The CyberWire Daily Podcast 5.8.18
Ep 594 | 5.8.18

Greek and Turkish hacktivists swap defacements. Process Doppelgänging in the wild. GDRP is coming (like winter, for you Game of Thrones fans.) Profiling infosec enthusiasts.

Transcript

Dave Bittner: [00:00:03:14] Hacktivist lightning flashes over the Aegean and hits Greek and Turkish TV stations. Process Doppelgänging is observed in ransomware circulating in the wild. Unstructured data could expose enterprises to GDPR regulatory risk. So might transitive data sharing. Big US companies are ready to follow GDPR standards in North America as well as Europe. Older Lantech industrial servers appear vulnerable to remote code execution, vandals hit security cameras in Japan, and teachers, don't necessarily leave those kids alone, but maybe that cultist is actually an infosec enthusiast.

Dave Bittner: [00:00:46:01] And now a word from our sponsor LookingGlass Cyber Solutions. An open letter from the malicious botnet on your network.

Male Speaker: [00:00:53:18] So here we are, it's just you and me at this Godforsaken hour. You're looking right at me, too; I'm on the second monitor to the left. Had you seen me you would have realized I compromise computers in your organization and they work for me now. Even if you had spotted me your current process is too slow to catch me. You update your network rule sets once a week, I'll be in Cabo by then working on my tan. I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that fends off cyberthreats like me. Data breaches, ransomware and stolen credentials in real time. Be a hero with the LookingGlass Scout Shield Threat Intelligence Gateway. See the video at lookingglasscyber.com.

Dave Bittner: [00:02:02:07] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 8th, 2018.

Dave Bittner: [00:02:17:05] National pride and traditional resentments manifest themselves around the Aegean as rival teams of Turkish and Greek hacktivists take whacks at one another's national media outlets. The two contending groups are the Akincilar, "Invaders", from Turkey and Anonymous Greece. The former accuse the latter of support for Kurdish terrorists; the latter accuse the former of conniving at Kurdish genocide. This sort of hacktivism flares periodically where long-simmering ethnic rivalries are found; it's seen now and again across the India-Pakistan border, for example. It's something security practitioners might keep in mind: the reaction of Greek security authorities in this case was almost blasé: the incident, they said laconically, had been contained.

Dave Bittner: [00:03:06:07] SynAck ransomware (not to be confused with Synack the security company) has been observed using Process Doppelgänging in the wild. Process Doppelgänging executes code by abusing the Windows loader. Thus it doesn't need to write to disk, which makes it more evasive and difficult to spot with technical screens. This has been known to be possible for some time, but the use of Process Doppelgänging by malware in the wild is relatively novel.

Dave Bittner: [00:03:34:15] Have we mentioned to you that the EU's General Data Protection Regulation takes full effect on the 25th of this month? Little doubt remains that the GDPR will affect data protection, collection, and privacy standards worldwide. A recent study by Varonis Systems took a look at unstructured data in particular. They investigated a sample of 130 companies, inspecting about 5.5 petabytes of data. They found that, in general, far too much sensitive data is made accessible to far too many employees. On average, 21% of a company's folders were accessible to all employees. That's a lot, and the risk of a breach brought about by credential theft should give everyone pause. GDPR will expose companies to substantial regulatory penalties if personal information is breached.

Dave Bittner: [00:04:26:09] Apple, Facebook, Twitter, and Sonos are some of the larger companies who plan to adhere to GDPR standards in North America as well. The Wall Street Journal calls regulation the "hot import" from the EU, and there's something to that.

Dave Bittner: [00:04:43:00] One concern some people are worrying about - TechCrunch has a short think-piece on it - it transitive data sharing, the kind of sharing that got the alleged Golden State Killer caught, and that eventually proved the downfall of Cambridge Analytica. Transitivity is familiar to all us from grade school arithmetic, right? You remember it. In one example, if A is greater than B, and B is greater than C, then A is greater than C. Or if A is less than B, and B is less than C, A is less than C. Social media connections tend to be transitive. That's how, says Anshu Sharma, writing in TechCrunch, Cambridge Analytica came to learn so much about so many people who never used that quiz app in Facebook. Some of their friends did, and that's all it took. Holding information shared, in such transitive relationships, by people who never actually shared it, is worth some reflection. There may be some good there, but there may also be some exposure to regulatory risk.

