CyberWire Daily - Router vulnerabilities. Hacking around the Hanoi summit. DDoSing an election. Brushing back a troll farm. Cryptojacking an embassy.
Episode Date: February 27, 2019
In today's podcast, we hear that Nokia routers have been found vulnerable to man-in-the-middle and denial-of-service attacks. As one would expect, the US and North Korean summit in Hanoi this week summons up some hacking. Ukraine accuses Russia of DDoS attacks in the service of election disruption. US Cyber Command played some chin music for St. Petersburg during US midterm elections. And if you're going to hack into an embassy, wouldn't you want to do more than install a cryptojacker? David Dufour from Webroot with insights on their pending purchase by Carbonite. Guest is Randy Vanderhoof from the Secure Technology Alliance on managing identity and fraud in the payment space. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_27.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Nokia routers are found vulnerable to man-in-the-middle and denial-of-service attacks. As one would expect, the U.S. and North Korean summit in Hanoi this week summons up some hacking. Ukraine accuses Russia of DDoS attacks in the service of election disruption. U.S. Cyber Command played some chin music for St. Petersburg during U.S. midterm elections. And if you're going to hack into an embassy, wouldn't you want to do more than install a cryptojacker?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 27th, 2019.

Tenable has announced its discovery of six vulnerabilities in Nokia routers that could allow an attacker to launch man-in-the-middle or denial-of-service attacks, modify or log network traffic, and spread malware into places that were previously secure. One vulnerability permits an attacker to disable the firewall and access a telnet service by sending a modified HTTP request. Another allows for stack buffer overflows or arbitrary code execution. Tenable also found hard-coded root credentials in SSH and Telnet services. The researchers say that Nokia is working on a fix. If you're a user, keep an eye out for patches.
U.S. President Trump and North Korean unique leader Kim Jong-un are meeting for their summit in Hanoi, and predictably the sessions have attracted the attention of hackers. The hackers in this case are probably working for Pyongyang. EST Security, a cybersecurity company in the Republic of Korea, came across a spear-phishing document last week that poses as an invitation from the Korea-U.S. Friendship Society to a meeting in Seoul regarding the Trump-Kim summit. The company says the malware delivered is associated with North Korean hackers. CrowdStrike's vice president of intelligence, Adam Myers, told CyberScoop that it's observed the same document lure being used by a suspected North Korean threat actor it calls Velvet Chollima. A Chollima is an East Asian pegasus, much used as a symbol of heroic success in North Korea. The researchers don't reveal who was targeted by the spear phishing, but CyberScoop notes that North Korean state-sponsored hackers have been known to go after analysts and experts in Korean affairs.
The retail industry faces significant challenges fighting payment fraud
as more and more of our transactions move online.
Payment systems need to strike a careful balance between keeping our information safe
but not slowing the transaction down and inconveniencing the customer or merchant.
Randy Vanderhoof is director of the U.S. Payments Forum and the Secure Technology Alliance.
There's a lot of new technology that's being introduced to address fraud in the online space. Some of the tools have been around for a number of years, but weren't particularly effective or well implemented, and those are now going through a revision and a refreshment, which are promising to be much more effective. And that's a standard that has been developed by EMVCo, which is the Global Payment Security Standards Organization, and the technology is known as 3D Secure, and the newest version is called EMV 3D Secure, which utilizes additional data elements that are available in the transaction stream, either from the mobile device, tablet, or from the computer system, that provide additional data that the retailer and the merchant, I'm sorry, the retailer and the bank can use to determine if they believe the person making that transaction is the authorized person to do so.
And what are you all seeing in terms of the fraudsters for them upping their game in response to these technologies?
Well, the fraudsters are always quick to adapt and change. The first thing that the fraudsters typically do is when they see the door is locked at one merchant, they just go to the next merchant and keep wiggling the handle until they find a merchant that's not protected and then exploit things the old-fashioned way. But as the more sophisticated retailers upgrade their fraud mitigation systems and there's fewer and fewer open doors, then they start to change their tactics in terms of how they go about trying to commit the fraud. Things like taking advantage of shop-online, pick-up-in-store is where someone could shop online with a stolen credential and then five minutes later show up at the store to pick it up before the fraud group in the retailer has had a chance to review the payment data that was presented, and the person walks out with the merchandise. That's another technique or tactic that fraudsters adapt to leverage the time the merchant has to verify the address information or the payment shopping history of the client to make a determination as to whether or not they should trust that transaction.
And how do you see this playing out as we go forward? Can we continue with these evolutionary steps? Is there going to have to be some sort of a reset at some point?

