The CyberWire Daily Podcast 5.11.17
Ep 347 | 5.11.17

French media recover from DDoS. XavirAd infests Android ecosystem. Zero-days patched, but exploited in the wild. Mother's Day gift card hacking. Telephonic harassment.

Transcript

Dave Bittner: [00:00:00:14] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:12:05] French media sites recover from a massive, successful DDoS attack. Android adware harvests and reports PII. Microsoft's quick patching of zero-days includes three that are being exploited in the wild by state and criminal actors. Advice on Mother's Day gift cards, and some news about skids and harassing phone calls.

Dave Bittner: [00:00:36:04] Time to tell you about our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily; they do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:40:07] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 11th, 2017.

Dave Bittner: [00:01:51:00] Cedexis, a Paris-based provider of cloud and network services that operates internationally, was taken offline by a large distributed denial-of-service attack yesterday. Many media companies are Cedexis customers, and the hardest hit in the incident were French media outlets, including Le Monde and Figaro. Services have been restored. Investigation is in progress, but the source of the attack is, for now at least, unknown.

Dave Bittner: [00:02:17:06] Sophos describes Android XavirAd, an adware library recently found infesting Google's Play Store. The adware strain is particularly objectionable in that it improperly collects personal information after users have specifically declined to provide their data to the ads XavirAd serves up. The app introduces itself with a high-minded privacy policy that disclaims any collection of personal information, but, of course, that's exactly what it goes on to do, sending the data off to its controllers. It's noteworthy that the adware employs a variety of evasive techniques, including sandbox detection.

Dave Bittner: [00:02:54:13] Microsoft is getting some good reviews for its quick patching of zero-days. That's good, because of course those vulnerabilities have been swiftly exploited in the wild. ESET and FireEye report on the use in the wild of three zero-days Microsoft patched this Tuesday. They say the zero-days were all exploited by the Russian cyber espionage group Turla (also known as KRYPTON, Snake, Uroburos, Waterbug, or Venomous Bear, presumably from the same litter as sisters Cozy and Fancy). Some of the flaws were also exploited by some "financially motivated" gangs in Russia, perhaps another instance of the familiar interpenetration of security services and the underworld.

Dave Bittner: [00:03:35:06] Just how at risk is your company's data? According to security platform vendor Varonis, perhaps more than you think. They recently released the 2017 Varonis Data Risk Report. Ken Spinner is their VP of Global Field Engineering.

Ken Spinner: [00:03:50:07] What we found after doing the assessments that we've been doing for our customers for the last two to three years, is we found that there was interesting information contained within the assessments. And what we decided to do, is we decided to mine the data that we were collecting from all the different customers that we were performing these assessments for, and the reason we did that was we felt there was value in combining this information, extrapolating it out and providing the information back to the industries, so that people within the security industry and the IT industry could get a better understanding of what the issues were in terms of protecting data. And what we found, you know, in terms of results is that people are using this information to go back to boards and to go back to financial people and say, "Here's quantified risk, and these are the things that we need to do about it."

Dave Bittner: [00:04:40:23] So take me through some of the key findings in the report.

Ken Spinner: [00:04:44:04] The data that we collected came from a number of different organizations, a number of different countries. I think the companies that were represented in here were from somewhere in the neighborhood of around 12 countries, 33 industries and they had between about 50 and 10,000 employees. And what we found was that roughly 20% of the folders that were analyzed were open to everybody in the company. And what that means is that any time somebody got access to a corporate network, roughly 20% of their data was potentially exposed to that person who came in there. And that person could be, let's say anywhere from a senior level executive to somebody who's purely there to visit, let's say one of their co-workers or one of their colleagues, you know, from a different company. So certainly concerning.

Ken Spinner: [00:05:31:23] And another key data point that we found was almost half of the assessments that we performed found over a thousand sensitive files that were open to everybody. Once again, what that means is that this data, which could contain proprietary information for the company or sensitive employee information or sensitive medical information, everybody who got access to that network could access that information.

Dave Bittner: [00:05:56:21] Now one of the things that the report shed light on was risks associated with stale data. Can you explain to me what that means?

Ken Spinner: [00:06:05:13] Sure. Well, in any organization, people have been gathering and collecting data and creating data and modifying data for years and years and years. And the one thing that really doesn't happen in any organization is people don't really go back and look at the data that they have and figure out which data is actually being used and which data's not being used. And what we found in terms of statistics was that for data that was analyzed over a six-month period, roughly 71% of all folders in the sample were stale. And what that means is that there's a significant opportunity for companies to save money and to reduce risk purely by looking at their stale data and reacting to, you know, these types of statistics.

Dave Bittner: [00:06:45:12] That's Ken Spinner from Varonis. You can find the Data Risk Report on their website.

Dave Bittner: [00:06:52:03] A public service announcement. Sunday is Mother's Day in the US, the second biggest holiday minefield in North America. If you've put off gift-buying to the last minute, think twice before settling for the lowest-common denominator present of them all: the gift card. Not only is it impersonal, unlike the clay candy dish you probably made and gave her when you were in kindergarten, but gift cards have themselves recently become a favorite target of cybercriminals. Automated bots are scanning for cards and scooping up their unused balances, which can then be resold on the dark web.

Dave Bittner: [00:07:24:23] We heard from The Media Trust's Chris Olsen, who pointed out this kind of theft not only hurts customers, but the brands that issue gift cards too. He urges businesses to take a holistic approach to security, privacy, and user experience, and he thinks they can do it: "you can effectively balance revenue objectives and compliance with the company's policies and regulatory requirements." We'd add this: flowers are almost always appreciated.

