CyberWire Daily - Stubborn IoT botnets. Razzle-dazzle HTML phishing lure. Fancy Bear's false flag. Busy Yahoo boys. Crooks turn from Tor to Telegram. Kaspersky and contractors. Patch notes. SB 315 vetoed.
Episode Date: May 9, 2018
In today's podcast we hear about Hide-and-Seek, a hard-to-flush botnet. A phishing technique takes advantage of an email client's rendering of HTML. Facebook death threats in 2015 are said to have been the work of Fancy Bear, dressed up as the Cyber Caliphate. Nigeria's Yahoo boys are busier than ever. DHS wonders what it will take to get US Federal contractors to get rid of Kaspersky. Crooks turn from Tor to Telegram. Patch Tuesday notes. And Georgia's governor vetoes a controversial cybersecurity bill. Joe Carrigan from JHU ISI on a pilot program from Delaware on mobile driver's licenses. Guest is Phillip Dunkelberger from Nok Nok Labs on authentication usability, standardization, and security issues. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Hide-and-Seek is a hard-to-flush botnet.
A phishing technique takes advantage of an email client's rendering of HTML.
Facebook death threats in 2015 are said to have been the work of Fancy Bear, dressed up as the Cyber Caliphate.
Nigeria's Yahoo boys are busier than ever.
DHS wonders what it will take to get U.S. federal contractors to get rid of Kaspersky.
Crooks turn from Tor to Telegram.
We've got some Patch Tuesday notes.
And Georgia's governor vetoes a controversial cybersecurity bill.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 9th, 2018.
There are some possibly unpleasant developments in the world of IoT botnets.
Hitherto, you've been able to clear botnet malware from an IoT device by resetting the device.
This works because most of the botnet software normally resides in memory, which a reboot flushes.
This, however, may be changing.
In what Bleeping Computer describes as a game-changer,
Bitdefender has described its discovery of the Hide-and-Seek botnet, an IoT botnet that survives device reboots.
Under certain circumstances, Hide-and-Seek copies itself to a folder that houses daemon scripts in Linux-based operating systems, and routers and IoT devices tend to run on a Linux-based OS.
Bitdefender thinks Hide-and-Seek is still something of a work in progress and that large-scale distributed denial-of-service attacks are for now unlikely, but the new approach to achieving persistence in the bot herd will bear watching.
Avanan reports finding BaseStriker, a phishing technique that crafts HTML in emails so the malicious links, even those on a blacklist, pass through the Safe Links feature of Microsoft Office 365's Advanced Threat Protection.
It works by using the HTML base tag to split the malicious link in two. Safe Links passes it, but then the Outlook email client reassembles the link into a nicely rendered and clickable form.
The AP says it has evidence showing that 2015 threats communicated via Facebook to spouses of U.S. military personnel were not in fact from ISIS.
The unusually repellent threats appear to have been the work of Fancy Bear, which is of course Russia's GRU.
The threats, issued under the false flag of the Cyber Caliphate, would threaten military families.
Here's a representative sample the AP offered.
Quote, Dear Angela, Bloody Valentine's Day. We know everything about you, your husband, and your children. We're much closer than you can even imagine. End quote.
The threats were, at the time, widely believed to be genuine ISIS communications.
They're not the only time the GRU represented itself as ISIS.
It did something similar during the hack of France's TV5 that same year.
Those operations, arriving around the time of the ISIS-inspired massacre at Charlie Hebdo, were even more disturbing.
We've had occasion recently to follow the doings of Nigeria's Yahoo Boys and the gangs that employ them. They've been busy.
Palo Alto Networks compared 2016 and 2017 and found a significant increase in the rate of cyberattacks by the Nigerian gang Palo Alto tracks as Silver Terrier.
Silver Terrier made on average 17,600 attempts each month during 2017, up from 2016's average of 12,200.
The gang's operations are socially engineered, so look to your user awareness training.
It's become a standard part of just about every large data breach story these days.
