CyberWire Daily - Pyongyang's snarling through cyberspace, and what others are doing about it. Copperfield espionage campaign in the Middle East. GDPR approaches. Giving your kid a smartphone?
Episode Date: December 20, 2017. In today's podcast, we talk about what the Five Eyes see. Implications of North Korean responsibility for WannaCry. Defense and deterrence go with naming and shaming. The Lazarus Group looks to cryptocurrency theft to redress North Korean financial shortfalls. Copperfield cyber espionage campaign in the Middle East. GDPR approaches, and organizations look to get their data houses in order (and buy insurance). Justin Harvey from Accenture on choosing threat intelligence. Guest is Stan Engelbrecht from D3 Security on the vulnerabilities in public transportation. And what to do if your child gets a phone from Santa.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
What the Five Eyes see, implications of North Korean responsibility for WannaCry, defense and deterrence go with naming and shaming, the Lazarus Group looks to cryptocurrency theft to redress North Korean financial shortfalls, the Copperfield cyber espionage campaign in the Middle East, GDPR approaches and organizations look to get their data houses in order and buy insurance, and what to do if your child gets a phone from Santa.
I'm Dave Bittner with your Cyber Wire summary for Wednesday, December 20th, 2017.
Have you heard? People say North Korea was behind the WannaCry attacks that tore through vulnerable networks early this summer. Pyongyang hasn't had much to say about the latest round of accusations, but it has denounced earlier attributions as slander and provocation, as of course Pyongyang would.
That said, all five of the Eyes are glaring like basilisks toward the Democratic People's Republic of Korea, which they agree was responsible for WannaCry.
And it's not just the Five Eyes, Australia, Canada, New Zealand, the United Kingdom and the United States, but others too, Japan among them.
Some conclude that the lesson here is that collective defense works,
albeit in this case abetted by someone lucking into the kill switch,
because the outbreak could have been far worse.
U.S. networks, for instance, proved generally resistant to the campaign.
Two questions at least are being asked,
one pertaining to deterrence and the retaliatory capability necessary to deter,
the other to security lapses that can enable attacks.
To take deterrence first, if you wish to deter similar attacks,
how might you retaliate?
You can hack until the ones and zeros jump,
but it's not clear doing so will seriously affect North Korea's regime,
absent identification of something the regime values that one could hold at risk.
Blame, shame, and further isolation may be the best anyone can do, many observers suggest.
The U.S. stopped short of using language that would have characterized WannaCry as an act of war,
but North Korean cyber operations
are clearly a matter of concern. The White House drew particular attention to Facebook account
takedowns and Microsoft fixes as providing valuable and ongoing defense against North
Korean cyber attacks. Facebook said that last week the company cooperated with Microsoft in
joint action to disrupt the activities of a persistent
advanced threat group commonly referred to as Zinc or the Lazarus Group.
Microsoft, in addition to cooperating with account takedowns, has said it has taken steps
to clean customers' machines and strengthen Windows defenses.
The Facebook account takedowns are seen as suggesting that WannaCry is, as Engadget says,
the tip of the proverbial iceberg.
They're also taken by many as a sign that the U.S., and probably the U.K., are engaging in some form of retaliation, although little more is being said about it.
The Guardian quotes the U.K.'s Foreign Office Minister for Cyber, Tariq Ahmad, as saying, quote, we condemn these actions and commit
ourselves to working with all responsible states to combat destructive criminal use
of cyberspace.
He added that international law applies online as it does offline, and said the United Kingdom
was determined to identify, pursue, and respond to malicious cyber activity, regardless of
where it originates, imposing costs on those who wish to attack us in cyberspace.
The second big question about WannaCry is,
how did the alleged NSA exploits, particularly EternalBlue,
get loose into the hands of the shadow brokers in the first place?
Early in 2017, NSA warned Microsoft about a vulnerability
in Windows Server Message Block Protocol,
which Microsoft patched in March.
In April, the shadow brokers dumped what they characterized as stolen NSA attack code,
and that dump included the EternalBlue exploit, subsequently used by WannaCry to hit unpatched machines.
White House Homeland Security Advisor Tom Bossert, who's been the public face of U.S.
attribution of WannaCry to North Korea, said yesterday that, quote, the government needs
to better protect its tools and things that leak are very unfortunate.
We need to create security measures to better protect that from happening, end quote.
While there have been at least three arrests in connection with NSA leaks, none of these, so far as is publicly known, were for leaks of exploits to the shadow brokers.
So presumably investigation continues.
WannaCry is of course currently in remission, as it has been for some months.
The DPRK's current interests appear to lie in cryptocurrency,
with the Lazarus Group paying a great deal of attention to hacking wallets and catfishing people with access to alt currencies.
The UK's Minister for Cyber, Ahmad, alluded to Pyongyang's motives in his statement on WannaCry.
Quote, the indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber program to circumvent sanctions.
End quote.
That program now concentrates on stealing Bitcoin,
so alt-currency fans, look to your wallets.
With the holidays upon us, many will be traveling to visit friends and family.
They'll make use of public transportation,
and some of those systems are semi-autonomous.
Stan Engelbrecht is director of cybersecurity practice at D3 Security.
One example, well, one that I take daily here would be the TransLink SkyTrain here in Vancouver, which doesn't have any drivers. It's all centrally
controlled, so all the speed, any type of stopping mechanisms or anything like that is basically all
controlled out of a central location, and it's all really driven by
interconnectedness. And so what are some of the specific vulnerabilities that systems like this
would have? A number of them would be just the central systems themselves. I mean, if we're
talking the SkyTrain, it really was something that was developed in 1986. It came out when the World
Expo here in Vancouver happened. Back in 1986, the idea of a cyber attack, I mean, we're talking
about something that really wasn't even thought of nor even invented at that point. And so these systems,
which are now internet connected, really don't have the controls and securities in place that
they need to in this time and space. That's probably one of the biggest problems that
they're running into right now. And so have we seen any attempts to get into these sorts of systems?
Well, there was a San
Francisco one, which happened not too long ago, which is fairly well known. The Muni attack
basically caused their system to run for free. Our system here, there hasn't really been an attack,
I would say, in terms of causing the system to go down. There was a card hack in terms of the
payment system, which people were able to ride for free, but not really anything where it was a real disruption.
Different actors are getting into different places.
And so the prospect of a general cyber attack on a public transportation system is something I would say is inevitable.
Can you sort of contrast the difference between someone who would be going after criminal things,
you're trying to get some money versus someone who, you know, perhaps a terrorist attack. You listed it out right there. The difference is going to really be motive. So
a cyber criminal, I mean, while they don't really want to disrupt the system, so to speak, they want
to get into it to profit from it, whether it's, you know, being able to siphon off account
information, whether it's being able to actually, you know, directly pull money out of the card
payment systems that they have in place. Whereas if you're looking at something, I only use the word state actor or a terrorist organization,
I mean, if you have the ability to shut down New York's central train stations or anything like
that that's going to be interconnected, you're going to cause widespread chaos. That's going to
have a number of different impacts, obviously financial, but you're really talking about
pulling a system down or causing a lack of service, you're talking about, oh, that's one of their MOs, right? They're terrorists. They want to spread terror, and having the system pulled down is one aspect of it.
If I think of possible outcomes in terms of what can happen there, I mean, I look at our SkyTrain system, you know, and I would hope that they have, uh, you know, some physical controls in place in terms of speed. But if somebody gets into the centralized system, and you can well imagine if they just turn off the controls or turn up the controls on these systems so the trains just run at full speed and there's no stopping, or the operators don't have the ability to stop the trains.
I mean, you're talking about a mass accident that could affect hundreds of people at a time.
And is your sense that the municipalities are prepared for these sorts of things or are they behind?
I would say they're behind.
One of the people that we've had come in is from our security group here as a gentleman by the name of Gary Perkins.
And he's actually the CISO of the province of British Columbia here.
And really, according to him, from what he knows of the public systems and whatnot,
he figures that probably less than 5% of municipalities and public
and in the public sector here
is ready for really any type
of a widespread cyber attack.
And of course, I mean, that's concerning.
I think us in the security community
and even with our group here,
one of our goals is to really educate
the public on some of the dangers.
And I think if the public is better educated,
not in a way where we're spreading fear.
I mean, that's really not our goal.
Our goal isn't to spread fear.
Our goal is to educate and just make people aware.
And I think if we were better at spreading that type of an awareness, I think probably more things would happen quickly.
And you'd get, you know, if it's a political item like you brought up in terms of public transportation,
if there's more of an outcry from the public to secure these things, I think things would probably happen in a much better fashion.
That's Stan Engelbrecht from D3 Security.
Another cyber espionage campaign has been spotted in the Middle East.
Researchers at security firm Nyotron call it Copperfield.
It's an evolution of the H-worm, also called Houdini, that emerged from Algeria four years ago.
No firm attribution yet, but Nyotron speculates about the possible involvement of Algeria, Iran, and Saudi Arabia.
As full implementation of the EU's General Data Protection Regulation, GDPR, approaches its May deadline,
many organizations are looking for a silver lining in what amounts
to a pretty dark regulatory cloud.
Computing reports that GDPR does afford everyone an opportunity to get its data house in order.
There are also reports of a lining, silvery or leaden remains to be seen, for underwriters.
A lot of businesses have decided to transfer their GDPR regulatory risk by taking out cyber insurance policies.
There are only five days until Christmas, of course,
and those of you who are considering getting your kids' smartphones may find some quick advice useful.
The website CoolMomTech offers nine bits of counsel that are worth your consideration.
First, check location settings so your kids don't inadvertently broadcast their whereabouts. Second, of course, you'll want to set restrictions and parental controls. Third, consider setting up some way of sharing, like the family sharing offered on iOS devices. Fourth, set up their contacts, especially if you are sharing, to avoid oversharing. Fifth, manage their passcodes so you know the codes, and add your fingerprint to devices with biometric security. Sixth, set up a charging station somewhere away from the child's bedroom so they'll be less tempted to sit up all night looking at their new phone. Seventh, sit them down and show them how to use the phone. You don't want them picking up this kind of know-how on street corners, either physical or virtual. Eighth, consider making a contract with them about how, when, and where they'll use the phone, or at least set clear limits for them. And finally, if you get them a phone, get them a case to put it in, a good case that will survive dropping, immersion, maybe even temperamental banging.
And happy holidays.
Joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, welcome back. Today, we wanted to touch
on threat intelligence. Specifically, you make the point that when you're shopping for threat
intelligence, it pays to make sure you know what you're getting. That's exactly right. It seems
like on a daily basis, my team and myself are asked questions from our clients, like, how do I
know if we're spending our time and money on the threats that impact the areas of the business
that are critical to making money? Or how do I triage security incidents? Or do I even have
the right or the best threat intelligence? And it seems like there is a feeding frenzy in the
cybersecurity market today. More and more companies, software companies are coming out with
their next generation threat intelligence. And then you've got next generation threat intelligence feeds and so on. And really, I think that we as an industry
need to examine and talk about the various forms of threat intelligence and how it affects our
clients or how it affects businesses per se. And that's really being materialized through
the hype around having the best threat intelligence, like the best bad domains or the best
bad IPs and knowing exactly what signatures are out there and having them first before anyone
else and getting them to the clients. And really what we should be focusing on is not just the tactical threat intelligence, not just the indicators of compromise or indicators of attack, but also examining the who, what, and why and where behind a lot of the attacks. Know who out there wants to cause you harm from an adversary level. And just hanging your hat on tactical threat intelligence could be a mistake simply because these indicators, IPs, domains, signatures, all of that good stuff, is all predicated on one simple thing. And that is someone else in the world had to have seen that adversary or seen that threat one time before.
But what we're seeing is we're seeing very advanced adversaries.
Heck, you don't even have to be an advanced adversary.
You can just be an adversary, not even nation state.
And it's very easy to take your malicious code and rejigger a few variables.
And now you have a completely new signature. So
it's really important not to hang your hat just on indicators of compromise or attack.
So is it really a notion that while threat intelligence can be an important part of
the spectrum of tools that you use, you shouldn't allow it to give you a false sense of security?
Right. And I think that it really speaks back to previous points. We're seeing an industry being moved from solely based around prevention to prevention, detection and response. And if you put all your eggs in the threat intelligence basket, you are almost saying you're putting all of your eggs in the prevention basket.
All right. Justin Harvey, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.