The CyberWire Daily Podcast 1.3.19
Ep 752 | 1.3.19

2019’s first noteworthy breach. Update on the Tribune Publishing hack. reCAPTCHA defeated in proof-of-concept. Dark Overlord should avail itself of the right to remain silent.

Transcript

Dave Bittner: [0:00:03] The prize for the first big breach of 2019 goes to Australia, but the year is still young. Ryuk artisanal malware has been implicated in newspaper print plant hacks. reCAPTCHA gets CAPTCHA'd (ph) again. The Dark Overlord teases some pretty dull stuff, a step ahead of the law and Pastebin content moderators. PewDiePie followers continue to pester internet users. And there's a new play about Reality Winner, the alleged NSA leaker.

Dave Bittner: [0:00:38] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter.

Dave Bittner: [0:01:06] ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud and guided investigation workflows. All the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [0:01:41] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 3, 2019.

Dave Bittner: [0:01:50] Pride of place in the 2019 data breach sweepstakes right now goes to Australia, where, according to Computer Business Review, the state government of Victoria is first out of the gate and off to a lead. Information about some 30,000 civil servants was compromised, stolen in a phishing incident that enabled the hackers to access a directory. The data lost are fairly anodyne in themselves - work emails, phone numbers, job titles - no financial or banking information. But even work emails, phone numbers and job titles, of course, could be further exploited to lend credibility to other social engineering attacks. So citizens of Victoria, think twice before taking action on communications you receive from people working for the state. They may not be whom they seem.

Dave Bittner: [0:02:39] As SecurityWeek and others report, it's become increasingly clear that the malware involved in the weekend's attack against U.S. newspaper printing plants was a Ryuk variant. Ryuk has appeared in a number of extortion campaigns before, and it's said to be well-adapted for tailoring against specific targets and their high-value business processes. The general approach taken by attackers using the malware is to get into the target network through compromised remote desktop protocol passwords. From there, they usually look for administrative privileges, then disable security software and then pivot to encrypt or otherwise interdict some business-critical data or process.

Dave Bittner: [0:03:19] Researchers at security firm Check Point have called Ryuk artisanal, as opposed to commodity malware. GandCrab is an example of commodity ransomware. It's distributed through a big affiliate marketing program - the kind you may have encountered with Mary Kay (ph) or perhaps Jungian analysis. A hood buys GandCrab, slings it more or less indiscriminately against an array of possible targets and takes whatever the victims are prepared to pay. Usually, that's not much, but then, the hackers probably didn't invest that much in whatever dark web Tupperware party they bought the code from in the first place.

Dave Bittner: [0:03:54] Not so with Ryuk. The malware is used to closely target specific organizations by hitting their high-value assets. In this attack on newspaper print plants, Check Point says it's seen little evidence of automatic propagation capability, which suggests some significant preliminary preparation by the attackers. They clearly affected a significant business process, and they don't appear to have had any interest in stealing, destroying or manipulating data.

Dave Bittner: [0:04:24] Attribution remains unclear. Those willing to speculate cite mostly circumstantial code similarities to past attacks. Even the basic question of whether the attack is state-sponsored or purely criminal is proving resistant to resolution. There's no clear evidence of a ransom demand, at least not one that the victims are talking about, which would suggest that this represents the kind of infrastructure attack that a state might be interested in carrying out.

Dave Bittner: [0:04:50] On the other hand, the state most often mentioned as a candidate for attribution - that would be North Korea - has tended to engage in hacking that delivers a financial return. It might be a botched criminal attempt or a delayed criminal attempt or an abandoned criminal attempt. Investigation is in progress.

Dave Bittner: [0:05:11] There is that old saying about how trust can be difficult to earn but easy to lose. That certainly seems to be the case when it comes to protecting the personal information of customers. The folks at Ping Identity recently surveyed consumers to gauge their attitudes toward privacy and data breaches. Sarah Squire is senior technical architect at Ping Identity.

