CyberWire Daily - Satori botnet is awake (and it's not engaged in enlightenment). State-sponsored spyware campaigns. ISIS threatens cyberattacks.
Episode Date: December 6, 2017
In today's podcast, we learn that the Satori botnet flashed into existence yesterday with 280,000 bots. Is there a router zero-day out there? Insecure cryptocurrency apps aren't deterring speculators. How much energy does Bitcoin use? About as much as Denmark. Ethiopia's government is said to be using spyware against journalists. Iran's Charming Kitten espionage group is looking at media, academics, activists, and political advisors. ISIS threatens cyber havoc this Friday. Joe Carrigan from JHU on breach fatigue. Cat Coode from Binary Tattoo on social media safety. And the IOC takes a poke at Russia. Expect Fancy and Cozy Bear to poke right back.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Satori botnet flashed into existence yesterday with 280,000 bots. Is there a router zero-day out there? Insecure cryptocurrency apps aren't deterring speculators. How much energy does Bitcoin use? About as much as Denmark. Ethiopia's government is said to use spyware against journalists. Iran's Charming Kitten espionage group is looking at media, academics, activists, and political advisors. ISIS threatens cyber havoc this Friday, and the IOC takes a poke at Russia. Expect Fancy and Cozy Bear to poke right back.
I'm Dave Bittner with your CyberWire summary for Wednesday, December 6, 2017.
Security firm Qihoo 360 Netlab reports that a big Mirai-derived botnet, Satori, awoke yesterday, perhaps exploiting a Huawei zero-day to herd 280,000 bots.
Classic versions of Mirai, if we can call something a classic that's been around for
less than a year and a half, use telnet scanners to find vulnerable devices.
Satori does not.
Qihoo 360 Netlab says the botnet has two embedded exploits that seek to connect with devices on ports 37215 and 52869. As Bleeping Computer points out, quote, effectively this makes Satori an IoT worm, being able to spread itself without the need for separate components, end quote. Qihoo 360 Netlab thinks the exploit that connects to port 37215 is a zero-day. They've been tracking it and have it under analysis, but they're unwilling to discuss it further for now.
CenturyLink thinks the botnet may be abusing a zero-day in Huawei Gateway home routers.
There's less mystery surrounding the exploit that's hitting port 52869. That one is for a well-known and relatively old bug in some Realtek devices, CVE-2014-8361, if you're keeping score. A lot of
Realtek devices have been patched for this one, which would suggest why this
exploit has been the less successful of the two. There are some similarities
between Satori and the Mirai variant that hit Argentina over the weekend,
but researchers are tracking it as a distinct threat.
And nothing yet, by the way, from Reaper, which has remained curiously quiet since its discovery.
Do you overshare online?
It's hard not to these days, thanks to social media,
and there are specific risks to businesses that are easy to overlook.
Cat Coode is the founder of Binary Tattoo,
a firm that helps companies and executives evaluate and protect their online profiles,
and she offers advice on calibrating just how much you share.
It's a trade-off, right?
So every time you're giving away your information,
because of course if you're not paying for the product, you are the product.
Every time you're giving away the information, you're getting something back for it,
and the currency is your information. But I think what's happening is everyone is
so used to now getting things done for them. Like if I'm going to download an app and it needs my
contact book, well, why not? Because I want the app. And then they realize they don't want the
app and delete it. And they've now given away all their contact information. People don't consider
that before. Do I really need the service in exchange for my
information or not? And they're just giving away the information all the time. So if you had to
actually pay for something and you were being offered something and I came to your door and I
said, would you like this? You would have to consider whether or not it was the right thing
for you to purchase before you spent your money on it because you appreciate you can't get that
money back again. But when it
comes to online data as a currency, people don't consider that. They just keep giving it away and
giving it away. And then if they don't like the product, they get rid of the product. But it's
too late because they've already given the data to that company.
So when you're out and about and you're educating people on these sorts of things, are there things that come up that continue to surprise you?
The personal information always surprises me.
The birthdays, the names of pets.
Like when you think of the questions that you would get asked if you lost a password,
like what is your mother's maiden name?
That amount of information is so easily found.
So one of the things I do, I joke I'm an online professional stalker.
One of the things I do is I look for people online in order to tell them what their public identity looks like, so that they can go
in and fix it and take away the stuff that they don't want shared. But I always find those the
answers to those questions. Again, pets names, the street you grew up on, people will say,
hey, look, the house is for sale that I grew up on. And I'm like, great, now I can answer that
question. Or things about their grandparents is like, look, my maternal grandparents, and there's
their mother's maiden name. That information, you don't need to share that. You don't need to share
your birthday or your children's birthdays. None of that information is required online.
