An approach to SIEM that works for resource-constrained organizations.
The week that was.
Do you know how your AWS S3 bucket is configured?
Dow Jones joins the list of those whose Amazon Web Services S3 data buckets have been a bit too prone to slosh over (Dark Reading). Estimates vary, but Dow Jones thinks 2.2 million individuals' information was exposed.
The Verizon data exposure, discovered by UpGuard on June 8th, has been attributed to a third-party vendor, Nice Systems, which misconfigured an AWS S3 bucket holding data collected in the course of customer service calls (Register). Investigators are attributing the cause and duration of the incident to a failure to communicate (which seems Cool-Hand-Luke-ish), exacerbated by happenstance: a Verizon security employee whom researchers contacted was on vacation (DSL Reports). Thus although Verizon was notified on June 13th, the data remained unprotected until June 23rd. UpGuard thinks that's too slow (Channel Partners).
The other major data exposure cases recently have involved the US National Geospatial Agency, and the Republican National Committee, both traced to third-party contractors. Legal observers are drawing lessons concerning third-party due diligence from the incident (Corporate Counsel).
Amazon Web Services on Wednesday sent its customers a reminder that Access Control Lists (ACLs) govern who can see the contents of their S3 buckets, and that they should look at their buckets to insure that public read-access is enabled only where it's supposed to be. Misconfiguration, often by third parties, has hit data held by large organizations hard this summer, but AWS wants customers to remember that protecting information from inadvertent exposure isn't that hard. And, moreover, that securing that information is the customer's responsibility. The cloud, after all, is formed for sharing, and it's up to those who put their data there to ensure sharing is among authorized parties.
It's not clear any of the data exposed have been stolen, but no sensible enterprise is happy rolling the dice.
Get Smart on the Politics of Cyberspace
Third-party risk manifests itself in CDs, too.
Where there are data, there are risks, and some of those risks are more earthbound than any cloud. Witness Wells Fargo's misfortune. The bank learned this week that outside counsel it had retained mistakenly shipped CDs in the course of discovery to an attorney representing a former Wells Fargo employee suing another employee for defamation. The CDs contained personal and financial information on about fifty thousand high-net-worth customers. The mistake must be particularly galling given that Wells Fargo is not even a party to the lawsuit.
This may be not only a third-party breach, but at least a fourth-party breach as well: the outside counsel, which the New York Times identified as Bressler, Amery & Ross, says it used an "outside vendor" in the course of e-discovery. Bressler, Amery & Ross have asked that the data be returned. The plaintiff who received them said it's fortunate he's a good guy: a less scrupulous person would have spread the info all over the Internet (New York Times).
Can artificial Intelligence increase the precision of threat hunting?
Blockchain has its value, but it's no security panacea.
Cryptocurrencies like BitCoin and Ethereum have been seen as an attractive alternative to conventional fiat currencies, useful for secure and easy transfer of funds, for example. But they too are hackable. CoinDash, an Israeli "operating system" for using, managing, and trading "crypto assets" was the victim of a criminal hack in the course of its initial coin offering. Whether those responsible are ever caught seems to depend largely on how careful the crooks are when they cash out (Register).
In a second incident, hackers exploited a vulnerability in Parity Wallet's multi-signature contracts to steal roughly $30 million in Ether. The flaw has now been fixed, but there are also reports that a self-professed white hat group (we know this because they call themselves "The White Hat Group") of vigilante researchers went on to take control of about $70 million from various wallets (Help Net Security). The White Hat Group, apparently not connected with the crooks who looted Parity Wallet contracts, says they did it because the vulnerability was "trivial" to exploit, and that they're safeguarding the currency for its legitimate owners, who simply need to "be patient" until the funds are restored to them in a more secure form (/r/Ethereum).
Best Practices for Applying Threat Intelligence
Where the things are in the wild.
