The CyberWire Daily Podcast 2.7.18
Ep 531 | 2.7.18

Dutch DDoS arrest. Pyongyang is interested in cryptocurrency. So is the US SEC (in a different way). Uber explains its breach disclosure. New wrinkle in the "Microsoft" Help Desk scam.

Transcript

Dave Bittner: [00:00:01:07] Just the other day, my 11 year old son came to me and said, "Daddy, I'm having trouble seeing the blackboard in school. Do you think I could get a pair of glasses so I can see better?" And I said "Son, if enough people sign up to support the CyberWire at patreon.com/thecyberwire, maybe we can get you a pair of glasses." I'm kidding, of course. I just loaned him a pair of World War Two surplus binoculars. He's fine.

Dave Bittner: [00:00:31:08] Dutch police make an arrest in last week's financial sector DDoS case, and it's a teenager. North Korean interest in stealing cryptocurrency remains high. Adobe patches the zero-day Pyongyang had exploited against Seoul. Hardware wallets are found vulnerable to man-in-the-middle attacks. Cryptojacking trends. US regulators take a hard look at alt-coins and how they're traded. Uber says it regrets not coming clean sooner about its breach. And there are some new trends in an old help desk scam.

Dave Bittner: [00:01:05:08] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container, where the malware's rendered useless. With Comodo's patented auto containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com and we thank Comodo for sponsoring our show.

Dave Bittner: [00:02:21:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, February 7th, 2018.

Dave Bittner: [00:02:31:17] Dutch police have made an arrest in the distributed denial-of-service attack that disrupted some of the country's financial institutions last week. It's an unnamed teenager from Oosterhout who rented a booter service for unclear reasons. His alleged, and allegedly confessed, use of those booter services may explain the Russian IP addresses that ESET and others reported seeing associated with the attack traffic.

Dave Bittner: [00:02:56:03] Adobe has issued a quick fix for the Flash Player exploit that's been used in the wild against mostly South Korean targets. The attacks have been generally attributed to North Korean operators. North Korean cyber operators are also believed to be engaged in an ongoing campaign to steal cryptocurrency that continues during the run-up to the Olympic Games. South Korean authorities think it possible, and are investigating this possibility, that Pyongyang's hackers were responsible for last month's raid on the Japanese cryptocurrency exchange CoinCheck. The DPRK's interest in cryptocurrency closely trailed the dramatic run-up in prices that peaked, for a while at least, at the end of 2017.

Dave Bittner: [00:03:37:00] While they're mulling this over, alt-coin mavens should look to their wallets. Most of the big recent heists have come in the form of raids on hot wallets, that is, repositories for the cryptocurrencies that are themselves connected to and resident in the Internet. Security experts concerning themselves with Bitcoin and other blockchain-based media of exchange have accordingly recommended using hardware wallets, basically external, detachable drives that can be used to store your alt-coin. These, too, however, have their issues. The Ledger brand of hardware wallets, among the most popular on the market, have been found susceptible to man-in-the-middle attacks. There will be no patch for them, says Ledger as it responds to researchers' disclosure of the flaw. Instead, Ledger invites users of the cryptocurrency product to "verify your receive address on the device's screen by clicking on the 'monitor button'."

Dave Bittner: [00:04:29:01] The run-up in price has also driven a rising interest in cryptojacking, the practice of installing cryptocurrency-mining software in non-cooperating devices, like your Android phone. Whether in-browser or server-based, cryptojacking uses victim device resources in a mining pool that delivers coin to the master miners. The drain on resources can be sufficiently serious to noticeably degrade an enterprise's IT performance. Compromised WordPress sites seem to be growing in popularity as dispensers of cryptojacking malware.

Dave Bittner: [00:05:01:02] Cryptocurrency speculators were able to take a bit of comfort at midweek as prices of some of the more prominent alternative coins surged up to twenty percent. That's still off their peaks, and it will take some time before it's clear if this represents a return to what will prove a secular bull market, or a return to a short-term speculative bubble, or if it's all just a dead-cat bounce.

Dave Bittner: [00:05:24:10] One form speculation has taken is the initial coin offering. The US Securities and Exchange Commission or SEC, has been skeptical of ICOs, stopping a few of them as fraudulent, and objecting to others as offering, in effect, unregistered and unregulated securities. In testimony before the Senate Banking Committee yesterday, the heads of two major market regulating bodies, the SEC and the Commodity Futures Trading Commission, the CFTC, distinguished the currencies themselves from their use in ICOs and from the blockchain technology that underlies them. In brief, they think that consumers who trade in these novel currencies tend to think the markets are better regulated than in fact they are. The regulators think that trading platforms should be regulated like exchanges, and that ICOs are in fact securities and should be treated as such. They also expressed their conviction that in fact cryptocurrencies could have, and did have, real value. If the hearings are any guide, cryptocurrencies are well on their way to normalization as financial instruments.

