CyberWire Daily - Daily & Week in Review: Industry notes, including a look at labor markets. Cyber gangland and its neighborhoods.

Episode Date: April 15, 2016

In today's Daily Podcast we discuss the international response to ISIS, and the terror group's latest info ops. We cover the news from cyber gangland (and bid Paunch farewell as he enters a Russian pr...ison) including malware developments and the latest criminal approaches to making their infrastructure resilient. We learn some things about competitions as a way of building the rising cyber labor force from Raytheon's Jack Harrington, and we hear about the challenges of cloud data security from University of Maryland's Jonathan Katz. It seems privacy is in tension not only with security, but with transparency as well. And we talk about what the metaphorical hat you wear says about you (you hacker, you). Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k and enter code N2K at checkout. That's join delete me dot com slash N2K code N2K.
Starting point is 00:01:56 Nation state hacking gets mixed reviews. Three cheers for the American red, white and blue versus ISIS, but thumbs down to those colors when they fly over Russian ops in Scandinavia. Privacy seems to be in tension, not only with security, but with transparency as well. Crimeware is merging for new functionality, and some ransomware gangs are finding the blockchain a good infrastructure alternative. We take a look at educating the rising cyber labor force,
Starting point is 00:02:22 and we learn something about the challenges of data security in the cloud. And finally, we look at the good, the bad, and the ugly. You can tell them apart by the color of their hats. I'm Dave Bittner in Baltimore with your Cyber Wire summary and week in review for Friday, April 15, 2016. The week that's ending saw the return of ISIS to prominent online information operations, in this case making its inspiration specific by marking individual apostates and crusaders for death. One hopes that security authorities are properly alert. In any case, the U.S. has stepped up military offensive cyber operations against the self-proclaimed caliphate, and there
Starting point is 00:03:03 have been few objections from other nations, not even apparently from Russia, with whom the U.S. and Turkey have found themselves at cross-purposes in Syria. The Panama Papers and the coming implementation of the Privacy Shield data handling agreement between the European Union and the United States brought into focus an underappreciated tension. It's long been clear, and it's long been discussed, that there are certain conflicts between security and privacy. The Mossack Fonseca data loss suggests that the relationship between privacy and transparency is also problematic. This hasn't gone unnoticed by Department of Justice partisans in the FBI-Apple iPhone breaking dispute. One DOJ attorney, speaking for himself,
Starting point is 00:03:45 noted this week that Apple seems to have more in common with Mossack Fonseca than it does with the EFF. We're paraphrasing. What Jeff Breinholt wrote in War on the Rocks is that Apple was acting like an offshore tax haven. The FBI, by the way, still hasn't found much of anything on that jihadi's iPhone, and consensus is that the Bureau's unlikely to tell Apple just what its hired gray hat hackers did to gain access. The security industry saw a mixed week in the stock exchanges as investors grapple with
Starting point is 00:04:14 appropriate valuations. One issue companies and governments are struggling with is recruiting skilled cyber workers. U.S. federal CIO Tony Scott addressed a Passcode session in Baltimore this Tuesday about the sector's need to close the talent gap by opening careers to people who may have been overlooked due to their background, formal education, and the like, or even overlooked because job descriptions are written in ways many people find unappealing. Not everyone wants to think of herself as a cyber ninja, for example. One promising way of attracting younger talent to the industry is competitions. We spoke with Jack Harrington from Raytheon on one of these, the National Collegiate Cyber Defense Competition.
