The CyberWire Daily Podcast 5.25.16
Ep 107 | 5.25.16

Ransomware & DDoS combining. Malicious USB chargers. Cyber ops aren't bombs?

Transcript

Dave Bittner: [00:00:03:14] Ransomware remains a problem and now it's being combined with DDoS. A Kansas hospital finds that paying the ransom may no longer get you your files back. TeslaCrypt is giving way to CryptXXX. The FBI warns that malicious USB charging devices are being found in the wild, they contain keyloggers. Are US cyber operations cyber bombs? Or are they battlespace preparation? And I wonder, those passwords I find easy to remember? They're still good, right?

Dave Bittner: [00:00:33:19] Today's podcast is made possible by ClearedJobs.net. Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at thecyberwire.com/clearedjobs.

Dave Bittner: [00:00:59:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 25th, 2016.

Dave Bittner: [00:01:05:16] Ransomware continues to trouble enterprises worldwide. It's increasingly being teamed with distributed denial-of-service attacks, that earlier form of cyber extortion, and both sophisticated and blunt instruments of attack are being used in the wild. More criminals are making use of combined ransomware and DDoS attacks. KnowBe4, Invincea and FireEye are tracking this development, and many observers think it represents the new normal.

Dave Bittner: [00:01:33:02] Such attacks are inexpensive to mount and promise a good payoff, we can expect more of them. We heard from Travis Smith, a security researcher at Tripwire, on why ransomware has become so attractive to criminals. Compared with other forms of cyber crime, he said, ransomware is easy to monetize, profiting from spamware or purloined data is time-consuming, and in many cases requires more expertise than the typical criminal has. These forms of cyber crime also carry a higher risk of your being detected and apprehended. It's also grown easier to get ransom demands paid. Smith said, "the rise of anonymous crypto currency, such as Bitcoin, has made it easier than ever for attackers to infect a machine with ransomware. The success of ransomware has made it possible for cyber criminals to make hundreds or thousands of dollars per infection and they get paid immediately."

Dave Bittner: [00:02:25:17] So, looking at the currently available ransomware, TeslaCrypt still seems to be on its way to retirement, we stress "seems" because of the frequency with which malware, botnets and threat actors have returned from what was thought to be their graves. Trend Micro adds its voice to those who see TeslaCrypt's former users moving to CryptXXX, one of the more sophisticated criminal tools.

Dave Bittner: [00:02:48:19] The blunt instrument is represented again by Cyber.police, whose foolish and unpersuasive lock screen message shows a 12-year-old's scareware design sense. As in, "you're caught, the cyber police have got you, are you ever in trouble," but all that aside, Cyber.police is a nuisance and remains a problem for Android devices.

Dave Bittner: [00:03:10:03] Backing up your data remains a sound approach to protecting yourself against ransomware, especially if you're an individual user, it's a good practice for an enterprise too, but in that context it's more complicated and more difficult. Many enterprises have been tempted to pay the ransom in order to restore crucial systems to operation, this has been true in particular of healthcare enterprises where availability of data and systems is crucial to patient care. Hollywood Presbyterian Hospital in Los Angeles paid ransom in such circumstances and succeeded in restoring its systems.

Dave Bittner: [00:03:43:00] But payment is no longer a reliable path to recovery, if indeed it ever was. Kansas Heart Hospital in Wichita sustained a ransomware attack and made the judgment that it was better to pay the ransom, as Hollywood Presbyterian did, than to fight through the attack as MedStar did. So, Kansas Heart paid, but the attackers reneged on their promise to release the encryption keys, the criminals decrypted a fraction of the affected data then demanded further payment. Kansas Heart has had enough, it's no longer paying.

Dave Bittner: [00:04:13:07] Keyloggers are still with us. The US FBI recently issued a warning that it had found USB charging devices bearing keyloggers, be careful what you plug into your device no matter how innocent it may have looked at that trade show, or just sitting there in the parking lot.

Dave Bittner: [00:04:29:03] In industry news, it appears that Blue Coat, privately held for the last six years, may be preparing for an IPO. There are rumors of a move in this direction as early as next week.

