CyberWire Daily - Worm alert. Stumblebums or masterminds? Widia commodity ransomware in its early stages. Taking the fight to ISIS in cyberspace.
Episode Date: May 25, 2017
In today's podcast, we hear about a vulnerability in widely used networking software leaves it open to a worm infestation. Were the WannaCry hackers annoying stumblebums, or are there deeper games afoot? Help desk scammers say they'll rid you of ransomware—they won't. Researchers watch "Widia," commodity ransomware that's still an early stage work-in-progress. The Manchester terrorist looks more like a known wolf than a lone wolf. Ben Yelin reviews the Supreme Court's consideration of a cell site privacy case. Yong-Gon Chon from Focal Point Data Risk discusses their Cyber Balance Sheet Report. And US Cyber Command would like ISIS to know that they're in the Fort's crosshairs. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A vulnerability in widely used networking software leaves it open to a worm infestation.
Were the WannaCry hackers annoying stumblebums, or are there deeper games afoot? Help desk
scammers say they'll rid you of ransomware.
They won't. Researchers watch
Widia, commodity ransomware that's
still an early stage work in progress.
The Manchester terrorist looks more
like a known wolf than a lone wolf.
And U.S. Cyber Command would like
ISIS to know that they're in the fort's
crosshairs.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 25, 2016.
WannaCry was notable for being a ransom worm.
The U.S. Department of Homeland Security warned that a vulnerability in Samba, the free Linux and Unix networking software, leaves it susceptible to similar worm infestations.
According to researchers at Rapid7, there were no signs of exploitation in the wild, at least in the first 24 hours after discovery and disclosure.
The threat posed by Eternal Blue and Eternal Rocks remains unsettled, but there is widespread concern that active exploitation may be taking more disturbing forms than the stumblebum
extortion of the first WannaCry wave. Symantec's attribution of the WannaCry attacks to North
Korea is being picked up by other observers, with some dissenting voices being raised.
The dissent is founded largely on grounds of a priori caution, attribution of this kind
being necessarily circumstantial, but they also cite evidence in the code pointing to the possibility
that the Lazarus Group's spoor Symantec followed was the result of some unknown third party copying
earlier malware. The mixed nature of the attack also baffles some. Were the attackers stumblebums
who copied malware ineptly
and simply delivered it via the slick Eternal Blue exploit
they got courtesy of the Shadow Brokers,
or were they playing some deeper game?
We've seen suggestions of a deeper game exploiting Eternal Blue
and Eternal Rocks in other sources,
including Croatia's CERT and security companies like
Sedco, Forcepoint, IFORT, and Cyber Detection
Services, and the story will clearly continue to develop over the coming weeks.
The argument in favor of North Korean stumblebums would be consistent with a vast, loose effort
that wasn't prepared to take in all the cash a campaign of that size would have been expected
to generate.
That the overt goal of WannaCry was financial is also consistent with a North Korean origin.
Pyongyang is cash-strapped, especially now that sanctions imposed by China, formerly
the DPRK's main trading partner, have begun to bite harder.
On the other hand, there are plenty of warnings that North Korea's hackers are dangerous and
capable, so perhaps the extortion is just misdirection.
In any case, Symantec is fairly confident they've got the attribution right.
A variant of the familiar help desk scam is taking advantage of widespread public concerns over WannaCry.
The scammers call, tell you you're infected, then offer to take over your machine to fix
the infection.
The UK's Action Fraud Centre sounded the alert,
but it's reasonable to expect this approach wherever the help desk scam flourishes.
SentinelOne reports a new ransomware strain, Widia,
interesting in that it looks like early-stage commodity-level crimeware.
Widia asks for a credit card payment as opposed to customary Bitcoin,
but it seems more scareware than true crypto ransomware.
It throws up a screen that says your files are encrypted, but actually they're not.
SentinelOne thinks the authors will eventually add the malicious encryption they now lack.
It's early, so stay tuned and stay alert.
It's also worth noting that the incident shows there's no obvious and unavoidable relationship
between cryptocurrencies and cybercrime.
Bitcoin in particular, and blockchain technologies more generally, represent efficient ways of transferring funds,
but they're by no means uniquely associated with criminal elements, and they're fast on their way into the economic mainstream.
While WannaCry was a ransomworm, the most common vector for a ransomware infection continues to be phishing.
A recently released survey of enterprise security leaders by the magazine Computing suggests that ransomware is among the likeliest attacks to get through corporate defenses.
There's no question that cybersecurity has earned attention in the boardroom. But attention doesn't always mean alignment.
Yong-Gon Chon is CEO of Focal Point Data Risk,
and they recently released the Cyber Balance Sheet report,
which takes a closer look at the breakdowns between board members and their security teams.
