CyberWire Daily - Daily: ISIS security breaches threaten narrative. Cyber industry issues. Updates on the crypto wars.
Episode Date: March 14, 2016
Daily: ISIS security breaches threaten narrative. Cyber industry issues. Updates on the crypto wars. Plus, Joe Carrigan from Johns Hopkins University's Information Security Institute shares an overview of phishing scams.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout. That's joindeleteme.com/N2K, code N2K.

The U.S. considers indicting hackers working for foreign intelligence services. Security researchers critique industry standards. Phishing continues to spread ransomware and scoop PII, but alert staffers interdict a billion-dollar bank heist, and they do it with their proofreading skills. Investors find the cyber sector less frothy, but it's still not a bear market, and the U.S. continues to look for a way through its crypto civil war.

I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, March 14, 2016.
As we await developments in the reportedly imminent U.S. indictment of Iranian hackers allegedly responsible for pre-attack reconnaissance of the Rye, New York, flood control dam, observers speculate about the purposes such indictments serve. On the one hand, it's unlikely in the extreme, although not impossible, that cyber operators working on behalf of national intelligence services would come to stand trial in a U.S. court. It's even unlikelier that their home government would decide to extradite them to the U.S. But such indictments are thought to serve diplomatic purposes, and also to introduce some friction into the operation of hostile intelligence services. Individual operators are thought to become less focused, less aggressive, when they consider the possibility that the famously dogged FBI has identified them as the person behind the keyboard. As we post, the expected indictments have yet to appear. We'll continue to follow the story.

ISIS continues to worry about recent security breaches, including, but not limited to, the USB drive with caliphate HR information that a disgruntled jihadist turned over to Sky News and apparently to various Western intelligence services. The disquiet is thought to extend from command levels down to individual fighters. The individual jihadists are increasingly asking who's minding the security store. How the intelligence services of countries opposing ISIS make use of the leaks remains to be seen. For now, however, the narrative of competence and effective, religiously sound governance ISIS has been at pains to build seems to have taken a bit of a shaking.

Hamas returned to the information wars Friday. The Palestinian Sunni group hacked the Israeli version of the Big Brother reality television show, displaying images of objectionable Israeli actions and animations of Hamas car crash and knife attacks, accompanied by threatening pro-Hamas text.
Security researchers offer some interesting proofs of concept and critiques. Jose Carlos Norte has written JavaScript code that, by extracting information about user behavior and resources, seems to offer the prospect of de-anonymizing Tor users. He hopes Tor developers will take the threat seriously, and they apparently have, closing off this particular form of fingerprinting. In the meantime, if you're a Tor user, you might consider disabling JavaScript in your browser.

Insofar as critiques are concerned, Google Project Zero researcher Tavis Ormandy, speaking for himself and not Google, claims that across the sector, cybersecurity firms are too retro, too 1990s, for the proper security of their own code. He grouses that many of these firms, with Comodo being a recent but by no means unique example, often receive industry-awarded quality certifications. To say Ormandy is skeptical of such certifications is to put it mildly. He writes in his blog, quote, "Something has to change soon. The next Slammer or Code Red isn't going to target IIS or MSSQL. The security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient code bases with no awareness of modern security practices. It's still hacking like it's 1999." End quote. He invites industry commentary on his assessment.
Phishing continues to be a preferred tool of cybercriminals. Recent hospital ransomware infections are examples of the technique's success. So are ongoing campaigns to pilfer taxpayer information from corporate payroll departments. We spoke with Joe Carrigan of the Johns Hopkins University about the phishing threat. We'll hear from him after the break.

If attention to detail and skepticism about email are the beginning of wisdom concerning phishing, we see another positive example in the recent attempt at a billion-dollar electronic heist targeting the Bank of Bangladesh via the U.S. Federal Reserve Bank in New York. Misspellings in wire transfer requests set the spider-sense of Deutsche Bank employees tingling, and that stopped the theft from becoming more serious than it proved in the end to be.

In industry news, cyber stocks rallied late last week, but there are plenty of signs investors are taking a more nuanced view of the sector. Tech industry layoffs and the imminent demise of Norse, whose directors are now engaged in selling off the former story stock's assets, are inducing investors to take a closer look at more classical indicators of value. Passcode reports that Norse's creditor foreclosed on it last week after Norse's board decided that the company was no longer viable.
In the U.K., the opposition Labour Party warns the government that the pending legislation over surveillance powers will need substantial overhaul before it stands a reasonable chance of passage.

In the U.S., President Obama appeared at the South by Southwest tech conference last week to mixed but on balance skeptical reviews. He tried to strike an ironic note even as he strongly backed his Justice Department's stance on encryption. It's worth noting that his Defense Department, including NSA, doesn't share that stance, and has recently even sounded surprisingly techno-libertarian, but that wasn't the White House line at South by Southwest. The case in which the Justice Department is seeking to compel Apple's assistance in brute-forcing an iPhone used by a San Bernardino jihadist continues to work its way through the courts. That case seems about to be joined by a similar one in which the Justice Department seems ready to clash with Facebook over WhatsApp encryption.

North Korea has denounced South Korean allegations of widespread DPRK cyber espionage as scurrilous fabrication and provocation, specifically "BS fabrication," which shows that either Pyongyang or its translation services have a pretty strong mastery of demotic American idiom. There's nothing to it at all, says Pyongyang, just more of the usual warmongering from Seoul. We are content to leave judgment of the competing accusations' credibility as an exercise for you, our listeners.

Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Joe, I want to just go through an overview of phishing and the various types of phishing for our audience. Let's just start off with phishing.

Okay, so phishing is a – I guess it's kind of an older attack now. It's been around for a while. It's like a social engineering attack. I send out an email that looks like a legitimate email and it has a link that is not a legitimate link. And it got its start as a banking scam to get people's login credentials for their bank. It would look like it came from their bank and the link would look like it was a link to their bank, but the link wouldn't be a link to the bank. And then you click on the link, and the web page would look like the bank web page, and it would ask you for your login credentials. And then the attacker would have your bank login credentials.

So let's go through some of the other types of phishing. There's spear phishing.

You can think of that as the same kind of thing. Phishing you can think of as casting a broad net. I'm going to send a bunch of emails out, and maybe I'll get five or six people to respond out of 1,000. Spear phishing, each email I send is targeted to a specific individual in the hopes of increasing my return rate. And it may look like it comes to you from somebody you know or from somebody you have experience in dealing with.

And there's a recent addition to the phishing collection, and that's whaling.

That's right. Whaling is where I'm spear phishing, but now I'm spear phishing somebody who I know is important. I can't talk about too many details, but I have heard a story about a CEO that was targeted by a spear phishing attack, and I saw the email. The email was very convincing and very well-crafted. These spear phishers and whalers are getting very good at their craft and very convincing.

So what's a way to guard yourself against this kind of thing?

Just be very paranoid and very suspicious of everything you get. If I get emails from people I know and it's asking me to click on a link and I'm not expecting that email, I pick up the phone and I call them. I say, hey, did you send me this email?

Also important to note, don't call the number that may be in the email, because that phone number might be fake as well.

That is correct. Don't call that number at all. Call the number that you have on file or look them up on the Internet or in a phone book.

You still have a phone book.

That's right.

All right, Joe Carrigan, thanks for joining us.
Eric, and thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.