CyberWire Daily - Daily: Ransomware spreads (backup or pay up?). Safe travels. FTC, NFL embarrassed.
Episode Date: June 9, 2016
In today's podcast we follow the latest news and trends with respect to ransomware, now the hottest commodity on the black market, and still able to fetch between $15,000 and $20,000 an extortion. Twitter credentials join VK's in the criminal souk; both sets may have been harvested via earlier breaches in other social media sites. NATO looks into cyber collaboration, workforce development, innovation (Estonia hints low budgets can drive creativity), and the risk of strategic surprise in hybrid warfare. Cylance becomes the industry's latest unicorn with a big Series D funding round. The Johns Hopkins University's Joe Carrigan helps us plan our backup strategy, and Scott Petry from Authentic8 offers suggestions for safe browsing while traveling.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransomware scores in Alberta and it's low-cost and low-risk elsewhere, too, so back up your files.
Twitter credentials turn up for sale on the dark web, although Twitter itself seems not to have been breached.
Old LinkedIn compromises are being used to craft spear-phishing campaigns in Europe.
This week's NATO conference takes up cyber workforce development, surprising approaches to innovation,
the need for more cooperation, and the risk of strategic surprise.
Cylance becomes the cyber sector's newest unicorn,
and there's another cyber fumble in the NFL.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, June 9, 2016.
Ransomware spreads as this low-cost, low-risk caper continues to grow in popularity
among the criminal element. This week, Canada's University of Calgary is one of the latest victims
to pay up, sending $20,000 Canadian, that's about $16,000 U.S. dollars, to extortionists who locked
up its systems. As we've seen in the Hollywood Presbyterian incident, the decision to pay was
a cost-benefit one.
One university official said,
And the easiest way to avoid that was to pay the ransom.
The attack was discovered on May 28th.
The university hasn't said what strain of ransomware was involved, and Calgary police are investigating.
Over the weekend, more than 100 million VK credentials turned up for sale in the dark
web.
At midweek, users of another social media platform, Twitter, faced a similar problem.
32 million Twitter credentials are now up for sale.
The handle associated with this theft, tessa88 at exploit.im, also appeared in connection with the VK breach.
It seems that the problem in this later case is not Twitter's,
and Twitter has been actively tweeting that it's investigated
and is confident that it hasn't itself been breached.
Suspicion currently focuses on a connection between these Twitter users
and the old breaches of LinkedIn, MySpace, and Tumblr.
That old breaches can continue to do damage for years may be seen not only in this incident,
but also in a spear phishing campaign currently afflicting Europe.
Data from the LinkedIn breach is being exploited to craft unusually specific
and convincing messages to closely targeted victims.
It's worth noting that Twitter credentials seem to fetch a higher price than corresponding data from VK.
The hacker asked for one Bitcoin, about $570, for all 100 million-plus VK accounts,
but Tessa88 wants 10 times this amount, according to reports, for Twitter data.
10 Bitcoin, roughly $5,800.
Issues of cyber workforce development continue to worry both industry and government.
They've come up at NATO talks underway in Estonia,
and industry continues to nag schools to do more to inspire and develop students for careers in the field.
Some see generational problems here.
The U.S. White House, for example, laments that its lagging technological setup
makes it hard to recruit millennials to work there.
They think the president's IT is, as the kids say, lame.
There's also a view abroad in the travel industry that millennials are particularly vulnerable
to cyber threats faced by travelers, because millennials are particularly accustomed to
and dependent on internet access.
But travelers of all ages face risks when they're abroad.
We spoke to one expert, Authentic8's Scott Petry,
about some of the measures people might use to protect themselves while they're traveling.
My advice to my friends if they're using a mobile phone is to shut off Wi-Fi.
I don't auto-join any network because of the embarrassing ease with which a Wi-Fi network can be spoofed.
It's very easy for me to run something called a rogue access point. I can
basically publish my Wi-Fi router with that same name or that same SSID of that network, and your
phone will automatically connect to my network. So your access point into the public internet would
be through the Wi-Fi node that I control, and that would give me the ability to sort of break open
your data and start snooping your information, in a worst case, potentially even steal your information.
And of course, it's not just your Internet access point that's vulnerable.
Your web browser itself is a common threat vector,
and Petry and his team at Authentic8 have what they say is an effective solution.
Run your browser from the cloud.
The list of vulnerabilities in accessing internet services is really endless.
And what we've done is we've said, let's keep all of the web code, all of the HTML,
all of the JavaScript, all of the Flash, all of the cookies and trackers off of the user's device.
