CyberWire Daily - Daily: Paranoia-as-a-service? Cyber con jobs.
Episode Date: April 27, 2016
In today's podcast, we hear reports of success in the cyber war against ISIS. Inquiry into the Bangladesh Bank hack continues; the threat actors behind it may have additional capers in the works. Android malware flourishes, and so does a vigorous underground extortion market. The FBI says it doesn't know what vulnerability was exploited to open the San Bernardino iPhone, and that it doesn't want a hacking arms race with criminals and terrorists. Ferruh Mavituna from Netsparker shares some wisdom on app security, and Jonathan Katz from the University of Maryland explains program obfuscation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
recruiting, and retention. ISIS supporters form a new cyber attack group. Investigators continue to explore the Bangladesh bank hack and its connections to the SWIFT network. Extortion by ransomware, doxing, locking, DDoS, or pure gas rises in the criminal element's favor. The FBI says it won't disclose the vulnerability exploited to unlock the San Bernardino jihadist iPhone because it doesn't know what the vulnerability is.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, April 27, 2016.
Those listening for reports of progress in the cyber war being waged against ISIS heard some from U.S. Air Force Major General Peter Gersten, a deputy commander for Operation Inherent Resolve, the U.S. effort against ISIS in Syria and Iraq. He said yesterday that the inflow of ISIS recruits has dropped over the past year from a monthly average of between 1,000 and 2,000 to roughly 200 today. Desertion rates are also said to be up. The ISIS manpower shortage is regarded as a clear indicator of low morale.

So, anyone who's been wondering why the U.S. has recently been as open as it has been to discussing cyber operations against ISIS may now have their answer. The drop in recruiting and retention is partially accounted for by direct combat losses and the fear such losses inspire in both current and prospective jihadists, and partly by ISIS's increasing poverty and inability to pay fighters, caused both by financial sanctions and, again, direct kinetic action.

To return to cybercrime proper, the SWIFT financial transaction network continues to mop up security issues revealed by investigations into the Bangladesh bank hack. It's working to help its customers upgrade security while reassuring them about the fundamental reliability of the funds transfer network. The Financial Times reports that FireEye, which is investigating the incident, is hinting, in FireEye's dark and knowing way, that there are signs that the threat actors behind the theft are actively targeting other banks. FireEye is probably right.
We heard from Frederik Mennes, Senior Manager of Market and Security Strategy at VASCO Data Security, who observed that there were many ways that the local SWIFT client in Bangladesh could have been compromised. He offered some advice for any SWIFT Alliance member: "Always rely on strong user authentication mechanisms," he said, "rather than usernames and static passwords."

Android malware retains its regrettable and rising popularity among the criminal element. Russian mobile users are being affected by RuMMS, that's R-U-M-M-S, which spreads by SMS phishing. FireEye researchers warn that RuMMS is after customer banking information, credentials, and of course, balances. On the ransomware front, Kaspersky does some good work by breaking the CryptXXX ransomware and making decryption tools available to the victims. So bravo, Kaspersky.

As we come to rely more and more on apps, particularly on our mobile devices, the security of those apps continues to be a growing concern. We spoke with Ferruh Mavituna, founder and CEO of Netsparker, about the challenges in developing secure apps.

"The technology is rapidly changing. Security is almost always an afterthought. You first try to deliver stuff. Later, you say, OK, also, we need to make this secure. So it's an afterthought. And that's a huge problem, because security should be part of the process. In addition to all these challenges, now we have this new startup culture. And even the big companies such as Facebook and Google are adopting the very same startup culture: you need to be agile. That means you need to develop faster, you need to deploy faster. And when that happens, you sacrifice security most of the time."

According to Mavituna, designing secure apps is partly process and partly culture.

"Application security is insanely complex right now. The first thing you need to think about: okay, how can I design it securely, rather than let's build it and then see if it's secure. So, you know, just change that mindset, training your developers to develop secure code and put that security culture into the development."

Netsparker's website is netsparker.com.
Extortion is indeed rising in cyber criminals' favor, but not all extortion takes the form of classic ransomware like CryptXXX, encrypting files and withholding keys until the marks pay up. Some extortion involves doxing and uses it to blackmail people in ways anyone who's watched film noirs would immediately recognize. Cymmetria's been taking a look at one dox market, Ransombin, and says, "This one truly stands out. It's a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or Airbnb." Ransombin also provides a way for victims to pay up. Cymmetria's not sure yet who's behind Ransombin, but they think the site's language and style give off an American vibe.
The crypto range wars between defenders of security and defenders of privacy are somewhat quieter of late, at least so far this week, but U.S. FBI Director Comey fired a little H&I program yesterday at Georgetown. While the Bureau did succeed in getting into the San Bernardino jihadist iPhone, Director Comey said, quote, "I don't see us becoming a prolific hacker being the answer to our public safety problem," end quote. That approach just won't scale. The Bureau has also said that it won't tell Apple about the vulnerability the FBI's hired whitish hats exploited to get into the phone. And why not? Because, the Bureau says, it doesn't know. And why doesn't it know? Apparently because it didn't think it appropriate to ask, because then it might have to disclose the vulnerability. Anyway, the Bureau says, it stands to reason that vulnerability has a short shelf life and that Apple's probably patched it already. But one wonders, if they don't know how the phone was hacked, how can they be so sure it was hacked?
In any case, one awaits an account of what it was investigators found or didn't find in that famous iPhone 5C.
I'm joined by Jonathan Katz, Professor of Computer Science at the University of Maryland and Director of the Maryland Cybersecurity Center, one of our academic and research partners. Jonathan, I want to ask you about program obfuscation. It's not just a fun word to say. It's an important element of computer science.

"Program obfuscation is a technique that's been around for decades. And the basic idea is that it allows you to take the source code for a program and transform it in such a way that somebody else can still execute the program. They actually get working source code that they can compile and then run that will have the same functionality as the original program, but with the guarantee that they can't figure out anything from the source code about how the program works. They basically can't figure out anything about what the program is doing other than what they might have already known. All they can do is run the program, feed it inputs, and get back corresponding outputs, and they can't learn any of the underlying, as it were, trade secrets about how the program was developed."

So it sounds good in theory, but it's my understanding that there are some challenges associated with it?

"Well, there was a big breakthrough about a year ago when cryptographers developed the first mechanism for program obfuscation that could be proved secure in some sense under some relatively new cryptographic assumptions. And the community has been really excited by this development. And in fact, there's even a DARPA program now funding work in this direction. But unfortunately, this work is still very much in flux. Right now, the schemes that exist are highly inefficient. And even worse than that, there have been some recent results demonstrating that the cryptographic assumptions that people are using to prove security of these cryptographic obfuscators may not be as hard as originally thought."

So what are some of the practical applications of obfuscation?

"Well, one example is that you could obfuscate a program that contains a secret key inside of it. So, for example, you could imagine embedding a secret key inside of a program that would encrypt some incoming encrypted emails and only decrypt them if they satisfy some particular condition. And if you gave somebody that program without performing obfuscation, they would be able to look inside the source code and extract the key and then encrypt all your email. But if you obfuscate the program first, then you could hope that the secret key would be hidden. The person would not be able to look inside the source code anymore and obtain the secret key. But nevertheless, they would still be able to use the program to decrypt emails that satisfy that condition."

Jonathan Katz, thanks for joining us. And if you have a question for one of our experts, we'd love to hear it. Send your questions to questions at thecyberwire.com.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.