The CyberWire Daily Podcast 4.13.21
Ep 1310 | 4.13.21

Natanz pre-emptive sabotage updates. NAME:WRECK DNS vulnerabilities. Tax phishing. ATM cards and advance-fee scams. Ransomware-induced cheese shortage.

Transcript

Dave Bittner: Updates on the sabotage at Natanz - whether it was cyber or kinetic, Iran has vowed to take its revenge against Israel. NAME:WRECK vulnerabilities affect DNS implementations. Tax season scammers are phishing for credentials. If you like the investment opportunities those Nigerian princes used to offer, you're going to love their loaded ATM cards. Ben Yelin looks at data protection and interoperability. Our guest is Jules Martin from Mimecast on the importance of security integration. And in the Netherlands, ransomware is inducing a shortage of cheese.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 13, 2021. 

Dave Bittner: The BBC points out that the cause of the explosion at the Natanz power distribution system remains unclear. Natanz has been the target of both cyber-espionage with Stuxnet and physical sabotage - the Homeland Tigers' bombing. Most coverage, like that in Slate, is treating the incident as a probable Israeli cyberattack and is citing Israeli media reports in support of that conclusion. The Guardian notes that the incident displays the vulnerability to sabotage of industrial systems like those in the centrifuge facility at Natanz. 

Dave Bittner: Iran says it intends to retaliate where, when and how it chooses. WION quotes a spokesman from the Iranian Foreign Ministry as saying, "Iran's answer will be to take revenge against the Zionist regime at the right time and place," end quote. Press TV, Iran's English-language news service, explains Tehran's policy more colorfully, quote, "Israel awaits Iran's response. Terrifying days ahead for Zionist entity," end quote. 

Dave Bittner: The US administration said that it had, "of course," seen reports of the Natanz incident, that the US was not involved in any manner, had nothing to add to public speculation and that it expected this week's nuclear talks involving Iran to proceed as planned. 

Dave Bittner: Researchers at Forescout and JSOF today reported their discovery of nine vulnerabilities - collectively NAME:WRECK - in DNS implementations found in four widely used TCP/IP stacks. The researchers particularly note NAME:WRECK's effect on FreeBSD and Siemens' Nucleus NET. 

Dave Bittner: The researchers offer an explanation of their choice of name for the family of vulnerabilities. NAME:WRECK, they write, refers to how the parsing of domain names can break - wreck - DNS implementations in TCP/IP stacks, leading to denial of service or remote code execution. In total, the four TCP/IP stacks affected are FreeBSD, IPnet, NetX and Nucleus NET. The range of attacks possible through exploitation of NAME:WRECK vulnerabilities ranges from garden-variety information theft through sabotage of building control and industrial process control systems.

Dave Bittner: Researchers say that they want to provide advice on fixing the issues they discovered. Patching, of course, is the first step. FreeBSD, Nucleus NET and NetX have all recently been patched, and vendors using the software should be providing updates to their customers. If an organization is patching FreeBSD servers or network appliances, it should identify the operating system it's running on them, get the versions of the installed packages and update the vulnerable systems. 

Dave Bittner: But patching isn't always easy and in some cases, especially with respect to IoT devices, may not even be realistically possible. Many of those devices aren't centrally managed and are difficult to access. There may also be problems taking them down temporarily for patching, and some of the firmware may run unsupported versions of their real-time operating systems. 

Dave Bittner: Should patching not be possible, Forescout and JSOF recommend the following mitigation steps - discover and inventory devices running the vulnerable stacks; enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices; monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements; configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic since exploitation requires a malicious DNS server to reply with malicious packets; and finally, monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days affecting DNS, mDNS and DHCP clients. Anomalous and malformed traffic should be blocked, or network operators should at least be alerted to its presence.

Dave Bittner: Forescout and JSOF's executive summary concludes with a glum warning about DNS as a whole - quote, "this research is further proof that DNS protocol complexity leads to several vulnerable implementations and that the community should act to fix a problem that we believe is more widespread of what we currently know," end quote. 

Dave Bittner: Armorblox warns of a tax-season W-2 scam using Typeform for credential harvesting. It begins with a phishing email impersonating an automated file-sharing communication from OneDrive. It looks like a message from a familiar workflow, and it includes, as such phishing does, the usual dressings of business communications, like reference numbers, plausible subject lines - home loan is one representative subject - and data that seems to fall in the ballpark. The email - and it's typically come from a Hotmail address, so recipients beware - seeks to induce the sense of hurry and emergency that phishing normally does. 

