Dave Bittner: [00:00:03:11] Patriotism or deniable state-hacking? IoT devices exploited as proxies. Exploit kits continue to serve up ransomware against poorly managed systems. Market volatility puts cyber stocks on a roller coaster. The US continues to work out its proportional response to Russian election hacking. Russia says it's willing to ride out all that domestic American messiness in the hope of better relations. And criminal cartels use in-game currencies for money laundering.
Dave Bittner: [00:00:36:24] And I want to take a moment to tell you about our sponsor E8 Security. You know once an attacker's in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like. There'll be visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address, or the association of a website with a limited number of user agents. That's tough for a busy security team, but it's easy for E8's behavioral intelligence platform. For more on this and other use cases, visit e8security.com/dhr and download the white paper. E8 Security. Detect, hunt, respond. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:31:23] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 13th, 2016.
Dave Bittner: [00:01:39:03] Patriotic hacktivism, possibly state-directed, flares again in the long-running antipathy between India and Pakistan. The difficulty of determining which crews, if any, are working under state control, again points out the notorious difficulties of attribution.
Dave Bittner: [00:01:56:22] Compromised IoT devices have other roles to play in the criminal underground aside from being stampeded into distributed denial-of-service attacks. KrebsOnSecurity reports that a researcher (who wishes to remain anonymous) has observed criminals exploiting IoT-looking honeypots as proxies to hide their, that is, the criminals', actual location. Concerns about the ease with which Internet-connected security cameras can be exploited also arouse continuing concerns about the threat of such networked cameras being used to spy on their owners, users and passersby.
Dave Bittner: [00:02:30:14] Criminals continue to use exploit kits to serve up various forms of malware, with ransomware continuing to lead in market share. Cerber, in particular, is being widely distributed. As many observers have noted this week, this is another object lesson in the importance of patching and other forms of good digital hygiene. The exploit kits enjoying success are exploiting little-known vulnerabilities that people have simply left open.
Dave Bittner: [00:02:55:07] Symantec warns that Locky ransomware is being distributed in malicious Windows Script File attachments, WSFs. More people are wary of EXE files than they are of WSFs, but the WSFs can be just as dangerous.
Dave Bittner: [00:03:11:04] In industry news, cybersecurity stocks show unpleasant volatility as traders react to Fortinet's downbeat guidance on security spending trends. Investors looking beyond short-term declines are seeing long-term opportunities, particularly in Cisco. Barracuda Networks has so far bucked this week's downward trend with share-price gains; analysts attribute the company's performance to healthy growth in subscriptions. Long-running speculation about Imperva being an acquisition target now centers on Silver Lake and Thoma Bravo, rumored to be looking seriously at a takeover bid.
Dave Bittner: [00:03:48:05] In addition to the embarrassing emails WikiLeaks published last week, we can add another online problem for US Presidential candidate Clinton's campaign manager, Podesta. His Twitter account was hijacked yesterday to tweet, "I've switched teams. Vote Trump". WikiLeaks says there are more dox to come. US Federal officials at the Departments of Justice, Defense and Homeland Security continue to evolve plans for protecting state and local election infrastructure.
Dave Bittner: [00:04:17:11] The US continues to mull its response to Russian election hacking. That response, when it comes, whatever it may prove to be, and if it's not, in fact, under way right now, is promised to be "proportional," a concept whose home is just war theory. Most observers think it likely to feature sanctions. Others wonder what's become of the US naming-and-shaming strategy, and then answer their own question. Naming-and-shaming works against an adversary who's concerned about being shamed.
Dave Bittner: [00:04:47:04] The Russian Embassy to the US crocodile-tweets its own take on the state of Russo-American relations, which they say they see as unreasonably damaged due to disorderly and discreditable US domestic politics. As the embassy puts it, in just 129 characters, minus the hashtagging, "bilateral relations became collateral damage in domestic debate in US. We are open to restarting dialog and restoring normalcy." So there you have it.
Dave Bittner: [00:05:17:15] UK Foreign Minister, Boris Johnson, while acknowledging the less than fully successful state of Russian relations with the UK and her allies, tells Parliament that it would be going too far to characterize those relations as a new Cold War.
Dave Bittner: [00:05:33:10] Security experts tell us to never reuse passwords, to never use personal information or easy-to-guess words in our passwords, and yet many of us still do. Amber Steele is from LastPass, a password manager company, and she joins us to share the results of a recent password survey they conducted.
Amber Steele: [00:05:49:19] We know that breaches have been dominating the headlines. It feels like every couple weeks we learn that millions more passwords have been breached, but we wanted to really dig into whether people were doing anything about it. Experts at LastPass have continued to warn against password reuse and encourage the use of strong passwords and good password security, but we just don't really seem to see people following that, and so we really wanted to dig deeper into why. What were the reasons behind it? Why are they creating simple weak passwords?
Amber Steele: [00:06:27:16] So for the survey we surveyed 2,000 adults around the world. We looked at their password habits, we asked them about their beliefs around online security, we asked them about their understanding of what secure password behavior looks like. Then, when we collected those results, really what we saw was just a password paradox. At a high level, the results showed that people do understand the risks both with weak passwords and with reusing passwords, but a large majority, 60%, continue to practice those behaviors anyway.
Dave Bittner: [00:07:02:13] And why do we think that is? What's the disconnect?