Well, it's going to be a continuous arms race, but the digitization of payments is continuing to reduce the threat surface area for where merchants and issuers do have some control. So things like biometrics and using mobile devices, where they can also track your location and the data elements associated with the owner of that phone, in addition to their payment information, to have a more data-rich risk mitigation, are ways in which they're fighting the fraud trends in the market. Big data is used for more than just marketing purposes. It's also used to screen transactions based on location, based on the device, based on the amounts. And with that data, plus other knowledge-based resources that merchants and issuers can tap into about address and phone number and other past experiences, all are helping to manage the risk. But with each additional step that is taken, the concern is that we don't add additional friction to the checkout process. Consumers ultimately decide that if it's becoming too difficult to use one online transaction venue, then they'll abandon it and go someplace that's simpler and easier, and particularly when they're protected in case there was fraud anyway. So the real challenge is to step up the game in terms of identity and authentication of who we're transacting with online. And at the same time, try to do it in the background, or allow those that are the most trustworthy transactions to go through unimpeded and then have step-up authentication when some score associated with the trust of the data that they're seeing raises suspicions to a level that requires them to do additional screening.
That's Randy Vanderhoof from the U.S. Payments Forum and the Secure Technology Alliance.
Ukrainian President Petro Poroshenko accused Russia of launching DDoS attacks against Ukraine's Central Election Commission on February 24th and 25th, CyberScoop reports. Poroshenko said that defense mechanisms had been developed by the National Security Council, along with Ukrainian law enforcement agencies and their American partners. This is the latest in a long-running series of Ukrainian complaints about Russian cyber interference. The two countries have been engaged in hybrid war since Russia's forcible invasion and annexation of Crimea in 2014.
We're inclined to think of state-sponsored attacks as involving espionage
or perhaps sabotage against high-payoff or high-value targets like a power grid.
DDoS we're inclined to think of as something hacktivists do.
You want to punish the objectionable people who aren't listening to you
on that cause that's really important to all right-thinking people.
Or that competing underworld figures would do to one another.
You want people to make their in-game purchases from you,
not from that irritating guy in Saskatchewan.
But really, DDoS can be a form of sabotage, and the kind of activity that states show signs of increasingly engaging in. DDoS attacks against international affairs targets increased by 200 percent in the second half of 2018 compared to the second half of 2017, according to Netscout. The volume of nation-state threat activity increased as well. The U.S. Justice Department has recently included DDoS among the list of offenses it asserts Iranian state-backed hackers have committed. So President Poroshenko's claims aren't, on their face, implausible.
The Washington Post reports that U.S. Cyber Command disrupted Russia's Internet Research Agency's networks on the day of the U.S. midterm elections and for a short period afterwards to prevent Russian trolls from spreading disinformation on social media while votes were cast and counted. The campaign effectively cut off the Internet for the entity, causing the trolls to complain to their system administrators. The strike is generally viewed as a good thing in the U.S., although some analysts doubt it will have much of an impact on future Russian information operations. Security expert Thomas Rid said that, quote, such an operation would be more of a pinprick, end quote, than a long-term deterrent. Some defense officials said that grand strategic deterrence wasn't the objective here. One official told the Post that part of our objective is to throw a little curveball, inject a little friction, sow confusion. This seems sensible enough. A brushback, not a knockdown. We've heard generals call this sort of thing letting the enemy know that you care. Cyber Command was granted the authority to launch more offensive campaigns by a Trump administration policy implemented last August.
Finally, security firm Trustwave this morning released a report on their discovery that the website for the Bangladeshi embassy in Cairo was infected with a coin miner in October and recently began distributing crypto mining malware to visitors via malicious Word documents. The site is still compromised, so steer clear. Researchers don't believe a nation-state is behind the activity due to its lack of sophistication, but they say it serves as a reminder that even low-skilled attackers can hack important government sites. It's worth noting the pettiness of compromising such a site for crypto mining purposes. It's more Boris and Natasha than Jim Angleton, and even Fearless Leader would probably call Boris out for it. But please, Madam or Mr. Ambassador, look to your security, wherever your embassy may be.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's great to have you back. You have some exciting news to share on the business end of things. A few changes going on there at Webroot?

