CyberWire Daily - State-sponsored ransomware campaigns coming? DarkHydrus and Phishery. Hitting ATMs for alt-coin. US sanctions Russia. IBM looks at artificially intelligent malware. Black Hat notes.
Episode Date: August 9, 2018
In today's podcast we hear that Tehran seems ready to follow Pyongyang into state-sponsored theft to redress financial shortfalls: cryptocurrency ransomware looks like Iran's preferred approach. DarkHydrus uses commodity tool Phishery in Middle Eastern campaign. Jackpotting cryptocurrency ATMs. The US imposes sanctions on Russia. Reality Winner's sentencing date announced. IBM looks at artificially intelligent malware. The mob's role in the cyber black market. What's the bigger gaming threat, sideloading apps or the Fortnite dance? We're asking for a friend. Awais Rashid from Bristol University on issues with software warranties. Guest is Cheryl Biswas from the Diana Initiative, a conference in Las Vegas celebrating diversity, women in security, and how to pursue a career in information security and technology. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
We'll be right back.
cyber black market, according to Oxford? And what's the bigger gaming threat, sideloading apps or the Fortnite dance? We're asking for a friend.
From the Black Hat Conference in sunny Las Vegas, where if you can't stand the heat,
get out of the desert, I'm Dave Bittner with your CyberWire summary for Thursday, August 9th, 2018.
As sanctions reimposed in response to its nuclear program begin to bite,
Iran seems poised to follow the trail North Korea blazed in cyberspace,
state-directed hacking that aims at direct theft to redress economic pain.
Accenture researchers have been tracking ransomware strains,
many of them requiring payment in Bitcoin or other cryptocurrencies,
and they've concluded that they represent an incipient Iranian campaign against targets of opportunity that offer the prospect of quick financial gain.
Tehran's state-directed hackers have a reputation as being relatively less sophisticated than those run by Russia and China, and indeed those run by major Western powers, the Five Eyes and their closest friends,
but they also have a reputation as determined, fast learners.
Palo Alto Network's Unit 42 describes a phishing campaign by unattributed threat actor Dark Hydrus
that's prospecting Middle Eastern governments.
Unit 42 has observed them using the open-source tool Phishery in a credential harvesting campaign directed against
a university. A ZDNet report on one aspect of the criminal-to-criminal market suggests that
one particular commodity is especially lucrative. Malware designed to steal cryptocurrency from ATMs that deal in the altcoins
is pricey. It commands fees as high as $25,000 a pop, which suggests that the black market is
betting on a continuing growth in popularity for cryptocurrencies.
In a move applauded in the UK, the US has announced imposition of very heavy sanctions against Russia
over Moscow's nerve agent attack in Salisbury, England.
Other sanctions for Russian misbehavior in cyberspace have also been imposed.
The Washington Post sniffs that these cyber attack sanctions are toothless,
but the measures the US is taking in response to the Novichok attack appear to be severe
and have been recognized as such by the Russian government.
The Kremlin swiftly denounced the Novichok sanctions as not only illegal but unfriendly.
Reality Winner, the ex-U.S. Air Force ex-NSA ex-contractor who pled guilty to charges
connected with leaking classified information to The Intercept,
will be sentenced on August 23rd.
Ms. Winner was caught when the outlet she offered the document, The Intercept,
sought to confirm its authenticity with the U.S. government.
U.S. counterintelligence officers were able to use dots on the printed copy to identify the specific printer on which the document had been run.
From there, it was possible to narrow the list of potential suspects
to a small number of users of that particular printer,
and then the access and printing were swiftly traced to Ms. Winner's account.
IBM is describing their work on DeepLocker
and what it has to say about potential exploitation of artificial intelligence
by criminals and other threat actors.
Among the more interesting implications of their work are conclusions about AI's utility in attack.
It shows considerable promise in making malware more evasive. As so often happens with evasive
malware, this approach lets the attack remain quiet until it confirms it's in the right environment,
not just outside a sandbox, but in the enterprise it was intended to target.
Not only does it make attack code better at detecting and evading
such useful security techniques as sandboxing,
but according to IBM, it can make reverse engineering malware impossible.
A presentation of results obtained by the University of Oxford's
Human Cybercriminal Project took a look at the place of the mafia in the cybercriminal ecosystem.
The mob is there, but it's not dominant.
What the mob does know, and what it contributes to the cyber underworld,
is expertise in money laundering.
Black Hat, DEFCON, and B-Sides aren't the only games in town this week in Las Vegas.
There's a tower suite at Caesars Palace that's filled to capacity with a diverse group of people who've come together to celebrate an event they call the Diana Initiative.
Cheryl Biswas is one of the co-founders of the Diana Initiative, and she shares their story.
We started out of an event that was before this. Last year, we reformed as the Diana Initiative,
and our mandate was to support and encourage diversity
and women in security and technology.
The name Diana Initiative came because we had all seen
the Wonder Woman movie, and we were really mobilized.
We loved the concept of a kick-ass heroine,
because that is how we felt trying to pull this together.
And we realized there were a lot of other famous Dianas
who represented strength, creativity,
all of the things that we embody here,
that sense of empowerment.
So give me a sense of what's going on here.
You've got multiple rooms,
you've got multiple events and speakers.
What's the program here?
So the program is about, first and foremost,
giving people the opportunity to connect and have conversations
and get to know each other, to nurture and grow relationships
where they can hopefully build their careers off of. We're offering two speaking
tracks this year. Last year we had one. There was such a demand. People wanted to show what they
know. We brought on a technical track. So we're featuring technical as well as non-technical
tracks. And we have got an amazing roster of speakers. These are people who have spoken at
Black Hat, at DEF CON, at B-Sides. And as well, we're encouraging first-timers,
because it's a smaller, more intimate gathering, so they feel safer.
They get the opportunity to present.
In addition to that, we had a huge success with our Lock Pick workshop from last year.
So we're featuring that again, and it's another chill space
where people learn really cool things.
And they have offered a lock repinning
workshop this year, which is just in, it was a signup event, but it's a very cool thing to learn.
We're featuring a resume and careers workshop for both days, where you can actually sit down
and talk to somebody about what you'd like to do, to do a mock interview perhaps, to get your resume assessed and reviewed.
And we want people to have the opportunity to go into a career that they love,
that they may have not even realized, but to give them that leg up.
And in addition to that, we're going to have a couple of social events.
On Thursday night tonight, we're going to have a mixer,
and it's going to be our quiet
party. Games, trivia contests, it's a lot of fun. And again, it brings people together in a quieter,
safe, welcoming space. Tomorrow night's Friday. That's our loud party. So that pretty much sums
it up there. Now, you've mentioned a couple times the importance of having a safe space.
And it's something I hear, particularly when I talk to women about the conventions, is that they're not always safe. They're not always
welcoming. So can you describe to me the importance of providing this place off to the side where
people can be themselves and ask questions, learn things? Yes, definitely. For us, we wanted to
offer an oasis. That's how it felt to us. That's how it has felt to our attendees.
You can come here.
You can hear yourself think.
You know that people are going to be respectful.
You're recognized.
You're welcomed.
Because it is overwhelming to have 20,000 people circulating.
I mean, I love it, but even I can find that overwhelming.
So up here, you are in a space where you get to have the benefit of a learning environment
and a con feel without an overwhelming number of people to contend with.
And we really are about our code of conduct.
It's about respect, and it's about safety.
If we understand the rules of play here, all of us benefit.
And we have been very careful to communicate that and make that available to all of our con goers. And what's the reaction
been from the larger community as a whole, the InfoSec community, the cybersecurity community?
Are they supporting your efforts? We are so overwhelmed and grateful. Yes,
the support has been amazing.
People really want us to be here.
They love what we're offering.
They're showing their support in all manner of ways. We've had people come and give everything that you could think of.
We have manpower and womenpower and supplies and just contributing to the cost of running an event.
We couldn't do it without them.
Yes, we are so grateful. The support's overwhelming. We are an incredible and extraordinary community.
We are focused on learning. So mentoring each other, nurturing each other and growing each
other up is a big part of why we get together at these kinds of events. Any opportunity we have to
support each other at this level is
going to pay massive dividends. We all benefit from it, and I just really want to say thank you
to everybody who's made this possible. That's Cheryl Biswas from the Diana Initiative.
We were with Cisco's Talos Group yesterday, enjoying a midday recording of their Beers
with Talos podcast. The recording from that session will be available shortly,
but we'll share one observation from the Talos panel of experts.
One of them deplored the move of the popular game Fortnite to Android,
on the grounds that it was inculcating poor security habits in the children at whom it's pitched,
habituating them to downloading apps impulsively and in an insecure fashion.
He asked if it wouldn't be possible to do better, a call for security acculturation by design.
Two quick preliminary comments.
We're not entirely sure Fortnite is pitched entirely at the children,
although the middle school demographic appears to be an important one for Epic Games.
The fact that variations of the Fortnite dance were so popular during World Cup scoring celebrations
suggests that people old enough to know better
are spending a lot of quality time
with the soldiers, outlanders, ninjas,
constructors, and commandos.
And second, what about the possibility
of aesthetic offense offered by that nutcracker skin?
We mean, what self-respecting character
would want to be dressed like that?
Right, Jonesy?
You hear me, Banshee?
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Professor Awais Rashid.
He's a professor of cybersecurity at University of Bristol.
Awais, welcome back.
We wanted to touch today on software warranties.
What do you have to share with us today?
Well, software is all around us.
It has a lot of good uses, but we're also aware of the potential vulnerabilities that exist in software.
And we often fairly regularly hear about different types of vulnerabilities.
And one question that is often raised is that perhaps liability will change the game and vendors and developers need to be held more to account.
And the thing that I want to discuss was whether actually warranties are a way for developers to
limit the consequences they may have to deal with. Are the ways we currently use warranties
really always aligned with the goal of secure software?
That's an interesting notion.
So a warranty, for example, outlining what is and isn't precisely covered.
Yes, and I think that's where the question is.
Where do you draw the line?
Because normally warranties are intended to protect consumers.
They often then
end up indirectly opening up consumers to a wide variety of issues because they're often used as a
way to limit the developer's liability. So there is this kind of really complicated balance that
needs to be drawn as to how do you punish the bad without, for example, stifling creativity
and stimulating the good.
And I'll use one particular example that, you know, with the rise of app stores and actually
even Internet of Things, you know, people are being encouraged and people do write their own
applications for mobile phones or IoT, and they deploy them to potentially millions of people
around the world, certainly through some of the major app stores.
So the question is, you know, to what extent does liability apply to those developers?
What kind of warranties should they be providing with their software?
Are they, for example, leaving themselves open to liability?
Do consumers actually get any real protection by specifying particular types of warranties in this context?
Do you suppose, I mean, when I think about something, for example, like Apple's App Store,
is there an implied warranty there that that app has been through a certain level of rigorous review before it's allowed to be distributed?
So it's an interesting question that, yes, there might be an implied warranty.
I'm, of course, not a lawyer, so I have to be careful as to what I state here.
Sure.
But I think the question then is where do you draw the line. So, for example, if your game app crashes and you lose a lot of credits that you've
built in the game, including some for which you may have paid a lot of money, okay, should it be covered by the warranty?
Or does the warranty only apply when an app is used in a critical setting?
And I'm sure if you went and looked at some of the license clauses that come with some of the apps, they would very specifically leave out any kind of liability arising from
any loss of data or loss of economic value in that sense.
And we also see all sorts of other license clauses, and that's not specifically about the
Apple App Store, you know, which, for example, prohibit benchmarking. So, you know, you can't
really see how well an application performs against other applications, or complicated uninstall procedures, which make it very,
very hard for the users to uninstall applications themselves.
So it's a really complicated landscape.
And I think that's where the question lies.
As increasingly software plays a central role in the fabric of our digital society, it's
not a question that we
are going to completely ever get away from, because every time there is a major breach,
the question does come up as to what should be the responsibility of the vendor and the developer,
who is liable, what kind of warranties should be provided, and what is reasonable expectation on
part of the user. And I think it is something that requires a longer and more detailed debate and consideration.
All right. Professor Awais Rashid, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
company safe and compliant. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow. Thank you.
into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.