Dave Bittner: [00:05:45:09] Does your organization have a threat hunting team? Do you know what they're up to and how they're doing? Chris Dollase is Deputy General Council and Vice President at Mimecast, and he recently moderated a panel at the RSA conference titled Swimming in a Sea of Enemies: the Dilemma of the Threat Researcher. He joins us to share his thoughts from that panel.

Chris Dollase: [00:06:06:19] Threat research takes many different forms. You know, Mimecast has a bunch of stuff that does threat research but what we're really getting into are people that sort of do more offensive versus defensive research, looking at different websites or looking at what attackers are doing or finding where attackers are storing stuff, and I think it really falls into three buckets. So, the first is compliance with the law. That can take many different forms and has different ramifications. The second is the risk to the company that the researcher works for, and then the last was what's interesting for me because I'd never really thought about it, was how the impact is to the actual researcher, the person doing the research.

Dave Bittner: [00:06:50:10] Well, let's work through them in reverse order, then. I mean, what is the impact on the researchers?

Chris Dollase: [00:06:55:06] Well especially people who sort of get really into the Dark Net, there are a lot of bad things in the Dark Net and one researcher, we'll say it was hypothetical, was in a bad place in their life and they really kind of went off the rails and ended up getting sort of involved in child pornography and ended up getting arrested. People who work for anti-virus companies and things like that, who are exposed to many bad things are actually closely monitored and given counseling and things like that, because you can really, once you get into the Dark Web, maybe not find your way out as easily as you think you can.

Dave Bittner: [00:07:35:05] No, it's interesting. I think a lot of times in a technical field like this we don't often think of the emotional components.

Chris Dollase: [00:07:43:02] Yes, I agree. I think that's a very important part of it and I think, you know, part of that too is for a company you want to make sure you're monitoring what people are doing and, in addition to monitoring, there's also auditing what people are doing, because it's very easy to get caught up in and to do something that's completely non-relevant to the mission of the company in that area.

Dave Bittner: [00:08:07:04] It strikes me that, you know, if I walk around my neighborhood and go door to door and just check to see whose front door is unlocked and whose not, that's going to attract attention, and I wonder what the equivalent of that is for threat researchers?

Chris Dollase: [00:08:26:13] I think that actually bleeds a little into the law question and, there's a series of laws where it's at, but we really focused on the Computer Fraud and Abuse Act. The issue we have is that the attackers, the bad guys, you know, they don't have to follow rules, they don't have to follow company policies, they don't have to follow laws, it's what they do. The threat researcher has all those things in scope as they go through it. A violation is knowingly accessing a computer without authorization. A bad guy doesn't care about that; if they get caught, they get caught. But that's a sort of a trap for the white hat hackers. They can still run afoul of that law because it's simply by doing it, and simply going about to access a computer is all the intent. It doesn't matter whether you're trying to do it for the good, that can be a violation. And so that's the trouble in counseling threat researchers; they don't quite always get that part of it. You know, anyone who is doing threat research need to be trained on what the law is, what the company policies are, and how best to go about doing research, and there are best practices. I do think what's missing in the industry, as a sort of an aside, is more guidance to people on how to do things.

Chris Dollase: [00:09:41:00] I think the second thing is that management in companies need to be much more aware of what's going on in their threat research organizations, because I think a lot of them have no idea what's going on and have no idea what the risks are that their company are involved in. And I think the third one is the first point we discussed which is there really is a people side to this and it needs to be closely monitored to help with the other buckets of making sure things are legal and to make sure that policies and things are sort of done ethically, but also on the human side, which is that these threat researchers are in a bad place, in a war zone almost, and need to be cared for as they go through it.

Dave Bittner: [00:10:22:14] That's Chris Dollase from Mimecast.

Dave Bittner: [00:10:25:20] Researchers report finding two exploitable flaws in Lantech's IDS 2102 industrial networking systems that could allow remote code execution. The bugs are present in older versions, ones running version 2.0 and earlier of the firmware. Lantech told SecurityWeek the vulnerable product was phased out in January and that it won't be patched.

Dave Bittner: [00:10:49:03] Unpatched Drupal flaws, the so-called "Drupalgeddon," continue to be exploited for cryptojacking. Drupal users should patch and update.

Dave Bittner: [00:10:59:02] Providing evidence, were any more needed, that idle hands flourish and fidget the world over, people in Japan with too much time on their hands are hijacking Canon security cameras to display the message "I'm Hacked. Bye2," which isn't even good haiku.

