In today's Daily Podcast we hear about the ongoing story of the MedStar Health hack, which anonymous sources say was ransomware. The incident remains under investigation. We hear about ransomware's evolution, from Tripwire and others. Big Law finds itself in the crosshairs of a Russian (or Ukrainian?) cyber gang. The Justice Department hints at more litigation over decryption. We talk to the University of Maryland's Markus Rauschecker about the NIST Framework, and we finish our conversation with Zimperium about their successful experience integrating their mobile security solution with a big telecom's services.
Dave Bittner: [00:00:03:13] More on the MedStar Health hack. Although no one's talking on the record, off the record it's looking a lot like ransomware. Ransomware continues to evolve in effectiveness and in popularity among cyber criminals. An Eastern European gang is after Big Law's data and it wants to use it for illicit stock trading. As the FBI says it's opened that jihadist's iPhone, Apple wants to know how, and the Justice Department signals more litigation over decryption may be in the barrel. And Scotland Yard thinks you'd all be more careful if your bank didn't compensate you for losses to online fraud.
Dave Bittner: [00:00:38:08] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cyber security skills up to date, with engaging and informative videos. For a free seven day trial and to save 30%, visit itpro.tv/cyber and use the code CYBER30.
Dave Bittner: [00:01:00:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 30th, 2016.
Dave Bittner: [00:01:06:18] MedStar Health continues its recovery from the malware infection it sustained Monday. The hospital system, whose operations in the Baltimore and Washington areas are most directly affected, has been using backup paper records to continue patient care. Investigators, including investigators from the FBI, remain tight-lipped about details of the case. But as usual, anonymous sources close to the investigation, but not authorized to speak, are telling the press, anonymously, that the malware that hit MedStar was ransomware.
Dave Bittner: [00:01:37:13] There are plenty of possible ransomware variants under speculative suspicion, prominent among them being server-side malware SamSam and Maktub. PowerWare, the recently discovered and unusually vicious strain that uses innocent-looking Word files with malicious macros as vectors, is also being mentioned by observers. In the MedStar case, this remains speculation. What isn't mere speculation is the increasing interest ransomware controllers are taking in healthcare targets.
Dave Bittner: [00:02:05:16] Understandably, there's much advice circulating this week on protecting yourself from ransomware, including the usual counsels about backing up files and developing emergency plans for continuity of operations. Various good actors are offering protective measures, too. Bitdefender, to take one public-spirited example, is offering a free tool it says will provide protection against Locky, TeslaCrypt and CTB-Locker. Essentially the tool stops ransomware installation routines by communicating, falsely, that the targeted system is already infected. But note that such tools have an inherently short shelf-life, and that continued vigilance is required.
Dave Bittner: [00:02:44:00] Symantec has found a new cyber espionage Trojan, Backdoor.Dripion. Most of its targets are in Taiwan, and so we leave attribution as an exercise for the reader, but infestations have also been reported in Brazil and the United States.
Dave Bittner: [00:02:59:22] Cheetah Mobile reports discovering a remote execution vulnerability in the Truecaller phone call management app. There's more information on the bug, at Cheetah Mobile's blog at cmcm.com.
Dave Bittner: [00:03:12:19] Today we finish our discussion with another firm in the business of securing mobile devices. Zimperium's John Michelsen describes their experience developing and integrating their mobile security solution with Deutsche Telekom's services. According to Michelsen, from the outset it was critical that they build their tools with integration in mind.
John Michelsen: [00:03:31:15] You have to architect for extensibility. If we had made the mistake of not having an extensible architecture, then we would end up with a Deutsche Telekom version of all our software and then they made the other telco version of all of our software, and then our version that we sell directly, and then here's that end customer where we've-- and, and that would create an unmanageable mess where there would be incredibly high cost of change for us, and it would impact our ability to innovate. It would slow down our pace of change. We obviously don't want that. We're in a market that is still nascent and evolving. There are so many ways that our product needs to live within the ecosystem of our customers, that extensibility is really, really key.
Dave Bittner: [00:04:16:23] It's natural, says Michelsen, to be cautious when partnering with a massive company like Deutsche Telekom.
John Michelsen: [00:04:23:06] Make sure you're working with a partner who's committed to being friendly to partners, that's proven in the past that they've been friendly and responsible partners. And then work at sufficiently high enough level in the organization that, that these votes take that seriously. Right? They, they carry responsibility, they know that it's their job to do a good jo-- to do-- to be responsible with partnering and I think you'll be fine. We feel squeamish talking to partners at the level we do but it's the only way for them to know that you're the wrong partner for them to cheat. Right? And so we're in this together at the end of the day. So you really can't hide things from them. So it's a, it's a tough one, you've got to be careful, but at the end of the day you've got to do it and you've got to take some businessfirst.
Dave Bittner: [00:05:03:01] Zimperium's website is zimperium.com.
Dave Bittner: [00:05:07:07] Law firms take note. A Russian gang is after your clients' data. Or it may be a Ukrainian gang. The evidence is ambiguous. 46 of the biggest US firms and two members of the UK's "Magic Circle" are apparently being prospected for data that could enable the gang's so called "mastermind" the ability to execute profitable, and illicit, algorithmic trades in stock of companies undergoing mergers and acquisition. The FBI also has this one under investigation.
Dave Bittner: [00:05:35:21] And as if the FBI didn't already have enough on its plate, the Bureau continues to do whatever it's doing to the San Bernardino jihadi's iPhone. But Apple has served notice that it wants to know however the Bureau did whatever in fact it did to get into that phone.
Dave Bittner: [00:05:50:22] Looking across the Atlantic, we see that the Commissioner of the Metropolitan Police has told banks they shouldn't compensate customers who are the victims of online fraud. Doing so only rewards carelessness. Maybe if people lost their money, they'd be more sensible and responsible in the future, says Scotland Yard. And that sounds exactly like something Inspector Lestrade would have said to Sherlock Holmes. So caveat investor, patch your systems, back things up, and keep your eyes on your virtual poke, sir.
Dave Bittner: [00:06:24:14] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:06:44:14] Joining me once again is Markus Rauschecker. He's from the University of Maryland's Center for Help and Homeland Security. They're one of our academic and research partners. Markus, back in 2014, NIST released their cyber security framework. Tell us about that.
Markus Rauschecker: [00:06:57:05] Yeah, so the President Obama ba-- in 2013 actually already, issued an Executive Order, Executive Order 13-636, and that required NIST to create the Improving Critical Infrastructure Service Security framework. So the framework is a really big deal. It was created by NIST by bringing together thousands of stakeholders from every level, from the government level, from the private industry level and from academia and these thousands of experts got together to create this framework that is a collection of existing standards, guidelines and best practices that any organization really can use to improve their critical infrastructure. We've seen that, since its creation, the framework has been adopted by many companies and many organizations. There's been a vow to use the framework to help their cyber security efforts. And overall, I would say that the framework has been a big success.
Dave Bittner: [00:07:50:01] Yeah, I mean, one of the remarkable things about it is that the response has been overwhelmingly positive.
Markus Rauschecker: [00:07:55:11] Absolutely. The response has been overwhelmingly positive. Like I said, we, we see big companies, like Apple and Bank of America, but also companies in the critical infrastructure sector and really organizations across the board using the framework and implementing the framework for their purposes. And, and this doesn't just apply to the private sector. Government is using this too. We've seen Congress endorse the framework in the recent Cybersecurity Enhancement Act of 2014. We're seeing state governments implementing the framework in their state-wide IT plans. We're also seeing that in the private sector use of the framework is becoming part of any contractual agreement between organizations that will work together. So a condition of working together might be that companies are implementing the Service Security framework.
Dave Bittner: [00:08:43:05] Has the framework shown up in the courtroom yet? Has it been tested there?
Markus Rauschecker: [00:08:46:14] That is really another important piece of it. So the framework itself is voluntary and it's really important to note that it is voluntary. No-one is required to use the framework. But there's a sense that once there are lawsuits against organizations for data breaches, for example, I mean, we've seen inevitably that there are a lot of lawsuits that come out of these kinds of cases, and there's a sense that courts may start looking to the framework to establish a standard of care by which companies and other organizations have to behave. Given that there's no comprehensive standard of care out there and no law that courts can look to really clearly see what the standard of care is that a company should implement, there's a sense that courts may end up looking to the framework to, to really set that bar, to, to establish the standard of care by which a basic negligence claim is going to be decided.
Dave Bittner: [00:09:40:07] Markus Rauschecker, thanks for joining us.
Dave Bittner: [00:09:44:11] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
This CyberWire podcast is made possible by the generous support of ITProTV: *the* resource to keep your cyber-security skills up to date with engaging and informative videos. For a free 7-day trial and to save 30%, visit itpro.tv/cyber and use the code CYBER30.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance.