CyberWire Daily - ISIS claims Manchester concert bombing. The case for a North Korean Wannacry. US lawmakers consider cyber legislation.
Episode Date: May 23, 2017
In today's podcast, ISIS claims responsibility for the Manchester concert bombing. Security companies make their case for pinning WannaCry on North Korea. US legislators consider bills to upgrade equipment and permit limited hacking back. Emily Wilson from Terbium Labs considers coming European privacy regulations. Doug DePeppe from the Cyber Resiliency Project describes a community-based approach to cyber resiliency.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ISIS claims responsibility for the Manchester concert bombing.
Security companies make their case for pinning WannaCry on North Korea.
U.S. legislators consider bills to upgrade equipment and permit hacking back,
plus a community-based approach to cyber resiliency.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 23, 2017.
Authorities in the U.K. continue to investigate yesterday's lethal bombing at a Manchester concert.
The suicide bomber has been identified as Salman Abedi,
a 23-year-old man who had previously come to the attention of authorities for an interest in ISIS.
The working theory initially has been that Abedi acted alone,
but U.K. security agencies are looking for signs of co-conspirators.
The lone wolf working theory is provisional,
with experts suggesting the nature of the bomb used indicates a support network
and minimally the sort of planning it would have been difficult for a solitary terrorist to conduct.
CBS News has reported that another young man was taken into custody in connection with the attack.
22 victims, including a number of children, have so far died in the attack.
59 others are believed to have been wounded.
ISIS has been quick to claim responsibility in its online channels,
characterizing the murdered victims, mostly young music fans,
as polytheists, crusaders, and worshippers of the cross, and celebrating
the attack in its now familiar narrative of inspiration aimed at recruiting and inciting
similar terrorists.
ISIS characterizes Abedi as a soldier of the caliphate.
ISIS appears to be instructing its members to stay clear of social media activities that
could bring them to the attention of law enforcement or intelligence services.
Those same services are, of course, sorting through the online chatter and similar evidence.
More circumstantial evidence points to North Korea
as the responsible party in the WannaCry ransomware attacks.
The apparent motive and clues in the attack code itself
are consistent with a DPRK operation,
but of course the attribution remains provisional and tentative.
A number of profiles have appeared of North Korea's Unit 180,
a cyber operations organization thought to be behind the Lazarus Group,
and such operations as DarkSeoul.
Symantec, which has been tracking WannaCry, now assesses a link to North Korea as highly likely.
That confidence, as reported by Ars Technica, is founded on these bits of evidence, many of them gleaned from earlier,
more contained distributions of the ransomware. First, three bits of malware linked to the
Lazarus Group were left on a network that sustained an early attack by WannaCry in February:
the Trojan.Volgmer and two variants of Backdoor.Destover. Backdoor.Destover was a
disk-wiping tool the Lazarus Group used against Sony Pictures. Next, Trojan.Alphanc, used to
spread WannaCry in March and April, is a version of the Lazarus Group's Backdoor.Duuzer. Bravonc,
another delivery mechanism for WannaCry, used the same command and control IP address as Duuzer and Destover.
Bravonc's obfuscation methods were significantly similar to WannaCry's and to other malware associated with the Lazarus Group.
And finally, the Lazarus Group's Contopee malware has significant similarities to WannaCry itself.
The EternalRocks campaign, which like Wanna, is based on the EternalBlue exploits the
Shadow Brokers leaked, continues to appear more troublesome to most observers.
Its goal is persistence.
The purpose of establishing that persistence remains so far unknown, but it doesn't appear
to be a simple ransomware campaign.
Its execution is superior to WannaCry's. It's worth noting that Polaris Alpha has suggested that WannaCry's apparent slipshod execution may have been a matter of design as
opposed to ineptitude. The attackers may have been probing to test the response an attack on
unpatched systems would evoke. The Cyber Resilience Institute is a national not-for-profit organization that says their mission is to help communities build operational and sustainable public-private partnerships and cybersecurity information-sharing environments.
Doug DePeppe is co-founder and board president of the Cyber Resilience Institute.
We take a cyber capacity-building approach to communities, to localities.
And so take me through how does that work?
How do you identify a community and then how do you engage with them?
One of the key things that really helped us is we were funded by the Department of Homeland Security
for a cyber market development project.
So what we're engaged with now is building out a marketplace model.
You know, there's a big effort now for information sharing in the ISAOs and ISACs.
