CyberWire Daily - Something Wicked this way comes. Automating wallet pilferage. Office 365 phishing scams. DPRK hackers remain active. Recognizing alt-coin investment frauds.
Episode Date: May 18, 2018
In today's podcast, we hear that a new Mirai variant is out and about: they call it "Wicked." MEWkit automates coin theft. LocationSmart was buggy and leaky. The US Senate has confirmed Gina Haspel as Director of Central Intelligence. Relaxed tensions along the 38th Parallel aside, North Korea remains active against South Korea in cyberspace. There's a lot of fraud in cryptocurrency investing, and the SEC would like to help you recognize it. David Dufour from Webroot on threat trends. Guest is Heather Vescent, a futurist and author, describing how she applies her work to cyber security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A new Mirai variant is out and about.
They call it Wicked.
MewKit automates coin theft.
LocationSmart was buggy and leaky. The U.S. Senate
has confirmed Gina Haspel as director of central intelligence. Relaxed tensions along the 38th
parallel aside, North Korea remains active against South Korea in cyberspace. There's a lot of fraud
in cryptocurrency investing, and the SEC would like to help you recognize it. Plus, my conversation
with futurist and author Heather Vessant.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, May 18, 2018.
Researchers at security company Fortinet have found a new variant of the Mirai Internet of Things botnet in the wild.
They call it Wicked and say that it uses three modules, Scanner, Attack, and Killer.
Unlike the original Mirai, which brute-forced its way into vulnerable connected devices,
Wicked makes use of known exploits to establish access.
It scans ports to establish a connection with its targets and uses an exploit appropriate to that connection.
Wicked seems to be the work of the same coder who produced the Sora, Owari, and Omni botnets.
Security firm RiskIQ has a report out on MEWkit and the Russian mob behind it.
MEWkit is an Ethereum phishing tool that makes novel use of automation in its attacks.
MEWkit is interesting in the way it uses automation in the service of theft.
It begins with a phishing email that's designed to induce the victims to go to a phony MyEther wallet.
The landing page harvests credentials in the old, familiar way. Where MEWkit represents an advance comes next. It has a module that automatically uses the credentials to drain the victim's real Ether wallets into the hoods' accounts.
As RiskIQ explains, MEWkit combines traditional phishing with an automated transfer service to take advantage of what RiskIQ calls the relatively loose security of MyEtherWallet. The specific gang behind MEWkit is still unknown, but the IP addresses in use and certain linguistic quirks in the scam suggest that it's a Russian group, or at least a Russian-speaking group.
Krebs on Security says that LocationSmart,
a U.S. company that aggregates cell phone location data, has been leaking that data
through a buggy demo page on its website. The flaw granted access without requiring authentication.
LocationSmart took down the relevant portions of its site yesterday afternoon
upon being informed of the
problem. AT&T, Sprint, T-Mobile, and Verizon customers could have had location data exposed.
Office 365 is proving increasingly popular as phish bait. The scam usually takes the form of an email purporting to be from the service, telling the recipient that their access to Office 365 will be suspended if they don't reset a password or simply click a link to verify their account.
It's all bogus, of course.
Microsoft no more sends out that sort of email than it has a boiler room call you at home
to say they've detected malware in your Windows machine.
But the emails are reassuringly boring, and they're perhaps the
kind of thing the unwary and the unfamiliar might fall for. The U.S. Senate yesterday confirmed
Gina Haspel as Director of Central Intelligence. She succeeds Mike Pompeo, now serving as Secretary
of State. Haspel is a career CIA officer with a background in operations.
Representatives Langevin and Lieu, Democrats from respectively Rhode Island and California,
introduced legislation in the House that would require the White House to reinstate the recently disestablished post of cybersecurity advisor. No one really expects the bill to go anywhere,
but it does register discontent with the administration's move.
White House cyber coordination responsibilities will devolve upon National Security Advisor Bolton.
Hopes that reduced nuclear tensions on the Korean peninsula would moderate North Korean hacking seem to be on their way to being dashed.
South Korean sources say that DPRK cyberattacks have continued essentially unabated.
The Straits Times reports an interview with Choi Sang-myung,
director of software firm Hauri Inc.,
and advisor to South Korea's police and national intelligence service.
Choi notes that Pyongyang is interested in capacity building.
He says that DPRK hackers have been sent to both China and India for advanced training.
Much of their recent activity is directed toward espionage, information gathering.
But we're roughly at the one-year anniversary of WannaCry,
and Choi says he wouldn't rule out a repeat performance.
In what amounts to a dog bites man story,
the Wall Street Journal says a lot of crypto coin investment offers are scams.
You think?
Yeah, we thought so too.
Anywho, the Journal is on the side of the angels with respect to this one.
They combed their way through 1,450 coin offerings.
