The annual Black Hat USA conference in Las Vegas is another opportunity for infosec pros to exchange ideas on improving enterprise security, and to be criticized for their failings. Here is a roundup of the week’s coverage.
Facebook chief security officer Alex Stamos kicked off the three days of public sessions Wednesday with a keynote warning security teams that the days of snarky, insular criticism of users who make mistakes and developers who ship buggy software are over.
According to ThreatPost, he urged the industry to have empathy not only for victims of cybercrime but also for those, such as law enforcement, who take unpopular stances on encryption and information sharing. The heated responses to federal and state governments during last year’s Apple-FBI encryption fight did little to advance the discussion, he argued. Nor, he added, did criticism of the security tradeoffs WhatsApp made in bringing end-to-end encryption to 1 billion users.
“Unfortunately, the truth is our community is not yet living up to its potential,” Stamos was quoted as saying. “We’ve perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery.”
Stamos pointed out that while zero days garner the bulk of headlines and admiration among white-hats, the fact is that most of those attacks never see the mainstream, and most of us are not the targets of complex, advanced adversaries. In fact, he said, maladies such as password re-use, phishing and spam have much more of an impact on security and privacy, yet are dismissed as uninteresting problems.
“We focus on the complexity of a flaw rather than the potential human harm,” Stamos said, adding that instances of abuse related to technology such as doxing or sexual exploitation of children are not viewed as areas of responsibility for security pros. “This is real harm, and these are areas we don’t focus on at all,” Stamos said.
“We have to focus on defense,” Stamos said, “and broaden our scope of what we consider our responsibility.”
In case employees don’t understand the dangers of befriending a stranger on social media, the Dell SecureWorks Counter Threat Unit released a report at the conference about a dangerous virtual woman who calls herself Mia Ash. She is the creation of a threat group known to researchers under various names (including Cobalt Gypsy, OilRig, TG-2889 and Twisted Kitten) that has been trying to cozy up online to workers in the telecommunications, government, defense, oil and financial sectors in the Middle East and North Africa.
Her goal, according to a ThreatPost synopsis, is to befriend men in desirable positions within, or connected to, energy-sector firms and eventually infect their computers with the PupyRAT remote access trojan.
To give Mia legitimacy she has pages on LinkedIn, Facebook, WhatsApp, Blogger and sites such as DeviantArt, an online artwork, videography and photography community. The material used to build Ash’s backstory was cut and pasted from a number of places. For example, her LinkedIn profile was lifted from a United States-based photographer, and her Facebook and DeviantArt pages were updated regularly with images taken from several social media accounts belonging to a Romanian photographer who had no idea of the charade.
(If this sounds familiar, in 2015 we wrote about how a penetration testing firm used social media to fool a big customer. Read about it here.)
The researchers have identified two victims, one of whom opened a macro-enabled Excel attachment sent by Ash, named “Copy of Photography Survey.xlsm,” that delivered the PupyRAT malware.
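The lure in this case was a macro-enabled Office attachment, and the extension (.xlsm) is the only visible hint a user gets. A mail gateway or triage script should not trust the extension: an Office Open XML package is a zip, and a VBA project shows up inside it as a vbaProject.bin part and as a declared content type. The following is an added example written for this page, not code from the SecureWorks report or the ThreatPost story; the sample workbooks it inspects are constructed in memory (minimal zips shaped like OOXML packages, not real Excel files), and the function names and verdict strings are the author's own choices.

```python
"""Flag Office Open XML attachments that carry a VBA macro project.

Added example for this roundup, not from SecureWorks or ThreatPost. The check
reads the package contents rather than trusting the file extension, so an
.xlsm renamed to .xlsx is still flagged (and the mismatch is reported).
"""
import io
import zipfile

# Part name Excel/Word/PowerPoint use for the compiled VBA project.
VBA_PART_SUFFIX = "vbaproject.bin"
# Content type declared for that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Main-document content types that mark a macro-enabled package.
MACRO_ENABLED_MAIN_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Extensions that promise "no macros" to the user.
NON_MACRO_EXTENSIONS = {"xlsx", "docx", "pptx"}


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a package looks macro-enabled (empty list if none).

    Non-zip input (for example a legacy OLE2 .xls/.doc) yields ["not-ooxml"]
    so callers treat it as unknown rather than clean.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not-ooxml"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(VBA_PART_SUFFIX):
                reasons.append(f"vba-part:{name}")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if VBA_CONTENT_TYPE in ctypes:
            reasons.append("content-type:vbaProject")
        for main_type in MACRO_ENABLED_MAIN_TYPES:
            if main_type in ctypes:
                reasons.append(f"content-type:{main_type}")
    return reasons


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as clean, macro, macro-extension-mismatch or unknown."""
    reasons = macro_indicators(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if reasons == ["not-ooxml"]:
        verdict = "unknown"
    elif not reasons:
        verdict = "clean"
    elif ext in NON_MACRO_EXTENSIONS:
        verdict = "macro-extension-mismatch"  # content says macros, name says none
    else:
        verdict = "macro"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed test data: a minimal OOXML-shaped zip, not an openable workbook."""
    ctypes = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
    ]
    if with_macro:
        ctypes.append('<Override PartName="/xl/workbook.xml" '
                      f'ContentType="{MACRO_ENABLED_MAIN_TYPES[0]}"/>')
        ctypes.append('<Override PartName="/xl/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    else:
        ctypes.append('<Override PartName="/xl/workbook.xml" ContentType='
                      '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    ctypes.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ctypes))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE2 magic plus a placeholder body; the real part holds compiled VBA.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Copy of Photography Survey.xlsm", build_sample_workbook(True)),
                       ("survey.xlsx", build_sample_workbook(False)),
                       ("survey.xlsx", build_sample_workbook(True))]:
        print(triage_attachment(name, blob))
```

The two indicators are deliberately redundant: a crafted package could omit the Override entry in [Content_Types].xml while still carrying the vbaProject.bin part, or rename the part, so either hit is enough to flag the file. The "unknown" verdict exists because legacy OLE2 documents carry macros in a different container and need a separate parser rather than a silent pass.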
According to BusinessInsider.com, Facebook and LinkedIn have taken down “Mia’s” pages.
And no security conference would be complete without (more) bad news: ransomware is very profitable. That’s the finding of a study sponsored by Google, Chainalysis, the University of California at San Diego and New York University’s Tandon School of Engineering. It estimates that over the past two years, 35 unique ransomware strains earned cybercriminals US$25 million.
Threatpost quoted a Google researcher who repeated what others have been saying: the Petya and NotPetya ransomware collected little cash because they were not intended to. Their purpose was instead to sow mayhem among victims by locking up or deleting data while giving the illusion that paying a ransom would make things right.
What is making money is Locky. Its secret, the story quotes a Google research scientist as saying, is that its authors focused on malware development and on finessing the supporting botnet infrastructure. Keeping development separate from distribution allowed the malware to spread wider and faster than its competitors.
The story also says researchers warned of an up-and-coming ransomware called Spora. Its operators offer “topnotch customer support with features such as real-time chat to help victims navigate payments and offering immunity packages to avoid getting hit by the ransomware again in the future.”