Dave Bittner: [00:00:03:22] Yahoo!'s deal with Verizon is still on but also still in doubt. Industry observers wonder just who that state-sponsored hacker might be. Fancy Bear is back and distributing a Mac Trojan to aerospace companies. Investigation of the Shadow Brokers' leak suggests inadvertent exposure, not hackers or moles. A new variant of Virlock ransomware is out in the wild. The US Justice Department warns of IoT threats. And a Hamburg magistrate finds Facebook in violation of German privacy law.
Dave Bittner: [00:00:38:02] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's cyber daily, and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:35:19] I am Dave Bittner in Baltimore with your CyberWire summary for Tuesday September 27th 2016.
Dave Bittner: [00:01:42:06] Yahoo!'s deal to sell its core assets to Verizon is still on, but it's also still in question. The agreement gave both parties an out should some cyber issue not discovered during due diligence come to light, and Verizon was, according to reports, unaware of Yahoo!'s massive breach until last week. Courts offers the assessment that "Yahoo! wasn't lying when it told Verizon it didn't know about the biggest hack in history." Most accounts still link discovery of the breach to Yahoo!'s investigation of dark web claims by cyber criminal "Peace" that he or she had about 200 million Yahoo! credentials for sale. However, some reports late yesterday suggest that Yahoo! may have begun to have suspicions before Peace started the ballyhoo.
Dave Bittner: [00:02:25:18] Yahoo! has claimed that a state-sponsored actor was responsible for the breach, but skeptical industry observers are offering theoretical grounds for thinking this unlikely. Security company A10 Networks commented dismissively in a CSO story that states are interested in intellectual property, not emails and passwords from a Yahoo! account.
Dave Bittner: [00:02:46:19] It is true that states, particularly China, have indeed been interested in intellectual property. But one must also note that they are also interested in personal information, as we saw in the OPM hack, and that Russian intelligence services seemed to have taken an interest in White House and DNC email credentials. So A10's observation is interesting but hardly dispositive.
Dave Bittner: [00:03:07:15] It's fair to say that blaming a nation state for a hack is hardly an admission against interest. Almost every company that sustains a successful cyber attack would prefer to be the victim of an intelligence service as opposed to an ordinary crook - even less, a skid hobbyist or a random script kiddie. You look less negligent if your hacker was the PLA or the GRU.
Dave Bittner: [00:03:28:02] It's also entirely possible, as security company Flashpoint told CSO magazine, that US law enforcement agencies may have asked that Yahoo! refrain from saying too much about an ongoing investigation. Yahoo! has the usual foreseeable legal exposure due to the breach. Not only is the Verizon deal in doubt, but several class action suits have been initiated. US senators have also asked the Securities and Exchange Commission to investigate.
Dave Bittner: [00:03:54:10] In other state-sponsored hacker news, Fancy Bear is poking at Western aerospace industry targets with a new Mac Trojan, Komplex. Palo Alto Networks Unit 42 reports that the threat group otherwise known as the GRU is distributing Komplex via phishing emails. There is no OS X zero-day being exploited here, it's all user interaction. It's probably worth running through the other names associated with Fancy Bear, since we've heard them before and we'll hear them again. APT28, Pawn Storm, Sofacy and Sednit. Different badges but the same familiar people.
Dave Bittner: [00:04:30:19] We hear over and over again that there is a serious shortage of qualified candidates for cyber security jobs. Kathleen Smith is chief marketing officer at ClearedJobs.Net, and she joined us in our Baltimore studio to discuss a recent study addressing this issue.
Kathleen Smith: [00:04:46:15] This is the hack in the skills shortage, which was commissioned by Intel, done in partnership with the Center for Strategic International Studies. Really looking at the global workforce challenge, along with what our government's doing and what level of education programs are available in eight countries globally. So what's interesting is all respondents in all eight countries said that they felt that their education programs were deficient, and they really felt that it was the government's role to be able to make sure that the educational programs were coming up to speed as far as providing enough cyber security programs.
Dave Bittner: [00:05:31:10] Take us through some of the key findings of this study?
Kathleen Smith: [00:05:33:20] 71% said that the shortage has caused measurable damage to their business. One in four said the insufficient staff strength that they had, meaning not only the number of people, but the depth and the breadth of the skills that the people had damaged their reputation and led to intellectual property loss.
Kathleen Smith: [00:05:54:17] The skills that were in the shortest supply were intrusion detection, secure software development, attack mitigation and these were more important than the lack of communication or leadership or team management that companies say that they were looking for.
Kathleen Smith: [00:06:11:06] While half of the companies prefer a Bachelor's degree for entry into the cyber security workforce, it was not an indicator of skills they found. Hands-on skills and professional certifications were valued higher; 68% said that CTFs - Capture the Flag programs - are critical in developing skills within their organizations. Finally, nine out of ten respondents said that technology at some point will be able to take up the slack by providing automation.
Dave Bittner: [00:06:42:15] So I think a take away from that; if you're a student working your way up through your Bachelor's degree, what should you be doing?
Kathleen Smith: [00:06:51:07] You should be making sure that if there is any Capture the Flag program going on - locally or regionally - that you are part of it. There are also several of the Capture the Flag competitions available online. When I've done a recent search, you can find one pretty much going on every single week.
Kathleen Smith: [00:07:10:22] Some of the other components that I really like to balance - this study was really looking at the employer dynamics. While many studies will say we need to invest in more students, we need to invest in more education, a core aspect in this is the employer dynamics. It is not just filling butts on seats. It's really looking holistically at how you're going to recruit, cultivate and retain your workforce. So many of the employers said that they were just interested in filling the seats. They were not interested in looking at further investment which it is a challenge because candidates in the workforce say, "I need to be able to stay at this company, I need to be sponsored to participate in events, I need to be sure that there's certifications that you are requiring me to have that you're going to help pay for those." Therefore, it is really looking at shifting the dynamics of the employers, not just on how they recruit but how they retain their workforce.
Dave Bittner: [00:08:16:11] That's Kathleen Smith from ClearedJobs.Net. We'll hear more from her on tomorrow's CyberWire podcast, including her views on what companies need to do to attract and retain the best of the best.
Dave Bittner: [00:08:29:21] Many Cisco routers vulnerable to the zero-days exposed by the Shadow Brokers remain unpatched. The FBI's investigation into where the Shadow Brokers got the material they leaked is said to be moving away from the theories that Russian services accessed NSA networks, or that a Snowdenesque insider compromised NSA tools, and toward the NSA's own view. Someone inadvertently left the material exposed on a server.
Dave Bittner: [00:08:54:12] Ransomware continues to concern enterprises, especially in the health care and educational sectors. Netskope researchers warned this morning against a new strain of Virlock ransomware. Virlock is itself about two years old, but its newest variant is polymorphic. It both encrypts and infects and it's particularly troublesome in a cloud environment where Virlock can spread through syncing and file sharing.
Dave Bittner: [00:09:18:02] The DDoS campaign that took KrebsOnSecurity offline last week continues to arouse fears around internet-of-things security. The very large denial of service attack was evidently accomplished using IoT botnets. The US Justice Department is issuing new expressions of concern over IoT-based threats.
Dave Bittner: [00:09:37:03] And, finally, if you didn't much care for Facebook's use of WhatsApp user data, you're not alone. In Germany, Hamburg's Commissioner for Data Protection and Freedom of Information has found the social media giant in violation of privacy laws. So the relationship status here should be set, at best, to complicated.
Dave Bittner: [00:10:00:07] We've got another message from our sponsor, Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC, on October 5th and 6th. This year's annual conference promises to be at least as good as the last four, after all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cyber security depends on actionable intelligence, network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun. That's recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:11:01:11] And I'm joined once again by Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, I spent some time over the previous weekend helping my father with his computer. Just updating the OS and it struck me that, when it comes to older folks, which my father is, they are particularly vulnerable when it comes to people trying to come after them to steal their stuff in the cyber world.
Joe Carrigan: [00:11:27:11] Yes. They are more vulnerable because they didn't grow up in the kind of environment that they exist in now. I don't know what study I could point to, but I have this general feeling that, as we get older, we get a little less adaptive to change and to the way things are becoming different around us. If you think of this generation that's now retiring, they have seen a significant amount of change in their lifetimes. They have gone from having no computers in the world, or in their life rather, to having computers all around them and that's a hugely significant change that's happened.
Dave Bittner: [00:12:04:19] One of the things I ran into was that he was a couple of versions of the operating system behind.
Joe Carrigan: [00:12:11:19] You don't like to see that because you want him to be up to date because that's a best security practice.
Dave Bittner: [00:12:16:06] Exactly. That's kind of my point. While I want to have him on the latest version for all of the security reasons, it's hard to bring him up to date because things change in the operating system and that's a discomfort for him.
Joe Carrigan: [00:12:31:00] The user interface changes and he's gotten accustomed to using the old interface and now he gets a new system, and there is a completely new interface.
Dave Bittner: [00:12:39:18] Right. You and me, and I'm sure most of the people who are probably listening to this show, end up being the default tech support.
Joe Carrigan: [00:12:47:12] Correct, yes.
Dave Bittner: [00:12:47:12] For our older parents and our loved ones. They look to us. From the security point of view, I basically have my father trained so that, whenever something unusual happens on his computer, I get a phone call or an email.
Joe Carrigan: [00:13:02:13] Yes, I get the same thing.
Dave Bittner: [00:13:05:03] I think that's a good thing.
Joe Carrigan: [00:13:06:08] I would agree, I think that's very important. You certainly don't want them picking up the phone and calling some scammer and saying, "Well what do I do now?"
Dave Bittner: [00:13:13:14] Right.
Joe Carrigan: [00:13:13:16] The answer is always, "Well you give me your credit card number."
Dave Bittner: [00:13:16:00] Right. Sometimes I have to check myself, because it can be frustrating to be interrupted in whatever you're doing to take care of their basic needs.
Joe Carrigan: [00:13:25:13] Yes. I find that that's not something that happens just between me and say my older parents, but even between me and my wife or my kids or other kids. I get this feeling of why don't you understand this? The answer to that is that they don't understand it like you don't understand it because they're not steeped in it every day.
Dave Bittner: [00:13:47:16] I remind myself that our day will come and someday our children will be looking at us, shaking their head ruefully at our inability to understand the latest technology the same way that we are with our parents.
Joe Carrigan: [00:14:02:19] How do you work the Snapchat?
Dave Bittner: [00:14:05:19] That's right. Alright Joe, good talking to you.
Joe Carrigan: [00:14:08:07] Good talking to you too.
Dave Bittner: [00:14:10:15] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. And if our daily podcast just isn't enough for you to get your fill, I'm a regular contributor on the Grumpy Old Geeks podcast for their Security, ha! segment. It's a bit looser than what we do here and it's a lot of fun so do check it out.
Dave Bittner: [00:14:33:20] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.