CyberWire Daily - Rebooting routers against VPNFilter. Canadian banks compromised? Cobalt gang is back. 51% attacks on blockchains. "Courvoisier" sentenced. NATO looks at Russia's weaponized jokes.

Episode Date: May 29, 2018

In today's podcast we hear that the FBI recommends rebooting your routers against VPNFilter. Data extortion hits Canadian banks. The Cobalt Gang is back. 51% attacks fiddle with cryptocurrencies. ...BackSwap banking Trojan is tough to detect. Coca-Cola discloses data theft by a former employee. Courvoisier—the hacker, not the cognac, gets ten years. Facebook continues to work on its content moderation, and Papua New Guinea may block the platform for a month of study. NATO studies humor, very seriously. Ben Yelin from UMD CHHS on police attempts to use a deceased person’s fingerprints to unlock a phone. Guest is Mike Benjamin from CenturyLink on their recent threat report covering IoT and DDoS.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The FBI says reboot your routers. Data extortion hits Canadian banks. The Cobalt Gang is back. 51% attacks fiddle with cryptocurrencies.
Starting point is 00:02:08 The BackSwap banking Trojan is tough to detect. Coca-Cola discloses data theft by a former employee. Courvoisier gets 10 years. That's the hacker, not the cognac. Facebook continues to work on its content moderation. And Papua New Guinea may block the platform for a month of study. And NATO studies humor very seriously. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Starting point is 00:02:40 Tuesday, May 29, 2018. The FBI has issued a formal warning against VPNFilter, the Russia-linked campaign that's affecting routers. The Bureau advises everyone to reboot their routers. Their warning is short and to the point. Quote, The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. So there you have it,
Starting point is 00:03:25 direct from the feds. In what appears to be an extortion attempt, pay up or everybody gets to see your customers' data, two Canadian banks were hit by hackers over the weekend. The Bank of Montreal and the Simplii Financial direct banking brand of the Canadian Imperial Bank of Commerce are believed to have been affected. Some 90,000 customers' data was apparently accessed by the attackers. The information exposed included both personal and financial information. In both cases, the hackers contacted the bank Sunday and told them they'd stolen the data. The motive appears to be extortion. The hackers have threatened to release the data online. The affected banks are working with law enforcement agencies. The Cobalt Gang is back at work despite its leader's arrest in Spain two months ago.
Starting point is 00:04:18 Researchers at security firm Group-IB have found spear-phishing emails from the thieves pretending to be alerts from Kaspersky Lab. Employees of Russian and Eastern European banks are being targeted. The email is nicely, if bogusly, branded. It tells the victim that they've detected unspecified illicit activity from the victim's machine, and it threatens the victim with actions that will be taken against their employer's online resources if they don't click the link provided and explain themselves within 48 hours. Needless to say, clicking the link is not a good thing to do. It will install the Cobalt Trojan. A wave of attacks hit cryptocurrencies Verge, MonaCoin, and Bitcoin Gold last week, inflicting
Starting point is 00:05:06 more than $20 million in damages. The incidents are said to have been 51% attacks. In a 51% attack against a blockchain, the attackers are a miner or a group of miners who have obtained control of more than half of a network's mining hash rate. Doing so gives them the ability to reverse transactions, and thus to double-spend coins. Motherboard notes that the attacks came shortly after the airing of an episode of the TV show Silicon Valley, in which the characters' fictional cryptocurrency Pied Piper coin not only flopped its ICO, but sustained a 51% attack as well.
Starting point is 00:05:45 This is either coincidence, simultaneous invention, or inspiration, a case of life imitating art. CenturyLink recently released their 2018 threat report, sharing the insights they've gained from their perspective as a major telecommunications company and provider of security services. Mike Benjamin is Senior Director of Threat Research at CenturyLink. The report that we developed looks broadly at threats across all categories, goes beyond botnets and DDoS,
Starting point is 00:06:16 and really tries to break down the trends we've seen in terms of geographies and volume of attacks on the Internet. And so we were able to track throughout 2017 195,000 threats per day, so threatening hosts in the Internet that we tagged as malicious in some manner. We saw them interacting with over 104 unique – excuse me, 104 million unique victims, which is a pretty massive impact to the overall global internet. And it comes as no shock, but it's important for everyone to be reminded that the top source of the malicious traffic was the United States. And so a lot of folks tend to believe that the maliciousness comes from places with maybe less stringent laws and other things. And it may be that the people with their fingers on the keyboards were in those locations, but the actual server's infrastructure endpoints doing the attacking, we saw coming from the United States as the top origination point. Was this surprising to you all, or did this reflect the type of things that you track every day?
