Each week the CyberWire’s Hacking Humans podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that make headlines and take a heavy toll on organizations around the world. We talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two). We also hear from people targeted by social engineering attacks and learn from their experiences. Check out the first episode and subscribe today. And special thanks to KnowBe4, our sponsors for season 1.
Hybrid warfare: states and gangs. Cobalt gang is back. Content moderation woes. Courts, crimes, patches, and industry notes.
North Korean hacking tools called out by US-CERT.
Brambul and Joanap are both being actively used by Pyongyang's Hidden Cobra, the threat actor also known as the Lazarus Group (Infosecurity Magazine). The FBI and the US Department of Homeland Security have made an unambiguous attribution of the two strains to North Korea (US-CERT).
The Lazarus Group has continued to target financial institutions for cybertheft, but it appears to be on selective good behavior, at least for now, avoiding US banks and companies during the run-up to the June 12th summit between DPRK leader Kim and US President Trump (SecurityWeek).
A subunit of the Lazarus Group, which researchers at AhnLab track as the Andariel Group, has been active against South Korean targets. It's been using an ActiveX zero-day in its campaign. Bleeping Computer reports that an anonymous source close to the investigation has told it that the zero-day is being used to exploit Samsung SDS Acube installations.
The Cobalt Gang carries on in its leader's absence.
The Cobalt gang is back at work despite its leader's arrest in Spain two months ago. Group-IB has found spearphishing emails from the thieves that pretend to be alerts from Kaspersky Lab. Employees of Russian and Eastern European banks are being targeted. The email is nicely, if bogusly, branded. It tells the victim that they've detected unspecified illicit activity from the victim's machine, and it threatens the victims with actions that will be taken against their employer's online resources if they don't click the link provided and explain themselves within forty-eight hours. Clicking the link will install the CobInt Trojan (Bleeping Computer).
Hybrid war and the industrial IoT.
Hybrid war, which combines significant elements of both cyber and kinetic conflict, and in which the means of combat are kept as deniable as possible, has been seen in several parts of the world, most prominently in the Russian effort to reabsorb Ukraine (Kyiv Post). Observers warn that the industrial Internet-of-things contains high-value and high-payoff targets (SecurityWeek).
Recognizing an attack and doing something about the attackers, however, is a challenge. Attribution is almost always uncertain, circumstantial, slow, and problematic. Steve Grobman, McAfee's Chief Technology Officer, told us that "false attribution keeps me up at night." He observed, with considerable justice, that the private sector quickly assigns and accepts attribution, which rapidly becomes public. He thinks only a trusted government entity should make an attribution. False attribution is easy and can be fatally plausible.
The problem is further complicated by the complex relationship between state and non-state actors. A study of cybercrime commissioned by Bromium from the University of Sussex concluded that, in effect, state and private actors operate in a "Web of Profit" in which they can be difficult to disentangle (Bromium). For some considerations of attribution, responsibility, retaliation, and sovereignty, see this session from the last NATO CyCon conference (The CyberWire).
Verification or censorship? Bias or too much trust in algorithms?
France's evolving policies designed to thwart information operations that take the form of fake news arouse suspicion that what's really going on is indistinguishable from censorship (Foreign Policy). The task of providing some form of ground truth as a background against which disinformation might be recognized is proving challenging to the private sector as well. Google continues to struggle with its "knowledge panels," information that accompanies searches. The search (and advertising) giant has been using Wikipedia as its epistemic gold standard, but this is proving problematic. Wikipedia is both crowd-sourced and dynamically edited, as its users well understand. So, while it's possible for a troll to slip something bogus or tendentious into a Wikipedia entry, the encyclopedia has earned a reputation for relatively quick self-correction. It also provides context against which the trolling can often be recognized. Not so the knowledge panels, which not only serve as an easier alternative to Wikipedia, but also appear with the full weight of Google behind them (Motherboard).
Cryptocurrency markets continue to attract cyber fraud.
Several cryptocurrency heists came to light this week. Someone stole $1.35 million in Ether from the Taylor cryptocurrency trading app (Bleeping Computer). A wave of 51% attacks had hit Bitcoin Gold and other cryptocurrencies the previous week, inflicting more than $20 million in damages. In such attacks someone controlling more than half a network's mining hashrate can mine a private chain faster than everyone else, then publish it to displace blocks containing payments they've already collected on, so the same coins are spent twice (Fortune).
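The "more than half" threshold can be made concrete. The Python below is an added example, not code from any of the cited reports; it implements the attacker-success model from the Bitcoin whitepaper, in which an attacker who has been paid in a transaction buried under z confirmations secretly mines a competing chain and wins if that chain ever overtakes the honest one. The function names are my own. For a minority hashrate share q the probability falls off geometrically with z (the figures reproduce the whitepaper's table), while for q at or above one half catching up is certain, which is exactly why a 51% attacker can double-spend no matter how many confirmations the victim waited for.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding a share q of total hashrate
    eventually overtakes the honest chain once the victim has seen z
    confirmations on the payment.

    Model (Nakamoto, 2008): the honest chain mines z blocks; the number of
    blocks the attacker mines meanwhile is Poisson with mean z*q/p; from a
    deficit of d blocks the attacker catches up with probability (q/p)**d
    (gambler's ruin). For q >= p the attacker outpaces the network and the
    catch-up is certain.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must lie in [0, 1] and z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0                      # majority hashrate: always wins
    ratio = q / p
    lam = z * ratio                     # expected attacker blocks during z honest blocks
    total = 1.0
    poisson = math.exp(-lam)            # P[attacker mined 0 blocks]
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # advance to P[attacker mined k blocks]
        # attacker is z-k blocks behind; (1 - ratio**(z-k)) is P[never catches up]
        total -= poisson * (1.0 - ratio ** (z - k))
    return min(max(total, 0.0), 1.0)    # guard against floating-point drift


def confirmations_needed(q: float, risk: float, max_z: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z at which the attacker's success
    probability drops to `risk` or below. Returns None when no depth is
    sufficient, i.e. when the attacker holds a majority of the hashrate."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) <= risk:
            return z
    return None


if __name__ == "__main__":
    # Illustrative shares of hashrate (constructed, not measured values).
    for q in (0.1, 0.3, 0.45, 0.51):
        row = ", ".join(f"z={z}: {attacker_success_probability(q, z):.7f}"
                        for z in (0, 1, 6, 10))
        depth = confirmations_needed(q, 0.001)
        print(f"q={q:<4} {row}  -> depth for 0.1% risk: {depth}")
```

The practical reading: an exchange facing a 10% attacker reaches a one-in-a-thousand risk after five confirmations, a 30% attacker pushes that past twenty, and against a majority miner no confirmation policy helps; the only defences are off-chain (delayed withdrawals, manual review, or not crediting deposits on a chain whose hashrate can be rented).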
The Anti-Phishing Working Group estimates that cryptocurrency theft amounted to $1.2 billion in 2017 (Investing). Bubble-blown fraud is now so common that regulators are having difficulty keeping up with it (New York Times). Market analysts are tending toward a consensus that cryptocurrencies will have to shed their air of connection to crime before they achieve complete respectability (CanTech Letter). And, innocent or not, announcing you've been robbed is now greeted with suspicion that the announcement itself is part of a fraudulent exit strategy (Bleeping Computer). So, like, your coins are gone; sorry, harsh realm dude (cf. The Producers).
Crime and punishment.
Karim Baratov, the Kazakhstan-born Canadian gentleman who helped Russia's FSB hack Yahoo! has received his day in US Federal court, and also a sentence of five years in Club Fed (Hot for Security). It's a hacking-for-hire case, and the US attorney who prosecuted the case says that the US intends to treat this kind of crime seriously (Ars Technica).
Grant West, a.k.a. "Courvoisier," has received a sentence of ten years from a British court, where he was called "a one-man crime wave." He was convicted of charges related to phishing, drug sales, and other illicit online activity (Computing).
Police in Paris have arrested two teenagers for defacing a popular YouTube video. The duo, "Nassim B" and "Gabriel KAB," with the alleged respective noms de hack "Prosox" and "Kurois'h," are thought to have compromised Vevo syndication (Naked Security).
A Russian court has found Tor exit administrator Dmitry Bogatov not guilty of inciting terrorism. The court agreed that Bogatov wasn't responsible for the traffic passing through his node, and that he wasn't the author of the posts that advocated bringing an array of improvised weapons to an "unsanctioned protest" (Naked Security).
Another apparent hoarder of classified information has been found. Reynaldo Regis, formerly a contractor working at the CIA, has pleaded guilty to charges involving his having squirreled away classified notes between 2006 and 2016 (CIO).
Courts and torts.
The German intelligence agency Bundesnachrichtendienst (BND) won a victory in court as a challenge to its surveillance authority was dismissed by the Federal Administrative Court in Leipzig. The Frankfurt-based De-Cix exchange had sought to prevent the BND from monitoring traffic flowing through its data hub (SecurityWeek). De-Cix claimed that the BND was in violation of German privacy laws because some of the data swept up involved domestic German communications (SecurityWeek).
A US judge has dismissed Kaspersky's suits challenging the US Government's ban on the company's products (Computing). The company had filed two suits. One claimed (under the Administrative Procedure Act) harm to Kaspersky's reputation and sales without due process. The other asserted that the National Defense Authorization Act making the ban a matter of law amounted to an unconstitutional bill of attainder, inflicting punishment without a judicial trial. On Wednesday the District of Columbia District Court tossed both suits. Kaspersky has expressed both disappointment and intent to appeal (Federal News Radio).
Responding to a whistleblower's complaint, the US Department of Defense is auditing contracting practices involved in awards to cybersecurity unicorn Tanium. The Inspector General is looking at the Army, the Air Force, and the Defense Innovation Unit Experimental (DIUx). The IG and the Pentagon have little to say, beyond that the audit is in progress. Tanium points out that the investigation involves contracting practices, not vendor actions, and so the company isn't a party to any of this (Bloomberg).
Facebook is being sued by the small startup Six4Three. The startup sells a buck-ninety-nine app called "Pikini," said to enable you to find pictures of your Friends (Facebook term-of-art sense) in their swimwear. Facebook blocked the app in the course of its reeling around over privacy concerns, presumably on the understandable grounds that the whole thing seemed creepy, and so now Six4Three is taking the House of Zuckerberg to court (Naked Security).
Proprietors of nuisance phone-call firms (bad telemarketers and other voice pests) have hitherto been able to avoid hefty fines under British law by simply declaring bankruptcy and moving on. That's the advantage of incorporating as a limited company. This however will change, if the Department for Digital, Culture, Media and Sport has its way. A proposed change to the Privacy and Electronic Communications Regulations would make directors of such companies personally liable for the fines their activities incurred (Naked Security).
ICANN is suing EPAG, a domain registrar based in Germany that will no longer collect WHOIS information for fear of running afoul of GDPR. ICANN doesn't really have a beef with EPAG. Its stated purpose in bringing the suit is to get the EU to introduce some clarity into GDPR, especially with respect to WHOIS (Threatpost).
Google issued Chrome 67 to the stable channel Wednesday. The release included patches for thirty-four vulnerabilities (SecurityWeek).
President Trump's proposed conditions for permitting ZTE to regain access to US markets include a $1.3 billion fine, "high level security guarantees," leadership changes, and the hiring of US compliance officers (TechRadar). Relief or not, many observers think it unlikely that ZTE will return to its former glory: it's been hit hard (CNNMoney) and its shares haven't resumed trading on major exchanges (Bloomberg). Security concerns over both ZTE and Huawei persist in the US (Wall Street Journal) and elsewhere, including Canada (Globe and Mail) and Australia (Telecoms Tech News). They're just too close to Chinese security and intelligence services for many people's comfort, and there's even some sentiment in Washington that what many perceive as the Administration's current protectionist mood doesn't go far enough (TheHill). ZTE's reputation in Australia is particularly shady, with allegations in court that the company was "built to spy and bribe" (Sydney Morning Herald).
The US Department of Homeland Security's Science and Technology Directorate has issued four Small Business Innovation Research grants under the topic Automated & Scalable Analysis of Mobile & IoT Device Firmware. The four companies to receive awards are Kryptowire LLC (Fairfax, Virginia), RAM Laboratories, Inc. (San Diego, California), Red Balloon Security (New York, New York), and Sekurity LLC (Jersey City, New Jersey) (Newswise).
SoftBank Tech Fund has placed a big bet on General Motors' autonomous vehicle efforts, investing $2.5 billion in GM's self-driving car unit (Wall Street Journal). SoftBank and GM describe their thinking on the investment, and the project (TechCrunch).
Verint Systems is in talks to acquire Israeli surveillance shop NSO Group for a rumored $1 billion. NSO Group is best-known as the source of the Pegasus spyware (or lawful intercept) tool (Wall Street Journal). Some reports are calling the transaction a "merger" (CTECH). The combined company would be a very large one (CNBC). It presumably would assume the controversial reputation NSO has earned as more weapons manufacturer than security vendor (Haaretz). Citizen Lab has asked Francisco Partners, the private equity firm that controls NSO, to explain the implications of the company's surveillance tools as they're used by the governments that buy them (CTECH).
FireMon, the network security policy management shop, has agreed to acquire Lumeta, which specializes in network visibility. The acquisition is expected to close in the second quarter of this year. FireMon will operate Lumeta as a stand-alone business (FireMon).
Identity and transaction security firm Vasco has taken the occasion of a new anti-fraud platform launch to announce its rebranding as OneSpan (Globe Newswire). The company has also announced its acquisition of Dealflo, a customer onboarding shop (Globe Newswire).
DeferPanic has rebranded itself a month after closing its $1.5 million seed round. The company will henceforth be known as NanoVMs (PRNewswire).
On Thursday private equity firm Thoma Bravo announced that it had acquired a majority interest in next-generation Security Information and Event Management (SIEM) firm LogRhythm (PRNewswire). LogRhythm believes itself poised for growth (Denver Post).
Thoma Bravo has been picking up cybersecurity companies for some time; its tech portfolio includes Datatel, Digital Insight, Entrust, SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Bomgar, Barracuda Networks, Compuware and SolarWinds (Computing). One Thoma Bravo company, Barracuda Networks, is itself looking to acquisition to drive growth (Register).
Blackpoint Cyber, whose SNAP Defense platform offers "lateral spread detection and network visualization," has received a $6 million funding round. The investment is led by Adelphi Capital and Telcom Ventures with participation by the Maryland Venture Fund (PRNewswire).
Encryption specialist Virtru has secured $37.5 million in an investment round led by Iconiq Capital and joined by existing investors Bessemer Venture Partners, New Enterprise Associates, Samsung, Blue Delta Capital, and Soros Capital (VentureBeat).
CyberInt has closed an $18 million funding round led by Viola Growth, with participation by existing investors. The company specializes in managed detection and response services (PRNewswire).
Darktrace is now officially a unicorn, making Cambridge proud: just five years old and valued at $1.25 billion (Business Weekly).
E-commerce fraud protection shop Signifyd has raised a Series D round amounting to $100 million. Premji Invest led the round. Existing investors also participated: Bain Capital Ventures, Menlo Ventures, American Express Ventures, IA Ventures, Allegis Cyber, and Resolute Ventures (SecurityWeek).
Duo Security has been using last year's $70 million Series D for expansion (Silicon Prairie).
Domain5 launched Wednesday in Columbia, Maryland. The cyber risk-management shop spun out of Federal Data Systems LLC, where it had done business for six years as Nobus Technical Counterintelligence. Domain5 will "help organizations quantify, understand, and manage cyber risk" (BusinessWire).
Also on Wednesday Tel Aviv-based Vulcan Cyber announced a $4 million seed round. The company offers a "continuous remediation" platform (BusinessWire).
Brinks is buying Dunbar Armored for $520 million. The two "cash management" companies are best known for their armored cars, but both firms also have cybersecurity units (Daily Record).
Having itself endured an anti-trust case two decades ago, Microsoft offers Facebook some unsolicited advice about how a company needs to act once it's no longer a start-up. A grown-up company needs to be more willing to compromise, more alert to the possibility that it's arousing anti-trust sentiment, and aware that a failure to exercise certain forms of self-control will bring regulation down on its head (CNBC). Facebook's COO Sandberg says the company didn't see the Cambridge Analytica trainwreck coming because it was focused on the wrong kinds of threats, that is, old threats (TechCrunch).
Google is conflicted about doing business with the US Department of Defense, and even more conflicted about the ways in which folkloric anxieties about artificial intelligence could hurt the company's image and bottom line. Other large companies are not so shy (CNBC). Microsoft, for one, which just picked up a big US Intelligence Community cloud contract and is positioning itself for an even bigger piece of Defense IT, is on its way to a $1 trillion valuation (Financial Times). And it's now bigger than Google, again (Mashable).
Today's issue includes events affecting Australia, Canada, China, European Union, France, Democratic Peoples Republic of Korea, Russia, Ukraine, United Kingdom, and United States.
In addition to the Hacking Humans podcast, Research Saturday is up. This week we hear about Flashpoint's study of the dissemination of Islamic State propaganda from Ken Wolf.