CyberWire Daily - Vault7 leak: Brutal Kangaroo toolkit. Data breach and ransomware updates. Notes on code audit requirements.

Episode Date: June 23, 2017

In today's podcast we hear about how Brutal Kangaroo has hopped out of Vault 7—don't let it poke your device with a thumb drive. Big data leaks wind up being traded on the black market. The dangers of careless configuration of an S3 bucket. Ransomware remains pricey. It can also serve as misdirection. Dale Drew from Level 3 Communications shares lessons from WannaCry. Darron Gibbard from Qualys offers his take on the EU's GDPR. Software companies receive and respond to code audit requirements as a condition of doing business in Russia.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A brutal kangaroo hops out of Vault 7. Don't let it poke your device with a thumb drive. Big data leaks wind up being traded in the black market.
Starting point is 00:02:07 The dangers of careless configuration of an S3 bucket. Ransomware remains pricey. It can also serve as misdirection. Software companies receive and respond to code audit requirements as a condition of doing business in Russia. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 23, 2017. Don't put that in your mouth. You don't know where it's been. I remember my mom telling me that. You know what? Those are words to live by, and I did.
Starting point is 00:02:39 Well, I usually did. Well, let's update that, and you'll see why in a moment. Don't put that in your USB port. You don't know where it's been. In its now-familiar Friday ritual, WikiLeaks dumped another set of documents from its Vault 7. These purport to be a toolkit the US CIA assembled to use against air-gapped systems. Air-gapped sounds deeply sinister, almost telepathic,
Starting point is 00:03:02 and there have been demonstration hacks of air-gapped systems that used, if not paranormal, at least clever and surprising approaches to their targets. But the reality here is more mundane. The tool described in the leak used USB drives to get into its targets. So effective, but essentially a technique that depends upon the human weaknesses of curiosity and misplaced trust that have haunted us since snakes were suggesting fruit selections to our foremothers or since Pandora decided to take a peek. Still, a timely reminder, don't stick thumb drives into your devices unless you know where they've been.
Starting point is 00:03:37 And look, know where they've been doesn't mean, hey, I just got this from Cozy Bear. It means you know it's safe. We mention Cozy Bear because we like animals and animal-themed names. Around here, B-Y-O-D generally means bring your own dog, but the toolkit is alleged to be an American and not a Russian caper. Yet it, too, has a totem animal. Brutal kangaroo. Why?
Starting point is 00:04:01 Well, who knows. But then kangaroos do box, so maybe this one is like the Max Bear of marsupials. A very large database of some 800 million email credentials offered for sale in dark web markets since October has been traced to Russian criminals. It's not only for sale, but it's on sale. The Times says it can be had for as little as two pounds. Many British accounts are on the block. Postmortems of the Deep Root Analytics
Starting point is 00:04:30 voter data exposure see poor configuration of an Amazon S3 bucket as a sufficient explanation of the incident. The data was collected under Deep Root's contract with the U.S. Republican National Committee. After vanishing for a time, Locky ransomware is back. This general kind of attack continues to exact a financial cost. A South Korean web hosting firm paid the Erebus threat actors around $1 million to recover their data, but it can also serve other purposes. The WannaCry furor, for example,
Starting point is 00:05:01 appears to have served as misdirection for a data theft campaign. Gamers unable to reach their Final Fantasy online platform should know that it's not you, it's them, and them means some unknown third party who's been subjecting Final Fantasy to a distributed denial-of-service attack. Reuters reports that U.S. firms are complying with Russian government requirements that they share their source code as a condition of doing business. That's disturbing, but it's also not unexpected or even unusual. China has long sought to exact similar arrangements from companies wishing to do business there. The official reason is always security.
Starting point is 00:05:40 The governments want to ensure that code used within their borders doesn't bring security risks in with it, and to some extent that's no doubt true. There are doubtless other motivations at play. They wish to establish a favorable national trading position with domestic competitive advantage, interest in reverse engineering foreign products, and so on, but the requirement isn't unprecedented. Americans are skittish these days about most things Russian, and not without reason. Reuters, however, points out the market reasons for compliance.