Amber Steele: [00:07:05:18] When we really dug into the survey results, what it really showed was that, like other areas of our lives, there is a cognitive dissonance when it comes to passwords. For example, you know that sugar is bad for you but you want to reach for that second piece of pie. We kind of do the same thing with our passwords. We know that reusing them is bad, we know that using short words that are based on dictionary words or words that are personal to us, we know all of that is bad but we do it anyway because it's easy and because we're not being forced into better behavior.
Amber Steele: [00:07:41:23] People know that they're not doing it right or they might go out of their way to do it right in a couple situations. So, for example, we saw that people are very concerned about protecting their online financial accounts, which makes sense, you want to protect your money, you want to protect your assets, but the behavior falls off from there. So when it comes to protecting other areas of our online lives, it becomes less important and easier to fall back into bad habits.
Dave Bittner: [00:08:07:13] Some of the statistics you were talking about, people using the same passwords, which, of course, we know, but then also similar passwords and it strikes me that I think a lot of people think that if they're doing minor variations of a core common password between the different sites that they use, that maybe that will protect them but that's not necessarily the case.
Amber Steele: [00:08:27:16] In general, we discourage using similar passwords across sites because it just makes it that much easier for the password to be cracked. If you're significantly changing the password across websites then, yes, in theory, your risk goes down, but we always say here at LastPass that the best password is actually the one that you can't remember, because if you struggle to remember it, that probably means that it contains a mixture of character types, so letters, numbers, symbols. It's in a pattern that's random enough that no one else would really be able to guess it. That's the level of password security that you should be aiming for on every single website.
Dave Bittner: [00:09:12:22] That's Amber Steele from LastPass. You can check out the survey on their website.
Dave Bittner: [00:09:19:04] Widely used consumer IT products continue to arouse security worries among high-value targets in Five Eyes governments. Australia's leadership has sworn off WhatsApp as a security risk. And, in the UK, security fears have led Her Majesty's Government to exclude iWatches from cabinet meetings. Industry observers acknowledge that worrying about being spied on by your iWatch may seem "paranoid", but on the other hand it's not exactly a crazy fear. Q would certainly understand. Right Q? Q!
Dave Bittner: [00:09:51:16] And, finally, you probably thought those in-game currencies were only good for spawning dragons, or buying sombreros for Skylanders, or upgrading your Farcry crossbow. For the win, right? Not so, gamers. It turns out they're being exploited in the real world for less than savory purposes. Trend Micro reports finding a brisk trade in which criminals, actually criminal cartels, farm and trade in game currency, selling it to lazy players in exchange for real cash. So gamers, play fair. Buying coins may not be illegal, but it just doesn't seem right and you may be helping fund some pretty nasty stuff. No sombrero is worth it, however good you think it might look on Stealth Elf or Ninjini.
Dave Bittner: [00:10:41:18] Time for a message from our sponsor, ClearedJobs.net. If you're a cyber security professional and you're looking for a career opportunity, you need to check out the free cyber job fair on the first day of Cyber Maryland, Thursday, October 20th at the Baltimore Hilton, hosted by ClearedJobs.net. They're veteran-owned specialists at matching security professionals with rewarding careers. The cyber job fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students in cyber security programs too. You'll connect face to face with over 30 employers like Swift, DISA and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it free, from career expert and Air Force veteran Patra Frame. To learn more visit ClearedJobs.net and click job fairs in the main menu. Remember, that's ClearedJobs.net and we'll see you in Downtown Baltimore. And we thank ClearedJobs.net for sponsoring our show.
Dave Bittner: [00:11:43:00] I want to welcome our latest academic and research partner to the show, Ran Yahalom is the Project Leader at the Malware Lab of the Cyber Security Research Center at Ben-Gurion University. Ran, welcome to the show. By way of introduction, why don't you tell us a little bit about yourself and the type of research that you do?
Ran Yahalom: [00:11:58:18] I'm a PhD student at Ben-Gurion University and what we do here is we have different research involving different types of protocols and malware that operates on different types of protocols, communication protocols, USB protocols and other such protocols. My specific area of research is detecting anomalies in those protocols; more specifically detecting attacks that represent anomalies in those protocols. That's how I got into USB research.
Ran Yahalom: [00:12:30:12] During the last year, I've been researching all types of different USB based attacks and my goal is to implement a general anomaly detection method in order to be able to detect and, hopefully, maybe prevent USB attacks before they happen.
Dave Bittner: [00:12:49:13] And what is it about USB that makes it such a prime target for attackers?
Ran Yahalom: [00:12:53:14] I think the most important thing is that users tend to trust USB devices to do exactly what they think that the device is supposed to do. This trust just opens a wide range of attack platforms because the standard doesn't prevent USB devices from changing persona. In other words, they can enumerate once they're plugged in. They can initially enumerate as a keyboard and then re-enumerate, and that's completely compliant with the protocol, as a different device. Further, there's no restriction as to what the other device can do, and I think that's the main problem with USB devices. That's what opens so many avenues of attack.
Dave Bittner: [00:13:41:07] Well Ran Yahalom, welcome to the CyberWire. We look forward to hearing more about your research. And that's the CyberWire. It's fleet week here in Baltimore and let me tell you it is not easy to record a podcast while the Blue Angels are rehearsing right outside your office.
Dave Bittner: [00:14:06:06] Go Navy!
Dave Bittner: [00:14:07:24] For links to all of today's stories, along with interviews, our glossary and more visit thecyberwire.com. Thanks to our sponsors for making the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.