Sarah Squire: [0:05:34] We've had a lot of concern in the identity community around privacy and consumer privacy. And we've had a few products some of our customers have tried to sell - an extra private service or an extra protection against breaches. And it just doesn't sell, right? So we know that the market isn't responding to that. But we have no research about, what does the market respond to? Why are consumers not buying this? Do they not care about their privacy? Are they just not willing to pay for it? What is going on?

Sarah Squire: [0:06:03] So we commissioned this survey to ask them directly, how do you feel about the breaches? How do you change your behavior? How do you respond to the market when things like this happen?

Dave Bittner: [0:06:13] So let's go through with them. What were some of the key findings?

Sarah Squire: [0:06:16] There's some really fascinating stuff in here. So 21 percent of people have been victims of a breach. And of that 21 percent, 34 percent of them experienced financial loss. We found that young people are more likely to experience financial loss than old people, which was surprising to us. But young people are much more promiscuous with their information. They're more likely to give it out online, especially sensitive information like Social Security number or credit card. So that kind of makes sense that they would be more subject to breaches, simply by the fact that they're more likely to give out their information.

Dave Bittner: [0:06:51] Yeah. There was some interesting stuff in here that I noted. One of them was, speaking of that younger generation, that they are more trustful of brands.

Sarah Squire: [0:06:59] They are, which is surprising, right?

Dave Bittner: [0:07:02] Is it? I don't know because, like you said, you know, it seems like they're more willing to give away information. With that, does that imply that they have a more trusting nature when it comes to these brands?

Sarah Squire: [0:07:14] They - well, they say that they do. In the circles - the communities that I am a part of, it's very common for us to think that young people are very savvy, and they're very cynical, and old people are very ignorant and that they're very trusting. And we found the exact opposite.

Sarah Squire: [0:07:29] Old people are very cynical. They don't trust online sites. They know that they're likely to be breached, whereas young people are very trusting, and they just think that giving their personal information isn't an issue because companies must be good at security, or they wouldn't be big companies.

Dave Bittner: [0:07:44] Yeah, that's fascinating. I wonder how much of that has to do with the whole notion of being a digital native - that if it's something that you're comfortable with and familiar with, naturally, you're going to be more trusting of it.

Sarah Squire: [0:07:55] Maybe. Or maybe they don't watch the news. Maybe they don't know about breaches. Who knows?

Dave Bittner: [0:07:59] (Laughter) Right.

Sarah Squire: [0:07:59] We didn't ask them why they're trusting. We just know that they are.

Dave Bittner: [0:08:02] Yeah. Now, another interesting data point here was that Americans were almost twice as likely to share information with brands as their friends from around the world. Dig into that some for me.

Sarah Squire: [0:08:14] Isn't that fascinating? Yes, so Americans are more likely to share their information. And Americans actually have fewer privacy laws than Europeans do. So our guess is that Europeans actually have more trust in their government. We know that in terms of identity laws and privacy protections that are put in place by government.

Sarah Squire: [0:08:34] So we think, possibly, that the Europeans are more likely to be suspicious about sharing online information because their government will take care of them, right? They have privacy laws in place, like the General Data Protection Regulation, or GDPR, that will help them have some recourse if something bad happens, whereas Americans don't have that.

Dave Bittner: [0:08:56] So what in the survey was particularly surprising to you? Were there any unexpected results that came back?

Sarah Squire: [0:09:02] I would say the most shocking result we found was that when people hear that a brand has been breached, 36 percent of them stop engaging with that brand altogether. So they do not come into stores and buy things. They do not call on the phone. They don't come in online. Not only that, 78 percent of everyone we surveyed said that they would stop engaging with a brand that experienced a breach online altogether.

Dave Bittner: [0:09:31] So if - what's the take-home lesson here? If I'm someone responsible for the reputation of a brand, and I'm interacting with my cyber folks in my company, what's the message that I need to take to them?

