The CyberWire Daily Podcast 5.2.17
Ep 340 | 5.2.17
IBM, Apple, and Intel all fix vulnerabilities and block threats. Neustar's DDoS report. Updates on the DarkOverlord and (separately) LizardSquad. Info ops and what they're after.
Transcript

Dave Bittner: [00:00:03:05] Trojanized USB sticks are out in the wild. So are phishing emails complete with backdoors and spyware payloads. Intel reports and mitigates a major firmware vulnerability in Core processors. ShadowWali backdoors afflict Japanese enterprises. The LizardSquad may be back but you still shouldn't listen to them, still less pay them protection. Neustar looks at DDoS trends. And do info ops heighten the contradictions?

Dave Bittner: [00:00:35:09] Time to thank our sponsor Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. Software as a service applications are changing the way organizations do business, as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete SaaS protection. Providing detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks offers the most comprehensive cybersecurity for all cloud and software as a service environments, because secure clouds are happy clouds. Get started securing yours at go.paloaltonetworks.com/secure clouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:38:23] Major funding for the CyberWire is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 2nd, 2017.

Dave Bittner: [00:01:48:16] Some malware found in the wild affects products by two of the world's largest vendors, IBM and Apple, and Intel has found a vulnerability in its Core processors' firmware. This may be a busy, do-it-yourself week for sysadmins, especially in small and medium enterprises. In the first incident, it appears that IBM inadvertently shipped Trojanized USB sticks to customers. The devices were to be used as initializers for IBM Storwize disk racks. The company has, of course, stopped shipping the drives, and is advising customers to destroy any they've received. The malware is apparently a Trojan dropper that enables installation of other malware. According to researchers at security firm Kaspersky, this particular malware strain has hitherto mostly affected Russian systems. It's basically spyware, and Kaspersky researchers say it reports back to gangland operators.

Dave Bittner: [00:02:45:07] So, if you're received a USB drive from IBM with the part number 01AC585, don't use it. If you already did, IBM recommends making sure your anti-virus software is up-to-date, configuring that security software to scan temporary directories and then, of course, scanning. IBM also has instructions on how to manually remove the malicious file by deleting the temporary directory.

Dave Bittner: [00:03:12:15] Check Point warns that OSX/Dok malware that installs a backdoor and monitors web traffic, has been spreading through European targets. Like most successful Mac malware, it's disseminated through phishing. Apple says Gatekeeper wasn't bypassed and that, although the malware was signed with a legitimate but illegitimately obtained certificate, that certificate has now been revoked.

Dave Bittner: [00:03:37:03] There's also a firmware vulnerability in Intel platforms that researchers say is nine years old. Intel has patched its widely used Core processors, with the fix extending back to its first-generation Core, " Nehalem," which shipped in 2008. The company warns that, if left unpatched, the flaw could lead to remote management takeover of systems using Intel Active Management Technology, Intel Small Business Technology and Intel Standard Manageability. These are widely used by small and medium enterprises, who are advised to work through the patching as soon as they can.

Dave Bittner: [00:04:14:14] We've all seen the ads for the latest and greatest security products, promising that they and only they have the solution that at last is going to solve all the world's cybersecurity problems. Heck, we run some of those ads here on the CyberWire and they are awesome. That said, it's important to not forget the basics. Paul Farrell is CEO of Nehemiah Security.

Paul Farrell: [00:04:36:24] We think it's really important that a lot of good can happen in the industry by doing the unglamorous stuff and the industry headlines get the glamorous all the time, the newest, sexiest exploits and how to block them. But from what our experience is, is that a lot of good can be done by blocking and tackling in organizations day to day, like educating people on hygiene, like don't click on that link. You know, I mean, you, you'd be surprised how many people still click on the links. So it's concentrating on that kind of stuff and then locking down applications. You know, not allowing browser plug ins. Doing upgrades. Patches. You know, identify the problem in your network, manage it and then put stuff in place to protect it.

Dave Bittner: [00:05:26:04] Are we really talking about a balance here of making sure that you're blocking and tackling with the basics but then, you know, having some of the newer tools as well?

Paul Farrell: [00:05:35:17] Correct. We've all got to ride the wave of innovation but what we try to maintain is that innovation is great and we need to keep our fingers on the pulse of the industry from that perspective. But in another case, you can make a lot of headway just doing the blocking and tackling. We're reminding people what they should be doing. We're focusing on putting business cases forward through the financial side of the house, to understand what the risk is by not upgrading or not going to the next version of software, what's the risk exposure? I think, you know, as this industry matures, we're getting away from the fear, uncertainty and doubt. You know, the security salesman comes in and pounds on the desk, "You must upgrade because this is the latest and greatest and if you don't you're going to be exposed," to now what I call saying businesslike is like, "Okay, what's my risk? My risk is-- let's say my risk is $10,000,000." The cost to upgrade is $1,000,000. So we should be able to present those things to the business users and say, "Look, here's your risk, here's your exposure. What do you want to do?" And I think that's where our industry, as it matures, that's where what we need to focus on. We need to focus on going back to basics. The basics of configuration management that we're talking about here and the basics of presenting a business case as to why we need to do things on the IT operations side and the business side.

Dave Bittner: [00:07:03:14] That's Paul Farrell from Nehemiah Security.

