CyberWire Daily - SHA-1 is broken. Grizzly Steppe and Carbanak. M&A notes. Linux patched. Arrest in Deutsche Telekom hack. The insecurities of connected cars.
Episode Date: February 24, 2017
SHA-1 is broken, for real. Grizzly Steppe threat actors seem to have a lot in common with the Carbanak gang. Bitcoin exchange hit by DDoS. Linux patches an old vulnerability. Reuters says Symantec was in talks to buy FireEye, but the companies backed away from a deal. An arrest in the Deutsche Telekom hack. Dr. Charles Clancy from Virginia Tech's Hume Center explores the designation of election systems as critical infrastructure. Jason Porter from AT&T describes the newly formed IoT Cybersecurity Alliance. And what the vulnerability researchers found when they looked at connected cars.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
SHA-1 is broken for real.
Grizzly Steppe threat actors seem to have a lot in common with the Carbanak gang.
Notes on Disttrack, also known as Shamoon.
There's a Bitcoin exchange hit by DDoS.
Linux patches an old vulnerability.
Reuters says Symantec was in talks to buy FireEye, but the companies backed away from a deal.
An arrest in the Deutsche Telekom hack.
And what the vulnerability researchers found when they looked at connected cars.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 24th, 2017.
Every cryptographer who's been telling people to abandon SHA-1 can feel vindicated this week.
Google announced the first successful collision attack against the algorithm.
In the unlikely event you're still using SHA-1, well, please move to something better.
TruSTAR looks at additional information on Grizzly Steppe that the U.S. Department of Homeland Security has released. They've found that its operators, by consensus Russian intelligence services, have much in common with the Carbanak gang, including not only code, but also command and control infrastructure. This isn't to say that the Russian government wasn't behind the Grizzly Steppe operations, but it does suggest again the complexity of attribution.
See, for example, NSA Director Rogers' recent comments on this attribution.
Essentially, sure, the Russians went to work during our election.
The Russian organs have long made effective use of criminal organizations, and this week Moscow revealed that its investment in cyber warfare and information operations has been larger than many defense intellectuals suspected. The level of effort deployed in information operations has especially raised eyebrows. Some say it exceeds even the propaganda campaigns the Soviet Union mounted at the height of the Cold War.
Bitfinex, a major Bitcoin exchange, was hit earlier this week by a significant denial of service attack. The disruption occurred on Tuesday as Bitcoin's value was reaching new highs. There's been a pattern of such disruption when Bitcoin speculation is hot, and various black hats have said they've been hired to organize DDoS against larger exchanges, but no one seems quite sure of the motive. Bleeping Computer, for example, says it's an urban myth that smaller trading platforms hire digital button men to make their bigger rivals unavailable to drive trades their way.
In patch news, the Linux project closes an 11-year-old vulnerability. A Google intern, Andrey Konovalov, discovered and disclosed it. He'll release a proof-of-concept exploit showing how an attacker could gain root access, probably next week, after people have an opportunity to patch.
Many, perhaps most, analysts expect to see a round of consolidation in the security sector over the next couple of years, but it's not arriving all at once. Yesterday, according to Reuters, parties familiar with the negotiations confirmed that about six months ago Symantec had been in preliminary talks to acquire FireEye. Those negotiations came to nothing. This particular acquisition is now said to be off the table.
A British subject has been arrested for last year's Deutsche Telekom hack.
UK police collared the unnamed gentleman in London, executing a German warrant.
The suspect is being extradited to Germany, where he'll stand trial for allegedly attempting to compromise Deutsche Telekom's service to recruit devices into a Mirai botnet.
And finally, there was a fair bit of talk concerning automobile cybersecurity last week at RSA. We found the research particularly interesting when it touched on the risks associated with the increasingly connected and autonomous car, which you might think of as another big, big moving thing in the Internet of Things. Kaspersky looked into the security of Android apps used by seven car manufacturers. Three of the apps unlocked the doors. The other four not only unlocked the doors, but started the engine too. This has inevitably been covered with screamer headlines saying car thieves can hack your car. It's not quite that bad, but the apps are vulnerable, and their security, while more than zero, is still penetrable. The researchers singled out two particularly meretricious design practices they say are accidents waiting to happen: using either SMS messages or voice commands to control a car.
IBM's X-Force also got into the act. They've determined that a lot of these convenient apps, like the ones that let you honk your horn to find your car in the crowded lot at Walmart, well, those apps continue to work, even after you've sold your car. We leave the security issues of this as an exercise for the listener, particularly those listeners in the market for a pre-owned ride. So driver beware, especially if you buy your cars used.
What would it take to get you into a compromised device today? This one has just one owner. A little old lady from Pasadena who didn't do anything with her onboard systems except click every link in the email she read on her tethered unpatched Android phone. We mean, of course, Pasadena, California. The little old ladies of Pasadena, Maryland generally have mad hacking skills, but come to think of it, that might be a problem in its own right. One owner only. She just drove it to church on Sundays. Her grandkids said she did like to
compile a lot of Python from the CAN bus. Whatever that is. I think it's some kind of long sugar Did we mention that we finance?
And joining me once again is Dr. Charles Clancy. He's the director
of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We wanted to touch base today about this notion, this push to have election infrastructure categorized as critical infrastructure. What can you tell us about this?
