The CyberWire Daily Podcast 12.5.16
Ep 238 | 12.5.16

Presidential Commission on Cybersecurity offers its recommendations to the next President. Russia says its financial system is under cyber threat. Cybercrime notes, and a scorecard.

Transcript

Dave Bittner: [00:00:03:17] The US Presidential Commission on Cybersecurity released its long-anticipated report late Friday. Russia's FSB says today's the day foreign intelligence services are going to try to disrupt the Russian financial system. Ransomware author Pornpoker gets collared. Distributed guessing attacks might have been made against Tesco. Gooligan's business model is mostly advertising and garbage apps and Tenable's Global Cybersecurity Assurance Report Card tells the globe it's got room for improvement.

Dave Bittner: [00:00:38:00] Time for a message from our sponsor Netsparker. You know web applications can have a lot of vulnerabilities? I'm sure you know that. You're listening to this podcast. And, of course, every enterprise wants to protect its websites, but if you have a security team, you know how easy it is for them to waste time culling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too and even presents a proof of exploit. Netsparker Cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at netsparker.com. But don't take their word for it. Go to Netsparker dot com slash cyberwire for a free 30 day fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:41:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, December 5th, 2016.

Dave Bittner: [00:01:47:06] The US Presidential Commission on Cybersecurity reported Friday. The long-expected report offers six imperatives yielding 16 recommendations and 53 action items. The recommendations and action items will perforce be left to the incoming Administration. The report strongly emphasizes resilience. Its six imperatives, which the commissioners take to be essential to US security and prosperity in cyberspace include: First, "Protect, defend, and secure today’s information infrastructure and digital networks." The recommendations associated with this imperative stress the importance of public-private collaboration, especially with respect to securing cyber-physical infrastructure, improving identity management and building on the success of the NIST Cybersecurity Framework.

Dave Bittner: [00:02:35:06] Second, "Innovate and accelerate investment for the security and growth of digital networks and the digital economy." Here, the emphasis is on securing the Internet-of-things and on research and development of "usable, affordable, inherently secure, defensible, and resilient/recoverable systems."

Dave Bittner: [00:02:53:08] The third imperative, "Prepare consumers to thrive in a digital age," calls upon IT and communication industry leaders to work with both consumer organizations and the Federal Trade Commission to help consumers make informed decisions about buying and using connected devices and services. There's also an emphasis on research into understanding how humans interact with connected systems.

Dave Bittner: [00:03:15:18] Fourth, and this one will be especially familiar, "Build cybersecurity workforce capabilities." Here the commissioners recommend moving on both labor and technology. They also urge the Federal Government to accelerate its technology refresh cycle, to move from requirements management to enterprise risk management and to improve engagement with the Executive Office of the President.

Dave Bittner: [00:03:38:10] The fifth imperative is the inside baseball one. "Better equip government to function effectively and securely in the digital age." This calls for clarity in agency cyber roles and missions.

Dave Bittner: [00:03:50:06] Finally, "Ensure an open, fair, competitive and secure global digital economy." This enjoins the incoming Administration to engage the "international community" to develop cybersecurity law and "global norms of behavior."

Dave Bittner: [00:04:05:05] The CyberWire received reactions to the report from Ray Rothrock, CEO of cybersecurity analytics shop RedSeal, who not surprisingly liked the emphasis on resilience. "Resilience looks inside the network at the various components and connections. That’s where the bad guys are, lurking and probing for vulnerabilities." He thinks that, where the attackers enjoy an advantage, as seems to be the case in cyberspace, resilience has to be seen as the responsibility of any organization's highest levels. Rothrock would carry this relatively far, elevating it to a board-level responsibility.

Dave Bittner: [00:04:41:05] Elsewhere in the world, Russia's FSB claimed Friday that it had foiled a plot by "foreign special services" to disrupt Russia's financial sector with a mix of hacking and disinformation aimed at fueling speculative panic. D-day for the operation was supposed to have been today, but as far as we can tell, it hasn't yet materialized. Russia's FSB, the successor to the Cold War's KGB, has apparently been given the lead in defending the banks. They're coordinating defenses with various financial stakeholders. The Russian government says the operation was to have been launched through the Ukrainian ISP BlazingFast's servers in the Netherlands. BlazingFast says, in effect, you got me! It hasn't seen any signs of an attack being staged through its systems. BlazingFast does add that it wants everyone to know it's happy to cooperate with any legitimate law enforcement authority, but that it doubts the FSB really needs any help.

Dave Bittner: [00:05:35:20] Russia hasn't said which foreign special services, as they call them, are prepping the attack, but it's pretty clear they're scowling in America's direction and, especially in the direction of that Kremlin bête noire, Vice President Biden, who said the US would take action "at a time of its own choosing" against attempted Russian interference with US elections the US Intelligence Community said it discerned.

