The CyberWire Daily Podcast 2.27.17
Ep 294 | 2.27.17
Cloudbleed and what it means to you. Ransomware updates. News from the Moscow treason trials. Coachella Festival breached.
Transcript

Dave Bittner: [00:00:03:19] Cloudflare suffers from Cloudbleed. The bug's now swatted, but it will take a lot of people some time to clear up their passwords. Spora ransomware's customer service gives lousy service. TrumpLocker ransomware's just VenusLocker poaching some brand equity. Pen testers say they can break into most networks in under 12 hours. The FBI gets asked again how it gained access to the San Bernardino jihadist's iPhone. There's an update on the Moscow treason trials. Are you headed to Coachella? Hang onto your passwords.

Dave Bittner: [00:00:40:03] Time for a moment from our sponsor, Netsparker. You know web applications can have a lot of vulnerabilities, of course you do, you're a regular listener to this podcast, and of course every enterprise wants to protect its website. But if you have a security team you know how easy it is for them to waste time calling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications but it automatically exploits them too and even presents a proof of exploit. Netsparker cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at netsparker.com but don't take their word for it. Go to netsparker.com/cyberwire for a free 30 day, fully functional trial of Netsparker desktop or cloud. Scan your websites with Netsparker for a month, no strings attached. That's netsparker.com/cyberwire, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:44:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, February 27th, 2017.

Dave Bittner: [00:01:53:20] Late last Thursday Google's Project Zero disclosed that Cloudflare was leaking sensitive information online. Cloudflare is a major provider of a content delivery network, Internet security services, and distributed domain name server services. The company has patched the memory leak bug responsible (the flaw is being called cloud bleed) and stresses that the problem with its caching infrastructure affected a relatively small set of the websites that use their DNS services.

Dave Bittner: [00:02:21:19] BitSight explains on its blog that Cloudflare's problems arose from an error in parsing logic that could lead to a buffer overrun that would output uninitialized memory content onto affected web pages. The websites potentially affected by Cloudbleed were those that had either email obfuscation, server side excludes or automatic HTTPS rewrites enabled.

Dave Bittner: [00:02:44:17] Since many popular services use Cloudflare, among them Uber, Fitbit, OKCupid and Patreon, and since data may he been leaking for some time, many researchers are advising users to assume their credentials have been exposed and, of course, to change them. The case is a cautionary one. It highlights the risk of third party memory leaks. A number of industry leaders have weighed in on the issue. David Berman of CipherCloud points out that whilst most service providers support best practices for data-in-transit and data-at-rest, there's still a gap for data-in-use.

Dave Bittner: [00:03:19:08] We also heard from Kunal Anand, one of Prevoty's co-founders. He noted that this story is unusual in that the search engines began picking up the leaked information without realizing they were doing so. "Reputable companies like Google are taking the extra step to purge their search caches for this sensitive information." Anand urges the sites and services affected by Cloudbleed to do API key and password resets across the board. We hope, like Anand, that this doesn't give enterprises migrating to the cloud or to infrastructure-as-a service option too many headaches.

Dave Bittner: [00:03:55:07] Shuman Ghosemajumder of Shape Security pointed out that this is "one of the widest exposures of confidential and sensitive consumer data ever observed." While it's unlikely that all of your passwords have been compromised he says "the problem is that almost any one of your passwords on over four million websites could have been compromised. So the safest course of action is to act as though all your passwords were compromised." This should also remind everyone of what a bad idea it is to reuse passwords.

Dave Bittner: [00:04:28:10] Ransomware and DDoS remain fixtures of the threat landscape. F-Secure describes the "ruthlessness" of Spora Ransomware's controllers. The security company has been reading through transcripts of interactions between Spora's "customer service" and the ransomware's victims. Whether you're pleading poverty or asking for sympathy because you just want your grandchildren's pictures back, or even if you tried to pay but lost your Bitcoin because Spora's payment system botched accounts receivable, the answer's the same: a mechanical refusal to consider a discount or even show ordinary human understanding. But then this isn't surprising. There really aren't many Robin Hoods or other honorable thieves out there in the criminal underground.

Dave Bittner: [00:05:11:11] Those who've been following the ongoing Moscow treason trials will recall that Russian authorities have been careful to insist that the defendants stand accused of having handed information, not to the CIA proper, but to "Americans." Over the weekend it's emerged what Americans those are thought to be. At least one of the defendants, Ruslan Stoyanov, is accused of passing State secrets to US companies, notably to Verisign's iDefense cybercrime unit. The accusations date back to 2010, and were leveled by the Russian online payment company ChronoPay. ChronoPay says it's looking forward to cooperating with the prosecution.

Dave Bittner: [00:05:51:05] Now that iPhone forensic and cracking shop Cellebrite has revealed more of its available services, the US FBI is being asked again, how it gained access to the San Bernardino jihadist's iPhone, and how much it paid for any assistance.

