CyberWire Daily - The CyberWire - 2.16.2016 - Daily cyber security news brief.
Episode Date: February 16, 2016
Ukraine grid hack investigation. Malware descriptions: Fysbis, Corkow. Ransomware news. UK police vs. Crackas.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
and phone calls, a look at the Fysbis Linux malware used by the Russian APT28 espionage group,
it's not fancy, but it does the job. Researchers trace North Korean cyber operations,
and South Korea upgrades its state of cyber alert. Bad news and good news on ransomware,
Crackas and dot-govs react with both alarm and braggadocio to last week's arrest.
French police collar an alleged bomb threat specialist.
And we hear from University of Maryland expert Jonathan Katz,
who explains the underlying technology behind Bitcoin.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 16, 2016.
Ukraine continues its investigation into December's attack on segments of its power grid.
That attack is now said to have been months in preparation,
with reconnaissance beginning about six months prior to the attack itself.
The latest statements from Ukrainian officials offer more evidence of a Russian connection.
The attackers used a Russian ISP and made phone calls from within Russia, but they stopped short of attributing the attack to the Russian government. Evidence for any such attribution remains largely circumstantial,
but the Russian government remains a prime suspect in the incident. Investigators continue
to focus on BlackEnergy and think the attack itself was probably accomplished using compromised
credentials.
Palo Alto looks at Fysbis, Linux malware widely used by the Sofacy group,
also known as APT28 or Sednit,
and, as Palo Alto primly notes, a cyber espionage group believed to have ties to Russia.
While relatively unsophisticated, Fysbis is thought to retain its usefulness in part because of relatively underdeveloped awareness of Linux malware, and because many of its targets are business enterprises focused on Windows.
Tensions increase on the Korean peninsula as North Korea undergoes a protracted period of assertiveness and nuclear saber-rattling.
The Republic of Korea expects cyberattacks from the DPRK and moves to a higher state of cyber alert.
Kaspersky and AlienVault lend some credence to South Korean concerns.
Researchers with the two companies describe the continued activity of apparent North Korean
threat groups who participated in the cyber looting of Sony in 2014.
They trace the attackers through a long string of exploits, ranging from DarkSeoul to the
word-processing malware Hangman. As is increasingly the case nowadays, the researchers stop short of saying
the Norks did it, but it's fairly clear where suspicion points. Other companies, notably FireEye,
have attributed many of the incidents to the North Korean government.
ESET has described the Corkow malware used in criminal manipulation of Energobank's currency trading platform.
Unlike such retail banking trojans as the better-known Hesperbot,
Corkow targets banks as opposed to their customers, and so has received less popular attention.
ESET does, however, regard Corkow as both evasive and capable.
What's less clear is how its controllers monetize their attack.
They don't appear to have profited directly from the attack,
which leads ESET to speculate that the criminals either traded in the futures market,
set up some third party for profitable trading,
or were simply engaging in a trial run.
The Hollywood Presbyterian Hospital, a large Los Angeles medical center,
struggles to recover from an unusually tough-to-remediate ransomware attack.
Here, the price of recovery the criminals are asking is higher than most enterprises would be willing to pay, $3.6 million.
Hollywood Presbyterian isn't the only medical center hit by ransomware.
Last week, the Lukas Hospital in Neuss, Germany, was the victim of TeslaCrypt.
There was some good news over the weekend on the ransomware front.
Security firm Emsisoft has succeeded in decrypting HydraCrypt and UmbraCrypt. So, well done to Fabian
Wosar and his crew. The arrest of an alleged Cracka with Attitude by police in the UK last
week has prompted both heebie-jeebies and gasconade from other Crackas and, unsurprisingly, dot-govs.
They're chatting with their media contacts at Motherboard, saying such things as,
"We are worried. I think I'll get raided before this month is up."
And, "Our campaign will only intensify now."
And, "If we find out who snitched Cracka out, we'll be coming after him or her."
So there, snitches. Take that.
The teen arrested in the Midlands Cracka sweep remains appropriately nameless. So does a teen arrested last week in France.
Identified only as Vincent L., this 18-year-old studies at Ellusé in Dijon. He was also administrator of the Darkness SU XMPP service.
His arrest came in connection with bomb threats issued over about a week at the end of January
and beginning of February. The threats were hired crime, offered for sale by Evacuation Squad.
Vincent is out on bail, but will apparently be charged with failure to give the authorities
his encryption keys. Evacuation Squad's declared motives were plausibly adolescent,
especially the second and third, hatred of the American government, hatred of authority,
and a love of chaos.
They charged between $5 for threatening a school to $50 for disrupting a major sports
event.
Framing someone for a bomb threat, a particularly chilling service, was offered for $5.
All of this could be paid in Bitcoin.
No other currency was acceptable.
How Bitcoin actually works is worth some attention.
We caught up with the University of Maryland's Jonathan Katz, and we'll hear from him after the break.
But here's some news you can use should you travel to France in pursuit of a life of anonymous
cybercrime. Failure to render your encryption keys to police who require them in the course
of investigation can earn you up to five years in prison. But of course, this isn't legal advice.
Skids, do consult your attorney.
I'm joined by Jonathan Katz, professor of computer science at the University of Maryland.
He's also the director of the Maryland Cybersecurity Center.
They're one of our academic and research partners.
Jonathan, Bitcoin is always all over the news when it comes to all things cyber. It is the way that people exchange funds anonymously.
Just give us an overview of how Bitcoin works.
So just to give a high-level overview, there are obviously a lot of technical
details involved, but there are two key components, I think. The first of those is how Bitcoins are
created. And that's done by having miners run a cryptographic algorithm on their computers.
And what they're doing is essentially looking for solutions to a moderately hard cryptographic problem
that they expect to solve at predetermined time periods.
So that prevents people from just mining an infinite amount of Bitcoins
or from mining all the Bitcoins in existence
and releases or ensures that Bitcoins are created at some fixed rate.
The second key component is the idea of the blockchain.
And again, at a very high level,
this is a distributed mechanism
that people running the Bitcoin protocol will use
to guarantee some kind of consistent view
of the transactions going on in the system.
So every time one person sends a Bitcoin to somebody else,
they will tell the other people participating in the protocol
about that transaction, and then they'll all run this distributed protocol involving the blockchain to make sure that
everybody agrees that indeed this person sent some amount of Bitcoin to somebody else.
What's the mechanism for converting a Bitcoin into cash?
Well, some people would argue that Bitcoin is as good as cash, because if you can spend it, then it's just like cash. But if you did want to take
your Bitcoin and then convert them to US dollars, there are online exchanges that will allow you to do that. Bitcoin is
really interesting because it kind of came up out of nowhere. It certainly
didn't come, as far as we know, from any academic institution, and it was
developed by somebody anonymously who just floated the idea out there, and then
all of a sudden it was adopted. And so part of what makes that interesting is
that nobody really has a good understanding
of the security that the Bitcoin protocol provides.
There was no analysis really in that paper, no formal analysis certainly.
And as far as we know, there may be flaws in the protocol that haven't yet been found.
So one thing we're trying to do at the University of Maryland is come up with formal models
of what security properties you might want from a protocol like this and then trying to determine whether the Bitcoin protocol actually satisfies them.
And on that note, I'll mention that you led off with your first question saying that Bitcoin
is anonymous, and that's actually not true.
It's a misperception.
Bitcoin provides anonymity to the extent that it doesn't release your name when you're spending
a Bitcoin, but there are, in fact, ways that you can trace Bitcoin transactions.
And one of the other directions of research that we're looking at
is trying to come up with extensions of Bitcoin,
generalizations of Bitcoin, next-generation versions of Bitcoin
that might provide stronger guarantees like anonymity, true anonymity,
or other things that you might want to improve about the Bitcoin protocol itself.
All right, so buyer beware.
Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.