CyberWire Daily - Speculative Store Bypass. GPON-based botnet. Customer data exposures. Roaming Mantis gets more capable. Nation-state threats.

Episode Date: May 22, 2018

In today's podcast we hear about the Speculative Store Bypass vulnerability that's been found in most current chipsets. GPON-based routers assembled into botnets. Comcast and TeenSafe close vulnerabilities in transmission and storage of customer data. Roaming Mantis banking Trojan acquires new functionality. Is Moscow waiting for the World Cup to conclude before going on cyberattack? How about Iran and China? Will DPRK hacking be on the summit agenda? And GDPR is coming Friday, to some information near you. Emily Wilson from Terbium Labs on the notion of fear vs. empowerment applied to security. Guest is Sam Elliott from Bomgar with a review of their 2018 Privileged Access Threat Report.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The speculative store bypass vulnerability is found in most current chipsets. GPON-based routers are assembled into botnets. Comcast and TeenSafe close vulnerabilities in transmission and storage of customer data.
Starting point is 00:02:11 Roaming Mantis banking Trojan acquires new functionality. Is Moscow waiting for the World Cup to conclude before going on cyber attack? How about Iran and China? Will DPRK hacking be on the summit agenda? And GDPR is coming Friday to some information near you. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 22, 2018. Another speculative execution flaw similar to Spectre and Meltdown has been discovered
Starting point is 00:02:47 by Google's Project Zero. The vulnerability is exploitable by speculative store bypass, which could expose user data across a broad range of devices. Intel is calling it Variant 4 and classifying it as medium risk. Microsoft is even more optimistic, characterizing the risk to users as low, but Variant 4, which has been designated CVE-2018-3639, is being taken seriously. The issue isn't confined to Intel chips. It affects both Intel and AMD x86 chipsets, POWER8, POWER9, System z, and some ARM processors as well. Exploitation of the side-channel vulnerability could allow unauthorized read access to memory on afflicted systems. Speculative execution is an optimization technique chip designers use to speed tasks by performing some of them before, strictly speaking, they're needed. It uses a history of branch executions to predict tasks before they've been called for.
Starting point is 00:03:51 This makes more efficient use of processing resources, employing them as they're available to accomplish tasks that will probably be wanted. The disclosure has been coordinated among Intel, AMD, ARM, IBM, Microsoft and other tech firms. Some vendors have already issued mitigations. Those who face a more challenging patching problem, including Intel, intend to make fixes available within the next few weeks. Analysts tell users to expect some performance decline after applying patches. Intel says tests of the coming fixes have shown a 2 to 8 percent decline in performance.
Starting point is 00:04:29 Security firm Bomgar recently released their Privileged Access Threat Report for 2018, which shines a light on what are often poorly managed account privilege practices. Sam Elliott is director of security product management at Bomgar, and he joins us to share some of their findings. The thing that's really core to us when it comes to managing privileged access are those users that actually have the credentials and need them to do their jobs. And those users we tend to put in two different categories, insiders or third parties. So insiders being the people that are employed by you and are part of your organization. Third parties would be those folks who come in to help your organization
Starting point is 00:05:09 with technology challenges. So think Microsoft or Cisco or somebody coming in from the Microsoft or Cisco office virtually to work on the systems where they have applications. So those are the service providers or third-party vendors. We've done this for a few years now, and it's interesting to watch over time, to watch how the trends are changing, either for the better or, in some cases, as we discovered in this report, some trends that were kind of surprising, heading the wrong way. I think overall, the research indicates that the majority of the organizations continue to lack just the general oversight, awareness when it comes to effectively managing privileged access. And so there's a lot of data in the report that suggests organizations are aware of the challenge, but they're still
Starting point is 00:06:01 playing catch up, I would say, to how do we actually manage this in a meaningful way so we can prevent the types of breaches that we're seeing ending up in the news and, you know, having everybody have to go and get new credit cards or get credit monitoring or something of that sort. What do you think is guiding those trends? Well, I think there is this kind of matter of trust that's happening. I mean, despite knowing that the cyber attacks are, you know, we're in the modern era where it's increasingly likely that you, if you work in a large organization and you're part of the IT team, that you're going to have to be defending your organization against cyber breaches. And I think that we're really seeing that so many of the breaches that happen stem from a compromised credential, or maybe an unsecured
Starting point is 00:06:53 remote access connection out to the internet that would make it easy for a threat actor to connect to and then move into an organization's internal and hopefully more well-protected part of their organization. With the velocity of these attacks happening and being more visible, organizations are really starting to take notice. Hey, we've been doing all this very clever stuff out on the perimeter of our organization's defense in depth security posture, but we've missed what you might think of as the fundamentals when it comes to good credential hygiene and good access hygiene. So things like making sure that I'm not sharing my domain admin credentials with more than one person, so I don't make it hard for me to have good accountability or good attestation when it comes to who did what, when, with which type of credential, on which system.
