CyberWire Daily - Daily & Week in Review: Ransomware, state actors, the current state of the crypto wars.
Episode Date: April 1, 2016
In this podcast, we look back at a week of ransomware. The FBI succeeds in unlocking the San Bernardino jihadist's iPhone without Apple's help (and Apple, like the rest of us, would very much like to know why). Policymakers consider their alternatives in cyber conflict, and they run from lawfare to warfare. Tay's briefly let out of her room, but quickly sent back (and that's no April Fooling). Plus Backchannel's Steven Levy on repeating the cryptowars, and Ben Yelin on the challenges of establishing legal standing against the NSA.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
As MedStar recovers, experts consider the consequences of ransomware
and lessons from some recent infestations.
Cyber conflicts between nations prompt considerations of both warfare and lawfare.
We hear from experts in privacy law and the history of crypto wars.
And yet again, Microsoft's chatbot Tay has been bad.
I'm Dave Bittner in Dallas with your Cyber Wire summary and weekend review for Friday, April 1, 2016.
MedStar, a health care system whose operations are centered on Baltimore and Washington,
continues its recovery from the attack it sustained over last weekend. The health care provider sustained a ransomware attack at the beginning of the week that locked personnel out of electronic health records and
other systems. By midweek, the hospital system was able to restore care provider access to EHRs
and related systems, but complete remediation remains an ongoing process. The particular
strain of ransomware involved is said to be SamSam, also known as Samas and MSIL.
Documents obtained by the Baltimore Sun indicate that the hackers demanded $18,100, payable in Bitcoin, for complete decryption of all affected files.
Lesser amounts would buy, the ransom demand said, lesser levels of recovery.
The amount is noteworthy. Hollywood Presbyterian,
the last high-profile hospital victimized by ransomware, paid $17,000 to obtain decryption
of its files from the attackers. So apparently this is how the criminal market is currently being set.
SamSam is one of several ransomware variants in circulation. Others include Petya, which encrypts a victim's machine's master boot record
with a fake check disk prompt,
and the related CryptoLocker, TeslaCrypt, and Locky strains.
Much criminal effort seems devoted to making ransomware
more evasive and difficult to detect.
Tim Erlin, director of IT security and risk strategy for Tripwire,
offered these observations on the trend.
Quote, ransomware authors are always trying to evolve to avoid detection,
and using built-in Windows capabilities makes the malicious activity less noticeable.
This ransomware may change its encryption technique,
but it still requires an entry point onto the system.
Malicious word files sent through emails,
and the use of Microsoft
Office macros is a very old vector for this new malware, end quote. PowerWare, another recently
discovered ransomware variety, this one featuring fileless infections, has also been observed in
healthcare networks, but it's also turned up in a new series of crimes, those keyed to U.S. income
tax season. Cybercriminals are reported to
have begun using PowerWare against records taxpayers need in order to file. As always,
the best insurance against ransomware's more devastating effects remains regular, secure,
offline backup of important files. Sound digital hygiene, server hardening, and intelligent
application of security products can help prevent ransomware infections. In particular, attention to patching can blunt, as Recorded
Future puts it, many ransomware attacks. But since well-resourced enterprises continue to
fall victim to ransomware attacks, it's worth recalling that the criminals also adapt and
aren't without their own resources. Craig Young, a Tripwire computer security
researcher, commented, No protections against ransomware will ever be 100% effective at
preventing an infection. The best defense is and always will be a comprehensive offline backup
strategy and a proper disaster recovery plan. While AV tools can look for crypto API calls
or patterns related to implementing crypto algorithms,
this is a cat-and-mouse game where attackers generally have the upper hand.
So, not impossible, but there's no easy solution either.
Among the well-resourced enterprises that have been affected by ransomware are,
according to the U.S. Department of Homeland Security, some two dozen U.S. federal agencies since last July alone.
It's not yet known who was responsible for the attack on MedStar,
but linguistic evidence in the extortion communications
suggests a range of usual suspects,
criminal gangs operating probably from Eastern Europe.
Michael Daly, CTO of Raytheon Intelligence, Information and Services,
commented on the appropriate response to such attacks if indeed they come from overseas.
In the last two years, he said,
we have seen an increased use of international legal frameworks
that hold individuals and their countries responsible for crimes like the one against MedStar Health
by engaging law enforcement in the source countries and charging those responsible.
The U.S. law enforcement community has taken admirable action recently
with charges being brought against individuals in Iran and Canada.
The hackers in this case should take note.
Daly's comments might prompt some reflection on international cyber conflicts,
their prevention, management, and resolution.
Since the cyber domain now constitutes a central theater for conflict between states,
various governments are working on cyber capabilities
as they seek to evolve a deterrence regime.
This is going to be a different problem than that involved with nuclear deterrence during the Cold War.
Attribution is difficult.
A missile launch or an inbound flight of bombers are, relatively speaking at least,
much less ambiguous events than cyber attacks, which offer all sorts of opportunities for false flags, deniable operations, and so on.
And as we've had occasion to point out before, the little-discussed cyber Tonkin Gulf incident is at least as likely as the much-discussed cyber Pearl Harbor.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, we have programs like the
detailed records program, and there are people who lean towards being civil libertarians,
and they'd like to see these programs overturned,
but it's not so easy.
What are some of the barriers keeping them from doing that?
So I think the biggest barrier is this legal concept of standing.
Standing, just in its most basic form,
means that in order for a person to sue someone,
they have to have some stake in the
outcome, right? So if I see you trip on the street and you wanted to sue the government,
I couldn't sue the government because it didn't happen to me. I didn't suffer some sort of injury.
In the context of these programs, it's very hard to prove that you yourself were the target of a
search. For one, the programs are very secretive, so it's very unlikely
that you would find out if you were being searched. And two, there's just a whole universe of data.
It's very hard to pinpoint exactly which data the NSA is using for their ongoing investigations.
And without knowing that you yourself have been the target of a search,
it's very hard to argue that you have standing in a court of law. So I think
there are ways of getting around that. There's a case, Clapper v. Amnesty International,
which was a very bad case for civil libertarians that basically ruled that
it was too attenuated to claim that you have standing just because
your information may have been collected by the federal government.
So how are they being challenged then?
So the challenges are usually brought by civil liberties groups who express some sort of
general interest or people who think that they can claim with some amount of certainty
that their communications have been searched themselves.
So, for example, one of the major call details cases, a gentleman by the name of Larry Klayman was a Verizon subscriber,
and the government, as part of the Snowden leak, seemed to admit that all Verizon subscribers had their information collected as part of the bulk
data collection program. The government argued that, well, we're collecting all that information,
but it's not necessarily all being searched. But the court in that case found that even though
it wasn't being searched, to do some sort of query, some sort of online query, you necessarily
have to search through everybody's information. So if
you have a million phone numbers and you're searching for one, you have to search through
that entire list. So in that case, Mr. Klayman, who was a Verizon subscriber, was able to convince
the court that he did have some sort of legal standing. The government has sort of tried to
push back against that by making a claim that has since been put into
question that not all phone records are actually being collected. I think it was a couple of years
ago, they leaked to the Washington Post that only 30% of calls are actually being collected.
And I think the reason they made that leak was to sort of hint that a person can't establish
standing because they don't know if their phone number
was part of that 30% that was being collected. At least the judge in this case that I was referring
to, which was Klayman v. Obama, was not having it, was saying that the NSA was being duplicitous
in making that argument. Ben Yelin, thanks for joining us. Thank you.
The U.S. indicted, as expected, seven Iranian nationals
said to have worked on behalf of Iran's government for various cybercrimes that included the now-famous reconnaissance of the Bowman Street Dam in Rye, New York, as well as a range of attacks on U.S. financial institutions.
There's of course little prospect of bringing the accused to trial, but that's not the only desired outcome.
The U.S. has adopted a name-and-shame policy in its legal actions against agents of foreign governments.
Shaming here may well be metaphorical.
One doubts that anyone operating on behalf of Iran's Revolutionary Guard
would regard a U.S. criminal indictment for patriotic hacking as anything other than a badge of honor.
But an indictment may well give a state hacker pause.
More than one hacker has been nabbed and extradited from a vacation spot.
The dispute between Apple and the FBI over the unlocking of the San Bernardino jihadist iPhone
may have been put on hold for now, but many observers see it as reigniting the crypto wars,
a battle first fought decades ago, back in the 90s. Steven Levy is editor-in-chief of the online
site Backchannel and the author of a number of books,
including Hackers, Heroes of the Computer Revolution,
and Crypto, How the Code Rebels Beat the Government,
Saving Privacy in the Digital Age.
He caught our eye with a recent article in Backchannel titled
Why Are We Fighting the Crypto Wars Again?
I spoke with Steven Levy by phone earlier this week.
I've been really struck by how much this flap between Apple and the U.S. government
has brought up a lot of the tropes and some of the exact language in terms of the arguments
of a battle that I chronicled in the 1990s.
It was known as the crypto war. The whole thing sprang from these discoveries made in the mid-1970s by private researchers.
Before then, pretty much all research about cryptography was either done by the government or if someone did it privately.
The U.S. government had the power to declare it classified.
Researchers couldn't even get access to their own papers when that happened.
They couldn't share them, you know, with their colleagues or, you know,
or even in some cases, even themselves.
The original crypto wars ended with the government acknowledging that code and crypto were a form of speech.
Cryptography was officially legal.
So, you know, the big things that happened after that war reached a stand-down, let's say,
were, of course, 9-11,
which just increased their surveillance state,
but then there was also the Snowden revelations,
which increased awareness of the surveillance state
and unease about it.
Also, there was the explosion of mobile technology.
We have our things with us all the time.
So in a way, we need even more protection.
But was the government really completely comfortable with strong encryption?
While researching an article for Wired magazine,
Levy was invited to visit the NSA.
The NSA has two responsibilities.
One is to capture signals intelligence, as they call it, to capture messages
that might be of value to national security. And the second is to protect the communications of,
you know, like Americans, both governmental and non-governmental. And I felt that they really
didn't do a very good job in the second one. They were concentrating on the offensive side
of the coin, but not so much the defensive side of the coin. They're okay with a certain degree of encryption, but up to the line
where they needed to read it. They said, okay, well, we're fine with this. We're fine to have
it built into every browser and things like that. And probably you can get an indication of what
they were able to break by what they let go by. When considering what was the FBI's case against Apple,
Levy says it's important to remember that encryption is widely available from a variety of sources,
not just the version that comes built into a particular device.
If Apple said, you know, yes, we're able to give the government, you know, the use of the phones there,
that wouldn't solve the problem there.
There's a really interesting transcript which the government somehow made available to people,
showing a couple terrorists talking, or would-be terrorists.
You know, they're people planning terroristic acts.
And they were discussing what communications to use.
And one of them said to the other, you know, let's use the Apple phone,
because that's something the government can't get into there.
And the government was using that as an example of, see, you know, this is why we can't have this.
But actually, it's quite the opposite example.
It shows that people, you know, considering committing horrible acts are taking a look at what is breakable or what is going to be turned over to government and what is not going to be turned over to the U.S. government.
So if the U.S. government had its way with Apple, that conversation would have gone quite differently. They would have said, no, don't use the Apple phone. The government gets access to that. Let's use Tor or some other
system that the government can't get, right? I asked Steven Levy where he thought this latest
round of crypto wars would leave us. There's a pretty good chance that we're going to reach the
same outcome that we did before. The NSA is going to figure out how to get hold of what it really needs to get hold of.
And some law enforcement entities are not going to be too happy because they're not going to be
able to get sort of the massive access to communications that they would have had they
not been encrypted by default there. I think that's what they're talking about. There used to be a
phrase in the 90s that if crypto is outlawed, only criminals will have crypto, right? Meaning
the default things that most of us use won't be safe, but the systems that are harder to use but
readily available around the world will be adopted by criminals and people committing horrible acts.
He added that there are some areas where more encryption, not less, could help make us safer.
You know, there's a big national security argument to be made for stronger default encryption there.
Our national infrastructure is vulnerable.
Dark-side hackers or state actors from overseas, like a break-in to them there.
So we really should be looking about using more
of these encryption technologies, you know, to batten down our infrastructure and other things
rather than leave zero-day exploits unreported so that intelligence agencies and law enforcement
agencies can take advantage of them. Levy says that in the end, encryption is here to stay,
and that means law enforcement will come to rely on other methods of gathering information.
But you can't lock up math. You're not going to get rid of encryption. Ultimately, the government,
in a very practical sense, is going to figure out how to get as much as it can, how to break as much
as it can, and get access to as much as it can.
And there's lots of other ways to get hold of things besides breaking the keys.
And we'll go on.
Steven Levy writes online at backchannel.com.
Although we're here in Dallas for the Women in Cybersecurity Conference,
we'd like to close with a shout-out to this weekend's regional finals
in the Collegiate Cyber Defense Competition.
The Mid-Atlantic rounds are being held today and tomorrow in Baltimore at the Johns Hopkins University.
Good luck and good hunting to the competitors.
And finally, Tay, that potty-mouthed chatbot, made a brief return to social media this week
as Microsoft let the teenage emulator out of her room on an evident promise of good behavior.
But while Tay's language had cleaned up, her behavior hadn't,
as she ruthlessly spammed her followers.
So back to the room, grounded from Twitter indefinitely.
Well, if you build a teenage emulator,
we suppose you should count it a success if the emulator emulates a teenager.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.