With apologies to Maurice Sendak, here's a quick rundown of some of the malware circulating in the wild this week. GhostCtrl, a versatile Trojan afflicting Android devices, is active in the wild (SC Media). So is a resurgent Adwind RAT (Security Intelligence). Kaspersky describes NukeBot, an attack-ready exploit designed to harvest banking credentials (Software Testing News). The Central Bank of the United Arab Emirates warns the Gulf region to expect the return of GreenBug banking malware (Arabian Business). Trend Micro warns that the "Promediads" malvertising campaign is distributing a ransomware and information stealer mashup (Trend Labs Security Intelligence Blog).
Like the Week that Was? Find more critical insights in our Quarterly Report.
Costs and effects of cyberattacks.
Lloyd's released an estimate Monday of how much a major cyberattack could cost the global economy. It could be comparable to the effects, the insurer says, of Hurricane Katrina, amounting to as much as $121.4 billion (Bloomberg). Their study was prepared with the assistance of Cyence (Lloyd's). The report's purpose is "to help insurers quantify cyber-risk aggregation" (Lloyd's). The effects can linger, too: the British telecommunications firm TalkTalk, which suffered a breach in 2015, is still suffering. It reported a 3.2% slip in revenue in the first quarter this year. Its CEO at the time of the incident was Baroness Dido Harding, who left her job at the beginning of April. The proximate cause of the revenue decline is given as recontracting consumer customers to new, lower-cost, fixed rate plans (Belfast Telegraph).
Affected businesses continue to count the costs of NotPetya, the faux-ransomware infestation that broke out of Ukraine late last month. Maersk, whose shipping and port operations were affected worldwide, has resumed operations but hasn't yet returned to normal. The company says it has adopted (unspecified) security measures to prevent the recurrence of another attack (TradeWinds), and says that as far as it can determine no customer data were exposed in the incident. The US Federal Maritime Commission (FMC) afforded Maersk some relief by granting the line a 20-day exemption from service contract filings. The FMC also took the opportunity to urge the supply chain as a whole to buck up its cybersecurity. As Commissioner William Doyle put it, “This cyber attack happened to Maersk, the largest ocean carrier in the world. If it can happen to them, it can happen to anyone.” So Maersk is working to recover, but its shareholders are said to be getting restive. They expect a more complete accounting of the incident when the company reports on August 16th (Loadstar).
FedEx, also hit hard by NotPetya, has reported. The Securities and Exchange Commission10-K form the shipper filed this week says the company doesn't yet know how long it will take to restore systems affected by the NotPetya attack, and that it's possible the company's TNT unit—the one directly affected—may be unable to ever fully recover. As FedEx put it in the 10-K, "We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus." FedEx added that, "In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods" (FedEx). So the NotPetya story isn't over, and FedEx and Maersk are far from the only companies that will continue to be affected.
The experience of WannaCry has apparently moved enterprises to buck up their patching, but Windows 10 rates of adoption seem unchanged (Dark Reading).
Costs of autarchy and social control.
China's Great Firewall will almost certainly remain in place as long as the current regime endures, but it's exacting a price. Some two-million people are believed employed in the dead-weight drag of censoring net content, and the categories of material being censored continue to expand. There's a booming live-streaming industry in the country that's about to be throttled by content control, and observers think it won't be the only sector to suffer (Foreign Policy).
A look into the carding souk.
Security company Digital Shadows published a study of the cybercrime black market this week. They were specifically interested in the state of carding souks. Their research suggests interesting comparisons between the carding underworld and drug markets, both of which exhibit a complex structure designed to monetize crime in several stages. Data harvesters intercept the paycard information, distributors resell the card data, "fraudsters" (who are typically low-end skids who run the highest personal risk, and so are analogous to street dealers), and then various collaborators used to monetize the take. Monetization can be done by dupes, or by mules, fences, and others who move and sell fraudulently purchased goods.
One interesting highlight: the criminal carding groups offer courses whose come-ons sound like the old "draw me" invitations you used to see in matchbooks. Most of the courses, unsurprisingly, are in Russian, but Digital Shadows offers a translation of a representative example: "Do you want to become a professional in the world of carding? WWH-Club offers you a new profession, a new source of income, a completely different quality of life! It will change your view on personal finance. It will show you how to earn money in an interesting, intellectual and amicable way, and find progressive friends and community!"
