CyberWire Daily - Dark Web trading post compromised. Ransomware updates. Reactions to Risk Based Security's 2016 breach report. International cyber conflict notes, and a treason case in Russia.

Episode Date: January 26, 2017

In today's podcast, Dark Web trading post AlphaBay looks buggy, and leaky. Some not-so-bad news on ransomware (and bravo to those Gateway City librarians). Risk Based Security's 2016 breach report says the USA is number one (but not in a good way). Sweden's armed forces recover from a cyberattack by unnamed parties. Saudi Arabia remains on high-alert for fresh infestations of Shamoon. Dan Larson from CrowdStrike weighs in on ransomware evolution. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security highlights a Dept. of Commerce report on the IoT. And the Russian treason case may be closer to what would look like a corruption case under Western eyes.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 AlphaBay looks buggy. Some not-so-bad news on ransomware, and bravo to those Gateway City librarians. Risk Based Security's 2016 breach report says the USA is number one, but not in a good way.
Starting point is 00:02:10 Sweden's armed forces recover from a cyber attack by unnamed parties. Saudi Arabia remains on high alert for fresh infestations of Shamoon. And that Russian treason case may be closer to what would look like a corruption case. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, January 26, 2016. Bugs in AlphaBay, the big dark web trading post, as ZDNet calls it, have permitted a hacker, gray, white, or black hat, take your pick, but the smart money seems to be on dark gray,
Starting point is 00:02:52 to obtain and leak more than 200,000 messages exchanged on the site. It's worth noting again with our partners at Terbium Labs that not all dark web activity is necessarily nefarious, so don't rush to judgment. But it is nonetheless the case that a lot of dodgy stuff can and does get swapped at these trading posts. It's not all beads and other trade goods. The ransomware news today is mostly good, or at least not so bad. A new strain of Verlocker, an easily spread but also easily defeated ransomware variant, is out in the wild. Both Sophos and ESET have provided decryption tools for earlier versions, but this latest addition is even more easily thwarted than that, according to Malwarebytes
Starting point is 00:03:30 researchers. Enter any 64 characters into the lock screen's text box, click pay fine, and Verlocker, touchingly, naively even, believes it's been paid. So the criminal coding skills seem to be declining, at least in this instance. Nonetheless, Verlocker is no laughing matter. It spreads very aggressively from device to device. Amid reports that many victims of cyber extortion continue to pay up, there's a positive role model and a gratifying success story to be found
Starting point is 00:04:00 in the St. Louis, Missouri library system. They've successfully recovered from their own ransomware incident because they had an effective file backup program in place. Their systems have been restored and are reported to be back in business as usual, and they didn't send a dime the crook's way. One thing most security researchers agree on is that ransomware is here, and it's here to stay. Dan Larson is technical director at CrowdStrike, and we checked in with him for his take on what's to come.
Starting point is 00:04:30 I think it's really expanding breadth. So we already have some evidence. We saw in the month of January already that instead of just going after a regular old end-us they're now targeting servers on the internet they started with servers hosting MongoDB the reports look like about 25 percent of every single MongoDB server out there got hit with some ransomware a couple weeks ago and they're taking that model and bringing it to to more kind of infrastructure parts of the internet, like Elasticsearch servers and even Apache Hadoop servers. So basically, it's going from attacking data on an individual's computer, from the assumption that the individual will pay ransom for that, to attacking other places where there's valuable
Starting point is 00:05:21 information. And one of those places is obviously databases. And are we seeing what you would categorize as any sort of meaningful response from law enforcement? Yeah, actually, there have been a number of, you know, useful collaborations between cybersecurity firms and law enforcement to do things like take down the infrastructure, right? A lot of the ransomware relies on asymmetric encryption, so it needs to reach out to a command and control environment. And we've seen, you know, a handful of law enforcement initiatives to take down that infrastructure.
Starting point is 00:06:00 We've also seen some collaborations. There's one out of the Netherlands. We've also seen some collaborations. There's one out of the Netherlands. It's just called Stop Ransomware and has Europol and a number of other private security companies that are providing a centralized place for decryptors and things like that. So they're doing what they can, but from an attacker's perspective, encryption is kind of a beautiful thing, right? If you implement it correctly, it's very difficult to undo and recover. And where do you suppose we are in this arms race? Are the good guys making progress or are we still playing a game of catch up? I think there's a lot of catch up still being done. For example, I saw a report that said 49%, so almost half of all small businesses
Starting point is 00:06:46 were impacted by a ransomware attack. And one in five small businesses that were impacted ended up going out of business, you know, a few months later. So I think that, you know, in general, there's a level of vigilance that just kind of isn't there. There's a lot of people who think, you know, I have antivirus and, you know, that should protect me. But, you know, that's outdated thinking. We need to step up our game and get a lot more serious about how we defend our systems. That's Dan Larson from CrowdStrike. Risk-based security yesterday issued its 2016 breach report, and the U.S. is number one. In this case, unfortunately, that's nothing to take satisfaction in.
Starting point is 00:07:31 Still less wave a big foam finger to rhythmic chants of USA, USA. America is number one in the incidence of data breaches. In part, that's because the U.S. creates, stores, and uses an awful lot of data. But still, there are clearly security issues here. Almost half the data exposed in breaches comes from the U.S., according to Risk-Based Security. The Cyber Wire heard from a lot of industry experts eager to weigh in on this sorry state of affairs. John Gunn from Vasco Data Security sees three factors driving these results. First, he says, a massive number of the
Starting point is 00:08:05 hackers that attack U.S. targets are based in Russia and coordinate attacks on the U.S. with involvement of the state, while the U.S. does not do the same. Second, there's a lot of valuable data in the U.S., so the country is targeted on the Willie Sutton-esque grounds that that's where the money is. And finally, he thinks breaches in some other countries, and he's looking at you, Russia, are probably significantly underreported. Willie Leichter of CypherCloud warns other countries not to get cocky, kid. That the U.S. leads the world in data breaches is unsurprising,
Starting point is 00:08:40 but the disparity between it and the rest of the world should be a wake-up call and not a source of complacency. So the U.S. presents a large attack surface. If you consider regions as opposed to individual countries, however, there may be less to the ranking than meets the eye. Brian Lang at Lastline thinks so. Quote, We analyze millions of potentially malicious files every day for our clients in the U.S. and throughout the EU. We believe that the difference noted in the data can be attributed to the attack clients in the U.S. and throughout the EU. We believe that the difference noted in the data can be attributed to the attack surface
Starting point is 00:09:07 in the U.S. as opposed to individual countries. The U.S. is simply a much larger market with highly centralized aggregations of data. But when taken as a whole, the volume of attacks in the EU and in the U.S. are nearly even." Balabit's Daniel Bagot sees a problem in over-concentration of security researches on perimeter defenses, as opposed to detection of malicious activity inside networks, especially in the form of abuse of privileged accounts. New Data Security's Robert Capps finds the report dismaying, but not surprising. He said, quote,
Starting point is 00:09:43 What is frustrating about seeing these U.S. numbers is that the data these criminals are going after is most often private user data that's being sold and used for identity fraud, among other types of cybercrime. It's no accident that breaches are up, and so is identity fraud. End quote. He thinks work on strong behavioral analytics and passive biometrics offer the prospect of some technological amelioration of the breach problem. Turning to international cyber conflict, we hear that Sweden's armed forces have disclosed that they've sustained a cyber attack from an unnamed source.
Starting point is 00:10:17 The incident required the services to shut down their Caxus IT system. Recovery is in process. their Caxus IT system. Recovery is in process. Saudi Arabia remains on high alert for further infestations of system-killing Shamoon 2 malware. The infection is thought to be carried for the most part by malicious emails. Symantec has been tracking Shamoon's possible connection to the Greenbug cyber espionage group. We close with a quick update on the case of Ruslan Stoyanov, the hacker-hunter arrested earlier this week by Russian authorities on charges of treason. As we noted yesterday, it seems unlikely that Stoyanov's employer, Kaspersky Lab, is involved, since the alleged crimes are said to have occurred before he entered Kaspersky's employ, and while he was working for Russia's Interior Ministry. The treason statute
Starting point is 00:11:06 he's been charged under permits secret trials, so it may be sometime, if ever, that details become public. But most observers think it likely that the alleged offenses are more along the lines of corruption than, say, espionage. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:11:42 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:13 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:03 In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:13:37 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Marcus Roshecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security.
Starting point is 00:14:19 Marcus, I saw recently that the Department of Commerce came out with a report. It's called Fostering the Advancement of the Internet of Things. It's something that certainly caught our eye. Take us through, you know, what's the process for these kinds of reports? How do they come to be and what are they hoping to achieve with them? Yeah, so I think we all have now recognized that the Internet of Things really is the next big thing in cybersecurity law and policy. Internet of Things really is the next big thing in cybersecurity law and policy. Everyone's trying to wrap their heads around how we as a society are going to tackle this issue.
Starting point is 00:14:55 We are seeing through the connectivity of all these new devices, certainly great promise for individuals and organizations, lots of opportunities there to improve our lives. But also with all that comes a great deal of vulnerability. I think what the Department of Commerce is trying to do here with this report is highlight some of the benefits of Internet of Things devices, but also highlight some of the concerns that are out there. And, you know, certainly the department itself has its views, but they really wanted to get some input from the general public as well. So these reports, as is the case with many other types of reports that come out in the federal government, are open to public comment for a period of time.
Starting point is 00:15:34 So interested stakeholders can provide comments to the government agency, and then the government agency will consider those comments and move forward based on those comments. So I think that's what we're seeing here. And I think it's probably a very good way forward when we're talking about such a complex issue as Internet of Things. And so once they've gathered up the comments, is it then a process of commerce then going to lawmakers themselves and making recommendations for legislation? That could be. But really, I mean, all these comments are there are public comments. So everyone, anyone can review them. Hopefully these comments shed some light on some of those important issues when it comes to,
Starting point is 00:16:17 in this case, Internet of Things. How do we promote industry, but also ensure security? So all of that is going to be taken into consideration. And based on what the comments are, I think a strategy is going to be set forth in terms of how to proceed. Marcus Roshecker, thanks for joining us. The name of that Department of Commerce report is Fostering the Advancement of the Internet of Things, and it's easy to find online. If you have a question for any of our academic or research partners, feel free to send us your questions at questions at thecyberwire.com. We'd love to hear from you. And now, a message from Black Cloak.
Starting point is 00:16:58 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:18:01 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
