CyberWire Daily - Hansa Market takedown. Recovery from EternalBlue exploits is a long slog. Banking malware rising. Power grid vulnerabilities. Devil's Ivy and the IoT. A look at criminal markets.
Episode Date: July 21, 2017

In today's podcast we hear about an international raid that took down the illicit Hansa Market, which, it turns out, the Dutch National Police had covertly taken over for about a week. Recovery from WannaCry and NotPetya continues its long slog. Banking malware is on the rise in the wild. Studies warn of power grid vulnerabilities. Devil's Ivy infests security cameras in the IoT. Digital Shadows offers a look at hackers' black markets and sees similarities to the drug trade. Our newest partner Robert M. Lee from Dragos introduces himself and the ICS work he does. Guests are Leslie P. Francis and John G. Francis, coauthors of the book, "Privacy - What Everyone Needs to Know." And our congratulations to Dr. Whitfield Diffie, the newest Fellow of the Royal Society.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An international raid takes down the illicit Hansa market.
Recovery from WannaCry and NotPetya continues its long slog.
Banking malware is on the rise in the wild. Studies warn of power grid vulnerabilities. Devil's Ivy infests security cameras in the IoT. Digital Shadows offers a look at hackers' black markets. And our congratulations to Dr. Whitfield Diffie, the newest Fellow of the Royal Society.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 21, 2017.
International law enforcement enjoyed a big win yesterday as a joint operation by the Dutch National Police, Europol, and the U.S. FBI and DEA took down Hansa Market, the contraband market that succeeded the recently dismantled AlphaBay as the dark web's leading source of illicit drugs, weapons, and crimeware.
The Dutch police took covert control of the site over a week ago.
Servers were seized and arrests made in Germany, Lithuania, and the Netherlands.
So bravo Bitdefender, which supplied information vital to the operation.
Companies continue their recovery from both WannaCry and especially NotPetya.
The latter attack in particular has had a long-term effect on operations and a material
effect on revenue.
Concerns about the EternalBlue exploits involved in the attacks appear to have motivated closer attention to patching.
A resurgence of Android banking trojans is being reported by Dr. Web and other security firms.
Google is now offering Android users of Google Mobile Services 11 and more recent versions Play Protect,
which is intended to enable them to screen potentially harmful apps.
Banking threats are of course not confined to Android.
Kaspersky Lab reports its discovery of Nukebot, a ready-to-attack version of TinyNuke.
The malware infects bank sites with a view to stealing credentials.
Trend Micro warns against a current malvertising campaign it's calling ProMediaAds. It's distributing the Sundown Pirate Exploit Kit,
which is a mash-up of ransomware and an information stealer.
It may be related to the Green Flash exploit, which appears ready for a reappearance in the United Arab Emirates.
There are reports out this week from both GCHQ in the UK
and the National Academies in the US.
Both find their respective countries' energy sectors vulnerable to attack.
GCHQ says the grid in the UK may already be compromised,
and the National Academies say there's a lot of work to be done on securing the electrical grid in North America.
The Devil's Ivy Internet of Things vulnerability, reported this week, occurs in the widely used open-source IoT code gSOAP.
ViewPost's Chris Pearson emailed us some comments on Devil's Ivy.
He points out that gSOAP is especially prevalent in physical security devices.
Quote,
When developers share similar foundational code bases,
bake these into the software running their devices,
and fail to address or miss vulnerabilities as part of a well-oiled software development lifecycle, the impacts can be broad.
Among the companies whose products Pearson says are afflicted by Devil's Ivy are
Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp,
Siemens, Sony, and Toshiba.
The president's executive order on cybersecurity reached some of its agency reporting deadlines this week. There's also some interest being expressed in Congress on adopting some additional safeguards agencies could put in place to help safeguard citizens in their interactions with them. Senator Wyden, a Democrat of Oregon who's long been interested in cybersecurity, sent an open letter to the acting Deputy Undersecretary responsible for cybersecurity at the Department of Homeland Security, in which he urged DHS to take steps to ensure that hackers cannot send emails that impersonate federal agencies. Senator Wyden advocates general adoption of DMARC, that's the Domain-based Message Authentication, Reporting and Conformance standard.
We received emailed comments from Valimail's Alexander Garcia-Tobar on impersonation. He said, quote, the FBI reports that impersonation attacks are rising in frequency and cost the U.S. billions each year, end quote. He thinks adopting DMARC standards is something not only federal agencies could do, but that businesses could increase the security of their emails and reduce impersonation attacks by doing the same.

Whitfield Diffie may now add FRS to his name.
On Friday, it was announced that the cryptology pioneer had been elected to the Royal Society,
National Cryptologic Museum Foundation.
Our congratulations on a well-deserved honor.
Dr. Diffie joins the more than 8,200 fellows elected since the Society was founded in 1660.
You may have heard of some of them.
Charles Babbage, Daniel Bernoulli, Charles Darwin, Arthur Eddington, Albert Einstein.
Well done, Dr. Diffie.

Security company Digital Shadows has a study of the cybercrime black market.
They are specifically interested in the carding markets and how they've evolved.
Their research suggests interesting comparisons to drug markets
with a complex structure designed to monetize the theft in several stages.
There are data harvesters who intercept the pay card information,
distributors who resell the card data,
fraudsters who are typically low-end skids who run the highest personal risk,
analogous to street dealers,
and then various types used to monetize the take. Monetization can be done by dupes or by mules, fences, and others who move and sell fraudulently purchased goods. One interesting highlight: the criminal carding groups offer courses whose come-ons sound like the old draw-me invitations you used to see in matchbooks and comic books. Most of the courses, unsurprisingly, are in Russian, but Digital Shadows offers a translation of a representative example. Do you want to become a professional in the world of carding? WWH Club offers you a new profession, a new source of income, a completely different quality of life. It will change your view on personal finance. It will show you how to earn money in an interesting, intellectual...

That last sentence offers a sad insight into the behavioral economics of the carding world. Still, better written than the Shadow Brokers stuff.
Digital Shadows says the course costs you 45,000 rubles, which comes to about $745.
There's an additional fee for course materials that will set you back 200 bucks,
a decent investment for a criminal.
As Digital Shadows points out, you might earn up to $12,000 a month,
or 17 times the average Russian compensation.
Plus, there are all those amicable and progressive friends.
The training seems pitched mostly at prospective mules and fences.
So hop to it, progressive community.
It could be your ticket to joining the wealthy elite.
Or maybe not.
And I'm pleased to welcome to the Cyber Wire podcast Robert M. Lee.
He's the CEO of Dragos.
Robert, welcome.
By way of introduction, we want to start out as we always do with our new partners. Tell us a little bit about yourself and a little bit about Dragos.
Thanks. Yeah, thanks for having me. So as far as myself, I really focus on sort of the industrial control system space. A lot of my background was starting out in the U.S. Air Force and then over in the U.S. intelligence community, looking at and standing up a mission to identify nation states breaking into industrial control environments like manufacturing sites, water facilities, electric power grids, etc. That was all fun and maybe too popular, too productive. It would have been a better mission maybe if we turned out we found that there was nobody attacking anywhere. That wasn't the case. So my team and I jumped out and created Dragos. So Dragos is a fellow Maryland-based company. We are a bunch of folks that focus on industrial security. We've got our technology, and we've also got incident response and intelligence teams trying to tackle this very specific and niche industrial problem.
So let's dig into that a little bit. Tell me a little more about Dragos. What are the specific types of challenges that you all are hoping to address?
So I really see two major challenges in the ICS or industrial control system security space. Challenge number one is we simply don't have enough people in this field. Estimates range between 500 and 1,000 ICS cybersecurity professionals worldwide. I think it's probably closer to the 1,000 number, but that's still very, very trivial in terms of overall skill sets. And the second big issue is we don't really understand the ICS threat landscape. And this also, of course, leads to a little bit of hype when we see things like, oh my gosh, somebody got a phishing email. The power grid is going to come down. It's like, whoa, whoa, whoa. There's a little bit more nuance than that. And so sometimes over the years, we've seen IT best practices copy and pasted in ICS environments inappropriately. So when we try to tackle the problem, we've got our threat operations center who goes out and does incident response and threat hunting and services in the field. And the real purpose of that is, can we see intrusions firsthand? And from those intrusions, can we pass that to our intelligence team to generate real intelligence, not just indicators and stuff like that, but insight into the adversary landscape that I mentioned is fairly unknown. And then ultimately, can we drive that to our product in a way that we start scaling and automating best practices and response efforts and how we tackle these problems. Because at the end of the day, I think civilian infrastructure should be off limits to adversaries, and we're only getting more and more aggressive adversaries.
Yeah, it strikes me that ICS is one of those areas where just about everyone can sort of wrap their hands around what would happen if. You know, if they get attacked, the lights are going to go out or the water is going to stop flowing or that dam is going to burst.

