CyberWire Daily - Netherlands financial sector recovers from DDoS. Lizard Squad, Mirai, and coin mining. IOTA wallets emptied. Snooper's Charter loses in court. US House may release surveillance memos. Strava OPSEC.
Episode Date: January 30, 2018
In today's podcast we hear that the Dutch financial sector is well on its way to recovering from the recent DDoS wave, which could be the work of anyone from teenaged skids to some nation's intelligence service. Lizard Squad may have a connection to Mirai. The reptiles are also getting into the coin mining business. Patient phishing relieves IOTA cryptocurrency users of the contents of their wallets. UK's Snooper's Charter smacked down by High Court. US House Intelligence Committee votes to release classified memo on surveillance. Jonathan Katz from UMD on the "fuzzing" of private healthcare information. Guest is Michael Simon from Cryptonite with results from their 2018 Health Care Cyber Report. US military personnel get an OPSEC lesson on Strava.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The Dutch financial sector recovers from a DDoS wave, which could be the work of anyone from teenage skids to some nation's intelligence service. Lizard Squad may have a connection to Mirai. The reptiles are also getting in the coin mining business. Patient phishing relieves IOTA cryptocurrency users of the contents of their wallets. UK's Snoopers' Charter is smacked down by High Court. The U.S. House Intelligence Committee votes to release a classified memo on surveillance. And U.S. military personnel get an OPSEC lesson on Strava.

I'm Dave Bittner from scenic Maple Lawn, Maryland, just outside of Baltimore, with your CyberWire summary for Tuesday, January 30, 2018.
The Coincheck hack is looking costly for the exchange that was victimized late last week. The exchange has pledged to repay about 90% of the funds people lost when NEM coins were looted from hot wallets. The amount to be repaid is thought to amount to some $425 million of the estimated $530 million stolen. This looks to us like 80%, but every news source covering the story calls it 90%, so we assume either the estimated losses are lower or the estimated repayments are higher. In any case, $435 million is a lot. Japan's Financial Services Agency, FSA, has ordered Coincheck to improve its cybersecurity. The exchange is still in operation – the trading it suspended Friday did not include Bitcoin trades – so the security upgrades have a serious purpose. They're not likely to be cheap either. The incident is prompting regulators worldwide to consider tighter control over cryptocurrencies and speculation therein.
Over the weekend and continuing through yesterday, the Dutch financial sector was subjected to a serious round of distributed denial-of-service attacks. The Dutch Revenue Service and several of the country's major banks were affected. ING, the Netherlands' largest bank, was hit Sunday evening. The country's third-largest lender, ABN Amro, sustained three attacks over the weekend, augmenting the four others it had sustained over the past week. Rabobank, the second-largest Dutch lender, underwent an attack that began Monday morning. All three banks are in the process of recovering normal operations, and that recovery seems now substantially complete. Customers would have noticed problems with website availability. There's no evidence any systems were breached or data lost. Also targeted with a denial-of-service attack was the Dutch Revenue Service, whose website went down for a relatively brief 10 minutes. The Netherlands Ministry of Justice and Security said the attacks were very advanced, but that the banks showed a reassuringly high degree of defensive preparation.

There's no attribution or suspected motive in the attacks, the Ministry of Justice and Security said, but researchers at security firm ESET say they observed that the command and control servers for the botnets used in the attacks were for the most part located in Russia. That doesn't say much about motive. As ESET points out, the attackers could have been anyone from bored teenagers in it for the lulz to a state security apparatus, either sending a message or engaging in misdirection.
And speaking of skids in it for the lulz, teenaged or otherwise, the Internet of Things security company Zingbox has released a report on the Lizard Squad that connects it to the Mirai botnet. The researchers conclude that there's a connection, after all, between the Mirai botnet and the notorious, and for the most part incarcerated, skids at Lizard Squad, well known for their attacks on gaming systems like PlayStation and Xbox Live, as well as for their Lizard Stresser distributed denial-of-service service.

Zingbox found four distinct activities that link Lizard Squad with Mirai. First, Mirai's source code was publicly released nine days after the arrest of Lizard Squad founder Zachary Buchta. Second, the Ukrainian hosting provider BlazingFast was used by both the authors of Mirai and by the Lizard Squad parasites of the BigBotPein group. Third, the authors of Mirai engaged in a distributed denial-of-service attack against security blogger Brian Krebs shortly after he criticized Lizard Squad, saying, I hope it's clear to the media that the Lizard Squad is not some sophisticated hacker group. This apparently stung. Fourth, there are references to Mirai on a Lizard Squad website hosted at a site whose URL we won't read here because it's slightly more than half composed of vulgarities. This is, to be sure, circumstantial, but it's interesting. Also interesting are signs that the Lizard Squad members who remain at large have expanded their interests from renting out stressers for DDoS as a service into the trendier crimes of Monero and Ethereum mining.
Michael Simon is president and CEO of Cryptonite, a company that focuses on proactive network defense. They recently released their 2018 Healthcare Cyber Report, and Michael Simon joins us to share their findings.

We're in the business of protecting critical vulnerability use cases, and healthcare is sort of that perfect storm of connection of those use cases, and that's what prompted us to do this.

So take us through what were some of the key findings from the report.

There's sort of two directions of the key findings. One is there's been a pretty dramatic increase in the number of ransomware attacks. And second, actually, the number of records reported to have been stolen has decreased. These are healthcare records. It's an interesting sort of dichotomy, if you will. We believe that one of the reasons that the records have decreased is because now attackers are really going to widen their attack vectors to more and more facilities. Some of them might not have as many records. And they're also seeing that they can get more money out of a ransomware attack than actually stealing a record itself.

That's interesting, because we often hear that a healthcare record in particular is more valuable than, say, a credit card number, something like that.

Yeah, it is, and it still is. But if you look back into the 2012 timeframe, a healthcare record would get somewhere in the neighborhood of $50 on the dark web. Today, you're down to numbers that could be $1 or 50 cents. And it isn't because they aren't valuable. It's that there's so many out there.

Now, let's revisit what you said about the ransomware, because I guess the common advice from law enforcement is don't pay the ransomware. But yet, it seems to me like particularly when it comes to health care, we've seen several instances where people have paid the ransom.

With how they have to report these attacks, they're simply reporting what records have been potentially accessed and what attacks have, you know, occurred. But they're not obligated to say whether they paid the ransomware attacks. So we can only speculate whether organizations have paid them or not. From a healthcare or hospital facility's perspective, all they care about is patient care. If a ransomware attack is potentially impacting the care of a patient, I'm guessing they're going to pay that fee pretty quickly. The concern, though, is there's nothing to stop that attacker from doing the same thing the next month, the next year, because they have the information to do it.

So what's your perception on where these health care systems are in terms of properly protecting themselves? Are they catching up? Are they getting ahead of the game?

I think to answer that question, you have to take a look at these organizations first and see why I use the term perfect storm. Healthcare organizations in general weren't built around an IT infrastructure. They were built around how to care best for the patient. So IT and OT, operational technology and information technology, were sort of separate. And there's not nearly as many IT professionals in the healthcare world as you'll find in the finance world, for example. So the healthcare organizations are desperately trying to beef up their resources on the IT side. Some are doing a lot better than others. Others are not really doing very much at all. And then you have the situation of medical devices, what I call IoMT. Other people use the same term, Internet of Medical Things. These are devices designed for patient care that really had no concept of security built in. So you take the idea of not a lot of IT resources, these medical IoT devices, and that really becomes the perfect storm for an attacker. So I think what's happening is these healthcare organizations are desperately trying to catch up, but they're still the perfect storm of opportunity for hackers.

That's Michael Simon from Cryptonite.
Users of IOTA cryptocurrency were successfully robbed of some $4 million by an unusually patient criminal who set up a malicious seed site that assigned users predictable seeds, an 81-character seed being necessary to create a wallet. Once this was done, the criminal, Norbert V. Dieberg, phished to land users on his site. On January 19th, Norbert V. Dieberg used the logs he'd accumulated over six months of operation to empty the users' IOTA wallets. His site is now closed and he is on the lam. It's worth noting that a DDoS attack on IOTA network nodes occurred at the time Norbert V. Dieberg was looting the wallets. The attack seems to have been misdirection, a common use of DDoS.
In a setback for HM Government, the High Court in London ruled the Snoopers' Charter unlawful. The surveillance law had been challenged in court by a Labour MP. It had been enacted during Prime Minister May's tenure as Home Secretary.

The U.S. House Intelligence Committee has voted to release its presently highly classified memo on alleged surveillance abuses. It is thought that both the majority staff-prepared memo and its minority counterpart will be made public.
And finally, we return to the curious case of Strava, the fitness app whose aggregated and anonymized heat map shows stuff like someone riding a bicycle around the runway at Groom Lake, Nevada, and troops running for exercise at various U.S. bases around the world. White House Cybersecurity Coordinator Rob Joyce says, quote, It's really clear that the heat map is a security risk, end quote, and that the administration is thinking through what to do about it. As we thought when we spoke about this incident yesterday, a number of service members are receiving some Strava-related OPSEC guidance. A Defense Department representative said, quote, Secretary Mattis has been very clear about not highlighting our capabilities to aid the enemy or with the chain of command. And we say again to the troops, thanks and good hunting.
And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. I saw a story in Science News, and it had to do with health care information, patient information, and attempts to de-identify large patient data sets because of these privacy issues. Can you take us through what are we talking about here?

Well, basically, there's always a concern when working with medical data or other data collected about individuals that the data itself will reveal information about PII of individuals or other sensitive information about people who participated in the study, whether that's being released to the researchers or whether that's released to the general public in case data from that study is ever released. And so it was really nice to see here, actually, that medical researchers are aware and taking great care to try to anonymize the data that they're working with and the data that they're publishing in order to prevent this kind of de-identification of the individuals in the data set.

And how do they go about doing that?

Well, there are various ways you can do that. A lot of different techniques have been developed over the years. The ones that they were looking at in the study that you were talking about seem to be based on an idea called k-anonymization, where basically what you do is you modify certain data in the data set to ensure that there's always a large group of people sharing any given number of attributes. So that basically means that if an attacker got their hands on the data, they wouldn't be able to look at a row of a database, for example, and then correlate that with a particular individual taking part in the study. More recently, people have looked at other techniques like differential privacy, which actually give more rigorous guarantees about what can be learned from individuals based on the data.

So what's your take on the technique that they used in this example?

Well, from what I could read about it, and this is only based on the news article, I wasn't actually able to get a copy of the paper itself. It looked like they had used a technique based on k-anonymity and some fuzzing, which involves changing some of the data values. And then they evaluated the effectiveness of that against a specific attack. And they showed that that particular attack was unsuccessful. And that's a good start. But what worries me about that is that it leaves open the possibility that there are other attacks that the researchers didn't think about that would allow an attacker to learn information about individuals. And so what you'd really prefer is, you know, rather than preventing one specific attack, you'd rather have a technique that would de-anonymize the data in such a way that it was secure against all possible attacks. And that's what something like differential privacy would allow for. And, you know, I hope going forward that they try to integrate those techniques into what they're doing as well.

Jonathan Katz, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.