Yeah, so right after the 2016 presidential elections and the controversy associated with potential Russian hacking, or so-called hacking of that election, the Department of Homeland Security decided to announce the designation of election infrastructure as one of the segments of critical infrastructure, which is kind of a really interesting outcome. So I think this is an opportunity for a potential investment in cybersecurity resources, for example, in R&D resources from DHS, to look at how we might design more secure election infrastructure.
states in particular who feel as though this designation will somehow interfere with their ability to kind of deploy and operate the election infrastructure that they have right now. So it's kind of an interesting debate. I think one issue with it is that many of the other critical infrastructure sectors that are designated by DHS do not have federal jurisdiction. For example, the telecommunications infrastructure is perhaps regulated by the FCC, but not operated by the government. So I don't know that I quite agree with the states' opinion that it's federal overreach in terms of such a designation. On the other hand, I don't know that it really would have made any difference in the most recent election, given the sort of alleged attacks against our election process had nothing to do with the voting infrastructure itself, but rather the perception of the voters as they walked into the ballot booth.
Many people look at the way that our election system is distributed among the states and the amount of control that the states have as actually being a feature of the system that makes it more resistant to a broad-based hacking.
Indeed, yeah, that was, of course, one of the claims that the states made in their pushback against the DHS finding that this should be critical infrastructure, was that it's already a very distributed process that doesn't rely heavily on internet infrastructure, but rather local jurisdictions making phone calls with election counts sort of upstream to state voting authorities. So as long as there's, I guess, strong authentication in those processes, we'll be fine. But it'll be interesting. As we see in many technology sectors, the push to modernize involves more and more automation and reliance on Internet-connected infrastructure. So we'll have to see as voting technology matures and states adopt more sophisticated techniques, whether or not that impacts the overall system's security posture.
All right, Dr. Charles Clancy, thanks for joining us.
My guest today is Jason Porter. He's vice president of AT&T Security Solutions, where he's leading a team that's taking part in a new IoT cybersecurity
alliance. In addition to AT&T, the alliance includes IBM, Palo Alto Networks, Symantec, and Trustonic.
We know that it takes a community to solve really important challenges like securing IoT. We need the best of breed when it comes to areas like managing devices and endpoints. We need leaders in securing data and applications. We need people with a history of managing connectivity and understanding threats and how to manage those. And so we formed this alliance to go after this challenge together as a community.
So take me through what are some of the goals that you're hoping to achieve with the alliance?
Yeah, absolutely. As an alliance team, we are really focused on education, trying to understand really what are the most problematic issues facing IoT security and educating the industry and customers on what can be done to make IoT more secure, what those challenges are and how we might solve them. We also want to influence over time through that education, standards, policy, you know, regulations, potentially, ultimately, that help to make IoT security the forefront and standard in deployments. And then we also obviously, where appropriate, will come up with solutions that really solve IoT security. And we're looking at it largely from a vertical viewpoint. Take industrial IoT, that is very different than, say, connected car or wearables. So each community has different challenges, different attack vectors, a different attack surface area that we've got to be able to understand and communicate those challenges, communicate solutions, and even potentially develop solutions for.
So take me through the process of how the group is planning to work together.
Yeah, so we work very much like our foundries. We took the model after our AT&T foundry model. So at the foundries, we bring a collection of, you know, really talented folks together to work on solving problems. And so in this situation, we're bringing together a targeted community, and we'll get together and bring in customers who have real needs and issues, and between that community, understand what are the highest priority items that we need to go solve for, really work collectively in sort of, in agile development terms, it's like a scrum team working together to go develop, you know, to go solve a problem.
And from the outside, for those of us, you know, keeping tabs on what you all are up to, will there be, will you be publishing? How do we track your progress?
Yeah, absolutely. So we do have milestones. We haven't published our milestones, obviously, but you can expect to hear from us. We will be publishing results. We will be communicating research so that it's really there for the broader industry's benefit. And obviously, you'll start to hear more about our next steps, whether it's moving towards standards or solutions. You'll continue to hear a steady drumbeat of that. You'll also hear about us expanding the alliance because as we continue to move forward, we expect that we will need to bring in more members who can help us fill gaps and special challenges, take defibrillators in health care or insulin pumps or oil rigs, right? We're definitely going to need to expand our expertise in these other areas as we continue to solve and tackle new challenges.
You know, looking at the list of participants in the alliance, it strikes me that there are areas where some of you are probably healthy competitors with each other. Why do you think it's important for organizations to join together as a community to try to tackle these big problems?
Yeah, this is one of those areas that really it's beyond competition. We've got to go solve industry problems for our economy, for in customers. We really need to not be encumbered by traditional competitive lines and really go solve problems. And that's why we've collected, as you mentioned, some might view some of the participants as competitors, but in this environment, we're all committed to go solve challenges that we think raise the collective vote or raise the opportunity for the industry as a whole, protecting financial integrity and even physical safety in many cases. Not every company can invest at the levels of the alliance team members to go and tackle cybersecurity at this scale. And so we really need to help support companies that maybe don't have those resources, don't have data scientists and threat platforms and multiple SOCs and analysts. And so really it's an obligation of those who do to participate in these kinds of alliances to help protect maybe those with more limited resources.
That's Jason Porter. He's Vice President of Security Solutions at AT&T.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.