Dave Bittner: One wrinkle that's unpleasant for the unwary is the use of what Armorblox describes as security themes, such as helpful, albeit anodyne notes as a link that says, learn about messages protected by Office 365. And in this case, the link actually takes you to a real Microsoft-hosted page that contains security information. 

Dave Bittner: And finally, the page where you're asked to enter your credentials is hosted on Typeform, a familiar and legitimate service that unfortunately also lowers the bar for cybercriminals to launch successful phishing attacks. In fairness, it's not just Typeform that's being misused in this way. Armorblox says, quote, "we have also observed attacks exploiting Google Firebase, Box, Webflow and Google Forms in a similar manner," end quote. 

Dave Bittner: So be cautious during tax season, which in the U.S. this year has an extra month to run. 

Dave Bittner: Security firm Avanan notes, with an air of weariness, that the old Nigerian prince scam is still with us and still reeling in plenty of fresh fish. It's not, in the narrowest sense, a Nigerian prince scam, since classically that scam represents itself as an investment opportunity. This one still has a Nigerian connection, but it involves a missing ATM card that - hey, hey - just happens to have a million bucks or so on it. Come on, you want to say, and you're right. But why do these scams continue to circulate? Because someone, somewhere bites on them. 

Dave Bittner: And finally, here's a consequence of ransomware that we may not specifically have foreseen - cheese shortages. BleepingComputer reports that Bakker Logistiek, a Netherlands logistics company that provides air-conditioned storage and transportation services, has sustained a ransomware attack that's disrupted its operations enough to induce a shortage of cheese in Dutch supermarkets. The logistics firm was unable to process orders from customers, and it was unable to sort through the inventory held in its warehouse to make deliveries. These processes are all highly automated and therefore are, in principle, susceptible to disruption by cyberattack. 

Dave Bittner: So has cheese replaced toilet paper as a hard-to-get commodity? Cue the gastrointestinal jokes and lame puns about Gouda, if you must, but the incident is a warning shot across the food distribution systems generally considered. 

Dave Bittner: When selecting the tools to best defend your networks, many advocate a strategy of diversity, of choosing the so-called best-in-breed solution for any given security task. With that, however, can come complexity as you find yourself managing multiple platforms and alerting systems from different vendors. Jules Martin is vice president of ecosystems and alliances at Mimecast, and he advocates a strategy of security integration using open APIs. 

Jules Martin: If you look at malware-as-a-service and the increase in that particular type of model, then you look at the campaign days - before, we were seeing campaigns run over a number of months, sometimes six months, 12 months - and then the proliferation of ransomware and sender impersonation. As those types of attack vectors have grown, we've then seen an increase in the attack volumes, really responding to either geopolitical sort of shifts in the global landscape or things like the pandemic as well. So the actual speed and delivery of these types of attacks is the first problem we're all facing now. 

Dave Bittner: And has there been a sufficient response to that? Are the defenders able to keep up? 

Jules Martin: I think it's a challenge for all the defenders because if you look at the traditional approach to IT security, you've got a mixture in some cases of still on-premise and the inflexibility and cost associated with running that. You've then got multiple consoles to manage. 

Jules Martin: And what we've found in this mobile workforce we've all been forced to adopt is that people are now buying more and more equipment. And that means there's more to manage, and the efficacy levels drop, meaning people miss threats. Then, if you combine that with the human error from literally Zoom fatigue and the constant meetings where I've been on Teams and what have you, people do miss threats, both at the management layer and at the user layer. Then, if you then add into all of that, there's a skill shortage. Depends who you speak to - there's about 3 million open heads, I believe, of people looking for skills, cybersecurity experts as well. So there's a whole number of things all coming together at the same time. 

Dave Bittner: So you advocate integrating some of your security tools, taking advantage of APIs. Can you describe for us - how does something like that play out? 

Jules Martin: Right. So if you look at the traditional challenge, as a business, we've made our name and established leadership position in the market around email. And years ago, we've been protecting that email environment. Traditionally, it was on premise. Now it's very much cloud based. But if you look at the IT operations that run that messaging platform, they're looking after messaging, the performance search, the archiving, the backup, the continuity, so on and so forth. That's the IT operations role. 

Jules Martin: And here at Mimecast, we actually have that team in the U.K. But our SOC - who manages the security operations of the prevention and detection, the response and remediation, et cetera - they're based in the U.K., here in the U.S. and down in Australia as well. So what we're trying to do is bridge that gap between the legacy security and - I should say the legacy IT operations and the new SOC that's been formed over the past few years. So it's bringing those two together. It isn't just a messaging issue. This is a business issue. We need to get these teams talking together. 

