The CyberWire Daily Podcast 5.22.18
Ep 604 | 5.22.18

Speculative Store Bypass. GPON-based botnet. Customer data exposures. Roaming Mantis gets more capable. Nation-state threats.

Transcript

Dave Bittner: [00:00:04:02] The Speculative Store Bypass vulnerability is found in most current chipsets. GPON-based routers are assembled into botnets. Comcast and TeenSafe close vulnerabilities in transmission and storage of customer data. Roaming Mantis banking Trojans acquire new functionality. Is Moscow waiting for the World Cup to conclude before going on cyberattack? How about Iran and China? Will DPRK hacking be on the summit agenda? And GDPR is coming Friday, to some information near you.

Dave Bittner: [00:00:41:16] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy, find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it.

Dave Bittner: [00:01:07:19] ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect your team works as a single cohesive unit, reinforced by a global community of peers. To register for a free ThreatConnect account or learn more, visit threatconnect.com/free. We thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:59:19] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday May 22nd, 2018.

Dave Bittner: [00:02:11:22] Another speculative execution flaw similar to Spectre and Meltdown has been discovered by Google's Project Zero. The vulnerability is exploitable by Speculative Store Bypass, which could expose user data across a broad range of devices. Intel is calling it Variant 4 and classifying it as medium risk. Microsoft is even more optimistic, characterizing the risk to users as low, but Variant 4, which has been designated CVE-2018-3639, is being taken seriously.

Dave Bittner: [00:02:46:24] The issue isn't confined to Intel chips. It affects both Intel and AMD x86 chipsets, POWER 8, POWER 9, System z, and some ARM processors as well. Exploitation of the side-channel vulnerability could allow unauthorized read-access to memory on afflicted systems.

Dave Bittner: [00:03:06:17] Speculative execution is an optimization technique chip designers use to speed tasks by performing some of them before, strictly speaking, they're needed. It uses a history of branch executions to predict tasks before they've been called for. This makes more efficient use of processing resources, employing them as they're available to accomplish tasks that will probably be wanted.

Dave Bittner: [00:03:29:11] This disclosure has been coordinated among Intel, AMD, ARM, IBM, Microsoft and other tech firms. Some vendors have already issued mitigations. Those who face a more challenging patching problem, including Intel, intend to make fixes available within the next few weeks. Analysts tell users to expect some performance decline after applying patches. Intel says tests of the coming fixes have shown a 2 to 8% decline in performance.

Dave Bittner: [00:03:59:01] Security firm Bomgar recently released their Privileged Access Threat Report for 2018, which shines a light on what are often poorly managed account privilege practices. Sam Elliott is director of security product management at Bomgar, and he joins us to share some of their findings.

Sam Elliott: [00:04:16:00] The thing that's really core to us, when it comes to managing privileged access, are those users that actually have the credentials and need them to do their jobs. Those users we tend to put in two different categories: insiders or third party. Insiders being the people that are employed by you and are part of your organization. Third parties would be those folks who come in to help your organization with technology challenges, so think Microsoft or Cisco, or somebody coming in from the Microsoft or Cisco office, virtually, to work on the systems where they have applications. So those are the service providers or third party vendors.

Sam Elliott: [00:04:53:07] We've done this for a few years now and it's interesting to watch over time how the trends are changing, either for the better or, in some cases as we discovered from this report, some trends that were kind of surprising in the wrong way. I think overall the research indicates the majority of the organizations continue to lack just the general awareness when it comes to effectively managing privileged access. There's a lot of data in the report that suggests organizations are aware of the challenge, but they're still playing catch-up to how do we actually manage this in a meaningful way so we can prevent the types of breaches we're seeing ending up in the news and having everybody have to go and get new credit cards or get credit monitoring or something of that sort.

Dave Bittner: [00:05:48:21] What do you think is guiding those trends?

Sam Elliott: [00:05:51:00] I think there is this matter of trust that's happening. We're in a modern era where it's increasingly likely that if you worked in a large organization and you're part of the IT team, that you're going to have to be defending your organization against cyber breaches. And I think that we're really seeing that so many of the breaches that happen stem from a compromised credential or maybe an unsecured remote access connection out to the Internet, that would make it easy for a threat actor to connect to and then move into an organization's internal and hopefully more well-protected part of the organization.

