The CyberWire Daily Podcast 1.29.18
Ep 524 | 1.29.18

Coincheck cryptocurrency heist. ICO phishing. Jackpotting comes to America. Dridex and FriedEx. Transduction attack threat to IoT sensors. Jihadist steganography. Oversharing with Strava?

Transcript

Dave Bittner: [00:00:00:15] Thanks again to all of our Patreon supporters, you can find out how you can become a supporter at patreon.com/thecyberwire.

Dave Bittner: [00:00:11:03] Hackers loot the cryptocurrency exchange Coincheck to the tune of about $530 million. Experty's ICO speculators get phished by crooks. Jackpotting hits American ATMs. The Dridex banking Trojan apparently has a ransomware sibling: FriedEx. Transduction attacks could hit IoT sensors. Steganographic app "Muslim Crypt" is designed for jihadist communication. North Korea tells Britain to mind its own business about WannaCry and the Strava fitness app reveals locations of user activity.

Dave Bittner: [00:00:48:15] Now I'd like to share some words about our sponsor, Cylance, you know you've got to keep your systems patched, right? Patching is vital and WannaCry which hit systems that hadn't been patched against a known vulnerability, well, that's Exhibit A. But you also know that patching is always easier said than done, Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern endpoint protection. Think about protecting the end points from the threats you never see coming. Cylance endpoint security solutions will do exactly that. Bend the bad stuff off and do your patching quickly, but systematically, it's artificial intelligence and it's a natural for security. Check out the Cylance blog, Another Day, Another Patch, at Cylance dot com. And we thank Cylance for sponsoring the CyberWire, that's Cylance dot com for cyber security that predicts, prevents and protects.

Dave Bittner: [00:01:48:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, January 29th, 2018.

Dave Bittner: [00:01:58:10] The Japanese cryptocurrency exchange Coincheck has reported the loss of some $530 million in NEM tokens to cybercriminals. This passes the record formerly held by Mt. Gox, the now defunct crypto exchange done in by a $450 million heist. Coincheck announced Friday that it had suspended NEM deposits, then shortly thereafter stopped NEM trading. Over the weekend all payments on the Coincheck platform were halted. The theft appears confined to NEM (also known as Nemu). Early suggestions that transfer of Ripple currency were fraudulent appear to have been premature and unfounded. The story continues to develop.

Dave Bittner: [00:02:40:20] It's not known how the exchange was looted or whodunnit, but there are reports that say the currency taken had been stored in an Internet-connected hot wallet. Coincheck has said it intends to reimburse users who lost funds in this attack, they plan to repay about $400 million but how they'll get the funds to do so remains unclear. Japanese authorities are investigating the theft.

Dave Bittner: [00:03:05:00] There's been another noteworthy cryptocurrency hack, this one of an ICO. The ICO was for Experty, a startup that bills itself as "the first Ethereum powered voice and video application which allows users to monetize their time, knowledge, and expertise on a global scale." Sales handled by Bitcoin Suisse. A bogus pre-ICO announcement purporting to be from Experty phished unwary speculators into transferring more than $150,000 in Ethereum to the crooks' wallets. Experty says it's addressed security issues surrounding the phishing expedition and that it will be offering some compensation to investors inconvenienced by the incident.

Dave Bittner: [00:03:46:17] Jackpotting has arrived in the US. Hitherto seen most often in Eastern Europe and East Asia, the hacking of ATMs to get them to spill cash to a waiting mule has now appeared in the US. The Secret Service is working with banks and ATM vendors to contain the problem. Hackers get access to the ATMs by posing as maintenance workers and connecting to the device with an endoscope. Once they've synched, they can remotely induce the machine to dump cash into the waiting arms of a money mule.

Dave Bittner: [00:04:17:03] Bratislava-based security firm ESET reports that the authors of the familiar banking Trojan Dridex have branched out into ransomware. They're responsible, the researchers say, for the ransomware strain known as either BitPaymer or FriedEx. Not only do Dridex and FriedEx share code, but there are several instances of the malware strains having the same date of compilation. FriedEx was discovered last year and usually infects its targets by a brute-force remote desktop protocol attack.

Dave Bittner: [00:04:48:02] Research indicates that widely used electronic sensors are susceptible to transduction attacks, which suggests a greatly expanded Internet-of-things attack surface. A transduction attacks, as a report from researchers at the University of Michigan and Zhejiang University explains, "exploits a vulnerability in the physics of a sensor to manipulate its output or induce intentional errors." They call for greater attention to embedded security, particularly at the border of the analogue and digital world sensors occupy.

Dave Bittner: [00:05:21:21] In news that will doubtless figure in future cryptowar salvoes, a new secure communications app, "Muslim Crypt," is out, and designed specifically for the jihadi market. It takes a steganographic approach, hiding messages in a photographic image. Photos have a lot of noise, and in this case the message masquerades as just that.

Dave Bittner: [00:05:43:07] Pyongyang tells London to mind its own business about WannaCry, which Pyongyang says it didn't do in the first place, and while you're at it, London, stop copying Washington. So there. There are the usual threats of massive righteous cyber retaliation, and so on.

