CyberWire Daily - Daily & Week in Review: Europol and its partners say they've got the head of the Avalanche snake. DDoS and IoT botnet updates. Android vulnerability. New rules for warrants and insider threats.
Episode Date: December 2, 2016
In today's podcast, we hear about an international takedown of the Avalanche cybercrime ring. (Bravo, FBI…and others.) A vulnerability in AirDroid is reported—you can find the app in the Google Play Store. Russia says there's a plot afoot to hack its banks and spread financial panic. US Senators tell the White House they want to know more about Russian attempts to influence US elections. This week has seen more Mirai DDoS, a resurgence of Shamoon, and another round of WikiLeaks doxing. There are also changes to NISPOM and Rule 41 in the US, and Ben Yelin from the University of Maryland Center for Health and Homeland Security fills us in on that. Denim Group's John Dickson helps us understand what we might expect from the coming Trump presidency. In the UK the Snooper's Charter received Royal assent. And what do pacemakers and e-cigarettes have in common? Malware.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Police take down the Avalanche cybercrime ring.
A vulnerability in AirDroid is reported.
You can find the app in the Google Play Store.
Russia says there's a plot afoot to hack its banks and spread financial panic.
U.S. senators tell the White House they want to know more about Russian attempts to influence U.S. elections.
This week has seen more Mirai DDoS, a resurgence of Shamoon, and another round of WikiLeaks doxing.
There are also changes to NISPOM and Rule 41 in the U.S., and in the U.K., the Snooper's Charter receives
royal assent.
And what do pacemakers and e-cigarettes have in common?
Malware.
I'm Dave Bittner in Baltimore with your Cyber Wire summary and week in review for Friday,
December 2, 2016.
We're able to begin today with some good news.
An international police operation involving the FBI, the UK's National Crime Agency,
Germany's BND, Europol, and others has taken down the Avalanche cyber fraud ring.
Avalanche has been described as one of the largest crime-as-a-service networks in cyberspace.
Active since 2009, it hosted not only money laundering operations,
but some of the world's best-known and most dangerous malware.
The names of the malicious code families will be familiar to many of you.
Citadel, Dridex, Vawtrak, TeslaCrypt, PandaBanker, Crydex, and GameOver Zeus,
to mention just a few of the strains available on Avalanche.
Avalanche had long been resistant to takedown because of the fast-flux approach it employed,
changing the IP address records associated with domain names roughly every five minutes.
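As an added illustration (not from the podcast or from the Avalanche investigators), the following Python scores constructed passive-DNS observations for the fast-flux pattern just described: an address pool rotated on a short TTL across many unrelated networks. The domain names, addresses and timestamps are constructed sample data, and the thresholds are assumptions a defender would tune against their own resolver logs.

```python
"""Score passive-DNS observations for fast-flux behaviour (added example).

Avalanche survived takedown attempts by swapping the A records behind its
domains roughly every five minutes. A short TTL on its own proves nothing
(CDNs use short TTLs too), so this combines three signals: short TTL,
a large pool of distinct addresses, and addresses scattered across many
/16 networks instead of one provider's block. IPv4 only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Observation:
    domain: str
    ts: int   # seconds since epoch when the answer was seen
    ip: str   # address returned in the A record
    ttl: int  # TTL of that record in seconds


def score_domain(obs: list) -> dict:
    """Summarise one domain's observations into the signals used below."""
    obs = sorted(obs, key=lambda o: o.ts)
    ips = {str(IPv4Address(o.ip)) for o in obs}        # validates each address
    nets = {ip.rsplit(".", 2)[0] for ip in ips}         # /16 prefix, e.g. "10.7"
    avg_ttl = sum(o.ttl for o in obs) / len(obs)
    changes = sum(1 for a, b in zip(obs, obs[1:]) if a.ip != b.ip)
    span_h = max(obs[-1].ts - obs[0].ts, 1) / 3600.0    # avoid division by zero
    return {"distinct_ips": len(ips), "distinct_16s": len(nets),
            "avg_ttl": avg_ttl, "changes_per_hour": changes / span_h}


def is_fast_flux(stats: dict, max_ttl: int = 300, min_ips: int = 10,
                 min_nets: int = 5, min_churn: float = 6.0) -> bool:
    """Thresholds are assumptions; tune them against your own resolver logs."""
    return (stats["avg_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_16s"] >= min_nets
            and stats["changes_per_hour"] >= min_churn)


def flag_fast_flux(observations: list) -> list:
    """Return the sorted list of domains whose observations look like fast flux."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    return sorted(d for d, obs in by_domain.items() if is_fast_flux(score_domain(obs)))


# Constructed sample: one domain rotating through twelve addresses in twelve
# different /16s every five minutes, and one CDN-style domain with a short TTL
# but only four addresses in a single /24 (high churn, small pool: not flagged).
SAMPLE = (
    [Observation("flux.example", i * 300, f"10.{i + 1}.0.{i + 1}", 300) for i in range(12)]
    + [Observation("cdn.example", i * 300, f"192.0.2.{10 + (i % 4)}", 60) for i in range(12)]
)

if __name__ == "__main__":
    for domain in ("flux.example", "cdn.example"):
        print(domain, score_domain([o for o in SAMPLE if o.domain == domain]))
    print("fast-flux candidates:", flag_fast_flux(SAMPLE))
```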
39 servers are said to have been seized in coordinated raids, with another 221 taken offline.
Hundreds of thousands of domains were also seized
in an international sweep carried out in five countries Wednesday.
Wired puts the tally north of 800,000.
The U.S. Department of Justice reporting on the operation
and the role the FBI played in it, especially the Pittsburgh office,
said that some 40 countries were involved.
At least five arrests have been reported so far,
with other warrants still outstanding.
The takedown is interesting and perhaps novel in that it concentrated on hitting leadership
and key infrastructure, as opposed to netting little fish and tinkering around the margins.
In a statement to the Associated Press, Fernando Ruiz,
head of operations at Europol's Cybercrime Center, put it this way,
quote, we have arrested the top, the head of the snake.
We are sure that this will have a very huge impact, end quote.
The rest of the snake hasn't escaped attention either.
German authorities identified 16 leadership-level players at Avalanche,
and a German court in Verden is said to have issued seven arrest warrants.
Avalanche had victims in a reported 180 countries. Observers see the success
as a good sign that Avalanche is gone for good, although one must temper such optimism with
recognition that we've seen criminal revenants before, and almost surely will again. As usual,
the investigation and takedown proceeded with security industry support. Yesterday's raids
were the culmination of four years of collaborative international police work.
A new Android vulnerability surfaces inside Google Play's walled garden.
Zimperium reports that for the past six months, the remote management app AirDroid
has used a static, readily detected encryption key. Ars Technica compares it to leaving your
house key under a doormat. Zimperium informed AirDroid of the vulnerability in May,
and AirDroid has sought to address it, but with imperfect success. They're
working on a comprehensive solution.
Russian authorities say they've uncovered a plot by unnamed foreign intelligence services
(but they're looking at you, Vice President Joe Biden, you spymaster, you)
to disrupt Russia's banking system with a mix of cyberattacks and information operations
designed to foment financial panic.
These statements have a certain symmetry with concerns expressed in the U.S. over Russian election hacking.
On that election hacking, FireEye describes Russian intelligence services as having, quote,
weaponized social media, end quote,
and says those services no longer appear to care much about their activities going undetected.
Several U.S. senators have asked the White House to reveal more of what they think the White House
knows about Russian attempts to influence the election.
Looking back at the week, observers continue to expect more Mirai botnet distributed denial of service.
The biggest incident affected nearly a million customers of Deutsche Telekom last Sunday.
It's since come to light that there were smaller but still significant disruptions in the UK.
Both TalkTalk and the British Post Office were hit with DDoS also on Sunday.
About 100,000 UK customers were knocked offline.
A Mirai IoT botnet has been implicated in both the German and British incidents,
and in both cases, the botmasters told affected customers
they were sorry and meant no harm.
The customers didn't get your apologies, dudes.
They were offline. Go figure.
Shamoon has returned to bedevil Saudi networks,
destroying data in several sectors.
Civil aviation is thought to be particularly
affected by the Iranian malware. WikiLeaks doxed the German BND over its relationship with the
US NSA. WikiLeaks also sustained a four-hour outage yesterday, and speculators speculate
on a priori grounds that the incident was a retaliatory DDoS because, of course, that's what speculators do.
On Wednesday, NISPOM Change 2 went into effect. NISPOM is the National Industrial Security Program.
It required all federal contractors with a facility clearance, that is, roughly a
clearance to store and work with classified information, to self-certify that they have
an insider threat management program in place. Such a program would address responsibility, training, and reporting.
Insider threats, of course, can be malicious, careless, or even well-intentioned.
Another example of an insider threat came to light this week in the Netherlands,
where people noticed that documents relevant to Europol terror investigations
were compromised by a careless police investigator.
He took them home and exposed them to the internet,
where Shodan searches stumbled across them.
The unnamed investigator is described variously as a rogue and not a rogue.
It would seem likely that he belonged to that tribe of hard-working pack rats
that's long been the despair of security officers.
The week also saw the Snooper's Charter become law in the UK
and in the US implementation of changes to Rule 41, which governs the scope of warrants to collect
information online pursuant to criminal investigations. We'll hear more about this
from Ben Yelin after the break. And finally, some notes about cybersecurity and your health.
Researchers have shown that various pacemakers and implantable defibrillators, ICDs,
are vulnerable to reverse engineering and hacking.
Their proof-of-concept exploits showed that they could collect information about the patient
in whom such a device was installed, as well as information about their treatment.
It's also possible to go beyond such threats to privacy and drain the device's battery
or send the device arbitrary commands.
So perhaps you're thinking you can avoid these problems by adopting a more heart-healthy lifestyle.
You've heard that smoking cigarettes could give you heart disease, and so you chuck your last pack of coffin nails and say to yourself,
I'm going to get me some of those e-cigarettes I see at the convenience store.
No luck, friend. The malware is going to get you even in the low-tar alternative.
Wapack Labs says that people suspect some Chinese e-cigarette manufacturers are hard-coding
the USB charging units that come with the high-tech butts with malware.
So think twice before you plug that cigarette into your laptop's USB port.
That nicotine buzz isn't worth a malware infestation.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, once again, this case with the FBI versus the people who ran the Playpen child pornography site. It's back in the news.
There have been some new revelations about the extent of the FBI's hacking.
Bring us up to date.
So we found out in January at least a small part of the extent of this operation in which
the FBI was trying to hack into computers to shut down this child pornography ring.
We recently learned that the deployed malware was much more extensive than we originally thought.
It's now known that the FBI obtained over 8,000 IP addresses,
and they were actually able to hack computers in 120 different countries. The reason that this
concerns some civil liberties advocates is that all of these searches were based on a warrant
issued by one magistrate, one magistrate who generally would only control a relatively small geographical area. But in this case, this warrant has covered, obviously, IP addresses both in the United States and around the world.
And that actually invokes another problem that's been in the news recently,
and that's so-called Rule 41 of the Federal Rules of Criminal Procedure.
The way Rule 41 operates is that it dictates the ground rules for electronic
surveillance. And one of those ground rules is that magistrate judges cannot allow surveillance
anywhere beyond their jurisdiction. Earlier this year, those rules were amended and those
amendments were ratified by the U.S. Supreme Court. And now under Rule 41, a single magistrate judge can
authorize electronic surveillance, even if the surveillance itself is going to implicate IP
addresses beyond the geographical reach of that magistrate judge. This caused a bit of a political
battle earlier this week in the United States Senate. A couple of senators tried to introduce a bill to delay implementation of this amended Rule 41.
I know Senator Ron Wyden, who is one of the biggest civil liberties advocates in the Senate, was behind this effort.
Also, Christopher Coons of Delaware.
They tried to get a bill passed by unanimous consent in the Senate.
The Senate leadership had no interest in passing the bill.
They objected to the request, and the rule took effect as of December 1st. Obviously, this is something we're
going to have to watch for going forward. Since the Supreme Court has ratified Rule 41, really,
the only remedy is going to be legislative, and it remains to be seen whether there's the political
will to undo the work that's been done to amend Rule 41.
Well, we'll have to keep an eye on it. Ben Yelin, thanks for joining us.
My guest today is John Dickson. He's a principal at Denim Group, a secure software development
company and consultancy on matters of software risk and security. John Dickson is a former U.S. Air Force officer who served in the
Air Force Information Warfare Center and was a member of the Air Force Computer Emergency Response
Team. In his role at Denim Group, he's close to policymakers at the state and federal level,
and we wanted his take on what we might expect in terms of cybersecurity policy as we head towards a Trump presidency. He joined us from his office in San
Antonio, Texas.
What about his relationship with the Russians? There was much talk during the
campaign that President-elect Trump resisted naming the Russians as being responsible for hacking, although he encouraged them to do so.
As we move forward and he has to engage with agencies like NSA, like the FBI, how are those relationships, or even his tone and attitude towards the Russians, how is that going to frame things for him?
Well, I would pay a lot of money to be at that first meeting, our first set of meetings in Fort Meade.
You know, interesting enough, these guys work for him now.
These agencies, these thousands and thousands of professionals in the intelligence community now work for him, work for the executive branch and report to him.
So now they're his asset. And my sense is that there's
probably some level of mending of fences that should occur or probably has to occur. So he's
going to have to trust, or at least find advisors to trust, be it Admiral Rogers, be it somebody in the
DOD or DHS. And that's why I think the appointments are so important.
But yeah, he definitely came out pretty strongly questioning the intelligence community.
That's probably one of the first candidates
that I can recall that's done that.
And overtly encouraging the Russians to hack us,
that was probably more hyperbole
than it was serious policy in the context of the moment.
So we'll give him a little bit of benefit of the doubt on that one, but we'll see.
Is it fair for us to expect expertise in the realm of cybersecurity?
I mean, certainly not everyone who has held the office of the president has been an expert in all of the areas that were under their command.
I think there's this notion that as long as people put good people around them who do know these sorts of things
and then trust their advice, follow their advice on good counsel, we may just be okay.
But that's not the sense that I think people are feeling or describing as we come into a Trump presidency.
Certainly his behavior during the campaign doesn't give a lot of people hope.
Do you think that's a fair assessment?
I think we're going to see. We'll find out.
And what's happened since the election with the transition team doesn't put
those fears to rest. But here's what I would say. He is going to have bigger policy issues to tackle.
We've already talked about that. I mean, and he's going to have policy issues that come to him.
I think if you read about what happens to any president in their first hundred days,
they're typically tested by some type of foreign policy crisis that wasn't on
their radar screen. And it happened to Obama, it's happened to every president where they come in and
say, my first 100 days, here's my script for my first 100 days. And then something happens in the
Middle East, or the North Koreans do something, and it just not, it sucks the cycles out of you.
So I think that's, that'll be interesting to see. And that's why they have
to rely on experts, because you want the public policy engines of state to continue onward
in spite of those crises. So it'll be very interesting to see, given his interaction
with Anonymous or the Anonymous guys coming after him, whether or not the
activists are going to do something, whether or not he's going to be tested by the Russians
or the North Koreans.
But one thing I would say, I bet he's probably one of the smartest candidates on cybersecurity
stuff, given what he went through during the election cycle, during the campaign.
I mean, his properties were attacked, the hotels were attacked,
his campaign headquarters was attacked.
Obviously, the DNC and RNC were attacked.
So he may be, along with his former competitor,
probably the smartest candidates on cybersecurity ever, I would suggest.
There is a lot of policy underway at the executive branch level in DHS and in the DOD and certainly a lot of proposed legislation in Congress.
You've got smart guys on both sides of the aisle and both houses, guys like Will Hurd, like Michael McCaul from our backyard, who know this stuff particularly well. So one interesting positive that's come out of all this is that maybe with the deadlock
no longer in the House and Senate between the two parties, maybe they can actually get
some cybersecurity legislation through that helps move things forward versus the last
year or two where neither party wanted to give each other a win.
So I'm hopeful, I got my fingers crossed that maybe we can move the legislative needle a bit above and beyond information sharing.
The question is, on the legislative front, will a senator or congressman submit a bill that creates
a separate agency or cabinet-level role for this type of function? That was something that got bandied about last year.
So we'll see.
But yes, on the executive side, government will continue on doing what it does.
That's John Dickson from Denim Group.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.