The Week that Was.
February 11, 2018.
By The CyberWire Staff
Negotiations over ShadowBrokers' take?
In a widely reported, still developing, but difficult to credit story, US intelligence services are said to have negotiated with Russian sources for the return of stolen information, called sometimes "documents," sometimes "code." The Intercept speculates negotiations were over material the ShadowBrokers took from NSA, although it's difficult to see how one could in any meaningful sense "return" stolen code. The Russian side is also said to have offered discreditable material about President Trump. The Americans are said to have paid $100 thousand, then backed out, fearing chicanery (New York Times).
Infraud carding network and criminal souk taken down by Operation Shadow Web.
A US-led international effort has taken down the long-running "Infraud" carding gang, thought responsible for more than $530 million in losses to consumers over seven years. Thirty-six alleged hoods have been indicted; thirteen are in custody; the rest are on the lam. Infraud, known for its motto "In fraud we trust," began as a run-of-the-mill carding forum, moved into the sale of fullz, and eventually became a large and influential full-service criminal market where hoods traded and refined their attack techniques. It was both hierarchical and cellular, with participants often unknown to one another. Police in Australia, France, Italy, Kosovo, Serbia, the UK, and the US made arrests. Authorities in Albania and Luxembourg were there for the assist (Reuters).
XXIII Winter Olympiad: international good-will, nationalist hacking.
The Olympic Games opened in PyeongChang Friday with customary pageantry and celebration of our common humanity. Government hackers got there first, notably from Pyongyang. Another prominent competitor is Fancy Bear: Team Russia may be banned for doping, the Russian anthem and tricolor nowhere on display, but the GRU showed up early (New York Times).
Officials Sunday identified problems that began during opening ceremonies as cyberattacks (Guardian, Yonhap). No attribution, but Russia preemptively issued denials (Reuters).
Apple filed a Digital Millennium Copyright Act notice asserting its injury by publication of iPhone source code on Github. Specifically, Apple objects to "reproduction of Apple's 'iBoot' source code" (CRN). Speaking through MacRumors on Thursday, Apple said, "Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." Observers think the leak both large and consequential (Motherboard). The leak affects iOS 9; some think the code has persisted into iOS 11 (Hot for Security).
Cryptominers in hospital, water utility...
Someone in all likelihood visited a site they shouldn't have, according to Radiflow; a user probably downloaded and ran the cryptojacker, whence it exploited network file shares to move through the utility's systems. The unnamed European water utility's operations are said to have been unaffected, and they're mopping up the infestation now (Register).
A Tennessee hospital is notifying patients that a cryptominer was found in its electronic medical records system. Decatur County General Hospital saw the first signs of infestation in November. It began disclosing the incident to 24 thousand patients on January 26th (Dark Reading).
Cryptojacking has become more than a nuisance: some enterprises are finding that it renders them unable to operate (Ars Technica).
...nuclear facility (Gomr Simpsonov, underachieving the Plan).
Engineers at the All-Russian Research Institute of Experimental Physics in Sarov were detained for cryptocurrency mining with Institute machines (Интерфакс).
Another reason to dislike Deepfakes and its progeny.
You'll be shocked to learn that a spinoff website is infested with cryptojackers (Motherboard). Deepfakes isn't alone here, either: this is becoming the norm in the online adult content industry (Motherboard).
Frothy cryptocurrency market back (or just a dead cat bounce)?
The sharp rise cryptocurrencies experienced at the end of 2017 fueled strong criminal interest in the new coins. Legitimate speculators were also strongly drawn, perhaps unwisely, to the new instruments. Cryptocurrency speculators were able to take a bit of comfort at midweek as prices of some of the more prominent alternative currencies surged up to twenty percent. That's still off their peak valuations, and it remains to be seen whether this represents a return to a secular bull market, a return to a speculative bubble, or just a dead-cat bounce (TechCrunch). Cybersecurity entrepreneur and Shark Tank shark Robert Herjavec sees a very big future for cryptocurrency (Money). (If Robert is wrong, he's dead to us.)
One market shift being observed is in the black market. Criminals operating in the dark web, particularly ransomware operators, have long favored Bitcoin, but that may be changing, as Litecoin picks up black-market share (CNET).
Nakamoto-san goes to Washington.
