay tuned. All bases covered. All bases covered.
Starting point is 00:16:13 Now, the actual awards ceremony, is that a public event or is that invitation only? It's invitation only because we have a very small facility this time. But they're bringing in students from the local universities. We're flying in the winners, the authors that are the winners, and some local government luminaries. So we can all shake hands and sing Kumbaya. So I'm very much looking forward to it. All right. Well, we'll look forward to hearing who the big winner is this year. Once again, Rick Howard, thanks for joining us.
Starting point is 00:17:06 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
