CyberWire Daily - Daily: Ransomware threats. Industry (mostly good) news. US State Department IG reports on email.
Episode Date: May 26, 2016
In today's podcast we hear about security in international banking, some developments in the world of malware, and how presidential impersonation and a big loss cost a CEO his job. Analysts like some of the bigger cyber players (and they're waiting for Palo Alto's results tonight). VCs back three security companies with new funding. The State Department IG's report on email retention and security is out. DARPA wants to secure legacy IT systems, and US SOCOM wants innovative cyber tools. Dale Drew from Level 3 Communications walks us through the negotiations of ransomware, and Danny Rogers from Terbium Labs explains how to search for something when you don't know what that something is.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Banks think hard about shoring up their security.
Neutrino's back, and a DNS campaign is serving up the Poison Ivy RAT.
Cyber espionage infests Indian government networks.
A CEO loses his position over a costly email scam.
Analysts look with tentative favor on cyber stocks and wait for Palo Alto's results.
Startups close VC funding rounds.
The U.S. State Department's IG releases results of a major investigation of State's email retention and security.
And U.S. SOCOM is looking for innovative cyber tools.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 26, 2016.
Fallout from the cyber looting of the Bangladesh Bank continues.
SWIFT's CEO tells a major financial conference that the incident was, as he put it, a big deal.
Gottfried Leibbrandt outlined measures the funds transfer network wants its clients to take
to shore up security and reduce the chances of another large-scale fraudulent transfer.
Banks in the Middle East and Africa seem particularly on edge.
Kenya's central bank, for one, says it has credible indicators and
warnings of an imminent cyber attack. Whether that attack would be robbery, ransom, disruption,
or doxing is unclear. The Neutrino exploit kit has been relatively quiet so far this year,
at least compared to competitors like Angler, but Zscaler has observed a spike in Neutrino activity,
the kit being actively used in a malvertising campaign
that drops the Gamarue (Andromeda) Trojan on its victims.
Palo Alto researchers have found another campaign in the wild
that's exploiting DNS for command and control.
The attacks, which Palo Alto is calling Pisloader,
redirect victims to malicious sites
where they're exposed to the familiar Poison Ivy remote-access Trojan.
India's government has been among those receiving the ministrations of the people behind the
Danti cyber-espionage campaign.
Kaspersky says that the threat actors (so far not formally attributed, but signs point
to Chinese speakers, so you decide) may have established pervasive persistence in government networks.
They may also be able to spoof, convincingly, emails from senior officials.
Such email spoofing is also used, of course, in criminal phishing,
specifically in what's known as a business email compromise.
Austrian aerospace components manufacturer FACC
was recently the victim of a business email compromise,
disclosing on January 16 that it lost 42 million euros when an employee transferred those funds to a bogus account
on the authority of a spoofed email purporting to be from CEO Walter Stephan.
Observers are calling this kind of scam presidential impersonation.
On Tuesday, the company's board voted to remove Herr Stephan from his position,
making this the latest case of a CEO's ouster over a cyber incident.
Not all the industry news is bad, however.
Stock analysts are commenting favorably about Cisco, which posted good results last week,
and FireEye, whose story they find newly compelling, again.
Palo Alto reports its results tonight, and they're being awaited with considerable anticipation.
Celebrity stock picker Jim Cramer, for one, promises he'll be hollering and screaming his
own sober analytical conclusions as soon as he sees what Palo Alto has to say.
And there's some movement of venture capital into cybersecurity startups as well.
Votiro has raised $4 million in Series A funding to expand its zero-day defense offerings.
Security chatbot shop Demisto emerged from stealth with $6 million in Series A funding.
Finally, password and identity management company Dashlane has not only closed a Series C round worth $22.5 million,
but also concluded a strategic partnership with credit information firm TransUnion.
When it comes to defense against data breaches, we've seen a bit of a shift in attitude in the past few years. We've gone from saying, it'll never happen to us, to saying, we hope it'll
never happen to us, to asking, what plans do we have in place for when
it happens to us? Danny Rogers is CEO and co-founder of Terbium Labs, and his view is that defense,
while still necessary, is no longer sufficient. You have to take this risk-managed mindset
where you assume that you're going to be breached in one form or another, that data will leak out
of your organization.
And instead of trying to prevent everything, you have to look at all the other things you can do on top of all the defensive measures. And so if you can't stop everything, the next best thing, of course, is quick and quiet detection.
Early in the company's history, Rogers met with a potential client that was interested in hiring Terbium to scan the internet and see if any of their private files had been shared online.
But there was a catch, a pretty big one.
We were talking to the CISO of a Swiss bank,
and he said, you know, we have this client list, for example,
that is our crown jewels of being a wealth management bank,
and we'd like you, Terbium Labs, along these assumptions,
to tell us the instant that client list leaks to the internet.
We're worried about insider threats or social engineering attacks, things like that.
Except the catch is they couldn't give us the list.
And so that sort of prompt of how do you build a search engine to find the needle in the haystack
when you're not even allowed to know exactly what the needle looks like.
We use this technique we developed called data fingerprinting to really pre-program it with whatever the client is interested in, but in this way
that they never have to reveal it to us. So it doesn't increase their risk profile. It doesn't
increase their attack surface. We don't actually store any raw data in our system. We just do what
we call kind of take fingerprints of the Internet to the tune of billions a day
and compare that to the fingerprints that we have on file of our clients' data
and then alert them in this automated way if any of it appears.
You know, trying to bring that discovery time for data breaches
down from the hundreds of days into the hours or sometimes even minutes.
That's Danny Rogers, CEO and co-founder of Terbium Labs.
Various reports show surprise over the very old IT systems in use across the U.S. government,
from the IRS to Strategic Command.
Coincidentally, DARPA has awarded a grant to develop ways of securing such legacy systems from cyber attack.
The U.S. State Department Inspector General has released a lengthy report on email security and retention practices observed at high levels in the department.
It's not pretty.
Essential findings include probable violations of record retention laws and policies, lax
security practices, a strong interest in protecting private emails from
exposure, and indications that some private servers may have sustained some sort of attacks.
Finally, U.S. Special Operations Command is looking for innovative ideas and capabilities
for cyber operations. It would particularly like to hear suggestions from industry on social media
tools. SOCOM is, of course,
engaged with ISIS in cyberspace, and the command has established an innovation lab in what the
Washington Post calls a former hipster tattoo parlor in Tampa. They're calling it SOFWERX.
That is, we guess, Special Operations Forces Works. We get the tattoo stuff, but hipster's a little surprising. But we don't know.
What are you seeing these days on Hay Street, Delta? Anyway, good luck to you, SOCOM.
Dale Drew joins me.
He's the chief security officer at Level 3 Communications.
Dale, on yesterday's show, we talked about the ransomware attack suffered by Kansas Heart Hospital in Wichita.
They paid the ransom, and the crooks came back and demanded more.
Is this how it goes these days with ransomware?
You know, in most cases, the victim will receive an email, you know, directing them to where to
pay the ransom, you know, which is typically via Bitcoin, how much the ransom is, and what will
happen once they pay the ransom, which is typically getting access to a recovery password or a
location where their data is stored.
There typically isn't much negotiation on that very first pass.
And so the victim really doesn't have a chance to talk to the bad guy and has very limited time in order to respond.
After that, once the first ransom is paid, then we see a little bit more sort of back
and forth between the bad guy and the victim, where the bad guy will then contact them back and say, you know, that simply just is not enough.
We want some more.
And then there's a bit more of dialogue because the bad guy has got to be able to convince the victim that, indeed, they will get their data back once they pay this second ransom.
And so it's an opportunity for the victim to be able to get some pretty critical information about the bad guy and live access to the bad guy, which is typically when companies like us are engaged,
to help identify where the bad guy is coming from and what group they're a part of
to be able to consult with that customer.
The bad guy will typically negotiate one or two times with the victim before either deleting the data or going on their way.
And so what are the odds of the victim actually getting their data back?
You know, I'd say traditionally it's pretty low. I'd say it's in the 10% to 15% range of a customer successfully getting the necessary information to recover their data.
So once the ransomware perpetrator has gotten you, it's too late.
So what should businesses be doing to protect themselves?
You know, the biggest thing that we can recommend is backing up your data.
A regular disciplined backup means that if your data is ever encrypted or if your
data is ever lost, you at least have access to a backup of that data to recover. So we can't
stress enough the importance of daily incremental backups of critical infrastructure and the ability
to recover desktops quickly. The other one is more traditional in the sense that it's phishing security,
meaning that educate your employees on what they should be clicking on
and how they should be clicking on it.
Because the avenue of bad guys gaining access to systems to perpetrate the malware scam
is through phishing email attacks.
And so education on what employees should click on and how they should click on it is critical.
All right. Good stuff. Dale Drew, thanks again for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.