CyberWire Daily - Daily: ISIS shows a slightly different face in cyberspace. BITAG issues advice to the IoT industry. Jackpotting and carding investigated.

Episode Date: November 23, 2016

In today's podcast, we hear about how ISIS is making its way, quietly, back into the cyber news (and how the Australian Signals Directorate is on the case). The Broadband Internet Technology Advisory Group wants the IoT industry to face some unpleasant facts, and the security industry calls for standards. Europol finishes its second sweep of money mules. ATM jackpotting spreads in Europe and Asia. India suffers a wave of carding. Joe Carrigan from the Johns Hopkins University Information Security Institute reports back from the NICE Conference. BBC Journalist and Author Gordon Corera is our guest, discussing his latest book, "Cyber Spies - The secret history of surveillance, hacking and digital espionage." And security experts warn us all to be cyber savvy on Black Friday.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Starting point is 00:01:56 ISIS makes its way quietly back into the cyber news, and the Australian Signals Directorate is on the case. The Broadband Internet Technology Advisory Group wants the IoT industry to face some unpleasant facts, and the security industry calls for standards. Europol finishes its second sweep of money mules. ATM jackpotting spreads in Europe and Asia. India suffers a wave of carding. And security experts warn us all to be cyber-savvy on Black Friday.
Starting point is 00:02:35 I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 23, 2016. ISIS hasn't left the news, but its activities have recently been eclipsed by election hacking, national privacy and censorship policies, and of course, risks of retail cybercrime. And we'll have observations on that cybercrime shortly. But ISIS shouldn't be forgotten. Its online recruiting continues, with disturbing rumors of attempts to quietly and surreptitiously recruit technical talent from schools and universities. The group is also showing signs of following a trajectory familiar with maturing terrorist groups. Its online activities are increasingly difficult to distinguish from for-profit criminality. This shift can be seen in ISIS tactics, too.
Starting point is 00:03:14 The familiar howling of inspiration to the lone wolves is still there, but observers are also seeing an upswing in phishing and spamming. ISIS opponents haven't been idle in cyberspace either. Australia's Prime Minister Turnbull yesterday told Parliament that yes, the Australian Signals Directorate has indeed been engaged in offensive cyber operations against the Islamic State. He declined to give details for obvious reasons of security, but he also cautioned businesses and individuals to remain on their guard. In the U.S., disagreement over U.S. Cyber Command's conduct of operations against ISIS is said by some to have contributed to rumored discord between the current administration and the Director, NSA.
Starting point is 00:03:57 As businesses continue to face a range of cyber attacks, various organizations and standards bodies continue to propose measures that would offer both carrots and sticks as incentives for better enterprise security. The hoods themselves are taking notice of these stick-side incentives. Heimdal Security sees signs that ransomware purveyors are adding the threat of regulatory and legal penalties to their extortion notes. Since the Internet of Things has now been proven to contribute to the risk of cyberattack, particularly distributed denial-of-service attacks, the Broadband Internet Technology Advisory Group, BITAG,
Starting point is 00:04:32 believes it's time the IoT industry faced what BITAG considers some unpleasant facts. First among these facts is this. Forget about end users actually updating the software on their devices. It's just not going to happen. So BITAG recommends that industry build mechanisms for secure, automatic updating into their devices. BITAG is influential. It was founded in 2010 by industry leaders including Google, Intel, Verizon, Comcast, Microsoft, and Time Warner Cable. The Cyber Wire received reactions to the report from Synopsys and Rubicon Labs.
Starting point is 00:05:07 Rubicon's Rod Schultz called the recommendations comprehensive and insightful, but short on incentives. Quote, The challenge is that the power of the IoT is rapidly being realized and so far its velocity is not impacted by security. A Hammurabi code for IoT security needs to come with consequences, and unfortunately these recommendations may simply go down in history as aspirational dreams. Mike Ahmadi of Synopsys Software Integrity Group also had a mixed reaction.