That is voluntarily shared information.
A lot of businesses are finding themselves victims of spear phishing, and you make the point that a lot of social media accounts, even if you think they may be locked down, might not be as secure as you think.
So, for instance, if I were to go into a Facebook account and you've got everything locked down, a profile photo is always public, always, and there's no way to lock down the likes on it. So in five minutes I can figure out who you're connected with, even if you've closed your friend list off, based on that. So if your security settings are not set, I can get some personal information about you that way. And if not, I can go through your friends. So what often happens is people will call a second person in the company, or they will email them, and they will have enough personal information about another member of that company that gives that second person security that this person knows what they're talking about. So I could call, for instance,
an executive assistant and say, hey, I know Bill's on a plane to Italy right now.
I'm friends of his through his daughter's school and soccer club and his wife, Brenda.
And I'm just calling because we're supposed to do this business transaction.
I need it to go in by four.
And so I'm going to send you an email from my company.
I just need you to press this button
and then a bunch of extra information
that makes it sound like I clearly know
who this person is.
Right.
And lots of companies are losing money this way
because they have this trust factor
that there's no way you could possibly know
that much about someone
without having actually known them.
So in that kind of a case, what's to be done?
A lot of it is an awareness. Part of it is the fact that Bill has probably overshared his information online or is unaware of what he is sharing. He's put his own profile at risk by oversharing the information. And the second thing is to go into these companies. And as part of the cybersecurity training, we have a lot of amazing software products that come in and prevent regular phishing scams and all that stuff. But the human firewall is so key right now that companies need to make sure that their employees appreciate the element of human engineering that's happening. And just because someone says they know someone or seems to have a lot, that's not enough to verify who they are.
That's Cat Coode. Her company is Binary Tattoo.
Have you ever wondered how much energy the Bitcoin network consumes? Sure you have. We have,
especially since Bitcoin and other blockchain-based technologies are being invoked all over the place
for everything from remittances to IoT security. Digiconomist has taken a look at the question,
and they estimate that annually,
Bitcoin uses about as much electrical power as Denmark,
which suggests to some observers that maybe the cryptocurrency isn't,
as they say, sustainable.
It also suggests why criminals have been willing to take the time and effort
to install miners in Android devices.
Phishing emails are becoming more persuasive,
using mailsploit for greater plausibility,
and incorporating the trappings of encryption
to lure in marks who'd otherwise be wary.
Citizen Lab reports finding evidence that the government of Ethiopia
is using lawful intercept software developed by Cyberbit
to spy on journalists.
An ISIS video posted online promises to deliver a major cyber attack against the US this Friday. The former caliphate, now clearly in its diaspora phase, has shown little ability to do more than low-grade website defacements of indifferently defended targets, and they're probably feeling some pressure to demonstrate serious cyber attack capabilities.
It's a threat worth watching, but so far unsupported by much evidence.
Iranian espionage group Charming Kitten is said by Israeli cyber firm ClearSky Cyber Security
to have embarked on a campaign targeting academics, journalists,
human rights advocates, and political advisors. The targets have little in common beyond an interest in Iran and a usually unsympathetic
attitude toward the Islamic Republic. Charming Kitten is said to have established a bogus,
baited news service as a lure: the British News Agency.
The International Olympic Committee has banned Russia from the next Winter Olympics
for systemic abuse of the anti-doping system.
Expect Russian security services to engage in some systemic abuse of IOC networks.
The Bear siblings, Cozy and Fancy, growled a lot after the last Russian Olympic doping scandal.
As we think about threat actors in the news,
we can't help but reflect on the naming customs that have emerged for them.
If it's a kitten, it's got to be Iranian.
If it's a bear, Russian.
Panda, China.
Dragons, for the most part, East Asian.
But our patriotic amour propre is wounded here.
Surely there are some good animal names people could come up with
that would wink in the direction of the five eyes.
Some seem obvious.
It's hard to imagine Australia and New Zealand without kangaroos and kiwis.
But if those are too obvious, how about dingoes and skinks?
Like dutiful dingo or smug skink.
It's tougher as you move on to the other three eyes.
For Canada, loons and beavers, perhaps.
The UK could go with bulldogs,
or maybe lions. Unicorns seem out because of their financial connotations. The US is a harder case.
The eagle is too obvious. So how about this? Agencies are in all states, and every state has its own patriotic bird, animal, even Maryland at least, where we are, an official dinosaur.
Why not associate actors with the state in which the responsible agency has its headquarters?
