CyberWire Daily - Fancy Bear's phishing expeditions. Cryptowars and privacy regs in the EU. Is that really you, Dr. Niebuhr?
Episode Date: March 31, 2017. In today's podcast, we hear about how Fancy Bear left tracks in Bitly, and Fancy Bear did an awful lot of phishing going back to March 2015. Experts take a look at Russian espionage and influence operations, and they draw some disturbing conclusions. The EU seems ready to go anti-encryption—how that will work with the EU's regulatory emphasis on privacy is anyone's guess. The University of Maryland's Jonathan Katz explains the recent Zcoin cryptocurrency bug. Bob Ackerman from Allegis Capital and DataTribe offers insights on the investment environment for cyber. And no, that's not a famous theologian tweeting: it's the head G-Man.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Fancy Bear left tracks in Bitly,
and Fancy Bear did an awful lot of phishing going back to March 2015.
Experts take a look at Russian espionage and influence operations,
and they draw some disturbing conclusions.
The EU seems ready to go anti-encryption.
How that will work with the EU's regulatory emphasis on privacy is anyone's guess.
And no, that's not a famous theologian tweeting.
It's the head G-man.
I'm Dave Bittner in Tucson, Arizona, with your Cyber Wire summary for Friday, March 31, 2016.
As the week ends, interest in Russian cyber operations remains as high as ever.
U.S. congressional hearings into the extent of those operations continue,
with heightened attention being drawn by stories of how extensive and aggressive Russian activities were.
SecureWorks has been tracking Fancy Bear's activity during the run-up to last year's
U.S. elections, and they found that activity to have begun as early as March 2015, and
to have prospected over 6,700 people.
While there was clearly a lot of interest in the U.S. election,
that was far from Fancy Bear's only interest. Targets are said by Motherboard to have included
members of the U.S. military, diplomats all over the world, Russian government critics,
Hillary Clinton campaign staffers, and even Hillary Clinton. It was a phishing campaign,
thus typical of the commodity-level approach
that continues to pay off well for espionage services. Only 2% of the marks took the phish bait,
but when you've trolled through nearly 7,000 accounts, 2% is enough. SecureWorks was able
to get the details they did because Fancy Bear left its bit.ly URL shortener accounts public,
so even bears do leave tracks.
At SINET ITSEF 2017 in Mountain View, California earlier this week, we heard an account of Russian cyber operations that emphasized four of its salient features. First, it has clear objectives
in what the Russians view as an ongoing war between themselves and the West, and especially against the U.S.
The principal objective is to induce chaos in what Moscow regards as a zero-sum contest.
A Western loss, whether financial, social, political, or reputational, counts as Russian gain.
As Ondrej Krehel, CEO of security company LIFARS, put it, "during the Cold War,
if you did harm to the U.S.,
you were a hero," and that attitude and policy have persisted beyond the end of the Soviet
era. Second, while all espionage services show a tremendous appetite for data, newfound ability
to aggregate and correlate data makes any particular loss of a small bit of information
far more consequential than it would have been earlier.
And, as the Hoover Institution's Herb Lin pointed out at ITSEF,
the Russian services have by no means been laggard in exploiting information in these new ways.
Third, there is no clear line of demarcation between organized crime and Russian espionage services.
The services regularly and deliberately make use of organized cybercriminal groups
to damage their targets.
Lin alluded to unconfirmed reports he learned of,
to the effect that there have actually been formal memoranda of understanding issued
by Russia's Federal Security Bureau to cybergangs.
Fourth, espionage and influence operations are commonly carried out using relatively simple tools.
Phishing continues to be used because phishing works.
Some of these observations were echoed yesterday at the Billington International Cybersecurity Summit in Washington, D.C.
Thomas Donahue, research director at the Cyber Threat Intelligence Center, more familiarly known by its acronym CTIC,
noted that intelligence
agencies have always had a large and insatiable appetite for information, and so Russian
concentration on big data tools is unsurprising, as is their ability to profit from the data they're
able to aggregate and correlate. He also said that sophisticated threats, like advanced nation-state
espionage services, differ from less sophisticated threats, say small-time criminals or one-off
hacktivists, less in terms of the sophistication of their technique than in their focus,
determination, and persistence. They use what
works, and since phishing works, then by all means, they'll phish. James Trainor is currently
Senior Vice President, Cyber Solutions Group at
Aon, but recently he was the Assistant Director, Cyber Division of the U.S. FBI. He told the summit
that in his experience he'd long seen connections among organized cybercrime and the espionage
services of what he called the Big Four threat actors, Russia, China, Iran, and North Korea.
But there are significant national differences in the
way each of the big four interacts with crime. For example, Russia tends to make direct use of
criminal organizations almost as subcontractors. In the case of China, one tends to see government
officers moonlighting as cybercriminals without direct official sanction as a kind of private
enterprise. Iran's relationships, Trainor said, were too complex for easy characterization,
but North Korea's case is easily understood.
The government itself engages in criminal activity for the state's profit.
Such observations about international cyber conflict are particularly timely
as U.S. congressional inquiry into Russian influence operations continues.
We'll continue to follow those hearings with interest.
Reports suggest that the European Union will soon mandate back doors in encrypted communications.
The Register says that companies who don't anticipate and voluntarily comply will find
a hammer dropped on them sometime in June. This anti-encryption stance, motivated in part by concerns about police ability
to monitor and stop incipient terrorist activity,
seems to be in tension, to say the least,
with the stringent privacy protections
the EU also wishes to put in place.
Researchers at Palo Alto Networks
have found two remote-access Trojans,
Trochilus and MoonWind,
in active use against utilities and other targets in Thailand.
Open-source developers using GitHub should beware.
The Dimnie Trojan is there and being used against them.
Finally, Gizmodo says it's found FBI Director Comey's Twitter account.
It's long been known Director Comey was on Twitter, but exactly what
his handle was he coyly kept secret, which would explain the small number of followers he claimed,
less than 10. The director's handle turns out to be an homage to theologian Reinhold Niebuhr.
You'd think a Chicago man would have chosen Paul Tillich or Paul Ricoeur, but we don't know.
Maybe you go to Twitter with the theologians you got.
And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer
science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, we saw a story come by about this cryptocurrency called Zcoin.
Turns out they have a vulnerability.
Yeah, that's right. They announced a vulnerability a couple weeks ago.
And what they had noticed was that a hacker was able essentially to spend about half a million dollars' worth of their cryptocurrency
that they weren't, of course, supposed to spend.
And once they noticed that, they started digging into the code,
and they found actually that their code was indeed vulnerable to an attack,
and they went ahead and patched it.
And to their credit, they were very public about it.
They announced this vulnerability.
They announced this mistake on their blog.
And then they followed up with a more detailed post afterward
explaining what exactly had happened.
According to the story, this was a case of a simple one-digit typo.
It's really unbelievable. It was exactly that. It was a one-character typo in their code.
And what this allowed the attacker to do was to essentially re-spend coins multiple times, which is something you're obviously not supposed to do.
And for those of the listeners who know a little bit of programming, it came down to a simple error of using a double equal sign rather than a single equal sign. So the double equal sign is meant to
test equality between two values. And the single equal sign is meant to be an assignment of one
value to another variable. And just that one error in the code allowed the attacker to go ahead and double spend all these coins.
And this is the kind of error that can make it through your usual rounds of testing.
Yeah, that's right.
It's not one of the things that typical static analysis, for example, would find.
It's an error kind of in the logical portion of the code,
and you'd have
to really understand what the code is supposed to be doing in order to find it, which means that
these automated analyzers are probably not going to be able to find it. But you need really humans
to be involved and to be checking the code and to spot the error. Looking at the code, which is
available on their blog, as I mentioned, it is kind of surprising that it wasn't caught earlier.
But you know, it's one of these things where just a mistype and a single character error,
like I said, can cause these problems. And I guess if you look at the same code too many times,
you don't even notice these kind of things anymore.
And in this case, nearly half a million dollars worth of problems.
Yeah, that's right. It's really one thing interesting about these cryptocurrencies,
of course, is that anytime there's a vulnerability, you can be sure someone's out there looking to make money off of it because these cryptocurrencies have value in the real world.
And so you can be sure that people are constantly looking to take advantage of them.
Jonathan Katz, thanks for joining us.
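As an added illustration of the one-character bug Katz describes, here is a constructed C model of a coin ledger (not Zcoin's actual code; the ledger structure, function names and serial value are assumptions) with the spend-recording line written both ways, so the effect of `==` where `=` was intended can be seen directly:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical, simplified ledger: each coin has a serial number, and a
 * spend is valid only if that serial has not already been recorded as spent.
 * Constructed for illustration; no real cryptography or Zcoin code here. */
#define MAX_COINS 8

typedef struct {
    uint64_t serial[MAX_COINS];
    bool     spent[MAX_COINS];
    size_t   count;
} ledger_t;

static int find_coin(const ledger_t *l, uint64_t serial) {
    for (size_t i = 0; i < l->count; i++)
        if (l->serial[i] == serial) return (int)i;
    return -1;
}

/* Mint a coin with the given serial (constructed test data). */
bool mint_coin(ledger_t *l, uint64_t serial) {
    if (l->count >= MAX_COINS || find_coin(l, serial) >= 0) return false;
    l->serial[l->count] = serial;
    l->spent[l->count]  = false;
    l->count++;
    return true;
}

/* Buggy spend: the line meant to mark the coin spent compares instead of
 * assigning. It still compiles (gcc only warns under -Wall, clang warns by
 * default), the already-spent check never fires on later attempts, and the
 * same serial is accepted again and again: a double spend. */
bool spend_buggy(ledger_t *l, uint64_t serial) {
    int i = find_coin(l, serial);
    if (i < 0 || l->spent[i]) return false;  /* unknown or already spent */
    l->spent[i] == true;                     /* BUG: '==' where '=' was intended */
    return true;
}

/* Fixed spend: the assignment actually records the spend. */
bool spend_fixed(ledger_t *l, uint64_t serial) {
    int i = find_coin(l, serial);
    if (i < 0 || l->spent[i]) return false;
    l->spent[i] = true;
    return true;
}

/* Count how many times one serial is accepted by a spend function over
 * repeated attempts; a correct ledger accepts it exactly once. */
int accepted_spends(bool (*spend)(ledger_t *, uint64_t), int attempts) {
    ledger_t l = {0};
    const uint64_t serial = 0xC0FFEEULL;     /* constructed sample serial */
    mint_coin(&l, serial);
    int ok = 0;
    for (int n = 0; n < attempts; n++)
        if (spend(&l, serial)) ok++;
    return ok;
}
```

Building with compiler warnings enabled, and a unit test that attempts the same spend twice, are the cheap checks that catch this class of typo before it reaches a ledger that holds real value.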
My guest today is Bob Ackerman.
He's founder and managing director of Allegis Capital,
a seed and early-stage venture capital firm focused on cybersecurity.
He's also a board member at DataTribe,
which he describes as a startup co-creation studio
that builds disruptive startups in the domains of data, analytics, and cybersecurity.
He joined us in our studios in Baltimore.
You know, I think we're kind of an interesting place in the development cycle of the market.
I sort of look at the last few years as large-scale efforts to kind of remediate gaps and holes in cyber defenses.
So if you imagine a dike with a thousand holes in it,
a lot of people running around trying to put fingers in those holes.
And that's important.
It's important because the architecture that we're living with today
basically is based on a 50-year legacy.
It wasn't designed with the level of data integration,
speed or velocity of data movement that we have today. And so
inevitably, there are gaps that need to be plugged, and that's not going to go away for the foreseeable
future. But I think we're on the cusp of what I'll call the second wave of innovation, where people
are beginning to think, based on that first wave, about more effective systems. You know, what have
we learned in that first wave of innovation? How do we begin to get ahead of some of these threats as opposed to purely responding to them? So think of this as
how do we stop water from getting through the dike? And so I think that's a really interesting
area that we're beginning to move into where we'll see a lot of innovation. And then you look at
things like orchestration and automation, clearly we're ready for that second wave
where we need to fill the skills gap,
we need to be able to respond more rapidly to a threatened environment,
with levels of automation to assist threat analysts
in responding to those threats.
A good example of the second wave of innovation.
How do you begin to build the stack so that your people are more effective and your offenses are stronger from the outset?
What about consolidation?
Are you seeing a lot of that in our future?
I think consolidation is inevitable in any industry, number one.
And cyber is not going to be any different.
I think what's different about cyber is innovation will continue apace along with consolidation.
So if you think about it, we're kind of rolling up the past areas of innovation.
There'll be consolidation there while we push ahead in new areas of innovation.
Historically, if you looked at innovation, the initial wave of innovation is driven by what I call hype and hope.
The world will never be the same.
We've got to grab part of that.
The second wave of innovation is sort of rationalization.
Okay, what did we learn in the first wave?
Now let's be a little more thoughtful, a little more deliberative about what we're innovating around.
The third is that consolidation, which historically is more of a maturation of an industry cycle.
We're going to see the consolidation in cyber, but it's not about maturation.
It's just about building the baseline of functionality so that innovation can focus in the new areas.
You know, the nature of cyber, as you well know, is just, you know, bad guys versus good guys.
Innovation is a constant.
It moves at a very rapid pace.
But at some point in time, we kind of have to clean up behind ourselves and integrate this functionality,
which is essential, you know, into platforms that are a baseline of functionality
and allows us to focus on new areas of innovation like homomorphic encryption or data provenance or orchestration and automation.
I mean, if you stop and think about it, security analytics, orchestration and automation,
do the two of them come together, consolidate, and is that SIEM 3.0?
So you've got this rationalization of the building blocks into larger pieces
so that innovation can be focused in the areas which are more differentiated
and really represent the cutting edge.
Do you consider cybersecurity to be fundamentally different from
other industries? Yeah, I do. I mean, if you stop and think about cyber, I can't think of another
area of technology where innovation is a daily mandate from a technical perspective. I mean,
if you think about the sharing economy,
the Lyfts and Ubers of the world,
the innovation is around a business model.
It's important, but there's not that continual drive
for technical innovation.
Cyber, if you step back and look at cyber,
there's a tendency to think about cybersecurity
as a vertical
niche. You know, I would argue that that is about as wrong as you could possibly be. In fact,
cyber is broadly horizontal. You know, the global economy today operates on a digital substrate,
you know, and cyber is about that digital substrate. So cybersecurity is as broad as
information technology. So, you know, you have
information technology evolving all the time, cyber is evolving with it, you have this legacy
architecture that has all sorts of gaps and holes. So in terms of a domain for innovation,
it's about as big as you can possibly imagine. And because the bad guys are very adroit at kind
of identifying vulnerabilities and exploiting those vulnerabilities, the good guys are running around equally challenged to either anticipate where those vulnerabilities are or to respond to vulnerabilities that have been identified.
So innovation in this space is on a day-to-day basis. It's one of the reasons why it's difficult, quite frankly,
for cybersecurity companies when they're public, you know, to continue to innovate as quickly as
possible. As you get larger, it's harder to innovate as quickly as you need to be in order
to be at the cutting edge in cybersecurity. So it's a market segment, if you will, that is
more driven by innovation than anything I can think of,
certainly in my career. That's Bob Ackerman from Allegis Capital and DataTribe.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers.
I'm Dave Bittner. Thanks for listening.