The CyberWire Daily Podcast 9.25.17
Ep 441 | 9.25.17

Deloitte hacked. Verizon AWS S3 exposure. Phantom Squad's protection racket. Nuclear tension expected to spawn cyberattacks. Updates on CCleaner backdoor and FinFisher distro. Carlos Danger goes to jail.


Dave Bittner: [00:00:00:16] Thanks once again to all of our Patreon supporters. You can find out how you can support our show by going to Thanks.

Dave Bittner: [00:00:12:16] Reports say that Deloitte has been hacked. A Verizon AWS S3 bucket is found exposed online. Locky is being spammed out in quantity. Phantom Squad hoods run a DDoS protection racket. Kinetic tensions among the US, Tehran, and North Korea raise expectations of cyber offensives. Chinese intelligence thought behind CCleaner backdoor. Unnamed ISPs accused of FinFisher spyware campaign complicity. And Carlos Danger will go to the big house.

Dave Bittner: [00:00:49:02] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future's user conference, RFUN 2017, is coming to Washington, DC, October 4th and 5th. The sixth annual edition of this threat intelligence conference brings together the talented, diverse community of analysts and operational defenders who apply real-time threat intelligence to stay ahead of adversaries. And, since it's real-time threat intelligence, you know it's organized by Recorded Future, the people who know a thing or two about collection and analysis.

Dave Bittner: [00:01:17:05] Recorded Future's customers, partners and threat intelligence enthusiasts, are cordially invited to attend RFUN 2017. Improve your analysis, stay ahead of the cyber attacks by learning about the latest threat intelligence techniques and best practices, and say hello to us. The CyberWire will be there and podcasting from the floor on the 5th.

Dave Bittner: [00:01:36:11] If you are a threat intelligence enthusiast and, really, who among us isn't, register now at And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:55:24] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire Summary for Monday, September 25th, 2017.

Dave Bittner: [00:02:06:11] This morning the Guardian broke the story that Deloitte had been hacked. Deloitte is both a Big Four accounting firm and, like its peers, a leading provider of cybersecurity consulting services. The firm was compromised through an admin account in October or November last year, and discovered the breach in March 2017. Investigation is ongoing, but Deloitte is being tight-lipped, saying only that "few" clients' information, including emails, was exposed. Six clients are said to have been notified so far that they may have been impacted by the breach. When they were notified is not clear. It appears that Deloitte's Microsoft Azure account was compromised. Azure is Microsoft's cloud service, similar in function to its competitors Amazon Web Services or Google Cloud. The admin account through which the hackers gained their entrée to the cloud account appears to have been secured only by a simple password, and not with any form of multifactor authentication. Exactly how the hackers achieved access is not publicly known.

Dave Bittner: [00:03:10:04] The incident is said to affect mainly customers in the US. The information exposed to compromise includes emails, including client emails, and possibly usernames and passwords, IP addresses, and business and health information. Some of the content at risk is thought to include sensitive security and design information. Some observers believed something was up when Deloitte retained Washington law firm Hogan Lovells at the end of April in connection with some unspecified cybersecurity matter. That matter now appears to have been this breach of Deloitte's Azure account. This is another breach at a high-profile enterprise: Equifax, the Securities and Exchange Commission, and now Deloitte.

Dave Bittner: [00:03:53:05] In another unfortunate trend, an Amazon Web Services S3 bucket has again been found exposed to public access. This one involves a fumble at Verizon, where the US telecom giant left server configurations and other sensitive information hanging out on the Internet. The exposure was found by security researchers at the firm Kromtech. The compromised material appears to involve, for the most part, internal Verizon Wireless systems, specifically Distributed Vision Services (DVS), which is a middleware system that exchanges data from Verizon's back-end to the front-end apps Verizon staff use in stores and call centers. Kromtech and UpGuard are the two security firms who appear to be dining out on their assembly-line discovery of exposed cloud services. It's unfortunate they have so much raw material to work with.

Dave Bittner: [00:04:45:14] More cyber extortion waves continue. One of the more notable is a large spam campaign distributing the venerable Locky ransomware. Another is more of a protection racket. The crooks of the Phantom Squad group are shaking down companies with the threat of denial-of-service attacks if they don't pay up. DDoS prevention shop Cloudflare says it's about to launch a new service that will make distributed denial-of-service something you only read about in history books. Good luck to them; we hope they're as good as their word, and will watch developments with interest.

Dave Bittner: [00:05:18:16] As observers goggle with continued astonishment at Equifax's handling of its breach, some look to Belgium for an alternative model of credit reporting that presumably handles consumer data in a more consumer-friendly fashion.

Dave Bittner: [00:05:33:07] International tensions over Iran and North Korean missiles and nuclear programs prompt concerns about coming waves of cyberattacks from the two countries. In the case of Iran, US skepticism about that country's compliance with a nuclear arms control agreement is seen as affording Tehran an opportunity to undertake a fresh campaign of cyberattacks. It's either pretext or provocation, depending on whether you view the matter from Washington or Tehran. Iran has shown some capability in both espionage and sabotage, and its abilities in both areas are generally held to be on the rise.

Dave Bittner: [00:06:09:22] In the case of North Korea, the tensions that are believed likely to find expression in cyberattacks are being increased by Pyongyang's recent round of long-range missile and high-yield nuclear weapons tests. The weapons the DPRK has been testing are thought to be either full-blown thermonuclear devices, or, at the lower but still very dangerous end, boosted implosion weapons. There's been little in the way of diplomacy in evidence from either Pyongyang or Washington. Recent North Korean cyber activity has, for the most part, concentrated on theft, either in the form of raids on cryptocurrency wallets and bank accounts, or in the form of aggressive and illicit Bitcoin mining on other people's servers.

Dave Bittner: [00:06:51:22] Avast thinks the backdoor insinuated into its CCleaner security software was probably put there by Chinese intelligence services. Kaspersky and other companies looking into the incident attribute the hack to APT17, the threat group also known as DeputyDog, a departure from the customary naming of Chinese threat groups after pandas. Kaspersky also sees a tie to the cyberespionage group Axiom. Novetta regards Axiom as an umbrella organization engaged in coordinating espionage on behalf of the Chinese government. The backdoor in CCleaner appeared designed for use against major Western tech companies, and this too is consistent with Chinese intelligence services' longstanding interest in intellectual property and industrial espionage.

Dave Bittner: [00:07:40:09] ESET's look at the spread of FinFisher spyware has concluded that major Internet service providers in affected countries were complicit in spreading the lawful intercept product into targeted devices. ESET declines to name the countries where they observed this campaign, citing concerns for the safety of people in those countries as grounds for its reticence. FinFisher has seen considerable use by relatively repressive regimes.

Dave Bittner: [00:08:08:06] And finally, in the latest high-profile conviction of a prominent politician on charges related to online misbehavior, disgraced New York Congressman Anthony Weiner has been sentenced to what the New York Post trumpets as "hard time." It's not good for the former Representative. He got 21 months in prison this morning, but it's not exactly hard time, either. He'll be serving his sentence, in all probability, at a minimum security Federal institution, where he won't exactly be breaking rocks in the hot sun or working on the chain gang, but it's a swift and deep fall nonetheless. Weiner apparently had hoped to escape jail time, even after his conviction for engaging in suggestive chats online with underage girls. Hope springs eternal, evidently. After his departure from Congress and public apology, Mr. Weiner sought political redemption in a run for Mayor of New York. His campaign, never a front-running one in the Democratic primary, cratered when it came to light that he was still misbehaving under his old nom d'amour "Carlos Danger."

Dave Bittner: [00:09:15:15] Time for a message from our sponsors at E8. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzz-words. Well, no thinking person believes in panaceas but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is and machines are great at that kind of base-lining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present-day payoff in terms of security.