We run a disposable browser in the cloud on our servers, and then we provide a high-fidelity display of that browser session
to the user's device. So the only thing that's reaching the user's device is a display of that
remote browser session, so they're keeping themselves away from any exploitive code.
And to tie it together with the Wi-Fi story, we speak over a point-to-point encrypted protocol
so that we know that the client we're presenting
the data to is actually the client and there's no one in the middle trying to snoop the packets.
So we've designed this to be as close to end-to-end secure for accessing the internet
as can be developed, even to the point where you can use an infected PC over a corrupted Wi-Fi hotspot, and none of your data
is going to be exposed because it's securely speaking our protocol to the browser that's
running on our servers.
That's Scott Petry from Authentic8. That's the word authentic and the number eight.
At NATO's conference, senior officials of the Atlantic Alliance don't like
the way they've been surprised by mostly Russian initiation of hybrid warfare in recent years.
They're looking for better use of intelligence products and improved intra-alliance cyber cooperation.
Estonia, which has long punched far above its weight in cybersecurity, had pointed out that budget constraints can breed innovation.
They've found that if you have less to work with, you're often forced to be more creative.
But money does continue to flow into the cyber sector.
Despite some rocky IPOs and reports that venture capital is becoming more skeptical,
the industry this week welcomes its newest unicorn,
as Cylance's Series D round puts the company's valuation above $1 billion.
The chief technologist of the Federal Trade Commission,
the agency that's aggressively pushing to become one of the biggest U.S. enforcers
of cybersecurity law and policy,
shared her own recent experience of identity theft.
Someone apparently walked into a phone store and hijacked her mobile number.
The thief used a fake photo ID.
The FTC advises victims of such fraud to
report it to identitytheft.gov. And finally, listeners to American Sports Talk Radio,
and you know who you are, will have heard Tuesday's and Wednesday's kerfuffle over the
National Football League's apparent tweet that the league's commissioner had passed away. It was,
of course, a hoax, an unfunny joke.
Commissioner Goodell is alive and well.
How the NFL's account was hijacked remains under investigation,
although the league has recovered control of its Twitter presence.
The credentials seem to have been compromised by some miscreants,
as Dark Reading calls them, calling themselves the Peggle Crew,
and possibly associated with a now-suspended Twitter account,
IDissEverything. The compromise may have been enabled by hacking an NFL staffer's email.
The NFL Twitter account's password is said to have been Olsen3CulverCam88,
which Ars Technica sniffs at as weak. Still, it seems to us, than da, da, da.
And joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute.
Joe, when it comes to backup, you can back up locally, you can back up to the cloud.
That's right.
You could do both.
You can do both.
What are the pros and cons of each of those methods?
You should do both.
That's first.
All right.
The pros and cons are you're kind of defending against two different eventualities.
First off, you should be backing up your data.
Eventually, your hard drive is a
physical device. It's going to crash. It's going to fail at some point in time. It's a ticking time
bomb, as they say. It is. They wear out. So if you have a backup locally, let's say you have one of
these little external drives, or maybe you actually are talented enough to set up a RAID array in your
house where you can keep these files
off of your machine and onto another machine, that protects you from a hard drive failure,
but it doesn't protect you, say, from your house burning down.
So if your house burns down, of course, the first thing that happens is the fire department
shows up and they spray water everywhere.
That's generally not good for electronics.
So there's also a cloud backup solution.
There's a number of different providers
out there that provide backup where they encrypt your files online. And these are all big companies
and they're people you can trust with your data, I would suppose. But there have been cases where
these companies have just stopped functioning or actually gotten hacked in the case of one company called Code Spaces,
which was a code repository for collaboration and also for backup of source code.
Somebody got their credentials to their Amazon cloud.
They were running in the Amazon cloud and just deleted all the machines for that company,
essentially just destroyed the company and took everybody's backups and destroyed them.
So you're really putting your fate in someone's hands.
If that cloud service provider has some sort of catastrophic failure or some kind of major
security breach, you could be subject to that as well.
That's right.
And that is the risk with these cloud storage providers is a security breach.
Of course, that's also going to be dependent upon you as the user of these servers to make
sure that you behave in a way that is more secure than
anybody else, really. And I guess that's kind of what you're hoping is that you're the guy that's
hard to guess his password so they don't bother you because there's hundreds of people out there
whose passwords are easy to guess. Right, right. I don't have to outrun the bear. I just have to
outrun you. Exactly. So really, a belt and braces approach. Good to have both local backup and cloud storage.
Why not?
These things are inexpensive and readily available.
Very cheap.
Yeah.
All right, Joe Carrigan, good advice as always.
Thanks for joining us.
My pleasure.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.