271 of those offerings raised clear red flags, like plagiarized investor
documents, promises of guaranteed returns, always a problem as connoisseurs of the pink sheets can
tell you, and executive teams that, when they're not missing altogether, are often simply fake.
The U.S. Securities and Exchange Commission is trying to help educate investors to the risks the altcoin investment mania presents.
They've set up a bogus coin offering site to show the public what the hokum and bunkum in the market look like.
Their coin offering they call HoweyCoin, a travel-focused coin, and wow, does it sound like a good deal.
Here, give it a listen.
Quote, investment, or both? Well, sign me up. Where do I go to surrender? You can check it out at HoweyCoins.com. That's H-O-W-E-Y-C-O-I-N-S. We especially like the celebrity endorsements near the bottom of the page, so read the whole thing. And expect the SEC to come to an open mic night at the Chuckle Hut near you.
Nicely done, SEC.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back.
We wanted to go through some of the threat trends that you all have been tracking there at Webroot.
You've got some stats to share with us.
What do you have?
You know, our annual threat report comes out this time of year, and we're always following and looking at what the trends are.
Some of them are new and exciting, and some are just the old basics that, you know how we say sometimes, David,
the more mundane it is, the more important it probably is to look for. It's just some fun stats. 74% of the companies that we see impersonated out
there are financial institutions. So that doesn't probably surprise anyone. But if you're getting
emails from your financial institution or some financial organization like the IRS or things
like that, you want to be doubly sure where those emails or that
communication is coming from. And just be aware because, you know, that's where we see a lot of
that impersonating, people trying to steal information, et cetera.
Now, speaking of impersonations, it was interesting to me that you saw one name that popped up particularly often when it came to impersonations: UPS.
And we saw that 52% of the time as well.
I guess that has to do with trying to track packages,
things like that.
I can't exactly tell you why that's happening,
but we do see UPS quite a bit.
And probably because they're more involved with shipping and things with Amazon exploding like they are
and online purchasing.
UPS, people are trying to get information about being able to track packages and things of that nature.
That's just a guess on my part.
And it was interesting to me also, you saw a really significantly high percentage of the malware was unique.
Take us through, what are the implications of that?
That's back to, you know, our good friend polymorphism, where it's become, you know, it's almost table stakes anymore if you're writing malware to make sure that that malware is polymorphic.
And polymorphic malware is where every time a file lands on a new computer, it changes itself.
So the signature looks different.
So that older methodology of looking up signatures just doesn't work anymore.
We're seeing 93% to 95% of malicious malware on one machine only because of the nature of that polymorphism.
So you have to have something that does more than just check signatures.
It needs to look for behaviors, and hopefully you're not letting it get on the machine in the first place.
Yeah, I saw another interesting stat you sent over was that a whole lot of the phishing attacks came from a limited number of domains.
Yes. So 62 domains in our report handled 90% of the phishing attacks that we saw in 2017. That denotes, you know, hacked domains or a lot of, you know, free or social domains that are out there where it's easy to create phishing websites that are easy to get on and drive people to. So, you know, if you're aware of these domains and you block those domains, it's a pretty good method of preventing attacks. The one thing I would say is it's the long tail that's the real threat.
It's, yes, we've seen 90% of phishing attacks
came from those domains,
but those other 10% are coming from very small domains
that we still have to be able to protect.
So in terms of what you're seeing
in terms of overall trends
and how that should
inform how people manage their resources,
what would your advice be?
Well,
you know,
again,
you've always got to have the basics in terms of an antivirus that does file
scanning and analysis,
but a lot of effort needs to be put into protecting your users when they're
online using,
you know,
threat intelligence to
block people from going to malicious websites, using phishing tools that help identify phishing
websites to prevent those types of attacks from occurring. And then one big thing we're seeing
arise in that we do encourage is getting training for your employees and try to get that training
as close to the actual event as possible so that it becomes
contextual in nature rather than, you know, having training once a year on PII or PCI. Try to get
that training a little, you know, delivered at the time that maybe a phishing attack happens
because then people tend to remember, oh, oh yeah, now we need to be paying attention.
David Dufour, thanks for joining us.
Thanks for having me, David. It's always great.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
My guest today is author and futurist Heather Vescent. Her research on cybersecurity, cyber economics, and cryptocurrency has been featured in the New York Times, on CNN, CNBC, and Fox, and she's spoken at conferences including South by Southwest, TEDx, and The Future of Money. I kicked off our conversation by asking her to explain what exactly is a futurist.
A lot of people think the future is like the past and the present.
There's one past, there's one present, so there's one future, which is one of the reasons why we
love predictions because predictions set forth one future. But the medium of the future is really
different. The medium of the future is all possibilities. And so what I do as a futurist
is I study the changes that are occurring in our present time. These can be trends, these can be technology trends, these can be all kinds of difference, you know, what's happening in politics, cultural, social, economic stuff. So I study all the changes that are happening in our world today, and then I extrapolate them out to various timelines in the future. From that I will create a future, which is kind of like if nothing changes and we push it out, you know, however many years, 5, 15, 50 years, this is what the future could be like.
