CyberWire Daily - Daily: ISIS offers Christmas inspiration (and it's got nothing to do with peace or good will). Fancy Bear makes a battlefield appearance. Blogging services under attack.
Episode Date: December 22, 2016In today's podcast, we hear about ISIS attempts to inspire Christmas attacks. Ukraine is on the receiving end of Russian tactical cyber operations, and yes, it's Fancy Bear. Analysts mull the possibil...ity of a Russo-American détente emerging from cyber conflict. Mirai continues to rope maverick devices into its bot-herd. Virginia Tech's Hume Center's Dr. Charles Clancy explains mobile device encryption. Adnan Amjad from Deloitte describes creative ways of finding IT talent. And WordPress and Tumblr receive criminal attention. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
ISIS offers a murderous take on Christmas in its online communications.
Ukraine is on the receiving end of Russian tactical cyber operations,
and yes, it's fancy bear. Thank you. WordPress and Tumblr receive criminal attention.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, December 22, 2016.
Vocative reports online threats in ISIS media seeking to inspire the terrorist group's adherents,
sympathizers, and wannabes to attack Christian churches during the Christmas season.
Such attacks are seen by many, but especially by German authorities dealing with recent murders in Berlin,
as the attempt by ISIS to further alienate Muslims
living in non-Muslim lands from their neighbors,
and so to drive them into ever closer ties to the increasingly virtual caliphate.
An interesting series of reports from the cyber threat intelligence firm CrowdStrike
offer insight into both Russian deniable hybrid warfare and Russian influence operations.
Fighting in eastern Ukraine has seen an odd battlefield result.
Ukrainian forces are losing their D-30 howitzer batteries to artillery counterfire at a surprisingly
high rate. In two years of
fighting, Ukrainian forces are said to have lost about half their artillery pieces. They've lost
80 percent of their D-30s, and CrowdStrike suggests an explanation. The D-30 units have been hacked.
An Android app, Popper D-30, which a Ukrainian artillery officer developed and distributed to
improve the gun's
responsiveness to calls for fire, has been trojanized with a version of Fancy Bear's
ex-agent. The malicious implant reports gun positions back to Russian fire units,
which then target and destroy the Ukrainian artillery. It's unclear from CrowdStrike's
report whether the POPR-D30 app is a survey or a fire direction tool.
They simply say it reduces the time it takes a unit to fire from minutes to seconds.
But in either case, it would reveal gun positions. If this study is credible, as it appears to be,
this would be a clear instance of cyber operations in support of combat at the tactical level.
The connection with U.S. election hacking, as noted by the Washington
Post and others, is this. Fancy Bear used earlier versions of ex-agent implants against the DNC.
Ex-agent is one of Fancy's signature tools. Some observers claim to discern a silver lining in the
clouded Russo-American cyber relations. Intolerable tensions, they tell Passcode, could lead to detente.
Well, maybe. Observers are looking at the long, slow road nuclear arms control and confidence
building took during the Cold War and drawing hope from that. It's unclear, however, whether
cyber conflict is more like nuclear war with high barriers to entry and clear verification means,
or more like espionage, which has none
of those things. In any case, the U.S. continues to pursue a full investigation of Russian influence
operations seen during the last election cycle, and will be watching for signs of more vigorous
retaliation. There's talk in operator circles, reported by the Council on Foreign Relations,
among others, of the value of noisy operations.
The SANS Institute's Internet Storm Center warns that Mirai IoT botnet malware is ranging
into fresh areas as it seeks the ruin of home routers, thermostats, security cameras, and
other connected devices.
The ongoing shortage of qualified IT talent has led some firms to get creative when casting a net for new hires.
Adnan Amjad is a partner with Deloitte's cyber threat risk management practice.
One of the areas of concern is we don't have enough talent coming out of schools in the last several years to address that demand. by demand, then there also haven't been robust programs to convert existing talent into talent
that can help manage cyber risk.
We see, especially in the commercial sector, there has been a huge push to see how we can
recruit people who have a risk background.
And when I say risk, I mean fairly broadly, right?
So, for example, if you are a business risk person, right,
and you understand the risk in a business process,
we can take you and teach you the technology aspect of it, right?
So if you understand, for example, how a pharmaceutical company does clinical research
and manages the risk around
that research, we can take you and we can teach you the technology that you can deploy,
right, because you have that core knowledge of risk as well.
So we see that happening in large organizations across all sectors, and we see that happening
in the professional services side of the house as well,
which is where I sit, and relatively successful most of the time because, like I said, it's easier
to teach somebody the technology. I think it's harder to take a technologist and, in some cases,
have them understand the business aspect of it. The other area is bringing people who don't necessarily know computer network security
or even have a risk background, but have a data background or have a statistics background.
