CyberWire Daily - When BGP hijacking isn’t hijacking at all. The White Company’s Operation Shaheen. SWAuTistic pleads guilty. NPPD will become CISA.
Episode Date: November 14, 2018

In today's podcast, we hear that Monday's BGP hijacking wasn't hijacking at all, but rather a fumbled upgrade in an ISP. The White Company's Operation Shaheen is a nation-state espionage campaign directed against Pakistan's military. Sleazy gamer and hacker SWAuTistic pleads guilty to Wichita swatting charges, and to bomb threats just about everywhere else. And the NPPD will soon become CISA, and the lead US civilian cybersecurity agency. Emily Wilson from Terbium Labs on their recent Truth About Dark Web Pricing white paper. Guest is Gregory Garrett from BDO on their telecommunications risk report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_14.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Monday's BGP hijacking wasn't hijacking at all, but rather a fumbled upgrade in an ISP. The White Company's Operation Shaheen is a nation-state espionage campaign directed against Pakistan's military. Sleazy gamer and hacker SWAuTistic pleads guilty to Wichita swatting charges and to bomb threats just about everywhere else. And the NPPD will soon become CISA and the lead U.S. civilian cybersecurity agency.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 14, 2018.
We've seen some jitters recently over the prospect of Border Gateway Protocol, that's BGP, hijacking. The concern is that it could reroute traffic through nodes where it might be subjected to sniffing and inspection, in short, subjected to the administrations of an intelligence service. There was a BGP leak Monday that for a bit more than an hour routed traffic through China and, to a lesser extent, through Russia and Nigeria. As SecurityWeek summarized the incident, traffic from Google Search, G Suite and Google Cloud services was directed through TransTelecom in Russia, Nigerian ISP MainOne and China Telecom. The unusual routing was reported by the network monitoring company ThousandEyes, which said the incident had little effect on consumer ISPs, but was very much noticed by business-grade service providers. For those users, it amounted to a denial of service condition, rendering their access to the affected Google services difficult, if not impossible.
The incident aroused suspicions immediately. Traffic unexpectedly transiting China and Russia raises red flags of espionage warning. But in this case, it appears nothing of the kind was afoot. The incident now appears to have been the result of an error and not a malicious campaign. A misconfiguration in a Nigerian ISP seems to have caused the rerouting. As Wired puts it, the traffic wasn't hijacked, but it was out of control. Yesterday, the Nigerian ISP MainOne copped to being the one to cause the problem. Quote, this was an error during a planned network upgrade due to a misconfiguration on our BGP filters, end quote. They added that they were able to fix the error within 74 minutes.
There are a few familiar lessons worth drawing from the episode. First, the tightly connected nature of the Internet can be a source of weakness as well as robustness. Second, failure to follow best practices can have severe and cascading effects. And finally, not everything that looks like an attack is an attack, so reticence about attribution is sound policy.
Security firm Cylance is describing a nation-state espionage campaign. It's unusually sophisticated, prepped, staged, evasive, and quiet, and it's targeting Pakistan's military, especially the Air Force. Cylance researchers call the campaign Operation Shaheen, after the Shaheen falcon that serves as the emblem and mascot of Pakistan's Air Force. They call the threat actor the White Company, because of the degree of care it takes to cover, to whitewash, its activities. Cylance evaluates the White Company as a nation-state actor, but with customary reticence, they don't say which nation-state that might be.
Global accounting firm BDO recently released their 2018 Telecommunications Risk Factor Survey, and the results had some surprising revelations when it came to cybersecurity. Gregory Garrett is head of the U.S. and International Cybersecurity Practice for BDO.
Well, I think it's more of what wasn't said than what was said.
Candidly, what we expected was to see cybersecurity reflected as a significant risk factor in the assessments from the various companies that we surveyed. But rather, what we saw was what we'd call the typical factors in the industry, things like exchange rates, increased competition, growing interest rates, new technologies, and access to finance. Cybersecurity didn't even show up in the top five.
And so kind of reading the tea leaves there, I mean, what do you think that points to?
Prompted, I'll say, a number of discussions amongst our colleagues. And I'll say I've had to reflect on a lot of industry conversations I've had. And so what I've concluded is there's really two,
I'll say, groups of telecoms and how they look at cybersecurity in today's environment.
One is the very sophisticated players who have made significant investments in enhancing their
cybersecurity over the past couple of years
from monitoring, detection and response services, multi-factor authentication, layered defenses,
the use of artificial intelligence in their monitoring, you know, the kinds of things
that you would expect that a world-class company would do in this space that could potentially
have significant attacks.
Then there's the others.
And unfortunately, I've chatted with more than a few that, because of the increased competition, the increased exchange rates and effects on their industries, I've seen just the opposite with a significant number of telecom companies, where they've actually significantly under-invested in cybersecurity. You know, they're doing minimal monitoring, not even on a 24 by 7 basis. They have not made the investments that you would expect big carrier-class networks and Internet service providers to provide, from multi-factor authentication to even the level of education and training of their employees.
ask is when I'm talking with senior executives is what percentage of their overall IT spend are they spending specifically on information security? Over the years, I've seen this evolve, and it does vary by industry sector, with, for example, financial services and healthcare industries at a much higher end than, I'll say, the average retail company. But typically I've found that telecommunications are usually in the 3% to 5% range of their overall IT budget. And what I've found sort of alarming is there's two groups. There's the group that invests at 5% and higher, and then there's the group that invests at 1% or lower. And there's actually very few of the major carrier-class companies that are operating in the 3% to 5% sort of typical range.
I don't know. It strikes me as being short-sighted, certainly.
But I can't help thinking it's a pay-me-now-or-pay-me-later kind of situation.
Well, it absolutely is.
And unfortunately, Dave, I wish I could say this is the only industry where I've seen that behavior,
but it's really not.
I've seen it in financial institutions.
I've also seen it in health care.
I've seen it in critical infrastructure
where you have the, what I'll call the world-class companies really making significant investments
and really amping up their cyber defenses in a very significant and meaningful kind of way.
And then you've got the mid-tier companies, and we're seeing a lot of them that are significantly underinvested in cybersecurity across all the different industries.
And many of them, they're looking to maximize profitability.
This is a cost. This is an investment.
If they haven't experienced a significant breach, then they're only doing what they have to minimally do to be compliant with regulatory standards and just hoping and praying that a big attack doesn't affect them.
That's Gregory Garrett from BDO.
The report is the 2018 Telecommunications Risk Factor Survey.
You can find that on the BDO website.
Tyler Barriss pled guilty to federal charges related to his involvement in a Kansas man's swatting death last year. The U.S. Department of Justice says Mr. Barriss acknowledged guilt on one count each of making a false report resulting in a death, of cyberstalking, and of conspiracy. It's believed he'll receive at least 20 years in prison. Mr. Barriss, who went by the hacker name SWAuTistic, was an unusually active participant in swatting and other dangerous capers, bomb threats, and so on. The three counts mentioned above are just the ones he was involved with that had their sad outcome in Wichita, Kansas. He also copped guilty pleas for hoax bomb threats to FBI and FCC headquarters,
the latter because he was a fan of net neutrality and because the obvious way to put your policy views before the government is by telling people there's a bomb at a government office. In the Central District of California, his home state, he was unusually active and faced 46 counts that included, the Department of Justice said, making calls with false reports that bombs were planted at high
Department of Justice said, making calls with false reports that bombs were planted at high He made the calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts,
Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida, and Canada.
End quote.
The crimes to which Mr. Barriss admitted are deeply repellent. He got a completely uninvolved man killed just for the lulz and to put some other gamers in their place. Many have remarked not only on his striking lack of insight into the consequences of his actions, but also on his striking lack of remorse. He continued woofing online while in jail, awaiting his day in court, taking advantage of some technical loophole he'd discovered to get Internet access from within the facility.
Mr. Barriss is 25, which makes him the graybeard of the trio charged in connection with the Wichita swatting. The other two Call of Duty gamers who had a falling out are Jason Viner, 18, of North College Hill, Ohio, and Shane Gaskill, 20, of Wichita, Kansas. Those two are still awaiting trial. They're involved because Mr. Viner asked Mr. Barriss to swat Mr. Gaskill, and Mr. Barriss sent the SWAT team to Mr. Gaskill's former address, since occupied by the late and innocent Andrew Finch.
We mention this case not because cases of accidental negligent death are so rare as to be noteworthy. Alas, while they're not commonplace, they're not unheard of either. Rather, this case merits attention because of the way it illustrates the strained disinhibition that seems to lie beneath so much misconduct in cyberspace.

And finally, to turn from sordid skid crime to something more pleasant, to the gratification of the U.S. Department of Homeland Security, Congress has passed legislation to re-establish the Department's National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency, the CISA. Once the president signs the bill, CISA will become the lead U.S. civilian cybersecurity
agency.
And I'm pleased to be joined once again by Emily Wilson. She is the Fraud Intelligence Manager at Terbium Labs. Emily, welcome back. Over at Terbium, you all released a white paper recently, and it's titled The Truth About Dark Web Pricing. Let's walk through this. So what prompted you all to create this report?
Originally, it started off as a project to do a meta-analysis of the pricing reports about the
dark web available in the security industry, right?
Every so often, a security company will put out a report
which will include some pricing information about dark web goods and services,
and we were curious to see what we could gather from that information
doing a meta-analysis of those prices over time.
And it quickly turned into a slightly different project
because we discovered that the data was really very inconsistent
and the prices were anecdotal at best.
There was not a lot of methodology.
And so it turned into what we have here, which is a white paper addressing some of the issues the industry is facing.
And honestly, the industry is creating for itself by having less than rigorous standards in talking about dark web pricing.
Let's explore that some.
I mean, the title of it is The Truth About Dark Web Pricing, which is a bit provocative.
It indicates that maybe we haven't had the truth up to this point?
I don't think we've had the truth, or rather, I don't think we've gotten past a very surface
level conversation, right?
The things that we do see are, here's how cheap your Social Security number is, or here's how, and I won't name names, but there was a particular report that came out where the prices, you know, is the cost of your identity on the dark web, and the prices were vastly overstated. Something like a bank account costs five hundred dollars. It costs a tenth of that price, right? And so we get these headlines, we get these one-off stories.
And instead of using those to have a bigger conversation about the well-developed fraud
economy or the way that goods and services change over time, or even what drives value,
what drives these prices on the dark web, and does it matter how much something is different
from one market to another? We just get stuck on that first thing and we never really get to the truth of it
because we're too caught up in the flash and the sexy headlines.
Is this a case of someone who has something to sell you,
trying to scare you into thinking that something's more valuable than it actually is?
Sure. Fear is a very effective tactic.
There's a reason that so many vendors in the security industry rely on selling you fear. You create a problem and then you invent a solution for it and
you make everyone feel better because you'll keep them safe. We really need to move beyond that,
right? We know that data can't be fully secured. We know that there's going to be a data compromise.
We know that systems are going to come under attack and we need to start there.
And so in that same way, as we've matured that view of what the security industry needs to look like and how it needs to help supply solutions, we need to move beyond this very basic, you know, look at this bright and shiny headline of a price without context or information or discussion of what the potential fallouts are, that it's so easy to buy infant socials or credit reports or W-2s or Facebook accounts on the dark web.

So what is the truth about dark web pricing? What's the take-home from it?

The truth about dark web pricing is we don't have a good sense of it yet, and that's a problem, right? In the white paper, we propose that we need to develop a shared taxonomy to begin to look at these things more consistently, right? If you have 30 descriptions of a credit card across a bunch of different reports, how many of those are actually different from one another?
cards for us to look at that are being sold on the dark web. There might be six, you know,
how many variables matter. We know that freshness and validity drive dark web pricing. That makes sense. Something that's newer that you can cash out more easily. Those are important. But what
about the difference in pricing between a business credit card versus a platinum credit card, right?
How do we think about the valuation between prepaid cards and gift cards? How do we measure price fluctuations throughout the year?
When is it that the W-2s start to come on the market and how long after tax season are they still available?
We're not as an industry gathering enough data and we're not looking at this in a consistent enough way that we can actually tell those stories yet.
It's a difficult problem. Collecting on the dark web is hard. It changes very quickly. There's a lot of nuance. And it's going to take a full industry lift to actually look at this. And that's what we're proposing.

All right. Well, the white paper is titled The Truth About Dark Web Pricing. It's over on the Terbium Labs website. Emily Wilson, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.