Dave Bittner: [00:10:00:11] When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:18:18] And I'm pleased to be joined, once again, by Chris Poulin. He's a principal at Booz Allen Hamilton Strategic Innovations Group. He heads up their Internet Of Things security team over at Booz Allen. Chris, welcome back to the show. We wanted to talk today about connected automobiles. Let's just start with some basic things. If I head out today and I buy myself a brand new car, what sort of vulnerabilities do I need to worry about?

Chris Poulin: [00:10:41:09] Well, it's kind of interesting because, right now, there haven't been any publicized attacks on vehicles and the reality is that there are all kinds of ways that cars could be attacked. You know, some of it is because of the complexity of the software and firmware in the vehicles right now. In fact they say that there are approximately 100,000 lines of code that run a modern luxury automobile and I believe Ford said, in their F150, that they have 150 million lines of code, because now those pickup trucks are effectively offices on wheels.

Dave Bittner: [00:11:14:15] Wow.

Chris Poulin: [00:11:15:00] I don't know how you quantify how vulnerable a vehicle is, because that's a general thing. But in terms of the different types of vulnerabilities that we get concerned about, obviously if somebody can hack in through the telematics unit which keeps the car connected back to the auto maker and then jump from the in-vehicle infotainment system (the area in the car where you're tuning the radio and setting the seats) over to the CAN bus, then effectively you can control just about any aspect of a vehicle. So the brakes are all controlled electronically now, engine components are controlled electronically. Steering is also controlled electronically, by the way, for lane departure assistance and things like that.

Chris Poulin: [00:12:02:03] It's funny because the autonomous vehicles, self-driving, all the auto manufacturers are getting in on that game. There are lots of reasons why we should all be driving self-driving cars, or more correctly, that the cars should be driving themselves. But one of the things that people get scared of is that there are far more sensors in self-driving cars now and far more actuators; things that actually can take control of the car and do things. So the sensors themselves, obviously, are sampling the environment, what cars are ahead of you, what does traffic look like, what are the environmental factors, is the road wet or not, are you departing from the lanes?

Chris Poulin: [00:12:41:23] If you can trick those sensors, you can actually cause the car to react in a way that is false, at least in terms of the physical reality of what the road is presenting to the vehicle. So to some extent, you can actually be outside of the car and present it with, perhaps, a picture that you project onto its video camera or into its LIDAR sensors that makes it believe that the road curves to the left when in fact it goes straight, or that there is no car in front of you when in fact there is, so you rear-end it.

Chris Poulin: [00:13:15:20] And so that's part of it, the other one is, if you can actually break in, as I pointed out before, because everything is becoming more by-wire driving, instead of manual controls, which is a harder thing for an attacker to do, obviously, is to actually get in and take control of the car by invading the CAN bus, they can also accomplish the same thing. The thing to do is caution people. I'm not a big fan of fear, uncertainty and doubt. At least at the moment there is not a lot of motivation for an attacker to cause harm to passenger vehicles, unless you're some sort of high profile target. I think probably more to the point is that the vulnerabilities are going to be about cyber crime which is perhaps they'll find some way to put ransomware on the car and keep you from being able to start your car until you pay half a bitcoin or something like that.

Chris Poulin: [00:14:01:05] I think that's far more likely in the future so we should be worried about it, but probably not as worried about the safety aspects as we are about the potential economic impacts of nobody being able to go to work.

Dave Bittner: [00:14:12:17] Alright. Interesting stuff as always. Chris Poulin, thanks for joining us.

Dave Bittner: [00:14:18:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:14:31:16] Don't forget, I'm a regular guest on the Grumpy Old Geeks Podcast, where I take part in a segment called Security Ha. You can find the Grumpy Old Geeks Podcast wherever all the fine podcasts are listed. And another reminder, if you enjoy our show, it will help us a lot if you can leave a review and subscribe on iTunes. It really is one of the best ways to help people find the CyberWire.

Dave Bittner: [00:14:51:18] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.