Dave Bittner: [00:07:52:13] And finally, phishing phone calls are one thing; the "Microsoft help desk scam" is well known to you, our audience. Those scam calls are motivated by the same thing that drives phishing emails, basically credential theft and privilege escalation. But what about calls where the motive is less clear? We've all gotten prank phone calls, and we'll bet that some of your tastes are low enough that, let's be honest here, girls and boys, and we're looking mostly at you, boys, you've yukked it up over calls advertising books written by the well-known author Ignatz Porterhouse Freely, who usually uses just the initials of his first and middle name. Or even inquiries about whether a store "has Prince Albert in a can." Right, you'd better let him out. We endorse none of this, and discourage it even when it doesn't rise beyond the nuisance level of a day-before-Halloween ding-dong-ditch or a call to Moe Szyslak's bar. We are, after all, a family show, and members of the security community.

Dave Bittner: [00:08:47:18] But there are other, more irritating and even dangerous forms of harassment, and these are no joke at all. Flashpoint describes an apparently motiveless telephone harassment campaign. The skids used "Phonecord," a telephonic bot service. Among the recipients of the prank calls are police organizations (including Britain's NCA and the US FBI) and also pizza chains (who saw that coming?), hotels, and ordinary people whose personally identifiable information has been exposed in earlier breaches. Phonecord has been used for both DDoS and swatting. The effect of DDoS is well known, and while the UK's National Crime Authority and the US FBI can cope with it, it's harder if you're Mama Mia's Chicago-Style Pies, or the Dew Drop Inn. It can be even scarier if you're just some ordinary citizen whose PII has been swept up and dumped in a breach. And swatting, of course, when the police are called to your house by a prankster who says you've got a gun and are cooking tar heroin, is the scariest of all.

Dave Bittner: [00:09:48:07] It's one more reason for legitimate businesses and government agencies to look to the security of their customer databases. And one more reason to hate operations like XavirAd. We doubt they've got the security of their marks at heart.

Dave Bittner: [00:10:06:03] Here's a message from our sponsors at E8. They'd like to invite you to take a joyride. But it's not the kind of bad behavior that you'll find in the joyrides of say, the Blues Brothers or the Italian Job, it's a joyride into behavioral analytics, the indispensable tool for being able to tell good behavior from bad behavior. You'll know the bad actors by what they do, how they behave and not by who they say they are. The experts at E8 are offering you a first hand look on a small scale with no obligation at what behavioral analytics can do for you. Go to e8security.com/joyride and hop on in. Seeing is believing. So go to e8security.com/joyride and let E8 show you what they can do. And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:54:12] Joining me once again is Ben Yelin, he's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. It's been all over the news that we not too long ago passed the first 100 days in the Trump administration and everything that comes with that, so I thought it'd be a good opportunity for us to look back in terms of cybersecurity, what have we seen in the first 100 days or so with President Trump?

Ben Yelin: [00:11:17:04] So we haven't seen much; certainly he hasn't produced the sort of policies that he's promised. The President, during the campaign and during the transition, promised the American people that he would release an executive order on cybersecurity, and as of this recording, he's still not produced that executive order. The one hint we do have about his cybersecurity priorities is that he has requested, through his Budget Director, Mick Mulvaney, additional funding to protect federal networks in his budget proposal. And that's particularly notable because, besides the areas of defense and national security, pretty much every other discretionary government function, domestic function, has been targeted for cuts. So if we want sort of an idea of whether the President is prioritizing cyber defenses for government networks, then I think it's a particularly encouraging sign that he has proposed this funding increase.

Dave Bittner: [00:12:17:15] And in terms of ability to enact policy, to put things in place, is it a matter that the President and his staff have simply been busy with other things? With health care, with trying to get a budget passed and so forth?

Ben Yelin: [00:12:32:06] Well, I will say that this isn't the only promise that has been broken. If you actually look at the waning 14 days of the campaign, the President listed his official legislative agenda for the first 100 days, and I don't think he's been able to enact a single one of them. So it's not that cybersecurity in particular has fallen by the wayside; I think through a combination of maybe a learning curve and, you know, having to deal with some of his other priorities, a lot of his both legislative and regulatory initiatives have gone on the back burner. Another major problem for him in this, which certainly affects cybersecurity as well as all other federal policy, is that he's vastly behind on appointments. I think compared to the, you know, two or three previous administrations, he's made 25% of all the confirmable cabinet position appointments. And that means that many of these federal agencies, including the ones that implicate cybersecurity, are drastically understaffed at this point.

Ben Yelin: [00:13:29:14] And the staff that is there, I think, are sort of waiting for some sort of policy direction. That's what an executive order would produce: it would give, you know, some of these career staff members and government agencies like NIST at least some guidance as to what the policy is going to be. But so far, I think they're sort of as in the dark as we are about what the priorities are.

Dave Bittner: [00:13:52:14] Alright, time will tell. As always, Ben Yelin, thanks for joining us.

Dave Bittner: [00:13:58:18] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:14:16:00] If you enjoy the CyberWire every day, we hope you'll consider leaving a review for us on iTunes. It is one of the best ways that you could help other people find our show. And of course you can show your support for The CyberWire by supporting us on Patreon. Visit patreon.com/thecyberwire to find out about how to become a contributor and all of the benefits we put together for those who give.

Dave Bittner: [00:14:37:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.