Alleged BND surveillance of news organizations. Snake Wine in Japan, for disinformation? Singapore military phished. Google discloses more Microsoft unpatched bugs. Cloudbleed update. CloudPets may have privacy issues.
Dave Bittner: [00:00:03:17] The BND may have been listening to the BBC, but not in a good way. Cylance reports on Snake Wine, a curiously familiar vintage sniffed in Japanese networks. Singapore's military sustains a phishing campaign without sustaining apparent damage. Google discloses more unpatched Microsoft vulnerabilities, these in the IE and Edge browsers. Criminals claim to have exploited Cloudbleed, but the jury's still out. And watch your language around those networked stuffed animals.
Dave Bittner: [00:00:38:08] Time for a message from our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve but your costs will drop, and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you need to check out Netsparker.com. Try it out free with no strings attached. Go to netsparker.com/cyberwire for a 30-day fully functional version of Netsparker Desktop, and by fully functional Netsparker means, yes, really, actually, truly fully functional. Scan the website with no obligation. Check it out at netsparker.com/cyberwire, and we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:45:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 28th, 2017. Spiegel reports that Germany's foreign intelligence service, the Bundesnachrichtendienst, has, since 1999, conducted surveillance operations against a number of news agencies, including Reuters, the BBC, and the New York Times. Spiegel says approximately 50 telephone, fax and email addresses were on the surveillance list, many of them apparently associated with bureaus in South or Central Asia. The story has stirred up the opposition in the Bundestag, reviving suspicion that the BND was engaged in some sort of unseemly espionage in cahoots with other services, like GCHQ or NSA. The alleged surveillance would have begun under Chancellor Merkel's predecessor, Social Democrat Gerhard Schröder, which suggests that surveillance is as much a center-left game as it is one for the center-right. In any event, it will be Angela Merkel answering the questions.
Dave Bittner: [00:02:51:08] Cylance has found a threat group operating against business and government targets in Japan. They're tracking the campaign as Snake Wine but the operation looks a great deal like APT28, also known as Sofacy, which, of course, became famous over the past year for its involvement in apparent attempts to either influence or discredit the US elections. Snake Wine has a lot in common with attacks attributed to Russian intelligence services, particularly in its registration style which Cylance calls eerily similar. But in this instance there's a degree of ambiguity, since some aspects of the campaign seem to be marked with China's spoor, and even using some infrastructure, that's made itself available to a number of actors, including the Republic of Korea's intelligence services. That's South Korea, not North Korea. The threat actors have adopted a variety of measures to baffle attribution. Their goal is a matter of speculation, but Cylance thinks there's a good chance Snake Wine is ultimately aimed at disinformation.
Dave Bittner: [00:03:51:02] The Snake Wine campaign began in August 2016. So far, all of the attacks that have been detected appear to be the result of phishing members of the targeted organizations. So again, click with care. Personal data belonging to about 850 members of Singapore's military service have been stolen in an apparent attempt to penetrate that country's Defense Ministry. The theft was successful but the penetration wasn't. Authorities in Singapore believe the culprit is some state actor, with most signs pointing in this case to China. As of March 1st, New York State will be the first to implement new cybersecurity regulations for financial services organizations. We checked in with Steven Grossman from Bay Dynamics to find out what these regulations might mean.
Steven Grossman: [00:04:38:21] The intent of the regulations, in the first place, is really to get everybody in New York State that's within the financial services at a common baseline for their cyber security - establish a minimum standard, so that customers and the community in general can have confidence, from a cyber point of view, that the institutions they are dealing with are operating in a secure manner and protecting their information and their transactions to the highest level possible.
Dave Bittner: [00:05:09:23] Can you give us some examples of some of the new regulations that caught your eye?
Steven Grossman: [00:05:14:00] Yes, for example, when it talked about having to do pen testing and vulnerability assessment based on the risk assessment. Actually, one of the other things that it adds in, which I think is key, is continuous monitoring, which you see in many companies with other kinds of regulations, PCI, for example, where they have a particular requirement that needs to be reported every quarter. You'll see companies going through a big scramble every quarter, trying to do scans, assess vulnerabilities, dump things out in spreadsheets, create reports and email them around to ensure that everybody is compliant at that point in the quarter so that they can have satisfactory reporting done at the right time. But then, as you move further past that reporting period, things tend to slack a little bit until the next reporting period. What they're calling for here is the ability for continuous monitoring, which means that each and every day of the week you should understand what your posture is and be remediating on a daily basis so that your quarterly reporting is really no big deal. The other most significant thing of this regulation, or aspect of this regulation, is the fact that it asks for the CFO or the executive officer of the corporation to sign on the dotted line as to their compliance with the regulation. That starts to put people's personal skin in the game and that, I think, will raise the level of accountability by executives to actually be paying closer attention to the fact that they really are compliant and not just checking the box on compliance, which differentiates this one from many of the other regulations that we've seen.
Dave Bittner: [00:07:07:04] That's Steve Grossman from Bay Dynamics.