Dave Bittner: [00:06:02:01] Fitness app Strava has published some attractive heat maps showing the exercise patterns of its users. The data is "aggregated and anonymized," as Strava points out, but critics point out that the patterns on the map effectively reveal the locations of "secret army bases," as the Guardian puts it. Strava says military users should just opt out of the reporting. If they've revealed themselves or their favorite jogging paths to the world, that's on them, and not on Strava. It's worth noting that critics know the patterns correspond to bases because they already know where those bases are, and the secrecy of some of the locations people are mentioning, like Groom Lake, Nevada, is pretty attenuated anyway. To be sure, you'd have to be pretty highly cleared to actually visit Area 51, but a Strava heat map isn't exactly revealing this particular high desert location to the wide world.

Dave Bittner: [00:06:53:11] So, to take one of the examples being cited, you can tell that someone's riding a bicycle alongside a runway. So what? It's well-known to listeners of various radio shows that are broadcast all night long from the middle of Pahrumpistan, that it's long been a staple in the UFO logical lore that circulates throughout the American Paphlagonia that Area 51 is where captured flying saucers are test-flown. And wouldn't you want the civil servants reverse-engineering Grey technology to stay fit and trim? Don’t believe us that this is going on at Area 51? Take your heads out of the sand, sheeple. Just watch Independence Day again. Hollywood knows, man.

Dave Bittner: [00:07:34:19] Here's a question, however: why would you want this kind of heat map anyway? Is it pure marketing, like the many cyberattack heat maps we've long enjoyed as a kind of eye candy? Oh, that alien technology we were mentioning? We're joking, just having a little fun. If the Public Affairs Office at Nellis Air Force Base, or China Lake, or Fort Irwin, or Twentynine Palms are listening, we're, kidding, right? We don't want a visit from the Men in Black. Not to mention a hovering Black Helicopter would make it tough to record with good audio. But seriously, the concern that more temporary sensitive locations in active theaters of operation might be revealed is more troubling, although how usable such intelligence might be remains an open question. And the case shows what information can be developed even from aggregated and anonymized data. No doubt a lot of soldiers, sailors, airmen, and marines are receiving a good OPSEC talking to this week. And that's a Good Thing, to be sure. So by all means, troops, opt out, stay safe, and good hunting.

Dave Bittner: [00:08:48:15] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to business today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze the computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? You can test drive ObserveIT, no installation required at observeit dot com, slash cyberwire. That's observeit dot com, slash cyberwire and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:56:13] And joining me once again is Zulfikar Ramzan, he is the Chief Technology Officer at RSA, they're a Dell Technologies business. Zulfikar, welcome back, you know, obviously hot and heavy in the news these days are Spectre and Meltdown, but you want to make the point, make sure that we're thinking about these threats correctly.

Zulfikar Ramzan: [00:10:14:11] That's right, you know, I think there's been this trend in the last few years of these mega vulnerabilities, obviously ones like Heartbleed, more recently Spectre and Meltdown, and so on and so forth and I think that what's interesting to me is that when you think about vulnerabilities today, we've been dealing and talking about some of the same issues now for 20 plus years. Most of the major breaches that occur have happened because of somebody exploiting a known vulnerability. And so the point that I really want to make is if you're a security practitioner, thinking about how to secure and safeguard your organization, I think it's important to take a much more risk centric, maybe business centric view if you will, around thinking about vulnerabilities and here's what I mean by that.

Zulfikar Ramzan: [00:10:52:07] The reality is that not every vulnerability is created equal. Some vulnerabilities will be easy to exploit, some may already have exploit code available on the wild. Some vulnerabilities may have a significant impact to your business, if they're exploited. For example, there may be a vulnerability on a critical production server or on a piece of hardware that contains critical and sensitive data about maybe your customers etc., and I think what people have to do is, when they think about vulnerabilities, it's not so much the, let's jump on what the latest vulnerability is and try to fix it, take a step back and try to figure out the impact of that vulnerability to your business, the likelihood that that vulnerability will be exploited. And then take those pieces of information and engage with the business stakeholder or the infrastructure stakeholder to help alleviate the vulnerability. Too often today, security professionals will shout out that, "Hey, we have to fix these vulnerabilities," on the flip side, the reality is that very few security professionals have the authority to fix the vulnerability. They may have the responsibility of identifying it, but it could be on the infrastructure underneath and being able to have that conversation I think is what's missing today.

Dave Bittner: [00:11:54:06] Yes and I can't help wondering, you know, when news of something like this breaks, something that is as big a news as Spectre and Meltdown have been, you know, something sort of foundational, the way that they've been, I think it's easy for people to get caught up in the unknowns that the news is coming quickly and they're not sure. They've got people from their organization saying, how concerned should we be about this? And they want answers and not all the answers are there.

Zulfikar Ramzan: [00:12:17:23] That's right, I think these are also developing over time as people understand the full implications of these threats. In Spectre and Meltdown, obviously very deep vulnerabilities really affecting the lowest level of systems, very widespread. But on the flip side, I would submit to you that most people who were jumping on the Spectre and Meltdown bandwagon were focused 100 percent on those issues, might have been ignoring existing issues on their networks that have been around for some time, that would have a more pressing impact to their business. And so I think the key is, not to ignore what the latest vulnerabilities are, but don't over rotate to the point that you completely ignore all the fundamentals that may be more relevant to your business and to your networks today.

Dave Bittner: [00:12:53:14] Zulfikar Ramzan, thanks for joining us.

Zulfikar Ramzan: [00:12:55:23] My pleasure.

Dave Bittner: [00:12:59:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Cylance dot com. And thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit e8security.com, to learn more. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast, which I also host, the subject there is threat intelligence and every week we talk to interesting people about timely cyber security topics. That's at recordedfurture.com/podcast.

Dave Bittner: [00:13:49:21] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.