Dave Bittner: [00:11:18:10] Watching cameras

While watched by the cameras 

I am hacked: bye2

Dave Bittner: [00:11:25:10] There we go, we fixed it for them, complete with juxtaposition and fruitful ambiguity; five, seven and five syllables. In fairness to the idle hands in Japan, their handiwork is less objectionable than that of last week's Arizona dipstick, the one fiddling with highway signs. But still, kids, stay in school and don't hack security cameras.

Dave Bittner: [00:11:46:15] Speaking of the kids, BleepingComputer takes a look back at the late 1980s ritual abuse panic, linked with the related repressed-and-recovered memory panic. The two panics were serious matters, with lives damaged, careers lost, and jail time served. They're worth remembering as cautionary tales. But what interests Bleeping Computer is a document found in an old teacher's supply closet. Distributed to schools by police, the document is called Identification, Investigation, and Understanding of Ritualistic Criminal Activity.

Dave Bittner: [00:12:21:07] So BleepingComputer read this guide with an unexpected frisson of self-recognition. Consider: teenagers who were regarded as "at risk" for falling into the clutches of ritual crime covens were associated with "Fantasy Role Play". They were held to be underachieving experimentalists with "curiosity beyond norm". They were intelligent, creative, bored, and suffered from low self-esteem. They "may use computers with access codes", probably much the way you do, gentle listener, and they tended to lock their bedroom doors, sometimes with padlocks.

Dave Bittner: [00:12:59:06] So, nascent dark side cultists or just run-of-the-mill information security enthusiasts? Bleeping Computer thinks the latter and, on reflection, we admit we could probably show you a few hacker-weight of security types who fit the profile. They're okay, though, so don't be too quick to judge the books by their covers.

Dave Bittner: [00:13:19:12] Our advice is unchanged, kids: stay in school, be better, and don't hack security cameras, or attendance rosters, or grades. You get the picture.

Dave Bittner: [00:13:35:09] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agents and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:44:08] And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Now Emily, we speak a lot about third party security issues and I wanted to check in with you on what sorts of things you see on the Dark Web when it comes to third-party stuff.

Emily Wilson: [00:15:00:20] Sure. It has definitely been a busy couple of months for third-party breaches and leaks. Obviously we're all talking about Cambridge Analytica. We heard some bad news for Delta and Best Buy and others for this 24/7.ai leak. One of my favorites recently was the list that came out of PayPal a little bit earlier in the year about the 600-plus companies they share your data with; some of them seem perfectly legitimate, other ones you kind of have to squint at. From my perspective, as someone who spends a lot of time looking at leaked data on the Dark Web and I'm going to specify here leaked data, not data for sale, a lot of the information that I see is coming out of third parties. Sometimes you will see people who are going after specific organizations, and they're leaking information from that organization, and you're ending up with a lot of, you know, first party corporate data getting leaked. That does happen. More often than not, though, where we're seeing corporate information show up is in third-party leaks and that can be in one of two forms.

Emily Wilson: [00:15:59:01] On one hand, we can see corporate data show up from other professional organizations, different marketing or consulting or tech firms that you might be using, you know, people who have a reason to have your corporate data who just didn't have solid enough security and now this data is getting leaked and your employees are getting exposed. The other side, and I often wince when I see this, is we'll see corporate information show up for services that have no reason to have corporate sign-ups, so lots of leaks coming out of music streaming services, video streaming services, sports or gaming platforms and there mixed in with all of the other web-mail addresses are corporate accounts. People are using their professional identities to sign up for these services and so, when they get leaked, especially if we're talking about password reuse, that can be a bad day for the company.

Dave Bittner: [00:16:45:24] So, just out of convenience for me or laziness I sign up for Spotify or Pandora or you know something with my Xbox and instead of using my personal Gmail account or whatever I used my corporate account, reuse my password and now they've got me.

Emily Wilson: [00:17:02:01] Yes. And these types of services, especially I would say in the gaming community in particular, and also in the music streaming community, these types of services are getting regularly attacked and there are a lot of leaks going around, this information is circulating, and this can be not necessarily new breaches but stuff from years ago, and so it continues to be a problem.

Dave Bittner: [00:17:25:22] So an interesting insight there in terms of setting corporate policy for what you can and cannot use your corporate email address for, perhaps?

Emily Wilson: [00:17:33:17] I think that would be a good argument. I think we all of us have been in a rush sometimes or maybe you use the wrong Auto-fill, but it's something to keep an eye on because you really are creating double exposure there.

Dave Bittner: [00:17:44:00] Emily Wilson, thanks for joining us.

Dave Bittner: [00:17:49:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:18:09:18] And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:18:14] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:18:28:07] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.