CyberWire Daily - CISA is now officially an agency. Cozy Bear is back. Gmail spoofing issue opens social engineering possibilities. Speculation about “cyber 9/11s.”

Episode Date: November 19, 2018

In today’s podcast, we hear that CISA is now an agency within DHS. Cozy Bear is back, and spearphishing in American civilian waters. Ukrainian authorities say they’ve detected and blocked a malware campaign that appears targeted against former Soviet Republics. A reported Gmail issue may make for more plausible social engineering. The Outlaw criminal group expands into cryptojacking. Infrastructure, financial, and data corruption attacks discussed as possible “cyber 9/11s”. Rick Howard from Palo Alto Networks with a book recommendation from the Cybersecurity Canon project. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_19.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. CISA is now an agency within DHS. Cozy Bear's back and spearphishing in American civilian waters. Ukrainian authorities say they've detected and blocked a malware campaign that appears targeted against former Soviet republics.
Starting point is 00:02:11 A reported Gmail issue may make for more plausible social engineering. The Outlaw criminal group expands into cryptojacking. Infrastructure, financial, and data corruption attacks are discussed as possible cyber 9/11s. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, November 19th, 2018. The new U.S. cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, or CISA, is now ready for its groundbreaking. President Trump signed the legislation that authorized it into law on Friday.
Starting point is 00:02:53 The CISA Act, in effect, reorganized and clarified the Charter for the Department of Homeland Security's National Protection and Programs Directorate, best known simply by its initials, NPPD. It's now an agency responsible for overseeing civilian cybersecurity across the federal government, with an expansive brief to support state, local, and private sector cybersecurity efforts as well. Christopher Krebs, the NPPD's director, will become CISA's first director. Krebs characterized CISA's establishment, which has been widely described as a rebranding, as more of a groundbreaking than a ribbon-cutting. He said, as reported by the Federal News Network, that the new agency has a two-year roadmap to
Starting point is 00:03:38 achieving its full operational capability. A number of familiar officials will remain with CISA. Jeanette Manfra, for one, will serve as Assistant Director for Cybersecurity and Communications. As a new agency roughly on par with other DHS organizations, like the Federal Emergency Management Agency and the Secret Service, CISA will receive increased budgetary and operational authority. That may be a good thing, too, because the civilian side could probably benefit from increased resources and attention. Even if CISA isn't exactly shovel-ready, it will have plenty to tackle. As an example of what the new agency will be up against, consider news that began to develop late last week. Guess who's back and interested in U.S. civilian agencies and the private sector? Cozy Bear, that's who.
Starting point is 00:04:30 This is that other Russian cyber-operational agency, the quieter sister to GRU's Fancy Bear. Cozy Bear discreetly established itself in the Democratic National Committee's networks early in the 2016 election cycle, months before the flashier and more ostentatious Fancy Bear showed up and blew the gaff. Cozy had last been prominent in 2017 when it conducted espionage campaigns against government targets in Norway and the Netherlands. Cozy Bear is generally associated with either the FSB or SVR, both of which are KGB descendants in the current Russian security and intelligence bureaucracy. According to ZDNet and Reuters, the group has been engaged in spear phishing U.S. targets. CrowdStrike and FireEye, among others, have been reporting the discovery and watching the operation. CrowdStrike says Cozy Bear has been impersonating a U.S. State Department official in spear-phishing
Starting point is 00:05:27 emails. The payload is a link to a legitimate but compromised website. Targets form a familiar set of Cozy Bear interests. Government agencies, including law enforcement agencies, think tanks, and business information services. Cozy Bear, by the way, if you're keeping score at home, is also known as APT-29, the Dukes, or Power Duke. Ukraine's CERT, working with the country's Foreign Intelligence Service,
Starting point is 00:05:56 says it stopped battlespace preparation for a campaign that would have installed a new version of the Terodo espionage and attack staging malware. would have installed a new version of the Terodo espionage and attack staging malware. There's no attribution, but they note that the campaign appeared interested in former Soviet republics. It's designed to run only on systems localized to the languages prevalent in the near abroad, among them Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, and Tatar. CERT-UA recommends the usual hygienic measures against infection. Be wary of opening attachments. Disable autorun for removable media.
