In this podcast, we look back at a week of ransomware. The FBI succeeds in unlocking the San Beranardino jihadist's iPhone without Apple's help (and Apple like the rest of us would like very much to know why). Policymakers consider their alternatives in cyber conflict, and they run from lawfare to warfare. Tay's briefly let out of her room, but quickly sent back (and that's no April Fooling).
Dave Bittner: [00:00:03:21] As MedStar recovers, experts consider the consequences of ransomware, and lessons from some recent infestations. Cyber conflicts between nations prompt considerations of both warfare and lawfare. We hear from experts in privacy law and the history of cryptowars, and, yet again, Microsoft's chatbot Tay has been bad.
Dave Bittner: [00:00:27:06] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date with engaging and informative videos. For a free seven day trial and to save 30 percent, visit itpro.tv/cyber and use the code CYBER30.
Dave Bittner: [00:00:50:11] I'm Dave Bittner in Dallas, with your CyberWire summary and week in review for Friday April 1st, 2016.
Dave Bittner: [00:00:58:11] MedStar, a healthcare system whose operations are centered on Baltimore and Washington, continues its recovery from the attack it sustained over last weekend. The healthcare provider sustained a ransomware attack at the beginning of the week that locked personnel out of electronic health records and other systems. By midweek the hospital system was able to restore care provider access to EHRs and related systems, but complete remediation remains an ongoing process.
Dave Bittner: [00:01:25:12] The particular strain of ransomware involved is said to be Samsam, also known as Samsa and MSIL. Documents obtained by the Baltimore Sun indicate that the hackers demanded $18,100 (payable in Bitcoin) for complete decryption of all affected files. Lesser amounts would buy, the ransom demand said, lesser levels of recovery. The amount is noteworthy. Hollywood Presbyterian, the last high-profile hospital victimized by ransomware, paid $17,000 to obtain decryption of its files from the attackers, so apparently this is how the criminal market is currently being set.
Dave Bittner: [00:02:04:05] Samsam is one of several ransomware variants in circulation. Others include Petya, which encrypts a victim machine's master boot record with a fake CHKDSK prompt, and the related CryptoLocker, TeslaCrypt, and Locky strains.
Dave Bittner: [00:02:18:23] Much criminal effort seems devoted to making ransomware more evasive and difficult to detect. Tim Erlin, director of IT security and risk strategy for Tripwire, offered these observations on the trend: “Ransomware authors are always trying to evolve to avoid detection, and using built-in Windows capabilities makes the malicious activity less noticeable. This ransomware may change its encryption technique, but it still requires an entry point onto the system. Malicious Word files sent through emails and the use of Microsoft Office macros is a very old vector for this new malware.”
Dave Bittner: [00:02:55:01] PowerWare, another recently discovered ransomware variety, this one featuring fileless infections, has also been observed in healthcare networks. But it's also turned up in a new series of crimes, those keyed to US income tax season - cyber criminals are reported to have begun using PowerWare against records taxpayers need in order to file.
Dave Bittner: [00:03:15:14] As always, the best insurance against ransomware's more devastating effects remains regular, secure, offline backup of important files. Sound digital hygiene, server hardening, and intelligent application of security products can help prevent ransomware infections. In particular, attention to patching can "blunt," as Recorded Future puts it, many ransomware attacks.
Dave Bittner: [00:03:38:12] But since well-resourced enterprises continue to fall victim to ransomware attacks, it's worth recalling that the criminals also adapt, and aren't without their own resources.
Dave Bittner: [00:03:48:12] Craig Young, a Tripwire computer security researcher, commented,“No protections against ransomware will ever be 100 percent effective at preventing an infection. The best defense is and always will be a comprehensive offline backup strategy and a proper disaster recovery plan. While AV tools can look for crypto API calls or patterns related to implementing crypto algorithms, this is a cat and mouse game where attackers generally have the upper hand.”
Dave Bittner: [00:04:15:23] So, not impossible, but there's no easy solution, either. Among the well-resourced enterprises that have been affected by ransomware include, according to the US Department of Homeland Security, some two dozen US Federal agencies since last July alone.
Dave Bittner: [00:04:31:07] It's not yet known who was responsible for the attack on MedStar, but linguistic evidence in the extortion communications suggest a range of usual suspects - criminal gangs operating, probably, from Eastern Europe. Michael Daly, CTO of Raytheon Intelligence, Information and Services, commented on the appropriate response to such attacks, if indeed they come from overseas.
Dave Bittner: [00:04:54:04] "In the last two years," he said, "we have seen an increased use of international legal frameworks that hold individuals and their countries responsible for crimes like the one against MedStar Health by engaging law enforcement in the source countries and charging those responsible. The U.S. law enforcement community has taken admirable action recently with charges being brought against individuals in Iran and Canada. The hackers in this case should take note."
Dave Bittner: [00:05:20:00] Daly's comments might prompt some reflection on international cyber conflicts, their prevention, management, and resolution. Since the cyber domain now constitutes a central theater for conflict between states, various governments are working on cyber capabilities as they seek to evolve a deterrence regime.
Dave Bittner: [00:05:38:16] This is going to be a different problem than that involved with nuclear deterrence during the Cold War. Attribution is difficult. A missile launch or an inbound flight of bombers are, relatively speaking at least, much less ambiguous events than cyber attacks, which offer all sorts of opportunities for false flags, deniable operations, and so on. And, as we've had occasion to point out before, the little discussed cyber Tonkin Gulf incident is at least as likely as the much discussed cyber Pearl Harbor.
Dave Bittner: [00:06:10:22] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:06:30:17] Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben Yelin: [00:06:36:24] Ben, we have programs like the call detail records program and there are people who lean towards being civil libertarians and they like to see these programs overturned. But it's not so easy. What are some of the barriers keeping them from doing that?
Ben Yelin: [00:06:53:16] So I think the biggest barrier is this legal concept of standing. Standing just in its most basic form means that in order for a person to sue someone they have to have some stake in the outcome. So if I see you trip on the street, and you wanted to sue the government, I couldn't sue the government because it didn't happen to me. I didn't suffer some sort of injury.
Ben Yelin: [00:07:14:12] In the context of these programs, it's very hard to prove that you yourself were the target of a search. For one, the programs are very secretive so it's very unlikely that you would find out if you were being searched, and two, there's just a whole universe of data. It's very hard to pinpoint exactly which data the NSA is using for their ongoing investigations. And without knowing that you yourself have been the target of a search, it's very hard to argue that you have standing in a court of law.
Ben Yelin: [00:07:50:06] So I think there are ways of getting around that. There's a case Clapper v Amnesty Internationalwhich was a very bad case for civil libertarians that basically ruled that it was too attenuated to claim that you have standing just because your information may have been collected by the Federal government.
Dave Bittner: [00:08:09:16] So how are they being challenged then?
Ben Yelin: [00:08:12:02] So the challenges are usually bought by civil liberties groups who express some sort of general interest, or people who think that they can claim with some amount of certainty that their communications have been searched. So for example, one of the major call details cases, a gentleman by the name of Larry Klayman was a Verizon subscriber and the government, as part of the Stone leak, seemed to admit that all Verizon subscribers had their information collected as part of the bulk data collection program.
Ben Yelin: [00:08:46:08] The government argued that well, we're collecting all that information, but it's not necessarily all being searched. But the court in that case found that even though it wasn't being searched, to do some sort of online query you necessarily have to search through everybody's information so if you have a million phone numbers and you're searching for one, you have to search through that entire list. So in that case Mr Klayman, who was a Verizon subscriber, was able to convince the court that he did have some sort of legal standing.