Dave Bittner: [00:04:39:22] US Army Cyber Command has integrated cyber operations into more comprehensive, combined arms training, and the other services have similar programs underway, so the capability is being increasingly mainstreamed. In essence, as NSA Director and Cyber Command head, Admiral Rogers, put it last week, the Department of Defense is determined not to give an enemy uncontested freedom of action in cyberspace.

Dave Bittner: [00:05:03:20] US Secretary of Defense, Ashton Carter, has been surprisingly open about the offensive cyber operations against ISIS, even describing them as "dropping cyber bombs," this is, for the most part, metaphorical and some observers take exception to it. Defense One, for example, argues in an opinion piece that cyber operations are better understood as, "what they are: changing spreadsheets, intercepting email, jamming comms and a lot of deception." Thus not so much bombing as battlespace preparation, and battlespace preparation is indeed what the tactical cyber exercises appear to include.

Dave Bittner: [00:05:41:11] Finally, Microsoft's Azure Active Directory is now blocking weak passwords that have appeared among leaked data. Thus, reports the Register, "M!cr0$oft", even with an exclamation point for an I, a zero for an O and a dollar sign for an S, will not be accepted. No word yet on Ninja, let me in, or 123456, so I figure I'm still good, right? I mean, I use that for everything.

Dave Bittner: [00:06:11:13] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:06:32:07] I'm joined once again by Markus Rauschecker, from the University of Maryland's Center for Health and Homeland Security, one of our academic and research partners. Markus, we've been seeing recently that the FCC and congress, well, when it comes to the internet of things they're saying that this might not be the best place to impose a lot of regulatory law.

Markus Rauschecker: [00:06:50:11] Yes, well, at this point it seems that imposing regulatory schemes on the internet of things area would probably be premature. We're seeing a tremendous explosion of IoT devices, of course, it seems like these days everything is starting to be connected to the internet, and we're certainly seeing some pretty cool things come out of that, and consumers are demanding this interconnectivity. At the same time, this also raises tremendous vulnerabilities when it comes to these devices, as more and more devices are connected the vulnerabilities are increased. The real problem is that a lot of these devices, while they are connected to the networks, are not secure enough when it comes to securing people's privacy or personal information, and there's a real concern that more needs to be done when it comes to securing those IoT devices.

Markus Rauschecker: [00:07:41:04] Implementing a regulatory scheme on top of this IoT field seems to also run counter to the incredible innovation that we're seeing in the IoT field. Certainly there are new ideas and new devices being developed almost on a daily basis, and the fear is that, if a regulatory scheme is placed on top of this, it would severely diminish the innovation that we're seeing these days. So there's a natural tension here between the innovation part and the security part of IoT, there's no real good solution right now, I think, but certainly everyone recognizes that more needs to be done when it comes to securing these IoT devices.

Dave Bittner: [00:08:24:20] There was a story in The Hill recently where they quoted one FTC commissioner who said that they needed to exercise regulatory humility, I think that's an interesting take on the situation.

Markus Rauschecker: [00:08:36:11] I think there's a recognition on congress' part and the community at large that the regulatory scheme does have a role to play, but, when it comes to a new field like IoT one really needs to think about how to best implement those regulations. We certainly don't want to stifle innovation, but we do also need the security that is going to protect those devices and the data that is being stored on them. Right now we're a little premature in terms of trying to implement some sort of regulatory scheme, but I think, further down the road, we'll probably see more action in this field.

Dave Bittner: [00:09:17:11] Alright, Markus Rauschecker, thanks for joining us.

Markus Rauschecker: [00:09:19:08] Thanks very much.

Dave Bittner: [00:09:23:09] And that's the CyberWire. If you enjoy our show we hope you'll help spread the word and tell your friends and co-workers and recommend us on social media. It really does help and we really do appreciate it. The CyberWire is produced by Pratt Street Media, our editor is John Petrik and I'm Dave Bittner. Thanks for listening.