The CyberWire Daily Podcast 5.24.16
Ep 106 | 5.24.16

Good guy update: SWIFT. Bad guy update: Turla, CryptXXX, DMA Locker, Flash 0-day... Bonus: Scunthorpe Problem.

Transcript

Dave Bittner: [00:00:03:09] Turla Malware returns, this time in Switzerland. Lessons we should all learn from the Panama Papers, and that's you too, Congress. TeslaCrypt's proprietors seem to have found it easier to move on to CryptX than to go straight. The recently patched Flash zero-day has appeared in the Angler, Neutrino, and Magnitude exploit kits. SWIFT gets ready for a security upgrade. The US Department of Justice investigates allegations of retaliation against whistle-blowers. Guccifer cops a plea. And the Scunthorpe Problem is with us still.

Dave Bittner: [00:00:35:01] Today's podcast is made possible by ClearedJobs.Net. Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at thecyberwire.com/clearedjobs.

Dave Bittner: [00:01:00:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 24th, 2016.

Dave Bittner: [00:01:07:05] Turla Espionage Malware is back and it recently hit Swiss defense firm, RUAG. Switzerland CERT describe the incident as a patiently staged and executed attack using Epic Turla, previously seen in espionage directed against governments, military organizations and embassies.

Dave Bittner: [00:01:24:18] The attacker used complex sets of vectors to gain access to closely targeted accounts, then pivoted through the compromised networks to achieve their goals. The campaign appears to date to 2014 at least. No attribution yet but Turla is generally held to have an Eastern European, almost surely Russian, provenance.

Dave Bittner: [00:01:44:05] The Panama Paper's post-mortems proceed reaching some consensus amongst observers that Mossac Fonseca was the victim of a SQL injection attack, "the oldest hack in the book", as IT Pro Portal puts it. AFCEA's SIGNAL blog offers lessons from the incident and they're familiar: segment data, impose access controls and encrypt information. Also, monitor your network traffic and respond quickly to evidence of compromise.

Dave Bittner: [00:02:10:03] Similar advice is also being offered, in a bipartisan way, to the US House of Representatives by two its members. Representatives Will Hurd, a Republican from Texas and the 23rd district, and Ted Lieu, Democrat from California in the 33rd. They emailed their colleagues Monday to offer some good advice on security. Of interest, they show some love for encryption.

Dave Bittner: [00:02:32:07] You'll recall that ESET recently received the keys to TeslaCrypt, along with expressions of remorse and implied promises of reform from the ransomware's criminal masters. There was, it appears, less altruism here than met the eye. Bleeping Computer says TeslaCrypt's impresarios appear to have made a simple business decision to transition to CryptX.

Dave Bittner: [00:02:53:11] Ransomware has recently hit health-care enterprises. The medical sector faces other challenges as well, notably securing the privacy of patient records. We spoke with Robert Lord from Protenus about why this is difficult and what can be done about it.

Robert Lord: [00:03:07:09] What we noticed from the inside was that it was a real challenge to protect electronic medical records because there's a huge attack surface that's inherent to medicine itself. What this means is that, if you have any access to an electronic medical record, you essentially have ubiquitous access to it. You can't necessarily use Robeks-based access control or network segmentation or a lot of the other tools that are used to control and protect data in these networks. Because the challenge is, in health care, everyone needs to be able to access most of the data most of the time.

Dave Bittner: [00:03:44:07] One of the challenges the medical industry faces is that medical records can be extremely valuable on the black market.

Robert Lord: [00:03:50:22] Depending on the source, while Social Security number goes for about a quarter on the black market and a credit card number a dollar, an electronic medical record can go upwards for $1,000. And this is because medical records can be used for a wide array of very specific and dangerous threats. They can be used for Medicare fraud, they can be used for prescription fraud, they can be used for good old fashioned identity theft. They can be used for medical blackmail, in cases where individuals might have sensitive diagnoses.

Dave Bittner: [00:04:16:00] Robert Lord warns that a lack of confidence in the security of medical records isn't just a consumer issue, it could be slowing down the development of new treatments as well.

Robert Lord: [00:04:25:05] There is still a lot of issues around trust with this data. Until you have systems that ensure the appropriate use, user by user, patient by patient, scenario by scenario of all of this data, you're not really going to be in a situation where people are going to feel comfortable processing, analyzing and using that data for anything from clinical trials to personalized medicine to the wide array of promises that have been levied by the EMR industry.

Robert Lord: [00:04:53:09] So, I guess where I see things going is, I think that privacy and security enhancing technologies like Protenus will really pave the way for advances that, right now, have been slowed and blocked for a variety of different reasons. But I think that once we can restore that trust in health care, we're going to see an explosion using all of the data that we have, using all of the information, and people feeling that not only is it providing benefit but they don't need to make that privacy and security trade-off that, right now, I think people feel a lot of tension around.

Dave Bittner: [00:05:24:11] That's Robert Lord from Protenus.

Dave Bittner: [00:05:28:07] The recently-patched Flash zero-day has now been integrated into at least three exploit kits, as FireEye, Proofpoint, Cyphort and Kafeine have told Threatpost. It's being distributed with Magnitude, Angler and Neutrino.

Dave Bittner: [00:05:41:19] In industry news, the SWIFT funds transfer system plans to release a plan for upgrading security some time today. The organization plans to improve information sharing, harden security requirements for it's member institutions and offer those members help in detecting fraud through some form of pattern recognition.

Dave Bittner: [00:05:58:20] IBM may be preparing another round of layoffs but that doesn't mean it's not hiring. It is, just not in those areas supporting business lines it's exiting. Security types remain in demand.

Dave Bittner: [00:06:10:09] VArmour has raised $41 million to support expansion of its data center and cloud security business.

Dave Bittner: [00:06:17:02] US Cyber Command has announced the companies who've won places on its big, that's $460 million big, cyber IDIQ contract. The primes include KeyW, Vencore, Booz Allen Hamilton, SAIC, CACI Federal and Secure Mission Solutions.

Dave Bittner: [00:06:36:01] Romanian hacker, Marcel Lehel Lazar, better known by his nom-de-hack, Guccifer, is preparing to plead guilty to several charges in US Federal Court. Guccifer is famous for his claims to have doxxed former President Bush and to have pwned former Secretary of State Clinton's now famous and controversial homebrew email server. The latter claim is disputed by both Ms Clinton, who says it never happened, and the State Department who says, there's no evidence it happened.

Dave Bittner: [00:07:03:10] In the US, dismissed Department of Defense Assistant Inspector General John Crane, has filed charges with the Office of Special Counsel, alleging illegal retaliation against whistle-blowers. At least one of the charges has been referred to the Justice Department for investigation.

Dave Bittner: [00:07:19:01] Finally, if you didn't think that acting against terrorist information operations was technical tough, consider the pitfalls the ambiguity of natural language places in the technologist's path. Residents of Oxfordshire are having trouble with PayPal, which, with the best intentions in the world and considerable official encouragement, is blocking payments headed for ISIS. Unfortunately there's an Isis River nearby and plenty of innocents live on streets with names that include the word ISIS. We'll leave it as an exercise for you to come up with other innocent usages of ISIS. This issue of having problematic words embedded in innocent words is known as the 'Scunthorpe Problem', and we'll also leave it to you to figure out why. We are, after all, a family show.

Dave Bittner: [00:08:08:04] This CyberWire podcast is brought to you through the generous support of Betamore, an awarding co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:08:28:24] Joining me once again is John Leiseboer, he's the CTO at Quintessence Labs, one of our academic and research partners. John, I know you all do a lot of research with cloud data storage, particularly on how to protect your data in the cloud.

John Leiseboer: [00:08:41:16] Yes. Cloud data storage is one of those areas that we're seeing increasing take up by many, many different individuals and organizations. Most of us have subscriptions to some sort of cloud storage service, like Dropbox or Drop or maybe at enterprise level we're using Google AWF or Glacier or something like that.

John Leiseboer: [00:09:04:17] What we're doing when we're using these services is we're handing over our information, our data to the operators of those services. In some cases that's okay, we might not be too worried about having our information stored and managed in someone else's system. In fact, from a cost and operational point of view, it's very advantageous, it's a lot easier to use someone else's well-managed and secure, to some degree, system to store our data.

John Leiseboer: [00:09:36:12] But when it comes to data that is particularly concerning with respect to loss, and by loss I mean loss of confidentiality information, then we need to have a bit of a harder think about how we use cloud storage data services. I'm not saying we shouldn't trust cloud storage vendors but like most of the listeners here today, I am concerned that when I hand over my data to a third party, that third party not only contractually is bound to look after my data properly but actually does look after it. Even in the face of perhaps a subpoena from a relative authority or even from accidental revealing of information stored in their services.

John Leiseboer: [00:10:23:16] With cloud data storage how to protect it? I guess if we have those sorts of concerns, I think the only one real answer is to look at encryption technologies to protect that information. When using those encryption technologies make sure that encryption is performed in such a way that the provider that's storing information is not in control of the keys. That might mean encrypted data before you pass it out to a storage service, or it might mean use two or more different vendors out there to handle a different part of each piece of the storage solution. So that's one vendor manages the keys, another vendor manages the actual storage itself. Through that methodology you can provide a bit of a higher level of protection around that information that you're giving to someone else to look after on your behalf.

Dave Bittner: [00:11:16:22] John Leiseboer, thanks for joining us.

Dave Bittner: [00:11:21:05] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible and if you're interested in reaching a global audience of security influencers and decision-makers, well, you've come to the right shop. Visit thecyberwire.com/sponsors to learn more. Don't forget to review us on iTunes, like us on Facebook and follow us on Twitter.

Dave Bittner: [00:11:44:12] The CyberWire is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.