The CyberWire Daily Podcast 2.23.18
Ep 542 | 2.23.18

Mirai variant establishes proxies. Buggy smart contracts. Banking glitch. Studies from Verizon, Thales. FTC addresses credential stuffing.

Transcript

Dave Bittner: [00:00:04:01] Mirai's out in a new and improved form. Researchers find buggy smart contracts on Ethereum. A Chase glitch briefly exposed banking customers' information to other banking customers. Hacktivists continue to hit spyware companies. Verizon's Mobile Index warns that mobile security is being traded for business efficiencies. Thales looks at data security and finds that data breaches seem to have risen with cloud migration, and the FTC doesn't like credential stuffing.

Dave Bittner: [00:00:37:13] Now a moment to tell you about our sponsor, ThreatConnect. They've teamed up with DomainTools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. In order to stay ahead of malicious actors it is crucial that security teams add context and enrichment through their threat data. The combination of the ThreatConnect threat intelligence platform and DomainTools' Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:01:09:13] Watch Director of Product Integrations at DomainTools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, as they explain how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain actor and IP investigations. You can check it out today at threatconnect.com/webinar. We thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:53:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, February 23rd, 2018.

Dave Bittner: [00:02:02:21] A new variant of the Mirai Internet-of-things botnet has been seen in the wild. Fortinet reports that this version is capable of establishing proxy servers in infected IoT devices. They're calling the strain "OMG" because its configuration table includes strings that contain OOMGA.

Dave Bittner: [00:02:22:02] Why is this development significant? We heard from Gabriel Gumbs at STEALTHbits Technologies, who compared illicit proxy servers to a criminal fence - a dealer in stolen goods. Once they're set up, they can be used for any number of illicit purposes. They could be used to stage denial-of-service attacks, or they could be used to drive disinformation campaigns. The fence will handle whatever goods the hoods want to move.

Dave Bittner: [00:02:47:01] We also heard from Sean Newman, of Corero Network Security, who has some related thoughts on what OMG might be capable of. He said, "We're used to seeing Mirai variants being used to commandeer IoT devices, and once the botnet's been assembled, it can run denial-of-service attacks against a particular target. But OMG seems to be nosing out vulnerable IoT devices in an organization, and once it's found them, it puts in the proxy so that device can serve as a gateway into the organization. Once that gateway's established, attackers can exploit it against the victim organization in any number of ways: reconnaissance, data exfiltration, and so on."

Dave Bittner: [00:03:27:01] Mirai of course came to notice when it was used by some gentlemen in New Jersey to take down much of the Internet in the Eastern United States in a distributed denial-of-service attack on DNS service provider Dyn. Three young men took guilty pleas this past December in crimes related to the use of Mirai in DDoS attacks against a range of targets. Since 2016 the Mirai code has become widely available, and it's continued to evolve into new forms. Like OMG.

Dave Bittner: [00:03:57:13] University researchers in Singapore and London have determined that there are a lot of "buggy smart contracts on Ethereum." Essentially they created a private fork of the Ethereum blockchain and ran various permutations with live smart contracts. They found 34,200 contracts vulnerable to "undesired actions." They were able to verify and reproduce these "trace vulnerabilities" on some 3,000 smart contracts that hold about $6 million in ether cryptocurrency. It would be difficult for criminals to do likewise and steal the money, but the researchers note that it wouldn't be impossible. As one of the researchers noted to Motherboard, the whole business is mucky. "We're dealing with applications that have two very unpleasant traits," said University College London's Ilya Sergey. "They manage your money, and they cannot be amended."

Dave Bittner: [00:04:50:20] A "glitch" in Chase Bank's customer-facing systems is said to have presented some customers with other customers' data. The glitch persisted for about 2.5 hours Wednesday evening, but appears to have been corrected. Chase stresses that the incident was not a cyberattack. Some observers speculate to KrebsOnSecurity that there may have been caching issues at the root of the problem.

Dave Bittner: [00:05:14:00] Motherboard reports hacktivist break-ins at two surveillance software companies, Mobistealth and Spy Master Pro. Hacktivists had earlier hit FlexiSpy and Retina-X, so this particular subsector is receiving unwelcome attention. The report characterizes the two outfits as "spyware companies," selling privacy-invading "stalkerware" to private citizens who use it to keep tabs on children, spouses, and other persons of interest. Motherboard also sourly observes that a number of the customer accounts revealed in the data breaches are linked to email addresses from various US Federal agencies: DHS, TSA, ICE, FBI, and various military services, especially the US Army.

Dave Bittner: [00:05:58:21] Several reports are out on the state of security. Verizon's Mobile Index for 2018 concludes that many companies are willing to sacrifice some mobile security for business reasons. The 2018 Data Security Report from Thales notes that increased Government migration to cloud services has been accompanied by a 20% jump in data breaches. These are perhaps connected, maybe coincidental. You'll find links to both reports in today's CyberWire Daily Briefing; they're worth a look.

Dave Bittner: [00:06:29:02] And finally, the Federal Trade Commission in the US seems to be moving toward adding some regulatory risk to the reputational risk credential stuffing already poses. The FTC has obtained a consent decree from online tax prep service TaxSlayer on the grounds that TaxSlayer didn't do enough to protect its customers from themselves. Credential stuffing essentially involves a hacker trying credentials exposed in one breach against a variety of other sites. Since people unfortunately tend to reuse their passwords, criminals get hits often enough to make this worth their while. Isn't that the users' fault, you'll ask, since after all TaxSlayer didn't expose anyone's passwords?

Dave Bittner: [00:07:08:20] Well, the FTC says, no. The business should have done more, like requiring multifactor authentication, requiring strong passwords, and alerting customers promptly whenever a password, address, or security question changed. Those businesses interested in how standards of care are shaping up under the FTC's regulatory lash would do well to consult TaxSlayer's experience.

Dave Bittner: [00:07:37:16] Time for a message from our sponsors at E8 Security. They understand the difference between a buzzword and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free White Paper that explains these new but proven technologies at E8security.com/cyberwire.

Dave Bittner: [00:07:57:13] We all know that human talent is as necessary to good security as it is scarce and expensive. But machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the humans something unexpected? Cut through the glare of information overload and move from data to understanding. Check out E8security.com/cyberwire and find out more. Follow the behavior - find the threat. We thank E8 for sponsoring our show.

Dave Bittner: [00:08:46:03] I'm joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. It's been about six months or so since AlphaBay was taken down, the primary dark web marketplace. So bring us up to date, where do things stand? Have things come in to replace that vacuum there?

Emily Wilson: [00:09:05:10] Not quite. It's been an interesting six months on the dark web. AlphaBay taken down, Hansa taken down. This Fall, we saw a lot of instability around these prolonged DDoS attacks that went on for several weeks. We've lost a couple more markets in the mix. We saw a couple of smaller markets come up to prominence. It's been interesting. So the brief recap obviously, AlphaBay and Hansa taken down in June and July by international law enforcement. And then this Fall, the remaining markets, which had been scrambling a bit, kind of power not really consolidating with any one of them. None of them really came up to take AlphaBay's place. The markets were attacked consistently and unavailable except for through MirrorLinks, for probably about six weeks.

Emily Wilson: [00:09:56:11] In that we saw one market quietly close its doors, thank its customers and pay out any lost funds, and one market that went down in not at all a respectable blaze of glory. So now we have a handful of markets, not as many as we did before. We have a couple of older markets that are still stable. We have some newer ones that are coming up. We have some alternative markets, different cryptocurrencies that are being moved around. We haven't seen anything come in to fill that vacuum, we've just seen a little bit more skittishness, and people adapting to increased uncertainty, which really is what the dark web is all about.

Dave Bittner: [00:10:38:01] Is there a sense that the people are looking over their shoulders more than they did since we've had these high profile take-downs?

Emily Wilson: [00:10:50:21] In general I think people are adapting, which is what you would expect in this community. People are adapting to having to use alternative links to following vendors around different markets. I think we're just seeing more loyalty to vendors. I think we're seeing people take a little bit more responsibility for their own security. But by and large I think the immediate fear and thud has died down.

Dave Bittner: [00:11:28:15] You say you've seen some interesting trends in the fraud markets, some shifts there?

Emily Wilson: [00:11:33:21] Yes. So the fraud markets in a lot of ways operate separately, as a separate eco-system from some of the drug-focused markets. We've seen some markets there go up and go down, as markets tend to do. But also some of the markets are going to more restricted access or pay to play, and that's just interesting. I think people are trying to protect their membership a little bit more, whether it's, you need to pay to access, you need to get a referral code. I think the community as a whole is just becoming slightly more skeptical.

Dave Bittner: [00:12:04:24] Thanks for the update, Emily Wilson. Thanks for joining us.

Dave Bittner: [00:12:13:14] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news - there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99% you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve.

Dave Bittner: [00:12:45:01] Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container where the malware is rendered useless. With Comodo's patented, auto containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So, with Comodo you can say with confidence, I got 99 problems but malware isn't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. We thank Comodo for sponsoring our show.

Dave Bittner: [00:13:29:05] My guest today is Andrea Little Limbago, Chief Social Scientist at Endgame. In her recent blog post on the Endgame website, titled "The March Toward Data Localization" she outlines the lag between law and policy and technology and how nation states are taking different approaches to data security and sovereignty.

Andrea Little Limbago: [00:13:48:21] It's one of those things that isn't discussed as much in our community, obviously it's not as sexy as the latest hack or high profile cyberattack that's going on. Basically as we've seen it, there are a lot of policy and legal frameworks that have lagged behind technology and across the board in general. But I think it's especially true in information security where a lot of laws, especially in the US, are 20, 30 years old, and we just kind of keep building on top of them. The interesting thing is that that's actually starting to change. So after a couple of decades of slumber, the policy and legal frameworks are starting to wake up a bit. I think it's going to really impact cybersecurity for companies and just for individual privacy.

Andrea Little Limbago: [00:14:31:10] There's been so much talk about the GDPR, which is the General Data Protection Regulation that's coming into effect in the European Union in May. It's one of the first international regulations that's really had some businesses concerned with whether or not they have to adhere to it or not, what needs to be done to comply, those kinds of things. So when these kind of regulations actually start hitting businesses in the US, that's when there starts to be more discussion and buzz about it. The EU isn't the only one though, and that's one of the things that, for me, I tend to study more the other countries out there than the EU as much. The GDPR is just one example of this data localization, which is basically country-specific data laws for how data is processed or stored within a given territory, and they vary dramatically.

Andrea Little Limbago: [00:15:23:05] So we're starting to see this large patchwork of data localization laws across the globe. I feel like it's something that has been making the rounds, obviously in more of the legal circles, but I don't feel like it has as much information in cybersecurity. And so I want to elevate that discussion and bring it into our community because it will have a big impact. And hopefully if more folks are computing, with the technical background to provide some insights into how to shape it, so we don't turn with some of these laws we've had in the past that are counterproductive to our own defenses.

Dave Bittner: [00:15:53:07] One of the points you make is that there are two major frameworks that are gaining traction. You describe the multi-state Cold War model and cyber sovereignty. Can you describe those for us?

Andrea Little Limbago: [00:16:03:24] It's one of those things that I think that we're at an inflection point. We're looking globally at how the international system is starting to shape itself. If you think about the Cold War model, it's - just to sort of frame it as far as something people know more about. So, we had the Soviet bloc and sort of the Western bloc, and they have different ideologies and ways of looking at it and their economy, how [INAUDIBLE] information, those kinds of things.

Andrea Little Limbago: [00:16:27:19] We're seeing similar ideological divides starting to emerge. Not adherent to those same tenets, but it's sort of that bipolarity starting to emerge as well, and so the multi-state Cold War model is one that tends to be more so among European, new democratic countries, US, Australia, Japan and so forth that are advocating for more of a free, secure, open Internet. You saw the foundations for how the Internet was actually founded and emerged, sort of the more of the Utopian on how the free-flow of information can help promote societies, help economic development, help governance, provide access to all sorts of information when people previously didn't have that.

Andrea Little Limbago: [00:17:06:08] So that's on the one hand. And then within that is a big emphasis on individual freedoms, individual security and privacy. And so one thing I would say, these are sort of the overarching umbrellas and obviously each country adheres to these in different ways. So it's not just black and white but these are sort of the two big buckets. Then the other one would be cyber sovereignty and that, on the surface, ostensibly, it sounds really great. Each country should have control over data within their own borders. So it sounds very similar to the notion of sovereignty, where the governments have control of the laws and the legal frameworks, and the use of force, those kind of things, within their own borders, and so perhaps it's just elevating that to the cyber realm.

Andrea Little Limbago: [00:17:45:08] It's under the umbrella of that, but really what a lot of it is, is countries using this notion of cyber sovereignty for greater control of data. So accessing data for individuals within a country. It helps justify various forms of censorship and what does and does not make it onto the Internet. So really, if you want to just think about, it's government control of the data. So really it's much more so limiting of personal privacy and more so empowering governments to have control and access to whatever data they want within a country. And that will be more indicative of China, Russia, but it's a lot of other ones as well are starting to introduce similar laws.

Dave Bittner: [00:18:19:17] So having those two different frameworks, what are the natural tensions that are introduced between them?

Andrea Little Limbago: [00:18:26:11] That's really interesting. On the one hand, because it's somewhat evolving slowly and it's really starting to manifest itself quite a bit over the last few years, the tensions are starting to emerge. One of the places that you see it a lot, unsurprising, is at the United Nations. So as the United Nations is trying to set forth with some global norms would be for cybersecurity. So what are the appropriate rules of the road that a country should adhere to? So what may or may not be off limits for an attack? What may or may not be off limits for accessing data? Those kinds of things.

Andrea Little Limbago: [00:18:55:19] And so for the UN, who has historically been there to help establish international guidelines for country behavior, and trying to establish those guidelines at the international level for cyber, is really, really difficult. Because for the past five or six years, United Nations has a group of governmental experts that's been trying to pull together these various rules of the roads and guidelines. Just last year, it completely fell apart, and my understanding is the people who were in some of the discussions, it was this tension between the view of the world from the China, Russia, and some of those kinds of countries, those perspectives, in contrast to what European Union, United States and democratic countries were trying to push for, for what the norm should be. Those discussions just completely fell apart last year, and so right now it remains an area of a largely anarchic system where there is no super national control, so every country is going to be doing their own thing, which basically

Andrea Little Limbago: [00:19:57:20] means that so far countries vary dramatically on what is off limits for targets, what's the right behavior? What kind of cooperation is okay? All those things across the board are just up to every country's whims and up to their own incentives. That's probably one of the biggest areas. But you also see it a lot as far as bilateral relations between countries. You're starting to see more and more bilateral cyber agreements going on. And you see them a lot.

Andrea Little Limbago: [00:20:21:11] Generally within each of these different areas you see the democracies starting to do their own bilateral agreements in cybersecurity and then the authoritarian regimes. The US and China did do an agreement along the lines, in 2015, of what would be off limits, such as to ban using cyber espionage for commercial purposes. But again, because there were no teeth to it, there were no repercussions for failing to adhere to that, it really hasn't had the teeth to actually provide any long term changes in behavior.

Dave Bittner: [00:20:51:00] That's Andrea Little Limbago from Endgame. You can read her full report, "The March Toward Data Localization" on the Endgame website. It's in the blog section. We've got an extended version of this interview on our Patreon site at patreon.com/thecyberwire. Our Patreon supporters get first access to it and in a few days it'll be available to the general public.

Dave Bittner: [00:21:15:05] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security - follow the behavior, find the threat. Visit E8security.com to learn more.

Dave Bittner: [00:21:37:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're code building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Patrick, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.