CyberWire Daily - Daily: Hospital hack, ransomware evolution, the FBI, and Scotland Yard.
Episode Date: March 30, 2016In today's Daily Podcast we hear about the ongoing story of the MedStar Health hack, which anonymous sources say was ransomware. The incident remains under investigation. We hear about ransomware's ev...olution. Big Law finds itself in the crosshairs of a Russian (or Ukrainian?) cyber gang. The Justice Department hints at more litigation over decryption. We talk to the University of Maryland's Markus Rauschecker about the NIST Framework, and we finish our conversation with Zimperium about their successful experience integrating their mobile security solution with a big telecom's services. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
More on the MedStar health hack.
Although no one's talking on the record,
off the record, it's looking a lot like ransomware.
Ransomware continues to evolve in effectiveness and in popularity among cyber criminals. An Eastern European gang is after
big laws data, and it wants to use it for illicit stock trading. As the FBI says it's opened that
jihadist's iPhone, Apple wants to know how, and the Justice Department signals more litigation
over decryption may be in the barrel. And Scotland Yard thinks you'd all be more careful
if your bank didn't compensate you for losses to online fraud.
I'm Dave Bittner in Baltimore with your CyberWire summary
for Wednesday, March 30, 2016.
MedStar Health continues its recovery from the malware infection it sustained Monday. March 30, 2016. tight-lipped about details of the case, but as usual, anonymous sources close to the investigation
but not authorized to speak are telling the press, anonymously, that the malware that hit MedStar was
ransomware. There are plenty of possible ransomware variants under speculative suspicion,
prominent among them being server-side malware SamSam and MacTub. PowerWare, the recently
discovered and unusually vicious strain that uses innocent-looking
Word files with malicious macros as vectors, is also being mentioned by observers.
In the MedStar case, this remains speculation. What isn't mere speculation is the increasing
interest ransomware controllers are taking in healthcare targets. Understandably, there's much
advice circulating this week on protecting yourself from ransomware, including the usual counsels about backing up files and developing emergency
plans for continuity of operations. Various good actors are offering protective measures, too.
Bitdefender, to take one public-spirited example, is offering a free tool it says will provide
protection against Locky, TeslaCrypt, and CTB Locker. Essentially,
the tool stops ransomware installation routines by communicating, falsely, that the targeted system
is already infected. But note that such tools have an inherently short shelf life, and that
continued vigilance is required. Symantec has found a new cyber-espionage trojan,
Backdoor.Dripion. Most of its targets are in
Taiwan, and so we leave attribution as an exercise for the reader, but infestations have also been
reported in Brazil and the United States. Cheetah Mobile reports discovering a remote
execution vulnerability in the Truecaller phone call management app. There's more information on the bug at Cheetah Mobile's blog at cmcm.com.
Today we finish our discussion with another firm in the business of securing mobile devices.
Zimperium's John Michelson describes their experience developing and integrating their
mobile security solution with Deutsche Telekom services.
According to Michelson, from the outset, it was critical that they build their tools with
integration in mind. You have to architect for extensibility. If we had made the mistake of not
having an extensible architecture, then we would end up with a Deutsche Telekom version of all of
our software. And then they made the other telco version of all of our software. And then our
version that we sell directly.
And then here's a customer where we, and that would create an unmanageable mess where there would be incredibly high cost of change for us.
And it would impact our ability to innovate.
It would slow down our pace of change.
We obviously don't want that.
We're in a market that is still nascent and evolving.
There are so many
ways that our product needs to live within the ecosystem of our customers that extensibility
is really, really key. It's natural, says Michelson, to be cautious when partnering
with a massive company like Deutsche Telekom. Make sure you're working with a partner who's
committed to being friendly to partners, has proven in the past that they've been friendly and responsible partners,
and then work at sufficiently high enough level in the organization
that these folks take that seriously, right?
They carry the responsibility.
They know that it's their job to do a good job,
to be responsible with partnering.
And I think you'll be fine.
We feel squeamish talking to partners at the level we do,
but it's the only way for them to know that you're their partner for them to choose, right?
And so we're in this together at the end of the day.
So you really can't hide things from them.
So it's a tough one.
You've got to be careful.
But at the end of the day, you've got to do it.
And you've got to take some business risks.
Zimperium's website is zimperium.com.
Law firms take note.
A Russian gang is after your client's data,
or it may be a Ukrainian gang. The evidence is ambiguous. 46 of the biggest U.S. firms and two
members of the U.K.'s magic circle are apparently being prospected for data that could enable the
gang's so-called mastermind the ability to execute profitable and illicit algorithmic trades in stock of companies
undergoing mergers and acquisition.
The FBI also has this one under investigation.
And as if the FBI didn't already have enough on its plate,
the Bureau continues to do whatever it's doing to the San Bernardino jihadist's iPhone.
But Apple has served notice that it wants to know,
however the Bureau did whatever in fact it did to get into that phone. Looking across the Atlantic, we see that the Commissioner of the Metropolitan Police
has told banks they shouldn't compensate customers who are the victims of online fraud.
Doing so only rewards carelessness. Maybe if people lost their money, they'd be more sensible
and responsible in the future, says Scott Linyard. And that sounds exactly like something Inspector Lestrade would have said to Sherlock Holmes. So, caveat investor,
patch your systems, back things up, and to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Marcus Roshecker.
He's from the University of Maryland Center for Health and Homeland Security.
They're one of our academic and research partners.
Marcus, back in 2014, NIST released their cybersecurity framework.
Tell us about that.
Yeah, so President Obama in 2013 actually already issued an executive order,
Executive Order 13636, and that required NIST to create the
Improving Critical Infrastructure Cybersecurity Framework. So the framework is a really big deal.
It was created by NIST by bringing together thousands of stakeholders from every level,
from the government level, from the private industry level, and from academia. And these
thousands of experts got together to create this framework that is a collection of existing standards, guidelines, and best practices that any
organization really can use to improve their critical infrastructure. We've seen that since
its creation, the framework has been adopted by many companies and many organizations.
There's been a vow to use the framework to help their cybersecurity efforts.
And overall, I would say that the framework has been a big success.
Yeah, I mean, one of the remarkable things about it is that the response has been overwhelmingly
positive.
Absolutely. The response has been overwhelmingly positive. Like I said, we see big companies like
Apple and Bank of America, but also companies in the critical infrastructure sector, and really
organizations across the board using the framework and implementing the framework for their purposes.
And this doesn't just apply to the private sector. Government is using this, too.
We've seen Congress endorse the framework in the recent Cybersecurity Enhancement Act of 2014.
We're seeing state governments implementing the framework in their statewide IT plans.
We're also seeing that in the private sector,
use of the framework is becoming part of any contractual agreement between organizations that will work together.
So a condition of working together might be
that companies are implementing the cybersecurity framework.
Has the framework shown up in the courtroom yet? Has it been tested there?
That is really another important piece of it. So the framework itself is volunteer,
and it's really important to note that it is volunteer. No one is required to use a framework.
But there's a sense that once there are lawsuits against organizations for data breaches,
for example, I mean, we've seen inevitably that there are a lot of lawsuits that come out of these kinds of cases. And there's a sense that courts may start looking
to the framework to establish a standard of care by which companies and other organizations have
to behave. Given that there's no comprehensive standard of care out there, no law that courts
can look to to really clearly see what the standard of care is that a company should implement,
there's a sense that courts may end up looking to the framework to really set that bar,
to establish the standard of care by which basic negligence claim is going to be decided.
Marcus Roschecker, thanks for joining us.
for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.