And that's primarily something we see a lot in what we call the monitoring aspect of cybersecurity
and then the resilient side of cybersecurity.
So what monitoring means, for example,
the security operations area, for example,
you bring a lot of data together.
If you're a large enterprise, you bring lots of data together.
And you need smart data scientists
to be able to correlate the data and pull it together, right?
So there's that expertise,
which traditionally didn't sit in cyber, is in huge, huge demand.
And when you get into responding to a breach, you need those data skills as well, which
traditionally cybersecurity groups have not necessarily built.
So not only you need that business background, right, from a positive risk
perspective, but the other area that we see a lot of attention to are people who have a data
background and who typically haven't resided with an IT. That's Adnan Amjad. He's from Deloitte's
cyber threat risk management practice. Two popular blogging services, WordPress and Tumblr, came under attack this week.
A wave of dictionary attacks on WordPress sites, earlier attributed to unknown criminals operating from a Ukrainian ISP, has been further localized.
The attackers appear to be working from Alchevsk, a city in the Donetsk Oblast, which is heavily disputed in the ongoing hybrid war.
Oblast, which is heavily disputed in the ongoing hybrid war.
Bleeping Computer notes that the Ukrainian government's RIT doesn't really run in that region, and that it seems likely the ISP is a bulletproof host catering to criminals.
Tumblr sustained a distributed denial-of-service attack that disrupted it in Europe and the
U.S. for a couple of hours.
We heard from security company Plixer's CEO Michael Patterson, who again reminded us that DDoS can have at least two goals,
downing a website and distracting security teams
from another primary attack.
The attack on Tumblr was claimed by a criminal group,
RIU Star Patrol.
They say they did it for the lulz.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National
Security and Technology at Virginia Tech.
Dr. Clancy, it's my understanding that when it comes to security on our mobile devices,
that it is the cellular tower that negotiates the amount of encryption between your mobile device and the tower, if there's any at all.
And so this can sort of lead to situations where if someone's spoofing a tower,
they can direct your mobile device to say, hey, we don't need any encryption here.
Let's just send things in the clear.
I was wondering if you could, first of all, tell us, is that the case?
And kind of give us some of the historical background for why this option was included.
It is the case, actually. A cell tower is able to select from a variety of different encryption options
when it negotiates a new session with a cellular device. This started back in the 2G era. Of course,
when you move all the way back into 1G, the analog original phone networks, there was no encryption.
And this caused principally a lot of theft of service. I've heard rumors and statistics that 60% of the
phone traffic in Los Angeles in the early 1990s was all spoofed and stolen accounts where people
were using someone else's phone number because there was no encryption. So as we moved into 2G,
there was the desire to add encryption to the cellular infrastructure, principally to avoid fraud.
But in the mid-1990s, when the 2G cellular standards were being created, the U.S. still had very strong export laws around encryption.
If you were surfing the net back in the mid-1990s and you went to go download the Netscape browser, you may recall being asked whether or
not you were within the United States. And depending on your answer, you'd get a different
version of Netscape that had stronger encryption than if you checked the box saying that you were
outside the United States. So these sorts of export controls on encryption led to the development of
a range of security options in 2G cellular, where it could support
unencrypted links, weak encrypted links, and strong encrypted links. By the time we got to 3G,
however, the encryption laws had been reformed, and there were no prohibitions on export of strong
encryption. However, we also by then started to see the rise of China within the technology ecosystem.
And they had an agenda of pushing for weaker or no encryption options within the standards.
And so the reasons why there were no encryption, there's options for not having any encryption vary depending on the generation of technology and the political situation.
But the consequence is that pretty much every generation of cell phone technology includes options where you can disable encryption. What about the coming generations of cellular technology? Is this a security hole that's going to be patched? When you get into
4G, I mean, the options are still there, but most of the implementations, particularly on the handset side, are not likely to support some of those modes.
So while it would be much more difficult to spoof a 4G tower, your phone needs to support 2G and 3G.
So if I'm an adversary who wants to spoof a tower, rather than try and spoof a 4G tower,
which may be difficult or impossible depending on the encryption on the device, all I have to do is
spoof a 2G tower because all the phones need to be backwards compatible to support 2G. And so
that's what we see in the whole world of the IMSI catchers, which were brought to the attention of
the media about two years ago because they're used by law enforcement.
The Stingrays and things like that.
Exactly. The Stingray is the kind of the Kleenex of the ecosystem, if you will.
It is just one of many different products on the market that supports basically a false base station
that's able to convince phones to connect to it for the purpose of identifying each of the phones.
All right, Dr. Clancy, thanks for explaining it to us. Interesting stuff.
And now a message from Black Cloak.
message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you.