CyberWire Daily - Updates on Triton ICS malware attack. DPRK and WannaCry. Cryptocurrency crime and an alt-coin market correction. Fancy Bear sightings.
Episode Date: December 22, 2017. In today's podcast we hear some updates on the Triton ICS malware campaign. North Korea amplifies its denials of responsibility for WannaCry. Cryptocurrency markets undergo a strong correction. "Blockchain" remains a word to conjure with. Citing a potential risk to national security, Lithuania's government bans Kaspersky software. ESET thinks Fancy Bear is growing more cunning and evasive. Chris Poulin from BAH on the transition to self-driving cars, and the problem with selling fear and uncertainty. Guest is Kim DeCarlis from Gigamon on marketing cyber security. And how does Siri handle various linguistic challenges?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In today's podcast, we hear some updates on the Triton ICS malware campaign. North Korea amplifies its denials of responsibility for WannaCry, cryptocurrency markets undergo a strong correction,
blockchain remains a word to conjure with,
citing a potential risk to national security,
Lithuania's government bans Kaspersky software,
ESET thinks Fancy Bear is growing more cunning and evasive,
and how does Siri handle various linguistic challenges?
I'm Dave Bittner with your CyberWire summary for Friday, December 22, 2017.
The company affected by the attack on industrial control systems,
an attack that has been called Triton or Trisis,
is said to have been in the Middle East, but hasn't generally been named.
But now it's said, according to Foreign Policy, to be Saudi Aramco.
Foreign Policy sources its story to a report it says it has obtained that was prepared
by Area 1 Security.
Circumstantial and preliminary attribution continues to point toward Iran.
Both the attribution and the name of the target remain speculative.
Aramco has denied it was the target of an attack of this kind.
The company said, quote,
Saudi Aramco corporate and plants networks
were not part of any cybersecurity attack or breach, end quote.
The Shamoon attack of 2012, generally attributed to Iran,
did strike Aramco networks.
Triton, of course, is a different matter altogether,
and affected an industrial control system's safety features, which is why Dragos and other security firms
have called Triton a game-changer.
North Korean denials of responsibility for WannaCry have moved
away from the lofty, statesman-like form quoted yesterday and into more familiar rhetorical terrain. The North Korean Foreign Ministry said,
The U.S., a source of all social evils and a state of global cybercrimes, is unreasonably
accusing the DPRK without any forensic evidence.
This cannot be construed otherwise than an expression of its inveterate repugnance toward
the DPRK.
While they can't be troubled to reply to every American grave political provocation,
this one can't be tolerated because it's aimed at
tarnishing the image of a dignified country, in their words.
An article in online magazine Salon more or less agrees with the Supreme Leader's representatives,
seeing the Five-Eyes' attribution of WannaCry
to Pyongyang as resembling other bogus war-scare ruses grounded on thin and ambiguous evidence.
But most observers think the attribution, while inevitably circumstantial to some degree,
will probably hold up.
It's been a long time coming, some six months after officials in the United Kingdom reached
the same conclusion.
It's worth noting that the UK had a particular interest in WannaCry, since its National Health Service was caught off guard and heavily affected by the malware.
It's also worth noting that this is more than historical interest.
WannaCry remains in circulation, still hitting the unprepared and unpatched.
The DPRK is also thought to be taking a particular interest in cryptocurrencies.
South Korean police unsurprisingly see North Korea as a prime suspect
in the Youbit cryptocurrency exchange hack.
Ordinary criminals continue their interest in cryptocurrencies too.
Here there's a lot of installation of miners going on.
In several regions of the world,
Facebook Messenger is reported to be used to phish the miners into victim systems.
Bitcoin and other cryptocurrencies crashed hard this morning, losing up to a third of their valuation.
It's probably not the end of the speculative bubble, but it's at least a sharp correction.
There are more than 100 cryptocurrencies currently trading,
and Gizmodo reports that all but two of the top 100 were down significantly this morning.
Coinbase, one of the more important exchanges,
showed Bitcoin trading at a bit less than $12,000, down from a high of nearly $20,000.
Coinbase itself intermittently suspended trading last night and again today.
It appears that high-volume trading, more than the exchange could readily handle, was responsible,
not hacking or any decision to halt a speculative tumble.
To return to North Korea in this context,
TechCrunch comments that Pyongyang's alleged raids on financial institutions,
and the fears it's aroused with missile and nuclear testing, have amounted to a kind of pump-and-dump scheme for cryptocurrency, and that speculators frightened by threats to conventional financial systems have fled to the alt-coin world, where North Korea seems recently to have turned its attention.
This is interesting, but reports of such wheels-within-wheels should always be treated with cautious skepticism, pending further confirmation.
But blockchain-fueled speculation will continue.
The magazine Computing reports that yesterday the Long Island Iced Tea Corporation, which as you'd imagine makes iced tea,
announced plans to change its name to Long Blockchain and said that while it would continue to sell beverages,
it would also be developing other blockchain-based products and services.
Its share price popped from $2.49 to $9.49,
then stabilized to just below $7.