Sarah Squire: [0:09:44] The message that we think is most valuable is that companies spend a lot of money on getting influencers - right? - to promote their brands online on Instagram, on Facebook and social media. They spend a lot of money on marketing, and they don't spend a lot of money on security.

Sarah Squire: [0:10:00] And so what these results show us is that the money you spend on marketing is going to be completely wasted if you screw up security. So you need to take some of that budget and say, if we want to have an emotional engagement with our customers, that can happen through a breach, right? That's a very emotional engagement. People feel violated when their information is breached, and they stop interacting with you altogether. And that can kill a brand.

Dave Bittner: [0:10:26] That's Sarah Squire from Ping Identity.

Dave Bittner: [0:10:31] Google has updated its reCAPTCHA system with challenges designed to more readily detect spam and other forms of automated abuse. The updates were motivated, in part, by the unCAPTCHA proof of concept in 2017 that demonstrated ways around the screen. But unCAPTCHA has been updated, and it's now said to be able to bypass the improved reCAPTCHA. A readily available speech-to-text API yields about 90 percent accuracy over the CAPTCHAs, which is close enough for most purposes. Industry Comment points out that measures like reCAPTCHA aren't in themselves, of course, sufficient to ensure security, nor would Google make that claim. Automated tools will catch up.

Dave Bittner: [0:11:14] Ryan Wilk of NuData Security told us in an email, quote, "CAPTCHA in and of itself is only one piece of the authentication puzzle. If CAPTCHA is the only security layer, once the puzzle is broken, then the bad actor has won," end quote.

Dave Bittner: [0:11:30] The Dark Overlord, the skids whom Sophos describes aptly as a well-known group of highly self-amusing cyber extortionists, has, as the group promised or threatened, released documents it claims it hacked from real estate and insurance companies. The group says the firms engaged in a far-fetched conspiracy to stage the 9/11 attacks. They've offered to sell the documents for bitcoin, of course. But so far, the teasers they've posted to Pastebin seem, for the most part, to be old stuff recycled from earlier breaches. Need we add that the files don't remotely add up to evidence of much of anything, still less a 9/11 conspiracy? The Dark Overlord's posts have been fairly quickly removed from Pastebin, and Twitter has also blocked at least one account that was hawking the Overlord's wares.

Dave Bittner: [0:12:21] Did we mention that Sophos also called the return of The Dark Overlord slimy? They did, you know. We're not here to say they're wrong. When the police close in on the Overlord, as they no doubt will, having over the last two years pruned some of the group's more obvious members, we trust that they'll remember to read them their rights.

Dave Bittner: [0:12:42] Speaking of the more unpleasant internet subcultures, followers of YouTube star PewDiePie - we use the word advisedly since that's what he's called - those followers, we say, are again taking a break from eating Tide Pods to find exposed Chromecast adapters, smart TVs and Google Home systems via a Shodan search. Once they've found the vulnerable devices, they display a message urging their victims to subscribe to Mr. Pie's channel, a compelling recommendation - we guess - coming as it does from consumers of washday products.

Dave Bittner: [0:13:18] And this read-'em-their-rights thing - well, Mr. Martin's apparent confession was recently tossed by the judge ruling in the preliminary rounds of the alleged NSA leaker's trial because the judge didn't buy the FBI's claim that they didn't need to Mirandize Mr. Martin because it was a noncustodial interview.

Dave Bittner: [0:13:37] A new play titled "Is This a Room" uses the transcript of Reality Winner's noncustodial interview with the FBI to dramatic effect. It's like a thriller, says playwright Tina Satter in an interview with The Intercept, the publication that, more or less, put Ms. Winner in the position she now finds herself in: trouble over a misappropriation of classified material. Still, custodial or not, remember: you've got the right to remain silent. So Dark Overlord, PewDiePie followers, please avail yourselves of that right.

