CyberWire Daily - Ukraine accused Russia of renewed hacking by BlackEnergy actors. ASLR bypass proof-of-concept reported.  Notes from RSA, and an update on Android gunnery malware.

Episode Date: February 16, 2017

In today's podcast, in addition to notes from RSA, we hear some fresh accusations of Russian government hacking from Ukraine. Threat actors adapt. ASLR bypass exploit demonstrated. Yahoo!'s acquisition by Verizon appears likely to be deeply discounted. From RSA, notes on coming industry consolidation. Dale Drew from Level 3 Communications offers a strategy for choosing security vendors. James Lyne from Sophos provides his take on the RSA conference from the show floor. An update on the Popr-D3 Android malware. How they name the bears. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Fresh accusations of Russian government hacking from Ukraine. Threat actors adapt. ASLR bypass exploit is demonstrated. Yahoo's acquisition by Verizon appears likely to be deeply discounted.
Starting point is 00:02:09 From RSA, notes on coming industry consolidation, an update on the Popr-D3 Android malware, and how they name the bears. I'm Dave Bittner in San Francisco with your Cyber Wire summary for Thursday, February 16, 2017. Ukraine yesterday accused Russia of conducting new cyber attacks on Ukrainian infrastructure. Alexander Tukhachuk, chief of staff of Ukraine's security service, said at a press conference that Russian intelligence services were orchestrating a campaign that enlisted the aid of both security firms and criminal hackers to attack Ukraine's energy and financial sector. He claimed the intelligence Ukraine had developed suggested that the threat actors were those responsible for the BlackEnergy malware implicated in earlier attacks on his country's power grid.
Starting point is 00:03:15 CrowdStrike CTO Dmitry Alperovitch has been describing how threat actors, again principally Russian ones, have adapted their tactics since last year's influence operations directed against U.S. elections. Alperovitch sees a trend. Hackers are likelier than before to release compromising information taken from their targets, and they're showing a new readiness to alter that information before disseminating it. Researchers at VU have published a method of bypassing the address space layout randomization protections, that's ASLR, that's in major browsers and operating systems. Should this exploitation method be confirmed, it would have serious general implications for security. We'll be following the developments as they become available. In industry news, Yahoo may
Starting point is 00:03:58 be reducing the asking price in its planned acquisition by Verizon. Reports suggest Yahoo may now be willing to accept more than $300 million less than initially planned. The reduction is seen as having been a result of the very large breaches Yahoo disclosed last year. Western security, intelligences, and diplomatic services, especially in the U.S., are making a renewed, concerted attempt to counter ISIS messaging. RSA, now in its penultimate day, continues its exploration of security industry themes. The prospect of consolidation with its attendant concerns and perceived opportunities is much in the air this year. That was indeed the topic of a keynote yesterday by Palo Alto Network CEO Mark McLaughlin. He called it the coming disruption, and he predicted that industry consolidation would emerge from improved security as a natural outcome.
Starting point is 00:04:55 Alluding to the common complaint that enterprise security teams struggle with too many unintegrated point solutions, McLaughlin predicted that, quote, Point Solutions, McLaughlin predicted that, quote, the measure of the industry's success would be instead of people saying, I have 20, 30, 40 vendors, and I have to figure out how to handle that, they'll say, I have 400 vendors, and I'm good with that, end quote. He argued that this happy state would come about as vendors developed, quote, better ways of consuming their value proposition, end quote, and that better way would consist of turning the product on. He foresees the security industry being transformed by increased cooperation, especially in threat intelligence,
Starting point is 00:05:34 and that this transformation would come about when people realize that everyone doesn't have to be the platform. It's fun to wander the aisles of the RSA conference and try to get a sense for what the overarching themes might be this year James Line is Global Head of Security Research for Sophos and we caught up with him on the show floor There's a lot of focus here on the tactical but important issues ransomware, people have realized it's a big issue for companies so of course it's showcased here.
