Influence operations. A new Mirai version is potentially more dangerous than the old one. Proofs of concept. New York's cyber security regulations for banks. What Verizon will get from Yahoo!
Dave Bittner: [00:00:37:01] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, you need to check out cybersecjobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs: WakeMed is looking for an information system security officer to help safeguard sensitive information. You'll find this and other great opportunities at cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.
Dave Bittner: [00:01:40:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 22nd, 2017.
Dave Bittner: [00:01:50:21] As US investigation of Russian attempts at influence operations during the last election cycle proceeds, France warns Moscow to stay out of upcoming French elections. There are concerns that Russia Today and Sputnik, in particular, are peddling scandal disinformation about disfavored candidates - mostly candidates of the center-right.
Dave Bittner: [00:02:12:00] Kaspersky Lab researchers are tracking an evolved Windows-based botnet that's spreading Mirai malware. The emerging Mirai variant under examination also seems able to migrate to Linux systems. Kaspersky concludes from an inspection of the code that the person or persons behind it are more sophisticated than Mirai's original author. Recall that Mirai's source code was released last year, which suggests that such refinement and propagation was probably effectively inevitable.
Dave Bittner: [00:02:41:07] Kaspersky speculates that the actor researchers call a "muck spreader" probably has some large-scale attacks in view, although it's also worth remembering in this context the widespread concern last November that the original Mirai was a dress-rehearsal for a massive, state-directed, Internet takedown.
Dave Bittner: [00:02:58:12] The muck spreaders are thought in this latest version to be Chinese, or at least Chinese-speaking. The code was compiled on a Chinese system, host servers appear to be in Taiwan, and the controllers are abusing code-signing certificates stolen from Chinese companies. Infections have so far been limited, but researchers think the countries most likely to be hit with bigger waves of Mirai are quote, "emerging markets that have invested heavily in connected technology." End quote.
Dave Bittner: [00:03:26:17] Researchers report unpatched FTP protocol injection vulnerabilities in Java and Python. The Russian security company ONsec described the technique in 2014, but their warning attracted little attention. Researchers at Blindspot Security have recently gotten people's attention by demonstrating that FTP protocol injection can be used to bypass firewalls. They've tested it successfully, they say, against firewalls from Cisco and Palo Alto Networks, but they suspect it would work equally well against any number of other Linux-based firewalls. Blindspot told Bleeping Computer they disclosed the exploit to the Python team in January 2016, and to Oracle last November, but that no patches have yet been distributed.
Dave Bittner: [00:04:34:21] A trend we've been tracking is the growth of fileless attacks as a way for adversaries to gain access and escape detection. Mark Dufresne is Director of Threat Research and Adversary Prevention at EndGame, and we asked him for an overview of fileless attacks.
Mark Dufresne: [00:04:50:08] Traditional security tools are, you know, largely file-centric in their detection. So they look for files written to disc, files that are executing, what's backing a process and scanning that file. Adversaries know that, and so it's quite interesting and much easier for them to evade defenses if they're running only in memory. And that is largely because memory - I think of it as a very permissive environment for attackers these days, because it's very, very challenging to do memory forensics at scale. You know, a lot of people just pick a few critical systems, and maybe once a quarter will take a full memory image of those systems and do offline forensic analysis; which means, you know, combing through and searching through, you know, many gigs of RAM, which is a very kind of niche skill that, it's just hard. There's really two aspects to this problem: one aspect of this is how do they hide in memory, and that's done by, typically by process injection, which means running your code in the memory space of another process. It's a technique that's been around for a really long time; a tried and true thing that adversaries do.
Mark Dufresne: [00:05:53:23] Using tools, these days there are tools like PowerShell and, and things of that nature, which are commonly used admin tools that are very powerful and allow you to just go actually take--skip that whole file-based step and just do process injection into a running process using just PowerShell, which is an admin tool in everybody's box. And so, what you're able to do at that point is skip that whole file-based detection step if you're able to successfully inject, and then you're running in memory in a way that's very difficult for traditional tools to detect. And so, we're seeing a massive explosion in the number of actors doing exactly that, or maybe having like a hybrid approach where they might drop a, like an initial file on disc, but then everything else happens only in memory.
Dave Bittner: [00:06:36:21] And at that point, once they're in memory, is your best hope, you know, scanning for exfiltration?
Mark Dufresne: [00:06:42:06] Yeah. I mean, that's how--So some tools that are out there, they'll attempt to detect that process injection step by looking at a whole bunch of events created on end points and having rules for saying, "Hey, if these five things happen, a process injection might have happened. You might have a problem. Go look at that." That doesn't really address the full scope of ways that adversaries can do this, so it's not the best approach. I think still the stats are about half of breaches are discovered through external notification. Like, the typical case is just think of an FBI agent showing up and knocking on your door and saying, "Hey, you have a problem here. Go look here," and then you're really in tough shape because you probably have a well entrenched adversary running in memory all over the place, and how the heck do you find that? Because memory forensics, you know, looking across, you know, 8GB memory images across, you know, maybe 50,000 end points, that doesn't really scale very well. That would take you like years and years and years with forensic experts you don't have. You might just say this, this machine is ex-filling and I'm just going to re-image the box. Well that could work, but then you might lose a bunch of critical data or, or business disruption.
Mark Dufresne: [00:07:45:00] So we have in our platform at Endgame, what we--is a very powerful tool we call Fireless Attack Detection, you know, not requiring this traditional forensics approach to the problem, but it really turns into a, kind of a point and click detection problem.