But nobody has 100% control over all of the variables of the future.
So there's a lot of different other futures that could occur.
And so then I identify what those variables are, you know, twiddle the knobs on them and then come
up with alternate futures or other futures.
So it sounds like it's more like being a meteorologist than, say, a psychic.
Oh my God, it's so not a psychic at all. It's, I have a Master of Science in foresight.
Didn't mean to trigger you there, Heather.
Actually, lots of people get confused about it. I am sorry. I know, scientists of the future, what does that mean?
Do you get a lot of eye rolls at cocktail parties when you say the word futurist?
Well, um, more people more polite than me, I guess. No, actually, I get two kind of different responses.
One is people are fascinated and they ask me questions.
And the next thing I know, you know, we're in like a multiple hour long conversation.
Right.
Or people are just not that interested.
And I think I also preemptively, like, I'm like, I'm a futurist, not a psychic.
Right, right.
I don't tell the future.
I don't make predictions.
What led you to your specific interest in cybersecurity?
Well, in the last couple of years, I've had three projects that have really led me into
the cybersecurity space. So I co-wrote the Cyber Attack Survival Manual, and it's really a guidebook
for normal people to be safe and secure online.
At the same time, I was doing a project for the U.S. Army.
I was looking at the future of military learning.
The point of that project was to look at new technology like AR, VR, distributed learning,
tablets, that kind of stuff could be used to do military training.
And this is kind of like the training that everyone would get when they
enlist in the military, when they're learning military leadership skills, as well as the core
competencies that they need to do their job. Cyber war is the newest domain for the military.
And so the whole scenario I put together to show the future of military learning was training for a cybersecurity war game, which then led me to wanting to kick off some research on the future of security.
And I ended up being invited to write this paper that I just finished for the New Security Paradigms Workshop.
And I co-wrote the paper with Bob Blakely, who does security at Citibank.
And the title of the paper is Shifting Paradigms: Using Strategic Foresight to Plan for Security Evolution.
He brought his security background.
I brought my foresight futurist background, kind of like mash it up to really look at what are some real legit scenarios of the future.
And I was blown away by what we found out. As a futurist I have lots of different methods available to me, and for this particular research I decided to utilize what I call a foresight interview protocol. And so there's a way that I like to interview people that focuses on current trends and then
where it could go in the future. I also like to use a method called appreciative inquiry,
and that focuses on what's positive and already working in the industry to see where things might
grow versus focusing on the problems that we have. I also use a method.
It's one of the best methods and newest methods in foresight studies called causal layer analysis or CLA.
I use a light version of it. It helps you dig into kind of some of the underlying themes and cultural aspects in an industry that you might not otherwise find. And so I used these
methods in conjunction with one-on-one interviews and a standard survey. And one of the things that
was the most interesting to me that came up from the research was this idea that the reason we have
so much, so many black hat hackers these days is because we don't have full employment for everyone
who has these skills. It arises in countries that have really good education, but poor
economic markets or work markets, for example, in the former Eastern Bloc or Brazil,
you have very smart people that have very good education, but they're not able to get jobs. And so instead
of what they're doing is they're using their skills for evil because they're trying to make
a living. And so one of the new paradigms that I discovered was this idea that we have like
attackers and defenders adversarial experience. And so when I wanted to flip that paradigm and think, well, what if there
was no more adversaries? Like, how could we have no more black hat hackers? And I thought, well,
what if everyone who has the skills is fully employed? Then they don't need to go out and find a way to monetize their skills.
They don't have so much time and no money.
And so thus the meta and the motivation to be able to like break these things, that changes the world dramatically.
And then we kick that up even more and thought, well, then who would be hiring like the actual
hackers to hack into things?
Well, then maybe it's only going to be
nation states that are going to be hiring these super high skilled people to do, you know,
cyber warfare at the hacker level. And we really kind of came up with this whole idea of a Cold
War 2.0. So, you know, that's just kind of an example of one of the more kind of far out there things we came to.
And I suppose it's challenging for some people to imagine what the possibilities might be, either good or bad.
Absolutely. As a futurist, it's a lot easier for people to think about the negative consequences of technology.
But that actually doesn't ever really happen
because if it did, we'd stop building technology.
Technology and all of the new things that we come up with
inevitably make our lives better and more interesting.
And they also give us a whole new set of problems to solve.
We're going to solve our old problems
and we're going to create new problems.
And that's just kind of what we do as humans.
That's author and futurist Heather Vescent.
You can learn more about her work on her website,
heathervescent.com.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity
teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.