Starting point is 00:06:05 There's a lot of focus as well on machine learning, adaptive learning, and the use of data science in driving better security. That's been a really exciting area that we've embraced over the past couple of years and is undoubtedly one of the big hot topics here. And I think that probably will be one of the big hot topics over the next couple of years as well, because it can be applied to so many different areas of security, so many different types of user policy or detection at each of the layers. I think we're really only
Starting point is 00:06:37 at the beginning of the journey in application of that to security. I would say to anyone listening, don't rest on your laurels as to the approach to security that has to be taken. We're in a fascinating time where there's a lot of disruptive approaches, a lot of interesting new tactics for dealing with old threats and new alike. Challenge your vendors with how they're solving problems more innovatively, and make sure that your implementation is as simple as possible. Complexity is ultimately the greatest enemy of security. Make your life easier. Focus on the high-value problems. That's James Line from Sophos. line from Sophos. We'll have more reports on the conference tomorrow and early next week,
Starting point is 00:07:30 but we did want to close by adding some clarification to a story that attracted much attention earlier this year. CrowdStrike's report that the Russian army was using Android malware to target Ukrainian artillery units operated in the Donbass. We were able to catch up with CrowdStrike and discuss their research. We confirmed that the compromised app in question, Popper D30, is in fact a technical fire direction application, a gunnery program that computed the technical solution to be applied to the guns themselves, enabling them to deliver indirect fire against the targets they've been ordered to engage. It was developed to replace the older, slower, more cumbersome manual computations done with charts and slide rules. The malware did not, as had been widely reported, although not by
Starting point is 00:08:11 CrowdStrike, extract GPS data from the devices of Popper D30 users. It did collect information that would be useful in deriving some order-of-battle intelligence. More interestingly, it collected course location information about the compromised device. Such information isn't precise enough to generate a target, but it does provide a very useful target indicator that could then be confirmed and refined by more precise methods of observation – drones, radar, forward observers, and so on. Pulling course location only also offered the attackers a measure of stealth. Extracting more precise geolocations would have drawn down device
Starting point is 00:08:51 batteries more quickly, possibly arousing user suspicions. The advantages of an app that can compute gunnery data are obvious. Only the most paranoid operator would counsel a return to charts, pins, protractors, and slide rules. That said, there's no doubt someone in the basement of Fort Sills' Knox Hall is mulling exactly that. Oh, and one more thing. How does CrowdStrike name the bears it finds? The honor goes to the researcher who discovers the threat actor. Thank you. with purpose and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:10 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber
Starting point is 00:10:50 for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:11:38 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Dale Drew. He's the chief security officer at Level 3 Communications.
Starting point is 00:12:18 Dale, you wanted to share some specific advice when it comes to choosing and hiring your cybersecurity providers? Yeah. So we recently wrote a blog on this to sort of put this concept out there. But in essence, our theory is with security being as competitive as it is, with the resources being as thin as they are, and with the bad guys being as capable as they are, and that capability evolving at a more rapid pace than we've ever seen before, the sort of theorem that we're posing out there for dialogue is, why would you hire your own security capability and organically try to not only grow and evolve that capability, but try to respond to the sophisticated landscape rather than give that capability to a third party. So if you take a managed security provider, most managed security providers not only have to have
Starting point is 00:13:22 a fairly significant compliance regimen, they also serve a significant number of industries. So they have a pretty cross-domain set of expertise associated with fighting security threats. who's vetted the security product capability landscape already, who has cross-domain expertise and can see threats in industries before they hit your industry, and who has solved the hiring problem associated with that finite set of resources in solving cybersecurity problems. And it's pretty much the same mentality that people have today with regards to how they hire security guards. They don't hire their own security guards as employees. They contract that out through a third-party service because that's a capability they don't want to be good at. They want to be good at their core business. And we think it
Starting point is 00:14:18 should be the same for security, especially as those threats evolve and especially as those threats are not specific to individual companies anymore, but they're specific to industries, we really think companies have a responsibility to spread that capability across your managed security providers. You know, the argument I often hear on the other side of that is that people say, well, that's great, but I really want to be in control. I need to have control. Yeah, and I would say, you know, if you're – well, I mean, I would argue the other way. I would argue if you want to take a bus to work, you don't have to be the driver. You know, you want to be a passenger on that bus and you want to give the expertise to that driver and i would say security has evolved to the point now where you almost have a a fiduciary responsibility not to be an expert in that field because you can only be an expert
Starting point is 00:15:18 up to your individual total capability whereas a managed service provider who's got capability across multiple industries and multiple domains has no choice other than to be experts across that entire field. And you get the overall benefit from that. If I have a dollar of investment, I'm having to spend more of that dollar in the sort of niche security capability to protect my company than I am my core responsibility. And so I'd say from a budgetary perspective, you have a responsibility from an investment perspective to spend that dollar the wisest way you can. And the wisest way you can is to give it to someone who already is an expert in that field and who can provide that capability better than you can today.
Starting point is 00:16:06 All right. Dale Drew, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
Starting point is 00:17:03 of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to