Yeah, I mean, that's the tricky area, right? This is a topic that is fundamentally important to everybody's life. We all are impacted in a major way by industrial control systems, whether we realize it or not. And it is easy to wrap your mind around, oh my gosh, what if the power goes out? But the nuance in how that would take place is often lost. And that's really where a lot of the expertise comes in and knowing what really can and can't happen related to specific events. And in that sort of chasm of a lot of people being super interested but also not a lot of people responding firsthand and seeing and having expertise on the nuance of it, in that chasm between those two points, we often find a lot of hype. And so folks that are well-intentioned but talk in the media or elsewhere about the potential and really miss that it's really not fear and gloom and doom. I mean, there's some scary scenarios, but not quite, you know, movie-level land yet.
All right. Well, Robert M. Lee, welcome to the show. We're happy to have you.
We're looking forward to what you have to say.
My guests today are Leslie and John Francis. They are co-authors of the book Privacy, What Everyone Needs to Know. Leslie Francis is a Distinguished Professor of Philosophy and Distinguished Alfred C. Emery Professor of Law at the University of Utah, where she also serves as Director of the Center for Law and Biomedical Sciences. John G. Francis is a Professor of Political Science at the University of Utah.

I think a lot about privacy that matters to people is choosing the terms on which you reveal yourself to others. I think that kind of is a theme that wanders through a lot of the privacy literature. And one of the problems is that people may not have the range of choices that they want. So yeah, I need a cell phone. That comes with some risks. I would rather have it come with fewer risks. We all know that there are certain risks of data getting stolen.

As we head towards these GDPR standards in Europe coming up next year, it strikes me that different cultures have different standards for privacy. And as we become more of a global community, how do you see that playing out?
In Europe, there has been, as you know, a great deal of concern, particularly
about social media or search engines that can reveal a great deal about people's records that
make them accessible to a larger audience. And I think it is that there are, I mean,
cultural variations, so that in the United States, the debate is often over the right to know versus, say, the right to be forgotten.
And Americans tend to go a bit more on the right to know, on having access to information about others that they would like to see.
And the Europeans, I think, have been somewhat much more constrained
in that notion. And that's probably shaped to some extent by the fact that all the firms that
gather the data and transmit information tend to be giant American firms. So in a way,
this has accelerated the debate in Europe, at least I would suggest,
that you're not only dealing with the right to know versus the right to be forgotten,
you're dealing with the fact that the data might be shipped to another country,
to some of that discussion. One other difference between Europe and the United States that we
might mention is that the United States has been much more concerned about
government gathering of information, whereas in Europe, there's a great deal more concern about
the private sector and control of information. Some of that's ironic because some of the history
of European privacy attitudes has actually been shaped by the legacy of fascism.
And communism in Eastern Europe. Yeah.

What about encryption? What are your thoughts on that?

It's a fascinating debate, because it does actually highly highlight the whole question of security questions, as it did over the phone that Apple declined to de-encrypt. And I think at the same time, it's also equally clear that you can address encryption. It's not that much of a total firewall, as people would say. But I think it's going to be
forever kind of one of the great challenges ahead, because we're now in an age of ever-growing
hacking. And encryption is one way to address that,
but maybe not always the best.
So I think, yes, the encryption is there.
Yes, people will figure out how to break encryption.
But I think that's part of the ever-going
cat-and-mouse aspect of security on the net.
It changes, and who has the advantage
seems to change on a regular basis.
As we go forward, looking forward from this point in time, where do you think the discussion on privacy needs to go?
I think it needs to go to whether in the United States we should have a more overarching single approach to privacy,
rather than what people call the sectoral approach that
we now have. So one of the things that's very difficult for people to understand is that the
protections for your educational records are different from the protections of your banking
records. And they're different for the protections of your credit. It seems like it's all financial information, right? So why are
the protections different if it's your bank than if it's a credit bureau or a credit reporting agency?
The rules also vary depending on who has the data. So why should the protections for my health
information be different if it's possessed by my doctor than if I store it in a
secure website called a personal health record? And I think we're going to have to look at the
question of whether we should have a more general, overarching consumer privacy approach the way
it exists in Europe. And one of the, maybe I would just add one thing. Justice Breyer has a famous
quote that if you over-regulate, you under-regulate. That is, if you make regulatory policy
so complicated, people simply avoid implementing it. And in some senses, that has to be constantly
a consideration in privacy policy, because if it gets too complicated, people just go around it. And so I
think probably more weight should be given to people being sensible, to kind of educating them
about how you use information and the risks you employ and your willingness to entertain a risk.
That's Leslie and John Francis. They are the co-authors of the book Privacy,
What Everyone Needs to Know.
It's from Oxford University Press.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.