CyberWire Daily - A coming surge in North Korean hacking? Middle Eastern cyber espionage campaigns. Microsoft patch issues. Infowar updates. NIST's draft electrical utility cyber guidance. Problematic toys.

Episode Date: February 21, 2017

In today's podcast, we hear that analysts are predicting a surge in North Korean hacking after China embargoes coal. ViperRAT catphishes the IDF. Magic Hound and Shamoon both use malicious macros to infect victim systems. TASS says no one really knows who hacked OSCE. Sputnik teases with a WikiLeaks tease. RSA Security's Zulfikar Ramzan offers insights from the conference. UMD Center for Health and Homeland Security's Markus Rauschecker explains how Airbnb might be affecting some foundational elements of the internet. Google shames Microsoft over patching. NIST has cyber advice for power utilities. Some RSA notes, and My Friend Cayla gets the boot from Berlin.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Analysts predict a surge in North Korean hacking after China embargoes coal. ViperRAT catfishes the IDF. Magic Hound and Shamoon both use malicious macros to infect victim systems. TASS says no one really knows who hacked OSCE.
Starting point is 00:02:12 Sputnik teases with a WikiLeaks tease. NIST has cyber advice for power utilities. We've got some RSA notes. And My Friend Cayla gets the boot from Berlin. Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, February 21, 2017. Observers are predicting an upsurge in North Korean hacking. That prediction is driven by recently imposed Chinese sanctions.
Starting point is 00:02:45 Like most of the rest of the world, China is upset by North Korean missile tests and has imposed an embargo on coal imports from the Democratic People's Republic of Korea. Selling coal to China has long been a main prop of the DPRK's shaky economy, and some analysts think it's likely that Pyongyang will seek to recoup its economic fortunes through various forms of cybercrime. There are several stories trending out of the Middle East. A catfishing campaign has been targeting members of the Israel Defense Forces with Android malware called ViperRAT. Early speculation about attribution in the Israeli press and elsewhere pointed in the general direction of Hamas, the Palestinian Sunni group
Starting point is 00:03:23 that's the de facto ruler of the Gaza Strip. Lookout Security, however, believes such attribution may have been hasty, and that far from initial characterizations of ViperRAT as relatively primitive, the malware is actually more sophisticated than reports made it out to be. Cisco is tracking Magic Hound, a RAT-centric campaign targeting Saudi businesses. The attackers gain their entrée by phishing. Cisco's Talos Group says the malware is for the most part commodity stuff: IRC bots, Metasploit Meterpreter payloads, and an open-source remote administration tool.
Starting point is 00:04:00 IBM's X-Force has continued its investigation of Shamoon, the destructive campaign against Saudi Aramco and other Gulf targets that reappeared in November 2016 and January 2017. Researchers believe the initial infection was through malicious macros in a compromised document. In the realm of international cyber conflict, the Russian news agency TASS primly notes that TASS is authorized to state that the Organization for Security and Cooperation in Europe, the OSCE, has been unable to determine exactly what actor was responsible for the hack OSCE sustained last year. Pretty much everybody except TASS thinks it was the Russian intelligence services.
Starting point is 00:04:41 it was the Russian intelligence services. Another Russian news agency, Sputnik, last week teased the world with reports that Wikileaks is itself teasing with the prospect of more leaked emails involving Julian Assange's Bet Noir, former Democratic presidential candidate Clinton. So far, however, nothing. Bitcoin news service reports a disquieting trend. An increasing number of U.S. businesses are stockpiling Bitcoin to pay off ransomware attacks. This isn't the best news because, first, a stash of Bitcoin maintained against extortion is likely to draw cyber blackmail as meat draws flies.
Starting point is 00:05:18 And second, well, if you pay, there's increasingly no guarantee you'll get your files back anyway. Ransomware purveyors are now often in it for the short term, and devil take the hindmost. Google's Project Zero is seen as having effectively shamed Microsoft when the Redmond giant pulled its expected patches instead of issuing them as expected a week ago. Google has disclosed several vulnerabilities publicly that it had earlier privately passed
Starting point is 00:05:45 over to Microsoft. Industry sources are baffled by Microsoft's decision. Initially, the company announced it would delay the February patches, but shortly thereafter amended its public statement to say that it would skip February entirely, deferring fixes until March. The NIST Cybersecurity Practice Guide SP1800-7, Situational Awareness for Electric Utilities, was issued late last week. Public comments on the draft will be accepted through April 17, 2017. The practice guide is likely to be as influential in the energy sector as other NIST publications have been elsewhere. energy sector as other NIST publications have been elsewhere.
