Router vulnerabilities. Hacking around the Hanoi summit. DDoSing an election. Brushing back a troll farm. Crytpojacking an embassy.
Dave Bittner: [00:00:03] Nokia routers are found vulnerable to man-in-the-middle and denial-of-service attacks. As one would expect, the U.S. and North Korean summit in Hanoi this week summons up some hacking. Ukraine accuses Russia of DDoS attacks in the service of election disruption. U.S. Cyber Command played some chin music for St. Petersburg during U.S. midterm elections. And if you're going to hack into an embassy, wouldn't you want to do more than install a cryptojacker?
Dave Bittner: [00:00:36] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7, 365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to RSA this year, visit Akamai in the North Hall, booth 6153 to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai - intelligence security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:01:44] The CyberWire podcast is made possible, in part, by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.
Dave Bittner: [00:02:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 27, 2019.
Dave Bittner: [00:02:14] Maryland-based Tenable Research announced this morning its discovery of six vulnerabilities in Nokia routers that could allow an attacker to launch man-in-the-middle or denial-of-service attacks, modify or log network traffic and spread malware into places that were previously secure. One vulnerability permits an attacker to disable the firewall and access a telnet service by sending a modified HTTP request. Another allows for stack buffer overflows or arbitrary code execution. Tenable also found hard-coded route credentials in SSH and telnet services. The researchers say that Nokia is working on a fix. If you're a user, keep an eye out for patches.
Dave Bittner: [00:02:58] U.S. President Trump and North Korean unique leader Kim Jong Un are meeting for their summit in Hanoi. And predictably, the sessions have attracted the attention of hackers. The hackers in this case are probably working for Pyongyang. EST Security, a cybersecurity company in the Republic of Korea, has come across a spearphishing document last week that poses as an invitation from the Korea U.S. Friendship Society to a meeting in Seoul regarding the Trump-Kim summit.
Dave Bittner: [00:03:27] The company says the malware delivered is associated with North Korean hackers. CrowdStrike's vice president of intelligence, Adam Meyers, told CyberScoop that it's observed the same document lure being used by a suspected North Korean threat actor it calls Velvet Chollima. A Chollima is an East Asian Pegasus, much used as a symbol of heroic success in North Korea. The researchers don't reveal who was targeted by the spearphishing, but CyberScoop notes that North Korean state-sponsored hackers have been known to go after analysts and experts in Korean affairs.
Dave Bittner: [00:04:05] The retail industry faces significant challenges fighting payment fraud as more and more of our transactions move online. Payment systems need to strike a careful balance between keeping our information safe, but not slowing the transaction down and inconveniencing the customer or merchant. Randy Vanderhoof is director of the U.S. Payments Forum and the Secure Technology Alliance.
Randy Vanderhoof: [00:04:28] There is a lot of new technology that's being introduced to address fraud in the online space. Some of the tools have been around for a number of years, but weren't particularly effective or well-implemented that are now going through a revision and a refreshment, which are promising to be much more effective. And that's a standard that has been developed by EMVCo, which is the global payment security standards organization.
Randy Vanderhoof: [00:05:05] And the technology is known as 3-D Secure, and the newest version is called EMV 3-D Secure, which utilizes additional data elements that are available in the transaction stream, either from the mobile device, tablet or from the computer system that provides additional data that the retailer and the merchant - I'm sorry - the retailer and the bank can use to determine if they believe the person making that transaction is the authorized person to do so.
Dave Bittner: [00:05:43] And what are you all seeing in terms of the fraudsters - for them upping their game in response to these technologies?
Randy Vanderhoof: [00:05:50] Well, the fraudsters are always quick to adapt and change. The first thing that the fraudsters typically do is, when they see the door is locked at one merchant, they just go to the next merchant and keep wiggling the handle. So they find a merchant that's not protected and then exploit things the old-fashioned way. But as the more sophisticated retailers upgrade their fraud mitigation systems and there's fewer and fewer open doors, then they start to change their tactics in terms of how they go about trying to commit the fraud - things like taking advantage of the shop online. Pick-up in store is where someone could shop online with a stolen credential and then, five minutes later, show up at the store to pick it up before the fraud group in the retailer has had a chance to review the payment data that was presented. And the person walks out with the merchandise. That's another technique or tactic that fraudsters adapt to leverage the time the merchant has to verify the address information or the payment shopping history of the client to make a determination as to whether or not they should trust that transaction.
Dave Bittner: [00:07:16] And how do you see this playing out as we go forward? Can we continue with these evolutionary steps? Is there going to have to be some sort of a reset at some point?
Randy Vanderhoof: [00:07:24] Well, it's going to be a continuous arms race, but the digitization of payments is continuing to reduce the threat surface area for where merchants and issuers, you know, do have some control. So things like biometrics and using mobile devices where they can also track your location and the data elements associated with the owner of that phone, in addition to their payment information to have more data-rich risk mitigation are ways in which they're fighting the fraud trends in the market.