Starting point is 00:07:18 Yeah, it was in line with the data that we've been collecting, I should say, for a number of years. And so very consistent where we see large economies with large infrastructures of available footprint and a lot of bandwidth to be able to support reliable attack infrastructure, so to speak. And in terms of trends from the reports, since this is not your first year doing this report, are you seeing any shifts, any evolution
Starting point is 00:07:42 in the way that these are being spun up? Well, with the focus on IoT DDoS attacks this time, we were able to share quite a bit more granularity and visibility into that threat area. And what we saw from a trend perspective was actually a very interesting trend around which malware families were utilized. If you were to read what's going to publish and what people are sharing, you'd see a lot based on the Mirai malware. And interestingly enough, we actually saw more command and control of these botnets sourced on the Gafgyt malware. We found that it was, in some cases, easier for the malicious actors to deploy, quicker for them to stand it up. And of course, as we work to take them down and impact them, the actor has wasted less time standing it up before we force them to go on and stand up
Starting point is 00:08:33 another one. Now, in terms of people's ability to defend themselves against DDoS, where do we stand with that? Is DDoS still the serious threat that it was in the past few years? So yes and no. DDoS attacks, even a small scale, can impact certain infrastructures. We tend to look at it both from our customer perspective as well as the internet as an overall infrastructure. And we'd be happy to report that from the IoT botnet perspective, the work we've done along with a number of other partners to impact and track these botnets, they haven't grown to the scale that we've seen in the past in order to knock down
Starting point is 00:09:10 critical parts of the internet, as we saw in the multi-terabit attacks. However, the sort of overall spectrum of DDoS attacks also includes spoofed attacks, reflected attacks that may not be sourced from these particular botnet types. So we saw just recently this spring attacks that were based on the UDP reflection and amplification vector with memcached. A number of people were using the lightweight caching service as part of their web app development. They were left exposed to the internet and they had a sizable amplification vector. And we saw well over a terabit attack launched through that vector, taking down GitHub. And so still a sizable impact to the Internet that can be sourced by DDoS attacks. But we are happy to say that at least from the IoT DDoS botnet perspective, we, along with the broader community, have been able to minimize the impact that that has had.
Starting point is 00:10:02 That's Mike Benjamin from CenturyLink. Security firm ESET warns of a new, harder-to-detect banking trojan, BackSwap. It works entirely within the Windows graphical user interface and avoids the more usual browser process injection. Coca-Cola disclosed that it sustained a data breach. A former employee took a hard drive containing about 8,000 employees' records. The incident happened in September of 2017, but Coca-Cola delayed disclosure and notification of affected persons at the request of the law enforcement agencies who were investigating.
Starting point is 00:10:43 Facebook continues to struggle with content moderation. Motherboard publishes guidelines the platform has given its content moderators on how to handle postings that feature alt-right appropriated cartoon character Pepe the Frog. Pepe in an SS uniform? Nein, danke. Papua New Guinea is considering blocking Facebook access across the country as it looks into Facebook's reach, influence, and operations, and tries to get a handle on the platform's possible use to disseminate fake news.
Starting point is 00:11:18 Finally, did you hear the one about the NATO staff that looked into humor as a tool for information operations? They found it in the janitor's closet. It's a subversive buffer. Well, okay, sorry, that's a lousy punchline. But then we've just read the study and we weren't around for the research that was doubtless conducted at the Chuckle Hut in Riga, the Latvian city where the Atlantic Alliance's Strategic Communications Center of Excellence is located. We often have occasion to talk about information operations, and humor is a subtopic whose time has come.
Starting point is 00:11:53 So take the Center of Excellence, please. When you're on the NATO staff, every joke looks like aggression, incongruity, or arousal safety. Seriously, it's an interesting study, but it's totally devoid of any actual jokes. And trust us, our joke desk has been through all 156 pages without a snort or guffaw. Western readers unfamiliar with Russian TV might be surprised to learn of the Russian proclivity for situation comedy and late-night talk show-style zingers,
Starting point is 00:12:25 not to mention the Uncle Vanya drive-time talk radio. Come on, Riga, toss us a bone. The analytic framework is great, but how's about some laughs? This reminds us, as so many things do, of the history of philosophy. There's a long tradition of looking at jokes along the Baltic coast. It goes back to the great East Prussian philosopher Immanuel Kant, who shared a bunch of groaners in the chapter on humor in his Critique of Judgment. Kant was so East Prussian that his hometown, Königsberg, is now the Russian city of Kaliningrad.
