Satori botnet is awake (and it's not engaged in enlightenment). State-sponsored spyware campaigns. ISIS threatens cyberattacks.
Dave Bittner: [00:00:00:23] A quick reminder that there is exclusive content available to our Patreon subscribers, publications, bloopers, extended interviews and more, so check it out at patreon.com/thecyberwire. Thanks.
Dave Bittner: [00:00:15:18] Satori botnet flashes into existence with 280,000 bots. Is there a router zero-day out there? Insecure cryptocurrency apps aren't deterring speculators. How much energy does Bitcoin use? About as much as Denmark. Ethiopia's government is said to use spyware against journalists. Iran's Charming Kitty espionage group is looking at media, academics, activists, and political advisors. ISIS threatens cyber havoc this Friday. And the IOC takes a poke at Russia. Expect Fancy and Cozy Bear to poke right back.
Dave Bittner: [00:00:52:18] Now I'd like to tell you about a White Paper from our sponsor, Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding The Challenges Of Cloud Monitoring And Security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets. You can get your copy of the White Paper by visiting deltarisk.com/whitepapers-cloudmonitoring. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:01:51:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, December 6th, 2017.
Dave Bittner: [00:02:00:02] Security firm Qihoo 360 NetLab reports that a big Mirai-derived botnet, "Satori" awoke yesterday, perhaps exploiting a Huawei zero-day to herd 280,000 bots.
Dave Bittner: [00:02:12:18] Classic versions of Mirai, if we can call something a classic that's been around for less than a year and a half, used Telnet scanners to find vulnerable devices. Satori does not. Qihoo 360 NetLab says the botnet has two embedded exploits that seek to connect with devices on ports 37215 and 52869. As Bleeping Computer points out, quote, "Effectively, this makes Satori an IoT worm, being able to spread itself without the need for separate components," end quote.
Dave Bittner: [00:02:42:11] Qihoo 360 NetLab thinks the exploit that connects to port 37215 is a zero-day. They've been tracking it and have it under analysis, but they're unwilling to discuss it further, for now. CenturyLink thinks the botnet may be abusing a zero-day in Huawei Gateway Home Routers.
Dave Bittner: [00:02:59:17] There's less mystery surrounding the exploit that's hitting port 52869. That one is for a well-known and relatively old bug in some Realtek devices, CVE 2014-8361, if you're keeping score. A lot of Realtek devices have been patched for this one, which would suggest why this exploit has been the less successful of the two.
Dave Bittner: [00:03:21:22] There are some similarities between Satori and the Mirai variant that hit Argentina over the weekend, but researchers are tracking it as a distinct threat. And nothing yet, by the way, from Reaper, which has remained curiously quiet since its discovery.
Dave Bittner: [00:03:37:19] Do you over-share online? It's hard not to these days, thanks to social media, and there are specific risks to businesses that are easy to overlook. Cat Coode is the founder of Binary Tattoo, a firm that helps companies and executives evaluate and protect their online profiles, and she offers advice on calibrating just how much you share.
Cat Coode: [00:03:57:06] It's a trade-off, right, so every time you're giving away your information, because, of course, if you're not paying for the product you are the product, every time you're giving away the information, you're getting something back for it, and the currency is your information. But I think what's happening is everyone is so used to now getting things done for them, like if I'm going to download an app and it needs my contact book, well, why not, because I want the app, and then they realize they don't want the app and delete it, and they've now given away all their contact information. People don't consider that before-- do I really need this service in exchange for my information, or not? And they're just giving away the information all the time.
Cat Coode: [00:04:32:09] So, if you had to actually pay for something and you were being offered something and I came to your door and I said, "Would you like this?" You would have to consider whether or not it was the right thing for you to purchase before you spent your money on it, because you appreciate you can't get that money back again. But when it comes to online data as a currency, people don't consider that, they just keep giving it away and giving it away. And then if they don't like the product they get rid of the product, but it's too late because they've already given the data to that company.
Dave Bittner: [00:04:58:23] So when you're out and about and you're educating people on these sorts of things, are there things that come up that continue to surprise you?
