CyberWire Daily - Daily: SWIFT issues new fraud warnings. US investigates Russian influence operations. Patch news. Wages of sin are in-game purchases?
Episode Date: December 13, 2016In today's podcast, we learn that SWIFT has warned member banks of ongoing attempts at fraudulent funds transfer. US investigation of Russian influence operations continues, with bipartisan support. G...erman fears of Russian election hacking persist. Apple iOS, McAfee VirusScan Enterprise, and AirDroid get patches. Tor releases a browser with upgraded anonymity. Kevin Bocek from Venafi reminds us of the looming SHA-1 sunsetting. Ben Yelin from the University of Maryland Center for Health and Homeland Security examines a case involving stingray devices and warrantless searches. And some guy steals a million so he can spend it on in-game purchases. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash investigation of Russian influence operations continues with bipartisan
support. German fears of Russian election hacking persist. Apple iOS, McAfee VirusScan Enterprise,
and AirDroid get patches. Tor releases a browser with upgraded anonymity. And some guy steals a
million so he can spend it on in-game purchases. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, December 13, 2016.
SWIFT, the international funds transfer organization, has warned its member banks that attacks on the networks have continued
since the Bangladesh bank suffered a significant loss of funds almost a year ago.
The threat is very persistent, adaptive, and sophisticated, said a letter from Swift obtained
by Reuters, and it's here to stay. Swift is characterized as reluctant to say how many banks
have been affected or how much money has been lost, but one of the system's security leaders
acknowledged that there had been a meaningful number of cases.
Some of the local banks were compromised through technical support systems,
which represents a new wrinkle in the attack technique.
As bipartisan investigation of Russian influence operations continue in the U.S., President-elect Trump's skepticism over attribution prompts fruitful discussion of the topic.
The president-elect is skeptical about attribution generally,
wondering how you'd know who was in your network unless you caught them in the act.
There are, of course, many forensic techniques that can help reveal who was responsible for a cyber event.
The U.S. intelligence community says it has high confidence in its attribution of influence operations to Russia.
CrowdStrike goes farther,
placing their confidence at 100%. The Democratic National Committee brought in CrowdStrike to
investigate a suspected compromise of its networks back in May, and CrowdStrike is quite sure it
caught both Fancy Bear and Cozy Bear, respectively the Russian intelligence services GRU and FSB,
the Russian intelligence services GRU and FSB, Red Pod, in the systems.
It's worth noting two things. First, while attribution is indeed tricky and often uncertain,
there's a general consensus that in fact Fancy Bear in particular doxed the DNC and leaked discreditable emails through, probably, Guccifer 2.0, DCLeaks, and WikiLeaks. Second, the Russian
activity has generally been characterized as an information operation,
that is, an attempt to influence voter perceptions and choices during the election, and not an
attempt to directly manipulate the vote tallies.
The evidence that the Russians favored candidate Trump over candidate Clinton largely comes
down to the relative paucity of evidence that the Republican networks were similarly compromised.
There were some early releases of Republican emails,
mostly anodyne and routine communications among party members, organizers, and donors,
but these slowed to essentially nothing after the parties had concluded their nominating process.
Since there's no reason to suppose that Republican security was markedly superior to Democratic security,
and since it's unlikely that any political organization could long withstand the attentions of a leading nation-state's intelligence services,
the conclusion most drawn is that the Russian government favored Trump.
In any case, there appears to be a solid bipartisan determination in Congress to get to the bottom of things,
and the president has also directed that an investigation be done.
Few think Russian interest in information operations ended with the U.S. elections.
German authorities continue to express concerns that their elections have become the next
target of Russian operations.
Other observers see former Soviet republics and Warsaw Pact countries as likeliest to
receive the ministrations of Russian intelligence services.
Returning with some relief to more ordinary forms of cybercrime,
we note that a new cryptocurrency, Zcash, has already drawn the attention of crooks.
Kaspersky reports that criminals are installing mining software on victim machines
to accumulate a stake in Zcash.
Older cryptocurrencies like Bitcoin are, for various reasons,
less susceptible to this form of manipulation.
As we head toward the end of the year and into the next, there's an important sunset on the horizon.
The SHA-1 digital certificate standard is being phased out and replaced with SHA-2.
We checked in with Venify's Kevin Bocek for the lowdown on the transition.
Hashing algorithms are only as good as they can create a unique output,
and unique output that is not vulnerable to what's called collision.
Collision is when we can create another hash. And generally, again,
a hash algorithm is a fingerprint. You put in one number and you'll get out a completely unique
number on the other end. And these collisions then, when you have the ability to create
essentially a forgery, something that is unique or a duplicate, I should say, of something that's supposed to be unique is a big, big problem.
So a great thing is that both the browser, the operating system, and the certificate authority world have realized this.
we're going to be saying goodbye or at least not trusting SHA-1 fingerprinted certificates anymore in the browsers and operating systems that we all use on our desktop laptops and mobile devices.
