CyberWire Daily - Code signing certificates for sale. Impact of cybercrime on the world economy. Reaper out from under Lazarus's shadow. Catphishing. Cyber intelligence against terror. Ransomware and other hacks.
Episode Date: February 22, 2018. In today's podcast, we hear that counterfeit certificates are on sale in criminal souks. Cybercrime is said to cost $600 billion globally every year. Russia objects to being called a bad actor in cyberspace. North Korea's Reaper threat actor steps out from the shadow of its big brother, the Lazarus Group. Catphish from Lebanon spread spyware through Facebook. Israel says it gave Australia a cyber assist against ISIS terror last summer. Ransomware notes. Prof. Awais Rashid from University of Bristol on what students should be learning about cyber security. Guest is Martijn Grooten from Virus Bulletin on security product testing and the changes they've seen over time in the products they test. Harper's was hacked, and so was Allentown, Pennsylvania.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cybercrime is said to cost $600 billion globally every year. Russia objects to being called a bad actor in cyberspace.
North Korea's Reaper threat actor steps out from the shadow of its big brother, the Lazarus Group.
Catphish from Lebanon spread spyware through Facebook.
Israel says it gave Australia a cyber assist against ISIS terror last summer.
Ransomware notes. Harper's was hacked, and so was Allentown, Pennsylvania.
I'm Dave Bittner with your CyberWire summary for Thursday, February 22, 2018.
Researchers at threat intelligence firm Recorded Future investigated a spike in the use of
certificates to enable malware infections.
Their researchers found that, contrary to general opinion, the certificates so used weren't, in general, stolen.
Instead, they're counterfeited and registered using stolen corporate identities.
As their report puts it, quote, "Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed," end quote.
Code signing certificates are used to verify that code has been written by a particular author,
the certificate holder, and that the code hasn't been altered or tampered with.
The certificate includes a cryptographic hash that validates the signed code's authenticity and integrity.
Certificates served up by malware do more than the obvious damage
of helping the malware establish itself in victim
systems. They tend to make deep packet inspection on infected systems less effective. The criminals
don't appear to be making a killing in this particular black market, so certificate sales
appear likely to remain a boutique niche for criminals. Nation states are a different matter.
They'll probably see considerable advantage to using fake code signing
and SSL certificates in their highly targeted operations.
Russian diplomats denounce British attribution of NotPetya to Russian security services.
They also denounce American contentions that Russia is a safe haven for cybercriminals,
in large part because of a cozy relationship between those security services and organized cyber gangs.
The common theme comes down to a complaint that there's no evidence.
No Western intelligence service, Russia says,
has offered any proof that Russia is a bad actor in cyberspace.
To strengthen his accusation of American bad faith,
Pyotr Svirin, First Secretary of the Russian Embassy in Washington,
asks why, if the Americans are so concerned about cybercrime,
they have turned down all of Moscow's efforts to get some cooperation in crime-fighting.
First Secretary Svirin's complaint came at a D.C. event yesterday,
covered by CyberScoop, in which security firm McAfee
and the Center for Strategic
and International Studies think tank presented the results of their joint study of the economic
impact of cybercrime. They see that impact rising. They say it's now up to $600 billion
worldwide annually, up $100 billion since a similar study in 2014. Discouragingly,
they also conclude that whether
countries spend a lot or a little on security against cybercrime, they wind up with similar
outcomes. And yes, the study does call out Russia. In fact, it calls out several centers of cybercrime,
Brazil, India, and Vietnam, where the issues aren't so much state policy as they are the
lawlessness of an entrenched and technically capable criminal subculture.
North Korea is a different matter.
There, the government itself arranges the crime and has the state security and intelligence apparatus committed directly.
And, of course, there's the interesting case of Russia.
The contention that so angered Mr. Svirin is that the Russian security services,
notably the FSB and the GRU, connive with cyber mobs and permit them to hit the right targets.
Right, of course, from the point of view of the Russian government.
The organization is like a reverse protection racket.
Nice little ransomware program you got there. Shame if something happened to it.