Randy Vanderhoof: [00:08:07] Big data, you know, is used more than just for marketing purposes. It's also used to screen transactions based on location, based on the device, based on the amount. And with that data plus other knowledge-based resources that merchants and issuers can tap into about address and phone number and other past experiences, all are helping to manage the risk. But with each additional step that is taken, the concern is that we don't add additional friction to the checkout process. Consumers ultimately decide that if it's becoming too difficult to use one online transaction venue, then they'll abandon it and go someplace that's simpler and easier, and particularly when they're protected, in case that there was fraud anyway.
Randy Vanderhoof: [00:09:13] So the real challenge is to step up the game in terms of identity and authentication of who we're transacting with online, and at the same time, try to do it in the background or allow those that are the most trustworthy transactions to go through unimpeded and then have step-up authentication when some score associated with the trust of the data that they're seeing raises suspicions to a level that requires them to do additional screening.
Dave Bittner: [00:09:46] That's Randy Vanderhoof from the U.S. Payments Forum and the Secure Technology Alliance.
Dave Bittner: [00:09:52] Ukrainian President Petro Poroshenko accused Russia of launching DDoS attacks against Ukraine's Central Election Commission on February 24 and 25, CyberScoop reports. Poroshenko said that defense mechanisms had been developed by the National Security Council, along with Ukrainian law enforcement agencies and their American partners. This is the latest in a long-running series of Ukrainian complaints about Russian cyber interference. The two countries have been engaged in hybrid war since Russia's forcible invasion and annexation of Crimea in 2014.
Dave Bittner: [00:10:28] We're inclined to think of state-sponsored attacks as involving espionage, or perhaps sabotage, against high-payoff or high-value targets like a power grid. DDoS we're inclined to think of as something hacktivists do - you want to punish the objectionable people who aren't listening to you on that cause that's really important to all right-thinking people - or that competing underworld figures would do to one another - you want people to make their in-game purchases from you, not from that irritating guy in Saskatchewan. But really, DDoS can be a form of sabotage and the kind of activity that states show signs of increasingly engaging in.
Dave Bittner: [00:11:06] DDoS attacks against international affairs targets increased by 200 percent in the second half of 2018, compared to the second half of 2017, according to NETSCOUT. The volume of nation-state threat activity increased as well. The U.S. Justice Department has recently included DDoS among the list of offenses it asserts Iranian state-backed hackers have committed. So President Poroshenko's claims aren't, on their face, implausible.
Dave Bittner: [00:11:35] The Washington Post reports that U.S. Cyber Command disrupted Russia's Internet Research Agency's networks on the day of the U.S. midterm elections and for a short period afterwards to prevent Russian trolls from spreading disinformation on social media while votes were cast and counted. The campaign effectively cut off the internet for the entity, causing the trolls to complain to their system administrators. The strike is generally viewed as a good thing in the U.S., although some analysts doubt it will have much of an impact on future Russian information operations.
Dave Bittner: [00:12:08] Security expert Thomas Rid said that, quote, "such an operation would be more of a pinprick," end quote, than a long-term deterrent. Some defense officials said that grand strategic deterrence wasn't the objective here. One official told The Post that part of our objective is to throw a little curveball, inject a little friction, so confusion. This seems sensible enough, a brushback, not a knock down. We've heard generals call this sort of thing letting the enemy know that you care. Cyber Command was granted the authority to launch more offensive campaigns by a Trump administration policy implemented last August.
Dave Bittner: [00:12:49] Finally, security firm Trustwave this morning released a report on their discovery that the website for the Bangladeshi Embassy in Cairo was infected with a coin-miner in October and recently began distributing cryptomining malware to visitors via malicious Word documents. The site is still compromised, so steer clear.
Dave Bittner: [00:13:09] Researchers don't believe a nation-state is behind the activity due to its lack of sophistication, but they say it serves as a reminder that even low-skilled attackers can hack important government sites. It's worth noting the pettiness of compromising such a site for cryptomining purposes. It's more Boris and Natasha than Jim Angleton, and even Fearless Leader would probably call Boris out for it. But please, Madam or Mr. Ambassador, look to your security wherever your embassy may be.
Dave Bittner: [00:13:44] And now a word from our sponsor LookingGlass Cyber Solutions. Cyberthreats are a risky business. Criminals are taking bigger risks than ever before to acquire your organization's sensitive data. As pressure increases, you need a partner to help manage and control your digital business risk. Slide into LookingGlass's booth, number 2327, in the South Hall at RSA Conference 2019 to hear how you can better manage your organization's risky business by leveraging their 20-plus years of investment and tradecraft for an outside-in view of your security posture, or step away from the hectic expo floor for a demo tailored to your business needs in the LookingGlass meeting suites at the Marriott Marquis. Reserve your demo and learn more about LookingGlass at RSA Conference, or visit their website, lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass for sponsoring our show.
