CyberWire Daily - Who's behind the Android malware infestations? Mirai and Erebus updates. Industry notes. Brussels takes the pro-crypto side in the crypto wars. CrashOverride as a weapon. IG report on NSA insider threat management.

Episode Date: June 20, 2017

In today's podcast, we hear that some believe they've seen the Professor Moriarty behind 2017's Android malware outbreak. Erebus is back, and this time it's in Linux. Mirai may be about to become more resistant to cleaning. Crypto wars flare in the UK and EU as terror investigations proceed. A quick look at SINET's Innovation Summit. Raytheon's DHS cyber contract survives challenge. CrashOverride looks to a lot of experts like a proven cyber weapon. Ben Yelin from UMD CHHS discusses a "right to know" privacy law. Perspectives on attribution from John Brick of the DNG-ISAC. And did the dog eat the Fort's homework, or did some Bear feed said homework to the dog?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Some believe they've seen the Professor Moriarty behind 2017's Android malware outbreak. Erebus is back, and this time it's in Linux. Mirai may be about to become more resistant to cleaning. Crypto wars flare in the UK and EU as terror investigations proceed. A quick look at SINET's Innovation Summit. Raytheon's DHS cyber contract survives
Starting point is 00:02:17 a challenge. CrashOverride looks to a lot of experts like a proven cyber weapon. And did the dog eat the Fort's homework, or did some Bear feed said homework to the dog? I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, June 20th, 2017. If you've been wondering about the recent increase of malware infestations in Google's Play Store, there may be a single hacker behind much of it. Bleeping Computer is tracking someone whose nom de hack is Maza-In in various underground fora. He or she seems to be the one who both created and shared the code for BankBot and MazarBot, unusually evasive and irritating bits of malicious code that have been taken up and used by other hoods.
Starting point is 00:03:07 Maza-In appears to be engaged in a bit of dark web boasting, which suggests that he or she is off his or her OPSEC game. Trend Micro says Erebus has resurfaced in the form of Linux ransomware. The initial infestation is in South Korea. Erebus had been known for two things: going after Windows systems, and not restoring files upon payment of ransom. The first feature has changed, as Linux systems are now in the crosshairs. The second? Probably not. Back up your files.
Starting point is 00:03:41 Mirai is back in the news, in a way. Security firm Pen Test Partners has found a vulnerability in widely used DVRs that could be exploited to permit a Mirai infection to survive a reboot. In industry news, with contract award protests over, Raytheon will keep its billion-dollar contract to provide cybersecurity services and solutions to the U.S. Department of Homeland Security. The company sees the win as helping it not just domestically, but internationally as well. We're at SINET's Innovation Summit in New York today. We'll have a full report of the proceedings tomorrow, but we will say for now that there's much attention being given to emerging standards of care,
Starting point is 00:04:20 particularly with respect to the Internet of Things and GDPR implementation. French police begin rolling up the networks of a jihadist killer in Paris. In the UK, no such network has so far been discerned in the case of the killer who attacked Muslims leaving their Ramadan place of worship. Such attacks have sharpened the crypto wars in the UK, with Her Majesty's government calling for severe restrictions on the wide availability of end-to-end encryption. The EU is not following suit. A recent ruling from Brussels puts Europe firmly on the other side of the crypto wars, so Prime Minister May, in this respect, is increasingly playing a lone hand. Last week on our podcast, we spoke with Robert M. Lee from Dragos about the CrashOverride malware and its potential to take down electrical grid systems.
Starting point is 00:05:10 In the time since then, we spoke with John Brick from the Downstream Natural Gas Information Sharing and Analysis Center, that's the DNG ISAC. He's been pleased with the way the ISACs have been functioning in an event like this, getting information to their members quickly. He also shared an interesting analogy in regards to attribution. If you have a cabin in the woods and a forest fire is sweeping towards it, you really don't care who started the forest fire. You care about protecting your property, putting water on it, or calling the fire department, etc. Who started it is a question for the government agency, for the local fire department, for the FBI. And it's the same thing with malware. It's not really useful for us to know who did it at the operational level. It's very interesting for me at the threat analyst level, but we can't take action upon that
Starting point is 00:06:06 because we're not law enforcement. We're not able to issue a diplomatic demarche. We can't do those kind of things. Now, having said that, if we work backwards and we look at the forest fire example, we might not know or care who started it, but if we look around our cabin, we can see that there's dry brush. We can see that perhaps we have a neighbor who's storing fuel outside or who's doing open welding. These are the kind of things that contribute to our problem. We might not be attributing the actual attack or problem to these people, but they're contributors. It's very important in the cyber world for everybody to take the kind of
Starting point is 00:06:54 corrective or preventive measures that are available, whether those are patches, whether those are following advisories from the Industrial Control Systems CERT, ICS-CERT. If everybody plays the game, everybody's safer. It's that guy who ignores the problem or remains unpatched or doesn't take any effort, and then that allows everybody else to fall victim to these kind of things when they sweep through the networks. That's John Brick from the DNG ISAC. Experts think the CrashOverride malware used against Ukraine last December represented the culmination of a long and patient campaign prepared by infestations of Havex and BlackEnergy. Wired puts it directly. Ukraine, quote,
Starting point is 00:07:39 became Russia's test lab for cyber war, end quote. Observers think Russia now has a proven cyber weapon ready for use. CrashOverride is disturbing, apparently purpose-built from scratch and used in deliberate, highly targeted campaigns. There are indications that U.S. policy, at least, is more firmly tilting to the Ukrainian side in that country's long-running hybrid war with Russia. Reports that say President Trump will meet Ukrainian President Petro Poroshenko before he meets Russia's President Putin are causing a sensation in Kiev,
Starting point is 00:08:12 where it's being perceived as a strong signal of diplomatic support, at least. The European Union has decided to adopt a united front with respect to answering cyber attacks with sanctions. The EU thus joins NATO in adopting a collective posture with respect to cyber warfare. Results of a U.S. Defense Department Inspector General look at NSA's Insider Threat Program suggest the agency has a lot of work ahead of it. The results of the 2016 inspection, conducted at congressional request, are at best mixed, and in this context, mixed isn't good. The IG looked at seven of the most important measures NSA undertook in the wake of the Edward
Starting point is 00:08:52 Snowden leak incident, and the IG found that the agency was falling far short of where it should be in managing personnel with privileged access to its data and systems. In many cases, NSA was unable to say who had such access. Records were kept in a manual spreadsheet, but that spreadsheet could no longer be found. As Motherboard unsympathetically puts it, either the dog ate their homework or someone fed that homework to the dog. The second possibility is more disturbing. We can think of a couple of bears who might be interested in dishing up that kind of puppy chow. Calling all sellers.
Starting point is 00:09:33 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:10:01 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:10:34 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:11:21 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
Starting point is 00:12:06 they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. A story came by from the Chicago Tribune about the Illinois Senate approving a "right to know" online privacy bill. What's going on here? So we saw at the federal level a major rollback of internet privacy rights. Of course, Congress passed and the president signed a bill that repealed an FCC regulation that prohibited internet service providers from sharing subscriber information. That has left the states to sort of
Starting point is 00:12:59 fill this void and protect internet privacy. And the first major effort we've seen is taking place in the state of Illinois. As you mentioned, their state Senate passed a bill this past week called the Right to Know Act. And this measure would require online companies like Google, Facebook, Amazon to disclose to their consumers the exact data that has been collected and shared with third parties. And this sounds like a very promising idea for privacy advocates, but there has been a significant pushback from the industry and from some of the trade groups, internet trade groups, and also the Illinois Chamber of Commerce, saying that this bill is really a bonanza for trial lawyers couched in a privacy bill.
Starting point is 00:13:45 I was listening to a radio segment in Illinois with the head of the Chicagos of the world if they don't reveal the information that they've collected. So it's not necessarily that we would be stopping Google and Facebook from collecting that information. We would just be holding them liable for a lawsuit in the state of Illinois if they didn't properly disclose that information. And what he argued is that it would actually have a reverse effect against data privacy, because Google and Facebook would be so conscious about maintaining data, about complying with this new law, that they would actually collect more data to ensure that they were in compliance, whereas previously they wouldn't be as concerned with exactly what they were collecting. So I think this is a noble effort at digital privacy,
Starting point is 00:14:51 but I think it's an incomplete effort at this point. The bill is now headed for the state house, where I think lobbying pressure will certainly increase. So far, it's been opposed in the state Senate by Republican legislators. And the reason that that's significant is that Illinois has a Republican governor. So this bill is subject to a potential veto if it comes to that. So just to be clear, this is not a direct replacement for the rollbacks that just happened with the FCC. No. So the bill that Congress passed and the president signed rolled back an FCC regulation that applied to internet service providers like Comcast, AT&T, and Verizon. That rule would have prohibited those service providers from sharing private information with third-party vendors. This bill in the Illinois legislature
Starting point is 00:15:39 applies to sites like Amazon, Google, and Facebook. So not the providers themselves, but the providers of content. So the bill is slightly different in its scope. It's not intended to be a one-to-one replacement of the overturned federal regulations. It is more intended to be a concurrent effort to show that there is still some momentum for digital privacy. And I think it's also a recognition that with a Congress and a president that's been hesitant to some of these digital privacy measures, that the action for advocates is going to have to be at the state level. But this could be a potential nightmare for these global providers, right? If they have to deal with state by state regulations?
Starting point is 00:16:24 Yeah. So that's one of the reasons they're apoplectic about it. The one thing that providers want is regulatory certainty. They do not want to be in a situation where they're going to have to defend against a million lawsuits from Illinois plaintiffs in Illinois courts, and they don't want to have to tailor their policies just to avoid lawsuits from one particular state. And that's the argument that a lot of the bill's opponents were making in the Illinois state legislature: that it would be an enormous burden on e-commerce, and it would be just an inordinate burden on these providers, because they would be subject to a whole slew of lawsuits and would be pretty sour about doing any business in the state of Illinois. All right, Ben Yelin, thanks for joining us.
Starting point is 00:17:21 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
Starting point is 00:17:53 and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. to innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
