CyberWire Daily - The CyberWire Daily Podcast 2.5.16

Episode Date: February 5, 2016

In today's podcast, we hear some small signals that the ISIS narrative may be faltering. European governments struggle to accommodate privacy while addressing security. Malware gets more evasive, and... ransomware retains its popularity among crooks. And finally, are some white hats approaching a line they shouldn't cross? We also hear from the University of Maryland's Markus Rauschecker, who discusses critical infrastructure's cyber risks and responses. http://thecyberwire.com Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Is the ISIS narrative losing some charm as it comes up against actuality? European governments show double-mindedness over privacy and surveillance. Malware authors make their products warier and more evasive. WordPress-based ransomware campaigns continue unabated.
Starting point is 00:02:15 And just because you wear a white hat doesn't mean the law will necessarily recognize you as a good guy. This is John Petrik, the CyberWire's editor, here in Baltimore, filling in for Dave Bittner with your CyberWire Daily Podcast for Friday, February 5th, 2016. Reports from U.S. intelligence sources suggest a weakening of ISIS in its core territories. The causes of such weakening, if real, are complex. They may include competition from a resurgent al-Qaeda, particularly in the Sahel and Afghanistan, an ISIS pivot to operations in Libya, encouragement of international recruits to stay home and work terror there, and simple combat attrition. But from the point of view of
Starting point is 00:02:58 information operations, perhaps the most encouraging sign to ISIS opponents is a rise in desertions. The realities on the ground are increasingly seen on that ground as disconnected from the self-proclaimed caliphate's aspirational messaging. Concerns about terrorism, largely centering on ISIS but extending to other groups as well, continue to prompt governments to push for more comprehensive surveillance powers. Poland has just enacted a law assuming such power and has done so in explicit response to the rising threat of Islamist radicalization and terrorism. The EU is not happy about the new laws,
Starting point is 00:03:33 but Poland is probably more bellwether than outlier in European surveillance policy. The United Kingdom and the United States are in talks about extending the UK's ability to serve wiretap warrants in the US. US officials seem surprisingly receptive to the proposal. Researchers looking into newly evolved strains of malware find that malcoders are paying increasing and increasingly effective attention to evasion and obfuscation. Trustwave, for example, describes how the Neutrino Exploit Kit is now using OS fingerprinting to screen out devices
Starting point is 00:04:05 that may be collecting information on the kit for purposes of defense, reverse engineering, and so on. Specifically, Neutrino is parrying Linux machines, which are favorites of security researchers. And Palo Alto Networks describes a new custom backdoor they're calling T9000 that's adopted some fairly snazzy anti-analysis techniques. T9000 identifies, Palo Alto reports, some 24 security products and then customizes its installation to evade analysis. T9000 is the latest member of the T5000 malware family, also known as PLAT-1. Its earlier variants have been in use at least since 2013, when Cylance reported on its use by what it called Grand Theft Auto Panda.
Starting point is 00:04:48 FireEye researchers also found the malware distributed in 2014, and the bait in that case was the disappearance of Flight MH370. The ransomware campaign afflicting WordPress sites continues today, and researchers are still trying to get a good handle on its origins and the specific methods of infection it's using. The campaign's motive, however, is quite clear, and that motive is extortion. Victims find themselves enmeshed in TeslaCrypt ransomware. So this is probably a good time to revisit the ways in which enterprises can protect themselves against ransomware.
Starting point is 00:05:22 Dark Reading offers a convenient summary. Authenticate inbound email, harden your email servers, consider ad blocking, monitor file activity, and have a good, current, sound, and well-exercised response plan in place. We'd add one more to their list, and this works for individuals as well as enterprises. Back up your data. A great deal of ransomware gets its foothold in a device through social engineering. The Cyber Wire's Dave Bittner spoke earlier this week with the Johns Hopkins University's Joe Kerrigan about social engineering. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son, but her maternal instincts
Starting point is 00:06:10 take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:06:54 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second,
Starting point is 00:07:40 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me is Joe Kerrigan, Senior Security Engineer at the Johns Hopkins Information Security Institute.
Starting point is 00:08:27 They're one of our academic and research partners. Joe, it strikes me that no matter the amount of automated security we have for our systems, we still have to deal with the issue of the person sitting in front of the machine. Right, the people, the weakest link. Sort of defining that, I mean, we talk about, I know this is one of your favorite subjects, social engineering. Yeah, social engineering is fascinating to me. Just the psychology of getting people to tell you information that they're not supposed to tell you. I have a friend who used to work for a company probably about two decades ago, and their security audit had a very interesting component to it.
Starting point is 00:09:01 They would call into the company that they were auditing. They would be very honest with the people. They'd say, I'm from company X. I'm contracted with your company, and we're doing a security audit, and I need to know your username and password. And 25% of the people would tell them their username and password as part of a security audit. Oh, my. Yeah, you just failed the audit. But let's break that down a little.
Starting point is 00:09:24 It seems to be so straightforward as to be almost absurd. But on the other hand, if someone calls and says, I'm from security, it would be easy to not think twice about that. Correct. Yeah, people are trusting generally. And that's what I mean about being fascinated by the psychological aspect of it. There's another article that I read recently where somebody was saying, why would I spend time and effort reverse engineering someone's password when I can just call into the organization and ask 10 people and one of them will give me the username and password? So how big a threat is this? I mean, is it compared to, you know, like I said, the automated attacks coming in, how big a component
Starting point is 00:10:03 is social engineering? It's a big component because if I can get someone's username and password, I can actually get into the network immediately without any more delay. So it is a large portion of where people are focusing now. And there's some people, some of whom I've known, when I've worked with companies that did security audits, who are very, very good at just talking their way into things or talking people out of things. They're masters at it. It's almost like a Jedi mind trick.
Starting point is 00:10:33 So there's an art as well as a science. Absolutely. This is very much an art. So if I'm a company and I'm trying to protect myself against these kinds of attacks, is it a matter of training my people? What can I do? It is a matter of training your people.
Starting point is 00:10:46 And that's pretty much all you can do. Because if you have people who are giving out username and passwords, that's a real problem. You have to educate everybody that nobody ever needs your password to get your information. It's something that nobody ever needs to use. And if I'm an administrator of a system, I don't need your password to access your files. I can either get the access or I can change your password. Joe Kerrigan from Johns Hopkins University Information Security Institute. Thanks again for joining us.
Starting point is 00:11:12 My pleasure. We finish with two stories that may be about white hats or black hats. You be the judge. A Drydex botnet is showing some odd behavior. Instead of sticking to its customary last of passing out a banking Trojan, the botnet is instead replacing the usual malicious links with an installer for Avira antivirus. Avira is a legitimate security product. Now, whoever is doing this isn't Avira.
Starting point is 00:11:39 And Avira also notes that people who've gone to the installer have received a valid signed copy of the antivirus software instead of the malicious Trojan. Why this is being done is equally mysterious. It could be a malicious actor seeking to, quote, mess with the heads of security firms, unquote, as The Register puts it. But Avira thinks that unlikely. It seems more probable that a white hat vigilante is at work. So, nice motive, but as Avira points out, this kind of activity is illegal in an awful lot of jurisdictions. This isn't the first time an Avira installer has replaced a malicious payload. The phenomenon has been observed before with both CryptoLocker and TeslaCrypt. And on the subject of
Starting point is 00:12:16 well-intentioned but probably illegal behavior, CSO interviews a guy prudently identified only as Seth, who set out to pwn tech support scammers. Seth has set up an old plausible-looking box as his honey trap adjunct. When the scammers call, he pretends to swallow their fish bait, then lets them take over his machine and have their way with it.
Starting point is 00:12:36 After some minutes of this, Seth says, I call BS on the guy. And this angers the scammer, who then proceeds to take as much of the bait box's contents as he can scoop up. Some of those contents consist of about two dozen malware samples stored in the documents folder. Seth, of course, doesn't know if his whack-back hit the bad guy target,
Starting point is 00:12:56 but he seems to have found it a satisfying experience. Again, quite likely illegal in many, even most jurisdictions, so kids, really, don't try this at home. You'll break your mother's heart. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:37 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:14:52 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
