CyberWire Daily - Bank hack in Mexico. FacexWorm goes cryptomining. SamSam's volume discount. Influence ops. Researchers confirm that teams use teamwork.
Episode Date: April 30, 2018. In today's podcast, we hear about an attempted banking hack in Mexico. Hidden Cobra gets busy around diplomacy. The FacexWorm adds cryptomining functionality. SamSam ransomware looks to capture entire enterprises. A Sunday Times investigation finds that Russian Twitterbots tried to swing British voters toward Labour. The US House Intelligence Committee has released its report on influence operations during the last US Presidential election. Researchers find that teams and committees are different things. Robert M. Lee from Dragos on regulations vs. incentives. Guest is Dan Lyon from Synopsys on IoT security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An attempted banking hack in Mexico.
Hidden Cobra gets busy around diplomacy.
The FacexWorm adds crypto mining functionality.
SamSam ransomware looks to capture entire enterprises.
A Sunday Times investigation finds that Russian Twitter bots tried to swing British voters toward Labour.
The U.S. House Intelligence Committee has released its report on influence operations during the last U.S. presidential election.
And researchers find that teams and committees are different things.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 30, 2018.
At the end of last week, hackers made a raid on Mexico's banking transfer system. Three banks are said to have been affected: Banco del Bajío, S.A., Bancomext and Grupo Financiero Banorte. They experienced unspecified difficulties in connecting to Mexico's central bank through SPEI, the country's interbank electronic transfer system. The attack seems to have been contained. The banks quickly shifted their connections to an alternative contingency system, but details still remain sparse.
Hidden Cobra, the North Korean cyber espionage unit, has recently exhibited a higher level of
activity. Observers expect this. Increased espionage often accompanies periods of high-stakes
diplomatic interaction,
like the recent North and South Korean summit,
and projected meetings between DPRK leader Kim and U.S. President Trump.
While the U.S. Department of Homeland Security has also recently warned of the reappearance of destructive wiper malware wielded by North Korean actors,
the spike in cyber operations seems largely motivated by wide-ranging
espionage interests.
That, and of course the prospect of theft, never to be overlooked when considering Pyongyang's straitened finances and the means it uses to redress its shortfalls.
Trend Micro offers an update on the FacexWorm, which researchers have been tracking since last year.
The malware has picked up new crypto-mining functionality.
It circulates as a malicious Chrome extension and now both installs a crypto-miner in victim devices
and redirects users to sites hosting various cryptocurrency scams.
Estimates of the cost of the Atlanta ransomware attack have now risen above $5 million,
which should be more than enough to scare any municipal government straight.
SamSam, the ransomware that so badly infested Atlanta's networks back in March,
appears to be moving toward a fresh target set, with signs that it may now be going after corporations.
In doing so, the SamSam masters are exploiting known vulnerabilities
in addition to the more common phishing and social engineering approaches.
They seek to infect machines across an entire enterprise
and then offer a volume discount.
You can get your data back for the low, low price of $45,000 in Bitcoin.
Why the discount is pegged at $45,000,
no one seems to know.
Researchers at security firm Sophos
guess that the figure might fall below
some reporting threshold,
but they freely admit they're in the dark themselves.
The range of devices being wired up to the Internet continues to grow, quickly, to the point where it can be challenging to wrap your head around the scope of the issue. It's a big attack surface made up of lots of devices of all sizes, from industrial control systems to consumer electronics and toys. Dan Lyon is a principal consultant at security firm Synopsys, and he joins us to share his view on IoT security.
I don't know that anybody fully grasps the full scale of connecting all of these systems to the internet and just all of the different threats and risks that that exposes across the internet.
So I would say we're still learning about that. People are still coming to terms with it.
It's immature from the perspective of other systems that have gone through this, such as financial systems, web systems.
We went through this 10 years ago or more.
We went through it with mobile apps.
And now we're starting to go through it with IoT devices.
And so where do you think successful pressure is likely to come from? Is this a situation where we need regulation or are
people going to gravitate towards the safer devices just through market forces? I think that
regulation is the only thing that has shown itself to be truly effective. Self-regulation
is really slow and I don't believe that self-regulation drives the same types of behaviors
because of all of the trade-offs that need to happen, time, cost, schedule. In an ideal world,
the market forces would drive this, but it's too complicated, I think, for market forces to
truly drive. I remember when I was a kid,
my grandfather pulling me aside
and showing me on a box for a portable radio.