Some of the key findings in the report really show a lack of alignment
between what board members and security leaders actually view as the value of cybersecurity
programs. For instance, security leaders really see their role as providing security guidance or
as a business enabler. And the reaction to that from a board member is that that's really more
aspirational and that security's job is to protect our organization and our assets
from liability associated with data breaches. And so board members see security's role as
data protection and helping the organization to manage risk.
And so what do you think is driving that disconnect?
I think there are several factors that drive that disconnect.
I think the first thing really talks to the communication barrier.
Within the cyber industry, there's a lot of emphasis on jargon.
We talk about things like data exfiltration instead of just calling theft theft.
We talk about things like zero days. We talk about
exploits and vulnerabilities instead of saying, these are errors and these are bugs and these
are mistakes. And I think that emphasis on jargon doesn't allow board members to embrace
the communication and build the right types of trust and confidence because board members are
accustomed to speaking the
language of business. And that language of business is very much cemented in financial terms
and enterprise risk terms. Board members have had 13 years to get acclimated to audit terms
as a result of Sarbanes-Oxley. So they think about things in terms of materiality and material weaknesses
or control deficiencies. And because of that language barrier, we see as a key factor
in showing that disparity. And so which side do you think has to make the adjustment? Is this a
matter of the IT folks having to learn to speak the language of the board or the board having to
learn the language of IT or is it meet somewhere in the middle?
I think it's meet somewhere in the middle, but I do believe there is more effort that needs to be
applied from the security leader's side. When a board member looks at a security status report
that's being presented to them, they want to see things that represent a relationship to the business.
And so if the cybersecurity function doesn't show how it supports the business making money,
that's a real challenge.
So the security leader needs to be able to translate a lot of these concepts in such a way that helps them build trust.
That's Yong-Gon Chon from Focal Point Data Risk.
As members of Manchester suicide bomber Salman Abedi's network are rolled up in counterterror operations,
and six arrests so far include his father and a brother,
he looks less than ever a true lone wolf, inspired but not controlled by ISIS.
Unfortunately, he may also have been a known wolf.
Investigation into the Manchester bomber's radicalization suggests his family warned the authorities,
and Abedi's brother had, according to NBC News,
been under surveillance as a possible terrorist in Libya for some months before his arrest.
There are also reports that suggest members of Abedi's family were concerned about his
radicalization and brought that to the authorities' attention.
Testimony before the U.S. Congress this week offered a glimpse, albeit through a glass
and darkly, of the U.S. military's cyber offensive against ISIS.
The organization conducting it, Joint Task Force Ares,
was established by U.S. Cybercom's commander, Admiral Rogers.
It's led by Lieutenant General Paul Nakasone,
commanding general of U.S. Army Cyber Command,
and it operates in support of U.S. CENTCOM,
the American combatant command operating in the Middle East.
Understandably, they won't provide much in the way of details,
but Admiral Rogers summed up the task force's operations this way,
quote,
We have been very public and acknowledge the fact that we're using cyber offensively against ISIS,
not just because we want ISIS to know that we're contesting them,
but because, quite frankly, we also think it's in our best interest for others to have a level of awareness
that we are investing in capability and we are employing it,
within a legal law-of-armed-conflict framework, not indiscriminately.
Good hunting, Joint Task Force Ares.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated
Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. From Searchlight Pictures. Stream Nightbitch January 24 only on Disney+.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. I had a story come by from Ars Technica. It was about the Supreme Court asked to rule if cops need a warrant for cell site data. What's going on here?
So one of the newest tactics for law enforcement across this country is to glean information from cell site data, which can reveal at least which cell tower a person was closest to. If you're trying to figure out whether a potential criminal was at a particular location at a particular time, it can provide that information.
Of course, this implicates the Fourth Amendment's ban on unreasonable searches and seizures.
Up until now, lower courts have held, for the most part, that the collection of cell site towers that's done without a warrant is indeed constitutional.
And the constitutional basis for these decisions comes from a 1979 case called Smith v. Maryland.
That case held that if a person voluntarily submits information to a third party, basically some sort of business record.
So in that case, they were talking about a person's
landline phone calls, which we would now consider metadata, what time the call was made,
the number that made the call, the number that received the call. Since you are voluntarily
giving that information to a third party, you lose your reasonable expectation of privacy,
and thus a warrant is not required. And lower courts have held that the collection of cell
site information is analogous. You should at least be aware that when you're making a call from your cell phone,
you are submitting location data to your cellular service provider. And once you do that,
you've lost the expectation that they are not going to share that information with law enforcement.
So far, the Supreme Court has had
chances to review cases on this subject, and they've turned all of those opportunities down.
There is the sort of informal rule of four that if four of the nine justices choose to take a case,
then the case will be heard in front of the Supreme Court. We'll have to see. There are
currently five outstanding cases across the country based on the warrantless collection of cell site data.
So it seemed like the time is ripe to clarify this issue, especially since our laws and the doctrine from Smith v. Maryland, the third party doctrine, is potentially outdated in our digital world.
All right. We'll keep an eye on it. Ben Yelin, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.