CyberWire Daily - WannaCry, worm wars, ransomware pandemics, and a place for kill switches. And what might a cyber Pearl Harbor look like?

Episode Date: May 16, 2017

In today's podcast we follow the developing story of the WannaCry pandemic as it continues to unfold, with speculation about attribution focusing on the Lazarus Group. Why malware would have a kill switch. Throwbacks to the worm wars. The risks of unpatched, superannuated, or pirated software. Litigation exposure in the WannaCry affair. David Dufour from Webroot on the basics of exploits and scripts. Paige Schaffer from Generali Global Assistance reviews the Identity Theft Assessment and Prediction Report published by the University of Texas at Austin Center for Identity. Cyber Pearl Harbors, again—what might one actually look like?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The developing story of the WannaCry pandemic continues to unfold, with speculation about attribution focusing on the Lazarus Group, why malware would have a kill switch, throwbacks to the worm wars, the risks of unpatched, superannuated
Starting point is 00:02:09 or pirated software, litigation exposure in the WannaCry affair, and cyber Pearl Harbors again. What might one actually look like? I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, May 16, 2017. We continue to follow the developing story of the WannaCry ransomware pandemic. Enterprises of all kinds, worldwide, private, industrial, governmental, entered the week bracing for a renewed wave of WannaCry infections. The problem hasn't gone away, but attacks on the scale seen Friday,
Starting point is 00:02:47 and continuing until the now-famous kill switch was found and flipped, simply haven't materialized. It would, of course, be foolish to think we've seen the end of WannaCry and those behind it, but for now at least, the world seems to be in the recovery and remediation phase of the incident. So why did WannaCry have a kill switch in the first place? Researchers at security firm Cylance are looking into the ransomware, and they offer a preliminary observation that kill switches are holdovers from the worm wars of the early 2000s. That's when owners wanted to be able to dismantle their malware once it had met their goals.
Starting point is 00:03:21 The objective would be to keep the malicious code better targeted to, as Cylance puts it, keep it from going wild once it gets out. The kill switch would appear to be ambivalent, however, since it's easy to change. Cylance told us in an email, quote, Attackers can either hijack the kill switches by mutating the code to meet their needs or remove the kill switch altogether.
Starting point is 00:03:43 If the kill switch is hijacked, malicious actors can alter the code so Bitcoin instructions go to their pay points. If the kill switch is removed altogether, the downside is that they, the initial users, lose control over the worm when it goes out into the wild. End quote. In this case, the kill switch appears to have been carelessly exposed. One might expect better of criminal or covert tradecraft.
Starting point is 00:04:07 It's worth noting that Check Point says it's found a less virulent successor version, and Bitdefender thinks last week's attacks are the first of many more to come. Some experts think the WannaCry ransomware campaign has the look of a targeted attack gone wrong. It looks far more indiscriminate in its infection rate, which amounts to a pandemic, than even the best-prepared criminal gang could handle. And the Bitcoin wallets established as repositories for ransom payments don't seem equal to the task either.
Starting point is 00:04:36 There's no clear attribution yet, but several researchers from Google and elsewhere believe they've discerned a similarity between WannaCry's code and some similar cryptors thought to have been used by the Lazarus Group in 2015. The Lazarus Group, of course, is generally connected to North Korea's government and has been blamed for DarkSeoul attacks against South Korea, the Bangladesh bank fraudulent fund transfer caper, and the wiper attack against Sony Pictures in November 2014.
Starting point is 00:05:11 The plaintiff's bar is expected to be paying close attention to negligent patching in enterprises that suffered from WannaCry, but Microsoft is not generally thought to have much exposure. There's a growing sense among affected third parties, like patients in the UK's National Health Service, that the organizations victimized by the attack should have taken better measures to protect themselves, particularly since WannaCry was spread by exploiting a known and patched vulnerability that persisted for the most part in systems that were beyond their end of life. Observers expect litigation to follow, and they doubt that Microsoft will be the plaintiff's target. Microsoft points out that the affected organizations
Starting point is 00:05:44 were running either unpatched or unsupported software, and some legal commentators agree that they're arguably negligent to do so. Given that it appears personal data weren't exposed in the campaign, it seems likely that lawsuits, if any, would come from people directly injured by the suspension of services the ransomware induced in some organizations. In other news, the University of Texas at Austin Center for Identity recently published their 2017 Identity Theft Assessment and Prediction Report. Paige Schaffer is president and COO of Identity and Cyber Protection Services for Generali Global Assistance. She joins us to discuss the report.
Starting point is 00:06:25 Approximately 50% of identity theft incidents that happened between 2006 and 2016, so really, you know, the last 10 years, half are low-tech. Criminals exploiting non-digital vulnerabilities, empty prescription bottles, some sort of paper documents, really those vulnerabilities caused by human error. Another interesting factor is that, you know, we hear about these huge breaches, such as Target and some of the others across the country that really give you kind of this vast national view. But it turns out that really 99% of the cases are really localized. They were confined to a local geographic area, smaller businesses, or certain victim profiles. The other thing that we can't forget and should take to heart is that many folks that are victimized occur from insider threat. Roughly 34% of the
Starting point is 00:07:20 cases that they study came from insiders. So employees of companies or family members of individuals had a role in one-third of these cases. When you look at these numbers, when you look at the report, what are some of the key takeaways in terms of what people can do to better protect themselves? Well, if you think about the low-tech initiative, so rip up or shred your information, don't throw it in the garbage. Certainly where medical information is concerned, there are many aspects of PII that's captured. The top five pieces of PII that are compromised are name, certainly social security number, address, date of birth, and of course, credit card number. And name and social security number rank the highest credit card,
Starting point is 00:08:05 about 7%. So if you think about your information that's potentially out there, name and address and date of birth, that's on a lot of information. So best to shred. If you think about, we're just past tax season, but get your W-2s from your office. Don't have them mail it to you. A lot of times I go to the doctor and sometimes they'll ask for my social and I just don't give it to them so that it's not printed out on any information. And so if you're coming away with forms, just take good care on how you get rid of those things. Criminals, they capture your information, just your basic information and put it together. They can get it in a really low-tech way. And many times credit cards, though, are also procured in the dark web, on chat rooms, and what have you. And so it's best to be vigilant about your information and
Starting point is 00:08:56 where you keep it, where you put it, and how you get rid of it. But also, from a proactive standpoint, you want to have some service that's monitoring your information so that if somebody does get a hold of it, somebody walking through a Starbucks with a card reader and collects a bunch of credit card information, that you're going to get some alerts, whether it's credit or alerts on the dark web, that your information is showing up in a nefarious place. So you've got a bit of proactive protection there. That's Paige Schaffer from Generali Global Assistance. The report is the 2017 Identity Theft Assessment and Prediction Report,
Starting point is 00:09:32 published by the University of Texas at Austin Center for Identity. Finally, returning once again to the fallout from WannaCry, while U.S. targets were hit by WannaCry, they suffered relatively lightly, we stress relatively, compared to targets in Russia, China, India, and Britain. Various senior security experts in the U.S. have revived talk of a cyber Pearl Harbor. We'd like to conclude by taking that metaphor seriously. Consider the Pearl Harbor attack. It involved not strategic surprise, the U.S. expected Japan to go to war, nor operational surprise. The Pacific Fleet in Pearl Harbor was warned, as was the Army's Hawaiian garrison and General MacArthur's command in the Philippines. What it did involve was tactical
Starting point is 00:10:16 surprise. The U.S. was caught napping on Battleship Row and Wheeler Field. So, would a cyber Pearl Harbor involve tactical surprise? Pearl Harbor also seemed to be a failure of middle management. Junior enlisted radar operators saw and reported inbound aircraft, but were told by their higher-ups not to worry, and the USS Ward depth-sank a midget sub entering Pearl Harbor and reported the sinking. The highest Navy and Army commanders in the islands knew they were under a war warning and thought they'd directed appropriate precautions and alerts. So perhaps a cyber Pearl Harbor would be one suffered when someone between the CISO and the SOC failed to get the word?
Starting point is 00:10:59 And finally, of course, 2,403 people died in the attack, and a further 1,143 were wounded. Would a cyber attack need to work that kind of kinetic effect before it qualified as a Pearl Harbor? Seriously, these questions are worth thinking about.
Starting point is 00:13:20 And joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back.
Starting point is 00:14:19 You know, every now and then we think it's good here to reach back and talk about some of the basics. And so we're asking you today to give us an overview of exploits and scripts. All right, great. Well, it's nice to be back, David. Thank you for having me. You know, there's always a lot of talk about ransomware and malware and the things that those can do to you. And sometimes we forget to talk about the delivery mechanisms of how that stuff gets on your system or infects your mobile device. Two very common delivery mechanisms are exploits and scripts. Scripts are probably the more simple example of the two. And those typically come in the form of email attachments. You know, you used to have script exploits embedded in web pages and things
Starting point is 00:15:04 of that nature. But the browser manufacturers have done a pretty good job of blocking malicious scripts from being able to execute in your browser. So now we see scripts, the two most common scripting languages out there, VBScript and JavaScript. We're seeing those come into organizations or into your home through email attachments where it might say resume.script or something like that. And what they're trying to do is to entice you to open this script that will then execute and pull down that malware or that ransomware and install it on your machine. The other more sophisticated and, you know, in my position, the one I really enjoy looking at because it's pretty sexy, are exploits. And typically, you see exploits on web pages through third-party apps where someone has gone out and
Starting point is 00:15:54 they've figured out how to take advantage of the operating system, the browser, or some third-party plug-in to a browser such that if you navigate to a web page, this exploit will run behind the scenes. You won't know it ran, and it'll do a drive-by where it'll actually pull down some malicious code without your knowledge and then install that code, and you're in trouble. And so exploits, they're more expensive. They're much harder to find. And once they're known about, they get plugged very quickly. But the scary thing is you don't know they happened until you're infected. All right. It's good to review the basics. David Dufour, thanks for joining us.
Starting point is 00:17:30 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