Dave Bittner: [00:07:08:22] Security firm Cybereason reports that "ShadowWali," a run-of-the-mill but quietly effective backdoor, has been used to attack Japanese businesses since 2015. ShadowWali harvests credentials. Its author, said to be "highly anonymous" and known to researchers only as "user123," appears to be operating from somewhere in East Asia but his or her or their identity remains unknown.

Dave Bittner: [00:07:36:20] Remember the LizardSquad? A gang of young skids who worked for a while as DDoS impresarios? They're back, or at least someone claiming to be them is. Their stock-in-trade has been to send businesses letters threatening them with DDoS unless they pay protection money. But we've heard from the DDoS protection specialists at Akamai and they say it's mostly hooey. The extortion notes seem to be mass junk mail and you shouldn't, Akamai recommends, consider paying them under any circumstances. The chances that you'd actually be subjected to the threatened distributed denial-of-service attack is vanishingly small. And even if you were subjected to DDoS, there's no reason to believe paying the protection would keep you protected. Keep your Bitcoin in your wallets and if you're trolled by LizardSquad, let law enforcement know.

Dave Bittner: [00:08:26:20] Security company Neustar today released a major study of DDoS trends, real trends, that is, not bulk-mailed nasties like the likes of the LizardSquad. The problem is, unfortunately, real and increasing. The size, pace, and volume of attacks have grown significantly over the past year, as have the costs they exact from enterprises.

Dave Bittner: [00:08:49:02] In the field of cyber conflict, observers continue to point out the conceptual continuity of old-school propaganda with new-school information operations. The latter are troublesome in that technology has lowered the barriers to entry. Now small nation-states and even smaller movements can exert a formidable effect on mass opinion by working effectively online. One of the goals of some of the mass movements is also familiar from the late nineteenth century, heightening the contradictions. The viler the messaging, the more pressure governments come to feel to do something and that something is often a step on the slippery slope to repression. There's a growing Parliamentary sentiment in the UK, for example, to punish social media providers who fail to stop, quote, "hate speech from crossing their platforms," end quote. The Old Bolsheviks would have understood perfectly.

Dave Bittner: [00:09:48:04] And now a moment to tell you about our sponsor Control Risks. Control Risks thinks like your adversaries and knows that they attack as a means to an end. Whether you're worried about malicious insiders stealing intellectual property, state supported foreign competitors targeting M&A data or hacktivists looking to smear your reputation, one thing is clear, a standard technical approach to incident response is not enough to address the entirety of your problem and protect your business's future growth, profit and brand. Control Risks has conducted more than 5,500 complex investigations in nearly 150 countries. Their 360 degree response framework pulls together their expertise in investigations, crisis management, network and host forensics, data analytics and legal compliance support. Effective response often requires more than standard incident response and how you respond can mean the difference between an isolated incident and an enduring crisis. Let Control Risks navigate you through it. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risk for sponsoring our show.

Dave Bittner: [00:11:06:09] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center For Health And Homeland Security. Ben, a story came by on Motherboard about some American farmers who were turning to the black market to get software for their John Deere tractors. Bring us up to speed here. What are we talking about?

Ben Yelin: [00:11:24:16] Sure. So, when a farmer, your average Midwest farmer buys a John Deere tractor, they sign a contract that basically says they don't have a right to repair in the case of any sort of malfunction. They have to call the dealer and the dealer will bring a USB port which, you know, has the relevant software to make the connection. John Deere owners don't like this. They don't want to pay the exorbitant costs of calling the dealer. Sometimes it takes a long time for the dealer to make an appointment and get there. You don't want to interrupt your farming et cetera, et cetera. So many of these farmers have gone to the black market and are buying devices from the Ukraine, buying them online.

Dave Bittner: [00:12:07:01] One of the reasons I think this is particularly interesting is that there's this whole notion of people having the right to repair their devices. And as more and more devices have software being a major part of them-- you know, our cars are computers now-- it's interesting to me that back in 2015 the Librarian of Congress basically carved out an exemption of the Digital Millennium Copyright Act for land vehicles and that includes tractors. But John Deere has found a way around that.

Ben Yelin: [00:12:36:03] Right. They found a way around that by, you know, putting this provision in their contracts. But what the Library of Congress said, in association with the Copyright Office, is that you can't contract away a right to repair. You know, normally when you pirate software, you're going to be charged under the Digital Millennium Copyright Act. But this exception applies to things like land vehicles, including tractors. These are realms that exist in a physical world and have existed in the physical world and it makes commonsense to us that an owner of one of these devices should be able to go in and fix it themselves. I think that was the justification behind the policy change. So it is superseding even the contract agreement that farmers make with John Deere. I think the Federal Government is trying to make it legal to initiate these repairs without a person having to go to the dealer. You know, the broader lesson of this is this right to repair is going to apply more and more when we're dealing with brick and mortar type items that you used to be able to just fix with a screwdriver. Now you need to have some access to software to fix them and there's going to need to be some sort of legal precedent around whether, you know, you should treat it like it's an old Buick or whether you should treat it like a dull computer. The laws have sort of had varying standards to that effect but I think as more and more of these brick and mortar devices require software, I think we're going to start to see more conformity. Maybe there can be a contract provision where the owner of the tractor can make these modifications, can, you know, legally under the law procure software, even on the black market, but they're responsible for any potential damages to the tractors.

Dave Bittner: [00:14:20:23] Right. All right, it's an interesting one. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:27:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. They're the company keeping your data safe with artificial intelligence. You can check them out at cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.