Starting point is 00:07:51 And so I think really that the awareness is building and people are saying, hey, you can do a lot of damage with an elevated credential or with an element of unsecured access. So we've got to start putting more of our focus there, kind of an internal focus. You may have heard the term assume they're already in. What would I do in my internal defense in depth posture if I was thinking that way? And so there's just a bit of a mind shift. Firewalls are absolutely required,
Starting point is 00:08:22 but they're not good enough as the only means of protection these days. That's Sam Elliott from Bomgar. You can check out their complete Privileged Access Threat Report for 2018. That's on their website. Vulnerable Gigabit Passive Optical Network, that's GPON-based, home routers are being herded into botnets. Much of the activity, which is being tracked by security firm Trend Micro, is centered on Mexico. Trend Micro calls the scanning Mirai-like, but this isn't Mirai.
Starting point is 00:08:52 The story is still developing. We'll see what comes of it. Two problems have appeared on the consumer data security front. Comcast is reported to have rendered customers' Wi-Fi passwords relatively easy to compromise. The issue was found in the cable giant's Xfinity activation site. The problem is, as the researchers who found it explained to ZDNet, that it's possible for someone to activate an account that's already active. The information needed to do so is minimal, and it's not verified by text or email. And finally, Comcast was sending
Starting point is 00:09:26 the wireless name and password in plain text. Comcast took the service down promptly once it was alerted to the problem. The TeenSafe tracking app that lets parents keep tabs on what their kid is doing online has apparently left thousands of customer accounts exposed through an inadvertently misconfigured AWS bucket. TeenSafe has secured the database and is in the process of notifying affected customers and of investigating whether any of the data may have been stolen. Researchers at Kaspersky Lab are describing the evolution of the mostly mobile Trojan Roaming Mantis. It began as a banking Trojan, but now it's evolved. Roaming Mantis has acquired both
Starting point is 00:10:11 phishing and cryptojacking functionality. It's fluent in a remarkable range of languages: Arabic, Armenian, Bulgarian, Bengali, Chinese, both traditional and simplified, Czech, English, Georgian, German, Hebrew, Hindi, Indonesian, Italian, Japanese, Korean, Malay, Polish, Portuguese, Russian, Serbo-Croatian, Spanish, Tagalog, Thai, Turkish, Ukrainian, and Vietnamese. Did we mention English? English. The still-upcoming U.S.-North Korean summit may have another item on the agenda in addition to North Korean nuclear weapons. Advisors to President Trump are considering urging that discussions of cyber operations be placed on the table as well. The DPRK has remained active in cybercrime.
Starting point is 00:10:57 Recent estimates suggest that some $650 million have been stolen since Kim Jong-un's ascension to power in 2011. U.S. officials are concerned about securing their own communications channels and the channels they intend to use in working with their South Korean allies. It's widely believed that those communications will receive considerable hostile attention from Pyongyang's espionage services prior to and during the summit. Three other nation-state big dogs aren't barking right now, but there's speculation that they may do so soon. Speculation in the UK holds that Russia's restraint from attacking British infrastructure is temporary. The World Cup is hosted in Russia this year, and once it's over,
Starting point is 00:11:42 analysts expect the bears to begin dancing and prancing through Blighty again. The BBC doesn't put it quite like that, but such is the gist of what people are thinking. Cozy and fancy, we hardly knew ye. That was okay. Iran's widely anticipated reprisals against the U.S. for withdrawing from the nuclear deal are also yet to materialize. In Tehran's case, however, the night is still young. And some ask what might have become of the large trove of data stolen in the OPM breach, presumably now in the hands of Chinese intelligence. In any case, the OPM stuff hasn't made much of an appearance in the black market,
Starting point is 00:12:23 and as Holmes would tell Watson, the significant thing is that the dog didn't bark, in this case on the dark web. Maybe this whole GDPR thing has the spooks spooked in the aquarium and on Tongyang Road, hmm? After all, messing with Langley is one thing, but you really don't want to be on the bad side of the boys from Brussels. Have you heard about those fines for mishandling personal data? Murder. Oh, by the way, GDPR goes into full effect this Friday. Have you heard?
