CyberWire Daily - Someone is after Tehran’s hackers. GitLab misconfiguration. AI’s attack potential. Amazon pursues hackers who defrauded sellers. DeepDotWeb indictments. Evil Clippy. Lunch hacks in San Mateo.
Episode Date: May 9, 2019
The Green Leakers release more information about Iranian cyber operators, including details about MuddyWater and the Rana Institute. A misconfigured GitLab instance exposes data used by Samsung engineers. Thoughts on how AI can shift the advantage to the attacker. Amazon is after hackers who defrauded sellers. DeepDotWeb proprietors are indicted. “Evil Clippy” does VBA stomping. And a food fight in San Mateo’s corner of cyberspace. Justin Harvey from Accenture reviews cyber insurance. UVA’s Mariah Kenney shares her experience as captain of the championship-winning NCCDC team.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
The Green Leakers release more information about Iranian cyber operators,
including details about MuddyWater and the Rana Institute.
A misconfigured GitLab instance exposes data used by Samsung engineers.
Thoughts on how AI can shift the advantage to the attacker.
Amazon is after hackers who defrauded sellers.
DeepDotWeb proprietors are indicted.
Evil Clippy does VBA stomping. And a food fight in San Mateo's corner of cyberspace.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 9th, 2019.
There's been another exposure of Iranian hacking operations.
Last month, an unknown actor going by Lab Dookhtegan dumped code and other information belonging to the OilRig APT.
This week, another actor, perhaps independently,
but more probably acting in coordination with the earlier leakers,
dropped information via Telegram and various websites
that describe other Iranian cyber operations.
This new group calls itself the Green Leakers.
The material released includes information on other Iranian cyber operators,
specifically the MuddyWater APT and the Rana Institute.
The latter has not hitherto been connected to Iranian hacking operations.
This material doesn't, as the earlier leaks did, include source code,
but it does include screenshots and some information about the threat actors and their victims.
Who the leakers are remains publicly unknown,
but it appears that someone is actively working against Tehran's cyber operators.
According to TechCrunch, Samsung engineers inadvertently exposed code from sensitive internal projects
on an instance of GitLab hosted on a Samsung-owned domain, VandevLab.
It's another instance of data exposure in a poorly configured service
whose owners unwittingly left it exposed to inspection on the Internet.
This particular case was discovered and disclosed to Samsung
by researchers at the Dubai-based security firm SpiderSilk.
We continue our coverage of last week's Global Cyber Innovation Summit with two pieces,
linked in today's issue of the CyberWire Daily News Briefing. Among the presentations discussed
is a keynote on the dark side of artificial intelligence by Sean Tursky, who currently serves as the National Security Agency's
Senior Executive Representative to the Department of Homeland Security.
Tursky pointed out that it's relatively easy to get into a network,
but once you're in, knowing where you are is considerably more difficult.
Figuring out where you are and what you can access usually takes a human operator.
But suppose, Tursky asked, using the analogy of physical robots that use sensors and artificial intelligence to explore and map physical spaces, that we deployed thousands of bots, all of them artificially intelligent, inside a network. If that were done, he said, quote, exploits would go through the roof, end quote.
To be sure, you might consider automated patching,
but when Tursky asked the audience who would be willing to take an automatically generated patch
and apply it in their enterprise, he had no takers.
So, Tursky argued, proliferation of AI and machine learning
will dramatically increase the number of capable threat actors
and decrease defenders' ability to detect those threats.
This will increase the threat actor's willingness to attack.
He concluded, I think offense wins.
You can read more at thecyberwire.com in our daily news briefing for May 9, 2019.
Colleges and universities from all over the U.S. organized cyber defense teams to compete in the annual National Collegiate Cyber Defense Competition, which this year was sponsored by Raytheon. Mariah Kenney is a graduating senior at UVA, and she was captain of the team that won the national championship.
There are three rounds: the qualifying round, then the regional round, and then nationals. There are 10 regions across the country, and the winner of each region then advances to nationals.
So we're from the mid-Atlantic region.
And the premise of the competition is that there's a fictional business network that the students are in charge of defending.
So the students are the blue team.