Ben Yelin: [00:09:18:13] The government has sort of tried to push back against that by making a claim that has since been put into question that not all phone records are actually being collected. I think it was a couple of years ago they leaked to the Washington Post that only 30 percent of calls are actually being collected, and I think the reason they made that leak was to hint that a person can't establish standing because they don't know if their phone number was part of that 30 percent that was being collected.
Ben Yelin: [00:09:49:00] At least the judge in this case that I was referring to which was Clayman v Obama was not having it. Was saying that the NSA was being duplicitous in making that argument.
Dave Bittner: [00:09:58:06] Ben Yelin, thanks for joining us.
Ben Yelin: [00:09:59:21] Thank you.
Dave Bittner: [00:10:03:23] This edition of the CyberWire podcast is brought to you by Bob's House of Random Numbers, offering discount certified refurbished random numbers for over a decade. When you need a random number real bad, we've got a real bad random number. Online at checkyourcalendar.com.
Dave Bittner: [00:10:31:06] The US indicted, as expected, seven Iranian nationals said to have worked on behalf of Iran's government, for various cyber crimes that included the now famous reconnaissance of the Bowman Street dam in Rye, New York, as well as a range of attacks on US financial institutions. There's of course little prospect of bringing the accused to trial, but that's not the only desired outcome. The US has adopted a name-and-shame policy in its legal actions against agents of foreign governments.
Dave Bittner: [00:10:58:17] "Shaming" here may well be metaphorical. One doubts that anyone operating on behalf of Iran's Revolutionary Guard would regard a US criminal indictment for patriotic hacking as anything other than a badge of honor. But an indictment may well give a state-hacker pause. More than one hacker has been nabbed and extradited from a vacation spot.
Dave Bittner: [00:11:19:16] The dispute between Apple and the FBI over the unlocking of the San Bernardino jihadist's iphone may have been put on hold for now but many observers see it as reigniting the crypto wars - a battle first fought decades ago back in the 90s. Stephen Levy is editor in chief of the online site Backchannel, and the author of a number of books including Hackers, Heroes of the Computer Revolution, and Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age. He caught our eye with a recent article in Backchannel titled, Why are we fighting the Crypto Wars again? I spoke with Stephen Levy by phone earlier this week.
Stephen Levy: [00:11:56:08] I've been really struck by how much this flap between Apple and the US government has brought up a lot of the tropes and some of the exact language in terms of the arguments, of a battle that I chronicled in the 1990s, known as the Crypto War. The whole thing sprang from these discoveries made in the mid 1970s by private researchers. Before then pretty much all research about cryptography was either done by the government or someone did it privately. The US government had the power to declare it classified. Researchers couldn't even get access to their own papers when that happened.They couldn't share them with their colleagues or even in some cases, with themselves.
Dave Bittner: [00:12:46:06] The original crypto wars ended with the government acknowledging that code and crypto were a form of speech. Cryptography was officially legal.
Stephen Levy: [00:12:55:00] So the big things that happened after that war reached a stand down let's say, were of course 9/11 which just increased their surveillance stake, but then there's also the Snowden revelations which increased awareness of the surveillance stake. And an unease about it. Now also there was the explosion of mobile technology. We have our things with us all the time, so in a way we need even more protection.
Dave Bittner: [00:13:22:20] But was the government really completely comfortable with strong encryption? While researching an article for Wired magazine, Levy was invited to visit the NSA.
Stephen Levy: [00:13:31:22] The NSA has two responsibilities. One is to capture signals intelligence as they're called, to capture messages that might be of value to national security. And the second is to protect the communications of Americans both governmental and non-governmental. I felt that they really didn't do a very good job in the second one. They were concentrating on the offensive side of the coin, but not so much the defensive side of the coin.
Stephen Levy: [00:13:58:13] They were OK with a certain degree of encryption, but up to the line where they needed to read it. They said, "OK well we're fine with this. We're fine to have it built into every browser, and things like that." And probably you can get an indication of what they were able to break by what they let go by.
Dave Bittner: [00:14:16:16] When considering what was the FBI's case against Apple, Levy says it's important to remember that encryption is widely available from a variety of sources. Not just the version that comes built in to a particular device.
Stephen Levy: [00:14:28:06] If Apple said "Yes, we're able to give the government the use of the phones there" that wouldn't solve the problem. There was a really interesting transcript which the government made available to people, showing a couple of would-be terrorists talking. They were people planning terrorist attacks. And they were just discussing what communications to use and one of them said to the other, "Let's use the Apple phone because that's something the government can't get into." And the government is using that as an example of saying, "This is why we can't have this." But actually it's quite the opposite example. It shows that people considering committing horrible acts are taking a look at what is breakable, at what is going to be turned over to the government, and what is not going to be turned over to the US government.
Stephen Levy: [00:15:15:14] So if the US government had its way with Apple, that conversation would have gone quite differently. They would have said, "No, don't use the Apple phone. The government gets access to that. Let's use Turing or some other system that the government can't get."
Dave Bittner: [00:15:29:13] I asked Stephen Levy where he thought this latest round of crypto wars would leave us.
Stephen Levy: [00:15:34:06] There's a pretty good chance that we're going to reach the same outcome we did before, and the NSA's going to figure out how to get hold of what it really needs to get hold of. The law enforcement entities are not going to be too happy because they're not going to be able to get the mass of access to communications that they would have, had they not been encrypted by default there. I think mainly that's what they're talking about.
Stephen Levy: [00:15:57:06] There used to be a phrase in the '90s that if crypto was outlawed, only criminals would have crypto, meaning that default things that most of us use won't be safe, but the systems that are harder to use but readily available around the world will be adopted by criminals and people committing horrible acts.
Dave Bittner: [00:16:16:00] He added that there are some areas where more encryption, not less, could help make us safer.
Stephen Levy: [00:16:21:22] You know, there's a big national security argument to be made for stronger default encryption here. Our national infrastructure is vulnerable. If dark-side hackers or threat actors from overseas break into them there. So we really should be looking about using more of these encryption technologies to batten down our infrastructure and other things, rather than leave zero-day exploits unreported, so intelligence agencies and law enforcement agencies can take advantage of them.
Dave Bittner: [00:16:54:14] Levy says that in the end, encryption is here to stay and that means law enforcement will come to rely on other methods of gathering information.
Stephen Levy: [00:17:03:00] But you can't lock up math. You're not going to get rid of encryption. Ultimately the government in a very practical sense is going to figure out how to get as much as it can, how to break as much as it can, get access to as much as it can, and it's like lots of other ways to get hold of things besides breaking keys will go on.
Dave Bittner: [00:17:24:13] Stephen Levy writes online at backchannel.com.
Dave Bittner: [00:17:29:11] Although we're here in Dallas for the Women in Cybersecurity Conference, we'd like to close with a shout out to this weekend's regional finals in the Collegiate Cyber Defense Competition. The Mid Atlantic rounds are being held today and tomorrow in Baltimore at the Johns Hopkins University. Good luck, and good hunting to the competitors.
Dave Bittner: [00:17:47:08] And finally, Tay, that potty-mouthed chatbot, made a brief return to social media this week as Microsoft let the teenage-emulator out of her room on an evident promise of good behavior. But while Tay's language had cleaned up, her behavior hadn't, as she ruthlessly spammed her followers. So back to the room, grounded from Twitter indefinitely. Well, if you build a teenage emulator, we suppose you should count it a success if the emulator emulates a teenager.
Dave Bittner: [00:18:19:07] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
This CyberWire podcast is made possible by the generous support of ITProTV: *the* resource to keep your cyber-security skills up to date with engaging and informative videos. For a free 7-day trial and to save 30%, visit itpro.tv/cyber and use the code CYBER30.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance.