CyberWire Daily - Updates on Cozy Bear and Shamoon tradecraft. Crypto wars flare in the UK. FBI warns of attacks against FTP servers. Typosquatting, scareware, and other problems.
Episode Date: March 28, 2017

In today's podcast, we hear how Cozy Bear slips through with domain fronting. Shamoon's infection methods are revealed. The crypto wars flare over not-so-lone wolves, but there are some genuine lone wolves out there as well. Medical and dental practices warned against attacks on FTP servers. A networked sterilizer is, well, digitally unhygienic. Docs dot com search functionality temporarily disabled. Remember, if you want to reach the G-men, it's FBI dot GOV, not dot com. The UMD Center for Health and Homeland Security's Ben Yelin examines a case where a defendant's expertise is being held against him. Brian Brunetti from Route1 warns about VPN insecurity. Scareware hits iOS users. And a Brooklyn prosecutor gets bad advice from the old heart.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cozy Bear slips through with domain fronting.
Shamoon's infection methods are revealed.
Crypto wars flare over not-so-lone wolves, but there are some genuine lone wolves out there as well.
A networked sterilizer is, well, digitally unhygienic.
Docs.com's search functionality is temporarily disabled.
And remember, if you want to reach the G-men, it's FBI.gov, not.com.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 28, 2017.
FireEye offers some insight into how APT29 evades detection. APT29 is also known as Cozy Bear, that is, by general consensus, Russia's FSB. The threat actor uses domain fronting to disguise traffic with the appearance of its being directed to a host allowed by network censors. Domain fronting has also been used by less sinister organizations to bypass government censorship. The technique is ambivalent. It can be used equally to protect people operating anonymously under conditions of repression and to insinuate espionage tools on behalf of repression itself.
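The mechanism behind that item, and the check a defender would run against it, as an added example that is not part of the podcast or of FireEye's report. The client opens TLS to a host the network permits (the SNI and the outer destination), and only the encrypted HTTP Host header names the real tenant on the same CDN. The log format, the hostnames and the CDN names below are constructed for the demo; the registrable-domain helper is a deliberate simplification noted in its docstring.

```python
"""Domain fronting, request side and detection side.

Request side: the TLS ClientHello carries the front host in SNI, while the
HTTP Host header inside the tunnel names the real destination.

Detection side: a TLS-terminating proxy that logs both the SNI it saw and the
Host header it decrypted can flag the mismatch. Log records and hostnames
here are constructed sample data, not from any real capture."""

from dataclasses import dataclass
import json


def build_fronted_request(front_host: str, inner_host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request sent inside a TLS session whose SNI is `front_host`.
    Only the Host header reveals `inner_host`, and that header is encrypted, so
    a censor or proxy that trusts SNI alone sees only the front."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {inner_host}",
        "User-Agent: example/1.0",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'cdn.example.net' -> 'example.net'.
    Simplification: ignores multi-label public suffixes such as co.uk; pair
    this with a public-suffix list before relying on it in production."""
    host = host.lower().rstrip(".").split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Finding:
    src: str
    sni: str
    host: str
    reason: str


def detect_fronting(log_lines):
    """Scan JSON records (one per line, hypothetical schema) with 'src',
    'sni' from the ClientHello and 'host' from the decrypted request.
    A Host outside the SNI's registrable domain is the fronting signal;
    same-domain differences (www vs static) are common and not flagged.
    A missing SNI or Host is reported separately as a lower-confidence hit."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        src = rec.get("src", "?")
        sni, host = rec.get("sni", ""), rec.get("host", "")
        if not sni or not host:
            findings.append(Finding(src, sni, host, "missing sni or host"))
            continue
        if registrable_domain(sni) != registrable_domain(host):
            findings.append(Finding(src, sni, host, "host outside sni domain"))
    return findings


# Constructed sample records: the last two are the ones that should be flagged.
SAMPLE_LOG = """
{"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"src": "10.0.0.5", "sni": "www.example.com", "host": "static.example.com"}
{"src": "10.0.0.9", "sni": "cdn.allowed-front.net", "host": "c2.attacker-tenant.org"}
{"src": "10.0.0.9", "sni": "", "host": "c2.attacker-tenant.org"}
"""

if __name__ == "__main__":
    print(build_fronted_request("cdn.allowed-front.net", "c2.attacker-tenant.org").decode())
    for f in detect_fronting(SAMPLE_LOG.splitlines()):
        print(f"{f.src}: sni={f.sni!r} host={f.host!r} ({f.reason})")
```

The detection only works where something can read the decrypted Host header, which in practice means a TLS-terminating proxy; a passive sensor sees the SNI alone and has no mismatch to compare against. That asymmetry is exactly why the technique works for both the censorship-evasion and the espionage use the podcast describes.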
Palo Alto researchers have determined how Shamoon spreads its destructive payload. Its operators use a mix of legitimate tools and batch scripts to download it to host names the attackers know exist on the target network. This had hitherto baffled observers, but Palo Alto and others continue to work through the attackers' tradecraft, and that tradecraft is becoming clearer. Shamoon, you will recall, was first discovered in use against Saudi Aramco in 2012.

The reprehensible Westminster attacks in London have caused the crypto wars to flare in the United Kingdom. Home Secretary Amber Rudd called for restrictions on encrypted communications, particularly on services like WhatsApp. Her remarks came in a radio interview, but she appears, at least for now, to have joined U.S. FBI Director James Comey among the crypto-skeptical dead-enders.
Most industry observers think encryption solves far more problems than it creates, but it does at times give investigators problems, as it may have in the Westminster attacks. It still appears the perpetrator was less lone wolf than a loosely inspired cell member. Israeli police continue to investigate the motives of the man they arrested in connection with online threats against Jewish community centers in the U.S. and elsewhere. This one does seem to be a genuine lone wolf, the disaffected individual acting out of some as yet undetermined personal grievance. Whatever his motives were, they're unlikely in the extreme to have included jihad.

Two warnings are out to the health care sector. First, the U.S. FBI has warned that malicious actors are attacking FTP servers to establish access to protected health information belonging to medical and dental patients. The motive is apparently a mix of extortion, harassment, and potential identity theft. Second, and this one's an IoT story, researchers at Schneider & Wolf have found that the embedded web server in the Miele Professional PG8528 is vulnerable to directory traversal attack. There's no patch yet, so if you use one of the devices, your best bet for now is to disconnect it from the internet. Observers have been noting the irony of a washer-disinfector used to sterilize biomedical instruments being the occasion of bad internet hygiene.

It's a pretty common security practice to use a VPN, a virtual private network, to provide a secure connection to your enterprise network when working remotely. Brian Brunetti is president of Route1, and he says VPNs provide a false sense of security.
There's a lot of risk that goes with a VPN and a lot of trust. And that's where just blindly using VPNs is very concerning for us.

Help me understand. So it's not so much that the actual connection that the VPN is providing between the endpoint and the secure network is itself insecure. It's that the connection is happening at all that opens up the opportunity for insecurity?

That's right. So if we walk through the connection process, the first thing is that trusted network that you're going to connect to with your VPN client, they've had to open inbound ports on their firewall to facilitate a VPN connection. But ultimately, I'd say the biggest risk with VPNs is once that connection is established, you effectively have full network access at that point. So wherever that user is, wherever they're connecting from, that trust that's been implied through the authentication process allows them network access, and in both directions. So if that user is a malicious actor, they now have the ability to introduce malicious things into the network. And conversely, they now have the ability to remove things such as sensitive data and information from that network.

And so take me through, what are the types of things that you recommend?

The first piece is the authentication and confirming the individual is who they say they are. We think that it's critical that you identify that the individual using that device is the appropriate individual and that they have the entitlements to do what you're about to grant them access to do. And then if what the user actually requires is that teleworking or mobility or that full desktop experience, there's ways to facilitate that where you don't need to provide them with a VPN. So as an example, we have a technology called MobiKey, where it facilitates that secure remote access without opening up any inbound ports on the firewall. And the way that that secure mobility is delivered is effectively that the user's provided the image or the screen of the desktop that they're controlling in the network, the secure desktop, and then we detect their typing and their mouse movements, and we deliver that back to the secure desktop. So we provide the full capability to the user without any of those inherent risks of a VPN. So you're not dealing with data at rest or data in transit with that approach.
That's Brian Brunetti from Route1.
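Returning to the Miele PG8528 item above: the podcast says only that the device's embedded web server has a directory traversal flaw, and the product's server code is not public. What follows is an added example written for this page, not the vendor's code: a minimal file handler with the classic traversal bug beside a hardened version, run against a URL-encoded `../` payload in a throwaway document root. The directory layout, file names and the "secret" contents are invented for the demo.

```python
"""Directory traversal in an embedded web server.

The vulnerable handler joins the URL path onto its document root, so '../'
sequences (plain or URL-encoded) walk out of the root. The hardened handler
resolves the path and refuses anything outside the root. Added example, not
the affected product's code; the document-root layout is constructed here."""

import os
import tempfile
from urllib.parse import unquote


class TraversalError(Exception):
    """Raised when a request path resolves outside the document root."""


def serve_vulnerable(root: str, url_path: str) -> bytes:
    """Typical embedded-server bug: decode, strip the leading slash, join.
    os.path.join keeps '..' components, so the only 'check' left is whether
    the target file exists."""
    rel = unquote(url_path).lstrip("/")
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()


def resolve_under_root(root: str, url_path: str) -> str:
    """Decode once, normalise with realpath (collapses '..' and follows
    symlinks), then require the result to stay under the resolved root.
    os.path.commonpath compares whole components, which avoids the
    string-prefix trap where '/srv/www2' passes a startswith('/srv/www')."""
    root_real = os.path.realpath(root)
    rel = unquote(url_path)
    if "\x00" in rel:  # a NUL would truncate the path in a C-based server
        raise TraversalError("NUL byte in path")
    full = os.path.realpath(os.path.join(root_real, rel.lstrip("/")))
    if os.path.commonpath([root_real, full]) != root_real:
        raise TraversalError(f"{url_path!r} escapes the document root")
    return full


def is_under_root(root: str, url_path: str) -> bool:
    """Boolean form of the check above, for request filters and tests."""
    try:
        resolve_under_root(root, url_path)
        return True
    except TraversalError:
        return False


def serve_hardened(root: str, url_path: str) -> bytes:
    """Same file handler, but every path goes through resolve_under_root."""
    with open(resolve_under_root(root, url_path), "rb") as f:
        return f.read()


def demo():
    """Build a throwaway document root with one public file, plant a 'secret'
    one level above it, and fire a URL-encoded traversal at both handlers.
    Returns (vulnerable_leaked, hardened_blocked)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>status</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"device-admin-password")  # constructed sample data

    payload = "/%2e%2e/secret.txt"  # decodes to '/../secret.txt'
    leaked = serve_vulnerable(root, payload) == b"device-admin-password"
    blocked = not is_under_root(root, payload)
    assert serve_hardened(root, "/index.html") == b"<h1>status</h1>"
    return leaked, blocked


if __name__ == "__main__":
    print("vulnerable leaked=%s, hardened blocked=%s" % demo())
```

Two details matter more than the `..` check itself: decode exactly once (a server that decodes twice lets `%252e%252e` through a filter that only looks for `..`), and compare resolved paths component by component rather than by string prefix. Neither helps an appliance you cannot patch, which is why the advice in the podcast to take the device off the internet is the right one for now.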
Microsoft has temporarily disabled the search option on Docs.com, Redmond's publishing and file sharing service, out of concern that it could be used to trawl through published documents for sensitive information. Some observers see a problem in the service's default visibility setting, which is public. There are reports of compromises. Users are cautioned to look at and reconsider their settings.

Various bad guys are reported to be typosquatting on the domain name fbi.com. Remember, the FBI is at fbi.gov, not .com. Whitehouse.com caused a similar flurry of misunderstanding a few years ago. It led not to the citizenship and policy material presented by the real site, whitehouse.gov, but to an enterprising adult site.
And speaking of adult sites, iOS users visiting adult sites are being hit by scareware, the usual you've-been-found-downloading-illegal-content, and so on. The obvious defense is not to visit such sites, not that you would. And do remember that the consensus among experts concerning both ransomware and scareware hasn't changed. Victims should not pay.
Finally, the heart may have its reasons, which reason knows not. But wow, sometimes the heart really goes off the rails, if we may mix metaphors. For your consideration, a U.S. prosecutor in Brooklyn, if you must know, who was involved romantically with a detective, forges a judge's signature on a surveillance warrant so she can spy on her rival in what appears to have been a love triangle. The next time your heart tells you to do something like forge a warrant, hack a device, go somewhere likely to be infested by scareware, or surreptitiously install surveillance cameras, take it from our advice maven: don't listen.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, you know, we find ourselves visiting these online child pornography cases, and as much as the subject matter may be unappealing, the fact of the matter is that a lot of interesting legal things happen because of these cases. We've got a new one here from the Eighth Circuit Court. Bring us up to date on this one.
So this comes from an individual in Nebraska named Michael Huyck. He was convicted of multiple child pornography-related crimes, and it all stemmed from an investigation by the federal government using a network investigative technique. Mr. Huyck was using a Tor network. I think he was an IT administrator. And as we know, you have to have a relatively sophisticated amount of knowledge to operate the Tor network. He used that network to obscure his IP address and to access child pornography. What he has said in his defense is that the evidence gained from the original investigation has gone stale, and there's not enough hard evidence to prove that he himself was the person who accessed this pornography and who downloaded it on his computer. As part of his defense, he said his daughter was also home. He also said that this was an unsecured wireless network. So potentially one of his neighbors or somebody walking down the street could have accessed this information. The government has said, or the prosecution has said, because this person has specialized knowledge and knows how to access the Tor network, that's what makes him a particularly prime suspect. That in and of itself is sufficient evidence. So we see this situation where a person's professed knowledge, and he admitted that he has knowledge of Tor networks, ends up really hurting him in a court of law, because the very evidence that he knows how to use it, he knows the complicated procedures that go into accessing these websites, are one of the reasons that the federal government has good evidence on him.
And so where does it go from here?

Now that the evidence has not been quashed, his conviction will be upheld. And his only option at this point is to appeal the case to the United States Supreme Court. This was a federal case made into the Eighth Circuit. You know, I have no idea whether this issue is novel enough for the Supreme Court to consider it. But even so, I think the defendant's legal case here is not very strong. I mean, as a user, you have to download special software. Once you have that special software, you can't just, you know, do a Google search and end up on one of these websites. You have to know exactly where to look. You have to know the internet forums where people post the text files that give you instructions on how to use the Tor network to access these devices. You know, even if the evidence itself was stale, that's not in and of itself reason for it to be unreliable. And again, it was the evidence that this defendant himself had intimate knowledge of how Tor networks worked that particularly implicates him in downloading child pornography.

So another lesson is you're likely not as anonymous as you may think you are.
Absolutely. I mean, now that the government has learned how to deploy these network investigative techniques, it really cuts into the effectiveness of the Tor network. I mean, you can't fully obscure your IP address anymore. We know that the government has employed this NIT on Playpen, and this is the second website, Pedoboard, that I've heard of where they've employed this technique. And now that they know that it's such an effective tool, I'm sure they're going to be using it on any site they can possibly find.

Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.