Starting point is 00:05:37 While I certainly applaud efforts to set guidelines for addressing security in IoT devices, I remain concerned by a complete lack of baseline verification and validation of cybersecurity, end quote. He thinks some form of certification is in order and necessary if guidelines are to ultimately have effect. Europol has released more details on its recent sweep of money mules. The second European money mule action ran last week from the 14th to the 18th of November 2016. Some 580 suspects were identified and 380 were interviewed, leading to 178 arrests. The international police agency says it made the arrests with the cooperation of
Starting point is 00:06:18 authorities in 16 European countries and the assistance of the U.S. Secret Service and FBI. 106 banks and other private partners also supported the operation. The mules were implicated in crimes that inflicted an estimated 23 million euros in losses. The other major long-standing cyber crime wave currently under international investigation involves jackpotting, that is, manipulation of ATM firmware to induce the machines to kick out large quantities of cash, like a one-armed bandit disgorging a jackpot. Russia-based security firm Group-IB, which has been investigating, says the Cobalt gang has been jackpotting ATMs in Europe and Asia. A great deal of the activity has occurred in former Soviet republics. The crime wave has
Starting point is 00:07:04 been in progress since July of this year. The boot trap group has earned its own notoriety for hitting ATMs in Thailand and Taiwan. Indian authorities are dealing with their own crime spree, and this one looks more like conventional carding. Some 3.2 million pay cards are thought to have been compromised. The police are looking into it, and consumers are advised to pay close attention to the security of their accounts. In the U.S., we're just two days away from the oddly named Black Friday, by recent tradition the door-busting start of the holiday shopping frenzy.
Starting point is 00:07:36 The Americans aren't alone here either. Thanksgiving may be an American holiday, but shoppers are hitting their stride elsewhere as well. And there's no shortage of advice on staying safe over the long weekend and into the new year. You'll find a full sampling of that advice in today's CyberWire Daily News Briefing, so please read and heed. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:08:18 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
Starting point is 00:09:25 designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, nice to have you back. I know you recently attended the NICE conference. You wanted to share some of the things you learned from there. First of all, tell us, what is the NICE conference? The NICE conference is for the NICE program, which is the National Initiative for Cybersecurity Education. Within NIST, which is the National Institutes for Standards and Technologies, all these great government acronyms.
Starting point is 00:10:19 That's right. One of the things that the NICE project does is they release the NICE framework for cybersecurity education. They just released a new draft and that's actually open for public comment. If you go to the NICE website at NIST, you can download that, read it and actually comment on it if you are so inclined. And you came back having some insights. There were some interesting discussions that you were part of. Yeah. One of the most interesting things that I found was this is a meeting of people in government, academia, and business. And there was a general consensus of something I've suspected but haven't really been able to articulate. In cybersecurity, there is a real disconnect between the employee pool, the recruiters,
Starting point is 00:11:08 and the hiring managers. And I'm not saying there isn't a shortage of cybersecurity workers. There is. But there's also this disconnect. I heard this horror story where there was a position that was opened, an entry-level position. The hiring recruiter listed a CISSP as one of the requirements for this entry-level position. The CISSP is a credential that takes five years in the industry before you can hold the credential. So this is a recruiter who doesn't understand the industry. And this is not unique to cybersecurity, in my experience. This is fairly common across a lot of technical fields. So let's back up and dig into that a little bit.
Starting point is 00:11:48 I mean, so basically they're saying it's sort of a catch-22 because they're saying this is an entry-level position with an entry-level salary. However, we're going to require that you have this experience credential that usually pays a lot more, that usually requires a premium of the employer to the employee when they have it. And then they wonder why they aren't getting it. And then they wonder why they can't fill the position. Right, I see. Interesting. It's because nobody with a CISSP is going to even apply for an entry-level position
Starting point is 00:12:15 because they've already got, at a minimum, five years' experience in the field. So, I mean, to be fair, certainly we can't put the blame on all recruiters. I'm sure there are some out there who are up on these things. They're being successful in hiring. But what you're saying is that when there is this sort of disconnect, that this disconnect exists. It is a real thing. Yes, it is. People are talking about it.
Starting point is 00:12:36 It's a big enough deal that it was being talked about at this conference. And so it's an area where people need to be aware and try to fix it. What I think it is, I'm not disputing the problem that there's not enough people in STEM and in cybersecurity. Right. But I think that this situation, this disconnect that we're talking about, just exacerbates that problem. Ah, gotcha. All right, Joe Kerrigan, thanks for joining us. My pleasure.
