CyberWire Daily - Daily: DPRK attempt on RoK rail ICS? Ransomware updates. US tax season cyber issues.
Episode Date: March 9, 2016
Daily: DPRK attempt on RoK rail ICS? Ransomware updates. US tax season cyber issues. Plus, Accenture's Malek Ben Salem on embedded device security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
South Korea accuses the North of more cyber espionage, this time against railroads.
FireEye says it thinks advanced governments around the world
may have built vulnerabilities into industrial control systems.
Maybe. It could happen.
Criminal gangs ramp up their use of ransomware and get more agile in distributing it.
Tax season phishing rises.
And the IRS seems to have another problem with knowledge-based authentication.
And as concerns about the Internet of Things persist,
we hear from Accenture's Malek Ben Salem, who tells us about embedded device security.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 9, 2016.
The Republic of Korea issues another complaint about North Korean cyber operations, an attempt to access South Korean railroad workers' email.
The goal was unclear, but the DPRK is thought to have been out to compromise transportation
control systems. This is an old-school approach to an attack on industrial control systems,
although such old-school approaches to credential harvesting can apparently work. Witness the much-discussed attack on Ukraine's power grid
back in December. But FireEye has raised a more disturbing possibility, the prospect that advanced
cyber powers have already built latent vulnerabilities into industrial control systems
with a view to holding them in reserve for future exploitation. As presented, this is more a possibility than a conclusion based on specific evidence,
and so should no doubt be partially discounted as FUD,
but on the other hand it is a disturbing possibility.
A study of the success ISIS continues to enjoy with respect to information operations,
and in particular with its messaging,
suggests that the claim to control and govern territory is central to that success.
The Institute for the Study of War sees a high degree of coordination in ISIS messaging,
and given the caliphate's concentration on inspiration,
its relatively primitive technical cyberchops matter not a rap.
IBM mulls the significance of JavaScript-based ransomware as seen in Ransom32.
Attackers can use this approach to achieve significant infections
without needing to reach the underlying operating systems.
But the trend is disturbing in two respects.
First, it constitutes a cross-platform threat.
Although Ransom32 has so far been observed only in Windows machines,
that situation can't reasonably be expected to persist.
Second, it's being offered as a service, and it can be used by criminals with only minimal
technical ability, which suggests easy proliferation, and there will always be plenty of soft targets
available for attack.
One of the reasons the KeRanger Mac ransomware is attracting so much more attention than
the damage it's done or the risk it poses would seem to merit is that KeRanger demonstrates the black market's turn toward platforms that had previously been immune to
ransomware attacks, or if not immune, then at least overlooked. Webroot's discussion of the
trend toward polymorphic malware, inherently much more difficult to detect by legacy signature-based
approaches, would also seem to bear out the growing sophistication of cybercriminals.
It also suggests that the trend on the part of security vendors to offer detection based on behavior
is probably well-founded on current threat realities.
A study by Damballa shows other ways criminals are evading legacy detection techniques.
The gangs are becoming increasingly mobile with respect to their infrastructure.
Damballa found, in an eight-month study of Pony Loader malware,
that the controllers used, quote,
281 domains and more than 120 IPs spread across 100 different ISPs, end quote.
It's tax season in the U.S., and the news isn't particularly good.
But then tax news rarely is good news, right?
At any rate, the Internal Revenue Service sustained a major
breach last year, and part of its attempt to make the victims whole was assigning them Identity
Protection PINs to be used as an additional layer of security when filing tax returns.
Unfortunately, the system that distributed the PINs has also been compromised, and the IRS has
taken it offline. Some 800 stolen PINs have been used to file fraudulent returns.
Phishing of companies for tax information also continues. Snapchat, Seagate, Mansueto Ventures,
and Rightside have all been targeted.
Point-of-sale malware remains a problem, particularly in the hospitality sector. Rosen Hotels and Resorts discloses that it's discovered a malware infection
that has affected card processing over the past 17 months.
The Florida-based chain is notifying its customers.
Yesterday was Patch Tuesday, and many major companies issued fixes to issues in their software.
The list of those patching includes, of course, industry leader Microsoft,
and also Google, Adobe, Mozilla, Facebook, and SAP.
Admins face their customary busy time of the month,
and observers have begun
to wonder whether patching has begun to outgrow most enterprises, and even more so most users'
ability to keep up with it. IBM says that its anticipated layoffs are by no means going to
be as extensive as some companies interested in recruiting spooked IBM workers are leading people
to believe. The Apple/Department of Justice dispute in the U.S.
continues to have fallout for parties not directly concerned. Despite Secretary of Defense Carter's
strongly expressed support for strong encryption and equally strongly expressed aversion to back
doors, observers see Silicon Valley as still spooked by invitations to cooperate with the
Department of Defense. It's worth noting that one of the other Five Eyes, Britain's GCHQ,
has echoed the US NSA's similar position on encryption and backdoors.
One watches for this declaration's effect on British industry.
In the matter of the FBI's call for a government OS to unlock the San Bernardino jihadist iPhone,
Apple has ramped up its PR offensive by claiming that acceding to the FBI's request
would place much else at risk, including power grid control systems. The Department of Justice
has appealed a related decision in a New York case in which the presiding magistrate rejected
its request under the All Writs Act for similar assistance in unlocking a phone.
And finally, if you've ever wondered which U.S. states distribute the most spam,
Comodo will tell you what it sees as it blocks.
Numbers 1 and 2 are no surprise.
They are, respectively, populous and coastal California and New York.
But number 3 is in the heartland:
Utah.
Who knew? We'll be right back.
Malek Ben Salem is the R&D manager for security at Accenture Technology Labs, one of our academic and research partners.
I know some of the research that you all are doing has to do with embedded device security
and some of the unique challenges with embedded devices.
Absolutely.
As you know, especially with the advent of the Internet of Things,
embedded devices are becoming increasingly connected.
They're being deployed in remote areas where
they're exposed to tampering by adversaries. And it's hard to protect them using the traditional
mechanisms of protection that we rely on, where we assume that the adversary does not have physical
access to the device. And this is particularly important in the healthcare sector.
So think about a hospital. Pretty much anybody can go in, and they can go into
any patient room, where they have access to the medical devices deployed there. And
if they have a malicious intent, they may be able to modify what the medical device does
and introduce significant
damage to the patient.
So if someone has an IV pump that's giving them some dose of medication, someone could
alter that machine and cause serious trouble?
Absolutely, yes.
So tell us about some of the work that you're doing in that area.
So in order to protect against those types of attacks and tampering with the devices,
we partnered with Johns Hopkins University with their Healthcare Security Institute,
and we tried to come up with security mechanisms that would detect any tampering with the devices.
It relies on profiling how a security device works in a particular mode,
and we build a sort of a control flow graph that's dynamically built while that device is operating in that mode.
Then in real time, we detect if the device starts behaving differently,
you know, basically deviates from the profile that we built for that device.
And if we detect such deviation, we can either alert the security administrator
or, in emergency cases, stop the device from working.
So when we built our prototype, we were focused on an infusion pump.
But you could apply this to pretty much any embedded security device.
Malek Ben Salem from Accenture Labs, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.