Dave Bittner: That's Jules Martin from Mimecast. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, but also my co-host over on the "Caveat" podcast. Ben, welcome back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: Interesting publication from the EFF - the Electronic Frontier Foundation - written by Bennett Cyphers and Cory Doctorow. And it's titled "Privacy Without Monopoly: Data Protection and Interoperability." This is right up your alley, Ben. What do you make of this? 

Ben Yelin: Yeah, it's a really interesting paper. And the entire thing is available for free on their website - eff.org. And I recommend reading it in its entirety. 

Ben Yelin: At a very high level, you have this problem of both corporate concentration, which, you know, we've talked about in the antitrust context, where a few companies dominate the entire sphere of the internet, stifle competition in ways that are harmful to the consumers, and you have this issue of the lack of user privacy. And in the view of EFF, these two problems are interconnected. When you have a few companies that have such dominant control over certain spheres of the internet, they have less incentive to protect the privacy of their users. 

Ben Yelin: So what EFF is proposing is an entirely new framework to both encourage competition, revitalize competition in this online space, give users more agency over their own data and increase what we call interoperability. 

Ben Yelin: So, you know, when I send somebody a message from my iPhone and they have an Android device, maybe not all of the features on my iPhone are going to be compatible to what that user sees on the Android device. And so that's, you know, a relatively minor interoperability concern, but if you scale that up, you can see how that would be a big issue, where certain platforms are not compatible with other platforms. 

Ben Yelin: So EFF has turned this notion into some policy ideas. The first is to have competitive compatibility - helpfully shortened to ComCom, which I think is hilarious... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Which is a proposal to encourage startups and other tech companies to interoperate - and I'm quoting here - "with incumbent services without their permission." So this would be a way of shutting down the tools that larger companies use to try and stifle competition by making their service the only thing that's compatible with some other service. You know, you have to have a Google device in order to use this particular application. 

Ben Yelin: The second proposal would give companies - or would require companies, rather, to provide a baseline of interoperable access to their services. So, you know, there'd be some sort of, perhaps, federal standard so, you know, that you don't have that interoperability problem. 

Ben Yelin: And this is both an issue in terms of data portability, so that you could access data no matter where that data is transferred and no matter which companies hold it, and what they call back-end interoperability, which would require large companies - so the Facebooks and Googles of the world - to, quote, "maintain interfaces that allow their users to interact fluidly with users on other services." 

Ben Yelin: So this is a way to, you know, make the internet a little more user-friendly. It would encourage companies or require companies not to use anti-competitive practices that shut out their competitors and make it so that you're required to use their services if you want the features, you know, from particular applications. And it would do so in a way that would augment user privacy protection. 

Ben Yelin: So it's a really interesting proposal. It's not without its concerns. In one of the sections of the paper, they go into some of the potential privacy concerns with their own proposal. But it's certainly worthy of consideration. 

Dave Bittner: Yeah. It reminds me of, back in the day, those of us who are old enough to remember the breakup of the big telephone systems, you know, into the Baby Bells. And one of the issues there was that, you know, allowing long-distance carriers access to those local phone lines, you know, that they had to be able to - in order to get that call to you, they had to make use of someone else's infrastructure, and they required that those local phone companies do that. It seems to me like there might be some parallels here. 

Ben Yelin: Yeah, I think that's exactly right. I mean, we've done things in all different types of realms to augment interoperability. We see this a lot in the emergency management field, which I'm in, in some of my consulting work, where you have radio systems that were not compatible, that were using different channels. You know, maybe the police radio system couldn't communicate with the fire department system. And that creates major problems for the public and the users because it makes these systems inaccessible and it just makes them more difficult to use. 

Ben Yelin: So, you know, interoperability is so important. Having some standardized system that companies are required to adhere to really makes the user experience much more fulfilling. 

Dave Bittner: Yeah. No, it's fascinating, and it's hard to imagine, you know, some of these walled gardens like Facebook, you know, being OK with something like this, so - but I guess that's where the regulation part comes in - right? - that they wouldn't have a choice. 

Ben Yelin: They wouldn't have a choice. I mean, that's - you kind of shoot for the moon when you come up with a policy paper. Would the current United States Congress pass something like this? Probably not. But ideas have to start somewhere, and this is sort of the EFF's - what their dream policy would be to encourage interoperability and improve competitive practices in the industry. 

Dave Bittner: Yeah. 

Ben Yelin: So it's not like, you know, some legislator is going to take this in its entirety and turn it into a federal statute. But this is just an idea of how it could be done in the future. 

Dave Bittner: Yeah. All right, well, it's interesting stuff. It's titled "Privacy Without Monopoly: Data Protection and Interoperability," again, written by Bennett Cyphers and Cory Doctorow over on the EFF website. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The taste the leading canned drink can't match. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.