Countless usernames and passwords are revealed,
which of course leads to recommendations from service providers or authorities to change your passwords.
Phillip Dunkelberger is president and CEO of Nok Nok Labs, and he also works with the FIDO Alliance, a group looking to bring standards-based authentication to the masses.
He maintains that usernames and passwords have outlived their usefulness.
One, they were never designed for usability. They were really designed for quick local access, and access, if you think back, they were invented in the mainframe days, so terminal access and use, they were really not designed to be really usable.
They had no idea of using something like a PC or, you know, even more troublesome, a tablet or a laptop, where you've got much less screen space and keyboard space.
The complication that has come in trying to secure them, upper and lowercase special characters, longer lengths, changing them all the time, doing essentially password rotation, has not worked well.
The other piece is that from a security standpoint, you end up storing them in some kind of container or database that becomes a large attack surface, that if I want to steal credentials, I can just attack that particular database and steal a lot of people's credentials.
And what that has led to from a security standpoint, 81% of the people, according to the Verizon studies, and echoed by Dr. Larry Ponemon, who invented cost of a data breach, 81% plus of all data breaches begin with a stolen credential.
So usability, not good for tablets and phones from a security standpoint, creates a big attack surface and is really not secure in a modern architecture today.
And so in your estimation, what's next?
What is next is the industry who created that particular modality, usernames and passwords and other types of inventions over time, has got to think about the problem differently.
And the way we've been able to do that is think about things like, what would it mean to the world if we didn't have to use passwords anymore, if we could use a better, more natural way of logging in, something like a selfie or a fingerprint swipe or your voice. Those would be something that would be an improvement from a usability standpoint.
And then could we separate the idea of storing large amounts of information or biometrics on a back-end database that could be attacked?
So both of those ideas are something the industry has been working on, and that has led us to the announcement this week of two standards bodies. One is a recommended standards body, the FIDO Alliance.org, and the W3C, which is an official standards body that governs a number of different standard protocols for the internet.
The one that we'll talk about today is the browser protocol, and being able to, standards organizations with a lot of industry heavyweights in it coming together to find a better way to do authentication.
So let's dig into that some. Take us through, what are you all hoping to achieve with the browser standards?
The browser standards that were announced was the coming together of the FIDO Alliance, which means Fast Identity Online, which has had over 300 plus companies involved in developing a protocol or a handshake.
hardware, small tokens, those kind of things that are very costly to manage and replace.
Replacing that with an infrastructure that basically turns secure elements on your device or on your laptop or on your phone and common ways of using it like a selfie or your voice or a fingerprint, all of those things being able to replace a username and password in a standard format that allows people to plug them together easily and build a better way of authentication.
And so what kind of a timeline do you suppose we're on in terms of making this an official standard?
Well, that's a great question.
Standards usually take, I was involved, I was the CEO in a prior life of Pretty Good Privacy, PGP as it's well known in the industry. That standards body of making an encryption standard took us roughly 10 years.
Because of the pressing problems that we have with the theft of credentials and the large attack surfaces that are out there, we've been able to get to this kind of recommended standard in less than five years.
And I think that what we're going to see is the rollout beginning later this year, with people like Google and Microsoft announcing at the most recent RSA conference that this will be available over the course of their product deliveries over the next year. So this is gonna be available on a broad scale within a year.
All of these are just component parts of the protocol that will let the technologists implement it and let the users, whether they're corporate users or consumer users, enjoy the benefit.
And so we didn't dig the hole of usernames and passwords in five years. We're not going to get out of this in a short period of time. But for the first time, we're building new roadways or thinking about the roadways differently than we have in the past to make usability and security something that's available to everybody.
That's Phillip Dunkelberger from Nok Nok Labs. You can learn more about the FIDO Alliance and their authentication standards at FIDOAlliance.org.
Microsoft patched some 67 issues with its products yesterday.
One of the vulnerabilities addressed merits particular attention.
CVE-2018-8174, which affects the way the Windows scripting engine handles certain classes of objects,
is already being exploited in the wild.
Adobe also patched, addressing issues in Flash Player and the Adobe Creative Suite.
VPN Mentor is offering an unofficial fix for vulnerable Dasan GPON routers.
If you can't wait for Dasan, give the offer a look, but a circumspect and a cautious one.
Unofficial stuff can be good, but caveat emptor.
The U.S. Department of Homeland Security is wondering what it will take to get federal contractors
to purge Kaspersky products from their systems.
Secretary Nielsen is musing aloud and darkly about punitive contracting measures
to bring the primes and subs into line.
Feeling increasingly exposed and ill at ease on Tor, it appears that the criminal underground is turning to Telegram when it feels the need for an online forum.
Georgia Governor Nathan Deal has vetoed that state's ill-received SB 315, called catastrophically stupid in Boing Boing's headline assessment, which would have criminalized many common and legitimate security research practices.
It also would have authorized certain forms of hacking back under the rubric of active defense.
The hack-back provisions of the law were also greeted with widespread skepticism.
A number of commentators thought the bill would not only have criminalized innocent white hats,
but also inspired poorly informed and difficult-to-contain cyber-vigilante activity.
So there you go.
Those checks and balances you learned about in high school civics class are alive and well in the Peach State.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Hi, Dave.
So you sent over an interesting article. It was about the state of Delaware, who's sort of dipping their toes in the water to have mobile driver's licenses. Right? What's going on here?
I'll tell you what I think.
And this is just me doing what's probably the easiest part of my job.
And that's going, this is going to be bad.
Go on.
So the mobile driver's license, two of the key features that the article talked about, one of them was the ability to identify yourself as over the age of 18 or over the age of 21 without having to disclose other information, like your address and your name and everything, which is a good concept, a good idea. I like that idea.
So I can get into, let's say I'm someone who wants to get into a bar. I can use this ID with the bouncer at the door without that bouncer finding out where I live.
Right.
It just has a picture of you and says, yes, you're over 21.
I see.
And that's it.
And that's great.
If there was a way to secure that to be the only way that a picture of you could show up on your phone
with the statement saying, yes, you're over 21, then that would be fine.
However, my prediction is that there will be all kinds of apps released
that will permit people to have essentially what amounts to a fake ID.
Right.
Just smile for this picture, and we'll put up the picture and say,
yes, you're over 21 in this app.
And it's hard to put a hologram on an iPhone app.
Absolutely.
I don't know that it's possible to put a hologram on an iPhone app.
Well, but also there's some interesting uses from law enforcement to use this during a traffic stop.
They talk about the officer could ping your smartphone and request the driver's license information before even walking up to your vehicle.
That's right.
And that gives me concern because my initial reaction or thought on this is as soon as this comes out
and becomes widely available, everybody who has a malicious intent will be trying to get
into every single person's driver's license who has one of these apps on their phone.
It's basically a big sign that says, come hack me.
Not that I know of any vulnerabilities on this system, but it is certainly part of the attack surface that is going to garner a lot of attention.
Yeah, it's interesting because so far,
the driver's license is something that we've kept off of our smart devices.
You have your license in your wallet, all that information,
your driver's license number.
Generally, I don't have on my phone.
So we talk about how all of this private information is on our phone.
Well, this would push even more to your mobile device.
It would push more information that is not usually on your phone to your phone.
And I just have a couple of concerns with this.
I'd like to learn a little bit more about it.
Yeah, it would be interesting.
Hopefully it will be one of those things you can opt into.
So for the folks who see the benefits of it, they could do it.
But if you wanted an old-fashioned driver's license, you could still do that.
It's very easy to opt out. You just tell them that you don't have a smartphone.
Ah, and you hope nobody calls you while you're standing in line and telling them that, right?
If it does ring, you just go, I don't know what's happening.
What's that noise? I hear that noise every now and then. I'm not sure what it is.
I'm about to back up.
Right. All right. Well, keep an eye on it. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.