Of course, if you'd like to take out a Ukrainian power utility, well, all might be overlooked.
With so many security products out there, it can be a challenge to comparison shop and evaluate what might be the best fit for your organization. Virus Bulletin is an organization that's been in the security software testing business for over two decades, giving them a unique view of the industry.
I checked in with Martijn Grooten, the editor of Virus Bulletin, for his perspective.
I think the major change we've seen, and it's a very subtle one, but I think over the past
decade or two decades, antivirus has changed from software that hardens your PC or your
device to software that protects you against things
you shouldn't do, like download things off the internet that are dangerous or open certain
email attachments and then enable macros.
Current operating systems are a lot more secure than they were a few years ago.
And if you are someone like quite a few security professionals, if you're someone who knows
what they should and shouldn't do
and really trusts herself not to accidentally click on things,
you'll probably be okay without antivirus.
It's just that 99% of the people are not like that,
nor should we expect them to be.
So I think that's a major change.
I think in the early days, there were these mass viruses that spread,
and everyone really needed antivirus to protect against them.
And these days, it's more subtle, but it's still
very important, I would say. And as you look across the landscape of the various products
that are offered, do you feel like we've hit a point where most of them offer a good value,
that there may be differences between them, but you're probably, if you get one of the big name
ones, you're probably going to be in good shape? I would say so, yes. And of course, it depends
how you use it, how you set it up, what kind of threats you're facing.
I mean, they typically are better at protecting you against mass malware than against very targeted attacks.
And that's not to say that they're powerless against very targeted attacks.
But I would say I wouldn't just focus on the big names.
I mean, there are a lot of smaller names that are doing an equally good job, sometimes for half the price of a big name or less.
The product landscape is quite varied,
but overall products are doing a pretty decent job and much better than they often get credit for.
And as operating systems have gotten more sophisticated and the attacks have gotten
more sophisticated, how have you had to adapt your testing procedures?
An antivirus product has many different layers, and to test it you need to be more clear about which layers you test. In the past it was all about whether the product is able to detect this virus or not. These days there are so many different layers, and you need to focus on specific layers or on several layers at once. Depending on what you do and depending on what the purpose of your test is, you get different results. And I think you have to be more and more careful about the kind of claims you make.
And I'm always very hesitant about us or other testers making very big claims about
all products detect this or all products miss this.
Things are a lot more subtle in practice.
I see.
What advice do you have for people who are trying to shop around to decide which product is best for them?
I think the general advice at first is always try to see what kind of threats are you concerned about?
Which kind of threats does your organization face?
What kind of threats are you prepared to defend against?
Maybe you're a small business and maybe you are worried about an advanced attacker from overseas
who may be very skilled and have a lot of money to spend on attacking you.
But maybe you decide that that's a risk you're worth taking.
And hopefully, or even more likely, you'll decide that actually this is not something you should worry about.
I've seen a trend among security professionals working in, not in the security industry, but working in the real world, so to say, to get overly worried about all the fear-mongering going on in security,
the things that we say, almost trying to overprotect themselves.
Buying solutions that look very nice, but maybe offer only a tiny bit of extra protection
that is just not worth for the kind of organization that you have.
At the same time, if you are an organization in special fields or you're a very big organization,
then you need to be aware that what works for a small company, what works for an average home user, is not good enough for you.
That's Martijn Grooten from Virus Bulletin.
More spyware has been found being distributed by Facebook catphish. Winsome profiles of fictional people named Rita, Alona (yes, Alona, who would no doubt have suggested she no longer wants to be Alona), and Christina were seeking contacts whom they would infect with spyware.
The campaign, which seems to have originated in Lebanon,
was discovered and described by Prague-based security firm Avast.
If you want to connect with Rita, Alona or Christina, you're too late. Their
profiles are all gone from Facebook, probably enjoying a digital afterlife somewhere in
the company of Robin Sage. Israeli Prime Minister Netanyahu this week credits his country's
Unit 8200 with detecting an ISIS plot last year to destroy an airliner and with tipping
off Australian security authorities
in time to stop the bombers.
Two men were arrested. The plane wasn't bombed.
A paper in the Journal of the American College of Cardiology
describes increased hacker interest in implantable medical devices.
The probability of attacks against devices like pacemakers may be rising.
Colorado's Department of Transportation is struggling with a large SamSam ransomware infestation,
according to the anti-phishing specialists at KnowBe4.
SamSam is financially motivated, but other ransomware strains aren't.
Annabelle ransomware, for one, seems motivated by the lulz and the desire to show off.
MalwareHunterTeam is tracking it.
The good news, reported by Bleeping Computer, is that Annabelle is a variant of Stupid ransomware
(that's a proper name, by the way, not a description)
and can be removed with an updated Stupid Decryptor.
Bravo to Mr. Michael Gillespie, proprietor of the Stupid Decryptor.
Two other incidents are worth mentioning.
Harper's, the venerable American journal of opinion, has warned subscribers that their
passwords may have been stolen.
And in a municipal hack, the Rust Belt gets a cyber wire-brushing.
The city of Allentown, Pennsylvania, is struggling with a major Emotet infestation.
The self-propagating, credential-stealing malware has disabled the
city's financial department, no more external banking transactions, knocked out all the city's
185 public safety surveillance cameras, and is keeping the Allentown Police Department from
accessing Pennsylvania State Police databases. According to the Allentown Morning Call,
the virus hit last week.
The city thinks the initial infection vector was a phishing email.
Remediation is expected to cost between $800,000 and $900,000.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora Thank you. ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury.
Yes, you heard correctly.
Budget and luxury all in one place.
So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing.
Oh, and book by February 16th with your local travel advisor or at sunwing.ca.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And it's my pleasure to welcome back to the show Professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Awais, welcome back. We wanted to touch on
educational issues today, specifically what cybersecurity professionals should be learning
in your estimation. What can you share with us about that?
Thank you for having me back.
I think the key thing that we need to bear in mind is that cybersecurity is becoming an increasingly complex issue.
And one of the big problems is the focus that we tend to have is very much still from the mindset
that there is a single device that is being attacked
and being used.
Of course, we teach people about security of networks
and all those kind of issues.
But really, we need to be thinking beyond that.
We are moving towards very highly connected infrastructure.
And we are not talking about a device,
a small number of devices,
a network that is often under the control of a single organization, potentially. We are really talking about
thousands, tens of thousands, hundreds of thousands of devices interacting with each other,
interacting with users, new devices coming into that environment. And that is a very complex
landscape. And at the moment, we are not focusing enough in terms of what the future problems are.
We still very much in our education tend to be very reactive, which is important.
We want to teach about what are the problems of today or the near future and solve them.
But ultimately, as we connect our infrastructure more and more, these issues are going to become very, very pertinent.
And we need to also think about what we should be teaching professionals in terms of how to protect infrastructure of the future. So in terms of someone who is a student
who's looking to set out their roadmap of the classes they want to take and the things they
want to study, what suggestions do you have? Well, I have, of course, a little bit of a biased view
at the moment in the sense that I lead a project called the Cybersecurity Body of Knowledge Project. But anyone who is interested can actually go and look at www.cybok.org,
and there is a detailed document which has been built through a consultation with stakeholders
in academia, industry, as to what are the key knowledge areas that people
need to know about.
And there are a total of 19 knowledge areas divided into five categories.
So there we highlight things like infrastructure security, of course, software and platform
security, system security, but very importantly, also understanding attacks and defenses and
human organizational and regulatory aspects.
And the fact of the matter is that none of these things exist in isolation.
All of these interplay in complex ways in the complex infrastructures
that we are increasingly developing and will continue to develop in the future.
Not everyone will be an expert in everything,
but it's important that when people become experts in a particular aspect of security,
they are still cognizant of the fact that all these other factors influence what happens so that they can look at the big picture rather than just
only a very narrow pathway.
Professor Awais Rashid, thanks for joining us.
The Cybersecurity Body of Knowledge is at cybok.org.
That's C-Y-B-O-K dot org.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.