The CyberWire Daily Podcast 9.28.17
Ep 444 | 9.28.17

Deloitte and Equifax under the microscope. Congress grills the SEC. Credential theft trends.

Transcript

Dave Bittner: [00:00:00:00] A big thank you to all of our Patreon supporters. We've got lots of people signing up every day, the next person could be you. Go to patreon.com/thecyberwire and find out more.

Dave Bittner: [00:00:14:10] Deloitte and Equifax continue to find themselves under scrutiny, but we should all resist the urge to chase ambulances. The SEC commissioner gets a grilling from Congress, and we can't help wonder if his Spidey sense was tingling. Chances are your credentials aren't as secure as you'd like them to be. And Pyongyang is perched on a pile of coal.

Dave Bittner: [00:00:39:16] It's time to take a moment to tell you about our sponsor Recorded Future, so attention threat intelligence enthusiasts. The first week in October, consider heading to Washington DC and joining Recorded Future and the rest of your community for RFUN 2017. It's this October 4th and 5th. Share experiences, insights and best practices, learn from exclusive presentations by threat intelligence thought leaders, and you can be the first to know. Get a sneak peek of new Recorded Future product features and the company's development road map. Meet others like you, people who understand that cybersecurity depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence powered by Machine Learning. RFUN is the place to be if you're a threat intelligence enthusiast. If you attend, say hello to us. The CyberWire will be podcasting from the floor on the 5th. Register now at recordedfuture.com/RFUN. That's R-F-U-N. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, September 28th, 2017.

Dave Bittner: [00:02:01:09] Deloitte continues to deal with the consequences of its recently disclosed breach. Many of those consequences are foreseeable piling on, as lawyers see, with some justification, regulatory gaps exposed by the incident, and as security researchers put the big four consultancy under the microscope and find all sorts of places where the company hasn't followed its own advice. Those include proxy login credentials out on Google+ (they've all been taken down now), VPN credentials on GitHub, thousands of hosts exposed on the Internet, as seen on Shodan searches, and so forth. Such results are practically inevitable for an organization as big as Deloitte, which may or may not be comforting. There's no further word on whether the breach is more damaging than Deloitte's initial minimalistic characterization makes it out to be, but the company and similar organizations are sure to receive a great deal of scrutiny in the coming weeks.

Dave Bittner: [00:02:56:07] Turning to the other two high-profile breaches, the Equifax incident produces fresh waves of hand-wringing and learned helplessness over the use of Social Security account numbers as elements of identity management approaches. Those old enough to remember getting their first Social Security card may also remember the advice prominently printed on the card, "not intended for purposes of identification." So, it seems the New Dealers who set the Social Security system up under President Roosevelt may have seen something like this coming back in the 1930s, and we forgot their sound advice somewhere circa 1995. As Chesterton said in advice to reformers, if you come across a fence whose purpose you don't understand, wait until you know that purpose before you decide to tear the fence down.

Dave Bittner: [00:03:44:18] The biggest lesson emerging from Equifax is the importance of sound incident response preparation, especially with respect to disclosure and public communication. Federal News Radio offered some good advice on this. "First, go public with breaches as soon as you can, otherwise it looks like you're covering up. Crappy cyber practices eventually come to light anyhow; you don't need a 5,000-a-day crisis management expert to tell you that. Second, realize that bad cybersecurity is as inimical to your job as crashing the mission."

Dave Bittner: [00:04:18:01] The Equifax mess has apparently also prompted what Palo Alto Networks deplores as ambulance chasing.

Dave Bittner: [00:04:24:11] Palo Alto's CEO, Mark McLaughlin, explained to Jim Cramer on Mad Money that ambulance chasing means approaching a hacking victim and telling them that you've got the solution that would have kept them out of trouble, if only they'd been smart enough to hire you.

Dave Bittner: [00:04:39:07] McLaughlin said, "What happens when you have major breaches like this, first thing is we don't chase the ambulance. Nobody in companies appreciates that, so if your security company is dialing in the next day saying, 'First of all, I could definitely have stopped that for you,' or something along those lines, you're going to be ignored. After the fire is out and you're thinking about the architectural design for the future, that's where we get to come into play."

Dave Bittner: [00:05:06:00] And that's probably advice worth considering for anyone in the security sector.