Dave Bittner: [0:14:16] Now a moment to tell you about our sponsor, Attila Security. Attacks on the U.S. Defense Industrial Base Supply Chain, otherwise known as DIBS, are one of the most pervasive cyberthreats facing our nation today. DIBS are vulnerable for a variety of reasons, ranging from legacy software and systems to a corporate culture that values operations over IT security. Cybercriminals exploit these weaknesses and target their attacks on DIBS in order to gain access to government networks. Attila Security is tackling this threat head-on. Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any nontechnical user. GoSilent is a firewall and VPN in one and turns unsecure data transmissions into top-secret-level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIBS supply chain, visit attilasec.com. That's spelled attilasec.com. And we thank Attila for sponsoring our show.

Dave Bittner: [0:15:40] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute. He's also the host of the ISC StormCast podcast. Johannes, it's great to have you back. You know, we've been seeing more and more stories about attacks on laptops, things like cold boot attacks and encryption issues with drives. What can you share with us? What tips do you have to keep your system safe in the wake of these new attacks?

Johannes Ullrich: [0:16:05] Yeah. So what these attacks have in common somewhat is that an attacker needs to have physical access to your laptop. And that's, of course, always a critical issue if you're, in particular, traveling. You can't possibly keep your laptop - or laptops, in some cases, where you're traveling with multiple laptops - with you all the time. You sometimes want to go out for dinner and such and have to leave your laptop in your hotel room, for example.

Johannes Ullrich: [0:16:33] What it really comes down to is that you probably cannot protect your laptop from getting accessed. What you want to do is you want to make it more difficult. And you also want to make it easier to detect that your laptop got accessed. So one thing, for example, try to avoid hotel safes. Hotel safes are notoriously insecure and are usually easily defeated without you noticing that anything happened. But what you could, for example, do is, first of all, start with a boot password. If you boot your laptop from a different disk, if you're trying to get into BIOS settings and the like, well, you should ask for a password here. That's one layer of defense that you can have.

Johannes Ullrich: [0:17:18] The second layer would be sort of better physical protection of your laptop. What I like are, like, backpacks that have a plastic hard compartment attached to them that you can lock with a padlock. Yes, the plastic is usually easily cut through, but that's something you would notice. So when you're picking padlocks, for example, for something like this, of course, don't pick the TSA-approved one. Get a better one that an attacker would have to cut instead of just pick. And that way, again, you at least would be able to detect what happened.

Dave Bittner: [0:17:52] Yeah, I can imagine folks going through the exercise of trying to find clever places in a hotel room to hide their laptop.

Johannes Ullrich: [0:17:59] Yeah, of course. That's another option that you have. If you do that, make sure you shut down your laptop. And certainly, it helps...

Dave Bittner: [0:18:07] (Laughter) Right. Yeah, you don't want to cook it.

Johannes Ullrich: [0:18:07] Yeah, not only to cook it but also, if you leave it sort of in sleep mode, sometimes Bluetooth, Wi-Fi and so on stay enabled. That, of course, could help an attacker to find the laptop or at least realize there is still a laptop in the room. So - but yes, certainly, the cooking it - that's actually a problem I have had with laptops in the past where I sort of stuffed them in my backpack. And then when I pulled them out a couple hours later, sort of, I got the warning that it sort of...

Dave Bittner: [0:18:37] Right.

Johannes Ullrich: [0:18:37] ...Auto-shut down because of a heat issue because...

Dave Bittner: [0:18:38] Right, yeah.

Johannes Ullrich: [0:18:39] ...It didn't sort of properly go to sleep.

Dave Bittner: [0:18:41] Right. You didn't hear the fans running like a hair dryer.

Johannes Ullrich: [0:18:43] Yes, yes (laughter).

Dave Bittner: [0:18:46] Yeah (laughter). All right - well, as always, good advice.

Johannes Ullrich: [0:18:49] Yeah, thank you.

Dave Bittner: [0:18:49] Johannes Ullrich, thanks for joining us.

Dave Bittner: [0:18:56] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [0:19:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they are co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.