CyberWire Daily - HBO hacked. Operation #LeakTheAnalyst targets individual security researchers. Election hacking notes. UK's Home Secretary opposes strong encryption. Russia bans VPNs. Bitcoin, crime, and punishment.

Episode Date: August 1, 2017

In today's podcast, we hear about the HBO hack, and the exposure of episodes and scripts. Operation #LeakTheAnalyst targets individual security researchers. Election hacking: machines, databases, and public opinion are all targets. The UK's Home Secretary wants Silicon Valley to rethink strong encryption. Russia, like China, is clamping down on virtual private networks. The BTC-e Bitcoin exchange is shut down amid allegations of money laundering. Awais Rashid from Lancaster University on developing a security culture. Michael Janke from DataTribe on his efforts to stand up the National Institute of Digital Security. And write this 500 times: "I will not mine Bitcoin on my school computer."

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 HBO gets hacked and intellectual property is exposed. Operation Leak the Analyst targets individual security researchers. Election hacking, machines, databases, and public opinion are all targets. Thank you. allegations of money laundering, and write this 500 times, I will not mine Bitcoin on my school computer.
Starting point is 00:02:33 I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 1st, 2017. Hackers have compromised HBO. They claim to have pilfered 1.5 terabytes of data, and they've leaked a script from an upcoming episode of Game of Thrones online. Their motive is unclear. It may be extortion. It may be nothing more than counting coup, the lulz, as they say. The hackers also claim to have obtained unreleased episodes of other shows, including Ballers, Insecure, Room 104, and Barry.
Starting point is 00:03:05 The incident is noteworthy in that unlike earlier Hollywood hacks that exploited lax security at third-party vendors, especially post-production facilities, HBO itself appears to have been breached. The cable giant has confirmed the breach, but has been reticent about disclosing exactly what was stolen. The hackers are pleased with themselves, addressing themselves to all mankind and promising the greatest leak of the space era with more to come. So you ain't seen nothing yet, apparently. But what the actual impact of the leaks will be remains to be seen.
Starting point is 00:03:38 Pirate torrent usage has been in decline for some months, and past escapades like this one have tended to lay an egg. We heard from security company Prevalent's Brad Keller, who in an email compared this hack to the Netflix loss of some Orange Is the New Black episodes. The lesson he draws from the HBO affair is that a company's intellectual property is an important asset that needs protection.
Starting point is 00:04:01 Quote, Too often companies only look at customer data and company financial information as assets requiring protection, forgetting that the release of a company's intellectual property can have devastating consequences. The lost revenue from the theft of intellectual property is gone forever. End quote. No significant developments today in the Operation Leak the Analyst story. It's worrisome because of the way a named individual was singled out for targeting. So far, it appears that FireEye's own systems, including those of its Mandiant unit, were unaffected.
Starting point is 00:04:36 Demonstrations of voting machine hacks at Black Hat last week prompt continued rumination over threats to election security. Concerns fall generally into three broad categories. First, the vulnerability of electronic voting to hacking and therefore direct manipulation of results. This is the sort of problem illustrated at Black Hat. It also seems not to have yet been realized in the wild. Second, exposure of voter databases. This has occurred and is worrisome.
Starting point is 00:05:04 Security firm LookingGlass has found some 40 million U.S. records for sale in dark web markets. And third, of course, influence operations. These have so far largely been Russian in origin and connected with both doxing, enforced transparency as it's been called in the political context, and straight disinformation, fake news. The effect of influence operations remains the subject of investigation in the U.S. and elsewhere. Officials in Germany, where the next major Western elections will be held next month, are on the lookout for all three threats.
Starting point is 00:05:40 Michael Janke isn't afraid of challenges or big ideas. He's a former Navy SEAL and co-founder of cybersecurity incubator DataTribe, plus Silent Circle and Blue Pacific Studios. After being asked repeatedly by reporters why our nation couldn't do a better job protecting itself from cyberattacks, he put his mind to it and proposed an effort that he calls the National Institute of Digital Security. As ideas go, it's a big one. If you think about the commercial sector, whether it is on one end a Lockheed that's building our latest generation fighters, or it's a small design shop that is innovating with IP,
Starting point is 00:06:24 and all in between are the Disneys, the banks, the Fords, you know, it's literally open season on them. Then you have government. Outside of NSA, CIA, a few other places, their level of cybersecurity protection awareness and skill is just extremely low. You take a look at what happened at OPM, right? You think about the cost of a single aircraft carrier, and you think about an organization that fits in the middle. It's not a government organization, and it's not a Wall Street, you know, publicly traded company that's got to make revenue every quarter. You take the best of both. You take very experienced, large company management, very streamlined. You take talent that exists within the intelligence community. And then you take universities and some of the
Starting point is 00:07:21 real raw talent in Silicon Valley, and you bring them together for a mission. And that mission is we are going to create basic, fundamental software. And you begin to build this repository where American corporations, whether they're publicly traded or a mom and pop, can go utilize this software for free, and you begin immediately getting into our ecosystem a level of basic digital hygiene, including the government, basic features that can rapidly build up their defense profile. Now, from the commercial side, how do they win? Well, now you have these companies that are able to donate some money to it, like a non-for-profit. They can sponsor certain things. They can draw talent out of there. They can build on this free software. You have to first
Starting point is 00:08:19 understand the stakeholders. And so from a practical point of view, how does this National Institute of Digital Security run? Is it an independent organization and where does it get its funding? Yes, it is an independent organization that is run by seasoned executives, not government. However, both private sector, both publicly traded venture, as well as large and small cybersecurity and any firm can put money into it. Government puts money into it. Like I said, you could run this per year for the cost of a single battleship. And so the idea would be you take some of that, you bring in the private sector, and you build a $10 billion budget that can run you five years. Professionalize it, allow our companies the ability to access, download, and begin deploying.
Starting point is 00:09:20 That's Michael Janke from DataTribe. The organization he's proposing is the National Institute of Digital Security. British Home Secretary Amber Rudd is in California, working to convince Silicon Valley's tech industry that real people don't need strong encryption. Only terrorists do, she says, making her position in the crypto wars quite clear. So two of the Five Eyes, at least, are squinting very hard at strong encryption. Last week, it was learned that Apple had agreed to knuckle under to Chinese authorities who directed the company and others to block virtual private network services from their stores and offerings. Over the weekend, Russia also banned VPNs. Amnesty International isn't happy, and neither is Edward Snowden, who for some reason
Starting point is 00:10:05 seemed surprised that the Russian government would exhibit ambitions to control online speech. In the cryptocurrency world, Alexander Vinnik, co-proprietor of BTC-e, a large and popular Russian Bitcoin exchange, was arrested late last week in Greece by Greek police executing a U.S. warrant. Vinnik faces money laundering charges stateside. He's also suspected of playing a part in the Mt. Gox fraud and implosion. Now U.S. authorities have also taken control of BTC-e's domain in a cooperative takedown executed by the FBI, the Secret Service, and the Department of Treasury pursuant to a seizure warrant issued by the U.S. District Court for the District of New Jersey. BTC-e customers are concerned about their funds.
Starting point is 00:10:52 It's unclear whether they'll recover them or whether they'll be forfeited. Coinbase, the legitimate California-based digital asset exchange, is widely reported to be under a denial-of-service attack. But this seems to not be the case. The availability problems it's suffering seem to not be an attack, but rather heavy usage by customers concerned about this month's anticipated Bitcoin fork. And finally, an employee of New York City's Department of Education, one Vladimir Ilyaev, a computer systems manager who's worked at the department
Starting point is 00:11:25 for more than 10 years, has been disciplined for using his work computer to mine Bitcoin. Since Bitcoin mining now takes a lot of computational and electrical power, it's not so easy to do it at home, and Mr. Ilyaev hit on the idea of just leaving his work computer to do the digging. New York's Conflicts of Interest Board fined him four vacation days worth about $600, but he's kept his job. No word on whether they had him write, I will not mine Bitcoin on the job, 500 times. After all, that's what Mrs. Krabappel would have done.
Starting point is 00:14:58 And joining me once again is Professor Awais Rashid. He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University. You all have done some research on encouraging security cultures among software developers. And through that research, you all have a few tips to share with us today. Yes, thank you for having me back again. Indeed, software now plays a fundamental role in our society from the apps that we use to the smart devices that we deploy in our homes or in our workplaces. And the question that naturally comes is, who has developed that software and what kind of security practices that were followed by those who developed the software? And so we've been doing some research in terms of understanding what kind of interventions can actually help build better security cultures within teams. But also, of course, you know, we know that good interventions like,
Starting point is 00:15:46 for example, penetration testing work really, really well, but then they tend to be quite costly. Similarly, code reviews are a really effective way of understanding security, but they require quite a lot of discipline from the security team and the developers themselves. So we did some interviews with experts who have been engaged in encouraging security cultures within organizations or developing security cultures within development teams to try and understand what are the perhaps low-cost interventions, the ones that don't require a lot of effort or investment of resources, but also don't require a huge amount of discipline from the development team to carry out. And through this research, we actually identified five main interventions. So, for
Starting point is 00:16:30 example, threat modeling can be a good way of encouraging security cultures, just getting the team together in some kind of brainstorm to model the various types of attackers, threats, and commercial impact of attacks on the systems under development. A really good low-cost way of doing things is an incentivization workshop, so to motivate the developers themselves to understand the security problems and how to prevent them. And some of the experts, for example, suggested that it's not simply a case of scaring the developers into security, but if you can, for example, shock them by showing some particular security problems, but leave them knowing how to solve them, then that can actually particularly encourage them to do this. The other thing that we found was that
Starting point is 00:17:14 low-hanging fruit in the sense of component choice can be quite useful. So, for example, if developers are using plugins, then, you know, knowledge about the security vulnerabilities or good security practices followed in those plugins can be quite, quite useful. And the other things that we also found were that things like static analysis tools can be a particular thing. And another very simple thing, a continuous reminder of some sort, you know, to just simply remind the developers that they need to sort of think about it on a regular basis. So not only an initial motivational talk, but actually thinking about reminders in the way of, say, security competitions or positive feedback when a team achieves a secure product, you know, or using public security disasters. We saw that in the case of the NHS in the UK, in the news as lessons, you know, these kind of things can also help encourage, build a security culture. So I want to emphasize, again, this is not at the
Starting point is 00:18:15 expense of things like penetration testing, but these are things that any team can do at a fairly low cost and don't require a huge amount of discipline to keep carrying them out. All right. Good advice. Professor Awais Rashid, thanks for joining us.
Starting point is 00:18:57 And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
