CyberWire Daily - Daily: Statecraft, spycraft, & warcraft: inspiration, cells, & espionage. Cybercrime & punishment.
Episode Date: July 5, 2016In today's podcast we look at ISIS's shifting tactics in cyberspace, and the civilized world's response to them. OurMine continues to market its "services" by compromising celebrity accounts through r...ecycled credentials. Two new ransomware varieties--"Satana" and "Zepto"--make their appearance, and researchers track (without attribution) the spoor of MNKit and SBDH malware. A researcher releases, without prior disclosure, a ThinkPad zero-day. The FBI investigation into State Department email issues warms up. Ben Yelin from the University of Maryland Center for Health and Homeland Security tells us about a Florida man in trouble for hacking an election site, and Michael Jacobs brings us the National Cybersecurity Hall of Fame. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K. its territory shrinks. EU internet surveillance is criticized as both porous and unaccountable.
OurMine again tries marketing by hacking.
AdWind is back and likely to spread.
Researchers offer insight into MNKit and SBDH malware.
In ransomware, Zepto succeeds Locky and Satana follows Petya's footsteps.
ThinkPwn appears as a proof of concept, but not yet in the wild.
And we've got updates on U.S. election hacks and email handling investigations.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 5, 2016.
A wave of ISIS-connected terror attacks over the past weekend suggests that the caliphate
has evolved a mix of inspiration and directed operation of organized clandestine cells.
The attacks, which ranged over the past week from Turkey through Israel, across the subcontinent
and into Malaysia, appear to represent the long-foreseen shift to out-of-area operations
as ISIS-controlled territory shrinks.
seen shift to out-of-area operations as ISIS-controlled territory shrinks. Cells, while potentially deadlier, are easier in principle to disrupt than are the self-organized attacks of
inspired lone wolves. Authorities worldwide look to the Internet for ways of countering both sorts
of threat. The European Union's surveillance of the Internet, with Europol's Internet Referral Unit, IRU, in the lead, is attracting criticism
from digital rights group AccessNow. The IRU has proceeded largely by requesting the dangerous,
potentially illicit content be taken down. AccessNow calls this approach haphazard, alarming,
tone-deaf, and entirely counterproductive. If there's illegal content online, AccessNow argues
it should be dealt with through
a duly obtained court order directing its removal. The IRU defends its practices on the grounds of
their success and notes that the material its work to remove includes, in a list Ars Technica provides,
quote, violent extremist propaganda videos, pictures of beheadings, bomb-making instructions,
and speeches calling for racial or religious violence.
The release of old lists of compromised credentials from sites like LinkedIn and MySpace would
be old news if it hadn't continued to cause problems for those who recycle passwords.
On Saturday, another celebrity social media compromise occurred.
Ezra Klein, editor-in-chief at Vox Media, had his Twitter account hacked by OurMine.
OurMine, you will recall, is a group that represents itself as a legitimate white-hat security scanning business.
They've proceeded by taking over accounts to show, as they would put it, security issues,
and then offering to scan an enterprise's social media presence for $5,000.
Thus, they promote their services by compromising their prospective customers' accounts.
Few observers take OurMind's claims of legitimacy or even technical skill seriously.
CSO coldly reports that, quote, most real security professionals see the group as a
collective of script kiddies, end quote, and that their purported exploits are really just
fallout from the recent series of credential dumps. In cybercrime, we're seeing some things old and some things new.
Heimdall Security reports interesting news on the old.
The Adwind remote-access Trojan is back,
appearing in targeted attacks against Danish companies.
Heimdall speculates that Adwind is unlikely to remain confined to Denmark,
since its fishmail is in English.
Adwind isn't tripping many antivirus
warnings this time around, so everyone in Midgard should be wary. Palo Alto reports evidence linking
the MNKit exploit generator with three Chinese cyber espionage campaigns. Those campaigns target
the Russian military, Tibetan communities, and Uyghur minorities. SBDH malware is turning up in active espionage campaigns run against targets in five Eastern European countries,
one former Soviet republic, Ukraine, and four ex-members of the Warsaw Pact,
Poland, the Czech Republic, Slovakia, and Hungary.
ESET, the Bratislava-based security firm that uncovered and is tracking the campaigns,
sees several interesting features in SBDH. The malware is using steganographic techniques to obscure some of its
command and control features, and it displays similarities to malware that appeared in Operation
Boot Trap, a criminal campaign that raided Russian banks. And two new ransomware strains have
appeared. Locky, famous for its use against hospitals, is apparently going into occultation.
It's being replaced by Zepto.
Zepto is marked by a number of stylistic similarities to Locky,
especially its requirement that victims work with it over Tor to repay the ransom.
The second new variety is being called Satana by researchers at Malwarebytes.
Satana follows Petya's lead.
It affects Windows machines to encrypt master boot records as well as files,
thereby rendering infected devices unable to load their OS.
Malwarebytes describes Satana as underdevelopment, but already functional.
A proof-of-concept exploit has been released by Dmitry Alekseyuk, a.k.a. Crash,
that overrides firmware
protections in Lenovo ThinkPads and possibly other similar systems. Crash calls the exploit
ThinkPwn and says he didn't warn Lenovo before releasing it because he thinks it too difficult
for exploitation in the wild. There are so far no patches or mitigations.
The National Cybersecurity Hall of Fame is taking nominations
for its next class, scheduled for induction in October. Since its first class was inducted in
2012, the hall has honored 26 of the most eminent contributors to the field.
