CyberWire Daily - Daily & Week in Review: Android issues, SWIFT hacks, the cyber security marketplace.

Episode Date: May 13, 2016

In today's podcast, we look back at the week just ending and see new attempts on banking systems. Some involve SWIFT; others involve Anonymous, and some have to do with the FDIC. And what about those ...fingerprints? Markus Rauschecker from the Center for Health and Homeland Security examines the increased scrutiny the FTC and FCC are putting on mobile device providers. And we interview Dr. Emma Garrison-Alexander about her leadership positions with NSA, TSA and UMUC.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:56 SWIFT is back in the cyber news as the International Financial Transfer System is said to be quietly warning customers of another caper. Outside observers suspect insider threats. Operation Icarus continues to annoy banks, mostly around the Mediterranean. The FDIC discloses five breaches and Congress isn't amused. Patch Tuesday has come and gone, but work for sysadmins remains. Law enforcement may be quietly making its peace with strong encryption, and my interview with Dr. Emma Garrison-Alexander on her leadership positions with NSA, TSA, and UMUC.
Starting point is 00:02:39 I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 13, 2016. The International Financial Transfer System, SWIFT, reappears in security news today as reports surface of another attempt to use the system to divert funds from a bank. This bank, still unnamed in reports, is said to be a commercial bank in Vietnam. BAE investigators are reported to have seen similarities between code associated with this attempt and malware uncovered in the Bangladesh bank case. It also sees some possible similarities to what's known of the Sony hack. The New York Times late yesterday obtained a copy of a letter to users the newspaper says SWIFT intends to post privately today. The letter is said to contain a warning about the Vietnamese bank incident,
Starting point is 00:03:26 a conclusion to the effect that both this and the Bangladesh bank theft are part of a wider and highly adaptive campaign targeting banks. It appears, according to The Times, that the problems lie in the interface between SWIFT and the banks that use it, as opposed to SWIFT's core systems. It also seems likely that legitimate credentials have been compromised. SWIFT is expected to advise banks to shore up security on their end. Speaking in Frankfurt, Gottfried Leibbrandt, SWIFT's CEO, told a financial conference that SWIFT regarded the
Starting point is 00:03:56 Bangladesh bank raid as customer fraud. Security Week quotes him as saying, I don't think it was the first, I don't think it will be the last. FireEye, which is investigating the Bangladesh Bank incident, has, according to Bloomberg, found evidence of three groups' activity in the bank's systems, a Pakistani organization, one from North Korea, and a third as-yet unidentified actor. It's the third one that actually pulled off the theft. The Pakistani and North Korea groups are thought to be state-sponsored, but traces of their presence in the system do not appear to have been implicated in fraudulent transfers. North Korea's representatives at the UN, Bloomberg notes primly, did not respond to a request for comment.
Starting point is 00:04:38 Pakistani ministries the news outlet contacted also didn't return calls. How the hackers got in remains unclear, but there's much continuing speculation that these incidents were inside jobs, at least in part. InfoArmor's chief intelligence officer, Andrew Komarov, told the CyberWire that in his view, the speed and ease of attack like this is probably beyond the reach of typical underworld money mule services. Quote, such types of transactions almost certainly couldn't be organized without the help from either insiders or traders very familiar with operational controls in the affecting institutions, he said. We also hear from Lastline security expert Craig
Starting point is 00:05:17 Kensek, who thinks the heist suggests that someone who's worked in the financial industry has gone rogue. He also thinks data loss prevention systems used in financial transactions may need more granularity and more levels of control. Quote, SWIFT needs to re-examine their processes and use outside experts to try and crack their system. They, if they haven't already, need to create a list of trusted IP addresses that larger funds can go to without eyes-on approvals. End quote.
Starting point is 00:07:45 And I'm joined once again by Markus Rauschecker from the University of Maryland Center for Health and Homeland Security. Markus, we saw recently a story about some of the mobile providers are facing increased scrutiny from both the FTC and the FCC when it comes to security updates. What can you tell us about that? Yes. So the Federal Trade Commission and the Federal Communications Commission are asking mobile device providers and manufacturers to provide information on what they're doing to secure the devices that they're selling. I think both the FTC and the FCC and the public in general
Starting point is 00:08:43 is recognizing that as we use our mobile devices more and more, we're storing more and more sensitive information on these devices. So there's a real concern about securing and safeguarding that information. And the FTC and the FCC want to make sure that these mobile device manufacturers and the software developers for these devices are doing what they should be doing to protect the data that is being stored on these devices. And I know sometimes people are concerned about overreach by these regulatory agencies. But in this case, it seems like this is good for the consumers. Yes. I think overall, it should be good for consumers. Consumers should be concerned about the safety and security of the data that they're storing on these devices. Obviously, that data is very personal data.