The network is under active attack from the red team, who are industry professionals basically trying to break into the systems and take down our services. So on the student side, we're trying to defend the network. We have to maintain the services, maintain business continuity, basically as if we're an actual company and we had customers trying to use, say, our website or our mail server or something like that. And then there's also business injects, where they basically ask us either to add something to the network or to report to the board of directors about something.
So that's the general idea of the competition itself.
So fictional business network that the students are defending and it's under active attack from industry professionals.
Well, as team captain, what was your role there?
How did you organize everybody and keep your eye on all the goings on?
Sure.
So the first year, we were basically just trying to figure out what the competition
was and what we were supposed to do in the first place.
And so that was a lot of reading the rules and reaching out to people that we knew who
understand the competition a bit better than us, kind of figuring out what we were supposed
to do in the first place.
And then so one of the things that I helped with was basically us figuring out how we
were going to structure our team.
So we ended up breaking it down so that I was the team captain, but then we had the
Windows team who was in charge of Windows systems, the Linux team in charge of Linux
systems.
Then we had a networking firewall admin that was in charge of the firewall and networking
and configuration of the network and everything. And we're still structured like that this year as well.
So what do you suppose gave you all the advantage? What set you ahead so that you were able to win the national competition?
Honestly, our teamwork and communication was our edge. And so last year,
when we won, we were not the most technical team, but we worked together as a team really well.
We obviously did have technical skills and understood those, but we worked together really well and did a really good job communicating.
I think that helped us this year as well.
We are a much more technical team this year.
We definitely learned a lot from last year and took feedback on what we could do better, and we integrated that into our plans.
But again, the communication and teamwork,
it was a huge thing for us because it's a very stressful situation. It's a stressful competition.
You're under attack. You're trying to defend your systems. And so, you know, you have to keep your
cool. And if you need help with something, we would just ask somebody else for help and we
would work together to solve that problem. There's no yelling. There was frustration sometimes,
but we were like, all right, let's take a deep breath. This is the problem. What are we going to do about it? And who's going to help you do that? And then we just kind of made it happen.
What's your advice for other students who may be considering taking on these sorts of capture-the-flag competitions?
My advice to students that want to get involved in the competition, first off is do it.
Even if you don't know anything, just start. A bunch of our team last year, we didn't know a
whole lot about cybersecurity. We definitely had some people on the team that did, but some of us
really did start at the beginning, especially me. And so having that goal of the competition itself and working towards that goal and figuring out what you need to learn to get there is super helpful, especially for me. I like to have like a goal or a project to work on to learn along the way. And then learning with each other is really beneficial because you might know something that somebody else might not know. They know something you don't know. And so just learning from each other and working together is super helpful. So definitely get involved and get started no matter where you are, because you'll be able to learn from each other.
You're going to be graduating later this year.
What are your plans?
What do you have your sights set on?
So I'll be working at CrowdStrike full-time once I graduate.
Oh, congratulations.
Thank you.
That's Mariah Kenney.
She was team captain of UVA's national championship-winning cyber defense team.
Bloomberg reports that Amazon has filed a suit in a British court seeking redress for hacking that compromised about 100 seller accounts,
diverting funds from loans and sales to the hackers' accounts.
Between May and October of last year,
criminals managed to compromise accounts in Amazon's Seller Central platform
and change the banking information in them
to the criminals' own accounts at Barclays and Prepay Technologies.
Those financial institutions weren't themselves involved in fraud, of course.
Amazon, which has been investigating the theft for some months,
thinks it most likely that individual sellers were hoodwinked into giving up their confidential login credentials by phishing.
How great the losses were is so far publicly unknown.
The U.S. Justice Department has indicted two Israeli nationals on charges connected with operating DeepDotWeb, a general directory that linked prospective buyers with dark websites dealing in contraband, some of it lethal. The two who were indicted, Tal Prihar and Michael Phan, are alleged to have made millions providing a gateway to dark web black markets, thereby facilitating the sale of fentanyl, hacking tools, stolen credit cards, and other contraband.
They made their money through kickbacks from the sellers to whom they referred customers. Both suspects are in custody.
It was an international operation: Prihar was arrested in Paris, and Phan was taken into custody in Israel.
Authorities in several countries cooperated in the enforcement action: Brazil, France, Germany, Israel, the United Kingdom, and the United States.
