The team matters in the world of industrial security.
No single piece of software can secure society, and no single person—or organization—can guard against the unforeseen. That’s why it’s critical to bring together the leading experts from across industries, and from both the public and private intelligence communities to address the critical challenges of industrial security. Learn more about Dragos, builders of the first industrial cybersecurity ecosystem, and the team of leading practitioners they put together.
The Week that Was.
November 5, 2017.
By The CyberWire Staff
BadRabbit looks like misdirection.
BadRabbit's odd behavior—sophisticated, noisy, and above all brief—may now have an explanation: the campaign may have been misdirection, or at least that's how it appears to authorities in Kiev. Ukrainian police have told Reuters that the same threat actor behind the ransomware campaign operated a quiet phishing campaign during BadRabbit's activity. The goal, investigators think, was to obtain undetected remote access to financial and other confidential data.
The IOC and IOA playbook: making sense of your indicators.
Acronyms such as IOCs (indicators of compromise) and IOAs (indicators of attack) are ubiquitous in the security industry. However, a recent SANS survey revealed a vast majority of security professionals don't even know how many indicators they receive or can use. Join DomainTools Senior Security Researcher Kyle Wilhoit to get clarification on the use and value of IOCs and IOAs and how they can enrich your investigations and overall security strategy.
Fancy Bears' wish list.
A wish list of Fancy Bear's (that is, GRU's) persons of interest is out, and it's very long. It's also global. Aerospace and defense sector workers receive particular attention, as do political figures. (Among American politicians, Democrats are in the majority, but Republicans are also represented.) Foreseeably, there are many Ukrainian targets on the list (Fifth Domain).
Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com
Mr. Kim objects...
Westminster is reported, breathlessly and implausibly, to be in a "panic" over threats from North Korea to avenge its injured self-regard over British attribution of WannaCry to Pyongyang (Express). Panic in HM Government seems unlikely, but banks are taking the North Korean cyber threat seriously, and are preparing their defenses accordingly (Reuters).
The DPRK has also allegedly continued conventional cyber espionage, accessing warship plans at South Korea's Daewoo Shipbuilding and Marine Engineering (Dark Reading).
Concerns about Pyongyang's ability to carry out an electromagnetic pulse (EMP) attack persist. The EMP phenomenon and the fears it prompts are real enough, the probability of an attack more controversial (WIRED).
What do AI and machine learning mean for cybersecurity?
We hear about them everywhere in cybersecurity. They sound cutting-edge, but what do they mean? And what value do they add? Find out exactly how significant AI and machine learning are, and how small nuances in their use can make a big difference.
Equation Group notes and the future of Kaspersky.
Kaspersky's account of its relationship to leaked Equation Group material continues to attract interest and analysis. Essentially the company's account is that the material turned up inadvertently, in a scan of an NSA contractor's (or employee's) computer whose owner had (presumably also inadvertently) backdoored the device by installing pirated software (TechTarget).
Should Kaspersky lose access to the US market entirely, the company assesses that loss at under 10% of revenue (CISO Magazine). Other countries have not reacted to public suspicion as has the US: German markets, for example, remain open to continued use of Kaspersky, with many observers there regarding it as unlikely the company colluded with Russian intelligence services (Deutsche Welle).
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
An arguably lone, possibly known, wolf kills in New York.
Sayfullo Saipov, arrested for killing eight people Tuesday in New York City, ramming cyclists and pedestrians with a rented truck, was apparently inspired by ISIS online videos and images. Investigators found some 90 videos and 3,800 images on his phone (Washington Post). Saipov was reportedly interviewed by the US Department of Homeland Security in 2015 about possible ties to terrorist organizations. He was apparently not a member of any known terrorist cell, and is at least provisionally regarded as a lone wolf (ABC News). His online activities are being closely scrutinized by investigators.
A Tashkent native residing in Paterson, New Jersey, Saipov is seen as an example of ISIS success in Central Asian recruiting, especially in predominantly Muslim former Soviet Republics like Uzbekistan. The Caliphate has ramped up its Russian language service, Russian having persisted as a lingua franca in the Near Abroad (Foreign Policy).
Uzbek participation in terrorism is regarded by foreign affairs and security experts as involving a paradox: tranquility at home, but susceptibility to recruitment while living abroad (Foreign Affairs).
In the UK, the Manchester bomber now looks like more of a known wolf than ever (Times).
Black market economy.
Ransomware and other malware may be well on their way to becoming commodities in criminal markets, but that doesn't mean they can't be lucrative for developers of malicious code. Carbon Black reports that the median price of a "DIY ransomware kit" is just $10.50 (prices range from $0.50 to $3000) and that low prices and wide availability have driven a 2,500% year-over-year increase in the size of the ransomware market. And a ransomware developer can earn twice what a legitimate coder of comparable skills can (Carbon Black).
Venafi took a look at commodity contraband to see what fetches the most money in black markets. They found that illicit code signing certificates are more valuable than either handguns or passports (Venafi).
Crypto wars update.
US Deputy Attorney General Rod Rosenstein in an address delivered Monday at the North American International Cyber Summit reiterated his call for what he characterized as "strong and responsible encryption." He summarized his position (quoted by Naked Security) as follows: "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so… When a court issues a search warrant or wiretap order to collect evidence of crime, the company should be able to help. The government does not need to hold the key."
Thus companies, essentially any who carry or store communications for their users and customers, would be required to hold a key to any encrypted content their systems handle, and to produce such key when properly required to do so by a warrant.
Deputy AG Rosenstein did say nice things about encryption, calling it "a foundational element of data security and essential to safeguarding data against cyber-attacks," but he wants it to be "effective, secure encryption, coupled with access capabilities" (Naked Security).
The tech community generally seems not to buy such "strong and responsible encryption." (Cyber Security Hall of Famer Susan Landau recently described it in Lawfare as "keys under doormats.") There's no way, critics argue, of ensuring that only governments exercising legitimate investigative authority would have access to such keys. The Electronic Frontier Foundation predictably gives the Deputy AG's position poor reviews; their take is representative.
US Senate grills tech companies in hearings on Russian influence operations.
So how would you know if a Russian outfit were buying political ads from you? Payment in rubles might be one indicator, but Facebook seems to have missed it when they banked payment from the St. Petersburg troll farm now famous as the Internet Research Agency.
Facebook's general counsel retrospectively acknowledged before the Senate, "Many of the [Russian] ads and posts we’ve seen so far are deeply disturbing, seemingly intended to amplify societal divisions and pit groups of people against each other. They would be controversial even if they came from authentic accounts in the United States, but coming from foreign actors using fake accounts they are simply unacceptable." Senator Franken (D-Minnesota) asked how it happened that Facebook's extensive and well-funded big data analytics "somehow [did] not make the connection that electoral ads, paid for in roubles, were coming from Russia?" He wasn't the only one wondering (Times).
Facebook wasn't alone in receiving the hostile witness treatment: Twitter and Google were similarly questioned (BBC). A lot of the posts and ads attributed to Russian trolling seem risible, a few even funny, like the Senator Sanders Muscle Beach pose-down coloring book offered by trolls themselves posing as Sanders supporters (Motherboard). That is, the content amounts to convincing simulacra of the kinds of things actual people post all the time (BBC). The ads and posts on display generally suggest, again, that the Russian goal was disruption and erosion of the possibility of trust, as opposed to achieving any particular electoral outcome (Ars Technica). And while Facebook's analytics may have overlooked payment in rubles (which of course would have been on the business side), their famous rifle-shot accuracy enabled Russian trolls to reach tightly defined demographic profiles with content intended to inflame passion and mutual suspicion left, right, and even a little bit center (TechCrunch). The tech companies testified that they had found no evidence that Russian operators used voter registration data to direct delivery of their content (WIRED).
Many of the Senators' questions were striking in their readiness to conflate trolling with warfare, bogus advocacy with aggression (Fifth Domain). The tendency toward Internet policing that much of the questioning expressed suggests how difficult such measures would be, short of out-and-out censorship. Various repressive regimes elsewhere in the world try this reflexively (Quebec Telegram).
Back in Menlo Park, Facebook CEO Zuckerberg said he was "dead serious" about curtailing problematic activity on the social media platform. He framed this as a security issue, and warned that the company's security investments would be significant in the coming year, markedly increasing operating expenses (USA Today).
The force that through the AI fuse drives the chatbot. Drives politi-bots' green age.
Tech companies are pursuing "relatable" chat bots for all sorts of business reasons, many of them related to enhancing customer service while reducing labor costs. The technology behind them will inevitably continue to be adapted to political discourse, where bots are playing an increasingly important role. Their presence, and amplifying power, pervade social media and offer the prospect of being as transformative as the printing press and radio were in their day (Motherboard).
US Special Counsel secures two indictments in continuing Russian influence investigation.
As expected, Special Counsel Robert Mueller's investigation into possible complicity in Russian election meddling resulted in two indictments, announced Monday. Paul Manafort and his associate Rick Gates were charged with multiple counts related to money laundering and improperly disclosed foreign representation. George Papadopoulos was also revealed to have entered a guilty plea to charges of lying to the FBI, and was now cooperating with investigators. All three men had been involved with the Trump campaign. There had been speculation of the campaign's involvement with Russian services in attempts to obtain copies of Democratic campaign emails (New York Times).
The Special Counsel's investigation is not over, and most observers expect more indictments. The Podesta Group, a Democratic-connected lobbying firm, is one of the companies alluded to in the indictments (as "Company A"). The company and its founder, Tony Podesta, remain under investigation. Podesta himself stepped down from the firm Monday, and the firm announced it would reconstitute itself under new leadership and a new name (The Hill).
And there may be indictments of Russian government officials in the DNC hacking case.
In a Federal investigation distinct from Special Counsel Robert Mueller's, sources say US prosecutors have identified at least six Russian government officials allegedly involved in the Democratic National Committee hack during the last election cycle. Indictments are expected early next year (Infosecurity Magazine). Such indictments aim to "name and shame," not convict and imprison (Politico). The strategy was pursued against cyber operators from China's People's Liberation Army during the last Administration as well.
Equifax breach fallout continues.
The major breach that credit bureau Equifax sustained this summer has prompted a large number of class action lawsuits (Naked Security). It's also prompted New York State Attorney General Schneiderman to propose tighter data protection laws (New York Law Journal).
In mid-October Equifax's TALX division reopened its Work Number service, which provides prospective employers with automated employment and income verification, and thus holds millions of people's salary histories. A user PIN for the site can be guessed from a social security number and date of birth, information which of course was compromised in the breach. There are also some knowledge-based authentication questions, but KrebsOnSecurity is unimpressed with the security enhancements.
The US Senate isn't through with Equifax, either. The current and former CEOs will be called to testify on data breaches this coming week. So will former Yahoo! CEO Marissa Mayer (Reuters).
More AWS misconfigurations.
Nearly 50,000 Australians recently had their information exposed. 48,270 personal records from employees working in government agencies, financial institutions, and a utility were compromised in a third-party contractor's misconfigured Amazon Web Services cloud account. Information exposed at the affected organizations includes full names, passwords, IDs, phone numbers, and email addresses, as well as some credit card numbers and details on staff salaries and expenses (Infosecurity Magazine).
At the beginning of the week Oracle issued an emergency patch for an easily exploitable flaw in Oracle Identity Manager. An unauthenticated network attack could completely compromise the system, and users were urged to patch without delay (Oracle).
WordPress fixed an SQL injection flaw in its blogging software (Threatpost). Apple has addressed the KRACK vulnerability in its devices (Help Net Security).
On Thursday Microsoft issued five "quality improvements" to address the external database bug that surfaced in Windows during mid-October. But these patches may be problematic, as some users report the fixes reinstall older, buggy patches (Computerworld).
Black Duck has made a nice soft landing at semiconductor design software company Synopsys: a $565 million exit. Massachusetts-based Black Duck, which specializes in automating open-source software security and management, has raised a bit more than $75 million in venture capital over the course of its fifteen-year history (TechCrunch).
Carbon Black is said to be looking for a different sort of exit, as the company is believed to be preparing a 2018 IPO (Boston Business Journal).
CenturyLink's acquisition of Level 3 Communications has been approved by the US Federal Communications Commission (CenturyLink). Deloitte has acquired JKVine, a consultancy based in Melbourne, Australia, that specializes in "platform test management, test execution platform monitoring and optimisation" (CRN).
Continental is said to be in talks to buy Argus Cyber Security. The German company is interested in the Tel Aviv shop's technology for securing connected cars (Automotive News). Analysts estimate the price of the acquisition at about $500 million, which would be the largest exit for an Israeli start-up since 2013 (Israel National News).
As the certificate authority business shifts (TechTarget), security firms sell off their CA businesses (ZDNet). The Comodo Group has sold its CA unit to private equity firm Francisco Partners. The new standalone company will do business as Comodo CA (eWeek). DigiCert has completed its acquisition of Symantec's website security and related PKI solutions (DigiCert). Mozilla still has issues with trusting the business's certificates, and adopts a wait-and-see approach against the possibility that the change in ownership may make little difference to its concerns (SecurityWeek).
Recorded Future announced $25 million in Series E funding from Insight Partners, a venture capital firm that's also backed Cylance, Firemon, and DarkTrace (PRNewswire). Fortune notes that Recorded Future's niche is dark web intelligence, with particular expertise in the areas where state activity intersects cybercrime. Rollbar, which provides real-time error monitoring, secured a $6 million Series A funding round (TechTarget). Montréal-based ROOT Data Center plans to use a $90 million investment from Goldman Sachs to expand its operations (Marketwired).
The Israeli start-up "foundry" Team8 announced the formation of a new cybersecurity startup, Sygnia, that will specialize in consulting and incident response (CTech). Team8 is also opening a New York City hub to complement its headquarters in Tel Aviv (PRNewswire). In Australia, accelerator CyRise announced the admission of four start-ups to its Melbourne program: Brooklyn Dynamics, NetCrypt, CYDARM, and Cybercitadel. CyRise is backed by Dimension Data, Deakin University, and Victoria's state development agency, LaunchVic (ARN).
ICS and OT security company Dragos moves into new, larger quarters in Hannover, Maryland (PRNewswire).
Midweek saw a sell-off in cybersecurity stocks, as FireEye, Symantec, Palo Alto Networks, and Check Point share prices dropped as investors reacted to conservative guidance (Investor's Business Daily).
Today's issue includes events affecting Australia, Israel, the Democratic People's Republic of Korea, the Republic of Korea, Russia, the United Kingdom, the United States, and Uzbekistan.
ON THE PODCAST
The CyberWire's weekly Research Saturday podcast is up, featuring a conversation with Jordan Wright, Senior Research and Development Engineer at Duo Security. He’s the author of the research report, “Phish in a Barrel,” and he describes his work gathering and examining thousands of phishing kits from around the web.
If you'd like to suggest a topic we might cover on Research Saturday, drop our Producers an email (email@example.com) and let them know what you'd like to hear about.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.