Cat Coode: [00:05:05:05] The personal information always surprises me, the birthdays, the names of pets. Like, when you think of the questions that you would get asked if you lost a password, like, "What is your mother's maiden name?" that amount of information is so easily found. So one of the things I do, I joke I'm an online professional stalker, one of the things I do is I look for people online in order to tell them what their public identity looks like, so that they can go in and fix it and take away the stuff that they don't want shared. But I always find the answers to those questions, again, pets' names, the street you grew up on. People will say, "Hey, look, the house is for sale that I grew up on," and I'm like, "Great, now I can answer that question." Or things about their grandparents. I can-- "Look, my maternal grandparents," and there's their mother's maiden name. That information, you don't need to share that. You don't need to share your birthday or your children's birthdays, none of that information is required online. That is voluntarily shared information.
Dave Bittner: [00:05:59:10] Yeah, a lot of businesses are finding themselves victims of spearphishing, and you make the point that a lot of social media accounts, even if you think it may be locked down, it might not be as secure as you think.
Cat Coode: [00:06:11:00] So if-- for instance, if I were to go into a Facebook account, and you've got everything locked down, a profile photo is always public, always, and there's no way to lock down the likes on it. So, in five minutes, I can figure out who you're connected with, even if you closed your friend list off, based on that. So if your security settings are not set, I can get some personal information about you that way and if not, I can go through your friends. So what often happens is people will call a second person in the company, or they will email them, and they will have enough personal information about another member of that company that gives that second person security that this person knows what they're talking about. So I could call, for instance, an executive assistant and say, "Hey, I know Bill's on a plane to Italy right now, I'm friends of his through his daughter's school and soccer club, and you know, his wife, Brenda, and I'm just calling because we're supposed to do this business transaction, I need it to go in by four, and so I'm going to send you an email from my company, and I just need you to press this button," and then a bunch of extra information that makes it sound like I clearly know who this person is.
Dave Bittner: [00:07:17:08] Right.
Cat Coode: [00:07:17:21] Lots of companies are losing money this way, because they have this trust factor, that there's no way you could possibly know that much about someone without having actually known them.
Dave Bittner: [00:07:27:02] So, in that kind of a case, what's to be done?
Cat Coode: [00:07:28:23] A lot of it is an awareness. Part of it is the fact that Bill has probably over-shared his information online or is unaware of what he is sharing. He's put his own profile at risk by over-sharing the information. And the second thing is to go into these companies, and as part of the cybersecurity training we have a lot of amazing software products that come in and prevent regular phishing scams and all that stuff. But it is-- the human firewall is so key right now that companies need to make sure that their employees appreciate the element of human engineering that's happening and, just because someone says they know someone or seems to have a lot, that's not enough to verify who they are.
Dave Bittner: [00:08:06:14] That's Cat Coode. Her company is Binary Tattoo.
Dave Bittner: [00:08:11:22] Have you ever wondered how much energy the Bitcoin network consumes? Sure you have. We have, especially since Bitcoin and other blockchain-based technologies are being invoked all over the place, for everything from remittances to IoT security. Digiconomist has taken a look at the question, and they estimate that, annually, Bitcoin uses about as much electrical power as Denmark, which suggests to some observers that maybe the cryptocurrency isn't, as they say, sustainable. It also suggests why criminals have been willing to take the time and effort to install miners in Android devices.
Dave Bittner: [00:08:46:08] Phishing emails are becoming more persuasive, using Mailsploit for greater plausibility, and incorporating the trappings of encryption to lure in marks who'd otherwise be wary.
Dave Bittner: [00:08:57:11] Citizen Lab reports finding evidence that the government of Ethiopia is using lawful intercept software developed by Cyberbit to spy on journalists.
Dave Bittner: [00:09:08:09] As ISIS video posted online promises to deliver a major cyberattack against the US this Friday. The former Caliphate, now clearly in its diaspora phase, has shown little ability to do more than low-grade website defacements of indifferently defended targets, and they're probably feeling some pressure to demonstrate serious cyberattack capabilities. It's a threat worth watching, but so far unsupported by much evidence.
Dave Bittner: [00:09:35:00] Iranian espionage group Charming Kitten is said, by Israeli cyber firm ClearSky Cyber Security, to have embarked on a campaign targeting academics, journalists, human rights advocates and political advisers. The targets have little in common beyond an interest in Iran and a usually unsympathetic attitude toward the Islamic Republic. Charming Kitten is said to have established a bogus baited news service as a lure, "The British News Agency."
Dave Bittner: [00:10:03:09] The International Olympic Committee has banned Russia from the next Winter Olympics, for "systemic abuse of the anti-doping system." Expect Russian security services to engage in some systemic abuse of IOC networks. The Bear siblings, Cozy and Fancy, growled a lot after the last Russian Olympic doping scandal.
Dave Bittner: [00:10:24:10] As we think about threat actors in the news, we can't help but reflect on the naming customs that have emerged for them. If it's a kitten, it's got to be Iranian. If it's a bear, Russian. Panda? China. Dragons? For the most part, East Asian. But our patriotic amour proper is wounded here. Surely there are some good animal names people could come up with that would wink in the direction of the Five Eyes?
Dave Bittner: [00:10:46:21] Some seem obvious. It's hard to imagine Australia and New Zealand without kangaroos and kiwis, but if those are too obvious, how about dingos and skinks, like Dutiful Dingo or Smug Skink? It's tougher as you move on to the other three Eyes. For Canada, loons and beavers? Perhaps. The UK could go with bulldogs or maybe lions. Unicorns seem out, because of their financial connotations.
Dave Bittner: [00:11:15:06] The US is a harder case. The eagle is too obvious, so how about this? Agencies are all in states, and every state has its own patriotic bird, animal, even in Maryland, at least, where we are, an official dinosaur. Why not associate actors with the state in which the responsible agency has its headquarters? Thus, instead of a boring Fort Meade euphemism like "Equation Group," how about something snappy suggested by those Baltimore birds, the official oriole or, for the poetically minded, Edgar Allen's raven? And I suppose if you're going to woof in the general direction of Langley, then pick a Virginia theme, like the cardinal or, better yet, the foxhound. In any case, we're sure the security community would welcome some guidance on the matter, perhaps from the agencies themselves. Let us know what you think. Even generic suggestions like ferrets, foxes and squirrels are welcome.
Dave Bittner: [00:12:11:24] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cybersecurity leaders, when your CEO asks department heads for a status update, do you envy your colleagues like the VP of Sales or CFO, who only have to pull a report from a single system instead of deploying a team of people to check multiple systems and then waiting for them to report back? Do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly, and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk in terms of dollars and cents. Visit nehemiahsecurity.com to learn more and get a free customized demo just for CyberWire listeners. Visit nehemiahsecurity.com today. That's n-e-h-e-m-i-a-hsecurity.com. And we thank Nehemiah Security for sponsoring our show.
Dave Bittner: [00:13:22:02] And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, certainly with hacks like Equifax...
Joe Carrigan: [00:13:31:07] Yeah, that's great, isn't it?
Dave Bittner: [00:13:32:22] ...it's, it's great and, you know, Yahoo! just released recently that it wasn't a million-- I'm sorry, a billion, it was three billion accounts that were released.
Joe Carrigan: [00:13:45:09] That was from-- is that from the old breach?
Dave Bittner: [00:13:47:01] That's from the old breach, right.
Joe Carrigan: [00:13:48:12] Yes, so now they're upping that number again.
Dave Bittner: [00:13:50:19] But I, I have this feeling of fatigue, and sort of inevitability. I don't-- I, I just don't know where-- what to do with this. If all the information is out there, it seems like, surely, there must be information about me out there, must be information about you out there. The odds are-- I feel like we've hit this point where the odds are greater that your information is out there than it's not.
Joe Carrigan: [00:14:18:08] Right. No, that's probably 100% correct. When the Equifax breach happened, I was actually at a meeting for a project I work on called THAW, Trustworthy Health and Wellness, with some other institutions. When he heard about this, he said, "I'm just going to put my Social Security number on my website." But, you know, it's, it's just out there.
Dave Bittner: [00:14:42:02] Well, we've talked about this before, I think, offline. You know, when I was a student in college, your student ID was your Social Security number.
Joe Carrigan: [00:14:49:13] Right, and I had an ID at the first college I attended, that had my Social Security number written on it.
