The CyberWire Daily Podcast 6.29.20
Ep 1119 | 6.29.20

Ransomware pays, in California. Kashmir utility recovers from cyberattack. Update on hacktivism vs. Ethiopia. Another misconfigured AWS account. Guilt and sentencing in high-profile cybercrime.

Transcript

Elliott Peltzman: The University of California, San Francisco pays NetWalker extortionists nearly a million and a half to recover its data. A Kashmir utility restores business systems after last week's cyberattack. The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored activity. Our very own Rick Howard talks about wrapping up his first season of "CSO Perspectives." Our guest is Sanjay Gupta from Mitek, discussing how online marketplaces can balance security with biometrics. Data are exposed at an e-learning platform. Three prominent cyber hoods go down in U.S. federal courts. And Lion says the beer is flowing, post-ransomware.

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, in for Dave Bittner, with your CyberWire summary for Monday, June 29, 2020. 

Elliott Peltzman: The University of California has decided to pay a gang that infected, quote, "a limited number of servers" at its University of California, San Francisco unit with NetWalker ransomware, Computer Business Review reports. The university said the encrypted data were, quote, "important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay for a tool to unlock the encrypted data and the return of the data they obtained," end quote. The public good claim appeared to suggest that COVID-19 research was impeded, but Bloomberg, which put the amount of ransom paid at $1.4 million, says the university maintains its work on the virus was unimpeded. 

Elliott Peltzman: The BBC has an account of the negotiations between UCSF and the gang in which the extortionists explicitly threatened to release stolen student information. There was an extended negotiation between the criminals and the university. The initial demand was for 3 million, but UCSF succeeded in getting the amount knocked down to a million and a half, with the extortionists eventually settling for slightly less than that. Payment, and even post-negotiation for the NetWalker operators, was, of course, made in bitcoin. The university is working with the FBI and other law enforcement agencies on the case. 

Elliott Peltzman: In India, business systems were affected by an unspecified cyberattack against the Jammu and Kashmir Power Development Department, but the Kashmir Observer says the utility is well on its way to recovery. The most prominent of the affected systems had been the utility's bill-paying app, which was unavailable to customers, along with certain other online services. Power generation and distribution were apparently unaffected in this incident. 

Elliott Peltzman: In an update on last week's cyberattacks against Ethiopian targets prompted by an ongoing dispute between Cairo and Addis Ababa over Ethiopia's construction of a dam on the Blue Nile, Quartz reports that there's still no sign of any connection between the hacktivists and the Egyptian government. The Grand Ethiopian Renaissance Dam, GERD, has been under construction since 2011. 

Elliott Peltzman: Most of the attackers claim to be adherents of the Cyber Horus Group. Their activities have, for the most part, involved website defacements. One of those affected the homepage of a regional police training center. It threatened war for the Nile and uttered a Pharaonic curse upon Ethiopians. The hacker left messages on the homepage of an Ethiopian regional police force training center, threatening war over the Nile and a Pharaonic curse upon Ethiopians. Most of the hacked websites included the Pharaonic imprecation, quote, "If the river's level drops, let all the Pharaoh's soldiers hurry and return only after the liberation of the Nile, restricting its flow," end quote. 

Elliott Peltzman: The Pharaonic iconography is there in images the Cyber Horus Group used to mark its victims' pages - a skull wearing a pharaoh's headdress, two skeletal hands clutching a knife and a sickle, crossed bones beneath it all. Imagine a Middle Kingdom version of the talking skull on the "Pirates of the Caribbean" ride at Disneyland, the one that chatters "Dead men tell no tales!" to distract you just before your boat drops down a flume, and you'll get the effect. 

Elliott Peltzman: In any case, the UN is seeking to broker negotiations among the three involved countries - Egypt, Ethiopia and Sudan. The hacktivism seems, in Quartz's view, to be having little effect, if any. 

Elliott Peltzman: VpnMentor has discovered an exposed AWS database belonging to OneClass, a Toronto-based e-learning platform widely used in Canada and the US. VpnMentor says the database held 27 gigabytes of data, totaling 8.9 million records, and exposed over 1 million individual OneClass users. OneClass, which secured the database upon notification, says the data were on a test server and bore no relation to actual individuals. VpnMentor believes to the contrary that the database did, indeed, hold information on students and lecturers. 

Elliott Peltzman: In the world of crime and punishment, some fairly high-profile criminals received their sentences last week. Sergey Medvedev, a Russian national and one of the leading figures of the Infraud Organization carding gang - known for their swaggering slogan, in fraud we trust - copped a guilty plea Friday in the US District Court for the District of Nevada to a charge of RICO conspiracy. Infraud did a lot of damage. The US Justice Department says the gang inflicted actual losses of 568 million. KrebsOnSecurity reported Saturday that Aleksei Burkov, formerly of St. Petersburg, Russia, and one of the admitted bosses of CardPlanet, got nine years from the US District Court for the Eastern District of Virginia. It's a stiff sentence for a guilty plea, which led some observers to speculate that Mr. Burkov didn't give the prosecutors much. And one of the hoods who faced the music was an American, Kenneth Currin Schuchman, who received 13 months in Club Fed from the US District Court of the District of Alaska. Mr. Schuchman was sentenced for his role in creating the Satori botnet, one of the more troublesome successors of Mirai. 

Elliott Peltzman: And, finally, the beer is flowing again from the Lion brewery to thirsty customers in Australia and New Zealand. Gizmodo says the beverage firm - they also do juice and milk in addition to beer - has restored operations to the ransomware attack it sustained earlier this month. Some of the better-known brands the company produces include XXXX, Tooheys, Little Creatures and James Squire. Lion is a subsidiary of Japan's well-known Kirin. 

Elliott Peltzman: The attack Lion suffered was from the REvil gang, which usually steals information as well as rendering it unavailable. Lion said in an update on the incident it issued late last week that it didn't think it had lost any data, but it was properly cautious - quote, "to date, we still do not have any evidence of any data being removed. As we indicated last week, it remains a real possibility that data held on our systems may be disclosed in the future. Unfortunately, this is consistent with these types of ransomware attacks," end quote. 

Elliott Peltzman: REvil has threatened, according to Security Affairs, to release stolen data. Pay up, they told Lion, quote, "otherwise all your financial and personal information, your clients and other important confidential documents will be published or put up for auction," end quote. 

Elliott Peltzman: Our guest today is Sanjay Gupta, who is VP and global head of product and corporate development at Mitek. He sat down with Dave to discuss how online marketplaces can balance security with biometrics and also the unnerving practice of creating synthetic IDs. Here's Sanjay. 

Sanjay Gupta: I think people know there's been a lot of data breaches over the last few years. There's probably hundreds of millions of records that exist out there. But additionally, as people - you know, they die, and their data is still available. These fraudsters - they've kind of gotten onto this. So in the previous stages, the idea was called ghosting, where you would just steal information from a recently deceased person, then maybe look at their bank account, et cetera. But recently, what's been happening is that they've been using these individuals' Social Security numbers and then tying it to the data that's been stolen to create a synthetic ID. So they would basically take a Social Security number, come up with a name and address, use a date of birth. And then with the recent technologies around deepfakes, you can also attach a photo to it. And so all of that would be used to create, let's say, an ID. And that ID would be used for very nefarious purposes. 

Dave Bittner: And so what are your recommendations for folks to protect themselves against this? 

Sanjay Gupta: So first of all, I give you the second area where these fraudsters get Social Security numbers, which is from recently born kids. So, you know, you have a kid who's got - just got born. They have a Social Security number attached to them. What I would recommend there is actually set up a bank account for these kids upfront. So as soon as you have a bank account, then they become part of the system, whereas for the recently deceased, you should really look at just filing all the paperwork that is relevant and making sure that, you know, you're notifying all of the different companies that may be using that particular individual's assets. 

Sanjay Gupta: And for companies that are trying to onboard individuals that look like fraudsters, you typically want to ask for their ID to kind of look at. So at Mitek, what we do is, you know, we have the capability of reading an identity card or a driver's license and tell you to a certain extent if it's fake or not, but then also asking for their selfie. And the selfie brings two pieces of the puzzle. The first one is we can actually check to see if the person's live at the time when they're enrolling for a new account. But also, after the selfie's taken, match the photo to the actual selfie that was just recently taken before you set up the account. So those are kind of the things that I would recommend. 

Dave Bittner: Now, what happens to the families of these deceased people who get their identities taken over? I mean, can the spending sprees of these crooks come back to haunt them? 

Sanjay Gupta: Typically, in the synthetic world - now we're dealing strictly in the synthetic identities - it's really a victimless crime 'cause they state - they've taken stolen information from various disparate parties and even made some stuff up. So, really, the victims are going to be - first of all, you know, if you are a, let's say, just a recent grad or an immigrant, then potentially you may be asked to provide extra documentation and/or you may be given a loan but at a higher interest rate amount. Typically, these cases last - you know, they're not done overnight. You're talking 12 to 15 to two years. So they're very crafty, done by, you know, very, very hardened criminals. And they're going to wait the long game to kind of take advantage of this. 

Elliott Peltzman: That's Sanjay Gupta from Mitek. 

Dave Bittner: And I'm joined once again by Rick Howard. He is the CyberWire's chief analyst and chief security officer. But more important than either of those things, he is the host of the "CSO Perspectives" podcast. Rick, great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So you've had quite a season with "CSO Perspectives," and you're wrapping up your first season of the show. How are you wrapping things up in a bow for your listeners this week? 

Rick Howard: Well, you know, it's been quite a ride. We really didn't know what this thing was going to turn out to be. You know, we had some big idea, and most of the shows, or at least some of the first shows, started out as, you know, things that Rick was interested in, right? So it finally kind of focused down into trying to figure out what do I think is kind of a unified theory of information security using first principles. And we've gone through a number of shows that talked about that. We talked about zero trust. We talked about intrusion kill chains, resilience, DevSecOps, risk and cyberthreat intelligence. This last episode to summarize the season is going to hit those points at a high level and talk about why we need a unified theory, as opposed to, like, maybe one of the famous frameworks, like the NIST Cybersecurity Framework, which, by the way, I love. But it's not really a unified theory. 

Dave Bittner: Well, it's an ambitious goal. Can you give us a little preview of what you're aiming at here? 

Rick Howard: Yeah. Because - you know, the NIST framework is fantastic, by the way. Let me just say that, OK? It's probably one of the best examples of a public-private research program. NIST ran it, and then they brought in everybody from the academic community and from the commercial sector to figure out what everybody was doing in cybersecurity and to identify what the best practices were. And it is a fantastic research document. But the thing I'm going to point out in this show is, yes, it is a great example of what everybody is doing, but the question is, are those the things we should be doing, right? And I'm challenging that in this episode. 

Dave Bittner: All right. Can you give us a little sneak peek? What sort of things are you going to recommend? 

Rick Howard: Well, when we think about what's important, when we try to get down to the essence of, you know, what we're trying to do for our program, that's why we bring in first principles. This idea of first principles has been around for, you know, a long, long time - but even famous people like Elon Musk can use it to design their programs, right? And the idea is in order to build some big framework, the thing you have to identify first is what are you trying to do. You need to find the atomic element of the thing you're trying to accomplish and then build up from there. And until you find that first principle, it's very difficult to come up with a framework. 

Rick Howard: Now, don't get me wrong. The NIST Cybersecurity Framework has all the elements of a great infosec program. If you try to manage that, I think you will have a great program. But what I'm trying to make sure is that we don't have any inconsistencies, right? There was a famous story back in the early 1900s. The math community had a problem, OK? They - you could get a different answer using the accepted best practices, the accepted rules in the math community. You'd get a different answer. They called it the Russell (ph) paradox. And these two British mathematicians spent - wrote a huge book to rebuild the math community from the ground up using first principles again. So I'm trying to get at that in this last episode. 

Dave Bittner: Yeah, it reminds me. Wasn't there a thing back - I want to say back in the Pentium days, the computers were - like, depending on which processor you asked a particular math question to, you might get a slightly different answer. 

Rick Howard: Yeah, that's right. 

Dave Bittner: Remember that? 

Rick Howard: 'Cause they were trying to preload it. Yeah, I do remember that. It's like, oh. 

Dave Bittner: Yeah. 

Rick Howard: Wait; maybe that's not precise enough. 

(LAUGHTER) 

Dave Bittner: Right. It's like the one thing we thought computers were good at, right? Like... 

Rick Howard: Yeah. 

Dave Bittner: ...The one thing, yeah. 

Rick Howard: Giving the same answer over and over again at home. Maybe that's (laughter)... 

Dave Bittner: Yeah, yeah. 

Rick Howard: Well, that's kind of what we're talking about here, right? 

Dave Bittner: Yeah. 

Rick Howard: So how do you make sure you're - the result you get in your infosec program is consistent? 

Dave Bittner: Yeah. All right, well, the show is "CSO Perspectives." Head on over to thecyberwire.com. You can find out how to subscribe. Rick Howard, as always, thanks for joining us. 

Rick Howard: Thank you, sir. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team, working from home, is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman, filling in for your faithful host, Dave Bittner. Thanks for listening.