CyberWire Daily - Daily: Sovereign mafia state? Spearphishing with Pay Commission bait. IoT risks.

Episode Date: June 6, 2016

In today's podcast we follow developments in the SWIFT-related Bangladesh Bank fraud case—more observers buy into the view that North Korea was involved. Many see anti-racketeering measures being adapted to cyberspace, with businesses improving their security by reducing their attackers' return-on-investment. Pakistani hackers spearphish Indian civil servants and install espionage backdoors. Anti-ISIS measures seem to have heightened ISIS's internal mistrust. Irongate and other IoT threats are discussed, as is a rise in hacker attention to Android. Malek Ben Salem speaks to the challenges of identity in the IoT. Zack Schuler from Ninjio makes the case for entertaining training. And OurMine tweets dadada...

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Miller Lite. The light beer brewed for people who love the taste of beer and the perfect pairing for your game time. When Miller Lite set out to brew a light beer, they had to choose great taste or 90 calories per can. They chose both because they knew the best part of beer is the beer.
Starting point is 00:00:33 Your game time tastes like Miller time. Learn more at MillerLight.ca. Must be legal drinking age. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers.
Starting point is 00:01:06 I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash Nostra, anti-racketeering and cyber criminals' return on investment, Android and malware developers'
Starting point is 00:02:14 crosshairs, IronGate's ultimate purpose remains obscure, it's not in the wild yet, but some variant of the son of Stuxnet may wind up there, Pakistan-based threat actors target Indian government officials, and who in the world would use da-da-da as a password? I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 6, 2016. As investigation into the SWIFT-linked Bangladesh Bank fraud continues, sources close to the inquiry tell Reuters that the New York Federal Reserve Bank blocked 35 transfer requests before approving the five that resulted in an $81 million loss. The first time the requests appeared, they were rejected for improper formatting. No correspondent bank was listed. The thieves then
Starting point is 00:02:56 resubmitted them with the missing information provided, at which point the New York Fed released five of them. The remaining 30, interestingly, were flagged and held pending review for potential economic sanctions violations. They were only later discovered to be fraudulent. The New York Fed, SWIFT, and Bangladesh Bank continue to dispute where the primary responsibility for the theft lies. More observers find themselves convinced by evidence developed by Symantec that the North Korean government was involved in the fraudulent transfers. The DPRK's spoor appears in malicious code linked to the Lazarus Group, widely held to be a cutout for Pyongyang.
Starting point is 00:03:34 The U.S. Treasury Department last week tightened sanctions against North Korea. Observers see the DPRK as increasingly dependent upon traditional organized crime methods to fund itself. The Diplomat, for example, describes North Korea as a sovereign mafia state. If so, expect more anti-racketeering measures to be deployed against it. Carbon Black, for one, thinks such an economic approach to cyber defense might be applicable to businesses as well. An op-ed in CSO argues that the hackers threatening businesses, mostly organized criminal gangs and rogue nation-states, are themselves best understood as business-motivated to find soft targets and reduce the time spent on attacks to the minimum. So, the argument goes, you can reduce your risk by taking steps to decrease the attacker's return
Starting point is 00:04:21 on investment. Cyber conflict in South Asia is attracting much attention in the Indian press. FireEye reported late last week that hackers operating from Pakistan successfully posed as journalists, complete with a registered but quite bogus news site, to mount a spear phishing campaign against Indian civil servants. The bait was well chosen, news articles referencing India's Seventh Pay Commission. Since the pay commission will have a direct effect on government salaries, the bait was snapped up. What the interested civil servants swallowed with it was a backdoor, specifically the BreachRAT payload. The goal of the campaign seems to be espionage. The threat group is thought to be the
Starting point is 00:05:01 same one that's been active for several years against the Indian government and Pakistani dissidents. Analysts continue to investigate IronGate, the Siemens PLC targeting malware FireEye described last week. There's still no sign that it's been used in the wild, but observers differ over what this son of Stuxnet might actually be up to. Proof of concept? Developmental article intended for use against real targets? Security testing tool? Whatever it's up to, IronGate is evasive. It keeps an eye out for VMware or Cuckoo sandboxes, whose detection stops IronGate's dropper from downloading, and it uses malicious DLL library files to record traffic. The malware also exhibits man-in-the-middle functionality that remains poorly understood.
Starting point is 00:05:46 IronGate's discovery has contributed to rising concern about the Internet of Things. So will a new report from Carnegie Mellon which ranks the 10 riskiest emerging technologies. 9 out of 10, arguably 10 out of 10, are IoT tech. Augmented reality, smart homes, enterprise 3D printing, networked dashboard telematics, smart medical devices, smart robots, smart sensors, commercial drones, driverless cars, and car communication systems. We spoke with Malek Ben-Salem from our research partner Accenture about the challenges posed by one aspect of the Internet of Things, specifically device identity. We'll hear from her after the break. Odds are you've had to sit through your share of security awareness training videos.