Starting point is 00:06:31 Turning again to RSA 2017, the event's organizers claimed record attendance, 43,000 is being widely reported, and the show's floor was crowded, as were surrounding streets and hotels. The many companies exhibiting were being asked by those they pitched to explain the problems their technology solved, to demonstrate the ease of their solution's implementation, and, this question largely though not exclusively from investors, to show how they differentiate themselves in a crowded marketplace that seems ready for consolidation. Zulfiqar Ramzan is chief technology officer for RSA Security, and he was the keynote speaker at this year's conference. We caught up with him at the show. To me, this past year, the defining issue for us, I think, as we look at our industry,
Starting point is 00:07:14 was a cyber attack on the Democratic National Committee. Because it was one of the first times where the mass public realized that there are these massive implications that occur when cyber threats are carried out successfully. So if you look at the actual techniques themselves in the DNC hack, there was some sophistication, there was some basic tools being used, but nothing that was earth-shattering by any stretch of the imagination. But I think what was earth-shattering is that that led to a ripple effect where people started questioning the foundations of democracy. It's the first time that I feel people have truly questioned that,
Starting point is 00:07:49 and they're questioning it because of a cyber attack. So I think for us as an industry, that has to be top of mind because that's what our customers are thinking about in so much detail. And we've got to think about what it means for us to move forward as an industry in a world where that is now the new norm. We live in this sort of post-cyber threat world or this post-ripple, chaotic world of what cyber attacks can create. Today, we've seen researchers, or a couple of years ago, we saw researchers able to compromise a car and find a way to remotely stop it from working, put the brakes on remotely. Imagine they could do that in the future when there are millions of cars on the road, or even worse, if they could do that with millions of cars and they can direct where they go and push them towards a common target.
Starting point is 00:08:27 I mean, it wouldn't be an exaggeration to call that almost like a cyber 9-11 type event, except this time the attackers can do it from the comfort of their own home, not have to actually be in a physical airplane to make that work. And so those implications to me are truly profound because I think we have to take a step back and realize that that's not beyond the art of the possible right now. That's actually within the realm of what we conceive of. And it just takes one or two bad people out there. And there's a lot of people in the world. There's always a few bad eggs. And it doesn't take that many resources for those
Starting point is 00:08:58 few bad eggs to cause some real sophisticated damage to infrastructures that we take for granted as being available to us at any time of day and night. And so there's a very careful balancing act we have to play as professionals in security of how do we educate the public about the art of the possible without sometimes revealing too much because that can turn people off from really appreciating the risks that are involved. We live in a world where things can go wrong anytime. And we rely on trust in so many ways for everything we do. Look at the human body.
Starting point is 00:09:26 There are viruses running in our bodies at any given moment in time. It's not like we all are in this perfectly clean state. Maybe that's the case with the cyber world as well. There's all sorts of issues happening, but we focus on the ones that matter most. If you're a human, maybe you focus on, okay, is my heart working correctly? Or if I have a serious illness, maybe I should go address that. But if I've got a light cold, I don't need to do the same remedy as if I had a flu. And so I think we have to rethink security models around priorities for what we're trying to achieve
Starting point is 00:09:51 and then take a step back and look at things much more holistically than we have been in the past as opposed to doing that whack-a-mole, one-by-one job. That's Zulfiqar Ramzan from RSA Security. Finally, there's some news from the Island of Misfit Toys. Only if you believe German security authorities, and who wouldn't? The toys in question aren't nice and underappreciated toys like Yukon Cornelius rescued in the old puppatoon. In this case, the toy in question is one My Friend Kayla, a doll that Germany's Federal
Starting point is 00:10:23 Network Agency calls an espionage device. Parents are being advised to destroy any Kalas because Kayla is recording their children's conversations and sending them back to Kayla's American manufacturers, Genesis. Genesis says it's all on the up and up, they've got a privacy policy, and the interactions are just there to improve the customer experience, but the Germans are having none of it. It's also been noted that the ever-helpful community of security researchers has done some proof-of-concept hacking that modified Kayla to curse and yell scary stuff at kids. So it's research, everyone. We thought maybe Kayla was just hanging out with Tay. Tay? Are you listening?
Starting point is 00:11:06 Tay?
Starting point is 00:14:00 Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Joining me once again is Marcus Roshecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Marcus, I wanted to touch on Section 230 of the Communications Decency Act, which has sort of come under a closer microscope lately because of some things going on. But before we get into all of that, why don't you start off, give us an overview of why is Section 230 of the CDA so important? It's critical to the internet as we know it today. Basically,
Starting point is 00:14:31 Section 230 provides that providers of interactive computer services cannot be treated as publishers or speakers of information that's posted by users of those services. So in other words, a service provider cannot be held legally responsible for something that a user posts on that service. As you can imagine, if this protection did not exist, there would be very few companies or service providers that would actually be willing to continue offering their services. Because if they could be held legally responsible for something somebody else posted on their service, you know, that's probably a risk that no one would want to be confronted with. And it's commonly referred to as a safe harbor provision, but
Starting point is 00:15:17 there's some people who are sort of chipping away at it, thanks to some conflicts with Airbnb. Yeah, so basically, a lot of cities and municipalities around the country are trying to sue Airbnb for violations of some of the postings that are on their Airbnb site. So users use Airbnb to kind of rent out their apartments or their rooms. And sometimes those listings on Airbnb violate zoning laws or other regulations in those cities and municipalities. So cities are actually suing Airbnb for those illegal posts, those illegal listings. And of course, Airbnb is taking objection to that, to those suits, claiming that they have no legal responsibility to prevent those kinds of listings based on Section 230 of the Communications Decency Act. But cities and municipalities are passing new laws that try to circumvent the Section 230, and Airbnb is finding itself more and more on the defensive here and facing legal hurdles here.
Starting point is 00:16:28 All right. So it's something to keep an eye on because it really is foundational to the Internet as we know it. Absolutely. And if we see a development here in the case of Airbnb as regards to Section 230, we might see these kinds of encroachments in other areas of the internet as well. So it's definitely something to keep an eye on. All right, Markus Rauschecker, thanks for joining us.
Starting point is 00:17:16 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