Dave Bittner: [00:06:06:20] Security firm Nuix has been surveying penetration testers - those are the good guys, white hats, who tests systems for security by attempting to break into them with the owner's permission. Nuix concludes that a determined hacker can generally get into a network within 12 hours. This sounds bad enough but Lamar Bailey of Tripwire thinks the conclusion, if close-read, is marginally less alarming. Bailey points out that most network intrusions still occur by exploiting known vulnerabilities that have been left unpatched. So his advice remains, pay attention to the basics. Why make it easier on the attacker than necessary?

Dave Bittner: [00:06:43:20] And you've heard of Trump Towers and any number of other places and products associated with the eponymous 45th US President. Here's another one. TrumpLocker. But the name is adventitious, if not deceptive. Mr Trump isn't involved. And TrumpLocker's not even new and huge or yuge. It's just a thinly repacked version of the old VenusLocker ransomware.

Dave Bittner: [00:07:08:13] Finally, headed for the Coachella Music Festival? We hear it's like Burning Man meets Bob Hope but admittedly, it can be hard to hear from one shining sea to another, so perhaps we got it all wrong. Anyway, we're sure it's a swell time. So enjoy it if you find yourself between the Joshua Trees and the Salton Sea in California's low desert. But there's a snake in the heavily irrigated garden. Isn't there always? In this case, the snake is one hacker going by the Slavic themed name "Berkut". He or she or they is selling more than 950,000 user accounts for the popular music fest in the Tochka black market. Some of them seem legitimate. So watch your credentials and consider paying cash for your flowered headdress.

Dave Bittner: [00:07:57:11] Time to thank our sponsor Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. The cloud is a remarkable business enabler but when you use public clouds like Amazon Web Services and Microsoft Azure, remember that security is still a shared responsibility. They're your apps and your data and no one cares more about securing them than you do. Palo Alto Networks' Next-Gen cloud security can help. It gives you complete visibility to control your apps and reduce your threat surface area from the network to the cloud. Stay secure and protected wherever your apps and data may be. Palo Alto Networks offers the most comprehensive cyber security for all clouds and software service environments because secure clouds are happy clouds. Get started securing yours at go.paloaltonetworks.com/secureclouds, and we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:08:59:03] Joining me once again is Ben Yelin. He's the senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, a story came by from TechCrunch. President Trump put in a hiring freeze across the Federal Government but that is going to affect cybersecurity, specifically some cybersecurity students?

Ben Yelin: [00:09:18:20] Yes, so there's this really great program, it's called the CyberCorps Scholarship for Service and it allows students who have graduated with some technical degree to have some sort of loan forgiveness if they take a job in the public sector. The problem is that with this hiring freeze there are not many jobs that are going to be hiring, only if there are some vacancies. Will the Federal Government be hiring people using this scholarship? The way the scholarship works is that if you are not able to obtain a public sector job within a certain time period after graduation then you are liable to pay back those loans. So it's not just that we're depriving the Federal Government of young talent in cybersecurity and again, this is something that President Trump himself has said is a critical issue, but we're forcing many of these students, who may have been relying on obtaining this scholarship and getting public sector employment, to be massively in debt when they come out of school and I think it's a penny wise and pound foolish policy.

Dave Bittner: [00:10:23:14] So is this a situation where some students had headed off to college and made their plans based on this program and now the rug is sort of being pulled out from under them?

Ben Yelin: [00:10:35:04] I think that's exactly what's happening. Now there are other opportunities that are not with the Federal Government that the scholarship also allows people to get public sector jobs at the state local level but the real bulk of government jobs relating to cybersecurity, because this is a national issue with national implications, are going to be federal jobs. I mean it's the Federal Government that has, NIST, it's the Federal Government that has the cybersecurity task forces. So, again, while there may be jobs available for any of these students in state and local governments, we're still cutting off a major, major potential source of jobs for students who are relying on this program to go through school.

Dave Bittner: [00:11:21:02] Yes. The article points out that the National Security Agency, the NSA, has its own version of this program, called the Stokes Educational Scholarship Program, and it's likely that that's exempted because of NSA's role in national security but so far, OPM hasn't really issued clear guidance on this.

Ben Yelin: [00:11:36:19] Yes, that's another problem is that there's the sort of vague exception to the general Federal hiring freeze for military and national security. But that leaves open a number of questions. What counts as national security? As we've said, the President himself has declared cybersecurity to certainly implicate national security. So, does a program like the one you discussed with the NSA qualify for that? I think there's not a lot of clarity and that's one of the problems with many of these executive orders so far is that the policies themselves aren't supplanted with clear guidance to federal agencies as to how they're gonna be implemented. So it creates confusion and it can create real heartache for students who are relying on these scholarships for gainful employment, and really all of us who want the federal government to be hiring the best and the brightest. There's going to be a major talent drop off because of this policy.

Dave Bittner: [00:12:33:11] All right, Ben Yelin, thanks for joining us.

Dave Bittner: [00:12:38:00] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to Cylance.com. We hope you'll check us out on Facebook, Twitter and LinkedIn and if you'll head on over to iTunes and leave a review for our podcast, well, that's really helpful as well. It's one of the best ways that you can help new people find our show. So thanks in advance.

Dave Bittner: [00:13:08:17] The CyberWire podcast is produced by Pratt Street Media. Our editor John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.