Dave Bittner: [00:07:11:17] Google has disclosed another set of unpatched vulnerabilities in Microsoft's Internet Explorer and Edge browsers. While Google's Project Zero has been reticent about the details, lest they render exploitation easy, it's believed the flaws could render users vulnerable to remote code execution. Google had earlier disclosed vulnerabilities Microsoft was thought to have been ready to patch two weeks ago. When Redmond omitted those from its monthly round of fixes, Google went public. Observers speculate that Microsoft will address both sets of vulnerabilities when it issues March's patches.
Dave Bittner: [00:07:47:16] The other troublesome issue uncovered by Google, Cloudflare's Cloudbleed vulnerability, may be undergoing exploitation by at least one illicit carder forum, CW2Finder, some of whose members have claimed to have obtained paycard credentials by using the bug. Those claims are currently unconfirmed but warrant watching. We'll hear later from the Johns Hopkins University's Joe Carrigan about the extent of Cloudbleed, and what measures the prudent should adopt to protect themselves. Naked Security has kind words for both Google and Cloudflare in this matter. For all the anger the vulnerability prompted, the Sophos news service argues that, in fact, the incident shows the system works. Google found it, told Cloudflare, which patched the problem and began notifying potential victims of their exposure. Some of the controversy surrounding the bug's discovery and disclosure centers on the Google researcher's relatively quick public announcement, which some observers see as unfairly jamming Cloudflare.
Dave Bittner: [00:08:48:08] ESET patches its Mac antivirus. Users of ESET's products are urged to apply the fixes. Finally, in another report from the island of misfit toys, there are reports that Internet-connected stuffed animals from CloudPets come with privacy flaws that record and report conversations held in the toys' vicinity. Researcher Troy Hunt drew attention to the issue yesterday in his blog, Have I Been Pwned? According to Hunt, the manufacturer, Spiral Toys, left some 800,000 customer credentials exposed in a publicly accessible site. They'd contracted with Romanian company mReady for storage of the credentials, apparently emails and passwords, in a MongoDB database. Criminals are thought to have accessed the information several times in December and January. Also exposed were more than two million voice recordings of parents and children talking to, or around, their CloudPets. So remember, little pitchers have big ears, and so do their animal friends, and their animal friends' manufacturers, and their animal friends' manufacturers' third-party contractors, and so on, ad infinitum.
Dave Bittner: [00:10:02:03] Time to take a moment to thank our sponsor, Palo Alto Networks. You can find them at go.paloaltonetworks.com/secureclouds. Public clouds like Amazon Web Services and Microsoft Azure are great business tools but it can be easy to forget that when you use them security isn't just their job alone, it's a shared responsibility and we know it's not always easy to share but Next Generation cloud security can make it a lot easier. It gives you the visibility you need to control your apps and reduce your attack surface from the network to the cloud. With Palo Alto Networks you get the broadest, most comprehensive cyber security for all cloud and software service environments. Make sure your apps and data stay secure and protected. Your customers and stakeholders expect it. Secure clouds are happy clouds. Find out how to secure yours. Get started at go.paloaltonetworks.com/secureclouds, and we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:11:05:17] I'm pleased to be joined, once again, by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, security company Cloudflare had what we in the business call a bad day recently.
Joe Carrigan: [00:11:16:10] Yes. They're a web hosting company and they're a big one. They handle about ten percent of the Internet's web traffic, and recently they had a bug in their code that allowed information to be leaked. It was found by a researcher at Google. It's an obscure bug. They're calling it Cloudbleed because it is reminiscent of the Heartbleed vulnerability from a couple of years ago. The problem is a boolean operator in the code: somebody used a greater-than-or-equal-to as opposed to an equal-to, and that allowed more information to come out. I'm not sure of all the technical details, but it certainly seems like something very similar to Heartbleed, where you could ask for more characters than you said you wanted and it would just dump memory back to you in the response. With these boolean operators in code, you could be reviewing the code and look at it and say this should work just fine, because you're not considering the edge case where somebody is asking for more information than they should be asking for and the program will give it to them.
Dave Bittner: [00:12:17:12] So it'll make it through testing and, certainly, this system has been deployed for a while before anyone noticed there was a problem.
Joe Carrigan: [00:12:24:22] Yes, exactly, made it through testing and code reviews just fine.
Dave Bittner: [00:12:27:21] It's interesting. The other thing you and I talk about a lot are passwords and they're saying change your passwords.
Joe Carrigan: [00:12:33:12] Yes. This is the host for companies like Uber and OkCupid and some other big names. I wouldn't be in a panic telling people to go out and change their passwords but you certainly cannot hurt yourself right now by changing your password. You can never hurt yourself by changing your password and, if you follow my frequent advice of using a password manager, it's very easy to do.
Dave Bittner: [00:12:58:07] Right. Get yourself on a schedule to change those passwords.
Joe Carrigan: [00:13:03:04] Then, when you have an event like this, just go out and make sure you can change your passwords again.
Dave Bittner: [00:13:07:13] Joe Carrigan, thank you for joining us.
Joe Carrigan: [00:13:09:00] My pleasure Dave.
Dave Bittner: [00:13:12:05] And that's The CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber threats point your browser to cylance.com. We hope you'll check us out on Twitter, Facebook and LinkedIn and, if you're so inclined, please leave us a review on iTunes. It's one of the best ways to help people find our show. So thanks in advance. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.