CyberWire Daily - Daily: US Govt on Ukraine grid hack. ISIS threatens social media hacks. Ransomware rising. "Government OS."
Episode Date: February 26, 2016
Transcript
You're listening to the CyberWire Network, powered by N2K.
The US ICS Cyber Emergency Response Team reports on the Ukraine grid hack
and has some advice for US utilities.
Don't connect your control systems to the Internet.
ISIS tells Twitter and Facebook it's going to take them down from the web.
Ransomware continues to flourish as both grand and petty larceny.
Cyber risks remain imperfectly understood.
And Apple tells the court what creation of government OS would actually entail.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 26, 2016.
The U.S. government officially stated yesterday what everyone has unofficially believed for about a month and a half.
The power grid in western Ukraine was indeed taken down by a December cyber attack.
The Department of Homeland Security's Industrial Control System Cyber Emergency Response Team's recommendations
to the electrical power industry, however, are more pointed.
They offer counsel on what are surely good practices,
and they also advise some substantial disconnection.
For example, the report says,
quote,
organizations should isolate industrial control system networks
from any untrusted networks, especially the Internet.
End quote.
There's little doubt that BlackEnergy figured in pre-attack reconnaissance,
but the malware's precise further role in the attack remains unknown and officially under study.
Quote,
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials, the team writes.
However, this information is still being evaluated. End quote.
Washington has asked Silicon Valley to do something about extremism online,
and both Twitter and Facebook have taken some small steps in that direction.
ISIS has noticed.
The caliphate promises retaliation in cyberspace.
Addressing Mark and Jack by first name,
that would be Facebook's Mark Zuckerberg and Twitter's Jack Dorsey,
an online message says,
You announce daily that you suspended many of our accounts, and to you we say, is that all you can do?
You are not in our league.
If you close one account, we will take ten in return and soon your names will be erased after we delete your sites.
Allah willing, and we'll know that what we say is true.
End quote.
The missive is signed by the Sons Caliphate Army.
There's also a video suggesting the Caliphate's more customary direct physical brutality,
Flames of Ansar, depicting bullet-ridden images of Mark and Jack.
A think piece in Technology Review wonders whether Silicon Valley really could or really would
respond to Uncle Sam's call for mobilization.
The answer is a qualified yes.
Could if they considered ways of introducing dissenting voices from ISIS's core demographic
into the narrative. Would because, to the presumed dismay of techno-libertarians,
Silicon Valley's presumed aversion to working with the intelligence community
seems to be eroding as the reality of the ISIS threat sinks in. At least, so thinks Technology Review.
Ransomware continues its rise as the currently fashionable form of cybercrime.
Students of the problem see several developments contributing to the trend.
First, the availability of anonymous networks like Tor makes criminals think they can get away with it,
but one notes that the apparent success of the feds in getting researchers under subpoena to
de-anonymize Tor users
might give the gangs pause if they're paying attention.
Second, cryptocurrencies like Bitcoin induce hoods to think they'll actually be able to get paid without getting caught.
And third, the growing Internet of Things has expanded the available attack surface,
and many newly networked devices are neither designed for nor installed with security in mind.
Many law enforcement agencies, including the FBI, are working the problem and offering advice.
Companies like Kaspersky and Emsisoft have released free decryption tools for specific strains of ransomware,
a public service for which they deserve commendation.
We'll say it: thanks.
But the best defense remains anticipatory.
Back up your files.
Cyber risk management concerns filter up to corporate boards and C-suites.
CEOs in particular are acknowledging that they're a bit at sea with respect to understanding cyber risk.
A look at the report Independent Security Evaluators released this week
provides evidence that compliance may be clouding healthcare enterprises' view of the threat.
Swiss Re's departing leader warns that the insurance industry itself, which should certainly be expert in risk management, still has trouble assessing cyber risk.
In fact, the insurance
sector should probably view cyber as at least as much risk as underwriting opportunity.
Everyone, it seems, has an opinion about the Apple-FBI dispute. The most interesting development
at week's end is Apple's explaining to the court
exactly what would be involved in creating for the FBI
what Apple is tendentiously but probably fairly calling Government OS.
It's not trivial, and it's not likely to be a one-off either.
Studies of public opinion show mixed results
over how much people really do value their online privacy.
It's worth recalling that both
business and governments collect vast amounts of information. We spoke with Johns Hopkins
University's Joe Carrigan about public and private data collection, and we'll hear from him after the
break. Finally, Jacksonville State University is investigating, and has also referred to law
enforcement, a case in which a student may have stolen credentials to hack into university records.
Think of it as registering for a class, although in this case that would be a Class B felony.
A note to our listeners, we'll be at RSA next week covering the conference and special issues and podcasts.
If you're going to be there, drop by booth 1145 in the South Hall and say hello.
But act quickly, while supplies last, we'll give you a swell pen.
Joining me once again is Joe Carrigan from the Johns Hopkins Information Security Institute.
They're one of our academic and research partners. Joe, it seems like these days there are lots of different organizations who are collecting
our data.
The government collects our data.
Private companies collect our data.
But those are very different things.
And in your opinion, they're not the same.
Right.
And this is, let me be clear, this is my opinion.
There's a lot of talk around corporations collecting your information.
That doesn't concern me as much as government entities collecting your information and your
activity, cell phone logs and things of that nature.
When a company is collecting my behavior online, I know what their goal is.
Their goal is to sell me something.
Their goal is to tell me about a product that's available that they think I might be interested
in.
And sometimes that becomes kind of a nuisance. My favorite example of this is at some point in time, I was looking at my mail.
I have a Yahoo mail account, and there were ads on the side of that for Depends undergarments.
And I'm thinking –
You'd slipped into some demographic unknowingly.
Why is it that you think I need Depends?
Well, there was – but remember there was that case with Target where Target had figured out that a young – I believe it was a teenage girl who was pregnant started sending her coupons for baby stuff and her parents didn't know that she was expecting.
Correct, correct.
While my stories are humorous, that one's not so much.
Those kind of events are – where you have adverse effects like this are kind of few and far between.
Some people would argue they're unacceptable,
and I would say their arguments are not
invalid. I would also
say that perhaps I don't
really agree with them.
My concern, however, is much more
with governments collecting the data.
Something that companies never
do is they never kick open
doors and go into a house and round people up and take them away never to be seen again.
Governments have a history of doing that kind of thing.
And that's what makes me nervous.
And I'm trying not to sound like a guy with a tinfoil hat on.
But I trust a government a lot less than I would trust a corporation simply because of the amount of
power that they wield. So how does someone go about limiting the amount of data that's available
for the government to gather from them? There's a couple things they can do. First, you could get
a web proxy service that anonymizes your internet traffic without costing a lot of speed. And you
can shop around online for them, and there are lots of articles that tell you which ones are the best
and which ones keep the records and which ones don't.
As far as cell phone records go,
you have to go to a more extreme measure
where you're using what they call burner phones.
These are phones that you buy at the store for cash,
and then you buy time on these phones for cash,
or you just repeatedly throw the phones away.
However, that makes it kind of hard for people to get in touch with you.
I mean, that's something we're kind of captive with.
We have these phones now that we carry around that track a lot of information about us.
Obviously, on the individual level, we're limited in what we can do, but it really is
one of those things I think, as a society, we have to keep our eye on.
Yeah, I would agree with that.
There's really not a lot you can do, particularly with the phone records,
without going to extreme measures that become very inconvenient actually.
All right.
Well, sleep well tonight, Joe.
Joe Carrigan from Johns Hopkins Information Security Institute.
Thanks again for joining us.
It's my pleasure.
And that's The CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.