And if you take that model and put it in a community, the question becomes, what is the business model?
How does that sustain itself?
There's a need for information sharing.
It's a great idea.
It's a defensive mechanism for situational awareness. And we see that once you have that situational awareness, once you stand up your ISAO, it creates more market opportunities because that growing awareness of the threat and even different technical sensing that reveals, you know, an indicator of compromise, that then
leads to greater interest in training, in improving, you know, an organization's cyber
resilience. So it just leads to additional services being needed, as well as the awareness
of it creates demand. And so what we're under our contract, what we are building out is a market
based, a market forces, a marketplace based model in communities. From a practical point of view,
what does the engagement look like? The starting point is building a community. So we have a
toolkit. So it's called the C-Champion Toolkit. That's how a community wanting to affiliate with
us, they can go on to a site and they can download the toolkit. And that just gives the basic
organizing information, what the value proposition, how to reach out in a community to your vendors,
to your potential members, and so on. It describes the business model. The other way that you can get started is we've started up a national cyber threat intelligence internship. So it's called
the Crowdsourced Cyber Threat Intelligence Internship, targeting different events as
capstones. We have close to 100 students now across the country, and we train them on cyber threat intelligence and
analysis. And then we use the event as the capstone activity where we are generating intelligence,
analyzing it, and sharing it, both with partners who are on the event side as well as with
government, if there's any law enforcement or critical infrastructure, government-type
threats.
That's Doug DePeppe from the Cyber Resilience Institute.
In the U.S., WannaCry and other recent incidents, including the Shadow Brokers leaks, have prompted
a flurry of legislative attention.
The Senate is considering the PATCH Act, which would place the intelligence community's
vulnerability equities process on a legal foundation. The House has passed a bill that
would speed IT modernization within the federal government with a view to increasing security by
closing the vulnerabilities legacy systems present. Also in the House, a member has introduced a bill
that would mandate a review of the role played by cryptocurrencies in financing terrorism.
Such investigation would be based to a significant extent on a priori probability as opposed to specific indicators.
And finally, WannaCry itself seems to have prompted bipartisan introduction of the Advanced Cyber Defense Certainty Act in the House. The proposed legislation would empower U.S. companies hit by cyber attack to
hack back under certain circumstances. For a useful thought experiment on how such hacking
back might play out in practice, we recommend looking at the Atlantic Council's Cyber 9/12
exercise. You'll find a description on our site at thecyberwire.com slash events.
And I'm pleased to be joined once again by Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, your work takes you around the world.
And recently you were over in Europe.
And that got you thinking about some of the coming privacy regulations.
Absolutely.
We here certainly in the industry and the states have conversations about privacy regulations all the time.
And we're looking and hoping to see these have an impact at a national level.
But, yeah, I was recently in The Hague in particular.
It was really interesting to talk to people about how they're thinking about privacy,
especially as Europe as a whole is approaching the GDPR regulation that's coming into effect next year.
I think we're going to see some really interesting changes in expectations, in innovations, and in evaluations of these companies and in software as people scramble to get ready for these GDPR.
And it's going to affect companies of all sizes.
Absolutely, right.
This isn't just companies that hold a certain amount of personal information.
This is everything from your massive conglomerates to your smaller or
medium-sized businesses. Now everyone is responsible for the data, and they really
are responsible. This is not regulation that I think we're going to see moved. This is a hard
deadline people need to prepare for. And how about if you are an American company who may
be doing business overseas, may not know if you've got customers who are overseas,
this will have an effect on you as well. Absolutely. I really think that we're going to see some trickle down or some
flow over effects of this as these companies, big and small, who are operating internationally
kind of need to prepare for this. Are these companies going to just handle their European
data? Are they going to make some broader changes across their organizations?
I think it's going to be an interesting year. So do you think we'll see a global shift towards more privacy just because it'll be easier for people to obey the rules of the European Union,
to have one set of rules, I guess is what I'm getting at, rather than try to cherry pick
around the world? I think the conversations that we see happening as European companies and as companies who operate internationally prepare for GDPR will help to structure the conversations that are happening kind of internationally or domestically here in the States.
But I don't know if I'd go as far to say as people are going to move toward one particular type of regulation or legislation on this.
I think we're going to see a lot of people holding off and punting for as long as possible,
which is unfortunate.
All right.
Interesting stuff.
Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.