Starting point is 00:13:07 My guest today is Gordon Carrera. He's a journalist with the BBC covering national security. His latest book is Cyber Spies, The Secret History of Surveillance, Hacking, and Digital Espionage. On Tuesday, November 29th, Gordon Carrera will be appearing at the International Spy Museum in Washington, D.C. to discuss the book. The preface of your book starts with the sentence, the computer was born to spy. Explain what that means. Well, I mean it in two senses. One is that if you go back into the history of it,
Starting point is 00:13:36 the first computer in what many people consider to be a computer, a semi-programmable machine, electronic machine, was in my mind built at Bletchley Park and it was built to help with spying. So it was a machine called Colossus built in Britain to help with code breaking one specific area of spying. So in that sense, the computer, the first computer was born to help with spying. But then I think in the more general sense, what I mean is that computers are uniquely useful for and vulnerable to spying and espionage. In other words, there's something intrinsic to computers and especially networked computers that makes them valuable to spies and also vulnerable to being spied on by other people. And I think that history, that spying and computers are intrinsically linked, and there's an interwoven history there
Starting point is 00:14:32 right from the last 70 years through to today, which I think explains much about cybersecurity. I think certainly there's this Hollywood notion of spying, of this sort of gamesmanship, you know, James Bond and Mission Impossible, those sorts of things. How much do those align with the reality? Well, I think, you know, I think for a long time, the public perception of intelligence work was, you know, out of sync with the reality. And I think, you know, for a a long time people still in the popular imagination had
Starting point is 00:15:06 the visions of john le carre and kind of documents uh dead drops for documents or they had the vision of james bond and and their kind of guns and fast cars and it took a long time really for the popular imagination understanding to catch up with what data and technology had done to spying. I mean, and it's interesting, it took a while for the spies to really understand what data was going to do to them. I mean, if you look at the world of human intelligence, so put aside the kind of NSA and GCHQ and the electronic signals intelligence, I mean, data has been transformative for human spying
Starting point is 00:15:41 because, you know, 10, 15 years ago, suddenly these intelligence agencies like the cia like mi6 realized that all the ways they operated um were no longer going to be possible so you couldn't just pick up a passport and a false name and travel to another country anymore to meet an agent because suddenly there were biometric databases. Suddenly people were going to do online searches and look at your social media to see whether your cover, whether your legend stood up. And so suddenly there was this realization that actually the data trails people left were going to fundamentally transform the spying business. And so even the old world, if you like, of human intelligence has now been totally transformed by technology and by data. And it's enabled it in some ways, but it's also challenged it enormously.
Starting point is 00:16:34 And effectively, only those who can adapt to that will survive in the future. Because in a data-rich environment, if you don't know what data trail you're leaving you can get caught if you're a spy but also if you understand how to exploit data you can find the people you're after the potential agents you want to recruit much better so that's just the world of human intelligence let alone the kind of the speed at which the technical intelligence world the signals intelligence world has changed over the last few years where they are constantly trying to keep on top of the data volume, the data velocity, the variety of different applications people are using. I think about how people are encrypting their day-to-day communications today. Things like iMessage has end-to-end encryption. Your book mentions that there was a meeting at Stanford
Starting point is 00:17:21 in the 70s that was a bit of a turning point when it comes to these sorts of things. That's right. And I think, you know, this, this, you hear the talk about the crypto wars that are going on at the moment and this battle over how far there should be strong encryption and end-to-end encryption available to people in the 70s. And I talked to Martin Hellman and Whit Diffie, who went on to develop one of the most famous public key encryption techniques, and who were at this meeting in Stanford, effectively over the table from people from the NSA who had come over to talk to them and to have this debate about how strong encryption should be that the public could use.
Starting point is 00:18:09 And back then, I mean, this was a huge battle and Diffie and Hellman were there arguing that people could not trust the state and therefore they needed to have stronger encryption and to be sure there were no back doors in it and to be confident about it. And actually, you know, when you read the the because the transcript and the audio of that meeting still survives it's very interesting because the context is watergate and and a concern over how the states
Starting point is 00:18:34 might exploit that information and a fear about it and on the other side of the table you've got veterans of the NSA one who'd been actually in World War II, who is offended by the idea that he might be breaking codes in order to spy on the American people, in his mind. It's something that's vital for national security because enemy actors, you know, adversaries are using the same forms of encryption. And if they're released into the wild, then into the public, then those adversaries will be using them. So, you know, these battles about encryption, which I think is absolutely central, go back decades. And that Stanford meeting, I think, is a really important starting point. As you were writing the book, were there any things that surprised you or provided unexpected insights? I think it surprised me
Starting point is 00:19:19 how deep the history was of cybersecurity and computer security. I mean, we think of them as very recent terms and cyber being something that's kind of last 10 years. But as I said, if you go back, you can find computer security way back in the 60s. And some of the reports like this famous Anderson report written for the US government in the early 70s actually outlines much of what people worry about today and this was kind of 45 years ago and I think you know if you look at some of the phrases
Starting point is 00:19:53 about big data and exploiting big data and understanding anomalous behavior it's talked of as if it's very new actually the intelligence agencies were doing this in the cold war with soviet communications and doing traffic analysis and large-scale traffic analysis. So I think what was interesting writing it was understanding what's really new and what's not new, and we just kind of think of as new because we didn't really understand the history enough. That's Gordon Carrera. He'll be discussing his book, Cyber Spies, next Tuesday, October 29th at the International Spy Museum in Washington, D.C. And now, a message from Black Cloak.
Starting point is 00:20:41 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:21:26 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
