CyberWire Daily - WikiLeaks, responsible disclosure, and insider threats. PlayStation credentials rumored to have been compromised. Apache Struts bug being actively exploited. DPRK missile cyber security. A look at West African cybergangs.

Episode Date: March 10, 2017

In today's podcast, WikiLeaks offers to enter the responsible disclosure game, but be warned: there are legal problems should you accept classified information. Some AV companies tout their reviews in... Vault 7. Speculation about how CIA hacking notes leaked turns to an insider threat. HackRead warns that PlayStation credentials may have been compromised. The Apache Struts vulnerability is being exploited in the wild. Observers cast doubt on reports the US successfully hacked North Korean missile launches. Joe Carrigan from the Johns Hopkins University Information Security Institute weighs in on SHA-1. Comodo's Kenneth Geers shares insights from their 2016 Global Report. Trend Micro and Interpol take a look at the West African cybercrime scene.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. WikiLeaks offers to enter the responsible disclosure game. Better late than never. Some AV companies tout their reviews in Vault 7. Speculation about how CIA hacking notes leaked turns to an insider threat. HackRead warns that PlayStation credentials
Starting point is 00:02:12 may have been compromised. The Apache Struts vulnerability is being exploited in the wild. Observers cast doubt on reports the U.S. successfully hacked North Korean missile launches. Comodo researcher Kenneth Geers shares insights from their 2016 global research report, and Trend Micro and Interpol take a look at the West African cybercrime scene. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 10, 2017. WikiLeaks is apparently opening its own version of the vulnerability equities process, offering to share what it says it learned from the Vault 7 leaks with affected software vendors.
Starting point is 00:02:57 Companies are advised by U.S. authorities that receiving classified information puts them on legal thin ice. Some of the antivirus companies mentioned in Vault 7 as having tough-to-bypass products, notably Bitdefender and Comodo, aren't being shy about letting prospective customers know their reputations as, to quote one leaked remark, a pain in the posterior. There's now some speculation about where WikiLeaks got the material it released in Vault 7. WikiLeaks itself says its source was a former U.S. government hacker. The Voice of America says a U.S. intelligence official commented on background that there are some indications the leak came from a CIA contractor.
Starting point is 00:03:38 A federal criminal investigation is in progress. The publication Motherboard reports that WikiLeaks may have been a bit sloppy in redacting names from the dump. Some remain, but whether they're real names, pseudonyms, or something else is difficult to say. But Motherboard is taking no chances and isn't publishing any of them. Reaction from the security industry continues to hold that there's less to the leaks than meets the eye, especially if that eye has been trained on the more alarmist headlines. Ilia Kolochenko from the web security firm High-Tech Bridge told us that he's even a bit surprised at the attention Vault 7 has drawn.
Starting point is 00:04:15 Of course, the CIA uses hacking tools and techniques in its intelligence-gathering mission, and he hasn't seen anything so far that indicates the agency was abusing those tools beyond its legal charter. The CEO of security company CyberX, Omer Schneider, agrees that it isn't news that the CIA has hacking tools, or that it maintains a stock of zero days. "Most nation-states have similar hacking tools, and they're being used all the time. What's surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault 7 makes it even easier for a crop of new cyber actors to get in the game."
Starting point is 00:04:54 Predictably, the Chinese government has admonished the Americans in a high-minded way that the U.S. really ought to stop spying. The online publication HackRead is warning that it's received reports that 640,000 PlayStation accounts are for sale in a dark web market. HackRead says the story appears credible, although it's been unable to confirm it. Nonetheless, PlayStation users might well look to their accounts and credentials. The Apache Struts remote code execution vulnerability is being actively exploited. Enterprises should patch, and patches are available. We heard from Craig Young, principal security researcher
Starting point is 00:05:35 with Tripwire, who thinks this is a particularly serious issue, a trivially exploitable command injection execution that doesn't require authentication. It's possible for an attacker to create custom payloads quickly to install malware on vulnerable web servers. He suggests deploying web application firewall rules as a temporary mitigation until admins can update Struts. Observers cast doubt on claims that U.S. cyberattacks interfered with North Korean missile test launches. It's not clear that DPRK missile guidance packages have the sort of attack surface envisioned
Starting point is 00:06:10 by reports of U.S. hacking. Trend Micro and Interpol have an interesting report on West Africa's cybercriminal underground. The crooks divide essentially into two categories. Yahoo Boys, devoted to lonely hearts, stranded travelers, and advanced fee scams, and Next Level Cyber Criminals, more sophisticated financial fraud and business email compromise capers. Both groups are adept at social engineering, although the Yahoo Boys do tend to engineer relatively naive marks. The Yahoo Boys, so-called for their association with Yahoo email, are much given to trolling social media and concocting implausible stories. The next-level cybercriminals
Starting point is 00:06:53 are more likely to be found looking for tools in some hacker forum or black market. Of some interest is the connection with Sakawa, an emerging religious system in which internet fraudsters offer sacrifice in atonement to a god of thieves. The sacrifices are held to render the victims of scams more likely to succumb to the ballyhoo. There's also some thought that the sacrifices draw some of the sting of conscience the fraudster might feel from being a crook. So remember, the next time you receive an email from the widow of a Nigerian prince entreating you to believe that a divine voice advised her to seek you out in her time of trial,
Starting point is 00:07:31 remember these things. First, Nigeria is a republic, so no princes. Or princesses either. Alas, lonely ones. Second, there's no good reason to advance someone money to facilitate a bank deposit. Third, that widow? No. It's a Yahoo boy. And fourth, if any supernatural voice was whispering to your emailer, by all the best authorities it was an internet god of thieves. Not the sort of divine inspiration you'd want to heed, we think.
