CyberWire Daily - DDoS and BEC risks rising. Ukraine says it stopped Russian cyber campaign. EU looks to stopping disinformation. NRCC email compromise. Facebook emails released by Parliament.
Episode Date: December 5, 2018

In today's podcast, we hear that CoAP-based DDoS attacks are on the rise. A Nigerian gang has done some industrial-scale work on business email compromise. Ukraine says it stopped a major Russian cyber attack. The EU looks toward its May elections and determines to do something about disinformation. The US National Republican Congressional Committee sustains an email compromise. Attribution of a phishing expedition to Cozy Bear grows dubious. And Westminster doxes Facebook. Joe Carrigan from JHU ISI explains the National Centers for Academic Excellence. Carole Theriault interviews SANS' James Lyne, who explains the Cyber Discovery program, which aims to bolster the security workforce. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CoAP-based DDoS attacks are on the rise.
A Nigerian gang has done some industrial-scale work on business email compromise.
Ukraine says it stopped a major Russian cyber attack.
The EU looks toward its May elections and determines to do something about disinformation.
The U.S. National Republican Congressional Committee sustains an email compromise.
Attribution of a phishing expedition to Cozy Bear grows dubious.
And Westminster doxes Facebook.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 5th, 2018.
There's an emerging distributed denial of service risk reported. RFC 7252, the lightweight IoT protocol also known as CoAP, the Constrained Application Protocol, is being exploited in the wild. Some of the DDoS incidents are coming in as high as 32 gigabits per second, researchers tell ZDNet. CoAP is relatively new, introduced only in 2014, and it's designed to serve in the memory and computation resource-poor world of IoT devices. It's also vulnerable to packet amplification and IP spoofing. While CoAP's designers added security features to mitigate those risks, implementing those features bulks up the protocol significantly, reducing its attractiveness to IoT users. Expect more DDoS attacks to abuse CoAP devices.
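The amplification point in the segment above comes down to two properties of RFC 7252: CoAP rides on UDP with no handshake, so the source address of a request is never verified, and a few-byte discovery GET for /.well-known/core can elicit a reply hundreds of bytes long. The following is an added example, not code from the podcast or from the researchers it cites: a parser for the RFC 7252 message format (header, token, delta-encoded options with the 13/14 extension rules, payload marker) and a ratio check a detection engineer could run over captured UDP/5683 request and response payloads. The request and response bytes are constructed for illustration (a 21-byte discovery GET and a link-format reply listing twelve made-up resources); the 10x threshold is an assumption.

```python
"""CoAP (RFC 7252) message parser and a request/response amplification check.

Added example for this transcript, not code from the podcast or from the
researchers it cites. The request and response bytes below are constructed:
a 21-byte resource-discovery GET for /.well-known/core, and a link-format
reply listing twelve made-up resources. The 10x threshold is an assumption.
"""
import struct
from dataclasses import dataclass, field

COAP_PORT = 5683                       # default CoAP UDP port (RFC 7252 s.6.1)
TYPE_NAMES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}
URI_PATH, CONTENT_FORMAT = 11, 12      # option numbers (RFC 7252 s.5.10)


@dataclass
class CoapMessage:
    version: int
    mtype: str
    code: str                          # "c.dd", e.g. "0.01" GET, "2.05" Content
    message_id: int
    token: bytes
    options: list = field(default_factory=list)   # (option number, raw value)
    payload: bytes = b""


def _read_extended(nibble, data, pos):
    """Decode the 13/14/15 extension rule shared by option delta and length."""
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    if nibble == 15:
        raise ValueError("nibble 15 is reserved outside the 0xFF payload marker")
    return nibble, pos


def parse_coap(data: bytes) -> CoapMessage:
    """Parse one CoAP datagram; raises ValueError on any malformed field."""
    if len(data) < 4:
        raise ValueError("truncated CoAP header")
    first, code, mid = struct.unpack_from("!BBH", data, 0)
    version, mtype, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1:
        raise ValueError(f"unsupported CoAP version {version}")
    if tkl > 8:
        raise ValueError("token lengths 9..15 are reserved")
    pos = 4
    token = data[pos:pos + tkl]
    if len(token) != tkl:
        raise ValueError("truncated token")
    pos += tkl
    options, number = [], 0
    while pos < len(data):
        byte = data[pos]
        pos += 1
        if byte == 0xFF:                       # payload marker
            if pos >= len(data):
                raise ValueError("payload marker followed by no payload")
            break
        delta, pos = _read_extended(byte >> 4, data, pos)   # extended delta precedes extended length
        length, pos = _read_extended(byte & 0xF, data, pos)
        number += delta                        # option numbers are delta-encoded
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        pos += length
        options.append((number, value))
    return CoapMessage(version, TYPE_NAMES[mtype], f"{code >> 5}.{code & 0x1F:02d}",
                       mid, token, options, data[pos:])


def uri_path(msg: CoapMessage) -> str:
    return "/" + "/".join(v.decode("utf-8", "replace") for n, v in msg.options if n == URI_PATH)


def amplification_factor(request: bytes, response: bytes) -> float:
    return len(response) / len(request)


def looks_like_reflector_abuse(request: bytes, response: bytes, threshold: float = 10.0) -> bool:
    """Flag a UDP/5683 exchange that a spoofed-source attacker could reflect.

    CoAP rides on UDP with no handshake, so any GET whose reply is much larger
    than itself is a usable amplifier; discovery GETs are the classic case.
    """
    req, resp = parse_coap(request), parse_coap(response)
    return (req.code == "0.01"                          # GET
            and resp.code.startswith("2.")              # success response carrying data
            and amplification_factor(request, response) >= threshold)


# Constructed sample exchange (not captured traffic).
REQUEST = (bytes([0x50, 0x01, 0x12, 0x34])      # ver 1, NON, TKL 0, code 0.01 GET, MID 0x1234
           + bytes([0xBB]) + b".well-known"     # Uri-Path, delta 11, length 11
           + bytes([0x04]) + b"core")           # Uri-Path, delta 0, length 4

LINK_FORMAT = ",".join(
    f'</sensors/{i}>;rt="temperature-c";if="sensor";ct=0' for i in range(12)).encode()
RESPONSE = (bytes([0x50, 0x45, 0x12, 0x34])     # ver 1, NON, TKL 0, code 2.05 Content
            + bytes([0xC1, 0x28])               # Content-Format (12) = 40, application/link-format
            + bytes([0xFF]) + LINK_FORMAT)      # payload marker, then the resource listing


if __name__ == "__main__":
    req = parse_coap(REQUEST)
    print(f"{req.mtype} {req.code} {uri_path(req)} ({len(REQUEST)} bytes)")
    print(f"reply {len(RESPONSE)} bytes, x{amplification_factor(REQUEST, RESPONSE):.1f}")
    print("reflector abuse candidate:", looks_like_reflector_abuse(REQUEST, RESPONSE))
```

The parser handles only the plaintext NoSec binding on UDP/5683; the "security features" the segment refers to are the DTLS binding (coaps, UDP/5684) that RFC 7252 section 9 defines, which is what adds the code and handshake overhead on constrained devices. On a sensor network, pairing the ratio check with a count of discovery GETs per source address over a short window is what separates an inventory scan from a reflection run.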
There's been a rise in business email compromise attacks being carried out by a Nigerian gang that security firm Agari calls London Blue. London Blue, which is thought to have cells in both the UK and the US, has done its homework and compiled a list of some 50,000 executives whose emails they're spoofing to induce the unwary to wire company funds to accounts the criminals control. London Blue's research is both detailed and large-scale. Businesses should emphasize to their employees the policies they have in place for stopping business email compromise, like reminding everyone that no executive will ever direct them by email to transfer funds. And if your business doesn't have that kind of policy and training in place, for heaven's sake, get to work on them soon.
Governments around the world are recognizing the ongoing need to train the next generation of cybersecurity professionals.
CyberWire UK correspondent Carole Theriault did some digging to see what kind of efforts are taking place on her side of the pond.
So there's this weird catch-22 out there when it comes to working in cybersecurity. On one side, we're seeing a huge growth in people interested in working in the field. And no surprise. I mean, think about it. Despite us being in the nascent days of digital connectivity, we've already seen frightening attacks on systems, data and privacy. I mean, it doesn't take a rocket scientist to see that this industry is a hot one. And it's going to be for some time to come. But still, the cyber industry says it's desperate and can't find the right talent. And governments are worried too, pouring money into cyber. The US President's budget includes $15 billion for cyber-related activities for next year. That's up 4% over this year. And the UK government is pouring £1.9 billion in to help tomorrow's cyber workforce.
Now, the SANS Institute, a UK-based IT security training company, has been selected to provide the government-backed Cyber Discovery Program. That's a £20 million, or roughly $25 million, effort designed to teach students about things like cryptography, digital forensics and web attacks. I got a chance to speak with James Lyne from the SANS Institute to find out more about the program.
Thank you for coming to the Cyber Wire, James. I know you're a busy man, so thanks for making
the time.
Absolute pleasure to be here. Thanks for having me.
Now tell me, why is the UK government worried about the future of cybersecurity?
You know, security is kind of rapidly becoming a supporting pillar of pretty much everything we do in our lives, right?
Anywhere we're using technology, in our homes, in the workplace, security is really a key concern.
And most nations across the planet have also recognised that there's a distinct shortage of people with
the right skills to help keep us safe. So this is an initiative to identify and expand that next
generation of security practitioners that will help us secure everything from Internet of Things
devices to future banking or even military. But I keep hearing from graduates saying,
look, I've gone to school, I studied IT security at
college or university, and I'm not getting into the industry. No one wants to hire me.
Where's the disconnect here?
Starting kind of at the top end of the funnel there, people that have maybe done some study,
have some existing skills. There's a real challenge where lots of industry organizations
are looking for people with five years experience
with proven skills as practitioners. And in many cases, people coming out of traditional
academic study routes don't have that kind of level of experience required to get into
those roles. So there's a shortage of internships or apprenticeships to make people be able
to pivot. Even with that group of people that are trying to make it through
to those roles, there's still kind of a collapsing of cybersecurity down to a single profession.
It's seen as this one thing when there's a huge plethora of different types of roles,
which needs lots of people with diverse skills, different interests, which often doesn't get
reflected in the recruitment processes of many organizations.
So how is SANS stepping up to kind of bridge this gap?
Yeah, it is a fascinating experiment that started kind of four or five years ago. I remember sitting in a local cafe writing some of the first lines of code for this, and thankfully it's been taken over by far more competent developers now than me. So we took each of the major disciplines, forensics, binary exploitation, reverse engineering, penetration testing, and worked backwards, abductively, to the skills and problem solving that you would need to be effective. And then we wrapped it in a game with narrative, where people go and work for the cyber protection agency, leveling up their skills, solving these kind of fun challenges.
So this program at the moment is for people in the UK, for 14 to 18 year olds, although there's also the ability to be a club leader. So if you're a teacher, maybe a parent, or you want to be a volunteer, you can lead a set of young adults through the challenges in a club and help inspire them with that passion that's much needed for this next generation of security practitioners. That being said, we are looking at running programs elsewhere. We'll be expanding over the next couple of years to other countries. We're looking for opportunities to do that. And based on how the inaugural year of Cyber Discovery has gone so far, we can see it's going to make a huge difference to the level of talent that's out there.
My fingers and toes are crossed. If you or someone you know are between the ages of 14 and 18, based in the UK, and want to learn more about the SANS free cyber training program, check out joincyberdiscovery.com. James, thanks so much for joining us today.
This was Carole Theriault for the CyberWire.
Ukraine's SBU security service says it detected and stopped a massive Russian attempt to compromise
judicial targets. The attack vectors were malicious accounting documents distributed
as attachments to phishing emails. The SBU says they traced the malware's command and
control infrastructure to Russian IP addresses. The SBU speculates that the campaign's intention
was both espionage and the disruption of judicial services. The report comes at a time of heightened
tension in Russia's hybrid war against Ukraine,
most recently Russia's engagement with and capture of Ukrainian naval vessels
in the formerly binational but now disputed Sea of Azov. It's perhaps noteworthy that NotPetya,
which started its worldwide romp in Ukraine, was spread through compromised accounting software widely used for tax preparation in that country.
The EU continues to push big tech on election security,
especially as elections for the European Parliament, scheduled for May, approach.
Their principal concern is disinformation,
and the announcement of the EU's action plan explicitly names Russia as the principal concern,
now and going forward.
The announcement outlines four areas in which the Union intends to take action.
First, they commit themselves to improve detection with strategic communication task forces
and the EU hybrid fusion cell taking the lead.
The responsible agency, the European External Action Service, will see its
strategic communication budget double with a view to more effectively addressing disinformation.
Second, the EU will establish a dedicated rapid alert system to facilitate data and assessment
sharing. Rapid alerts are expected to serve the goal of coordinated response. Third, and this one will be of most significance to industry,
the EU will effectively implement the commitments made under the Code of Practice.
These involve first a requirement of transparency and authenticity.
Bots and people who are not what they claim to be
are to be expelled from the platforms they use.
And second, there will be an expanded rumor control effort
that will draw upon fact-checkers and academic researchers
who will monitor the Internet for disinformation
and post responses in a more visible way.
Finally, there will be a coordinated effort
to promote media literacy among EU citizens.
In the US, as initially reported by Politico,
the National Republican Congressional Committee, the NRCC, reports that emails of four senior staffers were compromised.
The NRCC was responsible for coordinating the recently concluded midterm campaigns.
They discovered the compromise in April, and security firm CrowdStrike, already on retainer to the NRCC, conducted the internal investigation. The case has now been referred to the FBI, who is investigating. There's no
attribution yet, nor has stolen data surfaced anywhere so far. As Wired reports, the breach,
while serious, was more limited than those the Democratic National Committee sustained
during the 2016 election cycle.
There seems to have been no malware installed in NRCC systems,
and the attack seems to have been accomplished by using compromised credentials to gain access to emails in a cloud service.
The responsible party is widely assumed to be Russia,
and this is being taken as an instance of what Defense Secretary Mattis last week
called Moscow's ongoing efforts to muck with U.S. elections. It's important to note that such attribution
at this stage rests, publicly at any rate, on a priori plausibility.
While elections receive the most media attention, practically the lion's share,
the Center for Strategic and International Studies warns of Russian influence operations aimed at undermining trust in the U.S. judicial system. The think tank has
an ongoing project monitoring such activities, and they report that here, as elsewhere, the
adversary's goal is to weaken civil society and trust in institutions. This objective can be
expected to be pursued opportunistically, without any
particular ideological commitment or consistency. For all the stick Moscow is receiving in the West
this week, it's worth noting that not all the news today necessarily reflects badly on the Russian
government. The recent phishing campaign against the U.S. State Department and various think tanks that FireEye and CrowdStrike
tentatively attributed in mid-November to APT-29, that's Cozy Bear, a unit of Russia's SVU or FSB,
now looks less clearly the work of the Russian operators. Research by Microsoft, whose office
suite was the conduit for the phishing, and which is in a position to have access to considerable
data concerning the incidents, concludes there's in a position to have access to considerable data concerning the
incidents, concludes there's not enough evidence to warrant that conclusion. Redman tracks a threat
group, ITRIUM, whose activities overlap those of APT 29, and the verdict on ITRIUM and so on APT 29
should now probably be, well, not quite not guilty, but probably not proved.
And finally, as hoped or feared, depending on one's preferences or allegiances,
Westminster has released the internal Facebook emails the UK's parliament strong-armed out of a third-party litigant.
The high-level emails outline various ways Facebook considered monetizing users' data.
Motherboard and other outlets consider the emails damaging to Facebook,
but they do seem to show mostly that Facebook actively considered the revenue opportunities that might be found in their users' information.
But at this point, few will be surprised that the itch to monetize data
is the temptation of the 21st century.
...me all about the National Centers of Academic Excellence. What's going on with this organization?
So this is not really an organization, but it's kind of a program run by two organizations in
the government, the National Security Administration, the NSA, and the Department of Homeland Security.
And they jointly sponsor the CAE project. And what this is, it's a way of recognizing schools
who have good cybersecurity programs.
And Johns Hopkins University Information Security Institute is a CAE center of excellence.
Okay.
The way this works is you have to apply to the program and have your curriculum evaluated,
your facilities evaluated, and the community is very involved in this.
In fact, I'm involved in the application review process.
And it's a great way to make sure that, number one,
as an academic institution, you're training people in what is necessary for cybersecurity.
Right.
Because we use these tools for evaluation that map directly to the NICE framework. Now,
I talked previously here about going to the NICE conference, the National Initiative for Cybersecurity Education has a conference every year. And they also produce
the NICE framework, which tells you the job roles and the things those people need to fill.
It's a great resource from the National Institute of Standards and Technology on how a cybersecurity
organization should be laid out,
depending on what you need to protect.
So this Centers for Academic Excellence process maps directly to that
so that you know that you're meeting the needs that are out there in the marketplace right now.
So what's in it for the academic institution, other than this sort of vetting?
Does it give you access to anything?
Does it make it easier for you to place students in some of these government institutions?
It does make it easier to place students in government institutions, absolutely.
I know that there's a number of institutions.
I know that Capital Technology University has a great relationship with the NSA,
and they're also a center of academic excellence.
You're denoting yourself as someone who's meeting current needs and that your students are going to have a much better opportunity for employment when they get out.
So it's something, if I'm a student shopping around for where I might want to study cybersecurity.
Right.
So if you see that the college you're applying to is designated as a CAE institution, then
I would consider that more than one that wasn't.
Not to say that if it doesn't, it's a bad program.
That's not what I'm saying.
What I'm saying is that the program that is a CAE designation is meeting certain criteria
for current requirements.
Now, is this just four-year universities?
Can community colleges take part of this as well?
At community college, there's a two-year designation, there's a four-year designation, and then there's a research designation as well. So it can also be applied to master's programs like ours at the Information Security Institute.
Right.
And PhD programs as well.
All right. All right. Well, thanks for the update there, Joe Carrigan. Thanks for joining us.
My pleasure, Dave.
...and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.