Dave Bittner: [00:07:59:09] That's Mark Dufresne from Endgame.
Dave Bittner: [00:08:03:09] New York State's new Cybersecurity Requirements for Financial Services Companies will go into effect next Wednesday, March 1st. They're expected to be widely influential, the way California's stringent automobile emission standards shaped the car industry in the 1970s and 80s.
Dave Bittner: [00:08:19:23] Balabit's CTO and co-founder, Balázs Scheidler, points out that one big impact the regulation will have is that quote, "banks are now required to scrutinize their suppliers, and to report on breaches that affect them." End quote. He expresses the hope that the regulations will motivate closer monitoring of third-parties.
Dave Bittner: [00:08:37:23] Prevalent's Jeff Hill agrees that the requirements will drive more attention to third-party risk, something he characterized as the "soft-underbelly" of enterprise security. We'll be watching the Empire State over coming months to see what effects the regulations in fact have. They're likely to extend well beyond New York.
Dave Bittner: [00:08:57:06] As attendees look back at RSA, they seem prepared to award the mindshare prize to Internet of Things security. We would say that artificial intelligence, workforce development, and endpoint security gave the IoT a run for its money. We'll continue to look back at RSA through the end of this week: trends, warnings, spycraft, cyber war, and some of the splashier IoT hacks - a lot of which involve increasingly smart cars. And if you're in the market for a used car, maybe you should think about it in the same way you would if you were buying a jailbroken used phone.
Dave Bittner: [00:09:30:15] We close with a look at some industry news. Verizon has negotiated a discount for its purchase of Yahoo!'s core assets. While Yahoo! has certainly been dinged and dented by a series of large data breaches - those dings and dents are what drove down the price - Verizon still sees value in its acquisition. It's particularly interested in Tumblr, Flickr, and Yahoo! news and fantasy sports services. And with those properties, of course, comes a great deal of potentially lucrative "behavioral data." Online ad revenue continues to be a lucrative venture.
Dave Bittner: [00:10:08:24] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are - and really, who isn't? - you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. That's cylance.com. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:11:08:01] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you know, I know you and I talk a lot about personal privacy. The EFF - the Electronic Frontier Foundation - has some pretty good tools and some pretty good guides available, if that's something that you're interested in.
Joe Carrigan: [00:11:27:07] Right. That's right. If you go to ssd.eff.org, that is their guide for surveillance self-defense - that's what SSD stands for - and they've got some pretty good information there on what kind of tools to use, how to use these tools, how to vet these tools yourself; and that's really the most important thing. You don't know, when you're downloading a tool, whether or not it's a good tool unless you actually go through some kind of vetting process. Right? I mean, how do I know that the open source disc encryption that I'm using is still a good disc encryption tool, right? Should I be using TrueCrypt anymore? Well, the authors of TrueCrypt say no, you shouldn't be using TrueCrypt anymore. Right?
Dave Bittner: [00:12:03:20] Well, and, and how do you know if, if something, if some random tool that you come across isn't actually doing the opposite of what it says it's doing?
Joe Carrigan: [00:12:09:09] Exactly. Not everybody is a software engineer. Not everybody--even those that are software engineers, few of them can actually reverse engineer a product or, or do, you know, analysis on it to see what's, what's going on behind the scenes and see what kind of information is being sent out, and how, and where.
Dave Bittner: [00:12:26:20] One of the things I like about this surveillance self-defense kit is that, you know, like yourself I get asked by a lot of people - family and friends - what do I do to protect myself? And this is a good way--this is a good starting point for people who aren't in the business to kind of get a run down of what to do, and why and, you know, some, some tools that are really accessible.
Joe Carrigan: [00:12:47:16] And they, they talk about password managers in here, which is one of my favorite topics. Once you start using a password manager, there's really no excuse for repeating passwords across different sites. And that's really one of the ways that people get taken advantage of, is they're using one password across all their sites. And if one of these sites gets breached, and the password is encrypted - even if it's a very strong password - if the password is encrypted with a weak hashing algorithm or, - God forbid - not encrypted at all, now you've just opened yourself up to these people coming into all of your accounts. But, a password manager really makes it easy to use a different password on every single site.
Dave Bittner: [00:13:27:16] I have these conversations with friends and family, and probably you hear the same thing that I do where I say to them, "Do you reuse passwords?" And they kind of sigh and say, "Yeah, I know I shouldn't but..." Everyone--Well, so many people just do it because it's so hard not to.
Joe Carrigan: [00:13:46:23] If you get a password manager, it's not hard to do it anymore. I mean, you could ask me right now what my Facebook password is - I don't know what my Facebook password is. I don't know what my Twitter password is. I don't know any of this information. I just don't waste my time thinking it. I do know the, the "combination" - and I'm, I'm using quotes, since we're on a podcast, I'm doing the finger quote thing - the combination to my safe, that's just one big password. I know what that password is, but I don't waste time remembering 20, 20 character random strings. I just let a computer do that. Computers are very good at that.
Dave Bittner: [00:14:20:22] All right. Well, it's good advice, for sure.
Joe Carrigan: [00:14:23:00] Yes.
Dave Bittner: [00:14:23:09] Joe Carrigan, thank you for joining us.
Joe Carrigan: [00:14:24:14] It's my pleasure, Dave.
Dave Bittner: [00:14:28:01] And that's The CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to cylance.dom.
Dave Bittner: [00:14:40:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.