He said, look, this box has this UL listing sticker on here.
And that means that it's been tested
that the electrical systems in here are safe.
Do you think that push to have something similar to UL,
perhaps even UL themselves, is something that could be effective?
So I think that that's a great analogy. I think it has some promise in terms of pushing some
change in the industry, which I would argue some change is better than perfect change. But I think
what's different with security,
when you're talking about electrical safety, you're coming down to ultimately the laws of
physics. How do electrical signals work? What are the laws of physics that govern those?
You can do more analysis that holds up longer on that type of system than you can on security, where security is definitely not governed by the laws of physics and is changing at a very rapid rate. You know, we don't learn about new laws of physics that need to be incorporated into the UL electrical safety standards, right? But we learn about new security things every day that need to be reviewed and understood and possibly, you know, introduce a new design consideration that has to be accounted for.
One of the problems with IoT, I think, is that the use is so pervasive across multiple organizations.
You know, you've got the large global organizations that have resources that they can bring to
bear to help this problem for them.
They can bring staff on, they can hire staff, they can pay for third party testing.
But if you start to look at smaller organizations, they don't have those same resources.
They don't have the staff, they don't have the skills, they don't have the budgets to
hire those people.
They can hire third parties to help them assess things that they may want to bring into their
networks. So that's one view of the risk. They can start to look at maybe the provenance of how these
devices are created. That's going to vary depending upon the maturity of the manufacturer
that they're building these from.
So I think it's kind of a combined approach looking for those things they can do, such as third party assessments on off the shelf things.
And then they can work to identify and develop compensating controls.
They can work together to try to drive change into the manufacturers and make sure that the
manufacturers are building secure devices by design so that the risks are reduced when they
purchase them. And that's going to require working together as groups, working across industry to drive that type of change to make sure that it's a viable purchasing consideration.
That's Dan Lyon from Synopsys.
There are some senior leadership changes among the Five Eyes.
In the UK, Home Secretary Amber Rudd has resigned over the Windrush immigration scandal.
Sajid Javid will succeed her as Home Secretary.
And in the US, former Director of Central Intelligence Mike Pompeo has been confirmed as Secretary of State. Investigations into Russian influence operations
targeting British elections show some notable Twitterbot activity mounted in the interests
of Labour leader Jeremy Corbyn. An inquiry by the Sunday Times finds that a significant number
of bogus accounts,
run apparently from Russia, sought to amplify Labour talking points and, in the Times' view, swing the election toward Corbyn's party.
Labour has retorted that remarks by Russia's embassy in London
show that in fact Moscow preferred a Tory victory.
Thus influence operations continue to lend themselves to divergent partisan interpretation.
That remains true in the U.S. as well, where the House Intelligence Committee's report on the 2016 election elicits reactions that break down along party lines.
Essentially, the conclusions hold that the Russian government did indeed seek to interfere with the election,
but that there's no serious evidence of collusion with those efforts on the part of the Trump presidential campaign. Democrats say it's not over and that
there's more to be looked at. Republicans are raising eyebrows over possible improprieties
on the part of former Director of National Intelligence Clapper, which Democrats maintain
were nothing more than legitimate engagement with a news organization, in Clapper's case,
CNN, which has lent the matter its name, Clapper to Tapper.
Let us move to academic cyber competitions
and consider a result researchers obtained by watching
the National CyberWatch Center's Mid-Atlantic Collegiate Cyber Defense Competition
in the spring of 2017.
The researchers, who included experts from the Army Research Laboratory's
Cyber and Network Systems Branch at Aberdeen Proving Ground,
the National CyberWatch Center, and Carnegie Mellon University,
found that teams worked better when they functioned as teams.
That is, teams as opposed to committees or communities.
As they put it, quote,
functional specialization within a team
and well-guided leadership
could be important predictors of timely detection
and mitigation of ongoing cyber attacks.
End quote.
Anyone disposed to take the team metaphor seriously
will be unsurprised.
Teams, whether athletic or military,
are characterized by clear, distinctive roles
among their members.
