podcast

The CyberWire Daily Podcast

In today's podcast, we hear that the JenX botnet will conduct DDoS-for-hire, if you've got twenty bucks. South Korea's CERT warns of an Adobe Flash Player zero-day being exploited in the wild. Bitcoin's price drops below $9000, but miners and scammers are still after this and other cryptocurrencies. BeeToken's ICO is used to phish for Ethereum. ICS security reflections in the wake of the Triton/Trisis attack. The 9th Circuit rules that Twitter didn't provide material support to ISIS killers. Rob Lee from Dragos on the security of wind power systems. Guest is Dana Simberkoff from AvePoint, with a discussion on women working in privacy, and why it’s one area where we are doing well at getting and equal number of women engaged. And the Nunes Memo is out, declassified and unredacted.

Transcript

Dave Bittner: [00:00:03:02] The JenX botnet will conduct DDoS-for-hire, if you've got twenty bucks to spare. South Korea's CERT warns of an Adobe Flash Player zero-day being exploited in the wild. Bitcoin's price drops below $9,000, but miners and scammers are still after this and other cryptocurrencies. BeeToken's ICO is used to phish for Ethereum. ICS security reflections in the wake of the Triton/Trisis attack. The 9th Circuit rules that Twitter didn't provide material support to ISIS killers. And the Nunes Memo is out, declassified and unredacted.

Dave Bittner: [00:00:43:04] And now some notes from our sponsor, Cylance. You've heard of Emotet, the banking Trojan that re-emerged at the end of 2017 to trouble online banking customers. For now it's hitting financial institutions mostly in Austria and Germany but even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well, don't get cocky, kid. Your language community could well be in the on deck circle. The new Emotet has a bad new dropper that knows when you're sandboxing it and it evades attempts to analyze it. Fortunately you're in luck no matter where you are. Cylance can protect you. Check out Cylance's blog post about Emotet at cylance.com. That's Cylance and we not only thank them for sponsoring The CyberWire but we suggest you head on over to cylance.com for the skinny on Emotet.

Dave Bittner: [00:01:39:03] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, February 2nd, 2018.

Dave Bittner: [00:01:49:08] Radware has located a new Internet-of-things botnet whose functionality they liken to Mirai. The botnet is being called "JenX." They've traced the host to a hacking group, San Calvicie, which operates a server in the Seychelles. San Calvicie hosts the venerable online game Grand Theft Auto: San Andreas in an environment that enables players to create and share mods. They're also in the denial-of-service protection racket, and will keep you operating for just $16 a month. They offer denial-of-service-as-a-service, too. You can direct "Corriente Divina," that is, "Divine Stream," attacks against a target of their choice for $20.

Dave Bittner: [00:02:31:18] San Calvicie initially offered attacks at 100 gigabits per second. That offer tripled to 300 gigabits per second as the hacking group began to build the JenX botnet Monday. Radware says that the size of JenX is harder to gauge than was the size of the Mirai botnet. They do, however, think it could well run into the hundreds of thousands.

Dave Bittner: [00:02:52:21] Rockstar Games, producers of the base Grand Theft Auto game didn't offer any comment to CNET when they were contacted, and it's probably worth observing that San Calvicie isn't Rockstar. It seems worth noting that Mirai's creators, now enjoying a sabbatical at Club Fed, were similarly interested in gaming. In the case of Mirai, their game was Minecraft. San Calvicie is interested in GTA. Their advertisement for JenX-enabled attacks says, "God's wrath will be employed against the IP that you provide us."

Dave Bittner: [00:03:25:11] The chest-thumping blasphemy suggests a certain gamer detachment from the kinetic realities of meatspace. Radware thinks it likely that the attacks would be for the most part hired by hosts interested in taking down rival services. The prices seem low, which suggests either bad business acumen on the part of San Calvicie, or that they make their profits on volume. We hope it's the former.

Dave Bittner: [00:03:50:05] South Korea's CERT warns that an Adobe Flash Player zero-day is being exploited in the wild. Adobe is moving to patch its much exploited, often fixed product. Many security experts say the best patch for Flash Player is to simply disable it. Many observers think the exploitation, apparently in progress for two months, is the work of North Korean hackers, but that remains at the moment a speculative and circumstantial judgment.

Dave Bittner: [00:04:16:08] Bitcoin's price has hit a two-month low, falling yesterday to just under $9000 per coin for the first time since November. Ars Technica sees a wave of bad news stories contributing to the drop. Facebook's announcement that it will restrict cryptocurrency ads, the Securities and Exchange Commission's clamp-down on AriseBank, and rumors that Tether may be on the verge of insolvency. Tether is a cryptocurrency pegged to the US dollar that many Bitcoin traders use as a dollar surrogate, but there are reports that Tether has had difficulty gaining the banking system access it would need to convert Tether to dollars.

Dave Bittner: [00:04:53:06] But for all this cryptocurrency miners and scamming continue unabated. BeeToken speculators were just winkled out of another $1 million in Ethereum after succumbing to phishing attacks baited with BeeToken's ICO. Note that BeeToken isn't the fraudster, here. Rather, cybercriminals are taking advantage of its initial coin offering to dupe eager speculators.

Dave Bittner: [00:05:16:01] Threats to industrial control systems grow with the attack surface. A study by Positive Technologies finds that industrial systems are increasingly networked, but that many industrial IoT devices continue to be regarded as too unimportant to receive much attention, let alone serious security. Among their examples are building control systems for such functions as HVAC. It was, of course, through HVAC that Target was breached in 2013.

Dave Bittner: [00:05:43:21] A Mocana survey of operators shows some surprising results with respect to industrial system safety and security. ICS security maven Joe Weiss participated in the webinar during which the survey was conducted. The topic was the Trisis or Triton safety system hack, so participants were likely to have this recent incident in mind. The respondents thought production downtime and personnel safety were the most serious effects of an ICS attack, and Weiss found that answer reasonable and refreshing. What surprised him was that none of the respondents thought firewalls and network filtering were ways of improving defenses against ICS attacks. On the other hand a 41% plurality thought that hardening endpoint devices and gateways was an important defensive measure. This came after an explanation that Level 3 and Level 1 endpoint devices, process sensors, actuators, and drives, lack security or authentication.

Dave Bittner: [00:06:39:06] In legal news, the US Ninth Circuit has ruled in favor of Twitter in a lawsuit that sought damages from the social media platform on the theory that it culpably enabled terrorist inspiration. The ruling was in connection with a suit that alleged giving Twitter accounts to ISIS terrorists violated the Anti-Terrorism Act. The plaintiffs, representing the estates of two American contractors murdered by ISIS, claimed that the network's provision of accounts amounted to "material support" for the terrorist group.

Dave Bittner: [00:07:08:19] The House Intelligence Committee's controversial staff memo on surveillance practices, the "Nunes Memo," has just this afternoon been released, over the objections of the FBI. The memo, dated January 18th and originally classified Top Secret NOFORN, meaning that disclosure to foreigners was prohibited, was officially declassified today. The memo says its findings "(1) raise concerns with the legitimacy and legality of certain DOJ and FBI interactions with the Foreign Intelligence Surveillance Court, the FISC, and (2) represent a troubling breakdown of legal processes established to protect the American people from abuses related to the ISA process."

Dave Bittner: [00:07:53:03] Essentially the memo's findings come down to FBI and DoJ reliance on the uncorroborated Steele Dossier as its grounds for seeking a surveillance warrant against a former advisor to then-candidate Donald Trump, their use of news stories sourced from Christopher Steele as corroboration of the dossier he prepared, and their failure to disclose to the FISA Court the payment of $160 thousand to Christopher Steele by the Clinton campaign and the DNC. Other findings cover what the memo characterizes as evidence of political motivation on the part of FBI and Justice Department officials. The FBI disputes the findings, as does the Democrat minority memo which is expected to be released next week. The memo released today is brief and can be found in its entirety on Document Cloud by searching "Nunes Memo." You'll also find an annotated copy on the Washington Post's site. The minority memo isn't out yet, but you can read the press release on it at democrats-intelligence.house.gov/news.

Dave Bittner: [00:08:58:17] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to business today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze the computer, network or system data. But to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? You can test drive ObserveIT, no installation required at ObserveIT.com/CyberWire. That's ObserveIT.com/CyberWire and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:05:07] And joining me once again is Robert M. Lee, he's the CEO at Dragos. Robert, welcome back. You and I have been working our way through some of the various ICS categories, talking about security issues with them and today we're gonna talk about wind power. Bring us up to date here.

Robert M. Lee: [00:10:20:14] Yeah, what a, what a cool time in history. So, we're seeing diversify energy resources like DEFRA 4 and one of those big sources of energy into national economies and, and, and these national grids now are wind resources. And they operate kind of like, you know, you expect for the scan environment and control systems and visibly controlled environment and measuring and all the good stuff. But they do have their own additional challenges. So like, each turbine, as an example, has its own computer, has its own controller there with it. It's almost like each one of them is their own little island of success and failure. And so necessarily being dependent on other locations and even though you're gonna harvest the energy off of each one of those back to a central site, they each operate as like, little individual sites.