Starting point is 00:08:03 But that's just us. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:08:32 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:06 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Starting point is 00:10:03 Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're
Starting point is 00:10:25 thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You know, we've got some stories here about SHA-1. SHA-1, right.
Starting point is 00:11:11 And SHA-1 has been sunsetted. Yes, it's been deprecated. That's right. For a number of years, people have been saying don't use it. But it's still in a lot of uses around for file verification, for certificate signing things. Google has changed Chrome so that now when you get a SHA-1 signed certificate, it says this is not as secure as it should be, and kudos to Google for being ahead of the curve on that one.
Starting point is 00:11:40 And actually, I think it was one of their researchers that recently generated a SHA-1 collision. Yeah, let's talk about that. That's interesting. So hash collisions are a very interesting thing. So a hashing algorithm is an algorithm that you put something into, a string of bytes, and what you get out is called a hash digest, and it's always the same length, depending on what the hashing algorithm is. It has a few properties, like it shouldn't be easy to reverse.
Starting point is 00:12:05 But one of the other properties is that it shouldn't be easy to generate two hashes that are identical, two hash digests that are identical. Now, MD5 has been broken for a very long time, and it still has uses in forensics, but that's about it. So it's not good for storing password hashes. It's not good for anything other than a forensic application. SHA-1 has now entered that realm where it's about the same. Theoretically, it's been no longer reliable for a number of years, but now it is demonstrably no longer reliable.
Starting point is 00:12:43 Yeah, I saw that Google said that it would take roughly 110 years of computing from a single GPU to produce the collision. Right. And Google's being a little coy with it. They say they're waiting 90 days to say exactly how they did it, which I guess is a good thing. Yep. That gives everybody enough time to stop using SHA-1. I'm going to go out on a limb here and predict that not everybody's going to stop using it. Well, no, and I've spoken to some other experts on the show about people who help organizations sort of track down and replace their uses of SHA-1. And one of the points they made was that if you have a large website or a large installation,
Starting point is 00:13:23 you may have instances of SHA-1 spread around that maybe you've lost track of. Right. It's a configuration management problem as well. It can be a nightmare. Yeah. All right. Interesting stuff as always. Joe Carrigan, thanks for joining us. My pleasure. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:14:05 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. My guest today is Kenneth Geers. He's a senior research scientist with Comodo Threat Research Labs and a NATO Cyber Centre Ambassador. At this year's RSA conference, he presented Comodo's 2016 Global Report, what they describe as a deep dive into new discoveries and detailed analysis of recent malware incidents tied to geopolitical events around the world. We spoke with him about the report and the kinds of insights he gains from the research he does with the kind of data he has
Starting point is 00:14:57 at his disposal. I'm looking right now at about three months' worth of data, but it's about three and a half billion rows from every country on the planet. So believe it or not, Comodo has clients in North Korea. So every country, every city, every province on the planet. And what we can see if we divide our clients into not only geographic components, but vertical components. So what industry you're in, healthcare or aerospace, government, et cetera. Really, we can see the progression of malware from patient zero throughout the earth. So for me as an analyst, it's just a dream opportunity to be able to look at so much data and come up with not only a report that, you know, is interesting today, but really is potentially of historical interest, because we can see kind of the birth and death of malware.
Starting point is 00:16:01 And not only that, one of the things that I personally specialize in is kind of the geopolitical angle. So I've always looked at attribution issues and data exfiltration categories, for example. I worked at the Pentagon for a long time trying to figure out who's hacking the United States and why. But one of the things I'm doing with Comodo is putting together really kind of strategic think piece type analysis as well. to be, not hacked directly, let's say, but via information operations in social media, fake news, the weaponization of doxing, for example, and hacking of political parties, wide range of things. It really, it can push an election over the edge, at least in theory, and perhaps in practice. So I'm looking at major events like elections or invasions, big business events, mergers, deals, that sort of thing. But I can see kind of over our whole ecosystem of malware to identify where geopolitical crises are reflected in the network data. Because really,
Starting point is 00:17:39 cyberspace is just a reflection of human affairs. So nothing happens really, even at the tactical level. If you want to go out on a date or go to a movie, that in fact is easily reflected in cyberspace. And it's important to know that even if communications are encrypted, you can still do heavy traffic analysis against anything and surmise what is happening in the real world. But for our report, what we're doing is we're placing things into resolving IP addresses to countries so that we can see which countries are most affected. And then within those countries, we can divide our client base by vertical. So we know in which industry you work. If you're in education, for example, recently I looked at a lot of targeted spam campaign,
Starting point is 00:18:35 and it all was going to a particular university network space within a particular country. in a particular country. For me, what that meant was that somebody was targeting the, you know, intellectuals within that country. And when you have a whole lot of data, you can do that kind of analysis. So you say this is not just spam, but in fact, it's a spam campaign that has malicious links. We'll take you to compromising and compromised already websites where you download malicious code onto your computer. But the recipients of those emails, it wasn't random. It went, in fact, to a targeted group of individuals. But you have to, as an analyst, not just know a little bit about hacking, but kind of follow real world events so that you can marry the two. But that's what we're doing with our 2016 report. You know, we're trying not just to talk about viruses and worms and Trojans, but what they're used for and who potentially the actors are who write this kind of software and the purposes they're using malicious code for, which is, you know, which really is even more important and easier to understand for a layperson.
Starting point is 00:20:08 system administrators to this kind of analysis and this angle to help defend your company. Because if you know, for example, that you are entering a period of geopolitical uncertainty or international conflict and tension, for sure you'll be targeted. That's only normal today. So for me as an analyst at Comodo working on such a large data set, it's really a joy to be able to have room for a lot of creativity and imagination when putting together a year-long report. That's Kenneth Geers from Comodo Group. Thanks for listening. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