Think of the different
functions in a football or baseball team. A football down begins, for example, when the
center snaps the ball, and there's no need to discuss, in the huddle or on the line,
whether a tackle, guard, or tight end should really be doing that, nor what's actually
involved in the snap. That's what we've heard from our sports desk, at any rate.
Similar observations could be
made about any athletic team. They could also be made about small military units. An artillery
section, for example, has clear responsibilities assigned to each cannoneer when it occupies a
firing position. The gunner, the assistant gunner, the number one and number two cannoneers, and so
on, all have very specific roles,
and their section chief is in charge.
Or so we've heard from our gunnery desk.
All of these cases are noteworthy for their susceptibility to improvement through drill,
and they're also noteworthy for the team's ability to work without discussion or constant direction.
Those observing the collegiate competition came to the same conclusion.
The winning teams were the ones in which the members knew and did their jobs,
usually without needing to turn away from their keyboard. In fact, the researchers said,
face-to-face interactions emerged as a strong negative predictor of success.
That is, chit-chat, waffling, and negotiation, or waiting to be told to do something. These things are bad.
It's sometimes said by unreflective coaches, sportscasters, and company-grade officers that good teams don't think.
That's not true. They think a lot.
But they do it in advance, and they reduce their thinking to practice.
Congratulations, by the way, to the University of Maryland's Cyber Dawgs,
which were what the researchers called a purposive social system.
They won because, as Ars Technica's headline writers put it, they shut up and work.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. I saw recently
on Twitter, you made some comments about regulation in the electrical sector, specifically about the
difference between regulation and incentives. Take us through what you're getting at here.
Regulations can set a good base for what we expect to be done, either programmatically or
performance-based, on what actions and minimum standards we want companies to comply with.
And across the U.S. electric grid, they've been doing that for over a decade now with the NERC CIP regulations. And they do set a strong base standard of what we want to see, like two-factor authentication for communications into a control center. The problem, though, is that regulations only can apply to a past state that we're
interested in. In other words, it's not good at predicting where we need to be. It's not good
about allowing innovation. It's saying, hey, here's what we have perceived to be a good base.
Previously, let's work towards that. This is ultimately a good thing, but we must
understand that regulations can't regulate out the human adversary. Regulations themselves can't
protect us. They can just apply a base level of defensibility and opportunities for defenders.
And in that way, I think that some industries could still do with some regulation, not a huge
regulatory van,
but there are decentralized industries
where that might make sense.
But in certain industries where it's much more centralized
and a community driven,
and maybe even that we've already had regulations,
we need to open it up for incentives instead.
In the case of the US electric sector,
I testified in front of the Senate
that we needed to take a pause for a while.
New regulations in the power sector
come out every two to four years,
and that creates an extreme pressure on the companies to keep up with regulations
instead of focusing on new innovative ways to do security.
And it would be beneficial to take a three to four year period
where we stop coming up with new regulations,
allow the companies to do anything for security
that they deem appropriate for their companies, and then have those lessons learned and extract
out best practices from that instead of just trying to focus on regulation.
Thinking of the political incentives here, that if I'm a politician, it's easier for me to get
hit by saying, well, why didn't you regulate these people? Why did you just let them run
free and do whatever they wanted to do? That's actually exactly why this still happens.
I've talked to just about everybody in this discussion in terms of like sides of the
conversation from the government to regulators to asset owners. And that's entirely what it
comes down to usually. We know that the regulations have been good, but nobody wants to be the person
that suggests less regulations. The power company
doesn't want to say, hey, you know, we've kind of exhausted this because then they don't look
willing to move the needle. The government doesn't want to say, yeah, let's take a break on this,
because if a cyber attack happens, they look like a weak administration on a weak party on
taking action for security. The regulator doesn't want to not do regulations
because those regulators are generally political appointees
and they're only there for three to four years.
So the idea of not doing anything for three to four years
looks very bad on them and their party
and this was their opportunity to get involved
and try to influence change.
So it's a tricky subject because, quite frankly, everybody is incentivized to do regulations whether or not they do anything for anybody.
I think they have been beneficial, to be honest.
Our power grid today is much better off than what it was a decade ago. But there is a time to say, OK, folks, let's work towards programmatic regulation or let's work towards incentivizing through tax credits or programs from the government to find new best practices and innovation and security that's going to be cool and exciting and helpful instead of checkbox.
All right. Interesting stuff. Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.