Those of you of a certain age will remember Clippy,
the irritating anthropomorphic paperclip that cumbered Microsoft products in the 1990s,
offering you unnecessary advice like,
Seems like you're writing a letter. Want some help?
Somehow, Clippy never got to the big questions.
For all Clippy's upbeat winking and chipper tone,
we never noticed Clippy saying anything more useful like,
Looks as if you need to make a quick buck.
Or, Dude, your job is a dead end. Want out? Or, dark night of the soul? Hey, I've been there. Forget it, Jake. It's Redmond.
Anyway, Clippy is sort of back in an undead form, but it's a proof of concept from Dutch cybersecurity consultancy Outflank, so no harm, no foul. Evil Clippy, as Outflank calls their demo, uses VBA stomping to prevent most antivirus tools from detecting the macros it has compromised. VBA stomping removes the Visual Basic for Applications source code from a Microsoft document, leaving a compiled version of the macro behind. Security products that look for macros often do so using the VBA source code, and if that's gone, they may let a malicious document pass through unnoticed. Thanks, Outflank, because Evil Clippy sounds like a dream come true. Actually, thanks for real. It's a technique now being offered to red teamers.
And finally, here's another story from the courts. Who has not eaten in a school cafeteria?
We've pretty much all been there.
And now, hacking has come for the lunchroom, because catering those cafeterias is big business.
Last month in San Mateo County, California, whose writ runs in much of Silicon Valley,
one Keith Wesley Cosby, CFO of Choice Lunch, was arrested on two felony counts of illegal acquisition of student data
from the website of Choice Lunch's lunchroom rival, San Carlos-based Lunchmaster.
As the San Mateo County DA tells it, Mr. Cosby's idea was that he'd hack the students' data
and then complain to the authorities that Lunchmaster wasn't properly protecting the kids' PII.
Presumably, then, the contract for delivering fresh-baked muffins, chicken nuggets, and beef cheeseburgers to young scholars would be righteously taken away from Lunchmaster, at which point Choice Lunch would pick up the business.
Actually, we don't know if fresh-baked muffins would figure in the lunch wars,
since technically they're a breakfast item at the San Mateo County schools.
But in any case, this seems a dubious business strategy.
So stay hungry, San Mateo County.
And it would never happen in Baltimore.
There's no Old Bay.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back.
I wanted to touch base with you today on cyber insurance and where we find ourselves when it comes to that.
Sure. through the payment into a pool so that, in the unlikely event that something does happen, we get assistance for that, meaning a car crash, medical injuries, etc.
Cyber insurance is no different. Companies are looking for ways to offset the risk of cyber
attacks, and they need a little bit more. They need a little bit more from a response
perspective, from an incident response team, from being able to work with PR teams, with legal.
And it's not very common that global organizations have all of this figured out. They have a PR team
ready to go. They have an outside counsel ready to go. They have an IR team on hot standby
with the jet being fueled, ready to go. So cyber insurance is a way to ensure
that when something does go wrong, that there's adequate financial coverage and adequate legal
coverage.
Well, what's your advice for folks who are out there shopping for this? Are there any guidelines, things they should be looking for?
Well, I think that one of my main recommendations is find a cyber insurance offering that offers a breach coach.
Now, a breach coach is typically your outside counsel.
So it is an outside legal firm, outside of your own general counsel, so that you are protected through attorney-client privilege. And this breach coach will actually step you through and guide you through the whole incident or breach.
And they will help you.
They will place you with an incident response firm that's ready to go.
My team actually does this quite a bit.
You will be placed with a public relations firm if it is necessary in order to communicate to your customers.
You may even take their recommendations on reaching out to a consumer credit reporting service in case your business lost consumer identities.
Then they have these services ready to go.
And it's all covered under your policy. So instead of you having to fork out the hundreds of thousands of dollars, and in some cases, hopefully not, millions of dollars to these services individually, you go with one provider, one breach coach, they bring in all of the ancillary services, and it's all covered under the insurance premium.
Yeah, it seems like one of those pay me now or pay me later situations.
Yeah, I think that there are global institutions out there that are not doing cyber insurance.
They're choosing to kind of roll their own.
They have their own outside counsel, their own IR team, their own legal and PR and so on.
But there is something to be said by having it all integrated under one umbrella.
All right. Well, Justin Harvey, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.