Dave Bittner: [00:05:11:00] For better or worse, passwords are still fairly ubiquitous when it comes to online credentials. How you choose them and how you store them can make all the difference in the world, especially with large databases of breached passwords, readily available on the dark web. Trip Nine oversees the threat intelligence programs division at Comodo, and he shares some of the credential compromise trends they have been seeing.

Trip Nine: [00:05:34:02] Everyone is familiar with a lot of the big breaches, LinkedIn, Dropbox, Adobe. However, what a lot of people aren't familiar with is how hackers are using, let's say LinkedIn, for example, in 2017. We're seeing most of those hashes cracked since they were unsalted, MD5 hashes, and it's very easy to uncover the plain text passwords, and also search for particular employees in an organization. So that third party we're seeing do a lot of damage. It's kind of a weird side door that hackers are using to get into organizations.

Dave Bittner: [00:06:08:05] Take us through exactly how does that work?

Trip Nine: [00:06:09:10] Okay. So, what a hacker would be able to easily get a hold of is 170 million LinkedIn records on the torrent network. They would just query for particular domains, for example company A, B, C, and then from that they get the MD5 hash associated with that email address, and they would just take that over to a cracking site like hashkiller.co.uk, enter it in, and near 100% of the time that hash would be cracked, and they'll find the actual plain text password for that employee, and then they can use that to brute force attack the organization.

Trip Nine: [00:06:49:16] The way that most people deal with their passwords is they'll use the same phrase over and over again, maybe modify one or two characters, but it becomes very easy to reverse engineer and figure out what the present day password is.

Dave Bittner: [00:07:04:09] One of the things that you study is password psychology. That's something that's interesting to me. How do people go about choosing their passwords, and what are some of the common mistakes they make?

Trip Nine: [00:07:16:09] Well, most people in my own research only use two or three variations of the same word over and over again, for years. And what they'll do is, when they're forced to change their password they will just, if they have a numeric character in their password, they'll just go up one digit. And what that tells a hacker is for a third party data breach that might have happened a year or two back, they know that they can just count down in digits to try to brute force into a particular application.

Dave Bittner: [00:07:48:03] What are some of the other techniques that you see in common use?

Trip Nine: [00:07:51:06] Just switching to direct attacks, in contrast to third party attacks, we're seeing a particular piece of malware called the Pony Exploit, which has been around for a few years, but we're seeing it become more and more advanced. It's very well-engineered, through botnet attacks. We're seeing it just wreak havoc on enterprise organizations. In fact, any US enterprise organization over a thousand employees, we usually find stolen records from Pony Exploits, well, near 100% of the time. That could be their customers, that could be their vendors, their partners, or their internal employees.

Dave Bittner: [00:08:31:19] How do people find themselves infected with this?

Trip Nine: [00:08:35:04] We're seeing a lot of companies that we talk with, they had no idea that their director of HR, it was a phishing attack on them, but the malware itself, it's not like ransomware where you got the skull and crossbones that come up and demand money. These silently just go in and they take copies of actual credentials that are stored inside of the browser, then they exfiltrate it. Sometimes the code had an auto-delete functionality built into it, so it leaves without a trace. Some of it is advanced enough to really evade more legacy endpoint detection.

Dave Bittner: [00:09:09:05] What is your advice for folks to protect themselves against these kinds of things?

Trip Nine: [00:09:14:01] First piece of advice would be not to store your passwords inside of Google Chrome, at least right now, or Internet Explorer, or Firefox. Most browser-based password managers are very vulnerable. I would recommend LastPass, or another password manager, that has more security. And, also, these particular types of exploits, they don't know how to look into those files of those third party password managers; there's no localized copies of the password stored onto the machine. Be very careful about what passwords you store inside of a browser.

Dave Bittner: [00:09:49:14] That's Trip Nine from Comodo.

Dave Bittner: [00:09:53:19] Turning to the Securities and Exchange Commission, the US Senate has been hearing from, and, more importantly, talking to, the Commissioner this week. They've given him a grilling over the EDGAR breach the SEC recently disclosed, but the Senators have also been giving them some direction. The Upper Chamber is uneasy about the SEC's coming regulatory regime, the Consolidated Audit Trail National Markets System, CAT NMS. This system is designed to enable auditors to track "all trading activity in the U.S. equity and options market." It will encompass the exchanges, other Federal regulatory agencies, and industry bodies, as well. And it appears to turn the financial sector into a panopticon for all of its participants, from Wall Street to Main Street. As Senator Mike Crapo, a Republican from Idaho, pointed out to the SEC Commissioner, that's great power and great responsibility, so they'd better get it right. You don't have to be J. Jonah Jameson to think that the EDGAR breach suggests the SEC won't do as well as Peter Parker.

Dave Bittner: [00:10:56:14] The breach of Sonic remains under investigation. Sonic, of course, is the chain of drive-ins headquartered in Oklahoma that has almost 3,600 locations in North America. It appears that the incident might be linked to the roughly five million paycards that just turned up in the Joker's Stash, a dark web market run by and for carders. Fast food restaurants handle a lot of paycards, which makes them attractive targets. Since last year Chipotle, Wendy's, and Arby's have all been hit.

Dave Bittner: [00:11:26:06] North Korea's got a lot of coal it can't sell. Coal has been the DPRK's principal export for some time; we hear that they're sitting on $9.7 trillion worth of the stuff, that's trillion with a T. Anyone who's got anything worth stealing online should look to their defenses. Pyongyang's especially interested in cryptocurrency wallets these days, and those nuclear and ballistic missile programs aren't going to pay for themselves.

Dave Bittner: [00:11:57:05] As our sponsors at E8 security can tell you, there's no topic more talked about in the security space than Artificial Intelligence, unless, maybe, it's Machine Learning. But it's not always easy to know what these could mean for you. Go to e8security.com/cyberwire and see what AI and Machine Learning can do for your organization's security. In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and Machine Learning are the technologies that can help you do it. So visit e8security.com/cyberwire and see how they can help address your security challenges today. That's e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:12:56:00] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, good to have you back. You wanted to talk today about some patterns that you have noticed, and wondering if maybe we're in a lull before a storm. What do you want to share with us here?

Dale Drew: [00:13:12:16] My goal is not to carry the sign that says, "this is the end of the world." However, there was a study just released by CNN that says that 4% of surveyed Americans were worried about the eclipse. So, I want to be careful in the language I choose, not to alarm anybody. I think our concern is from a trend perspective, if you look at some of these massive global cybersecurity events that have occurred. About five years ago, we would have a massive security event once every four to five years.

Dave Bittner: [00:13:51:08] How would you define massive?

Dale Drew: [00:13:53:16] What I would say is something that impacts probably more than three to four countries at a time. From an Internet service provider perspective, our issues were when there was a major defect with a routing provider. For companies, it was if there was a major defect that affected all versions of Windows, or all versions of Unix, and they were all publicly exposed. You knew what every security organization was doing, because everyone had to group together to figure out how to block and tackle, and then patch and prevent during those times. We'd see those every four to five years.

Dale Drew: [00:14:33:11] About three years ago, we saw a trend where that was happening roughly every 18 months. Bad guys were being more diligent in researching really, really old code. And the nation states do it, because the nation states want to find exposures that have the most access across the Internet infrastructure, or the corporate infrastructure. Bad guys are learning from those techniques and they're also researching really, really old Internet code and really, really old operating system code to find a way to have as much accessible infrastructure as they possibly can, either for infrastructure capability - I want to build a huge botnet; access to data - the more systems I have the more PII and confidential information I can find; or for extortion. We've seen a huge surge with WannaCry and Petya of spam ransomware. I'm going to encrypt 600,000 machines at once and then ask for $300. And if I get 10% of the people respond, that's better than a targeted attack against a few corporations.

Dale Drew: [00:15:39:02] Our biggest fear is, in the first half of 2017 we've already had two major global security events that have impacted, in one case, hundreds of thousands of victims, the other case, tens of thousands of victims. We're definitely seeing a shift in the professional bad guys employing more and more nation state techniques to be able to gain access to more infrastructure.

Dale Drew: [00:16:00:10] This is something from a what do you do perspective. This is something that really is going to rely on more vendors to make sure that they review their embedded code to look for those exposures the same way the bad guys are, and hopefully find it faster. And for companies, corporations and network providers to spend more diligence in protecting their infrastructure. Having a patch process, so that when an exposure does come, you know how to block access to it, patch it and prevent it. And to stay diligent on people who are trying to access that infrastructure. So, when you can't prevent, you have to monitor. Diligence, I think, is the key in the coming months and coming years.

Dave Bittner: [00:16:43:18] All right. Dale Drew, thanks for joining us.

Dave Bittner: [00:16:50:15] And that's the CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.

Dave Bittner: [00:17:02:13] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.