CyberWire Daily - DPRK plays offense and defense. PyRoMine and EternalRomance. Russian disinformation on Syrian massacre. Alt-coin heist may be misdirection. Nakasone confirmed at NSA. Webstresser takedown.
Episode Date: April 25, 2018

In today's podcast, we hear that North Korea has gone big with GhostSecret. Meanwhile, Pyongyang's elite tries to cover its online tracks. PyRoMine uses EternalRomance to disable security systems en route to cryptomining. Russia engages in video disinformation about Syrian nerve agent attacks. A complicated alt-coin heist may be misdirection for something bigger. Huawei may be in trouble over Iran sanctions. Apple patches. Europol takes down Webstresser. General Nakasone confirmed as Director NSA and Commander US CyberCom. Daniel Prince from Lancaster University on security in the financial sector. Guest is Joe Cincotta from Thinking Studio on how smart design leads to better security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
North Korea goes big with Ghost Secret.
Meanwhile, Pyongyang's elite tries to cover its online tracks.
PyRoMine uses EternalRomance to disable security systems en route to cryptomining.
A complicated altcoin heist may be misdirection for something bigger.
Huawei may be in trouble over Iran's sanctions.
Apple patches.
Europol takes down Webstresser.
General Nakasone is confirmed as director NSA and Commander U.S. Cybercom.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 25, 2018.
North Korea seems to be escalating a global data reconnaissance campaign.
McAfee researchers are tracking Operation Ghost Secret,
which they say is particularly interested in critical infrastructure,
entertainment, finance, healthcare and telecommunications.
They attribute the operation to Pyongyang's Hidden Cobra group.
In other North Korean news, Recorded Future reports that the DPRK elite is going to ground, virtually speaking, exiting Western social media and online services in favor of Chinese alternatives, where they'll presumably be less accessible to hostile surveillance.
It's not clear that Alibaba, Tencent, and Baidu are really that much more obscure than, say, Amazon or Facebook, but Pyongyang's big shots are taking their trade elsewhere.
They're also using more obfuscation services.
Fortinet is tracking a Python-based Monero miner.
They're calling it PyRoMine, and they say it uses the Shadow Brokers-leaked Equation Group tool EternalRomance to disable security systems en route to cryptojacking.
Disabling security systems could also enable PyRoMine's operators to stage further attacks.
Radio Free Europe/Radio Liberty reports Russian disinformation concerning Assad's nerve agent attacks against a civilian population.
State-run media are using year-and-a-half-old footage from a movie shot in Syria to prove that the recent sarin attack against civilians in Douma is a Western hoax.
The film in question was a dramatization, not a hoax, of an earlier nerve agent attack against the rebel-held town of Ghouta in 2013.
Many of the conversations on cybersecurity these days center on the notion of the humans being a weak link in the chain.
The bad guys and gals rely on the fact that there's always a certain percentage of users
that they can trick into performing some action that gives them access to what they want.
Joe Cincotta is managing director of Thinking Studio, where they've been working on implementing better design for better security.
At the most basic level, we think people act rationally, but they don't.
However, they do act predictably irrationally.
And psychologists have been figuring out what these kind of hacks are
for our psychology for decades.
Around 2000s, this guy called BJ Fogg started looking at it
and seeing how you can actually design computer interfaces
to change people's behavior and change what they think and what they do.
And this research ended up being used in digital advertising.
It ended up being used in social media platforms like Facebook. That is
a fundamental part of them. And also, if you look at a lot of online gaming, it's all designed
around these behavior patterns and how they can create addictive behavior patterns. But not all
of those hacks are about addictive behavior patterns. In fact, some of them are just about
facilitating good behavior change.
What we saw is there's this huge gap in security. And when you think about it from a security standpoint, like there's some ridiculous statistic going around, like 98% of all security incidents
are essentially caused by human error in some way, shape or form. So if you can change the way
humans are interacting with software to mitigate some of that, you'll have a huge impact.
Secure user experience design is about looking for these foundational design patterns that can leverage all that learning from psychology, but apply it to just principles of user experience design to make people behave in a more prudent way when it comes to security.
Can you give us an example of sort of the difference between an approach that would
be secure design versus what we've done traditionally?
A great example is one that you might have already seen, which Google implemented on Gmail,
enterprise Gmail. So if you use Google Apps for the enterprise, you'll notice when you
email someone who you've never emailed before, it gives you a little warning, especially if that
person is outside the organization. It'll put a little message under the email address saying,
hey, this person, you've never messaged this person and they're outside of your organization.
Just make sure this is what you really want to do. And that little yellow bar stands out
against that white background that you're used to seeing on Gmail's interface.
And what you're traditionally used to seeing is nothing.
You're used to seeing just a To, a CC, and a BCC bar
if you look at your standard Outlook or any email client
that you'd be used to using.
So these changes can be quite subtle, but their impact can be enormous.
And that Gmail example is a perfect example of the subtlety, but also the potential benefit from that impact.
Now, it strikes me that particularly with security professionals, I think there's almost a point of pride of sitting down in front of the machine in front of a stark command line. Do you ever find yourself having trouble selling the idea of design to folks who like to strip things down to their basics?
Well, yeah, it's a funny question that actually what we find is they're not normally our customer.
And that's, I think that's part of the problem, actually, is when security folk are really
thinking about this, a lot of the time they're thinking about the tools they need to use to solve the problem, right?
They're thinking either, you know, some might be thinking about perimeter security.
They might be thinking about infrastructure layer.
They might be thinking about, you know, user training and education that way.
But the conversations we're having normally with product owners, those guys instead have the opposite
problem. They don't necessarily understand the impact or the implication of these security
issues until it's too late. So we don't, I suppose, have the representation of these security folk in
those conversations, right? That's the problem. And that's why we still have the problem that we
have. The guys that are out there designing software are not the guys that are out there protecting the organization a lot of the time.
And we need to bring those two much closer together so that we instead have security.
I suppose, think of it like the secure development lifecycle should include user experience design as much as it includes OWASP and all the other things that we've got for the software engineering team. I think that's the place that we're getting now, where we're looking and saying,
actually, you know what, just because it looks pretty doesn't mean it solves the problem.
And in fact, you have to bring secure coding standards up to secure design standards.
That's Joe Cincotta from Thinking Studio.
A complex hijacking of cloud service IP addresses in Chicago raises concerns about not only the immediate crime,
theft of about $150,000 in cryptocurrency by spoofing MyEtherWallet,
but of a more serious intrusion by Russian actors who may be staging an attack on commodity trading platforms or other financial infrastructure.
The incident happened yesterday morning and lasted for about two hours.
It involved around 1,300 IP addresses on Route 53, which is Amazon's domain name service.
Amazon wasn't itself hacked.
As the company said, quote, "An upstream internet service provider was compromised by a malicious actor, who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.
These peered networks, unaware of the issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer's domain to the malicious copy of that domain." End quote.
The upstream provider in question is reported by Ars Technica to be eNet, a large Ohio-based Internet provider.
The reason the incident has prompted concern about Russian staging is that MyEtherWallet was redirected to a Russian server via a man-in-the-middle attack at a Chicago server.
That server belonged to an Equinix customer and was located at the Equinix IBX facility, that's International Business Exchange, on East Cermak. The server's location aroused concerns that the connection between the Chicago Mercantile Exchange and the New York Stock Exchange may be susceptible to compromise.
$150,000 may be a lot to you or me, but to the attackers it looks like chump change.
Their wallet already seemed to hold around $17 million in altcoin,
and that too is grounds for concern that something else may be afoot.
Huawei has joined ZTE in U.S. crosshairs over sanctions violations.
The U.S. Department of Justice is investigating whether the Chinese device manufacturer violated U.S. sanctions against Iran.
Apple has patched macOS, iOS, and Safari.
As always, it pays to keep your systems up to date.
Bravo, Europol. The international police agency, with its partners, has taken down a major Internet irritant.
They've seized the infrastructure of Webstresser, a notorious denial-of-service-for-hire shop.
Six alleged members of the Webstresser gang are under arrest.
The criminals operated under the fig leaf of a stresser business one might hire to test one's defenses.
But no, they were in fact selling DDoS to skid criminals.
U.S. District Judge Vince Chhabria has delayed sentencing in the case of Yahoo hacker Karim Baratov.
His honor wants more information on Baratov's connection with Russia's FSB.
He'd like to see more on Baratov's involvement with the conspiracy.
Such involvement might justify the prosecution's request for the unusually long eight-year sentence.
And finally, the Wall Street Journal, announcing this morning that Lieutenant General Paul Nakasone was to be confirmed as both Director NSA and Commander U.S. Cyber Command, said the Senate has approved his "duel hat," D-U-E-L.
We thought at first that this was a typo, that they meant dual hat, D-U-A-L, as in the two of them.
But maybe that's wrong.
It could be a showdown, with Nakasone asking the GRU's Igor Korobov to smile when he hacks that before
they slap virtual leather. Well, hey, we can dream, right? At any rate, congratulations,
General Nakasone, and good hunting.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, welcome back.
We wanted to talk about cybersecurity in the financial services sector.
You have some thoughts here.
What can you share with us today?
So I think one of the really interesting things about the financial services sector is that it's almost like one of
the misunderstood critical national infrastructures globally. And we've seen a number of significant
attacks against those infrastructures. Fortunately, though, operationally, financial services
has a very strong response to cybersecurity attacks. And that is in part due to
significant regulation around operational resilience and operational risk. But increasingly,
as we know, the financial services sector is becoming digitized. There are a number of new
approaches, new startups selling slightly different variants on financial services that
consumers can get apps for on their mobile phones or enable them to develop new approaches to
managing their finances. And then now the new regulations that have come out to open up the
banking sector add a new dimension for that and that brings out a much wider economy for new startups and new businesses
to develop. So my specific concern is that or interest here is that the financial services
operate on the concept of trust and confidence. We have to trust that the banks are going to be
able to do the right thing and we have to have confidence in them that they know what they're doing. But we've seen from cyber security that nothing erodes trust and confidence quite as
quickly as having a failing digital service. So it's that challenge between an increasingly
digitized financial services sector that operates fundamentally on trust and confidence against
this idea that digital systems can quickly and rapidly erode trust and confidence. And how do we manage that conflict?
Yeah, it seems to me like there's a disproportionality there where,
I guess it's almost a cliche that, you know, things can go wrong very quickly in the cyber realm.
Yeah, and that's one of the slightly more concerning things. So if you look at the sort of the recent financial crashes, what we saw there was the fact that within the financial services sector, we were building up considerable amounts of financial risk in these commodities that were being sold around mortgages or bad mortgages and bad debts. And it only took one or two little things to happen and it cascaded and created a global failure.
And now what happens when we set up systems that start to take people out of the loop even more?
So, for example, imagine we've already got computational trading algorithms sitting there looking at the stock market doing things.
But imagine that then combined with smart contracts, which are designed to start to sell physical commodities. This hidden risk within the financial services sector,
where one thing will happen that could cause a cascading failure across several systems,
not necessarily a failure, but cascading actions across several systems, which doesn't then have
humans in the loop to be able to protect that from happening and causing a significant global
failure. I don't want to be too doom and gloom about it,
but that's one of the things that keeps me awake at night.
Well, I suppose, is it fair to say it's sort of that unknown unknown,
that systems are being put in place and no one's 100% sure
how those cascading effects might kick in?
Yeah, certainly.
So if I'm writing a smart contract on a distributed ledger system of your choice, then, you know, I don't know what other potentially smart contracts that will be out there that might be affected by that.
Particularly if, say, my smart contract is triggered based on some action in the real world and the output of another smart contract is to trigger that action in the real world.
It's going to be very difficult in terms of the complexity to add all these things up.
And then the other thing is to think about is that smart contracts and their evolution will
make it much easier for individuals to be able to create these kind of automated trades and sales
of commodity items or any other money-based system that you want.
And therefore, nobody's really going to be able to have that big overall picture.
Whereas now, to create a contract for something is actually quite a lot of effort.
There's a lot of cost involved.
You have to get lawyers involved.
And so they tend to be very large, tangible things that you put that effort into.
But what happens when you can create smart contracts for selling items for two or three dollars or pounds?
You've got this really complex interplay between all these things that can potentially cause a lot of problems because we just don't understand how they're all interconnected.
Daniel Prince, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time
and keep you informed.
Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening.
We'll see you back here tomorrow.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.