The CyberWire Daily Podcast 1.27.16

Dave Bittner: [00:00:03:06] More utility hacking, this time in Israel. Al-Qaeda takes a sorry information operations page from the rival ISIS playbook. At least two cyber reconnaissance campaigns are reported in progress. Shaky Wi-Fi security affects info-sharing and IoT products. Business email compromise hits a Belgian bank, and threat intelligence providers talk about what can be learned from watching the Dark Web. France seeks legal reach into data held in foreign servers, China's PLA goes Sun Tzu on cyber deterrence, and legislators in New York and California display an urge to weaken encryption.

Dave Bittner: [00:00:38:02] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:01:00:23] I’m Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 27th, 2016.

Dave Bittner: [00:01:07:06] Israeli officials said yesterday that the country's electrical grid came under cyber attack this week. Energy Minister Steinitz called the attack "severe," but said that it was being successfully mitigated. Details are scarce, but it appears computers in the utility's networks were infected with malware, and that response teams isolated the infected machines to prevent the malware's spread. Electrical power seems not to have been disrupted, but efforts at defense and mitigation are continuing.

Dave Bittner: [00:01:33:14] There's been no public attribution of this attempt on the Israeli grid, but the incident is likely to increase security worries at utilities worldwide, especially since it follows closely on the heels of the attack on power distribution in Ukraine. Utilities in Western Europe have already identified cyber security as their top investment priority for 2016.

Dave Bittner: [00:01:53:11] From North Africa, Al-Qaeda in the Islamic Maghreb releases a video of a Swiss nun kidnapped in Mali to warn unbelievers to stay clear of Islamic territory. In this Al-Qaeda is taking a page from rival ISIS's information operations playbook: demonstrations of resolution against the infidel as a way of displaying zeal, power, and inspiration.

Dave Bittner: [00:02:14:10] Palo Alto Networks describes a new campaign by the Chinese ATP group Codoso (sometimes spelled with zeros substituted for the letter "o," and also known as "the Sunshop Group"). Best known for compromising a portion of Forbes's website, Codoso appears engaged in espionage against targets in the telecommunications, tech, legal services, education, and manufacturing sectors. Codoso is still using spear phishing and watering holes to gain access, but this time it appears to be going after servers as opposed to endpoints.

Dave Bittner: [00:02:45:20] Symantec reports seeing a different campaign in the wild. This one, said to have infected some 3,500 servers worldwide, involves an injection code attack and appears to represent reconnaissance and possibly battlespace preparation for some future, more damaging attack. The attackers appear to be collecting, SC Magazine says, "page title, URL, refer, Shockwave Flash version, user language, monitor resolution and host IP address."

Dave Bittner: [00:03:12:19] Core Security reports multiple vulnerabilities in Lenovo's ShareIT product. Lenovo's now patched them. Some vulnerabilities involved an easily guessed default Wi-Fi password: that password was "12345678." Other vendors have seen comparable problems with Wi-Fi passwords. Sophos reports Wi-Fi security issues with home routers and smart doorbells.

Dave Bittner: [00:03:35:22] Businesses wonder whether cyber crime will increasingly come to be regarded as a cost of doing business, the way retailers regard predictable inventory shrinkage. US hamburger chain, Wendy's, is investigating a possible paycard breach—that might well be seen as a risk comparable to shrinkage. But it's hard to take that view of the large losses fraudulent fund transfers impose. Belgian's Crelan bank reports losing €70 million (that's nearly $76 million) to a business email compromise scam. Such scams operate by gaining executive credentials, observing behavior on a targeted network, and then sending plausible-looking emails instructing employees to transfer money to an account controlled by the criminals.

Dave Bittner: [00:04:16:20] In industry news, Her Majesty's Government continues to push programs that would support incubation of British cybersecurity start-ups.

Dave Bittner: [00:04:24:12] ThreatStream makes a case for hanging out in the creepier precincts of the Dark Web with a view to doping out cyber criminals' next move. They also tell V3 how they keep an eye out for data stolen from customers, often the first indication that a customer's been compromised.

Dave Bittner: [00:04:39:03] The CyberWire spoke with threat intelligence company ThreatConnect about how understanding the threat can help enterprise security.

Andy Pendergast: [00:04:44:09] If you can gain an understanding of the threats or adversaries that wish to do harm to your network through various means and for various reasons you can better defend against them at not just a detector level of matching in a SIEM, but you can also understand the adversaries better, growing your understanding so that you can better place your defenses to their capabilities and better predict or be better positioned to react to their capabilities as well.

Dave Bittner: [00:05:16:00] That's ThreatConnect's Andy Pendergast. ThreatConnect recently launched a new version of their platform. You can learn more at ThreatConnect.com.

Dave Bittner: [00:05:24:18] In policy news, France moves to gain more investigative access to data held in foreign servers. US state legislatures, notably those in New York and California, continue to moot restrictions on smartphone encryption. Wired says these proposed encryption bans "make zero sense" because of cyberspaces inherent lack of borders, "an idea roughly as practical as policing undocumented birds crossing the Mexican border."

Dave Bittner: [00:05:50:18] But about the larger effect such gestures could have, we don't know. Migratory bird policing aside, state laws, whether well-conceived or ill-conceived, have played on out-sized role in American policy development in the past. Consider the role of California law (indeed, of Los Angeles County law) in shaping automotive environmental standards, or the place Delaware occupies in business law. So, good ideas, bad ideas, or just politicians' posturing, what goes on in the state houses isn't necessarily just for the birds.

Dave Bittner: [00:06:23:04] This CyberWire podcast is brought to you through the generous support of Betamore, an award winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:06:43:07] Once again joining me is Markus Rauschecker, Cyber Security Program Manager at the University of Maryland Center for Help and Homeland Security, they are one of our academic and research partners. Marcus, Cyber warfare, with the situation recently in Ukraine with their power grid being attacked, the question comes up, is that an incident of cyber warfare?

Markus Rauschecker: [00:07:03:02] Well, that's a really important question and it's not one that's easily answered. What constitutes an act of war in cyberspace, what constitutes use of force in cyberspace, it always seems to depend on who is asking questions and who is answering the question. In the real world, in the physical world, I think it's very easy to determine what constitutes the use of force and what might even amount to an act of war, but when we're talking cyber space it's a lot more difficult. When we don't have any physical consequences from a cyber attack I think, generally, experts would agree that we haven't seen an act of war, what would amount to an act of war or a use of force even, when it comes to cyber space. In the instance of the Ukraine we did see some physical consequences resulting from a cyber attack. An argument could be made that this was a use of force and potentially even an act of war but that's something that legal experts and international experts are going to be debating.

Dave Bittner: [00:08:09:20] In the cyberspace, I mean it's even harder to know often who is the party attacking us.

Andy Pendergast: [00:08:16:22] Exactly, that's what makes cyber warfare so difficult. There's this whole problem of attribution. Again, in the real world it's pretty easy to see who is attacking you, when you see the troops crossing the border or the planes comes into your airspace, but in cyber space it's often very difficult to determine accurately who is doing the cyber attack, where it's coming from and who is behind it.

Dave Bittner: [00:08:42:23] And where does international law stand on this? Has it caught up to cyber warfare?

Andy Pendergast: [00:08:48:01] Well there's been a lot of discussion among international experts when it comes to cyber warfare. We have seen that international legal experts are applying existing law like the United Nations Charter to cyberspace. There's a general agreement that international law does apply to cyberspace. And then you have other legal experts who have gotten together to create documents like the Tallinn Manual, which kind of outline how these legal experts see the international law applying to cyber space and how international law applies to cyber warfare.

Dave Bittner: [00:09:28:04] Alright, Markus Rauschecker thanks for joining us.

Dave Bittner: [00:09:32:11] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit the CyberWire.com. The CyberWire podcast is produced by CyberPoint International and our Editor is John Petrik. Thanks for listening.