A Memcrash kill-switch. Shadow Brokers' leaked "Territorial Dispute" tools. Dutch DDoS, Indian hacks. FBI and backdoors. Notes from SINET ITSEF.
Dave Bittner: [00:00:00:00] A kill-switch for Memcrash may have been found and Memcrash may be dangerous for other purposes than denial-of-service. Researchers in Hungary take a look at the Shadow Brokers' dumps and speculate about the purpose of the territorial dispute module. The Dutch tax authorities sustained another DDoS attack last night. India's CERT renders a troubling report to Parliament. The FBI still wants a non-backdoor backdoor, and some notes from SINET ITSEF.
Dave Bittner: [00:00:34:12] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain, and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly, and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult, even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:43:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, March 8th, 2018.
Dave Bittner: [00:01:52:11] Researchers at security firm Corero say they've found what amounts to a kill-switch that can turn off memcached exploitation for denial-of-service purposes. They've notified various authorities and are working to make the remediation more generally available. So bravo, Corero, for taking a shot at what's already proven a troublesome DDoS exploit. Corero does mix this good news with some less good news: the vulnerability that can be used for DDoS could also let attackers steal or modify data on affected servers.
Dave Bittner: [00:02:23:19] University researchers in Hungary, at the laboratory of Cryptography and System Security, that's CrySyS Lab of the Budapest University of Technology and Economics, have announced the results of their study of the Shadow Brokers' leak of what are said to be NSA hacking tools. Their most interesting conclusions are that the tools in the territorial dispute modules were particularly adapted to discerning the activities of competing state intelligence services. Wired looks at the Shadow Brokers' leaks and particularly laments the widespread dissemination of EternalBlue, which has been used in far too many attacks worldwide.
Dave Bittner: [00:03:01:15] The Dutch Tax Authority sustained another distributed denial-of-service attack yesterday. The disruption lasted about five hours. No data was lost or compromised, according to the Netherlands Times. The attack was a service interruption. The previous DDoS attack was in January. The suspect in that case was taken into custody last month. He said he did it for the lulz, as a joke. No attribution or, of course, arrests yet in yesterday's attacks.
Dave Bittner: [00:03:29:13] CERT-In, India's Computer Emergency Response Team, has reported to Parliament that more than 20,000 of the country's websites - including 114 government sites - were attacked between last April and this past January. The Indian press is treating this as a serious matter, which it would seem to be.
Dave Bittner: [00:03:48:15] In legal news, Yahoo! is said to have agreed to an $80 million settlement in a class action suit shareholders brought against the company in the wake of the breaches it began disclosing in 2016.
Dave Bittner: [00:04:01:09] FBI Director Wray, speaking at Boston College this week, painted a picture of a world effectively at war in cyberspace. He also resumed the Bureau's longstanding pleas for responsible encryption, a non-backdoor backdoor that would enable properly authorized law enforcement authorities to break otherwise inaccessible devices in the course of investigations. Few think such a thing is possible. Any backdoor would have to be a backdoor, and hence an exploitable weakness, most observers in the tech community believe. The bureau, in their view, may as well be asking for something made of unobtainium.
Dave Bittner: [00:04:38:23] The attempted assassination of a former GRU officer and his daughter in the UK over the weekend appears to have used a nerve agent. The victims, including at least one first responder, remain in serious condition. How the poison was delivered is unknown.
Dave Bittner: [00:04:55:06] Protecting against insider threats is an important part of every organization's security posture, with phishing attempts on the rise and the simple fact that we're all human and sometimes we make mistakes. Richard Henderson is a Global Security Strategist at Absolute, and he makes the point that when it comes to insider threats, it may be in your best interest to expand the scope of what you're looking for.