US Federal regulators think cryptocurrencies have value. They also think the new currencies need regulation, especially with respect to initial coin offerings. The US Securities and Exchange Commission has been skeptical of ICOs, stopping a few of them as fraudulent, and objecting to others as offering, in effect, unregistered and unregulated securities. In testimony before the Senate Banking Committee yesterday, the heads of two major market regulating bodies, the SEC and the Commodity Futures Trading Commission distinguished the currencies themselves from their use in ICOs and from the blockchain technology that underlies them. They think consumers who trade in these novel currencies think the markets are better regulated than in fact they are. The regulators think that trading platforms should be regulated like exchanges, and that ICOs are in fact securities and should be treated as such (Motherboard). They also expressed their conviction that in fact cryptocurrencies could have, and did have, real value. If the hearings are any guide, cryptocurrencies are well on their way to normalization as financial instruments (TechCrunch).
Nakamoto-san will be accompanied by counsel.
Law schools have for some time taken note of blockchain technology. Courses in the legal ramifications of the blockchain are increasingly finding a place in law school curricula. The courses have, of course, special reference to the technology's realization in cryptocurrency, and the law schools have been working to collaborate not only with schools of engineering, but with business schools as well (New York Law Journal).
The sixth eye? Well now, is there one?
For the past year French intelligence services have been regularly sharing intelligence with the predominantly anglophone Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States). High-level meetings are being called "the Five Eyes plus France" (Defense News).
Terms of service and content moderation.
Twitter has joined other platforms in bouncing Deepfakes, the Photoshop-cum-CGI artificial intelligence of adult content. It's out for violating Twitter's terms-of-use forbidding users to "post or share intimate photos or videos of someone that were produced or distributed without their consent" (Motherboard). Reddit imposed a similar ban, modifying its terms-of-use to block sharing adult content "apparently created or posted without [the subjects'] permission, including depictions that have been faked" (TechCrunch). Deepfakes is an interesting test case for those who think our AI apprentices will be nice and good, and not inherit our own sketchy ways. Maybe they need some data scientists to train the AI? Nice data scientists. Would a "Hippocratic Oath" for statisticians who live in San Jose help (WIRED)?
YouTube Kids has stumbled in its efforts to become less of a stumbling block for children. A lot of the disturbing muck it was supposed to be rid of has crept back in, according to the BBC, which took one for the team by watching a lot more blood-spattered clown videos than we'd be prepared to survey. A Google rep promised to do better, saying the company was “very, very sorry for any hurt or discomfort” (Naked Security), and in effect it promised to be less evil going forward. But content moderation isn't easy, even with pockets as deep as Alphabet's, and moderation is also inevitably very labor intensive with a relatively open social medium like YouTube.
YouTube has also temporarily suspended ads from video star Logan Paul, citing his "recent pattern of behavior." Young Mr. Paul was last month in trouble for a depraved and grossly insensitive video of himself yucking it up over a suicide victim. He tearfully promised to mend his ways, but his repentance was brief. Since returning, presumably chastened, from Japan's Suicide Forest, he's posted videos that advocate eating Tide Pods, showed the tasering of a rat, and done something else that YouTube primly describes as violating guidelines for advertiser-friendly content (TechCrunch).
Google continues to work on new approaches to content filtering, moderation, and classification. Some planning to deal with "fake news" came to light this week (Quartz).
How this might be done in a viewpoint-neutral way that respects freedom of expression remains unclear. In one case bots may have been used to get a Tether critic temporarily banned from Twitter: "Bitfinexed" has long criticized the cryptocurrency that's pegged to the US dollar, also playing gadfly to the Bitfinex cryptocurrency exchange. The bots complained; Twitter listened. Twitter has described the ban, now lifted, as "a mistake" (Mashable). Others see it as a symptom of the ease with which dominant platforms can (and will) act as censors, and can be manipulated into special pleading.
Facebook has tentatively moved toward crowd-sourced epistemology with a "downvote" button for comments. It's not, Facebook explains, the "dislike" button many have called for (TechCrunch).
Fake news and AI-generated NSFW content aside, social media critics continue to see something deeply wrong with the bad behavioral incentives and disinhibitions infesting social media. An op-ed in the Times joins others who regard anonymity as the fons et origo of the "bile and disinformation" that thrive on the Internet. The writer particularly blames Twitter and Facebook, which he says are worse than the sheep in Animal Farm, the ones who placidly drown out thought by bleating "four legs good, two legs bad." In other contexts, of course, anonymity is prized as privacy, and the desire for privacy has induced a lot of users to dissemble when they post personal information online. A study commissioned by RSA concludes that half of us do so (Sky News). The bots may be here to help as well: university researchers at Lausanne and Wisconsin say they've developed an AI that reads and analyzes privacy policies (WIRED).
I am a Tweeter. I come from Berlin (or perhaps from Mainz, Augsburg, Bremen, etc.).
Germany's laws against incitement to hatred strike many observers as a test case for how large-scale content moderation might work. A WIRED columnist describes her experience resetting her Twitter location to Germany and falling thereby under German laws, updated since their initial enactment in 1960, that make race-baiting a crime. Their effect is largely felt against neo-Nazi memes, and is accomplished for the most part by requiring tech companies to remove objectionable material within twenty-four hours of notification, with penalties of up to $60 million for noncompliance. The columnist finds their enforcement patchy and in some cases unintelligible, but on balance effective in purging her exposure to social media of this particular form of objectionable content. The most recent version of the law, the Netzwerkdurchsetzungsgesetz, took effect in June of last year. It remains to be seen how its targets will eventually adapt, at which point the law will doubtless adapt, too.
Anti-captcha bouncer keeps humans out of Club Bot.
It's like a reverse Turing Test. An Internet artist created an algorithmic test to see if he can exclude humans from a community of bots. For the most part it seems to work, although some humans say they've beaten it (Motherboard).
The Nunes Memo and its sequelae.
The Nunes Memo on the surveillance warrant the FBI obtained from the FISA court during the last US election cycle remains a partisan Rorschach test. More related memos are expected to be released soon (Business Insider). The White House has delayed declassification of the corresponding House Democratic memo (Los Angeles Times). A letter from the Senate Judiciary Committee referring Christopher Steele to the Justice Department for investigation was declassified and released Tuesday, to much the same effect as the Nunes Memo (Business Insider). Christopher Steele is the source of the "Steele Dossier" prepared with funding deriving from Democratic opposition research into then-candidate Trump (Politico). The knock-out blow both sides promise to land in matters of collusion with Russia seems unlikely to be thrown soon.
On Tuesday Adobe patched the Flash Player zero-day that had been exploited against South Korean targets (Security Boulevard). Microsoft issued its own patch for this zero-day as well (MS Power User).
Cisco revisited its ASA bug patch after an earlier fix proved incomplete (SC Magazine).
Intel released another Spectre patch, this one for Skylake processors (Ars Technica).
WordPress patched more than thirty bugs this week. Users will need to apply them manually, which means, of course, that it's possible for you (or your host) to overlook them (Naked Security). The patch is reported to be causing admins considerable trouble (Bleeping Computer).
NETGEAR fixed five vulnerabilities Trustwave found in NETGEAR's broadband routers (ISP-Review).
AnchorFree patched a Hotspot Shield information-leak bug, but said the vulnerability was not particularly severe (Axcess News).
Fortune sees signs of a cybersecurity bubble deflating, arguing that the sector is ready for consolidation: too many venture-funded start-ups in search of too few customers will be looking for an exit during 2018. Among the sub-sectors undergoing maturation by consolidation is the simulated phishing market (KnowBe4).
Akamai's quarterly results exceeded expectations, but the company is trimming its workforce by some 5%. Most cuts are expected to come in its media division (ZDNet). Gigamon, undergoing restructuring after its recent acquisition by a hedge fund, has also announced layoffs, planning to shed about 25% of its Santa Clara workforce (Silicon Valley Business Journal). FireEye reported its first quarterly profit (Proactive Investor).
Proofpoint has agreed to buy Wombat Security Technologies for $225 million (Globe Newswire). Wombat intends to stay in Pittsburgh, and not move west to co-locate with its new corporate parent (Pittsburgh Tribune). Fulcrum IT Services has bought the PTR Group with a view to expanding its presence in the Intelligence Community market (Washington Technology). LogMeIn announced that it's buying business communication tools shop Jive Communications (not to be confused with Jive Software) for something north of $342 million (Xconomy). Qualcomm has rejected another acquisition offer from Broadcom. This one was for $121 billion, which Qualcomm thinks is still a lowball bid (TechCrunch).
Power-plant security specialist Aperio has picked up a $4.5 million seed funding round (TechCrunch).
Users of certain Apple and Cisco products will now be able to receive a discounted rate on certain cyber insurance policies issued by Allianz (IT Pro Portal).
The US Department of Homeland Security and Kaspersky Lab trade legal salvoes over the DHS ban of Kaspersky products from Federal systems (Law360). Meanwhile, Congress considers legislation to block Huawei and ZTE from doing business with the Federal Government: the Register calls it "the Kaspersky treatment."
Today's issue includes events affecting Albania, Australia, Canada, China, France, Germany, the Democratic People's Republic of Korea, the Republic of Korea, Kosovo, Luxembourg, New Zealand, Russia, Serbia, Ukraine, the United Kingdom, and the United States.
ON THE PODCAST
Our Research Saturday podcast went up yesterday. If you haven't heard it yet, give it a listen. We talk with Limor Kessem, an executive security advisor with IBM Security. She describes IBM's X-Force investigation into IcedID, the banking Trojan they've recently discovered and tracked. IcedID is a nasty that targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the US.