In today's podcast we hear more about possible other instances of fraudulent messaging in the SWIFT financial transfer network. We discuss an active Android ransomware campaign that appears to be using old Hacking Team exploits. US DNI Clapper thinks the acceleration of encryption, post-Snowden, really hasn't been a very good thing, and calls for a balance between privacy and security. The US continues to ramp up its cyber offensive against ISIS. Joe Carrigan from the Johns Hopkins Information Security Institute tells the tale of a scammer strung along.
Dave Bittner: [00:00:03:10] There may be more to SWIFT exploitation than just the Bangladesh Bank heist. An active ransomware campaign is targeting older Android devices. The US Military, like everyone else, is concerned about third-party cyber risk. Belgium asks for more EU monitoring of social media for terrorist traffic and the US Director of National Intelligence says Snowden accelerated the advance of commercial strong encryption by at least seven years (and that, coming from DNI Clapper, is not a letter of recommendation).
Dave Bittner: [00:00:34:07] This podcast is sponsored by SINET, the security innovation network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at security-innovation.org.
Dave Bittner: [00:00:56:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday April 26th, 2016.
Dave Bittner: [00:01:03:07] Reuters, which says it's seen a confidential report SWIFT circulated privately to its customers yesterday, reports that the international financial transfer network has warned that the Bangladesh Bank cyber robbery wasn't unique in exploiting software vulnerabilities to mask fraudulent transactions, what they referred to as "malicious insiders or external attackers" have submitted bogus messages to the SWIFT network on more than one occasion, according to Reuters' account of that warning.
Dave Bittner: [00:01:30:24] Observers think that one lesson to draw from the robbery is the importance of watching closely what goes on inside an enterprise’s perimeter. If an attacker gets in they've become functionally indistinguishable from an insider, and they shouldn't be allowed to romp freely. So the recommendation is that enterprises should be aware of, monitor and control what goes on inside their perimeter, look for lateral movement, privilege elevation and so on.
Dave Bittner: [00:02:34:17] The ransom demand is communicated through a truly implausible screen to purports to be from the "Cyber Police" of the "American national security agency." The "Cyber Police" have found that "all actions are illegal are fixed" (whatever that may mean) and that if you don't pay your fine by the deadline then Cyber Police will rat you out the "U.S. Department of Homeland Security." So there, you offender, you. By the way, the ransom is $200 which the Cyber Police of the American national security agency agency have thoughtfully agreed to accept in the form of iTunes gift cards.
Dave Bittner: [00:03:09:15] In the US senior military officers hint obliquely about concerns that foreign intelligent services could compromise defense supplier networks. Details beyond the public statements are understandably sensitive and being closely held, but the concerns seem similar to the third party risk worries that are widespread among commercial enterprises.
Dave Bittner: [00:03:29:04] The US Cyber campaign against ISIS also proceeds apace. Its objectives remain first to inhibit ISIS recruiting, second to damp down jihadist inspirational propaganda and third to interdict electronic cash transfers into the caliphate. An overarching goal is to deprive ISIS of its semblance of legitimate sovereignty by undermining "lower level extremists" sense of security. A caliph who can't protect his subjects is not much of a caliph at all.
Dave Bittner: [00:03:56:09] US Director of National Intelligence, James Clapper, said yesterday at a breakfast session hosted by the Christian Science Monitor, that Edward Snowden's leaks accelerated the development and widespread dissemination of commercial encryption by about seven years. "From our standpoint it's not a good thing," he said, making the now familiar point that encryption has been, or at least might have been, used by terrorists to secure their communications from collection by intelligence services. He went on to call ISIS "the most sophisticated user by far of the Internet," and that they've secured their communications with commercially purchased encryption. "Most sophisticated user by far of the Internet" seems construed literally to be a stretch, more sophisticated, for example, than Google or Facebook or, for that matter, SWIFT? Or more sophisticated than Russia's FSB? But construed charitably, it does indeed seem true that ISIS has so far been unusually effective at online inspiration. In any case DNI Clapper closed with a call for striking an appropriate balance between legitimate concerns for privacy and legitimate concerns for security.
Dave Bittner: [00:05:02:19] Turning to industry news, the SecureWorks IPO still shows no more than a dead cat bounce. Investors in cyber security are clearly looking beyond a story stock's story, and want to see profits and cost control.
Dave Bittner: [00:05:15:21] And finally, to return to the Bangladesh Bank heist, the criminals behind the fandation (as they inadvertently spelled their foundation) that received the $81 million taken from the Bangladesh Bank remain unknown and presumably at large. Perhaps they'll eventually be collared with the help of alert proofreaders like those at Deutsche Bank who stopped the theft short of its $951 million goal. Happy editing, English majors. And schoenen dank, Deutsche Bank.
Dave Bittner: [00:05:50:00] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:06:13:24] And joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute, one of our academic and research partners.
Dave Bittner: [00:06:21:04] Joe, you've got a great story to share. One of your colleagues at Hopkins sort of had an inside view of a scammer recently.
Joe Carrigan: [00:06:29:00] That's correct, at the Information Security Institute, we have a very smart and capable network engineer by the name Chris Venghaus and he got a phone call one day that was somebody from Microsoft telling him that he had a virus on his computer. Now Chris actually is an Apple user and doesn't have a Microsoft computer, so realized exactly what it was the moment he heard the person's voice on the other end describing the problem to him. Being as quick-thinking as he is, he immediately went over to his ESXi machine which is a VMware product and created a new virtual machine.
Dave Bittner: [00:07:03:07] Just for our listeners, what's a virtual machine?
Joe Carrigan: [00:07:05:16] A virtual machine is a computer that runs in software. So what you get is shared resources and these computers exist only in the memory of the ESXi device.
Dave Bittner: [00:07:16:15] So it's a way to build sort of a simulated computer that is self-contained and insulated from the rest of the world, yes?
Joe Carrigan: [00:07:23:22] Correct. You can do whatever you want with it actually. It's actually very powerful and an excellent way to virtualize systems.
Dave Bittner: [00:07:31:03] Alright, so your colleague jumps on this virtual machine. What happens next?
Joe Carrigan: [00:07:34:18] He installs the screen sharing software that the guy tells him to install. The guy takes control of the machine and opens up a command prompt and says, "I'm going to do a scan of your computer." And he just types a tree command, which if you run from the root directory of a drive will list all of the directories, sub-directories and files that are contained on that drive. Now while this is running, he starts typing again and he types the words "virus found."
Dave Bittner: [00:08:04:21] This is the bad guy typing?
Joe Carrigan: [00:08:05:19] This is the bad guy, correct. And he hits control C which effectively stops the tree command from running and down at the bottom there is a message that he has typed that says "virus found." Now, no viruses have been found, tree doesn't scan for viruses it just lists the contents of your drive.
Dave Bittner: [00:08:23:15] So it made it look like there's a whole lot going on on this system, even though it was completely benign?
Joe Carrigan: [00:08:27:23] Right, to the uninitiated it might look scary, but to us it was laughable.
Dave Bittner: [00:08:34:18] So what happened next?
Dave Bittner: [00:08:36:19] Chris actually did a very good job of keeping this guy on the phone for about two hours and eventually when it came time for Chris to enter his credit card information, Chris turned off his network connection and said, "Oh my Internet just went down." [LAUGHS] It's actually wasted two hours of this guy's time, preventing him from scamming somebody else.
Dave Bittner: [00:08:55:17] [LAUGHS] Turnabout is fair play.
Joe Carrigan: [00:08:57:07] Correct.
Dave Bittner: [00:08:58:05] But it's a good lesson to our listeners that this is the kind of thing you need to be careful about.
Joe Carrigan: [00:09:03:05] Correct. Yeah, Microsoft will never call you and say, "Hey you have a virus on your machine." When you get that call, just hang up. I mean Chris took the opportunity to play with this guy and investigate, because Chris knows what he's doing and can stand up a virtual machine that he can then instantaneously destroy and have no ill effects. If someone's not an expert and doesn't know what they're doing, then they can wind up installing software on their machine that they don't want having installed. You're giving control to your machine to these people, at some point in time and if it's a disposable machine, that's fine, but if it's actually your machine, that's probably bad.
Dave Bittner: [00:09:33:11] Alright, words to the wise. Thanks Joe, for joining us.
Joe Carrigan: [00:09:36:11] My pleasure.
Dave Bittner: [00:09:39:16] And that's the CyberWire, for links to all of today's stories, visit thecyberwire.com. And while you're there subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Wide Angle Youth Media is a non-profit that provides free media education to Baltimore youth to tell their own stories and become civic leaders. Learn, watch, and connect at wideanglemedia.org.