ISIS shows a slightly different face in cyberspace. BITAG issues advice to the IoT industry. Jackpotting and carding investigated.
Dave Bittner: [00:00:03:14] ISIS makes its way, quietly, back into the cyber news, and the Australian Signals Directorate is on the case. The Broadband Internet Technology Advisory Group wants the IoT industry to face some unpleasant facts, and the security industry calls for standards. Europol finishes its second sweep of money mules. ATM jackpotting spreads in Europe and Asia. India suffers a wave of carding. And security experts warn us all to be cyber savvy on Black Friday.
Dave Bittner: [00:00:37:02] Time for a message from our sponsor AlienVault. If you're a regular listener of the CyberWire you know that a typical attack goes undetected for more than eight months, and that's especially frightening considering that 90% of all businesses have suffered an attack. So it's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for complete threat detection in one easy-to-use and affordable solution. With its integrated security controls, and expert threat intelligence from the AlienVault Labs security research team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit alienvault.com/cyberwire today and download your free 30 day trial of AlienVault Unified Security Management. Take a moment, check it out at alienvault.com/cyberwire. And we thank AlienVault for sponsoring our show.
Dave Bittner: [00:01:48:02] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 23rd, 2016.
Dave Bittner: [00:01:54:14] ISIS hasn't left the news, but its activities have recently been eclipsed by election hacking, national privacy and censorship policies and, of course, risks of retail cybercrime, and we'll have observations on that cybercrime shortly. But ISIS shouldn't be forgotten. Its online recruiting continues, with disturbing rumors of attempts to quietly and surreptitiously recruit technical talent from schools and universities. The group is also showing signs of following a trajectory familiar among maturing terrorist groups: its online activities are increasingly difficult to distinguish from for-profit criminality. This shift can be seen in ISIS tactics, too: the familiar howling of inspiration to the lone wolves is still there, but observers are also seeing an upswing in phishing and spamming.
Dave Bittner: [00:02:40:09] ISIS opponents haven't been idle in cyberspace, either. Australia's Prime Minister Turnbull yesterday told Parliament that, yes, the Australian Signals Directorate has indeed been engaged in offensive cyber operations against the Islamic State. He declined to give details, for obvious reasons of security, but he also cautioned businesses and individuals to remain on their guard. In the US, disagreement over US Cyber Command's conduct of operations against ISIS is said by some to have contributed to rumored discord between the current Administration and the Director, NSA.
Dave Bittner: [00:03:15:00] As businesses continue to face a range of cyberattacks, various organizations and standards bodies continue to propose measures that would offer both carrots and sticks as incentives for better enterprise security. The hoods themselves are taking notice of the stick-side incentives. Heimdal Security sees signs that ransomware purveyors are adding the threat of regulatory and legal penalties to their extortion notes.
Dave Bittner: [00:03:39:06] Since the Internet-of-things has now been proven to contribute to the risk of cyberattack, particularly distributed denial-of-service attacks, the Broadband Internet Technology Advisory Group, BITAG, believes it's time the IoT industry faced what BITAG considers some unpleasant facts. First among those facts is this: forget about end-users actually updating the software on their devices. It's just not going to happen. So BITAG recommends that industry build mechanisms for secure automatic updating into their devices. BITAG is influential. It was founded in 2010 by industry leaders including Google, Intel, Verizon, Comcast, Microsoft, and Time Warner Cable. The CyberWire received reactions to the report from Synopsys and Rubicon Labs.
Dave Bittner: [00:04:25:09] Rubicon's Rod Schultz called the recommendations "comprehensive and insightful," but short on incentives. "The challenge is that the power of the IoT is rapidly being realized and so far, its velocity is not impacted by security. A Hammurabi’s code for IoT security needs to come with consequences, and unfortunately these recommendations may simply go down in history as aspirational dreams."
Dave Bittner: [00:04:50:06] Mike Ahmadi, of Synopsys Software Integrity Group, also had a mixed reaction: "While I certainly applaud efforts to set guidelines for addressing security in IoT devices, I remain concerned by a complete lack of baseline verification and validation of cybersecurity." He thinks some form of certification is in order, and necessary if guidelines are to ultimately have effect.
Dave Bittner: [00:05:14:21] Europol has released more details on its recent sweep of money mules. This second European Money Mule Action ran last week, from the 14th to the 18th of November 2016. Some 580 suspects were identified, and 380 were interviewed, leading to 178 arrests. The international police agency says it made the arrests with the cooperation of authorities in 16 European countries and the assistance of the US Secret Service and FBI. 106 banks and other "private partners" also supported the operation. The mules were implicated in crimes that inflicted an estimated 23 million Euros in losses.
Dave Bittner: [00:05:53:03] The other major, longstanding cyber crimewave currently under international investigation involves jackpotting, that is, manipulation of ATM firmware to induce the machines to kick out large quantities of cash, like a one-armed bandit disgorging a jackpot. Russia-based security firm Group-IB, which has been investigating, says the Cobalt gang has been jackpotting ATMs in Europe and Asia. A great deal of the activity has occurred in former Soviet republics. The crime wave has been in progress since July of this year; the Buhtrap group has earned its own notoriety for hitting ATMs in Thailand and Taiwan.
Dave Bittner: [00:06:29:24] Indian authorities are dealing with their own crime spree, and this one looks more like conventional carding. Some 3.2 million pay cards are thought to have been compromised. The police are looking into it, and consumers are advised to pay close attention to the security of their accounts.
Dave Bittner: [00:06:46:01] In the US, we're just two days away from the oddly named Black Friday, by recent tradition the door-busting start of the holiday shopping frenzy. The Americans aren't alone here, either; Thanksgiving may be an American holiday, but shoppers are hitting their stride elsewhere as well. And there's no shortage of advice on staying safe over the long weekend and into the new year. You'll find a full sampling of that advice in today's CyberWire Daily News Briefing, so please, read and heed.
Dave Bittner: [00:07:16:17] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyses the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email and every day you will receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:08:26:24] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, nice to have you back. I know you recently attended the NICE conference, and you wanted to share some of the things you learned from there. First of all, tell us what is the NICE conference?
Joe Carrigan: [00:08:40:07] The NICE conference is for the NICE program which is the National Initiative for Cybersecurity Education within NIST, which is the National Institute for Standards and Technologies. All these great government acronyms.
Dave Bittner: [00:08:52:00] That's right.
Joe Carrigan: [00:08:53:10] One of the things that the NICE project does is they release the NICE Framework for Cybersecurity Education, and they just released a new draft and that's actually open for public comment. If you go to the NICE website at NIST, you can download that, read it and actually comment on it if you were so inclined.
Dave Bittner: [00:09:11:20] And you came back having some insights. There were some interesting discussions that you were part of.
Joe Carrigan: [00:09:18:02] One of the most interesting things that I found was, this is a meeting of people in government, academia and business, and there was a general consensus of something I've suspected but haven't really been able to articulate. In cybersecurity there is a real disconnect between the employee pool, the recruiters and the hiring managers. I'm not saying there isn't a shortage of cybersecurity workers, there is, but there's also this disconnect. I heard this horror story where there was a position that was opened, an entry level position, and the hiring recruiter listed a CISSP as one of the requirements for this entry level position. The CISSP is a credential that takes five years in the industry before you can hold the credential. So, this is a recruiter who doesn't understand the industry. And this is not unique to cyber security; in my experience this is fairly common across a lot of technical fields.
Dave Bittner: [00:10:18:19] So let's just back up and dig into that a little bit. I mean so basically they're saying it's sort of a Catch 22 because they're saying this is an entry level position with an entry level salary, however--
Joe Carrigan: [00:10:28:16] However, we're going to require that you have this experience credential that usually pays a lot more; it usually requires a premium of the employer to the employee when they have it.
Dave Bittner: [00:10:39:10] And then they wonder why they aren't getting--
Joe Carrigan: [00:10:40:16] Then they wonder why they can't fill the position, exactly. It's because nobody with a CISSP is going to even apply for an entry level position because they've already got, at a minimum, five years experience in the field.
Dave Bittner: [00:10:52:12] I mean, to be fair, certainly we can't put the blame on all recruiters. I am sure there are some out there who are up on these things and have been successful in hiring. But what you're saying is that this sort of disconnect exists, it is a real thing, people are talking about it. It's a big enough deal that it was being talked about at this conference, and so it's an area where people need to be aware and try to fix it.
Joe Carrigan: [00:11:16:16] I'm not disputing the problem that there's not enough people in STEM and in cyber security but I think that this situation, this disconnect that we're talking about, just exacerbates that problem.
Dave Bittner: [00:11:28:11] Ah, got you. Alright Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:11:31:15] My pleasure.
Dave Bittner: [00:11:38:09] My guest today is Gordon Corera. He's a journalist with the BBC covering national security. His latest book is Cyberspies: The Secret History of Surveillance, Hacking and Digital Espionage. On Tuesday, November 29th, Gordon Corera will be appearing at the International Spy Museum in Washington, D.C. to discuss the book.
Dave Bittner: [00:11:57:18] The preface of your book starts with the sentence "The computer was born to spy." Explain what that means.
Gordon Corera: [00:12:03:09] Well, I mean it in two senses. One is that, if you go back into the history of it, the first computer in what many people consider to be a computer, the semi programmable electronic machine was, in my mind, built at Bletchley Park and it was built to help with spying. So it was a machine called Colossus, built in Britain to help with code breaking, one specific area of spying. So in that sense, the first computer was born to help with spying. But then I think in the more general sense, what I mean is that computers are uniquely useful for, and vulnerable to, spying and espionage. In other words there's something intrinsic to computers, and especially networked computers, that makes them valuable to spies and also vulnerable to being spied on by other people. And I think that history, that spying and computers are intrinsically linked, and there's an interwoven history there right from the last 70 years through to today which I think explains much about cyber security.
Dave Bittner: [00:13:10:14] I think certainly there's this Hollywood notion of spying, of this sort of gamesmanship. You know, James Bond and Mission Impossible those sorts of things. How much do those align with the reality?
Gordon Corera: [00:13:22:12] Well I think, you know, for a long time the public perception of intelligence work was out of sync with the reality, and I think for a long time people still in the popular imagination had the visions of John le Carre and dead drops for documents, or they had the vision of James Bond and the kind of guns and fast cars. It took a long time really for the popular imagination and understanding to catch up with what data and technology had done to spying. It's interesting, and it took a while for the spies to really understand what data was going to do to them. If you look at the world of human intelligence, so put aside the kind of NSA and GCHQ and the electronic signals intelligence, I mean data has been transformative for human spying because ten to 15 years ago suddenly these intelligence agencies like the CIA, like MI-6, realized that all the ways they operated were no longer going to be possible. So you couldn't just pick up a passport and a false name and travel to another country any more to meet an agent, because suddenly there were biometric databases, suddenly people were going to do online searches and look at your social media to see whether your cover, your legend, stood up.
Gordon Corera: [00:14:44:20] So suddenly there was this realization that, actually, the data trails people left were going to fundamentally transform the spying business and so even the old world, if you like, of human intelligence has now been totally transformed by technology and by data, and it's enabled it in some ways but it's also challenged it enormously. Effectively only those who can adapt to that will survive in the future because, in a data rich environment, if you don't know what data trail you're leaving you can get caught if you're a spy. But also, if you understand how to exploit data you can find the people you are after, the potential agents you want to recruit, much better. So that's just the world of human intelligence, let alone the kind of speed at which the technical intelligence world, the signals intelligence world, has changed over the last few years where they are constantly trying to keep on top of the data volume, the data velocity, the variety of different applications people are using.
Dave Bittner: [00:15:44:23] I think about how people are encrypting their day to day communications today. You know, things like iMessage has end to end encryption. Your book mentions that there was a meeting at Stanford in the '70s that was a bit of a turning point when it comes to these sorts of things.
Gordon Corera: [00:15:59:14] That's right and I think, you know, you hear the talk about the cryptowars that are going on at the moment, and this battle over how far there should be strong encryption and end to end encryption available to people in the '70s. I talked to Martin Hellman and Whit Diffie, who went on to develop one of the most famous public key encryption techniques and who were at this meeting in Stanford, effectively over the table from people from the NSA who had come over to talk to them and to have this debate about how strong encryption should be that the public could use. And back then, I mean this was a huge battle, and Diffie and Hellman were there arguing that people could not trust the state and, therefore, they needed to have stronger encryption, and to be sure there were no back doors in it, and to be confident about it. And when you read the transcript and the audio of that meeting, which still survives, it's very interesting because the context is Watergate and a concern over how the state might exploit that information and a fear about it.
Gordon Corera: [00:17:10:20] On the other side of the table you've got veterans of the NSA, one who had been at Bletchley Park in World War II, who is offended by the idea that he might be breaking codes in order to spy on the American people. In his mind, it's something that's vital for national security because enemy actors, adversaries, are using the same forms of encryption and if they're released into the public then those adversaries will be using them. So, you know, these battles about encryption, which I think is absolutely central, go back decades and that Stanford meeting, I think, is a really important starting point.
Dave Bittner: [00:17:44:19] As you were writing the book, were there any things that surprised you or provided unexpected insights?
Gordon Corera: [00:17:51:09] I think it surprised me how deep the history was of cybersecurity and computer security. I mean, we think of them as very recent terms and cyber being something that's kind of last ten years but, as I said, if you go back you can find computer security way back in the '60s. And some of the reports, like this famous Anderson report, written for the US Government in the early '70s, actually outlines much of what people worry about today and this was kind of 45 years ago. I think if you look at some of the phrases about big data, and exploiting big data and understanding anomalous behavior, it's talked of as if it's very new. Actually the intelligence agencies were doing this in the Cold War with Soviet communications, and doing large scale traffic analysis. So I think what was interesting writing it, was understanding what's really new, and what's not new but we just kind of think of as new because we didn't really understand the history enough.
Dave Bittner: [00:18:51:09] That's Gordon Corera who will be discussing his book Cyberspies, next Tuesday, November 29th, at the International Spy Museum in Washington, D.C.
Dave Bittner: [00:19:05:19] And that's the CyberWire. We'll be taking a break for Thanksgiving, but we'll be back as usual on Monday. In the meantime, our best wishes to all of you for the holiday. On behalf of everyone here at the CyberWire, we're truly thankful that all of you value and enjoy the work we do.
Dave Bittner: [00:19:21:01] For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.