Well, it began in 2012 when the three of us, myself, a fellow named Rick Garrett,
and Larry Letow were having lunch. And one thing led
to another. There was a suggestion made that we really ought to begin to honor the people who
formed the industry that we now talk about as cybersecurity. That's Michael Jacobs, the chair
of the National Cybersecurity Hall of Fame Advisory Board. With a mission statement that reads, the Cybersecurity Hall of Fame will
represent the mission, respect the past, protect the future, and will honor the innovative
individuals and organizations which have the vision and leadership to create the foundational
building blocks for the cybersecurity industry. There are five different categories under which someone
could be nominated. The categories are technology, policy, public awareness, education, and business.
Jacobs says there's no shortage of nominees. We'll probably end up reviewing around 50,
perhaps 60 nominations, and we do that through a two-round voting process.
Each of the members of the board are provided five yes votes every year.
Every year of the five years we've been doing this.
There was near unanimity in agreement on where the yes votes got used.
There are 11 members of the Board of Advisors.
They're drawn from industry, academia, and government.
There are a number of household names,
like Ruvess Shamir and Edelman,
and Whitfield Dishy and Marty Hellman.
And so it's a great range of people
that have been influential in starting the industry
and sustaining the industry.
And that's what it's all about.
Michael Jacobs shared his view that recognition of the cybersecurity industry as a whole
has been a long time coming.
There has historically been, in my experience, over 52 years,
a great deal of skepticism about the need for this industry.
It's taken an awful long time
for the industry to get established, for people to recognize the threat, and for people to begin
doing something about the threat. So the folks that we're talking about are people that have
had great impact in causing that turnaround to occur, either through technology, which was simple to use,
relatively inexpensive to acquire,
and has in many respects become ubiquitous.
People who formed industries around the technology.
So these are folks that had a vision
and made a significant contribution to allow things to happen.
Nominations are open for this year's National Cybersecurity Hall of Fame,
and you can learn more at cybersecurityhalloffame.com.
The Brexit vote has, to no one's surprise, spawned phishing campaigns
inducing the unwary to open emails offering counsel on what Brexit means for you,
for the global economy, and so forth.
Open your emails with caution, especially
if you're in the UK. Two ongoing cyber security stories with implications for US elections
continue to develop. Guccifer 2.0 is still insisting, no really, he's not a Russian spy,
he hacked the DNC for purely private reasons, but these protestations are falling on ears that grow
progressively deafer.
Election site security will remain an issue for the foreseeable future.
We spoke with the University of Maryland's Ben Yellen on the case of a gentleman facing felony charges for hacking into a Florida election site. We'll hear from him after the break.
The other incident with implications for the election is the FBI's ongoing investigation
into email security, record retention, and
the handling of classified information during presumptive Democratic presidential nominee
Hillary Clinton's tenure as U.S. Secretary of State.
The Bureau interviewed former Secretary Clinton on Saturday.
Her husband, former President Clinton, held an unscheduled meeting with Attorney General
Lynch last Monday, and both the White House and the Justice Department were at pains late in the week to reassure everyone
that the FBI's investigation into the former Secretary of State's emails
would proceed without political influence.
And finally, another innocent person,
named after the Egyptian goddess of nature, motherhood, and magic,
has been blocked by Facebook.
Isis Thompson found herself locked out of the social media site
and staring
at a pop-up message that said her name, her actual name, did not comply with Facebook's policies.
She sent them proof of her ID explaining that yes, she is Isis, but not that Isis,
and as we go to press, she's still waiting to be let back in. Acronyms can be inadvertently
tricky after all, especially when you're trying to make a name for yourself on the international stage.
Just ask the Moro Islamic Liberation Front.
Do you know the status of your compliance controls right now? Like, right now?
compliance controls right now, like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Thank you. full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. I'm joined once again by Ben Yellen.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security,
one of our academic and research partners.
Ben, there was an article recently in Ars Technica about a Florida man
who was trying to demonstrate the insecurity of a Florida election site,
and he sort of decided to take matters into his own hands.
What can you tell us about this case?
Well, I would first start by saying
it's generally not a good idea in these instances
to take matters into your own hands.
This is an individual, David Michael Levin in Florida,
who hacked into a local county Board of Elections website
to prove that it was insecure.
He used the Pilfer credentials of the County supervisor of election.
Now, granted, we all are very concerned about the integrity of elections data,
especially considering what happened in Florida in 2000, I think we're very
sensitive to that, but this person, Mr.
Levin, not only hacked into the account, but did it on video.
And actually that video was
used as evidence against him. And that has led to a criminal hacking charge. So even though
the point that he was trying to make that the integrity of the elections data was at risk
is a good one. He certainly was ill advised in trying to break in himself and especially
ill advised in putting it on video on
the internet. So from his point of view, it was all about good intentions, but he just went about
it the wrong way. What would be the proper way to handle this? If you think there's a security flaw
in something like this, what's the best way to go about it? Generally, you should not try to use
the Pilford credentials of anyone. If you really do think that about it? Generally, you should not try to use the pilfered credentials of anyone.
If you really do think that there's a problem, you can certainly raise it to the media.
I think that would be the best way to raise your concerns without actually hacking into any system yourself.
And, you know, in this case, it is a public official.
So you have the right to contact the public official to express your concerns.
And again, the concerns are certainly warranted. I just think that there's a significant risk in hacking into the device and that will
risk you a felony charge. And I just, again, even though the purpose of it might have been noble,
it's just not worth it to face a felony hacking charge. That can garner significant criminal penalties. All right, Ben Yellen, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening. and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.