Sam Elliott: [00:06:36:04] With the velocity of these attacks happening and being more visible, organizations are really starting to take notice. They've been doing all this very clever stuff out on the perimeter of their organization's defense-in-depth security posture, but they've missed what you might think of as the fundamentals when it comes to good credential hygiene and good access hygiene, so things like making sure that they're not sharing my domain admin credentials with more than one person. So they don't make it hard to have good accountability or good attestation when it comes to who did what, when, with which type of credential on which system.

Sam Elliott: [00:07:21:01] I think that the awareness is building and people are saying, you can do a lot of damage with an elevated credential or with an element of unsecured access, so we've got to start putting more of our focus there. You may have heard the term "Assume they're already in." What would I do in my internal defense-in-depth posture if I was thinking that way?

Sam Elliott: [00:07:47:17] There's just a bit of a mind shift. Firewalls are absolutely required but they're not good enough as the only means of protection these days.

Dave Bittner: [00:07:55:06] That's Sam Elliott from Bomgar. You can check out their complete Privileged Access Threat Report for 2018 on their website.

Dave Bittner: [00:08:04:08] Vulnerable Gigabit Passive Optical Network, that is GPON-based, home routers are being herded into botnets. Much of the activity, which is being tracked by security firm Trend Micro, is centered on Mexico. Trend Micro calls the scanning Mirai-like, but this isn't Mirai. The story is still developing; we'll see what comes of it.

Dave Bittner: [00:08:26:10] Two problems have appeared on the consumer data security front. Comcast is reported to have rendered customers' Wi-Fi passwords relatively easy to compromise. The issue was found in the cable giant's Xfinity activation site. The problem is, as the researchers who found it explained to ZDNet, that it's possible for someone to activate an account that's already active. The information needed to do so is minimal, and it's not verified by text or email. Finally, Comcast was sending the wireless name and password in plain text. Comcast took the service down promptly once it was alerted to the problem.

Dave Bittner: [00:09:05:22] The TeenSafe tracking app that lets parents keep tabs on what their kid is doing online has apparently left thousands of customer accounts exposed through an inadvertently misconfigured AWS bucket. TeenSafe has secured the database, and is in the process of notifying affected customers, and of investigating whether any of the data may have been stolen.

Dave Bittner: [00:09:28:24] Researchers at Kaspersky Labs are describing the evolution of the mostly-mobile Trojan Roaming Mantis. It began as a banking Trojan, but now it's evolved. Roaming Mantis has acquired both phishing and cryptojacking functionality. It's fluent in a remarkable range of languages: Arabic, Armenian, Bulgarian, Bengali, Chinese, both traditional and simplified, Czech, English, Georgian, German, Hebrew, Hindi, Indonesian, Italian, Japanese, Korean, Malay, Polish, Portuguese, Russian, Serbo-Croatian, Spanish, Tagalog, Thai, Turkish, Ukrainian and Vietnamese. Did we mention English? English.

Dave Bittner: [00:10:09:13] The still-upcoming US-North Korean summit may have another item on the agenda in addition to North Korean nuclear weapons. Advisors to President Trump are considering urging that discussions of cyber operations be placed on the table as well. The DPRK has remained active in cybercrime. Recent estimates suggest that some $650 million have been stolen since Kim Jong-Un's ascension to power in 2011.

Dave Bittner: [00:10:36:00] US officials are concerned about securing their own communications channels, and the channels they intend to use in working with their South Korean allies. It's widely believed that those communications will receive considerable hostile attention from Pyongyang's espionage services prior to and during the summit.

Dave Bittner: [00:10:55:04] Three other nation-state big dogs aren't barking right now, but there's speculation that they may do so soon. Speculation in the UK holds that Russia's restraint from attacking British infrastructure is temporary. The World Cup is hosted in Russia this year and once it's over, analysts expect the Bears to begin dancing and prancing through Blighty again. The BBC doesn't put it quite like that, but such is the gist of what people are thinking. Cozy and Fancy, we hardly knew ye, and that was OK.

Dave Bittner: [00:11:28:15] Iran's widely anticipated reprisals against the US for withdrawing from the nuclear deal are also yet to materialize. In Tehran's case, however, the night is still young.

Dave Bittner: [00:11:40:08] And some ask what might have become of the large trove of data stolen in the OPM breach, presumably now in the hands of Chinese intelligence. In any case, the OPM stuff hasn't made much of an appearance in the black market, and as Holmes would tell Watson, the significant thing is that the dog didn't bark, in this case on the dark web.

