David Bittner: [00:00:03:16] SWIFT works with it's clients to improve security. ATMs get looted in Japan. A final follow-up on the realization that 2012s LinkedIn's breach was bigger than thought. So old, but really big. Operation Ke3chang is back, now new and improved with TidePool Malware. ISIS information ops turn to inspiration and may betray some uncertainty about the group's ability to hold its core territories in Syria and Iraq. British and American officials get some cyber policy advice from business. Investors in the cyber sector see recent corrections as, perhaps, a buying opportunity. And how they keep Mom safe online, Baltimore style.
David Bittner: [00:00:43:08] Today's podcast is made possible by ClearedJobs.Net. Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company, where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at thecyberwire.com/clearedjobs.
David Bittner: [00:01:08:19] I'm Dave Bittner, in Baltimore with your CyberWire summary from Monday, May 23rd, 2016.
David Bittner: [00:01:15:14] The SWIFT financial transfer system is working with its customers to stop theft of the kind and scale the Bangladesh Bank suffered earlier this year. It's promising a security upgrade and in the meantime it's offering suggestions for superior, more secure implementation to its partners in the financial sector. Among the initiative SWIFT advocates is more sharing about attempted breaches, particularly those involving fraudulent transfers. Indeed, the system has told its clients that they're obligated to provide such information under the terms of service.
David Bittner: [00:01:46:15] Another robbery occurred last week but this was unconnected with SWIFT. ATMs in Japan were systematically looted of ¥1.44 billion, roughly equivalent to $12.7 million US, in the early morning hours of May 15th. The fraud appears to have involved around 100 collaborators who used forged payment cards. Whether the card data came from skimmers or some other compromise is so far unclear, but The Guardian reports that the card information was obtained from a bank in South Africa. Investigation proceeds.
David Bittner: [00:02:19:07] The CyberWire heard from John Gunn, Vice President of Communications at VASCO Data Security. Gunn sees ATM fraud is likely to increase in the US as EMV cards, commonly called 'chip and pin' cards, come into more widespread use at retail point of sale systems. Criminals, he suggests, are likely to follow the path of least resistance towards ATMs. "It's easy for fraudsters to buy stolen cards to make unauthorized withdrawals but it's nearly impossible to commit theft if they must also have the intended victims mobile phone physically at the ATM machine at the same time." Gunn says large banks are moving to integrate ATM security into their mobile banking apps and that we can expect to see them leverage customer's mobile devices to reduce fraud across all channels.
David Bittner: [00:03:07:09] Last week's report of a breach at LinkedIn turns out, we've seen, to have been simply a recognition that the breach the business focused social network sustained in 2012 was much larger than realized. Some 117 million users credentials were discovered for sale as a commodity on dark net criminal markets. So, not a new breach but belated recognition that an old breach was more serious than realized.
David Bittner: [00:03:31:17] Savvius' Director of Production Management, Jay Botelho, told the CyberWire that this case is an example of the way in which security experts have tended to be overwhelmed by poor quality data. The risk has been that even critical alerts can go unrecognized. Botelho says, "the good news is that automated data collection technologies are available today that help identify and capture the relevant network traffic for use in investigations, either at the time of an alert or months later." Such systems increasingly provide not only data, but sufficient context to examine a breach for what Botelho calls, 'the who, what, where and when'.
David Bittner: [00:04:10:15] We talk a lot about minimizing your attack surface, giving the bad guys and gals the least amount of opportunity to gain access to your network. One of the challenges these days, especially if your company has a bring-your-own device policy, is that most of those devices have one of more wireless systems built in like Wi-Fi or Bluetooth. Paul Paget is CEO of Pwnie Express.
Paul Paget: [00:04:31:01] We're used to seeing attacks come from afar through websites. We're used to seeing fishing attacks through email, and now we're starting to see attacks directed at users because of the susceptibility of the devices they carry. Those devices are bridges for the bad guy to get into the authorized network, because that user has credentials, so it's a stepping stone to get into the network.
David Bittner: [00:04:57:05] Paget says many companies are vigilant about protecting their internal network but have a harder time knowing what's going on in the wireless spectrum all around them.
Paul Paget: [00:05:05:16] So it started with the simple idea of, hey, can you show us what's communicating in and around our network, because we can't see this stuff anymore? We've actually tightened our firewalls and our rules so much that we can only see the devices that we know, authorized and provisioned, we can't see devices that are communicating wirelessly. To do this, you do need something with an antenna or receiver so you can see the signals. Fortunately the devices that we all use broadcast a lot of information about themselves, we can see all that, and all the intelligence is fed centrally into a cloud-based application.
David Bittner: [00:05:43:16] It's important to look for attackers trying to hit your Wi-Fi of course, but Paget warns it's not unusual to see vulnerable access points added to a network through the course of doing normal day-to-day business.
Paul Paget: [00:05:54:03] The kinds of things we see as anomalies are pretty interesting, things that are mis-configured by employees. Somebody comes in an plugs in an HP printer, you plug it into the network, it's a network printer. But the Wi-Fi is on by default and password is password, so it's an open connection, not just to that printer but also to that network that anyone can access. Those are the kinds of things that become a risk to the organization.
David Bittner: [00:06:19:19] That's Paul Paget, CEO of Pwnie Express.
David Bittner: [00:06:24:19] Palo Alto's Unit 42 reports that Operation Ke3chang has resurfaced, now with new TidePool Malware. Ke3chang is a cyber espionage campaign and it's targets remain mostly Indian diplomats. There's not attribution yet, and Unit 42 is cagey about offering hints but they do go so far as to suggest that, as the Magic Eight Ball might put it, signs point to China.
David Bittner: [00:06:49:12] ISIS returns to inspiration in cyberspace, calling for lone wolf attacks in Europe and the US, should you the Jihadi, be unable to reach the front lines in Syria or Iraq. It's also stepping up recruiting in India by promising vengeance for Muslim deaths in 2002's riots in the state of Gujarat. These efforts suggest, to some observers, a loss of confidence in ability to hold its core territory.
David Bittner: [00:07:13:15] The US meanwhile, is running an info ops campaign in the form of both physical leaflets and social media image sharing, designed to undermine ISIS's hold on its nominal capital in Syria. Residents are advised to flee to safety.
David Bittner: [00:07:28:12] Both Indonesia and Japan announce plans to establish new cyber security agencies. Japan's is being characterized as a 'white-hat' operation and will devote attention to the security of the upcoming Olympics.
David Bittner: [00:07:41:07] American and British officials received some advice from industry. Insurers in the United Kingdom want Her Majesty's government to establish and maintain a national database of cyber incidents. In the US start-ups tell Congress that data security (read, encryption) makes us all strong and that Congress should draw the appropriate policy implications once it realizes this.
David Bittner: [00:08:03:17] In industry news IBM plans another round of lay-offs as it continues its long repositioning of itself as a service provider. Investors continue to wonder whether recent rough times for cyber stocks represents a buying opportunity. Many seem to think so.
David Bittner: [00:08:19:13] Finally, we often hear about the importance of two-factor authentication in staying safe on-line, yet the redoubtable Graham Cluley posts a video from across the pond about at least one service provider who seems unclear on the concept. This provider offers two-factor authentication, that's good, but requires customers to agree to receive advertising from various partners in order to get it. Wait, hold on, not so good. Really, chaps?
David Bittner: [00:08:51:19] This CyberWire podcast is brought to you through the generous support of Betamore, an awarding co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.
David Bittner: [00:09:12:18] Joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute. Joe, we've spoken before about some of the adventures that your mother has had with her computer. You've got a new story, right?
Joe Carrigan: [00:09:24:22] Right. As the guy with the computer science degree, I get all the phone calls and all the tech support calls from the family.
David Bittner: [00:09:31:01] I'm familiar with that.
David Bittner: [00:09:32:01] To give you a little background on this; my Mom had a sound playing on her machine that was telling her that she was infected with some kind of virus. She called me, right off the bat, and said, "what do I do?" I said, "just turn the machine off and bring it up to me." Then I came in here and talked about it, having not seen it yet and imagining that she had someone downloaded some kind of malicious software or something.
Joe Carrigan: [00:09:55:06] When I did get the machine it turns out it wasn't even that sophisticated, it was just a web page that she had been visiting, which I didn't even consider was actually an option, although I have seen these things happen. It seemed so basic and so simple that nobody would fall for it, but it was convincing enough to get my Mom to pick the phone up and call me. Someone she knows actually picked up the phone and called the people that the web page was telling them to call and got scammed by these folks.
David Bittner: [00:10:25:18] They're doing it because it works, right, these bad actors. By the time I got the machine, the website had been pulled down. I couldn't even see what she was seeing at the time.
David Bittner: [00:10:36:14] So what's our advice to our parents, friends and family? Something like this pops up, what's the best thing to do?
Joe Carrigan: [00:10:43:24] Well, turn off the computer and call somebody and ask for some help or disregard it. Nobody's ever going to call you and say you have a virus on your machine. I don't know of a virus product that opens up and says with a voice you've got a virus on your machine, call this number and then they're going to ask you for a credit card number, install more software. Those should be red flags that go up and you should not be participating in that activity.
David Bittner: [00:11:11:10] Alright, Joe Carrigan, good advice for all of us who end up being the lifetime, unlimited tech support for our friends and family.
Joe Carrigan: [00:11:17:21] That's right.
David Bittner: [00:11:21:06] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your products, service or solution in front of people who want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors to find out how to sponsor our podcast or daily news brief. The CyberWire is produced by Pratt Street Media. The Editor is John Petrik. I'm Dave Bittner. Thanks for listening.