CyberWire Daily - Daily: Elves vs. trolls in the Baltic. Updates on Bangladesh bank heist, DoJ vs. Apple.
Episode Date: March 21, 2016
Baltic elves versus Russian trolls. Pakistan considers its cyber strategy. Investigation continues into the Bangladesh Bank hack. More hackers are interested in going after OS kernels. Apple and the Department of Justice are poised for this week's hearings. And the University of Maryland's Markus Rauschecker tells us what it means to "hack the Pentagon."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Pakistan considers its cyber strategy. Investigation continues into the Bangladesh bank hack.
More hackers are interested in going after OS kernels if the results of Pwn2Own are any indication.
Apple and the Department of Justice are poised for this week's hearings.
And we hear from the University of Maryland's Markus Rauschecker, who tells us what it means to hack the Pentagon.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, March 21, 2016.
Social media remain a field for conflict among states and aspiring states, as ISIS resumes its push to inspire the disaffected,
and disturbing levels of pro-Russian trolling resume in the
Baltic states. The Baltic situation is particularly interesting. The Baltic states, Latvia, Lithuania,
and Estonia have, alongside their neighbor Finland, long punched far above their weight in cyberspace,
especially since the 2007 cyber-rioting Estonia suffered in the wake of a dispute with Russia
over the removal of a Second World War memorial. That rioting, sometimes referred to as the First Cyber War, and generally
regarded as setting a template for plausibly deniable cyber-action analogous to the Green
Men's militias deployed by Russia in Ukraine, prompted Estonia and its neighbors to develop
increasingly capable cyber-defense capabilities. Those capabilities have also prompted volunteer efforts in information operations.
The goal in Lithuania most recently has been to counteract pro-Russian trolls with benevolent elves.
Current conflict is worrisome as observers in Lithuania worry that a Russian drawdown in Syria
presages that country's turn toward the Baltic states,
which fear that Russia will follow the template it established in Ukraine,
information operations followed by initially deniable, then increasingly overt, military action.
Pakistan considers its long-term interests in cyberspace as Google removes an app,
SmeshApp, Pakistan's ISI allegedly used in espionage against Indian targets.
Patriotic cyber-rioting, plausibly deniable but arguably state-inspired operations,
and alleged direct attacks by state security services have long been a feature of tensions in the subcontinent.
Preliminary reports on the hack of Bangladesh's central bank
suggest that the thieves were patient and sophisticated,
covering their tracks and planting malware intended to support the apparent legitimacy of their fraudulent transactions. Reports differ on how much was stolen. They range from a low of $81 million to a high of $101 million, but the crooks aimed much higher. in a much larger take by alert staffers at Deutsche Bank, whose suspicions were aroused by some careless proofreading in otherwise well-crafted spear-phishing emails. Some
$30 million are thought to have gone to a casino junket operator. Bangladesh Bank officials
say with some understatement that recovering the funds is likely to prove difficult.
The U.S. FBI is said to be assisting authorities in Bangladesh with the investigation.
Since funds were transferred from a Bangladesh bank account in New York to the Philippines,
FBI involvement is hardly surprising.
Authorities in Bangladesh are looking into the possibility of insider involvement.
Preliminary reports suggest that several sets of difficult-to-spoof biometric credentials
were used to enable the theft.
Bangladesh's finance minister has claimed that, of course, bank officials were complicit in the crime.
In response to this theft, administrators of the finance industry's SWIFT messaging system
are working to reinforce recommended security measures with banks
that use the system in managing fund transfers.
Pwn2Own wrapped up last week.
Observers see an increased interest in achieving
privilege escalation by exploiting OS kernel flaws. Of the 21 vulnerabilities on display,
six were in OS kernels, six were in browsers, and the rest were either in operating system
components and processes or in Flash Player. Late last week, the Department of Justice asked
for an evidentiary hearing on the case of the San Bernardino jihadists' iPhone.
Apple is said to regard this as a sign that the Justice Department is losing confidence in its case.
Hearings are set for this week.
The Department of Defense has been notably more crypto-friendly and thus more industry-friendly than has the Department of Justice.
The Pentagon is in the midst of a major outreach to the tech industry.
Prominently featured in that outreach is its Hack the Pentagon program, effectively an invitation to bug hunters.
We spoke with Markus Rauschecker of the University of Maryland's Center for Health and Homeland Security about hacking the Pentagon.
We'll hear from him after the break.
As the U.S. continues, we hear, to prepare indictments against Iranian hackers for poking around in a virtual sense, that flood control dam in downstate New York,
the cyber commentariat again returns to its favorite reassuring bedtime story.
That is, of course, the squirrel threat.
The CyberSquirrel website has been tracking these
and has racked up a tally of 1,139 confirmed successful squirrel attacks
on critical infrastructure,
which is 1,138 more so far than confirmed Iranian incursions into critical systems.
We have no quarrel with squirrel awareness,
although we do object to those who would impute malicious intent to the hapless squirrels themselves.
But we do object to the general ignorance of the snake threat to the power grid,
especially in Guam, where brown tree snakes are so much the leading cause of power failures that, we hear, residents call them snake-outs.
We're pleased to see that CyberSquirrel
has added snakes to their tally sheet.
Bravo, CyberSquirrel, for helping all
achieve more snake awareness.
Hack the Pentagon program. Right. So the Pentagon announced the Hack the Pentagon initiative.
This is going to be a pilot program that's going to start in April of this year. And essentially,
the Pentagon, the Department of Defense, is asking outside hackers to help them find any vulnerabilities or weaknesses in their networks. This is something that's sometimes referred to as
a bug bounty program. And we've seen this in the private sector for many years, where a company will hire
outsiders to try to get into their systems in order to test the security and the safety of
their systems. The Hack the Pentagon program is interesting because it's really the first time
that the federal government is using this kind of bug bounty program to test its systems.
Of course, there's no shortage of people who are trying to hack the Pentagon every day. But
in this program, what are the boundaries that they're setting on the people who volunteer to help with this effort?
So anyone who's going to be involved in this program, any hacker that's going to be involved,
will be heavily vetted before they're allowed to participate.
They'll have to undergo extensive background checks.
And furthermore, once they are accepted into the program,
they're only going to be allowed to target predetermined systems by the Pentagon.
And any of those systems at this point will not be connected to any critical operations of the Pentagon.
So that's really a way to ensure extra safety in terms of the program.
So does this sort of thing signal more cooperation between government and industry in your view?
I think so.
We're seeing that government is looking more and more towards the private sector
to try to work with the private sector to enhance cybersecurity overall.
And government is seeing that the private sector has a lot of solutions out there,
a lot of approaches that are working in the private sector.
And I think there's a sense that some of those valuable tools can be applied
on the government side as well. So we're seeing closer and closer collaboration, I think, between
the public and private sectors. Absolutely. All right, Markus Rauschecker, thanks for joining us.
And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.