That last sentence offers a sad insight into the behavioral economics of the carding world. The course costs you 45,000 rubles, which comes to about $745. An additional fee for "course materials" will set an aspiring fence back $200. This can amount to a decent investment for a career criminal: as Digital Shadows points out, you might earn up to $12,000 a month, or seventeen times the average Russian compensation. The training seems pitched mostly at prospective mules and fences.
Another black market takedown.
Silk Road's successor, Alpha Bay, was taken down more than a week ago. Many of its customers decamped for an alternative, Hansa Market, which billed itself as the dark web's most secure contraband trading site. But on July 20th a joint operation of the Dutch National Police, Europol, and the US FBI and DEA shuttered Hansa. The black market had in fact been under the covert control of Dutch police for about a month. Servers in Germany, Lithuania, and the Netherlands were seized, and two site administrators in Germany were arrested. Europol also has the addresses of some 10,000 customers, who should expect police inquiries in the near future (Europol). Bitdefender is being credited with generating the lead on Hansa Market that Europol passed to the Dutch National Police. Law enforcement authorities are calling the takedown a positive example of what international and public-private cooperation can do against cybercrime (SC Magazine).
Trends in cybercrime.
Cisco's 2017 Midyear Cybersecurity Report sees a continuing decline in exploit kits, but a resurgence in some attack styles that have been popular for years, especially spamming, ransomware, and business email compromise. They are seeing a rise in the relatively new fileless malware, and their make-your-flesh-creep prediction is that there will be a wave of "Destruction of Service" attacks designed to wipe out backups and prevent enterprises from continuing or even restoring operations once they've come under attack (Help Net Security).
US Senator Wyden (Democrat, Oregon) concerned about hackers spoofing emails from Federal agencies this week sent the Department of Homeland Security an open letter urging DHS to take the leas in pushing widespread adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) as a standard across the Government (SC Magazine). ValiMail has a useful overview of DMARC on their website.
International cooperation and conflict in cyberspace.
Christopher Painter, who led US State Department cybersecurity initiatives and had gained a reputation as an advocate of diplomatic engagement with adversaries over cyber maters, announced this week that he will resign his post as the Department's Coordinator for Cyber Issues at the end of this month. In a reorganization of the Department, Secretary of State Tillerson has decided to close the office Painter heads, the Office for the Coordination of Cyber Issues (Ars Technica).
Painter is regarded as an advocate of diplomacy and negotiation with adversaries, including Russia, a course he views as both realistic and inevitable. A Russian news agency, RIA, said late this week that in fact there were discussions in progress on a joint US-Russian cyber working group, but US security and intelligence officials say that's news to them (Washington Examiner). At least, they're not participating. They say it's a "pipedream" being smoked at unimportant mid-levels (Financial Times).
US Director of Central Intelligence Pompeo characterized Russian motivation, in Syria as in cyberspace, as "loving to stick it to America," which sounds about right (Military Times). He's also not a fan of WikiLeaks, which Thursday performed its ritual dump of alleged CIA hacking-related documents (Fossbytes).
Microsoft appears to be waging lawfare against the Kremlin. Redmond is said to be suing Fancy Bear for its mucking around with Windows systems (TechCrunch). They're also going after the domain names Fancy uses (Daily Beast).
There are signs that DarkHotel 2.0 is back, and this time may be going after closely defined political targets (Inquirer).
In the US, a bipartisan initiative to secure electronic voting spins up at Harvard's Belfer Center (Washington Post). The initiative will be called "Defending Digital Democracy," and will be led by Eric Rosenbach, formerly chief of staff for Obama Administration Secretary of Defense Ashton Carter. Its lead staff prominently features former Clinton and Romney presidential campaign managers, respectively Robbie Mook and Matt Roades. Advisors include security leaders from Facebook, Google, and CrowdStrike (Ars Technica).
Unsurprisingly, other industry voices are also expressing concern. Akamai is among the companies warning that election hacking remains an unsolved problem (Boston Herald).
Infrastructure and IoT vulnerabilities.
"Devil's Ivy," a vulnerability in the gSOAP open-source code widely used in security cameras, surfaced this week as manufacturers and users grapple with a response (WIRED).