Dave Bittner: [00:14:53] And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's great to have you back. You have some exciting news to share on the business end of things, a few changes going on there at Webroot.
David Dufour: [00:15:07] Yes, quite a few. First of all, it's glad to be back here, David. You know, Webroot is in the process of being acquired by Carbonite, and we're very excited about that.
Dave Bittner: [00:15:17] So take me through - what is that like for you and your team? When something like this was announced - first of all, were there - did you know it was coming? Were there inklings of it, or was the rumor mill running? Or was it pretty transparent?
David Dufour: [00:15:30] So it was kind of a surprise for us from the engineering side. I think a lot of times, engineering teams are heads down, focused on their product development and things like that. And we don't spend a lot of time looking at the business or even, you know, businesses working with other businesses. So I don't want to say it was a surprise in the sense that, you know, someone came along and was interested, but I don't know that we were ready for, you know, the announcement. And it did surprise us to some extent.
Dave Bittner: [00:15:59] Yeah. So what's the mix of emotions there? Like, you mentioned that you're excited about it. I would imagine - if it were me, there'd be a certain amount of anxiety there, too, 'cause nobody likes change.
David Dufour: [00:16:11] That's true, David. I would say, though, surprisingly, from the engineering side of things, there's a lot more excitement than there is, you know, fear or concern, simply because we're a cybersecurity company. And as you know, since I've been on the program, I almost always end the program with, one of the main things you can do is back up a computer to prevent attacks and to recover. And so as cybersecurity experts, we're super excited to be working with and working for a company that provides that service 'cause it's a fundamental thing to being secure.
David Dufour: [00:16:48] And on top of that, we're very complementary from a product perspective. So the engineering product org isn't feeling a lot of concern because we build endpoint solutions, cybersecurity solutions, DNS, things like that and - where their focus has primarily been on data protection. And so it's a really good fit. So from a purely engineering perspective, we're very excited because it - there isn't a lot of threat to people's jobs from the engineering side at all.
Dave Bittner: [00:17:17] So what are the things that you're excited about? What will this allow you to do? Does it mean a greater access to funding or resources? What are you pumped up about?
David Dufour: [00:17:27] Well, yeah, I'm sure now I'm going to have, like, people on the bench, tons more resources, all kinds of money. You know, nobody's going to care about...
Dave Bittner: [00:17:35] (Laughter) Lighting cigars with hundred-dollar bills.
David Dufour: [00:17:37] Exactly.
Dave Bittner: [00:17:38] Yeah (laughter).
David Dufour: [00:17:39] No. I'm fairly certain we're going to be - we're going to still be running a tight ship, as we have, moving forward. You know, Carbonite's a publicly traded company. So I think one of the big changes for us is we're going to kind of be under the microscope on our product focus, how we're delivering, where we, as a private company, have had the luxury of, you know, keeping that kind of stuff quiet.
David Dufour: [00:18:00] But I do believe there's going to be a lot of work we can do and be very creative, since we're both cloud-based companies playing in the same space with different products, on how to build better solutions from a cybersecurity perspective to protect folks. But I don't think we're going to be, you know, sitting around, looking for work, for sure. There's a lot of stuff that business leaders are already putting together that they want us to be thinking about.
Dave Bittner: [00:18:24] Now, from your position as a team leader, with the folks that you work with, how do you manage a transition like this yourself? How do you communicate to your team what's coming, what to expect and to keep people's spirits up and their anxiety down?
David Dufour: [00:18:39] Well, that's actually a great question and something that's really important to consider. And so we have - I personally have folks in five offices. And in the last two weeks, I've been to four of those. And I really feel like there's got to be a commitment to getting in front of folks, being very direct with them. And as I think my team would tell you, I'm pretty blunt about what I think is happening in general. And so I try to just be as forthcoming with information as I can.
David Dufour: [00:19:08] And then I have to add on top of that that then you've got to kind of be around in a way that makes it so people can approach you on the side and get their questions - 'cause maybe they didn't want to ask them in a larger group. So as engineering leadership, you've got to really, you know, consider the audience. A lot of engineers can be introverted, so you need to get the information out to the teams. You need to really spend face time with them, and then you need to make yourself highly available in a comfortable environment where they can approach you with questions to mitigate any concerns they may have.
Dave Bittner: [00:19:39] Well, good luck to you and your team. I certainly wish you the best. It seems like a good fit. So David Dufour, thanks for joining us.
David Dufour: [00:19:46] It's been great being here, David.
Dave Bittner: [00:19:51] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:04] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.