Dave Bittner: [00:06:27:18] Security company Okta recently released the latest version of their Business at Work report, highlighting the most popular tools organizations are using to get their work done online. This year they added a section on security. Yassir Abousselham is Senior Vice President and Chief Security Officer at Okta, and he takes us through their findings.

Yassir Abousselham: [00:06:46:19] Essentially we, we see a lot of countries keep coming back in the headlines as the sources for cyber attacks, and when we looked at attack data, and here I have to stop and maybe define what attack means. In this context, we focused on both password strain attacks and brute force attacks against cloud services. So when we looked at these attacks, we found that they are coming, or at least they are originating from pretty much everywhere around the world. There is some concentration in some specific countries, specifically China has something like 48% of all of the attack traffic, followed by the US at 7.7%, and then France 4.5, and finally Russia 3.4% of all the attacks. What we also found is that 23% of all the attacks were coming from Tor Exit Nodes, which essentially tells us how important the Dark Web has become in enabling cyber attacks.

Yassir Abousselham: [00:07:49:18] What we also, I guess, have as a, as a takeaway is, and this is more of a recommendation, is that because these attacks are coming from everywhere and because we obviously have limited resources as security teams to maintain the safety of our services and users, we need to start either blocking traffic or at least, or a minimum, stepping up authentication, meaning requiring a second factor, if we were not expecting legitimate traffic to come from some of these sources. For example, a, a, a country that we're not doing business with, then maybe it is somewhat safe to require that any user, or any authentication from that country, needs to provide a second factor. If we were not expecting legitimate traffic to come from the Dark Web, then maybe we should just block it altogether.

Yassir Abousselham: [00:08:41:22] So this is kind of the first area. The second one was around the current state of passwords. We looked at the average password policy across the Okta ecosystem and we analyzed passwords that have been previously compromised and published on the Internet. And what we found is that the average password policy is something like eight characters in length, with complexity and lock out. The second thing that we found by analyzing the passwords that have been previously breached, and obviously they're, they're published on the Internet, is that when users are given the choice, they tend to converge on shorter and less complex passwords.

Yassir Abousselham: [00:09:23:02] In fact, less than four percent of the passwords that have been compromised and published, would comply with this average password policy that I just mentioned of eight characters in length and so on. What that tells us is that companies need to adopt password policies that are adequate for their environment and indeed the assets that it provides access to. But they need to enforce those policies, obviously, they should not leave the choice, when it comes to protecting critical assets, to the end user to decide whether they want to have a, a long password or a shorter complex one and so on.

Yassir Abousselham: [00:09:58:15] And the last thing, last techniques we highlighted was attackers know that, you know, most users tend to reuse the same password over and over again. So they capitalize the first letter, they add numbers at the end, they add special characters at the end as well. And so that, what that does is that it really brings down that, that entropy significantly and it really allows them to optimize the attack techniques to only focus on passwords that have the highest chance for success.

Dave Bittner: [00:10:29:24] That's Yassir Abousselham from Okta. There's much more to their Business at Work report than we had time to cover here, including multi-factor authentication and the brute forcing of passwords. You can read the complete report on their website.

Dave Bittner: [00:10:43:17] Researchers at security firm UpGuard, who've been dining out for the better part of a year on their ability to find security problems with cloud services, have found another leaky Amazon Web Services S3 bucket. This one belongs to Octoly, a Paris-based firm that connects "influencers" on Instagram, Twitter, and YouTube with companies willing to provide them with goods and services for marketing purposes. You know the sort of thing, you try the product and if you like it you'll presumably recommend it to your Friends and Followers. Some 12,000 influencers have had their data slosh out of Octoly's bucket.

Dave Bittner: [00:11:18:15] In other hearings before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber defended its controversial "bug bounty" program but the company also said it had been wrong to delay disclosure of its 2016 breach. Critics had thought what Uber characterized as a bounty looked in certain respects more like a ransom payment. The ride-sharing company's Congressional inquisitors heartily agreed with them on disclosure, saying that delaying disclosure by a year certainly "raised red flags."

Dave Bittner: [00:11:48:21] In industry news, the well-known security company Proofpoint announced that it will acquire Wombat Security for a reported $225 million. The acquisition is a significant one, and it indicates Proofpoint's intention to move into the anti-phishing and general security training market.

Dave Bittner: [00:12:06:15] Finally, there's a bit of evolution in the familiar Microsoft help desk scam, a scam we hasten to say is not the doing or responsibility of the Microsoft corporation. It's the scam in which a caller from "Microsoft help desk" tells you over the phone that they've detected malware on your Windows computer which they will remove if you "let them take control." In this new wrinkle, reported by researchers at security firm Malwarebytes, the hoods afflict Chrome by abusing an API. It's window.navigator.msSaveOrOpenBlob, to lock a page by repeatedly forcing the browser to save it to disk. The hack then displays a dialog box telling you, the victim, that your machine has been blocked by their ISP, and that to recover you should call "Microsoft Help Desk" and help them help you. What follows is easy to imagine. So don't call. Just kill the unresponsive page and get on with life. For now this only affects Chrome, but similar infestations in other browsers are unlikely to be far behind.

Dave Bittner: [00:13:11:17] And now a few words about our sponsor DataTribe, the successful and growing cybersecurity startup studio. They're doing something different to bring onboard some of the freshest talent to the sector. They're launching the DataTribe cyber competition. A competition to identify high technology startups who've got a vision to disrupt cybersecurity and data science. The three finalists will split $20,000 in prize money, but that's just the beginning. Finalists will be considered by DataTribe for up to two million dollars in seed funding. Startups with less than 1.2 million dollars in seed financing are eligible to apply, and contestants have until March 23rd to apply at datatribe.com/go/cybercompetition. And if you've got questions, DataTribe has answers. Email inquiries to contest@datatribe.com. Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos, which recently made headlines over CrashOverride and Trisis. So check it out. It's datatribe.com/go/cybercompetition. And we thank DataTribe for sponsoring our show.

Dave Bittner: [00:14:24:00] And joining me once again is Justin Harvey, he's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, we talk a lot about ransomware, and there's a little bit of controversy as to whether or not you should pay the ransom. Law enforcement generally says don't pay. What's your take on this?

Justin Harvey: [00:14:41:06] Let's just look at the numbers here. There is a report that came out just recently that the record growth of ransomware in 2017 could hit two billion dollars. Now, I mean that sounds really high to me, but even if it's ten percent of that, let's just say it's 200 million, it's still a, a pretty bad problem. And many organizations out there are, are suffering from this, and I used to be of a different camp. I have to admit, I was actually in the camp of saying, well let's pay where it makes sense, and we should explore it and all these companies should have Bitcoin on hand, ready to pay in case something happens.

Justin Harvey: [00:15:22:21] I've actually reversed the position. I'm actually more in the camp of not paying the ransom for a few reasons. So there is an exception to this rule, which I'll get to. But I would say the, the 80% rule, 80% of organizations should not pay. So for a few reasons, number one is, you never know who you're paying the ransom to. You could be transmitting monies to a criminal enterprise. You could be transmitting money to a nation state, or even a terrorist group. So it's really important to discern, or in this case, not pay because you don't know who the money is going to. You could be funding a terrorist organization.

Dave Bittner: [00:16:01:23] I see.

Justin Harvey: [00:16:02:15] And the second reason here would be in many instances, a company that pays the ransom does not get its files back. So there's no assurance that you have that A, you're going to get the decryption key, or in the cases that your data's being held hostage and being threatened to be leaked, that the, the data won't already be leaked after you pay that money. So, finally, for the third case here, as we've seen with some recent news within the last couple of months, there could be a public and, or consumer and, or a stockholder backlash of paying the ransom. If you're paying the ransom, it could be seen as misuse of corporate funds or, in some cases even breaking regulatory or laws. So therefore, you should tread with caution.

Justin Harvey: [00:16:49:05] Now, I did mention, Dave, that there's an exception to the rule, and I think that, I, I think that for critical infrastructure, for healthcare, hospitals, air traffic control, airlines, things where human lives are at stake. If, if there's a condition where there is a chance to get back the data or restore services, I could see that as making the case to, to pay. But again, it's a, it's a very slippery slope by get it going through and paying the ransom, because there's no guarantee A, you're going to get the result you want, or even B, if it reaches the public's ears, there's no guarantee that someone else isn't going to shake you down for the same condition.

Dave Bittner: [00:17:27:19] And so I guess the lesson here is that you really need to plan ahead so that should you get hit with ransomware, you've got backups in place and you can transition to them as quickly and painlessly as possible.

Justin Harvey: [00:17:38:22] Exactly. A strong incident response program, strong end point detection and response capabilities, including monitoring, using least privilege necessary on your, on your end point. So I, I see many companies taking an easy ride out and giving everyone domain or administrative access to their end points. There are ways to get around that, and there are ways to, to better secure those endpoints. And finally, keeping all of your end points and applications up to date, and choosing a backup solution, that's not tied to your network, something cloud based, or something offline based, so that if you, if and when you are hit, you can easily recover without the ransomware encrypting your backups as well.

Dave Bittner: [00:18:26:01] Good advice. Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:28:16] Thank you.

Dave Bittner: [00:18:31:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:18:53:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.