Starting point is 00:06:32 Be skeptical when an operating system displays a message that a file requires that certain software be installed before it can be opened. And, of course, regularly and securely back up your files. of course, regularly and securely back up your files. Researchers report a Gmail flaw that enables a user to add an arbitrary email address to the From field. The social engineering possibilities are obvious, but the approach is an unusual one. Researcher and software developer Tom Cotton told Bleeping Computer that a colleague of his found in her Gmail account's sent folder some messages she hadn't in fact sent. What seems to have happened is that an anomaly in the from field permits it to be
Starting point is 00:07:12 structured to contain a recipient's address or indeed any address. This of course could facilitate business email compromise or other forms of fraud. Trend Micro is tracking the Outlaw criminal group, which is engaged in a renewed botnet campaign for cryptojacking, scanning, and brute forcing of credentials. It uses an internet relay chat, that is IRC bot, to attack. Outlaw's initial goal appears to have been creation of infrastructure that could be used to mount distributed denial-of-service attacks. From there, they moved on to brute-forcing SSH to increase the botnet's size,
Starting point is 00:07:50 and most recently they moved on to cryptojacking. Fears of infrastructure attacks continue to surface, notably in the UK's Parliament, according to The Guardian. CNBC offers a rundown of cyber 9-11 possibilities, knocking out essential services, attacking financial systems in such a fashion as to cause a financial panic, or altering data rather than simply deleting, stealing, or rendering that data unavailable. So what does a nation do when it comes under such an attack? NATO has some ideas. The alliance said late last week that it would not itself, as an alliance, conduct offensive cyber operations. It would, however, as Luftwaffe Major General Wolfgang Renner, head of NATO's Cyber Operations Center, put it last week,
Starting point is 00:08:38 quote, integrate sovereign cyberspace effects from the allies who are willing to volunteer, end quote. This may seem like a distinction without a difference, but the answer represents the relative immaturity of international norms in cyberspace and NATO's attempt to map the legal distinction between national initiatives and collective defense to the new domain. New Domain. agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:09:45 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:29 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:11:13 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also leads Unit 42, which is their threat intel group. Rick, it's great to have you back. You and I talk about the Cybersecurity Canon Project,
Starting point is 00:11:38 about the books that are recommended there. You've got a book you want to recommend for us this month. Yeah, I've been running a cybersecurity canon project for the past five years. And for your listeners that don't know what it is, it's kind of a baseball hall of fame, but only for cybersecurity books. We have a committee of network defenders.
Starting point is 00:11:57 These are CISOs and journalists, consultants and the like. They read the books and write book reviews that make the case that the book fits into one of three categories. First, this is a must read by all cybersecurity professionals. Second is maybe it's not a must read, but if you are interested in the topic, this is the book for it. And most importantly, the third category is do not read. Okay. Because if you decided that you were going to read a book this year to learn something new and you went to Amazon and looked for cybersecurity books, you would have some 2000 books to choose from. How would you decide which one to read? So enter the Cybersecurity Canon Project. After five years, we have 17 books in the Hall of Fame and roughly 70 books that are on the candidate list.
Starting point is 00:12:40 And so this month, I thought I would highlight one of the Hall of Fame inductees from last year. It's called Worm, the Digital World by Mark Bowden. We inducted it into the Hall of Fame in 2018. Have you read this before, David? No, I've not. All right. So Worm is a story of how the cybersecurity community came together to do battle with what seemed at the time to be the largest and most significant cyber threat to date, the Conficker worm. And back then, it was the time of the Estonian and Georgian distributed denial of service attacks, and the Conficker botnet was growing to be the largest DDoS delivery system ever created. So a white hat group of cyber uber geeks formed what they call themselves the Conficker cabal, uber geeks form what they call themselves the conficker cabal with a mission to stop the worm because most of the world cannot even understand it let alone do something about it now mark bowden
Starting point is 00:13:32 the author he wrote the reason i love him or there's lots of reason to like what he writes about but he was the author of black hawk down okay a story Modern Warfare. And among many other fabulous books, he wrote The City of Way this past year about Vietnam. It was fantastic. But he also wrote the screenplay to the Black Hawk Down movie, right? And so, but the thing about it, he is not a geek, right? And he decided he was going to learn about cybersecurity, and he did a fantastic job. He accurately captures the essence of our cybersecurity community in times of crisis. And when we. He accurately captures the essence of our cybersecurity community in times of crisis. And when we inducted him to the Hall of Fame last year, I got to interview him on camera, okay? And it was a dream come true. Sometimes I can't believe they pay me
Starting point is 00:14:15 money to do this job. It's fantastic. Bowdoin compares us all to cybersecurity superheroes, okay? Like the X-Men of Marvel Comics fame, because of what he sees as our superhuman ability to work with computers and our desire to help each other and to save the world. Let me read a small passage that demonstrates this notion, okay? This is from the book. What were superheroes after all, but those with special powers? Marvel's creations were also invariably outsiders, not just special, but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking lies, suspicious of authority, both governmental and corporate. They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the glaze. But out here in the cyber world, they were nothing less than the anointed, the guardians, the special ones, not just the ones capable of seeing the threat that no one else could see, but the only ones who can conceivably stop it.
Starting point is 00:15:13 I love that. Okay. And I aspire to be that. I wish I could be all those things he mentioned in there. All right. But in the end, the Conficker Cabal failed. Okay. And the Conficker cabal failed. To use a chess analogy, the cabal maneuvered the Conficker worm hackers into a check by preventing it from receiving any new instructions.
Starting point is 00:15:35 But they were unable to kill it completely or to put it in the checkmate. Today, it still rages on. It still doesn't do anything, but it continues to grow. Security professionals will learn nothing new in terms of technology and craft, but they will remember that scary time and how we were all very worried about 1 April 2009, the day that the world thought Convictor would come to life. Newbies will get a lot out of this book, though. Bowdoin does a great job of simply and clearly explaining many of the key technical pieces that make the Internet run. If you are new to the community, this book makes a great introduction. It is a Cybersecurity Hall of Fame inductee, and all of us should have read it by now. But more importantly, how can you not like a book where the author favorably compares the
Starting point is 00:16:14 cybersecurity community to the X-Men? As Stan Lee likes to say, enough said. All right. Well, you make a compelling case for it. I will have to check it out. Our ongoing book club between you and me. So as always, good recommendation. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:17:03 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. It'll save you time and keep you informed.
Starting point is 00:17:44 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, Thanks for listening.
Starting point is 00:18:12 We'll see you back here tomorrow. Thank you. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:19:04 That's ai.domo.com.
