CyberWire Daily - Who's the third man in the Shadow Brokers leaks? ISIS diaspora means more ISIS online. Monero miner identified. Tizi backdoored apps booted from Google Play. Scarab ransomware. M&A notes. Indictments in IP theft.
Episode Date: November 28, 2017
In today's podcast we hear rumors that the third man in the Shadow Brokers leak might soon become publicly known. ISIS enters its diaspora phase. Monero miner targets Macs. Google Play ejects apps with the Tizi [tizzy] backdoor. Scarab ransomware blasted out in spam campaign. Uber's value takes a hit, post-breach-disclosure. Barracuda Networks taken private. Trend Micro buys Immunio. Emily Wilson from Terbium Labs on the privacy of children online. Bryan Ware from Haystax on analyzing incoming data streams. And the Pittsburgh FBI office takes another whack at Chinese industrial espionage.
Transcript
Is the third man in the Shadow Brokers' leak soon to be revealed?
ISIS enters its diaspora phase.
Monero miner targets Macs.
Google Play ejects apps with the Tizi backdoor.
Scarab ransomware is blasted out in a spam campaign.
Uber's value takes a hit post-breach disclosure.
Barracuda Networks is taken private.
Trend Micro buys Immunio.
And the Pittsburgh FBI office takes another whack at Chinese industrial espionage.
I'm Dave Bittner with your CyberWire summary for Tuesday, November 28, 2017.
In a developing story that we'll be watching, Brian Krebs thinks he has a lead on who the unknown leaker was whose device was looted for alleged NSA tools that found their way
into the hands of the Shadow Brokers last year.
It's too early to name individuals or companies, but the third person may become known before
too much more time has passed.
ISIS, effectively ejected from territory it once controlled, appears to be entering its
long-anticipated diaspora phase, which informed observers expect to be marked by more focus on cyberspace.
For the foreseeable future, this is held by most to mean increased attempts at online inspiration.
There may be an attempt to re-establish a territorial sanctuary, possibly in the Philippines,
and there are signs that the former caliphate may be trying to attract women to its cause,
in part through online matrimonial appeals.
Criminals continue their attempt on cryptocurrencies.
Security company SentinelOne today announced their discovery of a new cryptocurrency mining trojan,
OSX.CpuMeaner, that targets Macs.
It's after Monero cryptocurrency, and it appears, SentinelOne researchers say, to have borrowed
some of the tactics and techniques used in the adware underground.
Google's latest sweep through Google Play turns up several apps equipped with the Tizi
backdoor.
Tizi has typically been used to install spyware on target devices.
There are other concerns about Android security, and especially privacy.
A study by Yale University concludes that about three-quarters of Android apps
come with third-party tools that track users' activity.
Forcepoint warns of a massive spam campaign that's distributing Scarab ransomware.
The crooks sent out about 12 million infected emails over a six-hour period.
Ransomware is enjoying a burgeoning demand in the black market. Carbon Black has reported a
2,500 percent rise in ransomware sales since last year, so the hoods still seem to think this is
the coming thing in crime. Ransomware is also growing more targeted and more difficult to
detect.
No one seems to be buying the whistling-in-the-dark Uber did before its recent shake-up in breach disclosure.
It strikes most observers as unlikely in the extreme that the criminals who hacked the ride service actually destroyed the data they stole.
There had been speculation last week that the company's value would take a hit,
and we now have a better idea of what the breach discount may be in this case. SoftBank's offer is out, and it seems to be about 30% lower than pre-disclosure expectations would have put it.
Security analysts face a seemingly ever-increasing stream of available data, and separating the signal from the noise can be challenging. Properly dialing in what generates an alert and demands your attention can make all the difference in the world.
Bryan Ware is CEO at Haystax Technology, and he shares techniques for using machine learning to help cut through the noise.
So often we discover that a breach has taken place months after that breach took place. When you think through that, then you
realize that the data was there at the time that the breach was taking place. Maybe there was some
data there before the breach took place, but that data wasn't actionable. You couldn't make a
decision from it. And so we're in this era of artificial intelligence and machine learning
specifically where there's a great opportunity to build algorithms that look
for the kinds of anomalies or look for the kinds of changes that could be indications of, you know,
some kind of a threat and something that you'd like to bring as an alert, you know, to an analyst
or to a decision maker. So the approach that we've taken at Haystax is what we call our
model first approach. And that is that we build models that represent what experts believe or
what analysts would do if they were trying to evaluate, is this a real threat or not? Or is
this a suspicious event or not? And those models are in very human and conceptual terms. It's a form of kind of AI that is called Bayesian networks. So these are probabilistic networks that represent the belief of experts and the uncertainties in those beliefs.
connected to all those alerts that come from other machine learning approaches or specific pieces of data.
And so what it allows us to do is to really operate at scale in the sense that if you're
generating potentially hundreds of thousands of events per day, you'd never want to have
that many alerts.
But if you could resolve them in the way that your analysts would and prioritize them according
to the mental model they're going to use anyway,
kind of after the fact, but you do it at the time of the event, at the time of the transaction.
Well, then you can build a really scalable system and you can just let the analyst see the ones that are of serious concern.
The way I kind of describe that is that's building the physics of the problem space.
What does a suspicious event look like or what does an insider event look like? Or what does an insider threat look like? And once I've built
that out, then I know how I would use data as it becomes available to determine the degree to which
this person looks like an insider threat or the degree to which this looks like a suspicious
transaction. So yes, we do have to ultimately connect it to all of that data. But it's not so
much learning from the data as watching the data as it changes.
And as the data changes, then the model updates as well so that the beliefs change.
Let me give you a really, really simple example.
We might say that an insider threat would be someone who comes into work at an unusual hour and prints documents that they don't usually have access to or wouldn't normally print to an unusual printer.
And maybe there's a bunch of other little bitty things, too.
Now, it turns out that if you just built an alert on printing to an unusual printer,
or you just built an alert on printing a large file, or you just built an alert on came into work after 6 o'clock,
then you'll end up, for any large company, with lots and lots of alerts that are almost
always easily explained. The model that says, well, I would want to know about someone who's
potentially thinking about leaving the firm and printing documents and coming into work at an
unusual hour. It's all together. I'd love to know that. But now, you know, those are different kinds of
data and different kinds of alerts. So we have the model that says, this is how I would fuse
that together and how I would reason on it if I knew all of those things, and maybe even some other things about this
employee's performance. And then we have machine learned algorithms that basically say, well,
what are the normal times that Bryan comes into work? And what are the normal places that he
comes into work? What doors does he go through? And what does he normally print? Those are all
machine learned from the data. But the way that I combine all those different alerts is a model that, for the most part, is static for
a pretty long period of time. It represents what the experts, what analysts really, really believe.
And we do learn some new things, and we do change our beliefs, and we learn some new indicators.
For the most part, those models stay pretty stable, even though the data is changing constantly.
That's Bryan Ware from Haystax.
In industry news, Akamai has announced that it's completed its acquisition of Nominum.
Trend Micro announced that it's bought Immunio, a company that specializes in application security.
It's thought that Trend Micro sees the acquisition as a way of moving its hybrid cloud security offerings into the DevOps market.
Thoma Bravo is taking Barracuda Networks private.
The private equity firm paid $1.6 billion for the company.
Some analysts think this will be good for both buyer and seller.
Barracuda may become more focused and agile,
and Thoma Bravo may have picked up a business the markets tended to undervalue.
And finally, there's been another international indictment in the U.S.,
this one of three Chinese nationals
associated with the APT3 cyber-spying operation.
The operation is also called Boyusec,
short for the Guangzhou Boyu Information Technology Company,
a contractor for the Ministry of State Security that's known for domestic surveillance of targets in Hong Kong.
The U.S. regards the firm as basically a front for an espionage operation.
The indictment charges the three Boyusec workers with theft of intellectual property
belonging to Western aerospace and defense firms. The indictment mentions theft from Trimble, Siemens, and Moody's Analytics.
And how did they get indicted? Through the hard work of the Pittsburgh FBI office.
Alien Vault's Chris Doman reached out to us to share his appreciation for the Pittsburgh
field office's work. He said, quote, it's not a surprise this indictment comes from
the FBI's Pittsburgh office. They have been very aggressive at going after cyber criminals,
end quote. We agree. And to the Steel City G-men, yinz are doing a great job.
And I'm pleased to be joined once again by Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, you were at a conference recently
where the subject of the privacy of children came up,
and it led to an interesting discussion.
Why don't you share with us what happened?
I was at Cybersecurity Week in the Netherlands and someone in the audience in a discussion
raised the point that kids these days don't care about their data.
Kids don't care.
They're just giving all of their data away for free.
Right.
And one of the panelists pushed back on that, I thought appropriately,
saying, you know, we have protections in place for plenty of other aspects of kids' lives.
We don't allow them to drive or to drink or to vote or to join the military until they are old
enough to understand the implications and the consequences of their actions. So why are we treating data privacy like it's something different?
And it is a hard thing to figure out how to solve, right?
Partially because plenty of organizations are and have been collecting data on children for years.
And we've already seen some companies that specialize in devices for children having data breaches.
But it's also, I don't think it's fair to characterize it as kids today don't care about their data
when plenty of adults don't understand the implications of all of the data that they're sharing either.
And we sort of have this generational divide where the people who are setting policy
are not digital natives.
So this sort of thing isn't reflexive to them.
It isn't reflexive, but I also,
and this was another point that one of the panelists made,
we can't wait to look at best practices
and regulations and data privacy
and think about how this is impacting adults
and children alike
until we have digital natives in office or in positions of authority to help influence policy.
These are decisions that we need to be making now. And I think the other question, something that I
think about a lot is, you know, when and how are we going to start seeing the fallout from some of
this data?
And not just data that's being shared, not just data that you're, you know, putting in to sign up for some app.
But, you know, in the work that I do, I'm lucky enough to be working away from some of the more unpleasant parts of the dark web
where children are exploited more directly.
But I do see plenty of data leaks
involving children. And I mean children, not university students. I mean children. Whether
this is social security numbers of children being sold or data leaks from elementary schools,
it's awful to see.
So we can understand beyond the obvious, the horrific things, the child exploitation, that sort of thing. Is there a particular
other cases, and honestly, this is the part that makes it worse,
is that people don't particularly care who data belongs to
or where it comes from as long as they can use it.
And so you may have the information for a 17-year-old
being mixed in with the information for a 45-year-old.
And the difference is that one of those people
is going to be checking their credit score more regularly.
And so the 10-year-old who gets their information breached
may not know there was ever a problem
until they're 16 and try to get a driver's license
or 18 and try to get a credit card
and the other information's been out there for a decade.
Exactly.
And that's the kind of thing
that I don't think we are seeing
yet at scale, but I imagine we will start to see over the next, call it 10 years. And I don't know
what that's going to look like. And I don't think many other people do either, but it's a question
that's beginning to be raised. And I think that's good.
All right. Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.