So sunsetting will happen officially in February 2017 when our browsers, whether that be Microsoft Edge, Microsoft Internet Explorer,
Apple Safari, Google Chrome, finally will display the insecure, not trusted,
your connection is not private warning in all the browsers.
And so what's involved in making the switch? How hard is it to upgrade from SHA-1 to SHA-2?
Well, you've got to know what you're using. So you've got to know all the digital certificates that you are in fact using, which requires getting intelligence about what's deployed publicly, what might be inside your network, what might be deployed now out in cloud services or hosted by third parties.
your network, what might be deployed now out in cloud services or hosted by third parties.
You then have to triage. You have to triage. All right, we're going to fix and replace these keys and certificates, get new SHA-2 certificates that have been issued for a few
years by certificate authorities now. And as you're going through this whole process,
validate that it's actually occurring to your policy and validate that you've actually successfully replaced your old SHA-1 certificates or, gosh, god forbid, you've got MD-5 certificates, which we still see, replaced now with secure SHA-2 certificates.
That entire process doesn't happen by accident. That entire process, certainly,
you know, to a lot of security teams, network teams working in businesses or governments is
difficult. And that's why they're increasingly looking to automation to systems to help them
find out what they've got and walk them through that process and validate it.
That's Kevin Bocek from Venify.
Several patches and upgrades are out this week.
An alpha version of a sandbox Tor browser was released over the weekend, promising more
reliable anonymity.
Apple has addressed 12 vulnerabilities in iOS 10.2.
AirDroid has also received security updates that close off the possibility of recently discovered exploits.
And, pushed by a vulnerability researcher,
McAfee has shuttered 10 holes in its virus-scanned enterprise security product.
And finally, in crime and punishment, the Bulgarian avalanche hacker Krasimir Nikolov
has been extracted to the U.S., where he will stand trial
thanks to the alert work
of the alert G-men of the FBI's Pittsburgh squad. Avalanche was elusive, and so was our final
criminal of the day. But it's difficult to see how this second gentleman escaped arrest as long as
he did. Consider, if you will, the case of one Mr. Kevin Lee Coe, late of Sacramento, California.
Mr. Coe is reported to have copped to a plea of embezzling some $4.8 million from his employer
between 2008 and 2015.
A thought experiment, if you will.
If you were he, pause and imagine how you might spend your take.
Snazzy cars?
Check.
Plastic surgery?
Depends, but okay.
Check.
Seasoned tickets for the 49ers and the Sacramento Kings? Check. Plastic surgery? Depends, but okay. Check. Season tickets for the 49ers and the
Sacramento Kings? Check and double check. But that's only $3.8 million or so. Here's where you
may part imaginative company with Mr. Coe. He spent $1 million on in-game purchases for Game of War.
We hope the digital armor and virtual siege engines were worth it.
Mr. Koh is expected to become a resident of Club Fed sometime in the spring.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Thank you. suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Ben Yellen.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
Interesting article in Ars Technica.
An appeals court has ruled that it does not matter how a wanted man is found,
even if it is via a stingray. There's some interesting stuff going on here. Fill us in.
Sure. So this case is called United States v. Patrick, and it took place in the Seventh
Circuit Court of Appeals. And the majority held in that case, and it was a three-judge panel,
that because there was an outstanding arrest warrant for the defendant in this case, the defendant had forfeited
his reasonable expectation of privacy, and therefore a warrant was not required to use
a Stingray device to identify his location.
Basically, the judge said, once you have an outstanding arrest warrant, you have forfeited that reasonable
expectation of privacy. Therefore, it doesn't really matter what method law enforcement uses
to find you. It can be a police informant. It can be a location identifying device like a stingray.
This is somewhat of a workaround of the really serious issues that are invoked with stingrays about
whether, in general, there needs to be some framework within law enforcement as to whether
warrants are required and what that process should be. Yeah, I thought it was notable that there was
a lengthy dissent. The circuit chief judge, Diane Wood, concluded she said it's time for the stingray
to come out of the shadows so that its use can be subject to the same kind of scrutiny as other mechanisms. And she listed things like thermal
imaging devices, GPS trackers, and so forth. You know, it just, it strikes me that these Stingray
devices really seem to be a catalyst for a lot of these, a lot of interesting tests and
conversations about our fundamental right to privacy. Absolutely. And this dissent carries a lot of weight. Diane Wood is a very prominent circuit
court judge. She was considered for a Supreme Court appointment by President Obama in both 2009
and 2010. And I think she brings up a very good point. Because of the secrecy surrounding this
device and because of the haphazard way it's been implemented across different jurisdictions, both at the state and local level, the judicial branch knows very little about it.
And I think that gets to the broader point that she brings up, that it's time for the judicial branch to come up with some sort of framework to evaluate this device.
They've done so with all different types of devices.
framework to evaluate this device. They've done so with all different types of devices. There have been cases on thermal imaging, on GPS trackers, on pen registers. The judicial branch is slow,
but they do have an obligation to keep up with the technology, especially because this is such
a novel issue. All right. We'll keep an eye on it. Ben Yellen, thanks for joining us.
for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. practical, and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.