Power grid hacking remains a concern. In the UK, GCHQ warned that energy sector targets have probably already been compromised (Motherboard). And on Thursday the US National Academies of Sciences, Engineering and Medicine, released their long-anticipated report, commissioned by Congress and funded by the Department of Energy, Enhancing the Resilience of the Nation's Electricity System. No one will be surprised to learn that the Academies found there was a lot of work to be done (Morning Consult).
Apple and Oracle were among companies who patched this week. Apple addressed security issues in iOS, MacOS, and Safari, especially those surrounding the Broadpwn bug (Bleeping Computer). Oracle's patch was unusually large, and addressed a range of security flaws in business applications (CSO).
In industry news, Awake Security emerged from stealth this week with $31 million in funding. The startup's technology has been compared to near-unicorn Darktrace (Fortune). ScaleFT closed a $2 million seed round (Dark Reading). Healthcare cybersecurity startup Protenus receuved a $3 million Series A extension (Tecnical.ly Baltimore). Splunk joined a $15.8 million funding round for security analytics startup Insight Engines (Silicon Angle).
CRN ran a scorecard at midweek of the companies in the cybersecurity sector who've been the top ten, so far this year, in terms of funds raised. Counting down from ten to one, the list begins with e-commerce fraud prevention shop Signifyd at ten (which added $56 million in May to the $31 million it already had). Endpoint security specialists SentinelOne comes in at nine after adding $70 million in January (total investment now roughly $110 million). At number eight is Darktrace, whose $75 this month raised the total investment to $180 million and lifted the company's valuation to a near-unicorn $825 million. Number seven on CRN's list is Sumo Logic, specialists in cloud-based log management and analytics: the $75 million they raised in June took the company's total to $230 million. Armor comes in at number six, and bills itself as "the first totally secure cloud company." Armor attracted $89 million in funding back in April, bringing its total to almost $150 million.
At number five is Netskope, the cloud access security broker, which received a $100 million round that brought its total investment to $231.4 million. WIth Netskope we enter unicorn country: analysts place the company's valuation north of $1.25 billion. At number four is another unicorn, Crowdstrike (usually thought of as an endpoint security company) picked up $100 million in May for total funding of $256 million and a valuation of a billion. Number three on the list is another end-point shop: Cybereason raised $100m in June for a valuation of $850 billion. Tanium, number two, got $100 million in funding this May, raising the total investment to $402 million. The company, rumored to be preparing for an initial public offering, is valued at $3.75 billion. And finally, at number one we find Illumio, specialists in segmentation security for data centers and public clouds. Illumio's $125 million funding round in June raised its total investment to $267 million.
It's worth noting that the companies on the list tend to be players in the endpoint, cloud, and artificial intelligence spaces.
There was also some merger and acquisition news. Rapid7 announces its acquisition of security orchestration start-up Komand for an undisclosed amount (Register). Avast is buying London-based Piriform, a software optimization concern (eTeknix). Regulatory headwinds (blowing from CFIUS, the Committee on Foreign Investment in the United States) are said to be delaying Broadcom's acquisition of Brocade. (CRN). WatchGuard says it's looking for new acquisitions (CRN).
A week after the US General Services Administration removed Kaspersky Lab from procurement Schedules, Britain's GCHQ said, in response to inquiries, that it "never certified" Kaspersky software (Inquirer).
And we end with some good news, and congratulations.
Whitfield Diffie may now add "F.R.S." to his name. On Friday it was announced that the cryptology pioneer had been elected to the Royal Society (National Cryptologic Museum Foundation). Our congratulations on a well-deserved honor. Dr. Diffie joins the more than 8200 Fellows elected since the Society was founded in 1660. You'll have heard of some of them: Charles Babbage, Daniel Bernoulli, Charles Darwin, Arthur Eddington, Albert Einstein, etc. Well done, Dr. Diffie, FRS.
This CyberWire look back at the Week that Was discusses events affecting China, Egypt, European Union, Germany, Israel, Lithuania, Netherlands, Qatar, Russia, Saudi Arabia, Ukraine, United Arab Emirates, United Kingdom, United States.
© 2018 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.