CyberWire Daily - Daily & Week in Review: Malware mines Monero. That sad OPM breach, Crackas cracked, and more.
Episode Date: September 9, 2016In today's podcast, we look at the ways in which election hacking have driven increased tension between Russia and the US. (And Wikileaks says it plans to release more election-related documents, befo...re the US elections.) GovRAT 2.0 is out in the wild. Congress reports out its investigation of the OPM hack, and we get insider perspective from Cylance's Malcolm Harkins. Intel sells its security unit (which will go back to its old McAfee name). Markus Rauschecker from UMD CHHS discusses a proposal to check social media accounts at the border. And the FBI arrests two it says are the Crackas-with-Attitude. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
Tensions rise over election hacking as more call for naming and shaming Russia.
Assange says he has more docs to release on WikiLeaks.
VDOS DDoS service earned its master $600,000 over the last two years.
GovRat 2.0 is out in the wild.
Congress reports its investigation of the OPM hack.
Intel sells its security unit, which will go back to its old McAfee name.
And the FBI says they've nabbed the crackers with attitude.
they've nabbed the crackers with attitude.
I'm Dave Bittner in Baltimore with your Cyber Wire summary and weekend review for Friday, September 9, 2016.
There was little ambiguity at this week's Intelligence and National Security Summit.
The U.S. and Russia are clearly positioned as adversaries in cyberspace.
That the U.S. would rather not have to engage in an ill-defined and poorly delimited cyber
conflict with Russia was equally obvious. But many of the summit's participants were
prepared to echo U.S. Secretary of Defense Carter's warning to Russia that it should
avoid interfering in democratic processes. In the case of some members of Congress and experts
from the private sector, they were willing to amplify that warning. The senior members of the
House Permanent Select Committee on Intelligence called for more forthright attribution, more naming
and shaming. The interference in democratic processes, of course, refers to what's being
characterized informally, albeit all but officially, as a
Russian government campaign to disrupt upcoming U.S. elections. Such a campaign is under active
investigation, as Director Comey said yesterday at the summit when asked to comment on the matter.
Direct hacking of voting is feared, and intrusion into state election databases has fed those
concerns. But such Russian activity, as has been observed,
is more consistent with influence operation than classic cyber attack.
Observers see the probable goal as undermining confidence in U.S. institutions
to the general detriment of the U.S. and the advantage of Russia.
Most of the interest in the alleged Russian campaign continues to center on what Russian intelligence services
may have collected from political parties,
especially the Democratic Party, and from candidate Clinton's State Department-era private email server.
WikiLeaks' Julian Assange, objectively aligned with Russia's government,
has promised to release as many as 100,000 pages of new material related to Hillary Clinton.
No firm date is promised, but Assange says he'll leak the material before the election.
Krebs on Security reports that VDOS, an Israel-based booter DDoS attack service,
has earned its masters some $600,000 over the past two years.
The operator's criminal customers use VDOS in their attacks on targeted online services.
Operator's criminal customers use VDOS in their attacks on targeted online services.
InfoArmor has published an update on GovRat, a criminal campaign now in version 2.0,
and exfiltrating data from U.S. government, military, and defense industrial-based targets.
InfoArmor concludes that, quote, the threat actor is working with a highly sophisticated group of cybercriminals
that are selling stolen and fake digital certificates
for mobile and PC-based malware code signing
used to bypass modern AV solutions for other possible APT campaigns.
End quote.
The Congressional report on 2015's massive OPM breach is out.
We spoke with Cylance's Malcolm Harkins
and got the inside perspective on the breach.
We'll hear from him later in the show.
The big industry news this week was Intel's sale of a controlling interest in its cybersecurity unit to private equity firm TGP.
Intel Security, as the unit was called, will revert to its better-known name of McAfee,
despite challenges from the original founder, John McAfee.
Intel paid $7.7 billion for McAfee in 2010.
It sold 51% of the unit for $4.2 billion.
Intel will retain 49% of McAfee.
And finally, remember the crackers with attitude?
The boyos who allegedly got into the USDCI'sIs and DNIs and other numerous private email accounts.
The G-men yesterday popped two millennial gentlemen, Andrew Otto Boggs, age 22,
and Justin Gray Liverman, age 24,
and charged them with various computer crimes in connection with the incident.
The gentlemen allegedly worked by social engineering and not by applying any mad technical skills.
That social engineering involved impersonating, the feds say, allegedly, Verizon techs and FBI IT support.
Boggs and Liverman will soon plead their case in the Eastern District of Virginia.
Observers expect a swift adjudication.
That Alexandria court's not called the Rocket Docket for nothing.
that Alexandria court's not called the Rocket Docket for nothing.
So, North Carolina, it turns out the alleged crackas weren't from Nutley or Ron Concoma, after all,
as some of our stringers had speculated,
but allegedly, we stress, from North Wilkesboro and Moorhead City, North Carolina.
All persons accused of crimes are entitled to the presumption of innocence, or so our lawyers tell us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And I'm joined by Marcus Roshecker. He's the Cybersecurity Program Manager for the University of Maryland Center for Health and Homeland Security.
Marcus, some privacy groups are not happy with the Department of Homeland Security
about a social media proposal that they've come up with.
What can you tell us about that?
Yeah, so there's a new proposal out by the Department of Homeland Security that says that anyone coming into the United States through a visa waiver program would now have toernames or other social media identifiers, Facebook, Twitter handles, so Protection could presumably investigate any kind of online media
presence, any kind of online postings to when they review the application of the individual
traveling to the United States. So on the surface, that doesn't seem terribly unreasonable, but there
are a number of privacy groups who take issue with this. Right. So DHS is saying a lot can be
learned about an individual if you
take a look at their social media or their online presence, and DHS thinks that they can then more
easily identify potential terrorists or other threat actors before they come to the United
States. Of course, privacy and civil liberties groups are very opposed to this proposal because they say it's a
fundamental infringement on the right to speech and the right of opinion. And it can potentially
put a damper on people's willingness to post online and to post their views and to post their religious views online. There's a real concern among privacy
groups that this proposal is an infringement or obstacle to free speech and freedom of expression.
And so it is just a proposal, so I suppose there'll be a comment period before anything is
settled on? Absolutely. Right now this is a proposal. DHS is seeking comments on this proposal.
We'll see what they get back.
I know that a lot of the privacy groups, civil liberties groups,
have already responded with strong opposition to this.
I'm sure DHS will be getting a lot of comments about this proposal.
And they'll take that into account,
and they'll
see if they need to refine the proposal. And then we'll see what happens to the proposal in the end
if it goes through or if DHS decides to scrap it. All right. We'll keep an eye on it. Marcus
Roshecker, thanks for joining us. Thanks very much.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The U.S. House of Representatives Committee on Oversight and Government Reform released their report on the OPM data breach this week, subtitled, How the Government
Jeopardized Our National Security for More Than a Generation.
My guest today is Malcolm Harkins, Chief Security and Trust Officer at Cylance, a cybersecurity
company who was named specifically in the report for their part in detection and remediation
of the breach.
I asked Malcolm Harkins for his take on the report.
I thought the report itself was quite
thorough and complete. It seemed like a very thoughtful and well-written and one of those
reports that they turned over all the rocks and my read of it looks like they summarized the key
items quite well and it for, was very useful in looking through
not only the details of the timelines, the analysis, but I also think the conclusions
that they came up with. Can you take us back and sort of walk us through the timeline of
what happened with this breach? Well, if you read through the report, there's in many ways a little
bit of a couple different timelines.
One of them started out a few years ago, long before this ever got into the press. In 2012, they had established that attackers had access to the OPM network, according to the U.S. CERT, and found malware resident on their servers since 2012.
and found malware resident on their servers since 2012.
And so it evolved.
You could look at it back into that time period, but also some things in 2013.
But 2014 is really when they had the first, what I'd say, notification from the U.S. CERT of data exfiltration from their network.
And that was what created what they called their Big Bang Strategy,
where they spent a few months trying to figure out when and how things were occurring
so they could observe the intrusion.
And then they had their Big Bang Strategy,
which was essentially the extraction and remediation of the intrusion from their environment that they went through.
Now, what I think most of us seem to remember is really what happened in 2015 when the notification
went out that they had been breached. And that's really what caused the awareness,
what then triggered the oversight committee to do this investigation.
And Cylance is mentioned specifically in this report.
What was your role in the discovery and the remediation?
So our role dates back in multiple things.
Into the 2014 time period, they were looking at our product, doing some evaluation of it
at that time. But in reality, what happened was in April of 2015, an individual in the OPM
organization got kind of the first indications of malware that was occurring. And what they had done
was they brought a silence expert on site to help facilitate the discovery and then installation of
our silence protect product. And then from there, we worked with them very closely through that
rollout and then the remediation and essentially elimination
of the intrusion from their environment. What we did was we found the specific instances of the
malicious code when they had already had some detection. So OPM had already had some idea that some things were not
right, that were found through other means and other mechanisms. And then they ran those samples
against us, which then told them, okay, this is something that is malicious. And that's when we
got the engagement. We sent people in to help. We started rolling out
the product. And as you can see in the report, there were some items that as they started doing
that roll up, characterized as, you know, they were kind of lit up like a Christmas tree. Because
once they rolled us out, and they started getting the visibility to what was on their systems, there was right
around 2,000 pieces of malicious code that we had identified.
What are the takeaways for you?
I think the takeaways are a few things.
One, when you evaluate a new technology and a new set of controls and a new way of doing things like opium had
the opportunity to do starting in 2014 and again if you look through the timeline
and you look through the conclusions if they had deployed us in those time periods the report is
pretty conclusive it would have prevented and mitigated essentially all of this from having
occurred. That's a little bit, you know, hindsight's 20-20, but I think there's a lesson in that for
everyone. And it's a new approach, it's a new way of thinking, but it does change the risk dynamics.
So that's one. Two, perhaps the leadership challenge. And I think that's a
broader thing that when I read the report, that I think is perhaps a systemic issue across the
industry in terms of having policies, not implementing them, having an idea of what I
can do to solve the risk, not moving forward with it, not getting the budget and authority,
having a level of perhaps more independence
of the security team and the security officer
from the IT team.
Because again, if the IT team's measured
on availability, rollout of functionality and cost,
I'm a big believer in structure drives behavior.
You get what you measure. That's an element, I think, of some of this stuff. And then finally, I think the other
big learning and conclusion out of this report is there is hope. You can achieve a level of security
that is unprecedented. I think you can achieve a level of flattening and lowering your total
cost of controls that's unprecedented when you focus on prevention. And then finally,
I think with the right mindset, security can enable the business.
That's Malcolm Harkins from Cylance. You can hear more of our discussion where we talk about
the responsibilities of board members, proactive versus reactive approaches to security, and how some security professionals have what Mr. Harkins describes as a hero dilemma
next week on our website, thecyberwire.com.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.