Starting point is 00:06:31 Some of us have even had a hand in making a few of them. And when I say training video, what comes to mind probably isn't the most entertaining thing you've ever seen. Zack Schuler is founder and CEO of Ninjio, and he wondered if it was possible to make security training videos that are both educational and entertaining. I'm still having trouble buying it. Pretty obvious to me. A copy of our movie leaks, he gets a hold of it,
Starting point is 00:06:55 and decides to shut us down the only way he knows how, with a spear-phishing cyber-attack. How much time is left? Whoever it was, they're smart. Make sure they gave us just enough time to not be able to do anything. I just had this epiphany like, wow, you know, we really have to focus on the human being. And, you know, just from personal experience, every piece of corporate training that I've ever gone through, you know, I would start it. I would minimize it on my computer. I would go about doing my email or whatever else. I would listen for audible cues to say, you know, select the answer or click next,
Starting point is 00:07:36 but I wouldn't actually pay attention to any of it. And so I said, all right, let's start with a blank canvas. And if I wanted to be trained on a topic, what would that look like? I boiled it down to, first you need to be a storyteller. How soon after the patient died did you learn the reason you couldn't access the records was because of a computer breach? News spread fast. Minutes, I'd say. Not long after I was contacted by our chief of staff, he told me the hospital's network had been infected with something called ransomware. These episodes are things that people actually watch. And we can measure engagement and everything.
Starting point is 00:08:14 And they really watch, and we focus on a single attack vector so we don't overwhelm them with a bunch of information all at one time. And then we release one, a new one, every month. The videos are animated using a Western anime style, and they are bold and a little bit edgy. So for those that say, hey, it's too racy, it's too this, it's too that, for every one of those, I get ten people that go,
Starting point is 00:08:39 oh my gosh, this is racy, this is great. That's Zack Schuler from Ninjio. That's N-I-N-J-I-O. Do not click the link. It means it's from a hacker, and clicking that link would enable them to launch a ransomware attack. Turning your worst fears into our reality. Criminals are giving Android security some close and unwelcome attention. They're looking for ways to exploit various APIs, with UsageStatsManager attracting considerable interest.
Starting point is 00:09:15 They're also using GitHub as a de facto collaborative R&D platform. Hackers' ongoing attention to Android, along with smaller but significant recent signs of interest in iOS, prompt observers to think that the new wave of major data breaches may well begin with a mobile exploit. Finally, over the weekend, hackers in India appear to have compromised Facebook boss Mark Zuckerberg's Twitter and Pinterest accounts. Twitter and Pinterest both cleaned up the disruptions to Zuckerberg's account, which appear to have lasted just a couple of hours. The Saudi hacking group OurMine appears to have been responsible.
Starting point is 00:09:46 Akamai has seen OurMine involved in both social media hacks and DDoS since 2015. Sources tell Softpedia, off the record, that the group is composed of four to six teenagers. In this case, they seem motivated by the lulz. They tweeted that Zuckerberg was using da-da-da as his LinkedIn password. Get groceries delivered across the GTA from Real Canadian Superstore with PC Express. Shop online for super prices and super savings. Try it today and get up to $75 in PC Optimum Points. Visit superstore.ca to get started.
Starting point is 00:10:24 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:52 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate
Starting point is 00:11:41 artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Malek Ben-Salem. She's the R&D manager for security at Accenture Technology Labs, one of our academic and research partners. Malek, we talk a lot about
Starting point is 00:12:56 the Internet of Things, and I know you've pointed out that one of the challenges of the IoT is dealing with identity. So the IoT is witnessing tremendous growth. We've anticipated more than $20 billion of connecting things by 2020. And the ability to accurately establish and validate identity is critical to everyday life, but particularly to things in the Internet of Things, as machines have to communicate with each other. And identity has been the cornerstone of security for the internet. We build trust based on our understanding of who we are communicating with. But translating that into the internet of, as machines now communicate with each other, we need to think about identity within that space differently.
Starting point is 00:13:50 We have to think also about privacy in a space where machines will be communicating. We want to preserve the privacy of the people using those machines. So we need to think about IoT or identity mechanisms where identity of an individual device can be grouped with other devices so that we get some privacy protections there. And why is it that traditional device identity isn't adequate when we're talking about the IoT? So the traditional identifiers that are available today are things like an IP address, for example, or a MAC address. What's also available as a traditional identifier is what is known as the UUID, or the Universal Unique Identifier,
Starting point is 00:14:39 which is a 128-bit number used to identify identities. And then we have the device serial numbers that manufacturers allocate to devices. All of these are easily spoofed or easily copied and reproduced. So none of them actually are secure against cyber attackers. So a new approach really has to be devised to ensure that machine-to-machine communication can be established in an automated and secure fashion. All right, Malek Ben-Salem, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:15:26 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives
Starting point is 00:15:40 are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:16:11 I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious,
