CyberWire Daily - Ransomware updates. Netgear vulnerabilities and patches. Breaking Android pattern lock. Delegated Recovery. Information operations.
Episode Date: January 31, 2017

In today's podcast, we review some ransomware developments: the good, the bad, and the ugly. Netgear routers and the mom-and-pop dilemma. Breaking Android pattern locks. Facebook has a novel approach to password recovery. Keysight will buy Ixia, and IBM's acquisition of Agile 3 Solutions gets positive analyst reviews. Australia's Data61 innovation shop wants to go all-in for cyber. ISIS makes hay of US immigration policy, but the group shows signs of cracks. Ben Yelin from the University of Maryland Center for Health and Homeland Security revisits the Coinbase vs IRS case. Ian Cowger from RiskIQ explains malvertising. And remember Shaltai-Boltai.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
We've got ransomware developments, the good, the bad, and the ugly.
Netgear routers and the mom-and-pop dilemma.
Breaking Android pattern locks.
Facebook has a novel approach to password recovery. ISIS makes hay of U.S. immigration policy, but the group shows signs of cracks. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 31, 2017.
We begin with some developments in ransomware.
Two relatively new strains are out in the wild.
Trend Micro is describing one they're calling RANSOM_NETIX.A.
It's targeting Windows users who also use Netflix, and it's holding their Netflix login credentials
hostage, which is a bit of a twist. But then an effective extortionist holds something you value
at risk. We've heard how Washington, D.C.'s police experienced a ransomware attack on their
surveillance cameras around Inauguration Day. Another police department, this one from Cockrell Hill, Texas,
has also fallen victim to ransomware. In their case, it's thought the infestation came through
the usual spam vectors with links incautiously clicked by recipients. The security firm Acronis
identified the ransomware strain in Texas as Osiris, an evolved version of Locky that
shows an ability to evade most perimeter safeguards. The police declined to pay, instead biting the
bullet and wiping the infected server, accepting the loss of several years' worth of records.
Again, secure backup is your best defense. And the criminals have hit back at the White Hats
in other ways.
Over the past week, ransomware protection companies Emsisoft and Dr.Web
both sustained distributed denial-of-service attacks,
apparently in retaliation for both companies' good work in offering decryption tools
and other security systems to ransomware victims.
Emsisoft has told Bleeping Computer that they believe the author of MRCR, also known as
Merry X-Mas, is the hood responsible for organizing the campaign. Trustwave reports Netgear routers
are susceptible to authentication bypass flaws. They disclosed their findings to Netgear, which
is making security updates available. The bugs can be exploited remotely through the router's remote management option. Michael Patterson, CEO of Plixer International, commended Netgear to us
for not having enabled remote management by default, but there's a dilemma here too. If you
remove the remote access feature entirely, that puts the onus of updating firmware on the user,
and a lot of those users are home users or mom-and-pop small businesses.
Patterson said, quote,
For those mom-and-pop shops who own one of those devices, it would be highly unlikely that they would have the time and expertise to implement updates continuously.
This is why it's very important to monitor all traffic to and from the DNS using NetFlow or IPFIX.
Service providers could easily identify their customers that are reaching out to strange DNS servers.
The problem in the industry is that service providers
are not motivated to take on this responsibility
as the malware isn't impacting their services.
End quote.
British and Chinese researchers have published findings
that show how Android's pattern lock system can be broken.
Craig Young, principal security researcher with security firm Tripwire,
thinks passwords are still your best bet for securing an Android device.
Unfortunately, good, strong passwords are tough to use on a phone,
which is why he recommends phones with fingerprint readers.
Young says, quote,
While biometric security certainly has its limitations,
I feel that it will generally still hold up better against most attack vectors
than a simple pattern or PIN unlock code.
This, of course, is one instance of the more general problem of authentication
that many experts see as a major issue for 2017.
Facebook might have come up with an interesting approach to one aspect of authentication,
password recovery, now most often done by means of email and secret questions.
They announced it at USENIX, and they call it Delegated Recovery.
In Bleeping Computer's account, an online service vouches for a user on another website
roughly like this.
User Bob has an account on Facebook and GitHub.
Bob generates a recovery token with GitHub. Bob saves the GitHub
recovery token inside his Facebook account. Bob loses access to his GitHub account. Bob recovers
his GitHub account using the recovery token stored in his Facebook account. Facebook says the recovery
token is encrypted and no online service that temporarily stores it can read the token.
With all of the news about ransomware and IoT vulnerabilities,
it's easy to lose sight of the fact that malvertising remains a common, profitable attack.
Security company RiskIQ recently published their 2016 malvertising report,
and we spoke with RiskIQ security researcher Ian Cowger.
So in a malvertising instance, whenever you're delivered an ad on your page, there's a long series of redirections, where it reaches out from the publisher out to the ad exchange, or then goes to the DSP, and then a long series of redirections that pulls in assets from any number of parts. So whenever you're delivered an ad, it actually goes through a lot of different hands. And at any one of those points, including both the origin and near the end, any one of those web assets can be compromised. If one of those is compromised, then they can link out to some malicious file and either redirect your entire user session out to something bad, or they can just drop a malicious file on you.
And who are they specifically targeting?
Are they mostly going after consumers, or is it a wider net than that?
It is really anyone who views an ad as a potential target. So common scam payloads that they would drop would be like a fake tech support scam. Like, you have a virus on your computer, call this number. And then they create a problem and solve a problem. Or they will drop a banking Trojan onto your device, and then they'll just sit there and listen for you logging into any of your banking applications or onto any of your banking websites, and they'll capture your credentials and send that back, or harvest any credit card details. Or even just general spyware these days, just harvesting user information about you, is oftentimes more valuable than even your credit card information. Credit card dumps are getting cheaper and cheaper, whereas personal information is getting bought up at a higher price.
I'm surprised that this sort of thing makes it through
some of the large ad networks like Google and Facebook.
Yeah, sadly it does. But the key important thing there is that there's a lot of sophisticated filtering systems that these guys put in place as a means to evade solutions like ours or other solutions. So in normal ad delivery systems, there are means to target whichever user you're trying to do. They turn those same sorts of tools around to then try and not serve it to scanning solutions or security researchers, such as anytime you'll get one payload, oftentimes they'll never send the payload to the same IP, or they'll try and use specific calls to figure out whether or not what they're doing is running inside of a sandbox environment. The security industry in this space has always been a sort of cat and mouse game of new techniques are developed and then new countermeasures are developed. And it's always sort of an evolving space.
That's Ian Cowger from RiskIQ.
In industry news, Keysight's rumored acquisition of Ixia seems
to be happening, with Ixia fetching $1.6 billion. The acquisition is expected to close in October.
IBM's acquisition of Agile 3 Solutions is receiving generally positive analyst reviews
as a cybersecurity play. And in Australia, Data61, that country's innovation promotion organization,
wants to go all-in on financial technology and cyber security.
ISIS is making more hay of President Trump's order restricting immigration from seven
Muslim-majority countries. Its narrative suggests, first, that ISIS represents Islam, and second,
that ISIS is the victim here.
ISIS messaging, however, is also showing signs that the group may be fragmenting under kinetic military pressure.
It remains to be seen what that will mean in terms of the threat it poses.
And finally, those following Russia's FSB shake-up may wish to revisit the old interview with Shaltai-Boltai.
The Russian Humpty Dumpty
has been a wasp in that government's ear for some time, and last month's FSB arrest suggests
that Humpty Dumpty is having an effect.
And I'm pleased to be joined once again by Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, we talked not too long ago about Coinbase, a Bitcoin currency company, who ran into some troubles with the IRS. The IRS wanted to get some records on Coinbase's customers, and Coinbase is pushing back. Fill us in here.
Sure. So this is a story we referenced a couple months ago on the podcast. The IRS back in March of 2014 issued a guidance document on virtual currency. And they basically said it would be treated for tax purposes, not necessarily as income, but as property. So it still has to be reported like any sort of gain in property that someone gets through the year; they have to report it on their income taxes. They would have to do the same for virtual currency. The IRS, of course, in its effort to increase its tax receipts, sent a request to Coinbase to collect the personal data of thousands of its users. The rationale was they wanted to make sure that all of the property, the virtual currency being collected, was being reported for tax purposes. Coinbase, under its CEO, Brian Armstrong, estimated this past week that it'll cost the company between $100,000 and $1 million to defend its customers from what he called an overly broad subpoena. And eventually those costs are going to be passed down to the consumer, I think it's reasonable to say. And, you know, we saw the same issue with Apple and the FBI.
We have these tech companies, and in this case, Coinbase,
advertising to its consumers that their information is going to be protected,
they're going to have data integrity.
And then the government comes in and submits this request.
In this case, the federal judge ruled that Coinbase would be ordered to turn over this data.
It's not only a monetary problem for Coinbase in terms of the legal costs,
but they're not going to be able to represent themselves as somebody who has data integrity.
And that's going to hurt their bottom line going forward.
So take us through the process here.
What's next in terms of Coinbase fighting this order?
So Coinbase has asked to intervene in the court proceedings.
They're going to make their first appearance in front of a federal judge
in the Northern District of California this coming February.
A favorable ruling would mean that there would be a separate proceeding
where Coinbase would be able to argue against the IRS,
against the intrusion into this data.
All right, well, stay tuned. Ben Yelin, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers.
I'm Dave Bittner. Thanks for listening.