Starting point is 00:09:28 It's financial data. It's health data. There's a lot of stuff on those devices nowadays that needs to be protected. And I think overall, it's probably good for the consumer that the FTC and the FCC are getting involved here and wanting to know more about what manufacturers are doing to actually protect the data that is being stored on these devices. Markus Rauschecker, thanks for joining us. Thanks very much.
Starting point is 00:10:00 This week continued to see the expansion of Anonymous' Operation Icarus. Op Icarus is designed to,
Starting point is 00:10:45 as Anonymous puts it, bring down the world financial system in retribution for that system's crimes against humanity. The engine of retribution is distributed denial of service. The hacktivist collective and its collaborators in BannedOffline and Ghost Squad began in Greece, moved to Cyprus, hit targets in Kenya, Panama, Bosnia and Herzegovina, and most recently have surfaced in Montenegro, Monaco, Jordan, and South Korea. In most cases, service has been relatively rapidly restored, but the campaign continues to annoy the financial sector. This week, the U.S. Federal Deposit Insurance Corporation disclosed that it suffered five major breaches since October.
Starting point is 00:11:27 Individual banking consumer data are affected. Congress is investigating. The FDIC can expect to be called onto the Capitol Hill carpet in coming weeks. Early this week, the Panama Papers were posted in full searchable form by the ICIJ. No big cats escaped from the big bag of terabytes, and at week's end, talk about the Mossack Fonseca breach has subsided into general murmuring about the need to close tax loopholes, rein in offshore accounts, establish better transparency, and so on. Most of the activity the data reflects seems more unseemly than illegal,
Starting point is 00:12:02 or when illegal, already known to law enforcement and under investigation. The Denim Group commented to us on what they characterize as a tenacious cross-site scripting problem GoDaddy experienced and has now resolved. Denim Group Principal Dan Cornell described the issue as blind cross-site scripting and said it's not unusual to encounter it during application assessments, especially in utilities and financial institutions. Exploitation can result in privilege escalation. He thinks developers could avoid this and other problems by using solid threat models, appropriate coding
Starting point is 00:12:36 standards, and security testing integrated into the development process. Cornell said, quote, stored or blind XSS actually appears to be easier to fix than reflected XSS based on some of... This week's Patch Tuesday saw Microsoft issue 16 fixes, eight of them rated critical. For the most part, they addressed remote code execution vulnerabilities in Internet Explorer, Edge, JScript, and VBScript scripting engines in Windows, Office, Microsoft Graphics Component, Windows Journal, and Windows Shell. Adobe also patched this week with updates to PDF Reader and ColdFusion provided on Tuesday. They also promised to patch a Flash Player zero-day and did so yesterday. That fix closed some 25 issues, including two type confusion flaws, one of which is the zero-day.
Starting point is 00:13:35 The other bugs addressed could all be exploited for remote code execution. They include 12 memory corruption issues, 8 use-after-free problems, buffer overflow and heap buffer overflow problems, and a direct search path vulnerability. So cut your sysadmins appropriate slack as they deal with these patches, and update appropriately. Signs indicate that the FBI may be quietly making peace with widespread encryption, recognizing it as an investigative inconvenience as opposed to an existential threat. And a Lego guy Play-Doh hack may be joining the nearly forgotten, although not forgotten by us,
Starting point is 00:14:12 gummy bear hack, in which imprints of fingerprints on sticky candy or modeling clay are used to unlock biometrically protected devices. But we don't know. You'll recall that the FBI got a controversial warrant to require a woman in California, not a suspect in the case under investigation, to unlock a phone with her fingerprints. Well, they tried all ten fingers, but alas, no joy. So they asked her for the password. Sorry, she answered, it's not my phone. But did they offer her a gummy, we wonder? Swedish fish? Turkish taffy?
Starting point is 00:15:02 My guest today is Dr. Emma Garrison-Alexander. Dr. Emma, as she likes to be called, has over 30 years of combined federal experience at NSA, where she served as Deputy Counterterrorism and as a Senior Operations Officer, and at TSA, where she led their IT organization as Chief Information Officer. She's currently Vice Dean for the Department of Cybersecurity and Information Assurance at the University of Maryland University College. Dr. Emma, welcome to the CyberWire. I'm curious, when you were a kid growing up, were you someone who was interested in science and mathematics?
Starting point is 00:15:35 So I have always liked math and science right from the beginning of school. And when I got into high school, without my parents pushing me, I wanted to take all the advanced math. I wanted to take the algebra. I wanted to take the geometry, the trigonometry. I wanted to take the physics and the chemistry because I felt like I was going to learn a lot more if I took those more advanced courses instead of taking just the general courses. They work very well if you're interested in a career in computer science or electrical engineering. So you complete your college education, you get your degree, and now you're looking for a job. And did that lead you directly to government from there?
Starting point is 00:16:19 Yes, it did. At that time, the National Security Agency, along with other companies and government organizations, they were recruiting at my school. And one of the interviews that I had was with NSA. And ultimately, they made me an offer and I accepted it. I'm curious, did you run into any roadblocks either being a woman or even specifically being a woman of color? I think that there were challenges. One of the things I benefited from is when I started my career at NSA, while the number of women in the field were low at the time,
Starting point is 00:16:55 I was hired at a time where a number of other women were also being hired. So I was one of a few women, but I was not the only woman within the field. I think that helped some. And I was determined to be successful. I was determined to contribute to the mission. I was determined to be relevant to what was needed in the organization. And through some of the challenges, I learned a lot. I learned the importance of making sure you look out for yourself and not expect someone else to do that for you. You wrap up your time there and the
Starting point is 00:17:31 opportunity from TSA comes along. How are the challenges at TSA? How do you contrast them against your experiences at NSA? I always tell people that government is government. So there are some things that are common to being a part of a government organization. But what was strikingly different between NSA and being there and TSA and being there was the fact that one organization is very private, very closed, right, very quiet, do fantastic work for the nation. But it is not a public institution. It's a very internally facing and community facing type organization. TSA is the direct opposite.
Starting point is 00:18:17 Their whole reason for existing is to engage the public. They are most notably known for what they do in the aviation arena, right? The airports, but they have responsibilities in all modes of transportation, you know, highways, rail, mass transit, pipeline, maritime, as well as aviation. So the truth of the matter, the biggest adjustment was going from a place where I had been hiding, working in these highly classified areas, to an organization that's very much public-facing. Take me through the decision process. You decide to wrap up your career or the portion of your career with TSA. And so where are we now?
Starting point is 00:18:59 So I decided to take an early retirement. I then took a year off to just take care of some family matters. And then I decided to reengage. And I had been an adjunct faculty at the University of Maryland University College since 2010. And I really wanted to do something in academia. And that's something I had wanted to do for a while. And it just so happens that at the time that I was looking to reengage, there was an opportunity at the University of Maryland University College that I interviewed for.
Starting point is 00:19:35 So I've been the Vice Dean for Cybersecurity and Information Assurance in the graduate school since November of last year. I'm responsible for four graduate programs, Cybersecurity Technology, Cybersecurity Policy and Management, Digital Forensics and Cyber Investigation, and we have an information assurance program. And so I oversee those programs at the graduate level. I mean, that's kind of a different world for you, isn't it? How's that transition been? It is a different world, but because UMUC is a non-traditional university, it has a lot more elements of business to it than you would in a traditional university like University of Maryland at College Park. I'm curious, looking back on your time at TSA and your time at NSA, what are the lessons that you've learned? What are the takeaways from your time at those places?
Starting point is 00:20:24 One is take advantage of all the opportunities that are afforded to you. One of the things I give NSA great credit to, and I would say that's why they have a world-class workforce, is training. And when I say training, it was all the way from your formal college education. They pay for my master's degree and they pay for my doctorate degree. So in addition to that, they also paid for other training, you know, whether it was that Learning Tree or if it was Cisco training or some other type of training. So as an organization, NSA values training. And so it's important that when you have an organization that's willing to
Starting point is 00:20:58 invest in you, that you take advantage of that investment. The second thing is, as you're going through your career, you need to make your career a priority. You need to ensure that you're doing those things that you need to do in order to move forward, in order to progress, in order to move into the positions that you're interested in, in order to succeed in the pathway that you've actually laid out. Thirdly, I think it's important that you plan out your career, that you do not leave it to happenstance. I think it's really important to create a pathway.
Starting point is 00:21:35 The fourth thing, it's very important to have mentors and coaches. My mentors were invaluable to me all the way from having peer mentors to having senior mentors. They were very, very important to helping me through my success. I think it's important that we really work as a nation and through various organizations to get more women and more minorities into the cybersecurity field. I think that is really, really important. I know there are many initiatives that are going on right now to do that, and I think we should stay on top of that and follow it through and ensure that, you know, our nation is well protected
Starting point is 00:22:16 and that we take advantage of all the rich resources that we have in those communities to bring them into the fold to be a part of solving the cybersecurity challenges that we're facing as a nation. In 2010, President Obama had made a statement that he identified cybersecurity as one of the most serious economic and national security challenges we face as a nation. So all of us need to be involved in addressing that challenge. Our thanks to Dr. Emma Garrison-Alexander for joining us. You can hear an extended version of our conversation, which includes Dr. Emma's views on cloud computing, as well as the specific cybersecurity challenges she faced at TSA on our website, thecyberwire.com. And that's the CyberWire.
Starting point is 00:23:11 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