Dave Bittner: [00:12:00:21] Maybe this whole GDPR thing has the spooks spooked in the Aquarium and on Tonggang Road. After all, messing with Langley is one thing, but you really don't want to be on the bad side of the boys from Brussels. Have you heard about those fines for mishandling personal data? Murder!

Dave Bittner: [00:12:20:19] By the way, GDPR goes into full effect this Friday. Have you heard? We thought so.

Dave Bittner: [00:12:31:05] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. See what Workspace ONE can do for your enterprise security at thecyberwire.com/VMware. We thank VMware for sponsoring our show.

Dave Bittner: [00:13:32:14] Joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. We want to talk about the notion of fear versus empowerment. There's a lot to unpack there so where do we get started?

Emily Wilson: [00:13:47:17] I was at a conference a couple of weeks ago, the Know Identity Conference, hosted by One World Identity, and one of the panelists there pushed back against the idea that we need more communication in security, that we need to be putting out more content in order to educate not only our users but also consumers as a whole. He said, we have enough of this information out there already. The problem is that we're not focused on empowering users; we're educating them maybe, but we're leaving them in the lurch here. That really resonated with me, and I think anyone who's heard me talk for more than two minutes has heard me say this before, but I think there's a real problem in security of relying on fear and selling fear. It's easy, it's convenient, it's quick, it's something we can all get behind, it creates a visceral reaction in people. But that's not helpful and, in fact, it's detrimental.

Emily Wilson: [00:14:46:09] From my perspective, and this is something that I focus on a lot, that we focus on a lot at Terbium, you don't need to be afraid of the threats facing you in security. You should be concerned, there's a lot to be concerned about, but you do not need to be afraid. I think that if we actually want to be having conversations about productive advancements in security, we should be talking about reasonable concern and not fear.

Dave Bittner: [00:15:12:08] It strikes me that just from a practical point of view, if my employees are afraid to report something that they may have done wrong, because they're going to get their wrist slapped or lose their job, or whatever, that contributes to insecurity?

Emily Wilson: [00:15:30:05] Absolutely, and I think we can see this inside of companies. I think we can see this out of leadership. I think we can see it in the industry, and certainly I think for consumers outside of the industry, people are afraid, and so what do they do? If you're afraid you feel helpless and uncertain, you want to push back against that. You don't want to feel afraid; no one likes that. So you ignore it or you say "I can't do something about it," and that really strips someone of their agency.

Emily Wilson: [00:15:59:13] And you're right, in a corporate organization, you really don't want someone who is so afraid that they decide to ignore it. "Oh I'm afraid I clicked on a phishing email but I just won't say anything because then something bad can't happen if I don't bring it up." Or, "I don't understand what's going on here. What are these threat actors? Are they coming after me and my data? What does it mean if I have a data breach? I'm afraid. I'm not going to do anything about it." That's pointless and frankly it's a foolish way to market security.

Dave Bittner: [00:16:24:21] It also hits me that, from an IT point of view, if I'm afraid of my users doing bad things and I lock their machines down so much that it's hard for them to get their work done, they are, being clever humans, going to find workarounds.

Emily Wilson: [00:16:38:04] Absolutely, and it's interesting you bring that up. That was something one of the other panelists mentioned at the conference that I thought was useful, that your users are going to consistently find workarounds for whatever you throw at them. So you shouldn't be running around looking for stopgap solutions and "How do I move them away from this thing? I don't want them to think about it. I want them to think it's this big bad scary thing, so they don't go touch it. Or if I make it complex enough they won't mess with it, they'll just leave it alone." That's not going to work.

Dave Bittner: [00:17:06:13] Yes, it seems like it's almost a hierarchical thing where rather than lording over people you need to collaborate with them.

Emily Wilson: [00:17:12:17] I think collaboration and I think just honest communication, which is very easy to say and very difficult to do. I think being able to say, "This is something we are concerned about, and we're working on it and here's how you can help. Here's what you can look for." Then even if people don't recognize it when they see it, I'm thinking about phishing emails for example here, you have at least treated them like reasonable responsible adult humans who are capable of making decisions and capable of recognizing issues if you educate them about them.

Dave Bittner: [00:17:46:00] Yes, and then they'll be invested in the solution. They'll want to help.

Emily Wilson: [00:17:51:10] Absolutely.

Dave Bittner: [00:17:52:07] Emily Wilson, thanks for joining us.

Dave Bittner: [00:17:58:23] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. Find out how Cylance can help protect you using artificial intelligence; visit cylance.com. Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:26:08] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:18:35:18] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.