Dave Bittner: [00:14:54:14] Every test I took in college, I wrote down my Student ID Number, which was my Social Security number, so how many pieces of paperwork, how many-- You know, all of the things for the university to track the fact that I went to that school, it's all tied to my Social Security number. So I've heard that there are other nations who have done a better job with this, that they have adopted a digital version of a Social Security number, some sort of secure encrypted kind of thing. It seems to me like we have to be heading in that direction, but I've seen little--
Joe Carrigan: [00:15:27:09] We have to move away from Social Security numbers as the primary key on people. We need a data point, a way to identify somebody that is, is-- can be changed and can-- is revocable, that's the word I'm looking for, revocable.
Dave Bittner: [00:15:42:20] Well, I don't know if you recall, if you actually have your Social Security card, I do have my Social Security card from-- I think it was given to me when I was a child--
Joe Carrigan: [00:15:50:20] Yes, I've lost mine.
Dave Bittner: [00:15:52:01] Yes, most people probably have. But on the card it says, "This is not to be used as a form of identification."
Joe Carrigan: [00:15:56:15] Correct! Yeah, that's right.
Dave Bittner: [00:16:00:07] Yet here we are!
Joe Carrigan: [00:16:00:17] Trying to do just that.
Dave Bittner: [00:16:03:08] If only there were a group of smart people who could come up with some sort of way to replace our-- But I guess it's momentum, it's--
Joe Carrigan: [00:16:10:11] Right, oh, yeah. There is a huge momentum problem here. I don't know that anything's going to change until the pain of changing becomes less than the pain of the current state and, for most of us, you know, we're just willing to sit around and wait until something bad happens, like somebody opens an account in our name and then how bad does that hurt? If someone were to call me tomorrow and say, "Hey, your mortgage on your property in Florida's overdue," my answer would be, "Well, go ahead and foreclose. I don't have a property in Florida. I don't know what you're talking about."
Dave Bittner: [00:16:40:22] Yeah. But, but, you know, you could take the credit hit and, I don't know, I mean, perhaps, you know, someone-- If someone does a targeted attack on every single member of Congress and only every single member of Congress, maybe we'll get their attention, right?
Joe Carrigan: [00:16:53:13] You mentioned credit hits, right? So, if I get enough credit hits, right, and my credit score drops, then identity theft stops being a problem, right? Because nobody wants to open a--
Dave Bittner: [00:17:04:10] They won't be able to.
Joe Carrigan: [00:17:05:14] Right, they won't be able to open a credit card.
Dave Bittner: [00:17:06:12] You won't be creditworthy.
Joe Carrigan: [00:17:07:14] Because my credit score will be like 300 or something.
Dave Bittner: [00:17:10:01] But I think that's part of the point, though, is that if all this information is out there, through all of these services, all the things that rely on this information become sort of meaningless.
Dave Bittner: [00:17:20:19] Yes. I mean, how reliable is the information that's out there?
Dave Bittner: [00:17:24:12] Right.
Joe Carrigan: [00:17:25:16] And yeah, I can contest a lot of things on my credit report or anything that's on my credit report. I can put a document in there. There are some laws about-- That have made it a lot more difficult to open a bank account. I remember the last bank account I've opened, which was actually at a Credit Union within the past four years, I was astounded at how much documentation I had to present just to open a bank account.
Dave Bittner: [00:17:47:20] Yeah, no, that's true. I opened one for my son recently and it was a whole-- You know, electric bills and proof of residency and so on and so forth, yeah. Well, I don't think we've come up with any solutions here, but we've certainly made our complaints known.
Joe Carrigan: [00:18:01:14] No, all we do is sit here and complain, right?
Dave Bittner: [00:18:03:12] All right.
Joe Carrigan: [00:18:04:22] I'd like to come up with a solution.
Dave Bittner: [00:18:07:09] Well, you know, as with many things I think there are some good ideas being tested in other nations, which seems to be the way that it goes with many of these things.
Joe Carrigan: [00:18:17:12] No, we definitely need to start moving in this direction, that is for sure.
Dave Bittner: [00:18:20:22] It's inevitable. Alright. Well, as always, Joe, thanks for joining us.
Joe Carrigan: [00:18:23:19] It's my pleasure.
Dave Bittner: [00:18:26:20] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out cylance.com.
Dave Bittner: [00:18:39:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.