The CyberWire Daily Podcast 6.6.16
Ep 114 | 6.6.16

Sovereign mafia state? Spearphishing with Pay Commission bait. IoT risks.


Dave Bittner: [00:00:03:19] Money-laundering, fraudulent wire transfers, and the possible emergence of a "sovereign mafia state" with no connection to the actual Cosa Nostra. Anti-racketeering and cyber criminals' return-on-investment. Android in malware developers' crosshairs. Irongate's ultimate purpose remains obscure: it's not in the wild, yet, but some variant of the Son of Stuxnet may wind up there. Pakistan-based threat actors target Indian government officials. And who in the world would use "dadada" as a password?

Dave Bittner: [00:00:34:17] Today's podcast is made possible by ThreatConnect. Join their free webinar and learn how security incidents happen at the seams between tools and teams, and how you can unite your people, processes and technologies behind an intelligence-driven defense. Sign up today at

Dave Bittner: [00:00:57:11] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 6th, 2016.

Dave Bittner: [00:01:02:24] As investigation into the SWIFT-linked Bangladesh Bank fraud continues, sources close to the inquiry tell Reuters that the New York Federal Reserve Bank blocked thirty-five transfer requests before approving the five that resulted in an $81 million loss. The first time the requests appeared, they were rejected for improper formatting: no corresponding bank was listed. The thieves then resubmitted them with the missing information provided, at which point the New York Fed released five of them. The remaining 30, interestingly, were flagged and held pending review for potential economic sanctions violations. They were only later discovered to be fraudulent. The New York Fed, SWIFT, and Bangladesh Bank continue to dispute where the primary responsibility for the theft lies.

Dave Bittner: [00:01:48:05] More observers find themselves convinced by evidence developed by Symantec that the North Korean government was involved in the fraudulent transfers. The DPRK’s spoor appears in malicious code linked to the Lazarus Group, widely held to be a cut-out for Pyongyang. The US Treasury Department last week tightened sanctions against North Korea. Observers see the DPRK as increasingly dependent upon traditional organized crime methods to fund itself. The Diplomat, for example, describes North Korea as “a sovereign ‘mafia’ state.” If so, expect more anti-racketeering measures to be deployed against it.

Dave Bittner: [00:02:23:17] Carbon Black, for one, thinks such an economic approach to cyber defense might be applicable to businesses as well. An op-ed in CSO argues that the hackers threatening businesses - mostly organized criminal gangs and rogue nation-states - are themselves best understood as business motivated, to find soft targets and reduce the time spent on attacks to the minimum. So, the argument goes, you can reduce your risk by taking steps to decrease the attackers’ return-on-investment.

Dave Bittner: [00:02:51:15] Cyber conflict in South Asia is attracting much attention in the Indian press. FireEye reported late last week that hackers operating from Pakistan successfully posed as journalists - complete with a registered but quite bogus news site - to mount a spearphishing campaign against Indian civil servants. The bait was well-chosen: news articles referencing India’s Seventh Pay Commission. Since the Pay Commission will have a direct effect on government salaries, the bait was snapped up. What the interested civil servants swallowed with it was a backdoor, specifically the BreachRAT payload.

Dave Bittner: [00:03:25:11] The goal of the campaign seems to be espionage. The threat group is thought to be the same one that’s been active for several years against the Indian government and Pakistani dissidents.

Dave Bittner: [00:03:35:08] Analysts continue to investigate Irongate, the Siemens-PLC-targeting malware FireEye described last week. There’s still no sign that it’s been used in the wild, but observers differ over what this Son-of-Stuxnet might actually be up to. Proof-of-concept? Developmental article intended for use against real targets? Security testing tool? Whatever it’s up to, Irongate is evasive. It keeps an eye out for VMware or Cuckoo sandboxes (whose detection stops Irongate’s dropper from downloading) and it uses malicious DLL library files to record traffic. The malware also exhibits man-in-the-middle functionality that remains poorly understood.

Dave Bittner: [00:04:14:15] Irongate’s discovery has contributed to rising concern about the Internet-of-things. So will a new report from Carnegie-Mellon which ranks the ten riskiest emerging technologies. Nine out of ten, arguably ten out of ten, are IoT tech: augmented reality; smart homes; enterprise 3D printing; networked dashboard telematics; smart medical devices; smart robots; smart sensors; commercial drones; driverless cars, and car communication systems.

Dave Bittner: [00:04:43:17] We spoke with Malek Ben Salem, from our research partner Accenture, about the challenges posed by one aspect of the Internet-of-things, specifically device identity. We'll hear from her after the break.

Dave Bittner: [00:04:55:10] Odds are you've had to sit through your share of security awareness training videos - some of us have even had a hand in making a few of them. And when I say "training video," what comes to mind probably isn't the most entertaining thing you've ever seen. Zack Schuler is founder and CEO of Ninjio, and he wondered if it was possible to make security training videos that are both educational and entertaining.

Female in training video: [00:05:18:16] I'm still having trouble buying it.

Male in training video: [00:05:20:14] Pretty obvious to me. A copy of our movie leaks, he gets ahold of it, and decides to shut us down the only way he knows how - with a spearphishing cyber attack.

Female in training video: [00:05:30:15] How much time is left?

Male in training video: [00:05:35:15] Whoever it was, they're smart. Made sure they gave us just enough time to not be able to do anything.

Zack Schuler: [00:05:41:05] I just had this epiphany - like, "Wow! We really have to focus on the human beings." And just from personal experience, every piece of corporate training that I've ever gone through, I would start it, I would minimize it on my computer, I would go about doing my e-mail or whatever else. I would listen for audible cues to say, "select the answer," or "click next," but I wouldn't actually pay attention to any of it. And so I said, "All right, let's start with a blank canvas, and if I wanted to be trained on a topic, what would that look like?" First you need to be a storyteller.

Female in training video: [00:06:20:03] How soon after the patient died did you learn the reason you couldn't access the records was because of a computer breach?

Male in training video: [00:06:26:08] News spread fast. Minutes, I'd say. Not long after, I was contacted by our chief of staff. He told me the hospital's network had been infected with something called ransomware.

Zack Schuler: [00:06:35:24] These episodes are things that people actually watch, and we can measure engagement that we're getting, and they really watch, and we focus on a single attack vector so we don't overwhelm them with a bunch of information all at one time, and then we release a new one every month.

Dave Bittner: [00:06:54:21] The videos are animated using a Western anime style, and they are bold, and a little bit edgy.

Zack Schuler: [00:07:00:01] So for every one of those who say, "Hey, it's too racy. It's too this; it's too that," I get ten people that go, "Oh my gosh, this is racy! This is great!" [LAUGHS]

Dave Bittner: [00:07:12:20] That's Zack Schuler from Ninjio - that's NINJIO.

Male in training video: [00:07:17:16] Do not click the link. It means it's from a hacker, and clicking that link would enable them to launch a ransomware attack, turning your worst fears into our reality.

Dave Bittner: [00:07:28:24] Criminals are giving Android security some close and unwelcome attention. They’re looking for ways to exploit various APIs, with UsageStatsManager attracting considerable interest. They’re also using GitHub as a de facto collaborative R&D platform. Hackers’ ongoing attention to Android, along with smaller but significant recent signs of interest in iOS, prompt observers to think that the new wave of major data breaches may well begin with a mobile exploit.

Dave Bittner: [00:07:56:20] Finally, over the weekend hackers in India appear to have compromised Facebook boss Mark Zuckerberg’s Twitter and Pinterest accounts. Twitter and Pinterest both cleaned up the disruptions to Zuckerberg’s account, which appear to have lasted just a couple of hours. The Saudi hacking group OurMine appears to have been responsible. Akamai has seen OurMine involved in both social media hacks and DDoS since 2015. Sources tell Softpedia off the record that the group is composed of four to six teenagers. In this case they seem motivated by the lulz: they tweeted that Zuckerberg was using dadada as his LinkedIn password.

Dave Bittner: [00:08:39:07] Today's podcast is made possible by E8 security - detect, hunt, respond. E8 Security is transforming the effectiveness of enterprise security teams. Read their informative white paper, a unified use case for preventing unknown security threats, at

Dave Bittner: [00:09:04:22] And joining me once again is Malek Ben Salem - she's the R&D manager for security at Accenture Technology Labs, one of our academic and research partners. Malek, we talk a lot about the Internet-of-things, and I know you've pointed out that one of the challenges of the IoT is dealing with identity.

Malek Ben Salem: [00:09:20:23] So the IoT is witnessing tremendous growth - we've anticipated more than $20 billion of connecting things by 2020, and the ability to accurately establish and validate identity is critical, to everyday life, but particularly to things and the Internet-of-things, as machines have to communicate with each other. Identity has been the cornerstone of security for the Internet - we build trust based on our understanding of who we are communicating with - but translating that into the Internet-of-things, as machines now communicate with each other, we need to think about identity within that space differently.

Malek Ben Salem: [00:10:08:09] We have to think, also, about privacy - in a space where machines will be communicating, we want to preserve the privacy of the people using those machines, so we need to think about IoT or identity mechanisms where identity of an individual device can be grouped with other devices, so that we get some privacy protections there.

Dave Bittner: [00:10:34:13] And why is it that traditional device identity isn't adequate when we're talking about the IoT?

Malek Ben Salem: [00:10:39:18] So, the traditional identifiers that are available today are things like an IP address, for example, or a MAC address. What's also available as a traditional identifier is what is known as the UUID, or the Universal Unique Identifier, which is a 128-bit number used to identify identities. And then we have the device serial numbers that manufacturers allocate to devices. All of these are easily spoofed, or easily copied and reproduced, so none of them actually are secure against cyber attackers, so a new approach really has to be devised to ensure that machine-to-machine communication can be established in an automated and secure fashion.

Dave Bittner: [00:11:29:14] All right, Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:11:34:13] And that's the CyberWire. Thanks to all of you who've helped spread the word about our show. You can find more information and subscribe to our daily news brief at Our editor is John Petrik; I'm Dave Bittner. Thanks for listening.