Yes, quite a few. First of all, it's glad to be back here, David. Webroot is in the process of being acquired by Carbonite, and we're very excited about that.

So take me through, what is that like for you and your team? When something like this was announced, first of all, did you know it was coming? Were there inklings of it? Was the rumor mill running? Or was it pretty transparent?

So it was kind of a surprise for us from the engineering side. I think a lot of times engineering teams are heads down, focused on their product development and things like that. And we don't spend a lot of time looking at the business or even businesses working with other businesses. So I don't want to say it was a surprise in the sense that, you know, someone came along and was interested, but I don't know that we were ready for, you know, the announcement, and it did surprise us to some extent.

Yeah. So, but what's the mix of emotions there? Like you mentioned that you're excited about it. I would imagine if it were me, there'd be a certain amount of anxiety there too, because nobody likes change.

That's true, David. I would say though, surprisingly, from the engineering side of things, there's a lot more excitement than there is, you know, fear or concern, simply because we're a cybersecurity company. And as you know, since I've been on the program, I'm almost always on the program with one of the main things you can do is back up a computer to prevent attacks and to recover. And so as cybersecurity experts, we're super excited to be working with and working for a company that provides that service because it's a fundamental thing to being secure. And on top of that, we're very complementary from a product perspective. So the engineering product org isn't feeling a lot of concern because we build endpoint solutions, cybersecurity solutions, DNS, things like that. And where their focus has primarily been on data protection. And so it's a really good fit. So from a purely engineering perspective, we're very excited because there isn't a lot of threat to people's jobs from the engineering side at all.

So what are the things that you're excited about? What will this allow you to do? Does it mean a greater access to funding or resources? What are you pumped up about?

Well, yeah, I'm sure now I'm going to have like people on the bench, tons more resources, all kinds of money, nothing, you know, nobody's going to care about lighting cigars with $100 bills.

Exactly.

Yeah. No, I'm fairly certain we're going to be, we're going to still be running a tight ship as we have moving forward, you know, Carbonite's a publicly traded company. So I think one of the big changes for us is we're going to kind of be under the microscope on our product focus, how we're delivering, where we as a private company have had the luxury of, you know, keeping that kind of stuff quiet. But I do believe there's going to be a lot of work we can do and be very creative since we're both cloud-based companies playing in the same space with different products on how to build better solutions from a cybersecurity perspective to protect folks. But yeah, I don't think we're going to be sitting around looking for work, for sure. There's a lot of stuff that the business leaders are already putting together that they want us to be thinking about.

Now, from your position as a team leader, the folks that you work with, how do you manage a transition like this yourself? How do you communicate to your team what's coming, what to expect, and to keep people's spirits up and their anxiety down?

Well, that's actually a great question and something that's really important to consider. And so we have, I personally have folks in five offices. And in the last two weeks, I've been to four of those. And I really feel like there's got to be a commitment to getting in front of folks, being very direct with them. And as I think my team would tell you, I'm pretty blunt about what I think is happening in general. And so I try to just be as forthcoming with information as I can. And then I have to add on top of that, that then you've got to kind of be around in a way that makes it so people can approach you on the side and get their questions, because maybe they didn't want to ask them in a larger group. So as engineering leadership, you've got to really consider the audience. A lot of engineers can be introverted. So you need to get the information out to the teams. You need to really spend face time with them. And then you need to make yourself highly available in a comfortable environment where they can approach you with questions to mitigate any concerns they may have.

Well, good luck to you and your team. I certainly wish you the best. It seems like a good fit. So David Dufour, thanks for joining us.

It's been great being here, David.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow.