CyberWire Daily - Extortion claims. Election influence operations seem likely to continue. A Russian bank claims it's being framed by DNS spoofing. "Cyber Pearl Harbor" fears may be a distraction.

Episode Date: March 21, 2017

In today's podcast, we hear about the claim that "the Turkish Crime Family" is holding iPhones hostage. WikiLeaks grumbles that it has few takers for its Vault 7 bugs. Germany raises its state of cyber alert, pre-election. The US expects more Russian cyber and influence operations. A Russian bank says it was framed (and maybe it was). UMD's Jonathan Katz provides technical details on the recent SHA-1 collision. Mandiant's Ronald Bushar gives us highlights from their M-Trends report. Fears of a "cyber Pearl Harbor" may distract from real ICS risks. And no, Martians haven't landed in New Jersey.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Is the Turkish Crime Family for real with its threats to wipe iPhones remotely? WikiLeaks grumbles that it has few takers for its Vault 7 bugs. Germany raises its state of cyber alert pre-election. The U.S. expects more Russian cyber and influence operations. Fears of a cyber Pearl Harbor may distract from real ICS risks. And no, Martians haven't landed
Starting point is 00:02:18 in New Jersey. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, March 21, 2017. A group calling itself the Turkish Crime Family claims to have contacted Apple with a ransom demand. If Cupertino doesn't pay them either $75,000 in Bitcoin or Ethereum cryptocurrency, or one hundred thousand dollars in iTunes gift cards, they will remotely wipe millions of iPhones and iCloud accounts. The deadline for payment is April 7th. It's unclear whether the threat is real, or even whether the Turkish Crime Family has actually communicated with Apple. This may well be a case of skids crowing large, but it should also serve as a timely reminder of the importance of securing your iOS devices and iCloud accounts. South Korea reports stepped-up cyberattacks on its military networks, probably an unsurprising development given that they coincide with U.S.-South Korean military exercises. WikiLeaks' Julian Assange says, in effect, that companies who decline his disclosure of exploitable bugs, allegedly from CIA files, are stooges for the
Starting point is 00:03:32 U.S. intelligence community. That seems unfair, but on the other hand, Mr. Assange knows he's hardly flavor of the month in Langley or Laurel, and the IC certainly discourages anyone from having to do with him. Germany raises pre-election cyber alert levels to prepare for Russian cyber and information campaigns. The U.S. FBI warns that more Russian attempts to influence U.S. elections should be expected. The Bureau continues investigating possible contacts between Trump campaign officials and Russia. FBI Director Comey's testimony to Congress confirmed that the Bureau is convinced Russian intelligence services were involved in hacking the Democratic National Committee. What's surprising is not so much that the Russians would have wanted to do so,
Starting point is 00:04:17 but that they were so noisy about it. We heard from Fidelis Cybersecurity Threat Systems Manager John Bambenek, who calls this, quote, classic power projection. In effect, they're sending the message that if they can do this to the U.S., they can approach smaller countries and say, in effect, nice election you got there. Shame if anything happened to it. As Bambenek put it, quote, The true damage of the hacking hasn't been its impact on the election,
Starting point is 00:04:43 as there is little to indicate it had any impact on the final vote count. The real impact is the harm and destabilization we continue to bring upon ourselves. A U.S. that is consumed with bitter infighting and openly questions the legitimacy of its own institutions is dramatically less able to curtail Russia's geopolitical ambitions. That is exactly what they want. Russia's Alfa Bank has asked U.S. law enforcement for help with what it says are false signs of contact between itself and the Trump Organization.
Starting point is 00:05:15 Alfa Bank says it has observed multiple domain name server requests, that is, DNS requests, mostly using U.S. server providers, to a Trump Organization server. The bank says the requests were spoofed to make it appear that they originated from Alfa Bank and were intended to give a false impression that Alfa Bank had some sort of relationship with the Trump Organization. They also say they believe the attacks were launched from a botnet. Mandiant, a division of FireEye, recently released their 2017 M-Trends report on breaches and cyber attacks. Ronald Bushar is Mandiant's vice president of global government services, and he gave us an overview of what they gathered. We've seen a rapid rise in both the sophistication and the volume of financially motivated criminal actor groups.
Starting point is 00:06:05 We're actually stating in our latest analysis that in some cases, financial actors are as sophisticated or, in some cases, even more sophisticated than government or intelligence agency capabilities. We've also seen a shift from what we use the term smash and grab, which was very kind of visible, direct theft of financial data that could easily be monetized, to a shift in tactics that is focused on either direct ransom of information or theft of information for purposes of extortion. So kind of a secondary, if you will, attack vector that is extremely successful in a lot of scenarios. Organizations are often motivated to pay a relatively small ransom to get either their information back or to avoid the possibility of a public disclosure. And it eases the burden, so to speak, on the
Starting point is 00:06:57 attackers. They don't have to necessarily find the crown jewel information in the organization. They just have to find any information that is somehow valuable to the business and they can monetize that very rapidly. So that's certainly a trend we've seen kind of globally. We've seen an enormous rise in targeting, obviously, in Asia, Pacific region, especially around more sophisticated actors targeting the back-end banking infrastructure as well. So looking for those very large paydays with a attacks against the financial transaction back-end, things like SWIFT, et cetera. So there's kind of a combination of what I would deem the front-end attack that is
Starting point is 00:07:34 rapidly monetizing data from a ransom perspective, and then the more sophisticated back-end attack vectors that are really trying to compromise the infrastructure of banking and global financial services. Another trend we've seen, which is actually a positive trend, is organizations, and it might be correlated to the shift in tactics, but we've seen a very significant decline in the amount of time it takes organizations to detect an attack. And we've seen this trend over the past four or five years of our reporting. So it used to be more than a half a year of time between compromise and detection. We're now down to 79 days on average in the latest report, which really, you know, it speaks to, it's still too long, but it's much, much improved compared to years past.
Starting point is 00:08:23 Now, again, we attribute some of that to the relative investment and sophistication of cyber defense capabilities, especially global companies and organizations that are really focusing on cybersecurity as a business risk and investing more dollars, resources, and time and effort in securing their infrastructure. But we're also, I think, attributing some of that decline to the fact that threat actors are really starting to become less concerned with how long they can stay in an environment and more concerned with how fast can they get information, get access to it, and monetize it in some way. Again, especially on the financial threat actor side of the house.
Starting point is 00:09:00 That's Ron Bushar from Mandiant. You can find the entire M-Trends report on their website. Looking at our CyberWire event tracker, a quick note on some upcoming events worth your attention. Tomorrow, ThreatConnect is holding a webinar on tailoring threat intelligence to fit an organization's needs. A week from this Thursday, on March 30th, the second annual Billington International Cybersecurity Summit will meet in Washington. And on April 6th and May 5th, senior executives will meet in Atlanta and Dallas, respectively, for the Cybersecurity Summit. And you can see the CyberWire website for discount registration.
Starting point is 00:09:36 Researchers have been looking at threats to infrastructure, and some of those threats might exploit old code written years ago in COBOL. While they acknowledge that the much-talked-about cyber Pearl Harbor is at least a theoretical future possibility, concern about a Pearl Harbor shouldn't blind security officers and operators to an immediate, very real threat, targeted attacks against industrial control systems. Those have happened and do happen, and while they may be more limited in their effects than the continent-wide bolt from the blue people fear, they're serious, they're dangerous, and they're here today.
Starting point is 00:10:10 In his Unfettered blog at Control Global, Joe Weiss identifies 18 countries that have sustained targeted attacks on control systems. Finally, you do all know that the Cyber 9/12 event held this past Friday and Saturday was a competition for student teams, not something that actually happened, and that the exercise scenario that posited a 2018 cyber conflict between the U.S. and China was fictitious, that there's no imminent cyber war prompted by hacking back, that there are no cyber letters of marque and reprisal. We feel a need to say these things again, since some reaction to our accounts of the Atlantic Council's well-conducted event made us feel like Orson Welles in the Mercury Theater of the Air dramatizing the War of the Worlds. And no, should you YouTube over to the Mercury Theater, Martian cylinders have not landed in New Jersey either. We're reliably informed that New Jersey remains Martian-free. Now that we're clear that all this was an exercise, we note again how rich and well-structured the scenario was, and how effectively it exhibited the risk of
Starting point is 00:11:16 escalation through misunderstandings, incomplete information, and unintended consequences. But please do remember, it was, as Gilbert and Sullivan wrote, merely corroborative detail intended to give artistic verisimilitude to an otherwise bald and unconvincing narrative. Thank you. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:12:23 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:13:20 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:13:54 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Jonathan Katz. He's a professor of computer science at the University www.microsoft.com being found? Yeah, this was certainly very big news. In some sense, it wasn't very much of a surprise because the cryptographic community had known for a while that SHA-1 was in principle weak and that there were better ways to find collisions than a pure brute force attack. Nevertheless, it was still considered to be quite difficult to actually go ahead and find that
Starting point is 00:15:03 collision. And what these researchers had done is actually use both algorithmic improvements, as well as the computational power available to them at Google, to go ahead and carry out the attack and find a collision. So what were some of the technical details behind this, as a cryptographer, that caught your eye? Well, a couple of things. I mean, like I said, first of all, there was prior work showing these theoretical vulnerabilities in SHA-1. And what these researchers had done was improve on those and reduce the cost of the attack further. And then to me, it was really just impressive to see the amount of computational power that was available that they were able to harness at Google.
Starting point is 00:15:41 Those are the listeners who are more technically minded. They basically carried out about two to the 63 SHA-1 invocations. So that's an amount of work that for a while was considered at the edge of practicality, and I guess maybe still might be considered at the edge of practicality. But you can see that somebody or an organization with the resources of Google is able to carry out that much amount of work to do an attack. Yeah, two to the 63, two to 64, whatever it takes, right? Right, exactly. Now, SHA-1 has been deprecated, and certainly the word has been out for a while that people who are using it need to move on to SHA-2, but it seems like there's still plenty of
Starting point is 00:16:20 instances where it's sort of hanging around and lurking out there on the web. Yeah, that's right. And I think this is going to be, again, a wake-up call for people. You know, it's not something which is going to have impact immediately. So the fact that these researchers have found a collision doesn't mean that these protocols using SHA-1 all of a sudden overnight become insecure. But it's, again, another warning that they really do need to start actively migrating away from SHA-1 to the alternatives like SHA-2 or even SHA-3, the recently standardized hash function. Jonathan Katz, thanks for joining us. And now a message from Black Cloak.
Starting point is 00:16:59 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:18:08 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