Thus, instead of a boring Fort Meade euphemism like Equation Group,
how about something snappy suggested by those Baltimore birds,
the official Oriole, or for the poetically minded, Edgar Allan's Raven.
And I suppose if you're going to woof in the general direction of Langley,
then pick a Virginia theme, like the Cardinal, or better yet, the Foxhound.
In any case, we're sure the security community would welcome some guidance on the matter,
perhaps from the agencies themselves.
Let us know what you think.
Even generic suggestions like ferrets, foxes, and squirrels are welcome.
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, certainly with hacks like Equifax.
Yeah, that's great, isn't it?
It's great.
And, you know, Yahoo just released recently that it wasn't a million.
I'm sorry, a billion.
It was three billion accounts that were released.
That was from, is that from the old breach?
That's from the old breach, right?
So now they're upping that number again.
But I have this feeling of fatigue.
Yeah.
And sort of inevitability.
I just don't know what to do with this.
If all the information is out there, it seems like surely there must be information about me out there.
There must be information about you out there.
The odds are, I feel like we've hit this point where the odds are greater that your information is out there than it's not.
Right.
No, that's probably 100% correct.
Equifax breach happened.
I was actually at a meeting for a project I work on called THaW,
Trustworthy Health and Wellness, with some other institutions.
When they heard about this, he said,
I'm just going to put my social security number on my website.
It's just out there. Well, we've talked about this before, I think offline,
that when I was a student in college,
your student ID was your social security number. Right. And I had an ID at the first college I
attended that had my social security number written on it. Every test I took in college,
I wrote down my student ID number, which was my social security number. So how many pieces of
paperwork, how many, you know, all of the things that for the university to track, you know, the
fact that I went to that school, it's all tied to my social security number.
So I've heard that there are other nations
who have done a better job with this,
that they have adopted a digital version of a social security number,
some sort of secure encrypted kind of thing.
It seems to me like we have to be heading in that direction,
but I've seen little...
We have to move away from social security numbers as the primary key on people. We need a data point, a way to identify somebody, that can be changed and is revocable. That's the word I'm looking for.
Yes, revocable.
Well, I don't know if you recall, if you actually have your social security card. I do have my social security card. I think it was given to me when I was a child.
Yes, I've lost mine.
Yes, most people probably have.
But on the card, it says this is not to be used as a form of identification.
Yeah.
Right.
That's right.
Yet here we are.
Trying to do just that.
If only there were a group of smart people who could come up with some sort of way to replace our,
but, but I guess it's momentum. It's right. Oh yeah. There is a huge momentum problem here.
I don't know that anything's going to change until, uh, until the pain of changing becomes less than the pain of the current state. And for most of us, you know, we're just willing to sit
around and wait until something bad happens. Uh, like somebody opens an account in our name and
then how bad does that hurt? You know, if someone were to call me tomorrow and say, hey, your mortgage on your
property in Florida is overdue, my answer would be, well, go ahead and foreclose. I don't have
a property in Florida. I don't know what you're talking about. Yeah, but you know, you could take
the credit hit, and I don't know. I mean, perhaps if someone does a targeted attack on every single member of Congress, right, and only every single member of Congress, maybe we'll get their attention.
You mentioned credit hits, right? So if I get enough credit hits...
Yeah, right.
And my credit score drops, right, then identity theft stops being a problem, right? Because nobody wants to open a...
Well, they won't be able to. Right. They won't be able to open a credit card. You won't be credit worthy.
My credit score will be like 300 or something.
I think that's part of the point, though, is that if all this information is out there,
do all of these services, all the things that rely on this information become sort of meaningless?
Yeah.
I mean, how reliable is the information that's out there?
Right.
And yeah, I can contest a lot of things on my credit report.
So there are anything that's on my credit report.
I can put a document in there.
There are some laws that have made it a lot more difficult to open a bank account.
I remember the last bank account I've opened, which was actually at a credit union within
the past four years, I was astounded at how much documentation I had to present just to
open a bank account.
Yeah. No, that's true.
We opened one for my son recently, and it was a whole, you know, electric bills and proof of residency and so on and so forth.
Yeah.
Well, I don't think we've come up with any solutions here, but we've certainly made our complaints known.
All we do is sit here and complain, right?
I like to come up with a solution.
Well, you know, as with many things, I think there are some good ideas being tested in other nations,
which seems to be the way that it goes with many of these things. We definitely need to start moving in this direction.
That is for sure.
It's inevitable.
All right.
Well, as always, Joe, thanks for joining us.
It's my pleasure.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.