Starting point is 00:13:00 Here's one of the knee-slappers Kant included in his book. So there's this guy who's hiring mourners to weep in a funeral procession. But they're not looking mournful enough, and he's worried he won't get his money's worth of hired grief. So desperately, he says, look, guys, you've got to cry more convincingly. He takes out his wallet and says, look, here, I'll even up your fee and hands over some additional cash. But, wait for it,
Starting point is 00:13:26 that just makes the hired mourners happier and they can't hardly cry at all no more. Oh, man, I'm dying here. That one gets me every time. So, see, NATO, be like Immanuel Kant. Don't let the joke gap get any huger than it is. It's not that hard. It wouldn't kill you to toss a few knock-knock jokes our way.
Starting point is 00:13:51 It wouldn't break your budget. And besides, they'd arguably be more combat effective than an F-35. Just kidding, Air Force. In the meantime, we'll go back to watching Russian sitcoms. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:14:43 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
Starting point is 00:15:06 evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:16:05 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting story we've got to talk about here today. This came up in Forbes.
Starting point is 00:16:45 The title of the article is, Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints. Yeah, I have to admit I didn't realize this was possible until I saw this article. But apparently there have been one or two instances where a potential perpetrator of a criminal act, or in one case a terrorist act, has been killed in an incident. And then in order to gain more information for an investigation, they try and use that dead person's fingerprint to unlock an iPhone. So obviously that might not work in all cases. I'm not an expert in the decomposition of the human hand. So I don't know whether the fingerprint actually is going to
Starting point is 00:17:25 be able to open the phone. I think in this case, they weren't really able to get any valuable information. But it does present a really interesting legal problem. So once you die, you don't really, as a dead person, have any expectation of privacy. Your body might be interred, but you don't have the same sort of sense of Fourth Amendment protection that you do when you're alive. Who owns the remains? So a relative or the next of kin might claim that they sort of own the reins of your identity. But from a legal sense, in terms of Fourth Amendment jurisprudence, that person is not entitled to make a privacy claim about a dead person. In terms of somebody else opening the phone, you also forfeit your legal expectation of privacy if you've allowed somebody to access
Starting point is 00:18:13 a device. So even if you have no anticipation that you're going to be part of a criminal investigation, part of a terrorist investigation, and you die, if you've given your wife access to your phone via her fingerprint or via some other method, you've also forfeited your expectation of privacy and you lose control of that information. You know, it potentially could be problematic in a scenario where there is protected information on a phone. It's the protected information of somebody that's still alive, but it was a dead person who actually gained access to that phone, that information could be compromised. Well, let me ask you this. So suppose, you know,
Starting point is 00:18:51 on my deathbed, I say to my lovely and talented wife, no matter what happens, don't let anyone get access to this phone. You know, you have access to it. You know the passcode, but no matter what happens to me, don't let anyone access this phone, and I have willed this phone to you. So now I die, and now the phone is my lovely wife's property. Go, Ben. What happens now? I would take the phone if I were your wife, and because she probably could assert her own interests in some of the data stored on her phone, I would make sure it doesn't get into the property of law enforcement. Because if law enforcement got the phone and wanted to find incriminating
Starting point is 00:19:29 information on you or your wife, I don't see how they would not have legal authorization to use your fingerprints. Because the phone used to belong to me. Yes. And that's their interest. Yes. Now, by taking possession of the phone, your wife now has a property interest in that phone. I think it would be far more reasonable to expect the government to need to get some sort of warrant to operate the phone, especially because your wife now has some sort of proprietary interest. Her information might be on the phone. But if there's some sort of terrible accident, your wife's not there, nobody knows about her interest in the phone. In terms of your privacy interest as a dead person, those have been forfeited the moment that you die.
Starting point is 00:20:14 I see. So, yeah, it's sort of an absurd attenuation of the third-party doctrine, forfeiting a reasonable expectation of privacy through, of course, I mean, I guess this could be complicated, but generally not your choice. Although in one of these circumstances, I think it was a suicide bombing. But yeah, there's generally no privacy for the dead, which I think is an exact quote in this Forbes article.
Starting point is 00:20:39 Yeah, interesting. All right, Ben Yelin, as always, thanks for filling us in. Thank you. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. For today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:21:50 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:22:16 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI Thank you. receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:23:11 Learn more at ai.domo.com. That's ai.domo.com.