Dave Bittner: [00:05:59:15] That such concerns aren't entirely idle may have been demonstrated Friday, when the Russian Central Bank reported that cybercriminals got away with two-billion rubles, about $31 million, in attacks on corresponding accounts. The Bank thinks the crooks may have been after up to five billion rubles. The CyberWire heard this afternoon from security firm Plixer's Director of IT and Services, Thomas Pore, who noted social media and SMS mass-messaging that coincided with the theft. "SMS messages have a 98% open rate, with 90% being read within 3 seconds. That type of inbound attention already attracts digital marketers, so it’s not surprising that someone would want to market chaos as well." But we must note that cybercrime and market manipulation aren't the exclusive, or even typical province of hostile intelligence services.

Dave Bittner: [00:06:51:16] We also heard from Group IB, who point out that some stories on the bank fraud were misleading. The total given was a total for attacks over the course of 2016, not a single crime spree, and Group IB would know, they're over there in Moscow. They think some of the English-language news services may have been misled by a translation error.

Dave Bittner: [00:07:11:06] Russian authorities did secure a win over the weekend. They arrested malware author "Pornpoker", no other name was given for the gentleman. Mr. Poker was attempting to reenter Russia from his Thailand hideout; the police were waiting for him at Domodedovo Airport.

Dave Bittner: [00:07:27:21] Elsewhere in the world of what's clearly, unambiguously cybercrime, British researchers demonstrate a "distributed guessing" method that could enable criminals to determine security details on Visa cards: expiration date and three-digit security code. Observers speculate the technique might have been used in the Tesco Bank attacks.

Dave Bittner: [00:07:48:06] And Gooligan, the rapidly spreading Android malware strain reported last week, apparently uses a business model that generates revenue from ads and "garbage apps."

Dave Bittner: [00:07:58:24] And finally, cybersecurity company Tenable this morning released its annual Global Cybersecurity Assurance Report Card. We'll get insights from Tenable's Cris Thomas on tomorrow's show, but in the meantime, the commentary in the report warns of the risk of emerging technologies and the "overwhelming threat environment," by which it means the relative advantage attackers enjoy over defenders. Since they're publishing a report card, Tenable naturally offers grades and, unfortunately, no one's making the Dean's List. The GPA for the countries surveyed comes in at 1.6. India scores highest, with a solid B. Japan gets an F. The United States? A gentlemanly C+. The average is even worse when they look across seven sectors: just 1.6. Retail leads with a C. Financial services, manufacturing, and telecommunications get a C-. Health care, education, and government pull in, alas, an unsurprising D. So, since we're all being advised to avoid the FUD and look on the sunny side, the grades are good news. We guess. Maybe if you're Bart Simpson. Miss Krabappel, call your office.

Dave Bittner: [00:09:11:22] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to Recorded Future dot com slash intel to subscribe for free threat intelligence updates from Recorded Future. That's Recorded Future dot com slash intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:16:21] And I'm pleased to be joined once again by Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center For Health And Homeland Security. Markus, we've been seeing these huge botnet attacks and they've been making the use of ordinary devices; DVRs, cameras and things like that. There's an interesting question that comes up with all of this is who's responsible if my DVR or my camera is part of an attack? Do I have any responsibility for that?

Markus Rauschecker: [00:10:45:13] That's a good question and that's a question that we're unfortunately asking more and more these days. We have seen massive denial-of-service attacks recently. So the question is, who's ultimately responsible for these kinds of attacks? Well, I would say, first and foremost, of course, the hackers who are actually doing the attack. But it's oftentimes very difficult to get at those hackers. They might be located abroad. It might be hard to actually attribute the attack to any particular person or organizations. So, the next question is what else can be done to protect from these kinds of attacks and do consumers or the manufacturers of the devices that are being used in these kinds of attacks, do they share some sort of responsibility in all of this? I think there's really two ways of looking at this. I think, on the one hand, manufacturers do have some degree of responsibility to make sure that the devices that they're selling have security measures put in place into the devices. Security should be built into these devices.

Markus Rauschecker: [00:11:46:06] Unfortunately, more often than not, security is an afterthought when it comes to building these devices or developing these devices and manufacturers don't really have an incentive to really put into these devices any kind of security measures, or very robust security measures. And then consumers who are buying these devices, they don't really have a full understanding of what the risks are, or at least for the most part, generally speaking, don't have the understanding of what kind of risk a device could pose to the larger networks around them. I think it's a little bit unfair, perhaps, to ask a regular consumer to institute security measures for the devices that they're purchasing and that they're using at home. But I think you could have more of an educational campaign for consumers, so that they would know a little more about the risks that are associated within and out of devices and to tell consumers a little bit about what they could be doing to ensure a greater security for those devices.

Dave Bittner: [00:12:52:04] Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:12:56:05] And that's the CyberWire.

Dave Bittner: [00:12:57:06] For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. While you're there, be sure to subscribe to our CyberWire daily news brief delivered daily to your email. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.