Starting point is 00:06:11 Quote, From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market. End quote. The companies also say they've taken steps to minimize the risks associated with exposing their code. Quote, Such audits occur in the U.S. too, albeit in the limited context of defense contracting and other sensitive work. And calls for code audits have been recently woofed
Starting point is 00:06:45 from Capitol Hill in the direction of Kaspersky Labs, the Russian security vendor whose products are widely used in the U.S. and elsewhere. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:07:09 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:07:42 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part
Starting point is 00:08:51 of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney Plus. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Starting point is 00:10:01 Dale, welcome back to the show. As we think about WannaCry, and as WannaCry sort of fades a bit into our rear view mirror, you had some thoughts about how we look back on it and what it can tell us about the future. You know, I think WannaCry is just a great example of the time for us to use adult attention span to solve global problems. You know, what happens is when there's a flash of an instant and we all get together, we all try to solve the problem. We all try to repair the issue. And then the moment that that issue dies down, we're on to the next problem. And things like WannaCry really signal sort of what the future holds for us. You know, the difficult thing about WannaCry is it was a very unsophisticated collection of code.
Starting point is 00:10:45 It was someone who had just taken piece parts and put together various components of code. There was a lot of bad code. The algorithm to determine which Bitcoin wallet it was going to use wasn't working. So it didn't make the bad guys as much money as they had hoped. The algorithm to scan for other victims wasn't working properly. And so it could have spread much deeper than it did. But nothing really stopped that capability from being used by an adversary who wanted to wreak havoc on internet infrastructure and just encrypt the internet as
Starting point is 00:11:19 we know it and hold it for ransom. Between that and the fact that things like WannaCry are using protocols like Tor, and we as a security community are not really prepared to be able to track, you know, sort of malware activity through Tor, it's really a time for us to sort of, you know, wake up as a community and get a lot more proactive in stopping those sorts of attacks. I think WannaCry signals two things. I think WannaCry signals two things. I think WannaCry signals to organized crime that if they really want to make a lot of money at using exploits, there is a significant inventory of deep entrenched exploits from the NSA and the CIA releases that are going to allow organized crime to weaponize those and do another global ransomware attack again that has all those pieces fixed.
Starting point is 00:12:12 It also allows a nation state to decide that if they want to cause havoc in a specific country or the internet as a whole, that they now have sort of the mechanism and the avenue to do that. Imagine everyone's laptop being encrypted or desktop being encrypted or data center being encrypted with absolutely no mechanism to be able to recover. We keep on hearing very, very sophisticated sort of advice on how to detect and prevent against things like ransomware, things like WannaCry. But it really is just a matter of us getting back to the basics. Not only do we need to collaborate more as an ecosystem and get proactive and be able to stop these things, we need the attention span to figure out as bad guys of all their tools, how we respond to that as a community. And then on ransomware specifically,
Starting point is 00:13:02 just really get back to the basics. Don't click on links that you don't directly trust and back up your data. And I think that if we can sort of address those sort of really sort of fundamental issues, that we're going to be a lot more capable as a community to protect critical data on the Internet. Dale Drew, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:13:43 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Darren Gibbard. He's the Chief Technical Security Officer at Qualys, a provider of cloud-based security and compliance solutions. Prior to his position with Qualys, he was the head of enterprise risk and information security services for Visa Europe.
Starting point is 00:14:31 He joins us today to discuss the GDPR, the EU's General Data Protection Regulation. General Data Protection Regulation has been enforced or enforced since 2016, so last year. The regulation itself has been worked upon by various governing bodies in the EU since 1998. Each of the regions within or the countries within the European Union have had their own data protection regulation and have been working on that in the case of the UK since 2002 and have had the General Data Protection Act since then. been working on it and working with basically the various different governing bodies within the EU in Germany and in the UK in Ireland in France and all the various regions and has been working on that as soon as 2002 and been amalgamating and getting the regulation together and since it came into mandatory requirements since 2016.
Starting point is 00:15:46 So organisations are preparing and they are preparing for the regulation and have been working very, very hard in the last 12 months. And in a lot of cases, a lot longer than that, have been working on and with their regional regulators basically on the regulation for probably two to three years on average within European organizations preparing themselves. And there's a number of steps that need to be taken by organizations to basically make sure and ensure that they become compliant with the regulation. And a lot of it is around basic security good practices. So practices that organizations should already have in place and should be operating in their sector or their vertical that they operate within.
Starting point is 00:16:41 Is there a sense that organizations are going to be ready? If you'd have asked me a year ago, I'd have said no. If you asked me recently when I engage with CISOs and I talk to CISOs and CIOs in various organizations, yes, they will be. I think there has been a lot of focus in the last 12 months, basically, within the regulatory bodies, within the vendor space that has been helping organizations prepare for it. 90%, 95% of organizations will be ready to go by the May 25th, 2018. And as far as organizations that are outside of the EU, what is your expectation for how this is going to affect them? I firmly believe that it will affect them just as much as what it affects the organizations within the EU itself. So it's ensuring that EU citizen data is protected wherever it goes
Starting point is 00:17:36 across the globe. PwC did a very good article last October in the US where they interviewed over 2,500 organizations within the US. And the average spend per organization was a million dollars on preparing for GDPR and making sure that their organizations were ready. And that's across obviously multiple sectors, obviously multiple sectors, multiple size organizations. So if the U.S. is leading by example, then, you know, obviously Australia are working well towards it. I was down in South Africa basically three weeks ago. They're preparing for it.
Starting point is 00:18:28 So if I'm totally honest, I probably think everybody outside of the EU is better prepared for the GDPR than what they are within the EU. Why do you say that? Just because of the understanding of the budgets that are being spent and the preparation that's being put into making sure that the citizens' data is separated and is understood and is known and where that data is going and how it's being used within the organizations that are processing it. So when the May 2018 deadline arrives, how do you see this playing out? Do you suspect that it'll probably be a non-event or will we expect to see some organizations paying hefty fines? I'm hoping it'll be a very quiet event and basically a bit like Y2K and basically it will become a non-event and just be everything will carry on as per normal. From my perspective, I think it will be business as usual. So organizations that are already under regulatory regime will be prepared, will be ready, and will be basically
Starting point is 00:19:29 ready to go. Organizations that are not so used to the regulatory regime will have a lot more work to do to get themselves used to the language of the regulation and to understand what the impacts would be to their respective organizations. Do you suspect that there are going to be any unexpected consequences of the new regulations? I think there will be. I think there will be a positive for cybersecurity, information security, and IT security teams. In a lot of cases, with things like privacy by design and privacy impact assessments, security teams have been left out of the project management of future development strategy conversations within respective organizations.
Starting point is 00:20:14 And I think this is an opportunity for the security industry to mature and to grow up and to finally have that C-level, C-suite presence. Because what the cyber, the security teams, the CISOs, the CIOs are going to be protecting the organizations and protecting the CEO from breach, from massive regulatory fines. So I think, you know, I've been in this industry for 25 years now. I think it's now finally with the incoming GDPR, the regulation, I think it's going to actually improve. And I think it's going to make the CISO's role a lot more important within organizations. The UK Information Commission has a very good 12 steps to take now document that is a good document to refer to and reference for any organisation. And it just highlights what organisations need to be prepared for and what they need to be doing.
Starting point is 00:21:19 So I think that would be a good reference document to use. That would be a good reference document to use. You know, basically, it's a horrible yellow color. But apart from that, it's basically quite a nice document that gives you quite, you know, the steps to any organization, whether they be a small, you know, small 10-man organization through to 50,000, 60,000 employee organizations or hundreds of thousands of employee organizations need to take. That's Darren Gibbard from Qualys. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. hacked. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:22:52 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