Richard Henderson: [00:05:16:15] A lot of people are starting to really appreciate the understanding that what we have traditionally thought of as insider threats only is a small portion of the equation. The definition of an insider threat is so much more broad in scope than what we've generally come to appreciate as an insider threat. So, a perfect example, we're all familiar with the Edward Snowdens, and people quitting a job and walking out the door with everything on a thumb drive. And yes, those are absolutely types of insider threats. But, there's so much more beyond that malicious insider who's intentionally trying to do harm. You know, you think about the system admin who has decided in a huff that he or she wants to leave the company, and they nuke everything before they go. Those are things you need to worry about.
Richard Henderson: [00:06:04:17] I was at the Forrester Privacy and Security Summit late last year and I sat in on a talk that specifically mentioned insider threats, and there was an interesting statistic that said that over half of security incidents in an enterprise today involve an insider in some shape or form, and what does that mean? It means, for example, if your marketing team decides that they're going to email off a spreadsheet full of potentially sensitive customer data to a third party processor and in some jurisdictions they didn't get the exclusive opt-in from those customers to share that data with that third party, technically that's an incident, and that is an incident that was caused by an insider.
Richard Henderson: [00:06:47:22] Someone clicks on an email and they didn't mean to, and they share some information they shouldn't have. That's a different type of incident that involves an insider. So, there are a lot of attacks out there that are precipitated by someone on the inside doing something either they didn't mean to, or something they should not have done. Now, of course, you want to realize that people's intentions are good and they don't mean to, most of the time, intentionally or negligently cause harm to the enterprise, but they do through their actions or, in some cases, lack of action.
Dave Bittner: [00:07:23:12] It seems to me that there's an emotional component to that as well. That it's natural for someone to think, "Oh my gosh, I made a mistake and now I'm going to get in trouble, I better not say anything." But, if you can reward people for doing the right thing somehow, even if it's just saying, "Hey, we're really glad you called us in here to help fix this," that's really setting up that culture where that bigger picture security situation is top of mind for people.
Richard Henderson: [00:07:48:24] I mean, ask yourself this question: would you rather have an employee come forward and say, "Look, I think this isn't right," and have it be something totally innocent or something totally innocuous? Or have them not say anything at all and then something bad happens and you don't find that out because it got through your defenses, and it may take a long time before you realize something really bad has happened? I know what I'm going to pick. And I would hope most people would pick that they would rather have their employees waste a little bit of help desk resources on the occasional false alarm, than not say anything and try to clean up a giant mess later on down the road.
Dave Bittner: [00:08:23:12] That's Richard Henderson from Absolute Software.
Dave Bittner: [00:08:27:23] SINET's annual ITSEF conference wraps up today in Silicon Valley. The first day's sessions covered, as expected, the state of the cybersecurity industry.
Dave Bittner: [00:08:36:21] Some takeaways from the conference so far include the rapid maturation of deception technologies, which are beginning to assume an important role in security architectures. Executives whose companies have used them showed a surprising unanimity: deception has been good to them, both effective and affordable.
Dave Bittner: [00:08:54:17] People view the explosive growth of the Internet-of-Things, of course, with considerable concern, especially the industrial Internet-of-Things, where a general failure to secure levels zero and one renders national infrastructures disturbingly vulnerable to catastrophic disruption. A panel yesterday on the IoT urged schools of engineering, in particular, to begin teaching students how to design for a high-threat environment. As one panelist said, "Civil engineers design, always, against gravity. Now electrical, industrial, and systems engineers should start designing against an environment rife with attackers."
Dave Bittner: [00:09:30:04] Another interesting discussion considered regulation and liability. The current regulatory environment, especially GDPR, and recent consent decrees obtained by the US Federal Trade Commission, has effectively made businesses responsible - fairly or unfairly, like it or not - for their customers' endpoints. Businesses would do well to come to grips with this new reality.
Dave Bittner: [00:09:52:11] And the cybersecurity market itself has changed. Vendors find that the CISOs they wish to sell to aren't so available. They've gone into hiding. SINET CEO Robert Rodriguez said, "You won't find those CISOs walking the floor of RSA in the old approachable way. They've secluded themselves in hotel suites," and Rodriguez thinks tone-deaf vendor marketing is responsible. No one, as he put it, wants to be approached by "some guy on roller skates wearing a gorilla suit," a comment with which one must reluctantly agree. So, before you strap on those skates and say, "Step right up, friend," take some time to listen and understand what the customer might actually want, and need.
Dave Bittner: [00:10:36:19] Now a word about our sponsor, the Johns Hopkins University Information Security Institute. Providing the technical foundations and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security, assurance and privacy. We value their expertise and insights as one of the CyberWire's academic partners, and, of course, they're one of the world's great research universities. The Institute is also an NSA and DHS designated Center of Academic Excellence in information assurance and cyber defense and research. Visit isi.jhu.edu to learn more. And there are scholarships available. That's isi.jhu.edu. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:11:31:11] I'm pleased to be joined, once again, by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. We have seen some crazy stories about cryptocurrency. The numbers are all over the place, and that attracts the bad guys. What's your guidance here? Should people be wary when jumping into this stuff?
David Dufour: [00:11:53:20] David, first of all, thank you for having me. Absolutely. We're not going to talk about whether buying cryptocurrency is the right thing to do or not. We're not investment advisors, obviously. What really people need to be aware of is where are they buying these cryptocurrencies? Because, you know, the first big Bitcoin market set up in Japan was set up on such a simple platform that it was easily hacked and the whole thing was blown up. The guy who started it is in jail now.
David Dufour: [00:12:25:06] It's a function of are you comfortable and paying attention to where you're actually buying your cryptocurrency? For example, December 6th, there was a crypto site that was hacked; November 25th, a crypto site that was hacked; August 22nd, a crypto site that was hacked; July 19th, a crypto site that was hacked. So, I'm not talking like the good ones. There's good sites where they're asking you and they're doing good security. There's a lot of start-up sites that don't put security top of mind, and they're being attacked heavily because there's so much money to be made.
Dave Bittner: [00:13:00:19] So, don't get drawn in by the promise of quick profits without doing your due diligence on the security behind the scenes?
David Dufour: [00:13:08:11] That's exactly right. In all honesty, I'm a big fan of Bitcoin and cryptocurrencies and the idea behind them and not being attached to government entities and stuff, really opens up markets. But, make sure that if you're buying it, you're buying it from a reputable place. I'm not going to steer people to New York, where New York has regulations about this. They regulate and monitor cryptocurrency exchanges that start up there. But, you might spend a little bit of time understanding how the exchanges work, how they're regulated, what's going on behind the scenes, before you just open up a wallet and buy something.
Dave Bittner: [00:13:45:22] Talk to your financial professional, right?
David Dufour: [00:13:48:08] [LAUGHS] Well, they might scratch their head too. I'm going to say they give you a call, David. [LAUGHS]
Dave Bittner: [00:13:54:00] [LAUGHS] We definitely don't want them to do that, that's for sure. [LAUGHS]
Dave Bittner: [00:13:58:14] What about the hardware wallets that I see people selling? Is this something to explore?
David Dufour: [00:14:04:13] Again, it's something to look into, and I think they're not a bad idea. All of this is so new and it's so the Wild West. Understand who you're buying it from, what kind of platform it's been built on. And the thing is, if you're not a highly technical person who's familiar and comfortable with researching technology, you're going to have to find some third source that you trust, to make a good recommendation. So much of this stuff comes up and down every day. And I'm theorizing here that you're going to see some hardware crypto wallets that aren't legitimate, hardware crypto wallets that you're going to buy and then somebody's going to steal your currency off those, because they're spoofing them. Everyone has to be very conscious of what they're doing. I know everybody's excited, they want to get on cryptocurrency and in the speculative nature, everybody's going to make a billion dollars. But, just take the time to understand where you're buying, not just what you're buying.
Dave Bittner: [00:15:07:11] Alright, good advice as always. David Dufour, thanks for joining us.
David Dufour: [00:15:10:24] Thanks for having me, David.
Dave Bittner: [00:15:14:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:15:36:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:15:46:05] Our show is produced by Pratt Street Media. Our editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.