The CyberWire Daily Podcast 3.1.18
Ep 546 | 3.1.18

Fancy Bear finds Berlin just right. RedDrop Android blackmail malware. Another AWS S3 exposure. FTC settles; SEC investigates. Blockchain radix malorum?

Transcript

Dave Bittner: [00:00:00:16] A special thanks to all of our Patreon supporters, you can find out how you can support our show by visiting patreon.com/thecyberwire.

Dave Bittner: [00:00:12:01] Fancy Bear gets busy in a sensitive German government network. RedDrop Android malware is built for blackmail. Intel issues another Spectre fix. The FTC reaches a settlement with Venmo over privacy, security and availability of funds. The SEC is investigating a number of initial coin offerings, and Mr Gates is no fan of cryptocurrencies. And it seems cryptocurrency mavens are no fan of Mr Gates.

Dave Bittner: [00:00:43:19] Now I'd like to share some words about our sponsor, Cylance. You know you've got to keep your systems patched, right? Patching is vital, and WannaCry, which hit systems that hadn't been patched against a known vulnerability, well, that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance endpoint security solutions will do exactly that. Fend the bad stuff off and do your patching quickly but systematically. It's artificial intelligence and it's a natural for security. Check out the Cylance blog, Another Day, Another Patch, at cylance.com. And we thank Cylance for sponsoring the CyberWire. That's cylance.com. For cyber security that predicts, prevents and protects.

Dave Bittner: [00:01:44:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, March 1st, 2018.

Dave Bittner: [00:01:53:15] The Bears appear to have shown up in Berlin. And for that matter in Bonn. German authorities said yesterday that they are investigating a cyber espionage campaign against federal networks. The attack was detected in December, but the threat actors are believed to have been present in the networks for about a year before they were discovered. The campaign is attributed, not officially but by anonymous sources close to the investigation, to Fancy Bear, Russia's GRU military intelligence service.

Dave Bittner: [00:02:21:24] Deutsche Welle describes the network, the IVBB, which was the hackers' target, as a dedicated secure platform used only by, quote, the Chancellery, the German parliament, federal ministries, the Federal Audit Office and several security institutions in Berlin and Bonn, the former German capital where some ministries still have offices, end quote.

Dave Bittner: [00:02:44:12] Fancy Bear gained notoriety as the threat actor that snuffled through the US Democratic National Committee, the International Olympic Committee, the International Anti-Doping Organization, French President Macron's campaign and a large number of other targets of official Russian ire. This isn't the first visit to Germany either. Fancy Bear is believed to have compromised Bundestag networks for more than a year.

Dave Bittner: [00:03:09:12] Security firm Wandera is describing RedDrop, a strain of Android malware, distributed for the purpose of blackmailing its victims. RedDrop combines the functionality of spyware, Trojan and data exfiltration. It's troublesome but apparently not terribly sophisticated or difficult to guard against. If users take apps only from reputable sources, and enable Google Play Protect, they are probably safe. Still, Android users take RedDrop as one more incentive to straighten up and fly right.

Dave Bittner: [00:03:40:22] Intel continues to address the Spectre and Meltdown vulnerabilities that have bedeviled its CPUs. It's issued new fixes for Spectre to Broadwell and Haswell chips.

Dave Bittner: [00:03:53:01] The US Federal Trade Commission has reached a settlement with PayPal subsidiary Venmo over the company's practices. The root of the problem, according to the FTC, lay in Venmo's representation that funds transferred would be immediately available to their owners when in fact such funds could be, and sometimes were, frozen while Venmo investigated underlying transactions. The FTC said this caused a number of customers undue financial hardship. The company was also in hot FTC water over its privacy and security practices, especially in the way it communicated those practices to its customers.

Dave Bittner: [00:04:30:01] Acting FTC chair Maureen K. Ohlhausen drew a lesson for the financial sector as a whole. "The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one."

Dave Bittner: [00:04:51:05] It's common practice for software developers to rely on varying degrees of open source software in their work. Rami Sass is CEO and co-founder of WhiteSource, a company that helps developers manage and secure their open source assets.

Rami Sass: [00:05:06:13] The default choice today is to not develop yourself what you can find in an open source project. And that's a trend that we've seen develop over at least the last decade. Or has become extremely prominent over the last decade. It may have started two or more decades ago. But today every software engineering group anywhere that's working on commercial software is actually relying very, very heavily on open source components, and just a small portion of the software that gets shipped to the customer, or gets deployed, is actually net new software or proprietary software that's been developed by your own engineers. More than 50% of it is comprised of open source components. So much so that there is a big trend today talking about how software is composed and not written.

Dave Bittner: [00:06:09:20] Can you take us through what are some of the benefits and potential vulnerabilities of this approach?

Rami Sass: [00:06:17:03] So the benefits are enormous and fairly well discussed, in the sense that it's the open source itself, is free to use, readily available at large scale, usually very well maintained, by the open source community and can save you a lot of work while still giving you very high quality product or very high quality results very easily. So benefits are primarily around saving time, saving money and saving energy, while conserving all of these resources to really focus on the new innovative parts that you are now bringing to the world, other than having to do the same mundane tasks for the thousandth time that someone else has already done.

Rami Sass: [00:07:16:05] On the risk side, there are some risks that all derive essentially from the fact that you are bringing in some third party piece of software and embedding it into your own software and then selling it or deploying it out into the world as if it is your own. So you essentially become accountable for all potential issues that may be hiding in the open source components, usually they'll look malicious. So we rarely, if ever, see cases where people try on purpose to provide you with faulty open source components. Although there are some stories from the espionage world, certain countries I will not name, that may be doing some of these things as part of a sort of intelligence. But besides those fringe cases, most of the problems are the derivative from the fact that open source is just software in its own right at the end of the day. And it gets written by human beings, flesh and blood, whilst off to engineers and may make the same kinds of errors that people working on commercial software

Rami Sass: [00:08:36:10] make, and that in turn means that there will be all there are, several known security vulnerabilities in open source projects. There could be quality issues and to add to those, there sometimes can also be legal issues in the sense that open source, while free, will always come with some strings attached. So you cannot really distribute code without attaching some kind of copyright waiver. And when people waive their copyright, they would normally add some terms and conditions under which they waived their copyright, which in turn become licenses. So all open source, just to be open source, needs to have some license attached to it, and some licenses start adding additional conditions and requirements from the developers that, if you don't adhere towards, you don't pay attention to, could sometimes get you into a little trouble.

Dave Bittner: [00:09:42:05] That's Rami Sass from WhiteSource.

Dave Bittner: [00:09:46:02] The US Securities and Exchange Commission has begun investigations into multiple ICOs. The Wall Street Journal reports the SEC has issued 'dozens of subpoenas' to tech companies who have held token sales, and to their advisors. TechCrunch notes that the money raised in initial coin offerings amounted to six billion dollars last year and has already hit the one billion dollar mark in 2018. Six billion dollars is far from huge, but it's not trivial either, being a bit larger than the CIA's World Factbook estimate of the GDP of French Polynesia, Bermuda, Jersey or Liechtenstein.

Dave Bittner: [00:10:23:14] And finally, Microsoft's Bill Gates is no fan of cryptocurrencies, which he sees primarily as modes of illicit funds transfer and money laundering, favorite financial vehicles of drug dealers, contraband peddlers, blackmailers, and other bad people. He takes it as read that the alternative currencies have blood on their hands. This week in a Reddit 'Ask Me Anything' session he said, quote, 'Right now cryptocurrencies are used for buying fentanyl and other drugs so it is a rare technology that has caused deaths in a fairly direct way. I think the speculative wave around ICOs and cryptocurrencies is super risky for those who go long', end quote.

Dave Bittner: [00:11:02:23] Alt-currency advocates reacted contemptuously, saying as for example Bitcoin developer Udi Wertheimer did, that cryptocurrencies are no more and no less a cause of death than traditional cash has always been. The general rejoinder has been that cryptocurrency's salient feature isn't anonymity, but rather immutability. And the ability to support trustless transactions. He may have more of a point about the riskiness of cryptocurrency speculation.

Dave Bittner: [00:11:34:04] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore. They are too difficult to deploy, too time consuming to maintain, and too heavy on the endpoint. They are high maintenance, and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era, with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:12:40:11] And joining me once again is Johannes Ullrich, he's from the SANS Technology Institute. He's also the host of the ISC StormCast podcast. Johannes welcome back, you wanted to touch base today about the memcached denial of service situation here. What can you share about that?

Johannes Ullrich: [00:12:56:02] What's happening really is that this is yet another one of these reflective denial of service attacks. What's happening here is that we do have another UDP based reflective denial of service attack. The culprit here in some ways is one of these NoSQL databases called memcached. Now memcached is a very simple database, as the name implies, it runs all in memory. With that there isn't really any authentication or access control for it. Now when you ever installed it, it usually only listens on the loopback interface in your system, and in the configuration file it actually explicitly warns you not to have it listen on an open exposed interface that's not firewalled or such, but apparently, probably no surprise here, people aren't listening. The problem with this is memcached has a status command. When you send this command to memcached it replies with, essentially, a sort of dump of its status, which is quite robust.

Johannes Ullrich: [00:14:05:00] So this has been used in denial of service attacks. A hacker will spoof a packet, it appears to come from the victim asking for this status and memcached will reply with a few kilobits in some cases hundreds of kilobits, of data. So this has been used to amplify the denial of service attacks, and they have reached typical multi gigabyte sizes.

Dave Bittner: [00:14:33:15] How do you prevent this sort of thing?

Johannes Ullrich: [00:14:36:10] If you find a memcached database exposed like this, first of all fire whoever set it up like this. Because that's really sort of non-excusable but, yes, you would never really expose memcached to the open internet. Like I said, you also expose all of your data, because there is no authentication for this database. It's often used in web applications to hold session data on certain more ephemeral data. So certainly critical and confidentially, so never really should be exposed, and that's really the big thing here. Now if you're at the bad end of one of these denial of service attacks, you can try and filter everything that's coming from source port 11211, that's the port memcached is listening on. But typically you will need some help from some upstream ISP, some anti-denial of service service that you need to hire, in order to filter this traffic as far as possible. These attacks are so large, with hundreds of gigabits per second, that probably what you're doing on premise, with your firewall, won't really work.

Dave Bittner: [00:15:46:15] That's interesting stuff. Johannes Ullrich, as always thanks for joining us.

Johannes Ullrich: [00:15:50:22] Thank you.

Dave Bittner: [00:15:53:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:16:15:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.

Dave Bittner: [00:16:45:00] This podcast was edited to remove an error, concerning an exposed Amazon S3 bucket.