The CyberWire Daily Podcast 1.26.17
Ep 273 | 1.26.17

Dark Web trading post compromised. Ransomware updates. Reactions to Risk Based Security's 2016 breach report. International cyber conflict notes, and a treason case in Russia.


Dave Bittner: [00:00:03:16] AlphaBay looks buggy. Some not-so-bad news on ransomware, and bravo to those Gateway City librarians. Risk Based Security's 2016 breach report says the USA is number one, but not in a good way. Sweden's armed forces recover from a cyberattack by unnamed parties. Saudi Arabia remains on high alert for fresh infestations of Shamoon. And that Russian treason case may be closer to what would look like a corruption case.

Dave Bittner: [00:00:36:22] It's time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check out and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume, and search and apply for thousands of jobs; and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit We thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:31:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, January 26th 2016.

Dave Bittner: [00:01:42:08] Bugs in AlphaBay, the big Dark Web "trading post" as ZDNet calls it, have permitted a hacker, gray, white, or black hat, take your pick, but the smart money seems to be on dark gray, to obtain and leak more than 200,000 messages exchanged on the site. It's worth noting, again with our partners at Terbium Labs, that not all Dark Web activity is necessarily nefarious, so don't rush to judgment. But it is nonetheless the case that a lot of dodgy stuff can and does get swapped at these trading posts. It's not all beads and other trade goods.

Dave Bittner: [00:02:16:07] The ransomware news today is mostly good, or at least not so bad. A new strain of VirLocker, an easily spread but also easily defeated ransomware variant, is out in the wild. Both Sophos and ESET have provided decryption tools for earlier versions, but this latest edition is even more easily thwarted than that, according to Malwarebytes researchers. Enter any 64 characters into the lock screen's text box, click "Pay Fine" and VirLocker touchingly, naively, even, believes it's been paid. So the criminal coding skills seem to be declining, at least in this instance. Nonetheless, VirLocker is no laughing matter; it spreads very aggressively from device to device.

Dave Bittner: [00:02:59:06] Amid reports that many victims of cyber extortion continue to pay up, there's a positive role model and a gratifying success story to be found in the St. Louis, Missouri, library system. They've successfully recovered from their own ransomware incident because they had an effective file backup program in place. Their systems have been restored and are reported to be back in business as usual, and they didn't send a dime the crooks' way.

Dave Bittner: [00:03:24:00] One thing most security researchers agree on is that ransomware is here, and it's here to stay. Dan Larson is Technical Director at CrowdStrike, and we checked in with him for his take on what's to come.

Dan Larson: [00:03:36:05] I think it's really expanding breadth, so we already have some evidence. We saw in January that, instead of just going after regular old end users' computers, they're now targeting servers on the Internet. They started with servers hosting MongoDB. The reports look like about 25% of every single MongoDB server out there got hit with some ransomware a couple of weeks ago. And they're taking that model and bringing it to more kind of infrastructure parts of the internet, like Elasticsearch servers and even Apache Hadoop servers. So basically it's going from attacking data on an individual's computer, from the assumption that, you know, the individual will pay ransom for that, to attacking other places where there's valuable information, and one of those places is obviously databases.

Dave Bittner: [00:04:32:19] Are we seeing what you would categorize as any sort of meaningful response from law enforcement?

Dan Larson: [00:04:37:20] There have been a number of useful collaborations between cyber security firms and law enforcement to do things like take down the infrastructure. A lot of the ransomware relies on asymmetric encryption, so it needs to reach out to a command and control environment. We have seen a handful of law enforcement initiatives to take down that infrastructure. We've also seen some collaborations. There's one out of the Netherlands which is called Stop Ransomware; it has Europol and a number of other private security companies that are providing a centralized place for decryptors and things like that. So they're doing what they can. But from an attacker's perspective encryption is kind of a beautiful thing - if you implement it correctly, it's very difficult to undo and recover.

Dave Bittner: [00:05:34:17] Where do you suppose we are in this arms race? Are the good guys making progress or are we still playing a game of catch up?

Dan Larson: [00:05:44:06] I think there's a lot of catch up still being done. For example, I saw a report that said 49%, so almost half of all small businesses, were impacted by a ransomware attack. One in five small businesses that were impacted ended up going out of business a few months later. So I think that in general there's a level of vigilance that just kind of isn't there. There's a lot of people who think, "Oh, you know, I have antivirus and that should protect me." But that's outdated thinking. We need to step up our game and get a lot more serious about how we defend our systems.

Dave Bittner: [00:06:21:12] That's Dan Larson from CrowdStrike.

Dave Bittner: [00:06:26:16] Risk Based Security yesterday issued its 2016 breach report, and the US is number one. In this case, unfortunately, that's nothing to take satisfaction in, still less wave a big foam finger to rhythmic chants of "USA! USA!" America is number one in the incidence of data breaches. In part that's because the US creates, stores, and uses an awful lot of data, but still, there are clearly security issues here. Almost half the data exposed in breaches comes from the US, according to Risk Based Security.

Dave Bittner: [00:06:58:24] The CyberWire heard from a lot of industry experts eager to weigh in on this sorry state of affairs. John Gunn, from VASCO Data Security, sees three factors driving these results. First, he says, a massive number of the hackers that attack US targets are based in Russia and coordinate attacks on the US, with involvement of the State, while the US does not do the same. Second, there are a lot of valuable data in the US, so the country is targeted on the Willie Sutton-esque grounds that that's where the money is. And finally, he thinks breaches in some other countries, and he's looking at you, Russia, are probably significantly under-reported.

Dave Bittner: [00:07:36:11] Willy Leichter, of CipherCloud, warns other countries not to get cocky, kid. That the US leads the world in data breaches is unsurprising, but the disparity between it and the rest of the world should be a wake-up call, and not a source of complacency.

Dave Bittner: [00:07:51:04] So the US presents a large attack surface. If you consider regions as opposed to individual countries, however, there may be less to the ranking than meets the eye. Brian Laing at LastLine thinks so. Quote: "We analyze millions of potentially malicious files every day for our clients in the US, and throughout the EU. We believe that the difference noted in the data can be attributed to the attack surface in the US, as opposed to individual countries. The US is simply a much larger market with highly centralized aggregations of data. But when taken as a whole, the volume of attacks in the EU and in the US are nearly even." End quote.

Dave Bittner: [00:08:29:17] Balabit's Dániel Bagó sees a problem in over-concentration of security research on perimeter defenses, as opposed to detection of malicious activity inside networks, especially in the form of abuse of privileged accounts.

Dave Bittner: [00:08:43:15] NuData Security's Robert Capps finds the report dismaying but not surprising. He said, quote: "What is frustrating about seeing these US numbers is that the data these criminals are going after is most often private user data that is being sold and used for identity fraud, among other types of cybercrime. It's no accident that breaches are up and so is identity fraud." End quote. He thinks work on strong behavioral analytics and passive biometrics offers the prospect of some technological amelioration of the breach problem.

Dave Bittner: [00:09:14:19] Turning to international cyber conflict, we hear that Sweden's armed forces have disclosed that they've sustained a cyberattack from an unnamed source. The incident required the services to shut down their Caxcis IT system; recovery is in progress.

Dave Bittner: [00:09:30:12] Saudi Arabia remains on high alert for further infestations of system-killing Shamoon 2 malware. The infection is thought to be carried, for the most part, by malicious emails. Symantec has been tracking Shamoon's possible connection to the Greenbug cyber espionage group.

Dave Bittner: [00:09:47:11] We close with a quick update on the case of Ruslan Stoyanov, the "hacker hunter" arrested earlier this week by Russian authorities on charges of treason. As we noted yesterday, it seems unlikely that Stoyanov's employer, Kaspersky Lab, is involved, since the alleged crimes are said to have occurred before he entered Kaspersky's employ, and while he was working for Russia's Interior Ministry. The treason statute he's been charged under permits secret trials, so it may be some time, if ever, before details become public, but most observers think it likely that the alleged offenses are more along the lines of corruption than, say, espionage.

Dave Bittner: [00:10:28:22] Time for a message from one of our sponsors, E8 Security, and you know I've got a question for you; do you fear the unknown? Lots of people do of course. The technicolor phantoms; the ghost of Merlin. Stuff like that. But we're not talking about those. We're talking about real threats. Unknown unknowns lurking in your network. The good people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching, and human watch standing. Go to and download their free white paper Detect Hunt Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no one's ever seen before. The known unknowns, like the Viking ghosts, or the moon monster, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Go to and check out that free white paper. We thank E8 for sponsoring our show.

Dave Bittner: [00:11:32:22] Joining me once again is Markus Rauschecker, he's the Cyber Security Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, I saw recently that the Department of Commerce came out with a report. It's called Fostering the Advancement of the Internet of Things. It's something that certainly caught our eye. What's the process for these kinds of reports? How do they come to be and what are they hoping to achieve with them?

Markus Rauschecker: [00:11:57:09] I think we all have now recognized that the Internet of Things really is the next big thing in cyber security law and policy. Everyone's trying to wrap their heads around how we as a society are going to tackle this issue. We are seeing through the connectivity of all these new devices certainly great promise for individuals and organizations, and lots of opportunities there to improve our lives. But also with all that comes a great deal of vulnerability. I think what the Department of Commerce is trying to do here with this report is highlight some of the benefits of Internet of Things devices, but also highlight some of the concerns that are out there. Certainly the Department itself has its views, but they really wanted to get some input from the general public as well. So these reports, as is the case with many other types of reports that come out in the Federal Government, are open to public comment for a period of time. So interested stakeholders can provide comments to the government agency, and then the government agency will consider those comments, and move forward based on those comments. So I think that's what we're seeing here, and I think it's probably a very good way forward when we're talking about such a complex issue as the Internet of Things.

Dave Bittner: [00:13:13:18] So once they've gathered up the comments, is it then a process of Commerce going to lawmakers themselves and making recommendations for legislation?

Markus Rauschecker: [00:13:23:19] It could be. All these comments are public comments, so anyone can review them, but hopefully these comments shed some light on some of those important issues. When it comes to, in this case, the Internet of Things, how do we promote industry but also ensure security? So all of that is going to be taken into consideration. And based on what the comments are, I think a strategy is going to be set forth in terms of how to proceed.

Dave Bittner: [00:13:51:20] Markus Rauschecker, thanks for joining us. The name of that Department of Commerce report is Fostering the Advancement of the Internet of Things, and it's easy to find online.

Dave Bittner: [00:14:02:05] If you have a question for any of our academic or research partners feel free to send us your questions at: questions at We'd love to hear from you.

Dave Bittner: [00:14:13:24] That's The CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible, and special thanks to our sustaining sponsor Cylance. To find out more about how Cylance can help protect you, visit

Dave Bittner: [00:14:31:21] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.