The CyberWire Daily Podcast 11.22.16
Ep 231 | 11.22.16

Banks are vulnerable to more than carding and transfer fraud. Ransomware updates. Lessons for users from the Three Mobile hack. Biometrics (with hedgehog). Election hacking retrospective.


Dave Bittner: [00:00:03:16] Cash-spewing ATMs coming to a strip mall near you. Bad news and good news about ransomware. Another Android backdoor is reported. The Conficker worm's still crazy after all these years. Lessons for users from the Three Mobile hack. Biometrics meets the Wind in the Willows? China's new Internet law and what have Fancy and Cosy Bear been up to, hibernating?

Dave Bittner: [00:00:31:02] Time to take a moment to tell you about our sponsor AlienVault. Do you know that the typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack. It's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform delivers all of the essential security controls needed for complete threat detection in one easy to use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Labs security research team, you don't need to deploy and manage numerous security products. Spend your time responding to threats rather than researching them with AlienVault. Visit today to download your free 30 day trial of AlienVault Unified Security Management. That's, and we thank AlienVault for sponsoring our show.

Dave Bittner: [00:01:38:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 22nd, 2016.

Dave Bittner: [00:01:45:02] Since July, ATM hackers, probably affiliated with the Buhtrap mob, have been at work, mostly in Thailand and Taiwan, stealing cash by inducing installation of a bogus firmware update that directed the machines to empty themselves. Taipei police realized something was amiss when they started receiving reports of cash lying around ATMs. This isn't conventional carding, but a direct manipulation of the ATMs themselves. Buhtrap has spawned at least one associated gang, "Cobalt," which has been active in Europe, and the FBI warns US banks that they could be at risk as well.

Dave Bittner: [00:02:21:20] The CyberWire heard from Lev Lesokhin, of security analytics and risk prevention shop CAST Software. He thinks the Buhtrap capers and others like them show what can happen to financial institutions once their perimeter is breached. "As seen with the cyberattacks on ATMs in Taiwan and Thailand, once the perimeter is broken it is far easier for the attackers to carry out simple commands that drain the institution of consumer money and possibly sensitive information like social security numbers." Lesokhin would like to see more attention devoted to application security. "The danger with internal, application-based attacks, is that malware can be sitting dormant within your system for months, if not years, before the hackers choose to activate its malicious properties." And if you're curious about what can be done to protect data at the application level, Lesokhin thinks the code quality standards the Consortium for IT Software Quality put out are worth a look.

Dave Bittner: [00:03:19:02] Some good news and bad news on ransomware. First, the bad. The strain of ransomware known as C-E-R-B-E-R is back in the news. We spell out the allusion to the three-headed hound of Hades to avoid distressing the many listeners who reprehend our pronunciation as somehow Spanish. I'm looking at you, Phil! Researchers find that Pluto's guard-dog has now begun to target high-value database files for encryption and extortion. But here's the good news: ESET has released a free decryption tool for Crysis ransomware. So, bravo, ESET.

Dave Bittner: [00:03:55:19] Anubis Networks finds another Android backdoor, this one associated with software from Ragentek Group. The backdoor enables potential exploitation of over-the-air updating.

Dave Bittner: [00:04:06:22] In IoT news, a patch fixes exploitable issues with Siemens-branded security cameras.

Dave Bittner: [00:04:13:00] Check Point scans the malware landscape and finds that Conficker remains number one. Eight years after Conficker spawned, it's still the "worm that roared."

Dave Bittner: [00:04:22:17] We followed up with Balabit's Daniel Bago about the lessons the Three Mobile hack should teach us. He points out the too easily overlooked role customers - who are, after all, the users - have to play in security. "We as users also need to take actions in securing our personal information, and the best way to do so is to be constantly aware. Users must remember that the Internet comes with the same amount of benefits as dangers." He offers three bits of advice worth bearing in mind, particularly as the holiday shopping season arrives. First, pay close attention to where you share personal information, and, yes, do read those terms and conditions. Next, blind trust is always a bad idea. Be suspicious and look for signs that an apparently innocent link or request might not be legit. And finally, don't forget that no one's more interested in your security and privacy than you are, and play your part in staying safe.

Dave Bittner: [00:05:16:14] Among the fixes for securing devices and data, biometric technology figures prominently among the near-term replacements for passwords and PINs. And biometric identification has now been shown to extend to our animal friends as well. In a proof-of-concept video being widely shared by Motherboard - and what's the Internet for, if not to share video of small animals being adorable? - a pet hedgehog is shown unrolling his paw and using it to unlock an iPhone. It's as if Rat and Mole from The Wind in the Willows were visiting the genius bar at the Thames bankers' local Apple Store. We're not entirely sure this represents an improvement over the Piper at the Gates of Dawn, but, anyway, pretty cute.

Dave Bittner: [00:05:58:19] And all cuteness aside, biometrics are indeed serious business when it comes to security. We spoke with Derek Northrop, Head of Biometrics at Fujitsu, for his take on where things stand.

Derek Northrop: [00:06:09:14] In certain industries, for instance, policing, border security and things like that, it's quite a mature technology. It's been around for a while, it's been used for a long time, it is quite robust. When we start to move into the consumer space, biometrics has been around for a while. It never really had major mainstream adoption until things like Touch ID. But the interesting factor about things like Touch ID is that because you can still use the pin instead it's not necessarily an increased security factor, it's more of a convenience factor.

Dave Bittner: [00:06:47:18] I think a lot of us, when we think of biometrics, we think of things that we see in movies and in Hollywood with, you know retinal scans and people holding their hands up to scanners that scan their fingerprints and so forth. How much do those perceptions of biometrics align with reality?

Derek Northrop: [00:07:04:22] With a lot of those spy and crime and all of those sort of things, they have unrealistic expectations about the performance of biometric systems. If I walk past a scanner that takes my photo, it's not going to know what I had for breakfast, it's not going to know my first high school friend and all that sort of thing. It's not magic. It doesn't know these things. Essentially it can't recognize me unless I'm already in the system, and so for a lot of these instances, there's all these unfounded fears about these biometric systems going to take over the world and do this sort of stuff, and it's like, well, it can't, because this country is not going to share that information with that country. There's no central system, there's none of these sort of things. On the flip side of that, they're super easy to spoof and we cut people's hands off and everything is fine, we can break into the system: also not quite right. And so an understanding of how the different biometrics work is very important in determining what type of biometric to use.

Dave Bittner: [00:08:02:01] What about the concerns that, you know, your biometrics don't change. Where I can cycle through, you know, multiple different passwords, my fingerprints are my fingerprints and they're going to be mine for my whole life?

Derek Northrop: [00:08:12:22] And so it's one of those things that a biometric, in and of itself for high security applications, should never be the only factor. For things like logging into your phone, you only use one finger, you can change finger you can do all those sorts of things. But for criminal justice and things like that yeah, it doesn't change. That's a high security application that you should be layering factors on top of each other, so if one factor is compromised the chain of trust isn't compromised and people don't gain access to the information.

Dave Bittner: [00:08:43:12] That's Derek Northrop from Fujitsu Biometrics.

Dave Bittner: [00:08:48:24] In industry news, Oracle announces it will acquire Dyn, recently famous as the victim of October's Mirai-herded IoT botnet denial-of-service attack. Telstra is buying security analytics shop Cognevo, one of the pieces of the dissolving New Zealand security firm, Wynyard.

Dave Bittner: [00:09:07:03] Recent Chinese moves to either restrict the Internet or bring the Mandate of Heaven, depending on how you look at it, appear to critics likely to inhibit innovation in that country's tech industry and elsewhere as well. George Haour, Professor of Technology and Innovation Management at IMD, is among those critics. He thinks the new law will require a level of intellectual property exposure during the certification process that should trouble any company with potential Chinese competitors. Haour hopes Chinese companies themselves will recognize the ways in which the Great Firewall holds them back, too, and will push for a more open Internet regime.

Dave Bittner: [00:09:44:10] Finally, in a look back at election hacking, it's worth noting that, for all the crying of havoc, and legitimate concerns about interference with US voting, other places probably had it worse. Consider Montenegro's experience, as described by Wapack Labs, in which the country experienced DDoS and heavy information operations, even an incipient coup d'état, directed against the pro-NATO ruling party. So, concerns in France and Germany about upcoming elections may not be misplaced. Russian intelligence services, of course, remain the prime suspects, but we have to say we haven't heard from Fancy Bear or Cozy Bear in a couple of weeks. [WHISPERS] Shhh, it's late November, so maybe they're hibernating. Heaven knows they've been two busy, busy bears and must have a lot of sleep to catch up on. Fancy? Cozy? If we've been disturbing your slumbers, have a nice bowl of porridge and roll back over. There's a good bear.

Dave Bittner: [00:10:46:15] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:56:05] And I'm pleased to be joined once again by Rick Howard. He's the CSO at Palo Alto Networks. Rick, we talk a lot on the CyberWire about this notion of there being a communications gap between the technical teams in an organization and the CEO. Do you agree this is an issue that needs addressing?

Rick Howard: [00:12:15:24] Yes. It's a problem that our industry has had for a long time and one of the reasons is that, you know, especially the security people, they've come up through the ranks, usually through the technical lane. They used to be you know, UNIX administrators or network administrators and things like that, and they think about problems in different ways than, you know the way that most C-level executives do. What I think we've done wrong here in our approach to the problem as we communicate risk to the business is, we know that the C-levels, they manage risk as their job description. That's their job, they manage all kinds of risk, and they're making decisions every day about the risk to the company.

Rick Howard: [00:12:56:21] I think one of the problems the network defenders have done is tried to make it out that cyber security is some sort of special thing, and it's not, it's just another kind of risk and we don't talk about it like that to our bosses. You know, in my younger days I used to think it was really fun to grab a spreadsheet of the latest vulnerability scan and run it up to the leadership and say, "Hey, look at all these bad things I found," and they looked at me like I had a horn growing out of my head like, "What am I supposed to do with this?" What we've got to learn to do as an industry, as a network defender community, is learn how to convey business risk to these C-level leaders and also to board members.

Dave Bittner: [00:13:34:11] One of the ways I've heard it described is that the board members tend to think in terms of dollar signs and the technical teams tend to think in terms of red, yellow and green.

Rick Howard: [00:13:45:11] Yes, it's true and, you know, I've been known to make that mistake in my career. You know it's a high, medium and low risk and if anybody asks me how I got to high I'd do something like "Blah-blah-blah, you know, I've been doing this a long time you should pay attention to me." [LAUGHS] But, you know, that's probably not the best way to do it. And it's hard for cyber security practitioners, network defenders to put a monetary value on risk. So, here's a hint, though. I think that we should focus on material risk to the business, right, and that will help us focus our efforts on talking to these kind of leaders. Because there are so many threats out there and we can kind of get lost in the weeds trying to deal with every single one of them. But if you can focus on material, what is material to the company, I think you will have a better shot at this going forward.

Dave Bittner: [00:14:32:09] Alright. Rick Howard, thanks for joining us.

Dave Bittner: [00:14:37:10] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.