CyberWire Daily - Daily & Week in Review: Money laundering, cyber fraud, lost laptops, & how cyber criminals get paid.
Episode Date: June 3, 2016
In today's podcast we review some notes on alleged North Korean involvement in fraudulent SWIFT transfers, and on new US sanctions. We take a look at various corners of the cyber criminal underground, including commodification of both malware and stolen data. Big claims for artificial intelligence are going to involve some big litigation, too. And we hear, again, about the vulnerability of data-at-rest and the importance of encrypting your devices. Ben Yelin from the University of Maryland Center for Health and Homeland Security discusses the potential legal ramifications of a Facebook privacy suit, and Joseph Billingsley tells us about the Military Cyber Professionals Association.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Point to North Korea. Awareness grows of how big some very big breaches were.
One weird trick to earning a living from home with ransomware.
Extortionists look for embarrassing digital exhaust.
Big claims for AI making for big claims in court, too.
And hey, NFL, don't fumble your laptops.
Say, maybe deflating mobile devices would improve your ability to hold on to them.
Any Boston-area cyber companies have thoughts on this?
Just kidding.
We like to kid.
We're kidders.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, June 3, 2016.
New evidence surfaced this week of possible North Korean involvement in fraudulent funds
transfers over the SWIFT network.
Anomali Labs has joined BAE and Symantec in saying it's found the malware spoor of the DPRK-connected Lazarus Group in the affected banks.
Coincidentally or not, on Wednesday, the U.S. Treasury Department tightened sanctions on North Korea.
Citing the DPRK as a center of money laundering, Treasury moved to restrict the country's ability to transfer funds by limiting the use of correspondent accounts to process transactions involving North Korea.
The illicit transfer that prompted SWIFT and its partners in global financial services to review and upgrade their security measures was February's theft of $81 million from the Bangladesh Bank via SWIFT transfers through the New York Federal Reserve.
This week, responding to a Reuters Freedom of Information Act request, the Fed's Board
of Governors disclosed 51 cybersecurity incidents at its Washington location between 2012 and
2015.
The report covered only Washington, not the 12 regional branches, and included several incidents attributable to espionage.
This has been a week of big data breaches, not new breaches,
but old ones that turned out to be a lot bigger than originally thought or feared.
LinkedIn began the trend two weeks ago when it was determined that its 2012 breach
was orders of magnitude larger than previously believed.
The business-focused social network has since been joined by Tumblr and MySpace, both of whom have also significantly
upped their estimates of the amount of data lost. The stolen credentials are for sale in dark web
markets at surprisingly low prices. One familiar name mentioned in connection with the breaches,
Dropbox, seems on further review to have sustained no security breach after all.
Krebs on Security reports that LifeLock and other identity theft protection companies
warned customers that Dropbox had leaked 73 million usernames and passwords,
but this appears quite wrong.
The lost data seems to have come from the Tumblr breach.
The low prices cybercriminals put on such stolen information, just $2,800 for nearly
half a billion stolen MySpace credentials, suggest that the black market is continuing its race to
the bottom. Some criminals are selling zero-days or malicious code, and even these don't carry
prohibitive price tags. An alleged Windows zero-day is being auctioned with bids starting at $95,000,
and Jigsaw ransomware is being offered for the fire-sale price of $139.
Crimeware markets are shifting toward a volume model, looking for sales to the script-kiddie mass market.
So how much do ransomware crime lords stand to make?
We haven't actually seen pop-ups offering us the one weird trick that will let us earn thousands working from home,
but the criminal gig economy doesn't appear to be making anyone spectacularly wealthy.
Flashpoint has been poking around the Russian criminal underground since December,
and it seems to them that a diligent, successful head of a ransomware campaign stands to pull in around $7,500 a month, or around $90,000 a year.
That is, if they stay on the good side of the militsiya, the Russian police, long enough to get paid.
The FSB announced on Wednesday that it collared 50 hackers who rifled Russian bank accounts of some 1.7 billion rubles, or $25 million.
So what does a ransomware boss have to do?
It's like any other multi-level marketing scheme you might run from your home.
Get code, recruit distributors, collect ransom, and pay the distributors a commission.
Not all online extortion involves ransomware.
Criminals are getting into an enterprise's network,
finding information that shows they've been there,
and then contacting the hacked enterprise with an offer to disclose the vulnerability in exchange for payment.
Effectively black hat pen testers, the bug poachers are asking about $30,000 a pop.
And there's more traditional blackmail, too.
You will recall the Ashley Madison affair, in which the threat was exposure and humiliation.
The U.S. FBI has warned that more of this sort of thing is on its way.
Attackers look for potentially embarrassing information, then contact the victim with
an offer to keep such information private for a fee.
The information might be any number of relatively accessible things, like rude emails one would
rather not have generally disclosed, or interactions with adult websites.
We suggest you remember philosopher Immanuel Kant's categorical imperative,
or at least the Washington Post test version of it that's passed into folklore, in all of your online communications.
Always act in such a way that you'd be happy to have everyone do as you do.
Joining me once again is Ben Yelin. He's a senior law and policy analyst with the University of Maryland Center for Health and Homeland Security. Ben, there was a recent story about a
Northern California district judge ruling on Facebook, allowing a class action suit from people in Illinois
who don't like the photo tagging feature on Facebook with facial recognition.
Where's this case going?
I'm sure most of your listeners would be interested to find out
where the merits of this case are going to go.
I think we're all interested in whether a private company
can use this facial recognition software
and whether plaintiffs
have some sort of privacy interest that would prevent it.
Unfortunately, I think the way this case is turning out, we're so far from the merits
because of all of these legal hurdles that both sides are jumping through.
So just to give a little background here, the dispute in this case is around choice of law issues.
So when each of us click the agree to terms of use on our Facebook pages, which we've all done,
we agree that if there's ever any dispute between us and Facebook, that dispute will be adjudicated in California courts.
And this is what Facebook wants.
They have expectations for California courts.
That's where they're located. All of
their lawyers are out there. So it's a favorable policy towards Facebook. What this judge decided,
he didn't make any indication of the merits of the case. He didn't say anything about the privacy
interest involved in facial recognition software. And he even said that that choice of law provision in the contract
you sign when you click on those terms of use is not technically invalid. He did, however,
point to a part of a test on choice of law issues. And that test is whether the choice of law clause
in the contract is, quote, contrary to a fundamental policy of Illinois, and if so, whether
Illinois has a greater interest in the determination of this case. In other words, are we dealing with an
issue that the Illinois state legislature has decided is of such importance to its people
that it would not be in the interest of justice or fairness to have the case adjudicated elsewhere?
This judge in Northern California decided that Illinois had expressed the fundamental importance of that case and had determined that Illinois actually has a greater interest
in determination of the case.
So he has moved this case back into the venue of Illinois.
The reason I think this could be problematic is that
it creates a level of uncertainty both for Facebook and for plaintiffs who want to challenge
some of the privacy or perceived privacy intrusions of Facebook. We're now in this
area of uncertainty as to whether if a state passes a law that governs something in this area,
whether it is of such fundamental policy importance
that a California court would transfer it back to that original state.
And that's just a very, very vague standard that I think will be difficult
for California judges to adjudicate going forward.
And what is this? I mean, looking forward, you have Facebook, which is a global company. I mean, could we find ourselves in a situation where local jurisdictions are saying, we're not going to allow this thing? We perceive, for example, facial recognition being an intrusion of privacy. And so could
scenario is that Facebook is going to be faced with legal chaos and lawsuits in various states.
I mean, if the decision of this Northern California judge is of any guidance, then state legislatures will know that if they express some sort of fundamental policy, then they can get suits adjudicated against Facebook in their state courts.
And that's Facebook's worst nightmare.
They do not, especially on questions of fundamental privacy interests,
they do not want to be traveling around the country responding to suits in 50 different states
based on the whims of 50 different state legislatures.
So I think if the ruling of this judge is upheld, it could be an
absolute logistical nightmare for Facebook. And I think if they are interested in avoiding some of
these difficult choice of law questions, that might impact their policy on facial recognition.
All right, Ben Yelin, thanks for joining us.
many large organizations are using older, even more vulnerable versions of both WordPress and Drupal, so review and, if necessary, upgrade your installations.
U.S. schools approach their summer vacations, but the Air Force Association will be offering
its popular cybersecurity boot camps for students interested in the field. This summer, the
AFA says it will hold a record number of camps in 85 locations.
One organization looking to the state of the cybersecurity profession is the Military Cyber Professionals Association.
We spoke with the MCPA's founder, Joseph Billingsley, about his organization and its role in the professional community.
Based upon my experience out in the field in all different types of capacities,
whether you're talking more on the intel side of the house or on the more IT signal comm side of the house or in strategy policy world,
I noticed a real gap, a real need for people to crosstalk more with each other within the space,
within the military cyber community in particular. And I really focused on this particular community because it's very, very clear from my own experiences and also from the findings and multiple documents and policy documents as well that this is a national security priority, cyber, cybersecurity, cyber operations.
And as anybody could also see from looking at CNN.com or your local newspaper,
cyber breaches are a very real thing.
The intellectual property that is hemorrhaging out of the United States is a very real thing and impacts our nation in a very serious way.
So that's where I decided at the time as a strategist, Functional Area 59 strategist,
to focus my energies on this
particular community. Among the functions of the Military Cyber Professionals Association is
providing activities, opportunities, and education for its members on both the local and national
level. At the national level, we have certain high-impact nationwide types of events. Most recently, we participated in the Navy League's national
exposition at National Harbor. We hold Capture the Flag, Cyber Capture the Flag CTF events.
So most recently, the JCC, the Joint Cyber Challenge, was a national level event with
teams from across the American defense community, which was great.
Then we also have a number of chapter level events. So also a cyber capture the flag event run by our St. Louis chapter based on the folks over at the Scott Air Force Base,
more regionally based participation from all over the place. That was called Hack the Arch.
We have a scholarly journal called Military
Cyber Affairs with very legitimate processes and editorial staff in place with representatives from
all these different institutions of higher learning across the defense community, such as
the Naval Postgraduate School, Army War College, Air Force Institute of Technology.
We also have a magazine called Cyber, which is a more accessible and kind of fresh opportunity for folks from across the community to publish in and to be kept up to speed on what's going on out there.
The organization also encourages participation with K-12 STEM programs.
At the local chapter level, the chapter leadership is empowered and encouraged to get out there, enter the local community, and find existing opportunities for our members to volunteer in.
So a great example of that is the Cyber Patriot cyber defense competition, which is actually run by our partners over at the Air Force Association.
And they are a very well-oiled machine that also has a military aspect to it.
And we have partnered with them and encourage our members to go plug in
and easily volunteer their technical skills in mostly middle school and high schools with that particular program.
More recently, I was approached by the Smithsonian Institution here in the D.C. area
about having some of our members partner up with their new innovation center called the Spark Lab
and try to bring in some K-12 community members from
across the region and act as a mentoring or coach type of role for those kids who were
interested in the STEM fields, particularly IT or computer sciences. Mentorship is an important
part of their educational mission, and for that, military veterans are an essential asset.
With a lot of veterans, whether they got out after serving their first tour of duty or if
they retired after decades of service, of uniformed service, they have a lot of great
real-world experience that they can impart to the next generation. And so another aspect of what we do is purposefully doing
matchmaking between mentors and mentees. Our mission is very much focused on developing
this particular community within the military because we have a huge need to develop this
community. And the other aspect of that, of our mission with the K-12 education or outreach
activities with the K-12, because that's really how we're going to get our nation right long term,
whether you're talking about security-wise or economic-wise as well. The national priority
really that we're focusing on right now is that military cyber community.
Joseph Billingsley is a major in the United States Army,
but he spoke to us in his capacity as the founder of the Military Cyber Professionals Association.
Finally, sports fans and health care professionals will be interested in the continuing story of a stolen laptop.
The device was used by a Washington Redskins trainer,
was apparently unencrypted, and was stolen from a car last month.
It contained medical information on not only current and former players,
but on any player who attended the National Football League's scouting combine
from 2004 to 2016.
The Cyber Wire heard from several experts who weighed in on the breach and its implications.
Lastline's CTO and co-founder Giovanni Vigna noted that data at rest are notoriously vulnerable when they're unencrypted.
The Redskins said in a statement reported by ESPN that no HIPAA-sensitive information was compromised.
We confess it's difficult to imagine how they might be sure of this, but note that the team was clearly aware that HIPAA might be a problem.
Michael McGrath, current chairman of the HIMSS Identity Management Task Force
and director of healthcare business at Vasco Data Security,
told the Cyber Wire that "this is a clear example that healthcare breaches are not isolated to healthcare organizations.
They apply to employers, including the National Football League."
He suggested teams might protect their medical information
with the same diligence they apply to their playbooks.
He also noted that laptop thefts remain depressingly common,
yet organizations continue to overlook their encryption.
Ballybit's Matthew Ravdin sees the incident as a violation of trust,
whether or not it involved
HIPAA violations as well, and would go so far as to suggest not storing any sensitive
data on a mobile device.
Well, in any case, team, here's our halftime speech for the weekend.
When it comes to encryption and multi-factor authentication, don't punt.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.