Starting point is 00:04:56 Here's what he had to tell us. About 180 schools compete, and it's all about them being able to prove that they can defend and protect against network attacks and cyber attacks, right? So they get a real network. There'll be different types of red teams, which are the actual hackers that are coming in and attacking their networks, and they have to keep up the services. They'll have customers, etc. And as it goes to these regions, then the winner of each one of those regions meets in San Antonio in April. And that's coming up here very quickly for the national title. The best of the best schools make it each year, but it gives the kids real world experience. I mean, that's the biggest thing I think for me is seeing how real life it is. They
Starting point is 00:05:43 have real life customers that call them and they get bosses that give them tasks that they have to produce white papers and presentations on in the midst of all this attack going on. So it's a very interesting event. Harrington expressed the importance of improving the pipeline of workers for both our industry and our nation. You know, we're not only protecting ourselves, we're protecting our customers, we're protecting the products that we provide, and we don't have enough talent, nor do our customers have enough talent out there. And so we've been involved in a program for many
Starting point is 00:06:15 years in science, technology, engineering, and math, STEM, right, education and careers, and it's called Math Moves You. It's focused on grade schools, getting more kids, middle school math students, and getting them involved in math, science, engineering, because we don't have enough engineers in our country. Well, the same thing is happening in cyber. And so this is a natural extension of our STEM involvement. And it really is, I think, at this point about getting to the college kids because universities are starting to put bachelor's programs together, starting to put master's programs together. But the number of students that actually are aware of a degree or an opportunity and career in cyber is very low. I think it's a
Starting point is 00:06:59 national imperative we get more and more kids involved. For the coming generation, computers and mobile devices are the most natural things in the world. But according to Harrington, we need to do a better job at making sure that they consider security with those devices and the possibility of a career in the field. Kids are born with a device in their hands today. I mean, I look at my son, even he's 21, and he's texting and Snapchatting and doing all the things that young people do, and it's ubiquitous in their life. But they don't think about cybersecurity, even from their own IT security hygiene perspective. I mean, click on anything, two seconds, and things are launching. And I think it's a failure at the national education level to get the word out and to say, hey, protecting yourself is important. And then
Starting point is 00:07:46 that this is an area that we need to get young people involved in. At one of the surveys we did, about 50,000 companies were advertising for jobs that require a CISSP certification last year, right? So that's a cyber and information security certification. And what we found in kind of looking out there is there's only about 65,000 people across the country that have these certifications and they're all employed already, right? So you got 50,000 more that are out there. So we need to be able to create more. And I think that that's a matter of, you know, getting to the grade schools, getting to the high schools, and then most importantly,
Starting point is 00:08:29 getting to these college students. The finals are coming up April 22nd through the 24th in San Antonio, Texas. And according to Harrington, it is a spectator sport. Biggest thing I'd say is come on out to San Antonio. And it's a great weekend. You get to see all the excitement. Saturday afternoon is probably the most exciting time when the red team really unleashes their fury against the ten finalists. Before that, they're kind of prepping as they go out. So to really see a team, you get down and you see a team of red team hackers. These are the best of the best across the country that get recruited
Starting point is 00:09:04 and compete to be a part of that prestigious red team. So it's an exciting event. That's Jack Harrington from Raytheon. You can learn more about the National Collegiate Cyber Defense Competition at nationalccdc.org. IBM X-Force researchers report the two banking trojans, Nymaim and Gozi, have combined into a single malware package, GozNym. It uses Nymaim's two-stage malware dropper, then deploys Gozi's injection of a malicious dynamic link library. More than 70 banks are said to have been affected.
Starting point is 00:09:41 GozNym is being delivered, for the most part, by malicious macros and email attachments. This isn't the first time malware has been combined. Attackers have done this sort of thing before as an effective way of packaging desired functionality. The Shifu Trojan that appeared in 2015, for example, integrated aspects of Shiz, Gozi, Zeus, and Dridex. CTB-Locker ransomware is now using the Bitcoin blockchain to deliver decryption keys to victims and also to take victims' payments, according to Sucuri. This approach makes it easier for the criminals running the extortion. They no longer have to maintain an elaborate infrastructure of gateways to their backend
Starting point is 00:10:20 server. Calling all sellers. winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Starting point is 00:11:20 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Transat presents a couple trying to beat the winter blues. We could try hot yoga.
Starting point is 00:12:05 Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks.
Starting point is 00:12:14 Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Cyber threats are evolving every second,
Starting point is 00:12:36 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:13:13 Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center, one of our academic and research partners. Jonathan, I know an area of research for you and your colleagues at the University of Maryland is the security of data in the cloud. Well, one of the issues that comes up with cloud computing is that you have users that are outsourcing their data to the cloud and then either doing computation over that data in the cloud or just perhaps using it as a storage medium and then retrieving the data afterward.
Starting point is 00:13:43 So there are two concerns that come up most naturally. One of them is privacy of the data, keeping the data hidden to the extent possible from the cloud. And the other that comes up is the issue of integrity, that is making sure that the data that you've uploaded to the cloud is not being tampered with, modified, or accidentally deleted. All right, so what areas are you all exploring when it comes to this stuff? Well, in the area of ensuring integrity, one thing we're looking at is outsourcing schemes that allow a user, for example, to upload their data to the cloud, as I mentioned, and then be able to post queries on the data, for example, search queries, range queries, exact matches, what have you, and be ensured that the result they get back is actually correct with reference to the original data that they uploaded. And so the challenge here is to make sure that the scheme is efficient,
Starting point is 00:14:30 namely that the user doesn't have to store very much data, doesn't have to do a lot of computation, but nevertheless can be assured that the answer they get back from the cloud is indeed correct and, like I said, hasn't been tampered with or fabricated completely. So how about the privacy angle? Well, there, one of the challenges is to ensure that the user can access their data obliviously. Because even if the user encrypts their data so that the cloud can't actually view any of the underlying data itself, the cloud provider may be able to learn a lot of information by looking at which items in the data the user is constantly accessing. So for example, if they see the user repeatedly accessing one item, they know that that's
Starting point is 00:15:07 currently an item of interest. And so one thing we're working on here is the development of so-called oblivious data structures that allow a user to obtain their data without revealing to the cloud, even when they're accessing the same data multiple times and without revealing, in fact, anything about the access pattern to the data. And this is just one mechanism that can be used to ensure privacy for the data being stored by the client. Interesting stuff. Jonathan Katz, thanks for joining us. And now a message from Black Cloak.
Starting point is 00:15:45 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. This was the week of Patch Tuesday. If you were worried about the mysterious Badlock vulnerability, take heart.
Starting point is 00:16:27 Badlock turns out to be bad, but not truly horrific, and Microsoft has now patched it. Sysadmins should patch Cisco's Unified Computing System, UCS, Central software. Researchers have discovered that a remote, unauthenticated attacker can compromise UCS. Users of QuickTime for Windows should also take action. It's at the end of its life, Apple will no longer support it, and it's affected by known vulnerabilities. In this case, users should follow Trend Micro's advice and simply uninstall the software as soon as possible. Returning to international cyber conflict, we note that several sources are reporting that Sweden's infrastructure has been under threat of a cyber,
Starting point is 00:17:04 or at least an electronic, attack from Russia since November of last year. The incident under most discussion is a series of outages Sweden's air traffic control system experienced between the 4th and 9th of November 2015. These disruptions are thought to have been caused by Russian testing of its Krasukha mobile jammer, a very modern but also very blunt electronic warfare instrument. While the Krasukha-4 is said to be clever and agile, it's still a big jammer that puts out massive RF energy, designed to shutter hostile surveillance and communication systems
Starting point is 00:17:37 as far away as low Earth orbit. The fact that such alleged jamming would have posed a problem for civilian air traffic control systems is unsurprising. What's mildly surprising is the suggestion that the threat to Sweden's infrastructure came either from Russian military forces or from actors supported or directed by the Russian government, specifically an advanced persistent threat group. This suggests a more conventional cyber attack than the heavy electronic warfare operation implied by Krasukha. Heavy-duty jamming would also seem easier to attribute. After all, it's unlikely that a group of hacktivist hobbyists, say in Kaliningrad, would have fabricated their own Krasukha.
Starting point is 00:18:17 There are also reports that Swedish power generation and distribution networks may have been probed. Russia and Ukraine continue to host the world's most active and capable cyber-criminal gangs. LookingGlass and LIFARS offer an overview of Eastern European gangland in the Cyveillance blog. They make a good bit of money from direct theft, but they also realize considerable profit from the sale of products and services. Off-the-shelf Trojans and DDoS bots are particularly popular items. The gangs also offer hacking services, dedicated server sales and bulletproof hosting, spam and flooding services, download sales, DDoS services, traffic sales,
Starting point is 00:18:55 file encryption services, and exploit writing services and sales. One mild surprise in the Cyveillance report is the minority but influential participation of German black marketeers. Eastern Europe obviously overlaps Central Europe, at least for the cyber gangs. One trend in cyber gangland is making the Eastern Europeans' infrastructure more robust and resistant to takedowns. According to a Team Cymru report, more of them are using fast-flux networks to change the A records of a domain rapidly, which yields a swiftly changing list of IPs hosting that domain. This makes it more difficult to take the domain down. Fast-flux network servers are located for the most part in Ukraine and Russia. They're hosting major carding sites as well as TeslaCrypt payment sites
Starting point is 00:19:41 and TreasureHunter point-of-sale controllers. Before we leave cyber gangland, we note that Dmitry Fyodorov, a.k.a. Paunch, the Blackhole exploit kit impresario, was just sentenced to seven years by a Moscow court. Whatever protections Paunch thought he had either reached their expiration date, or perhaps he overstepped his bounds or overstayed his welcome. In any case, Paunch and several other cyber criminals are now out of circulation. Finally, on the subject of hackers, here's a quick guide to the various colors of the metaphorical hats they wear. Metaphorical because, as everyone knows, all hackers literally wear hoodies.
Starting point is 00:20:19 They also say, we hear, "I'm in" a lot, but we might have just heard that on television. Think of the distinction in terms of use and disclosure. White hat hackers are vulnerability researchers, penetration testers, and the like. They operate within the law to find security bugs and disclose them to the people who can fix them. Sometimes they earn a bug bounty. Black hat hackers are criminal hackers in the classic sense. They find vulnerabilities and exploit them for illicit gain. And somewhere in between are the ones in gray hats. What they do can be a little unclear, whether because the law is unsettled, because they themselves operate on both sides of the law,
Starting point is 00:20:57 or because they disregard commonly accepted precepts of ethical disclosure. Fairly or unfairly, exploit brokers are often grouped with the gray hats. So there you have it in cyberspace, the good, the bad, and the ugly. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:21:58 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