Robert M. Lee: [00:11:08:21] And so, a wind farm has a more diversified approach to their security than many other energy industries. And there's also the considerations of once you produce that energy, how do you get it to the grid? And some of the familiar work with one, one big wind balancing authority who does a fantastic job at it, actually, based out in California where they, a big portion of their business model was developing the control center that could serve as the energy management system for all these diversified wind farms. And so basically you have the mom and pop wind farms can start up and then connected to them, so that they can then balance the electricity that goes and flows into the grid, because there's a whole ecosystem and market there of, you know, promising you can produce a certain amount and actually being able to connect it up. Just because you produce energy doesn't mean you can connect it to the grid, but if you do produce energy and, and follow the right guidelines then you can. And they basically have built their model on that.

Robert M. Lee: [00:12:09:06] What that introduces though from a security concept is really interesting. The, the centralized control center in of itself is operating like their own little fetal system right? Doing their own little security. They're dependent on the, the security taking place in the wind farms but these can be mom and pop type wind farms that definitely are not thinking about security. And more importantly, the specialize skill sets around optimization of wind farms can be remote. And so there are wind farms that might be managed and maintained not on a day to day basis but sort of from the optimization perspective or even just from the scan environment, remotely. We know of places doing it like, from Spain as an example, where the physical asset is located in one country, like the United States. The consumer is located in, in the United States and all the stuff in the middle is the near normal control center and electric grid infrastructure. So it, if you sort of have this BYOD kind of mentality but to your electric resources.

Robert M. Lee: [00:13:02:13] So you can't trust anything in there. You can't assume that, you should assume, actually, that your Spanish-based company's compromised. You should assume that there's compromises inside of your wind farm itself. You should assume that the control center itself might be compromised from its own internal assets.

Robert M. Lee: [00:13:26:19] There's, there's a lot of risk there from the compromising. Now, it doesn't mean it all stops. And because these are diversified resources if you manage to do an attack to one it's not like it all goes down. So there's been some research put out there, like, oh my gosh, I figured out a way to take down all, all solar panels or all wind farms. So like, eh, not really. And it still is very difficult in obviously operation scale. But it's still something to be considered. So in short, I would say an awesome opportunity for economies, but it does change the energy diversification and the energy portfolio that we have as a country, which has its own pluses and minuses. But at the same time, we've gotta make sure that we're introducing security in those locations, because as mom and pop type shops can open up or smaller companies and startups can open up and start producing energy for our grid and open those connections up to locations that are not necessarily being well-monitored. That introduces a lot of information attack space. So this is also an area where like, being very proactive and going hunting for the threats actually makes a lot of sense for the wind farm owners and their operators.

Dave Bittner: [00:14:29:22] Alright, Robert M, Lee, thanks for joining us.

Dave Bittner: [00:14:36:19] And now a moment to tell you about our sponsor Control Risks. Control Risks is a specialist risk consulting firm that helps its clients seize opportunities while being secure, compliant and resilient. They believe that taking and managing risks is essential to success. So Control Risks provides the inside and intelligence you need to realize business growth and support critical decision making. They enable senior executives to build organizations that operate security, are truly compliant and have the resilience to manage the challenges of a rapidly changing global marketplace. And they ensure that the challenges global organizations face, including acute security problems, major regulatory issues, investigation and litigation, reputational harm and other crisis can be managed and resolved effectively. From the board room to remote locations, Control Risks has developed an unparalleled ability to bring order to chaos and reassurance to anxiety. Find out more at controlrisks.com/cyberwire. That's, controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:15:54:01] My guest today is Dana Simberkoff, she's the Chief Risk, Privacy and Information Security Officer at AvePoint, a company specializing in Microsoft Cloud solutions. Our conversation centers on the opportunities available in data privacy, especially with regulations like GDPR coming and how privacy is one area of tech where gender equality is close to being a reality.

Dana Simberkoff: [00:16:16:22] In my role at AvePoint, I serve in a dual function both as Chief Privacy Officer and Chief Security Officer and then working for a technology company, I really wear three hats and I'm a woman in privacy technology and security. And so as part of my work in a privacy profession, which I have been a part of for almost my entire career now, I'm happy to report truly close to gender equity if not absolute equity. In fact, the International Association of Privacy Professionals, IAPP, which is the global industry association that certifies privacy professionals around the world, has done a number of studies on this and they have found that there are an equal number of women and men in the privacy profession and an equal number of women to men in senior roles and privacy as well. So I think that's a very positive note and something hopefully that can serve as a, as a goal for other professions as well.

Dave Bittner: [00:17:13:10] Is there any data behind why that particular subject area is doing better? Do you, do you have any suspicious for why we find more women in the privacy area?

Dana Simberkoff: [00:17:24:02] Well I think, I have my opinions and I'm happy to share those, I'm not sure that they're based on anything scientific or, or have been studies, but I, I think there are a couple of reasons. Privacy is an emerging field, it certainly has not been around, well, well, actually privacy has been around since the dawn of man. So I won't, I won't say that, but privacy as a, as a profession, is a newer profession than security and IT certainly. And as such, it's really come to the forefront over the last, really just the last few years, the last several years and we see this in terms of the numbers of members of IAPP and the number of people getting certified which have just sort of doubled year over year over year every year for the last few years, but prior to that the growth was relatively slow and relatively new. So that being said, I think that there were more, one, opportunities that were available in privacy and also because it wasn't a really high profile job, it wasn't as well know, I think there were a lot of women that, you know, were there to raise their hands to say this is something I'd like to do, or I'd like to try and there wasn't as much as a sort of dominance already in, in that marketplace as there is in other professions. That's one piece.

Dana Simberkoff: [00:18:42:01] The other part of it, is I think that a lot of people in privacy come to privacy with a legal background or a compliance background. And because there's also a lot more, I think gender parity in that legal background versus security and IT which are traditionally in sort of looking at just even education and, and what students are going into, there are less women in those fields. And so I think that there's also that. That has helped women be more a part of this profession as well.

Dave Bittner: [00:19:13:19] Yeah, let's, let's dig into that a little bit. I mean, for, for either the young woman who's coming up through school or maybe someone who's considering a career change, what advice do you have for women who are looking for a career in cyber security or data privacy?

Dana Simberkoff: [00:19:28:13] Well, I think personally and this is something that is something I, I believe in very strongly, that there should be a lot more education at the secondary school level, certainly at the college level and definitely at the graduate school level in privacy. Privacy is personal, it affects 100 percent of our population. So unless you live entirely off the grid, privacy is definitely relevant to you. And so it's something that I believe very much like constitutional law and you know, basic education, it's something that we should all learn just as part of our every day lives because it's important.

Dana Simberkoff: [00:20:02:23] As is security, but I think that there are many things that you can do on your own to, to learn more about it. Again, I've mentioned IAPP, the International Association of Privacy Professionals. That is the de facto global industry association of privacy professionals, they do a lot of education. A lot of the education that they do is free and available to students so whether or not you're a professional who is looking at expanding your horizons and looking at new careers, IAPP has some great resources for you. But also if you're a student and you're early in your career, they do a lot of professional education, they do a lot of networking and training. Again, that is free, to both members and, and to non members as well. And there's just some great resources. For example they have newsletters that you can sign up for, that anyone can sign up for, that just give you information about privacy, privacy news around the world every day. And I think that's a great way to educate yourself on what's happening in this space. And to begin to you know, explore whether it's a potentially a career that might be of interest to you.

Dana Simberkoff: [00:21:09:20] The other advice that I give to everybody, to young women, and to young men in their careers and I, I do a lot of mentorship both formally and informally in my role at AvePoint and in my work with IAPP is a member of some of their advisory boards. I think it's important to have mentors, to find mentors throughout your life, whether they're professional mentors that you have in your workplace, where you actually connect with somebody in a, in a senior position. But that you also have these role models informally in your life too. I had many in my life, they were both people that I worked with and worked for and people that I knew through, you know, non work relationships, people that I modeled myself after. I think even today in my career, I always think, "What do I wanna be when I grow up?" and finding those people that you can emulate, ask them for advice, asking them for coffee and, and getting guidance is always a really positive things, it's a way to grow your career and grow your professional network.

Dana Simberkoff: [00:22:04:23] I do think that it's important for you know, specially on the topic of, of women advancing in IT and security. I think it's important for women to support other women in their, in their career paths but also I always like to add that some of my, my best mentors and, and best managers throughout my career have also been men. So I don't think it's a women's issue, I think it's a people issue. And I think it's a question of building a culture in which people are recognized based on their talents. More, first and foremost above anything else, and I think it is, you know, incumbent on everybody individually regardless of whether you're a man or a women, to do your best at your job and to make sure that you're your own advocate as well. So this is something I think women sometimes are not as good at as men and that is to, to really be your own advocate, to promote yourself and your work and to make sure that you, you gain recognition for what you're doing and that you do it in a positive and appropriate way of course.

Dana Simberkoff: [00:23:07:02] But there, there are many great resources out there for helping, helping to do this, whether you're a young professional man or woman, I think it's, it's important to continue to make those connections and to build your confidence inside and outside of work.

Dave Bittner: [00:23:20:14] That's Dana Simberkoff from AvePoint.

Dave Bittner: [00:23:26:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the treat. Visit e8security.com to learn more.

Dave Bittner: [00:23:47:11] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they are co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
Cylance
Cylance

Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com

ObserveIT
ObserveIT

ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Test drive ObserveIT today – no installation required. 

Control Risks
Control Risks

Control Risks is a global specialist risk consultancy. We help clients find opportunities and grow, build secure, compliant and resilient organizations, and resolve critical business issues and crises. Our unique expertise and geographical reach support decision-making with crucial intelligence and insight. Learn more at controlrisks.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire