CyberWire Daily - Sri Lanka bombing investigation update. Christchurch call. ShadowHammer moves upstream. Carbanak in VirusTotal after all. Spoofing banks. Bots vs. Mueller Report. ASD’s best practices.

Episode Date: April 24, 2019

Sri Lanka investigates a homegrown jihadist group with possible international connections for the Easter massacres. New Zealand is preparing the Christchurch Call to exclude violent terrorist content from the Internet. ShadowHammer moves its supply chain attacks upstream. Carbanak source code seems to have been in VirusTotal for two years. Someone's spoofing financial institutions. Bots surged upon the release of the Mueller report. ASD offers a counsel of perfection. Prof. Awais Rashid from University of Bristol on evidence-based risk assessment. Guest is Michael P. Morris from Topcoder on the challenges of creating secure apps in the gig economy. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_24.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Sri Lanka investigates a homegrown jihadist group with possible international connections for the Easter massacres. New Zealand is preparing the Christchurch Call to exclude violent terrorist content from the Internet. ShadowHammer moves its supply chain attacks upstream.
Starting point is 00:02:12 Carbanak's source code seems to have been in VirusTotal for two years. Someone's spoofing financial institutions. Bots surged upon the release of the Mueller report. And ASD offers a counsel of perfection. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 24th, 2019. The death toll in Sri Lanka's Easter massacres has now risen above 350. The country's intelligence services have identified Moulvi Zahran Hashim as the leader of the coordinated attacks against Christians at worship and foreigners in tourist hotels.
Starting point is 00:02:57 Hashim is generally being described as a radical Islamic cleric known for his online sermons calling for the extermination of unbelievers. He's been delivering this message over several years, often using imagery of the burning twin towers as a backdrop for his homilies. ISIS has, of course, claimed responsibility for the murders, and Hashim has over the years spoken with approval of the caliphate and its commitment to jihad. As ISIS enters its diaspora phase, without control of any territory worth mentioning, observers think the jihadist group will increase its online presence.
Starting point is 00:03:33 The bombings in Sri Lanka weren't instances of the now sadly familiar pattern of lone wolves being inspired to kill by example and exhortation. Those indeed remain a threat, but the Sri Lanka attacks were organized, coordinated and centrally directed. The operational style is closer to that which Al-Qaeda demonstrated during the 9-11 attacks. The suspects in the bombing, including all of those arrested, are Sri Lankan citizens, not foreigners. It's believed that some of those involved had returned from abroad,
Starting point is 00:04:04 where they had fought for ISIS. That's a relatively small group. Sri Lanka's Muslim minority population hasn't contributed a large contingent to ISIS jihad. Unfortunately, a small contingent is all that's necessary. Security organizations responded quickly to the attacks, rounding up bomb-making material and taking a large number of people in for questioning, but poor interagency coordination seems to have led them to miswarnings of coming attacks, even when such warnings were issued by national authorities, and even went so far as to name the group thought likely to conduct attacks and its probable ringleader. There's always a lot of signal lost in the noise,
Starting point is 00:04:48 even when intelligence services have a good idea that something's up. But in this case, the failure to heed the warning seems to have been a more serious matter of poor coordination and even alleged political infighting of the bureaucratic as opposed to the ideological variety. Sri Lanka's president seems to think so. President Sirisena has asked for the resignation of both the defense secretary and national police chief. Some 60 arrests have been made so far. The attackers have been characterized as well-off and well-educated,
Starting point is 00:05:16 with some of them having been educated in the UK and Australia. This would fit a long-standing pattern of an educated and relatively prosperous class seeking transcendence through a leadership role in revolutionary violence. But the investigation is still young, and the state of emergency remains in effect. New Zealand's Prime Minister, Jacinda Ardern, has issued a Christchurch Call, inviting other countries to join in restricting the distribution of extremist content through social media. The text of the Christchurch Call is still being finalized, but in outline its goal is to eliminate terrorist and violent extremist content online.
Starting point is 00:05:56 She acknowledges the difficulty of doing so, but thinks the killer who murdered Muslims in their mosque on March 15th did one thing that was unprecedented. He live-streamed the massacre as he was committing it. This is the model of violent extremist content she has in mind. She's enlisted the support of France initially and hopes other countries will join once the Christchurch call is complete. It will be, the Prime Minister says, actionable and not aspirational. Kaspersky Lab has linked the Shadowhammer supply chain attack to the Shadowpad threat actor. The attackers successfully backdoored widely used developer tools. Among the products affected
Starting point is 00:06:36 were online games. These are thought to be the same actors who earlier this year targeted Asus and its software update process, but this time they seem to have moved farther upstream. They're now believed to have meddled with versions of the Microsoft Visual Studio development tool used by various video game companies in developing their wares. The attackers used the corrupted development tool to insert malware into the finished games, backdooring the gamers who purchase and play them. You'd think if it was up on VirusTotal someone would notice, right? Well, not so fast. The CarbonX source code has apparently been there for about two years, and everybody overlooked it until FireEye researchers found it. We thought
Starting point is 00:07:17 this must mean that VirusTotal is like that big government warehouse at the end of Raiders of the Lost Ark, where FDR's administration sends the Ark to reside in perpetual obscurity with an unimaginable quantity of other precious, dangerous, embarrassing, or curious things. But one of our team pointed out that, no, that warehouse was designed to conceal things quietly, not make them available to those who wanted them. He's probably right. So maybe VirusTotal is more like a teenager's bedroom. There's a popular notion that more and more we are heading toward a gig economy, with workers moving from job to job rather than taking on a full-time position with a single organization.
Starting point is 00:07:58 There are opportunities and challenges associated with this sort of approach for both those doing the work and those doing the hiring. challenges associated with this sort of approach for both those doing the work and those doing the hiring. Top Coder is a company that's set out to make it easier and more secure for both sides of that equation, offering a platform that connects and manages gig coders and the people who need them. Michael Morris is CEO at Top Coder. You can still go down and do background checks and do and do background checks and do contracts and NDAs and the same type of, call it paper-based security models that companies use today, that can still be done. But frankly, it's really kind of worth as much as the paper that it's written on in many cases, because you're subject to whatever the human behavior is of the person on the other side of that. But we still can enforce all of those types of requirements.
Starting point is 00:08:47 Like the person has to be a resident of this country. They have to have the past work experience that is X or not Y. They have to agree to certain terms and conditions and sign documents. So all of those things can be tracked. But the things that we feel are more important is really getting down to a granular level of tracking security. And when I say security, I come kind of right now combining together, not only the security of the code or the deliverables that come back, but also the security of the IP that goes out and the IP that comes in.
Starting point is 00:09:30 So you can track security on an extremely granular level. We require that every time an interaction happens, we are tracing back who has access to that data. Where is the data being put? How do I ensure that nobody else can download that data? Who can see it? When anything comes back into us, we do the same type of transactional-based security checks. So whether it's virus scanning, code reviews, we have a minimum of two people look at each piece of code that comes in manually.
Starting point is 00:10:00 So these are actually paid reviewers that will look through code. And to me, it creates a much more secure and robust way of working versus the traditional model of just assembling teams together and having that ad hoc requirement for security. This is just built into the process. Topcoder uses a rating system as well. So a lot of people will think about the gig economy models as this unknown group of people. And in the Topcoder world, that almost couldn't be farther from the truth. So a lot of what we do is in the form of we run a lot of competitions.
Starting point is 00:10:50 So if we're trying to solve something complicated, we have multiple people try to solve it and we pay the ones that do the best job, you know, not only the best one, but we will also pay different places. We do that on the algorithm side. We do that in the coding side. We do that in the creative design side. So it's a way of working in our environment where you can create this competitive, but still collaborative environment for people to work within. So we track everything from somebody's reliability to their performance. We graph it against their peers. We have rating systems. So if you think of like what Major League Baseball does for their players, we do that same type of thing for our community.
Starting point is 00:11:26 But we track them on their accomplishments. You know, when they compete in something or produce something, all of those scores, all of those reviews, all of that data gets inputted into our platform and it shows up in their profile. So these are very much known entities that are in this community and in my opinion it's it's that's the type of thing again we kind of think that the paradigm shift moving to the gig economy it's a misconception to think that these are unknown entities yet they may be
Starting point is 00:12:02 remote and virtual but they're very well known. They're very well represented in terms of what they've done in the past. These are known entities. These are people that have a background and have a track record that you can look at and see. You can see the people
Starting point is 00:12:20 that are working on your projects. That's Michael Morris. He is the CEO at Topcoder. Gray Noise Intelligence, a network traffic mapping shop, has seen an unusual surge in traffic that spoofs major financial institutions. Sure, there's spoofing that goes on all the time, but Gray Noise told CyberScoop that this is really a concentrated wave of spoofing. Why it's being done is unclear,
Starting point is 00:12:46 but there's some speculation that an attempt to embarrass security vendors may be in the works. The U.S. House of Representatives would like Google to explain its Sensor Vault location database. Specifically, they'd like Mountain View to tell them why they collect it and what they do with it, who has access to it, and why they seem to hang on to it for essentially forever. The bosses behind the hands, behind the keyboards, behind the bots didn't much like the Mueller report. Bots took to the internet in large numbers after the report was released last Thursday. Security firm Safeguard Cyber told us in an emailed comment that this is a pattern. The bots and the trolls who go with them tend to remain, as Safeguard put it,
Starting point is 00:13:28 dormant until a particular topic or event aligns with their disinformation campaign. A lot of the bot chatter was Russian, but not all of it. There are, if NBC News is to be believed, also indications that some of the botmasters are in Saudi Arabia. Why their chatter should align with what St. Petersburg is woofing isn't immediately obvious. And finally, the Australian Signals Directorate says that government agencies don't really have to follow its recommended security controls, because those controls, best practices though they may be, might just be too hard to follow. Best practices, though they may be, might just be too hard to follow. ZDNet sniffs that ASD is showing a can't-do attitude,
Starting point is 00:14:11 but it also raises a question worth considering. If a practice is realistically too difficult to be followed, can it be a best practice? Perhaps we need a new category of control, not best practice, but counsel of perfection. Solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:15:02 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:15:17 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:16:08 And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol.
Starting point is 00:16:56 Awais, it's great to have you back. We wanted to talk today about risk assessments, specifically evidence-based risk assessments. What do you have to share with us today? I think the key word here is data, data, and data. The challenge usually is that we have a number of risk assessment frameworks that are out there, lots of best practices and guidelines, but we often do not have very good data sources and information sources on which these risk assessments are based. They are times derived from low-level technical measures that don't necessarily relate to the higher-level business objectives of organizations, or vice versa. They are based on estimates because they're based on expert judgment. And I think the key challenge
Starting point is 00:17:36 here is, how do we actually ensure that we are getting the right type of data to inform risk decision making within organizations and that there is a full traceability of those risk decisions all the way from the data points that we get and their impact on the overall business and effectiveness of the organization. What about situations where a type of business, for example, could be growing very quickly, changing very quickly and be new? And obviously this applies to cybersecurity. There may not be that historical data that you can use to make your risk assessment with. Yes, historical data is just one type of data. The question is, you know, what is it that you need in terms of your organization at a particular point in time in making decisions?
Starting point is 00:18:24 And your example is actually excellent in the sense that you are in a business that is growing. And as you're growing and new people are joining the business, are you simply considering access control mechanisms for those people? But are you also considering that perhaps your HR department is now getting overloaded and they are not able to actually notify in time when people are leaving your organization so that their credentials can be revoked in time and so on and so forth. So the key is understanding where an organization is at a particular point in time,
Starting point is 00:18:56 understanding what the goals are, what are the challenges that it is facing at a particular point in time, and then seeing what data is relevant in terms of making risk decisions. At the moment, a lot of the risk decisions are made on the basis of estimates and probabilities. And that's a good way of doing things. But we can't keep doing it just simply based on estimates and probabilities. We need to better instrument our systems and organizations to get actual data so that we can make decisions that are based on actual evidence of what's happening within an organization and what kind of risks are actually posed. This also takes me on to an example that in some of the studies that we have done, we often see that organizations worry about the risks that don't necessarily
Starting point is 00:19:40 immediately impact them. And the focus always tends to be on very high level risks, on very sophisticated attackers who may want to compromise the organization when actually the biggest risk might come from the low skilled, you know, opportunistic attacker who may just exploit a very simple vulnerability because you're not really considering that those things need to be taken care of. And I think this is really what I mean, that we need to really understand as to where the risks come from and collect much, much better data. In general, there aren't really very good ways, A, to instrument systems at the moment, but also B, actually then taking that into risk decision-making
Starting point is 00:20:19 in an effective way that informs the more senior members of an organization. Now, how much do you suppose it helps to bring someone in from the outside, someone who has no emotional attachment to any of the internal goings on within the organization? Oh, that's a tricky question. It is a tricky question that if I say, no, it's not a good idea, then, you know, I'm basically telling that nobody should invite any consultant ever into an organization. And if I say it is a good idea, then, you know, everybody will invite consultants. I think the fact of the matter is that there is a balance.
Starting point is 00:20:53 People coming from outside can often see things that you can't internally see within an organization because, let's just say, you're too close to the situation. you're too close to the situation and what may seem day-to-day practice or what may be data that you don't think is relevant may be more or less relevant to what you want to do. But that shouldn't be at the expense of what is embedded test and knowledge within the organization. And a lot of work, actually, that we have ourselves and others have done shows that, in fact, so-called day users within an organization, non-security users often tend to have a lot of contextual knowledge. And if you actually speak to them, they can understand us.
Starting point is 00:21:31 They can explain as to where potential risks are arising, but also why do they arise in that particular way? Because it could be that the way the security systems are designed are not designed to fit in with what they need to do to get their job done, for instance. And that's why they end up, for example, at times being bypassed or slightly molded to get what needs to be done. It has to be a balance as to bringing an external perspective versus actually leveraging what is perhaps a major source of information to employees of an organization, because they often understand the context really, really well. And they can actually articulate things that an external person may not know. Professor Awais Rashid, thanks for joining us.
Starting point is 00:22:20 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:23:00 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and
Starting point is 00:23:33 technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Thanks for listening. We'll see you back here tomorrow. Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