Starting point is 00:12:55 We thought so.
Starting point is 00:15:12 And joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, welcome back. We want to talk about the notion of fear versus empowerment. There's a lot to unpack there, so where do we get started? Sure. So I was at a conference a couple of weeks ago, the KNOW Identity, K-N-O-W for your listeners, the KNOW Identity Conference hosted by One World Identity. And one of the panelists there kind of pushed back against the idea that we need more communication in security. We need to be putting out more content in order to educate not only our users, but also consumers as a whole.
Starting point is 00:16:05 He said, you know, we have enough of this information out there already. The problem is that we're not focused on empowering users. We're educating them maybe, but we're kind of leaving them in a lurch here. And that really resonated with me. And I think anyone who's heard me talk for more than two minutes has heard me say this before, but I think there's a real problem in security of relying on fear and selling fear. It's easy. It's convenient. It's quick. It's something that we can all get behind. It creates a visceral reaction in people, but that's not helpful. And in fact, it's detrimental. From my perspective, and this is something that I focus
Starting point is 00:16:40 on a lot, we focus on a lot at Terbium, you don't need to be afraid of the threats facing you in security. You should be concerned. There's a lot to be concerned about, but you do not need to be afraid. And I think that if we actually want to be having conversations about productive advancements in security, we should be talking about reasonable concern and not fear. And it strikes me that, just from a practical point of view, if my employees are afraid to report something that they may have done wrong, because they're going to get their wrist slapped or lose their job or whatever, that contributes to insecurity. Absolutely. And I think we can see this inside of companies. I think we can see this out of leadership.
Starting point is 00:17:25 I think we can see it in the industry. And certainly I think for consumers outside of the industry, you know, my parents, your parents, you know, people are afraid. And so what do they do? If you're afraid, you feel helpless and uncertain, you want to push back against that. You don't want to feel afraid. No one likes that. And so you ignore it or you say, I can't do something about it. It really
Starting point is 00:17:50 strips someone of their agency. And you're right. In a corporate organization, you really don't want someone who is so afraid that they decide to ignore it. Oh, I'm afraid I clicked on a phishing email, but I just won't say anything because then something bad can't happen if I don't bring it up. Or I don't understand what's going on here. What are these threat actors? Are they coming after me and my data? What does it mean if I have a data breach? I'm afraid I'm not going to do anything about it.
Starting point is 00:18:13 That's pointless. And frankly, it's a foolish way to market security. It also hits me that from an IT point of view, if I'm afraid of my users doing bad things and I lock their machines down so much that it's hard for them to get their work done. They are, being clever humans, going to find workarounds. Absolutely. And it's interesting you bring that up. That was something one of the other panelists mentioned at the conference that I thought was useful was that, you know, your users are going to consistently find workarounds for whatever you throw at them.
Starting point is 00:18:42 And so you shouldn't be running around looking for stopgap solutions and how do I move them away from this thing? I don't want them to think about it. I want them to think it's this big, bad, scary thing so they don't go touch it. Or if I make it complex enough, they won't mess with it. They'll just leave it alone. That's not going to work. Yeah, it seems like it's almost a hierarchical thing where rather than lording over people, you need to collaborate with them. I think collaboration and I think just honest communication, which is very easy to say and very difficult to do. I think being able to say, this is something we're concerned about and we're working on it. And here's how you can help. Here's what you can look for.
Starting point is 00:19:21 Because then even if people don't recognize it when they see it, I'm thinking about phishing emails, for example, here, you have at least treated them like reasonable, responsible adult humans who are capable of making decisions and capable of recognizing issues if you educate them about them. Yeah. And then they'll be invested in the solution. They'll want to help. Absolutely. All right, Emily Wilson, thanks for joining us.
Starting point is 00:20:05 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your
Starting point is 00:20:56 Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and Thanks for listening. We'll see you back here tomorrow.
