In today's podcast we hear that the Dutch financial sector is well on its way to recovering from the recent DDoS wave, which could be the work of anyone from teenaged skids to some nation's intelligence service. Lizard Squad may have a connection to Mirai. The reptiles are also getting into the coin mining business. Patient phishing relieves IOTA cryptocurrency users of the contents of their wallets. UK's Snooper's Charter smacked down by High Court. US House Intelligence Committee votes to release classified memo on surveillance. Jonathan Katz from UMD on the “fuzzing” of private healthcare information. Guest is Michael Simon from Cryptonite with results from their 2018 Health Care Cyber Report. US military personnel get an OPSEC lesson on Strava.
Dave Bittner: [00:00:00:17] We've got good news for those of you who like to stay informed via Talking Cylinders, of course the CyberWire podcast is available on all of those. But also, you can add the CyberWire to your flash briefing if you have an Amazon Alexa, you can add the CyberWire to your flash briefing and move it to the top of your news, using the settings in your Alexa app and then you can say, "Alexa, what's my flash briefing?" or "Alexa, what's in the news?" to hear your CyberWire daily briefing. Hopefully it won't put me out of a job.
Dave Bittner: [00:00:32:04] The Dutch financial sector recovers from a DDoS wave which could be the work of anyone teenage skids to some nation's intelligence service. Lizard Squad may have a connection to Mirai, the reptiles are also getting in the coin mining business. Patient phishing relieves IOTA cryptocurrency users of the contents of their wallets. UK's Snooper's Charter is smacked down by High Court. The US House Intelligence Committee votes to release a classified memo on surveillance and US military personnel get an OPSEC lesson on Strava.
Dave Bittner: [00:01:09:03] And now some notes from our sponsor, Cylance. You've heard of a Emotet, the banking trojan that reemerged at the end of 2017 to trouble online banking customers. For now it's hitting financial institutions, mostly in Austria and Germany, but even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well, don't get cocky kid, your language community could well be in the on deck circle. The new Emotet has a bad new dropper, it knows when you're sandboxing it and it evades attempts to analyze it. Fortunately you're in luck, no matter where you are, Cylance can protect you, check out Cylance's blog post about Emotet at cylance.com. That's Cylance and we not only thank them for sponsoring the CyberWire, but we suggest you head on over to Cylance.com for the skinny on Emotet.
Dave Bittner: [00:02:05:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner from scenic Maple Lawn, Maryland, just outside of Baltimore, with your CyberWire summary for Tuesday, January 30th, 2018.
Dave Bittner: [00:02:17:16] The Coincheck hack is looking costly for the exchange that was victimized late last week. The exchange has pledged to repay about 90 percent of the funds people lost when NEM coins were looted from hot wallets. The amount to be repaid is thought to amount to some $425 million of the estimated $530 million stolen. This looks to us like 80 percent, but every news source covering the story calls it 90 percent, so we assume either the estimated losses are lower or the estimated repayments are higher. In any case, $435 million is a lot.
Dave Bittner: [00:02:54:00] Japan's Financial Services Agency, FSA, has ordered Coincheck to improve its cybersecurity. The exchange is still in operation, the trading it suspended Friday did not include Bitcoin trades, so the security upgrades have a serious purpose. They're not likely to be cheap, either. The incident is prompting regulators worldwide to consider tighter control over cryptocurrencies and speculation therein.
Dave Bittner: [00:03:19:00] Over the weekend and continuing through yesterday, the Dutch financial sector was subjected to a serious round of distributed denial-of-service attacks. The Dutch revenue service and several of the country's major banks were affected. ING, the Netherlands' largest bank, was hit Sunday evening. The country's third largest lender, ABN Amro, sustained three attacks over the weekend, augmenting the four others it had sustained over the past week. Rabobank, the second largest Dutch lender, underwent an attack that began Monday morning. All three banks are in the process of recovering normal operations and that recovery seems now substantially complete. Customers would have noticed problems with website availability. There's no evidence any systems were breached or data lost. Also targeted with a denial of service attack was the Dutch Revenue Service, whose website went down for a relatively brief ten minutes. The Netherlands' Ministry of Justice and Security said the attacks were "very advanced," but that the banks showed a reassuringly high degree of defensive preparation.
Dave Bittner: [00:04:22:12] There's no attribution or suspected motive in the attacks, the Ministry of Justice and Security said. But researchers at security firm ESET say they observed that the command-and-control servers for the botnets used in the attacks were for the most part located in Russia. That doesn't say much about motive. As ESET points out, the attackers could have been anyone from bored teenagers in it for the lulz to a state security apparatus either sending a message or engaging in misdirection.
Dave Bittner: [00:04:51:09] And speaking of skids in it for the lulz, teenaged or otherwise, the Internet-of-things security company ZingBox has released a report on the Lizard Squad that connects it to the Mirai botnet. The researchers conclude that there's a connection after all between the Mirai botnet and the notorious and for the most part incarcerated, skids at Lizard Squad, well-known for their attacks on gaming systems like Playstation and xBox Live, as well as for their LizardStressor distributed denial-of-service service.
Dave Bittner: [00:05:20:15] ZingBox found four "distinct activities" that link Lizard Squad with Mirai: First, Mirai source code was publicly released nine days after the arrest of Lizard Squad founder Zachary Buchta, Second, the Ukrainian hosting provider Blazingfast was used by both the authors of Mirai and by the Lizard Squad parasites of the BigBotPein group. Third, the authors of Mirai engaged in a distributed denial-of-service attack against security blogger Brian Krebs shortly after he criticized Lizard Squad, saying, "I hope it's clear to the media that the Lizard Squad is not some sophisticated hacker group." This apparently stung. Fourth, there are references to Mirai on a Lizard Squad website hosted at a site whose url we won't read here because it's slightly more than half composed of vulgarities. This is to be sure circumstantial, but it's interesting. Also interesting are signs that the Lizard Squad members who remain at large have expanded their interests from renting out stressors for DDoS-as-a-service into the trendier crimes of Monero and Ethereum mining.
Dave Bittner: [00:06:26:08] Michael Simon is President and CEO of Cryptonite, a company that focuses on pro-active network defense. They recently released their 2018 healthcare cyber report and Michael Simon joins us to share their findings.
Michael Simon: [00:06:39:17] We're in the business of protecting critical vulnerability use cases and health care is sort of that perfect storm of connection of those use cases and that's what prompted us to do this.
Dave Bittner: [00:06:52:03] So take us through what were some of the key findings from the report.
Michael Simon: [00:06:56:21] There's sort of two directions of the key findings, one is there has been a pretty dramatic increase in the number of ransomware attacks and second, actually the number of records reported to have stolen has decreased, these are healthcare records. It's an interesting sort of dichotomy, if you will, we believe that one of the reasons that the records have decreased is because now attackers are really going to widen their attack vectors to more and more facilities, some of them might not have as many records and they're also seeing that they can get more money out of a ransomware attack than actually stealing a record itself.
Dave Bittner: [00:07:40:13] No, that's interesting because we often hear that, you know, a healthcare record in particular is more valuable than say a credit card number or something like that.
Michael Simon: [00:07:49:06] Yeah, it is and it still is, but, you know, if you look back into 2012 time-frame, a healthcare record would get somewhere in the neighborhood of $50 on the dark web. Today, you know, you're down to numbers that could be a dollar or 50 cents and it isn't because they aren't valuable, it's there are so many out there.
Dave Bittner: [00:08:11:05] Now let's revisit what you said about the ransomware because, you know, I guess the common advice from law enforcement is don't pay the ransomware. But yet it seems to me like particularly when it comes to health care, we've seen several incidences where people have paid the ransom, I guess to get systems up and running in a timely manner.
Michael Simon: [00:08:31:11] Unfortunately, we don't know who pays the ransomware or not publicly because according to the rules of how they have to report these attacks, they're simply reporting what records have been potentially accessed and what attacks have occurred. But they're not obligated to say whether they paid the ransomware attack, so we can only speculate whether organizations have paid them or not. From a health care hospital facilities perspective, all they care about is patient care. If a ransomware attack is potentially impacting the care of a patient, I'm guessing they're going to pay that fee pretty quickly. The concern though is there's nothing to stop that attacker from doing the same thing the next month, the next year, because they have the information to do it.
Dave Bittner: [00:09:25:20] So what's your perception on where these health care systems are in terms of properly protecting themselves? Are they catching up, are they getting ahead of the game?
Michael Simon: [00:09:33:24] I think to answer that question, you have to take a look at these organizations first and see why I use the term, perfect storm. Health care organizations in general weren't built around IT infrastructure, so they were built around how to care best for the patient. So IT and OT, operational technology, information technology, were sort of separate and there's not nearly as many IT professionals in the health care world as you'll find in the finance world for example. So the health care organizations are desperately trying to beef up the resources in the IT side, some are doing a lot better than others, others are not really doing very much at all. And then you have the situation of medical devices, what I call IOMT, other people use the same term, Internet of medical things. These are devices designed for patient care that really had no concept of security built in. So, you take the idea of not a lot of IT resources, these medical IOT devices and that really becomes the perfect storm for an attacker. So I think what's happening is these health care organizations are desperately trying to catch up, but there's still the perfect storm of opportunity for hackers.
Dave Bittner: [00:10:57:16] That's Michael Simon from Cryptonite.
Dave Bittner: [00:11:02:09] Users of IOTA cryptocurrency were successfully robbed of some $4 million by an unusually patient criminal who set up a malicious seed site that assigned users predictable seeds, an eighty-one-character seed necessary to create a wallet. Once this was done, the criminal, "Norbertvdberg" phished to land users on his site. On January 19 Norbertvdberg used the logs he'd accumulated over six months of operation to empty the users' IOTA wallets. His site is now closed, and he is on the lam. It's worth noting that a DDoS attack on IOTA network nodes occurred at the time Norbertvdberg was looting the wallets. The attack seems to have been misdirection, a common use of DDoS.
Dave Bittner: [00:11:48:12] In a setback for HM Government, the High Court in London ruled the Snooper's Charter unlawful. The surveillance law had been challenged in court by a Labour MP. It had been enacted during Prime Minister May's tenure as Home Secretary.
Dave Bittner: [00:12:03:22] The US House Intelligence Committee has voted to release its presently highly classified memo on alleged surveillance abuses. It is thought that both the majority staff-prepared memo and its minority counterpart will be made public.
Dave Bittner: [00:12:18:19] And finally, we return to the curious case of Strava, the fitness app whose aggregated and anonymized heat map shows stuff like someone riding a bicycle around the runway at Groom Lake, Nevada, and troops running for exercise at various US bases around the world. White House cybersecurity coordinator Rob Joyce says "It's really clear that that heat map is a security risk," and that the Administration is thinking through what to do about it.
Dave Bittner: [00:12:45:05] As we thought when we spoke about this incident yesterday, a number of service members are receiving some Strava-related OPSEC guidance. A Defense Department representative said, "Secretary Mattis has been very clear about not highlighting our capabilities to aid the enemy or give the enemy any advantage. The secretary is aware of the breach and we are taking a look at our department-wide policies to determine if they need to be updated." We imagine Secretary Mattis expressed himself rather more vividly in his communication with the chain of command. And we say again to the troops, thanks and good hunting.
Dave Bittner: [00:13:25:20] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to business today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze the computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? You can test drive ObserveIT, no installation required at observeit.com/cyberwire, that's observeit.com/cyberwire and we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:33:04] And joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan, welcome back, I saw a story in Science News and it had to do with the health care information, patient information and attempts to de-identify large patient data sets because of these privacy issues, can you take us through, what are we talking about here?
Jonathan Katz: [00:14:54:12] Well basically there's always a concern when working with medical data or other data collected about individuals that the data itself will reveal information about PII of individuals or other sensitive information about people who participated in the study, whether that's being released to the researchers or whether that's released to the general public in case data from that study is ever released. And so it's really nice to see here actually, that medical researchers are aware and taking great care to try to anonymize the data that they're working with and the data that they're publishing in order to prevent this kind of de-identification of the individuals in the data set.
Dave Bittner: [00:15:32:15] And how do they go about doing that?
Jonathan Katz: [00:15:33:19] Well there are various ways you can do that, a lot of different techniques have been developed over the years. The ones that they were looking at in the study, that you were talking about, seemed to be based on an idea called k-anonymization where basically what you do is, you modify certain data in the data set, to ensure that there's always a large group of people sharing any given number of attributes. So that basically means that rather than, if an attacker go their hands on the data, they wouldn't be able to look at a row of a database, for example, and then correlate that with a particular individual taking part in the study. More recently people have looked at other techniques like differential privacy, which actually give more rigorous guarantees about what can be learned from individuals based on the data.
Dave Bittner: [00:16:15:19] So what's your take on the technique that they used in this example?
Jonathan Katz: [00:16:19:15] Well, from what I could read about and this is only based on the news article, I wasn't actually able to get a copy of the paper itself, it looked like they had used a technique based on k-anonymity and some fuzzing, which involves changing some of the data values and then they evaluated the effectiveness of that against a specific attack and they showed that that particular attack was unsuccessful. And that's a good start but what worries me about that, is that it leaves open the possibility that there are other attacks that the researchers didn't think about, that would allow an attacker to learn information about individuals and so what you'd really prefer is, you know, rather than preventing one specific attack, you'd rather have a technique that would de-anonymize the data is such a way that it was secure against all possible attacks and that's what something like differential privacy would allow for and you know, I hope going forward that they try to integrate those techniques into what they're doing as well.
Dave Bittner: [00:17:11:22] Jonathan Katz, thanks for joining us.
Dave Bittner: [00:17:16:15] And that's the CyberWire. Thanks to all of our sponsors, for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit cylance.com and thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit e8security.com, to learn more. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:17:48:02] Our show is produced by Pratt Street Media with editor, John Petrik. Social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Test drive ObserveIT today – no installation required.