So hop to it, world, we guess.
What are they drinking in Pyongyang these days?
There's more bad news for Kaspersky Lab. The Lithuanian government has banned the company's products from Lithuanian infrastructure.
A government statement characterized the software as a potential threat to
national security. Reuters says the deputy director of Lithuania's
state cybersecurity agency told the news service that, quote,
information from computers using the
software can leak into countries where we don't want it to end up, end quote. Kaspersky disputes
this assessment, as it has similar assessments by the U.S. government, and is considering its options.
Cybersecurity company ESET has followed up on the threat actor they call Sednit, also known as Strontium, APT28 or Sofacy,
and of course our favorite, Fancy Bear.
Fancy Bear is generally thought to be Russia's military intelligence agency, the GRU.
They're still active and still making heavy use of email phishing,
but their attack tools are now more nuanced, less obvious, more selective.
Fancy had the reputation of being relatively noisy,
at least in comparison with its sibling, the FSB's Cozy Bear. That may be changing.
ESET is based in Bratislava, Slovakia, albeit with major offices elsewhere, especially San Diego.
We mention this because it turns out that Slovak is not one of the languages Apple's Siri AI can
handle, which seems a shame.
After all, it's spoken not only in Bratislava,
but in many places in North America as well.
Pittsburgh, Pennsylvania, Clifton, New Jersey,
Niagara Falls, Ontario, and so on.
So give it a shot, Siri.
Here's something to ponder.
Does or should Siri do idiomatic and rhetorical style
as well as basic language?
Thus, in answering a Californian's question, would Siri begin the answer with the word
So, as in,
Question, Siri, should I take Sepulveda or Van Nuys Boulevard?
Answer,
So, you should take Sepulveda.
Or consider a question one might ask in Pyongyang or Sinanju.
Siri, where can I find radishes?
Answer, Our glorious self-reliance has answered the radish question to the discomfiture of the miscreant
dotard Trump and his reekers. And how would Siri communicate with the shadow brokers? Question,
Siri, we are asking why the people's no-be-buying Equation Group exploits, even in big, big sale?
Answer,
Wealthy elites is finding their bitcoins not worth squat.
Which reminds me, why haven't we been hearing about the brokers lately?
Kind of miss their dialect, if not the brokers themselves.
And I'm pleased to be joined once again by Chris Poulin. He's a principal and director for Booz Allen's Dark Labs,
where they focus on IoT security and machine learning.
Chris, welcome back.
I saw an announcement recently that Waymo has started their fully self-driving car program.
It's taking place in Arizona.
I believe they have 100 cars, and they're geofenced within a 100-square-mile area,
and you basically have to sign your life away to use them.
So there's a lot of restrictions and caveats and all that sort of thing.
But the fact of the matter is those cars are out there, and they're on the road.
It's true.
And, in fact, we're both in the Boston area, and the Seaport has actually been made an area where self-driving cars can actually operate within
the Boston area. So we're starting to see it in many different areas. And I think there'll be a
lot of pilot programs, like you said, geo-fenced, because I think people are still a little bit
wary of autonomous vehicles. That's not surprising. People are resistant to change. I mean,
quite frankly, I have an all-electric vehicle,
and I can't tell you how many people just can't wrap their minds around the fact that there is no place to pump gas into it. And they don't understand how you can drive it as your primary
vehicle because they just don't understand where you get electricity. So, you know, part of it is
sort of this change thing where I think there's going to be some reluctance for people to embrace autonomy.
But once they sort of get used to it in a controlled environment and they're able to understand that it's not as dangerous as they think it is, there will probably be some adoption point where it will go from autonomy being – I think there was a Gartner survey that said 55% of people said they wouldn't even ride in an autonomous vehicle.
And to the point where, you know, they embrace it.
You know, you go have a couple drinks in the seaport and let an autonomous vehicle drive you home instead of calling a Lyft or an Uber or something like that, right?
Yeah, and I've heard historical stories about how people had similar problems with the transition to elevators that had no elevator operators inside. They were afraid of getting in this box by themselves. The doors would close and, you know, they would
surely fall to certain death if there weren't a human being operating the elevator. And we seem
to have gotten over that. Yeah, I think that's so. I actually just wrote an article, as a matter of
fact, and it's posted on Ion's research. And the point of it is that we need to stop selling fear
and uncertainty. And it's kind of a problem in our industry, in the cybersecurity industry a little
bit, because there are people who, it gets attention. But the reality is, if we can stop
saying, if we can stop putting so much fear and uncertainty about how people can hack connected
vehicles, autonomous vehicles, which it's a concern, don't get me wrong, but that's all we
talk about. We don't talk about the benefits. And I don't have the statistics right off the top of my head.
But if we enter into this in a measured way and assess all the risks that we in the cybersecurity
space look at the risks of autonomous vehicles and connected vehicles, and we do the best we
can to make them safe for people and give them the comfort level by having these pilot programs
in different cities, what ends up happening is that we save a ton of money. It's like
in the hundreds of billions of dollars in fuel costs, and that's something like a 90... I'm not even
going to try to guess, I'm going to get it wrong, but there's a huge benefit in safety in
terms of the vehicles are going to make better decisions than people do
anyway, even if they do make a mistake once. And there's where the fear, uncertainty, and doubt
comes in sometimes is that we say, look, an autonomous vehicle made a mistake once. Oh,
my God, let's never get in one again. Whereas there are hundreds of thousands of accidents
every year in the United States alone, and people still persist in jumping into their car. And in
many cases, they shouldn't be behind the wheel. So, you know, once we start looking at it rationally and we can start talking about all the
savings to, you know, cost of fuel and the cost of time it takes to commute, the safety side of the
equation, I'm hoping that everyone will start to understand how much benefit, and it can actually
be so transitional, we can actually get rid of parking garages.
So, again, I think I'm really glad to see that there's a lot of pilots being rolled out,
and I'm looking forward to the day when people do embrace autonomous vehicles.
Chris Poulin, thanks for joining us.
Thank you.
We often focus on technology here at the Cyber Wire, but of course you can have the best technical solution in the world, and if you don't know how to get the word out through sales and
marketing, your chances of success are slim. Our guest today is Kim DeCarlis. She's the Chief
Marketing Officer at Gigamon, a network visibility and
traffic monitoring technology vendor headquartered in California. Messaging in the security space is
definitely a challenge. When I moved into the security space about four years ago, the first
thing I did was go to RSA. And I was overwhelmed by the number of messages and the similarity of messages by companies that did very different things.
buzzword security bingo and tie your security message to business needs and try to rise above the tech terms and really talk about the business need, the outcome that the buyer is trying to
avoid in some cases or the outcome that they're trying to have for their enterprise in other cases
and really connect more on a human
level than on a technology level. Do you think that represents a maturation of the industry?
I mean, I hear people saying that more than ever, companies are talking about these things in terms
of risk rather than technology. I think that's absolutely true. And rule number one in marketing is know your audience. And so if
you're speaking to a CISO, know what they care about. If you're speaking to somebody who actually
works in the security operations center, the SOC, then you're probably going to need to dig down a
little bit more deeply into technology speak. But I think it's really incumbent upon us to be mindful of the
audience. I think the other thing that we're seeing is security and risk are certainly becoming
board level discussions. And that requires another level of thinking and messaging so that board
members and members of the C-suite really understand what the technology is about,
what the risk terms are about, and what they need to do to put their businesses in the best position
to stay away from the constant attacks, or at the very least, to identify and contain
attacks as quickly as they possibly can. So it's different language for different buyers
than, again, Marketing 101. Yeah. And as you put together your marketing team,
how do you strike that balance between, I guess, the necessary technical knowledge,
but also balancing that with the skills of a marketing professional?
Yeah, that's a great question, Dave. And as I've worked here with the team at Gigamon, it's really been on a per position basis. So there are some areas where
it's absolutely required that somebody have a background in security. Those positions are
product management, product marketing, certainly. And on the other side of the equation, analyst relations, you know, I need somebody who's
credible speaking to the various influencers and analysts out there. So those positions require
security background. Other positions like somebody managing the website, somebody doing analytics for
our marketing spend and our campaigns, those positions don't need to be quite as steeped in the technology. So you really have to look at it, you know, position by position
and group by group. You know, as you walk around the floor of the trade show and you see other
people putting their messages out there, are there things that you see that sort of make you shake
your head and you wonder, you know, gosh, if only these people did a better job, are there any
common mistakes that you see people making? As I see messages at trade shows, I think there are a couple of mistakes. One of them is jargon,
using too many TLAs and using the same, as I said earlier, security buzzwords that everybody's using.
One of the things I've tried to do is really speak more humanly, because in a lot of cases,
security starts with people doing things right. And the number of APTs and next generation firewalls and IPSs and WAFs
and UEBA tools that you have isn't going to really matter if you can't really put your people
in a position to be successful.
So I've liked some messages that I've seen that talk about keeping people informed and educated and stopping them from doing natural people things like inserting the USB key that they found,
you know, on a desk to save a file.
Who knows where that could have been?
But it's really taking the message up to something much more relatable that I think can be a difference maker.
You're running a team there at a large company, certainly Gigamon, hundreds of employees and a lot of success there.
Do you have advice for that person who's just starting off in their basement or their garage, who's trying to figure out how they're going to get the message out?
I think the most important thing that any marketer can do is spend time in a customer-facing position.
I personally started my career in sales.
And at the end of the day, what you're trying to do with your marketing messages
and with great products such as those that we have here at Gigamon is solve a customer problem.
So anybody that really is wondering about how to get a
message out needs to spend a lot of time out in market. And I think a great first job is something
where you're in customer support, you're in inside sales. I personally started in an outside sales
quota carrying role because at the end of the day, everything you do is about solving a
customer need better than somebody else can. And maintaining that foundational focus on the
customer is critical. That's Kim DeCarlis. She's the Chief Marketing Officer at Gigamon.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.