The CyberWire Daily Podcast 7.21.17
Ep 396 | 7.21.17

Hansa Market takedown. Recovery from EternalBlue exploits is a long slog. Banking malware rising. Power grid vulnerabilities. Devil's Ivy and the IoT. A look at criminal markets.

Transcript

Dave Bittner: [00:00:01:07] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:18] An international raid takes down the illicit Hansa Market. Recovery from WannaCry and NotPetya continues its long slog. Banking malware is on the rise in the wild. Studies warn of power grid vulnerabilities. Devil's Ivy infests security cameras in the IoT. Digital Shadows offers a look at hackers' black markets and see similarities to the drug trade. And congratulations are due to the newest Fellow of the Royal Society.

Dave Bittner: [00:00:44:22] Time to tell you about a Black Hat presentation from our sponsor, Cylance. Did you know that Guardians of the BIOS are failing? That the BIOS is being betrayed? Well, okay, it's not exactly Benedict Arnold in your firmware, but there are still, Cylance will tell you, issues. Come to Cylance's presentation, Betraying the BIOS, and learn the ins and outs of Unified Extensible Firmware Interface security from both an attacker's and a defender's point of view. Learn how some hardware vendors have left SMM and SPI flash memory wide open to rootkits, how UEFI rootkits work, how specific technologies aim to kill them and about weaknesses in those protective technologies. It's all there, Thursday evening, July 27th from five to six at the Mandalay Bay South Seas. You may not be interested in the UEFI, but Cylance assures you the UEFI is interested in you. Learn more at Mandalay Bay or at least online at cylance.com under events. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:53:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 21st, 2017.

Dave Bittner: [00:02:04:03] International law enforcement enjoyed a big win yesterday, as a joint operation by the Dutch National Police, Europol and the US FBI and DEA took down Hansa Market, the contraband market that succeeded the recently dismantled AlphaBay as the dark web's leading source of illicit drugs, weapons and crimeware. The Dutch Police took covert control of the site over a week ago. Servers were seized and arrests made in Germany, Lithuania and the Netherlands. So bravo, Bitdefender, which supplied information vital to the operation.

Dave Bittner: [00:02:38:02] Companies continue their recovery from both WannaCry and, especially, NotPetya. The latter attack in particular has had a long-term effect on operations and a material effect on revenue. Concerns about the EternalBlue exploits involved in the attacks appear to have motivated closer attention to patching.

Dave Bittner: [00:02:56:18] A resurgence of Android banking Trojans is being reported by Dr. Web and other security firms. Google is now offering Android users of Google Mobile Services 11 and more recent versions Play Protect, which is intended to enable them to screen potentially harmful apps.

Dave Bittner: [00:03:13:24] Banking threats are, of course, not confined to Android. Kaspersky Lab reports its discovery of NukeBot, a ready-to-attack version of TinyNuke. The malware infects banks' sites with a view to stealing credentials.

Dave Bittner: [00:03:27:24] Trend Micro warns against a current malvertising campaign it's calling "ProMediads." It's distributing the Sundown-Pirate exploit kit, which is a mashup of ransomware and an information stealer. It may be related to the GreenFlash exploit, which appears ready for a reappearance in the United Arab Emirates.

Dave Bittner: [00:03:49:13] There are reports out this week from both GCHQ in the UK and the National Academies in the US. Both find their respective countries' energy sectors vulnerable to attack. GCHQ says the grid in the UK may already be compromised and the National Academies say there's a lot of work to be done on securing the electrical grid in North America.

Dave Bittner: [00:04:11:03] The Devil's Ivy Internet-of-things vulnerability, reported this week, occurs in the widely used open-source IoT code gSOAP. Viewpost's Chris Pierson emailed us some comments on Devil's Ivy. He points out that gSOAP is especially prevalent in physical security devices. Quote, "When developers share similar foundational code bases, bake these into the software running their devices, and fail to address or miss vulnerabilities as part of a well-oiled software development lifecycle, the impacts can be broad," end quote. Among the companies whose products Pierson says are afflicted by Devil's Ivy are Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony and Toshiba.

Dave Bittner: [00:05:00:02] The President's Executive Order on Cybersecurity reached some of its agency reporting deadlines this week. There's also some interest being expressed in Congress in adopting some additional safeguards agencies could put in place to help protect citizens in their interactions with them. Senator Wyden, a Democrat of Oregon, who's long been interested in cybersecurity, sent an open letter to the Acting Deputy Under Secretary responsible for cybersecurity at the Department of Homeland Security in which he urged DHS to take steps to "ensure that hackers cannot send emails that impersonate federal agencies." Senator Wyden advocates general adoption of DMARC. That's the "Domain-based Message Authentication, Reporting and Conformance" standard. We received emailed comments from Valimail's Alexander García-Tobar on impersonation. He said, quote, "The FBI reports that impersonation attacks are rising in frequency, and cost the U.S. billions each year," end quote. He thinks adopting the DMARC standard is something not only federal agencies could do; businesses, too, could increase the security of their email and reduce impersonation attacks by doing the same.

Dave Bittner: [00:06:12:07] Whitfield Diffie may now add FRS to his name. On Friday it was announced that the cryptology pioneer had been elected to the Royal Society. Our congratulations on a well-deserved honor. Dr. Diffie joins the more than 8,200 fellows elected since the Society was founded in 1660. You may have heard of some of them: Charles Babbage, Daniel Bernoulli, Charles Darwin, Arthur Eddington, Albert Einstein. Well done, Dr. Diffie.

Dave Bittner: [00:06:42:23] Security company Digital Shadows has a study of the cybercrime black market. They are specifically interested in the carding markets and how they've evolved. Their research suggests interesting comparisons to drug markets, with a complex structure designed to monetize the theft in several stages. There are data harvesters who intercept the paycard information, distributors who resell the card data, "fraudsters," who are typically low-end skids who run the highest personal risk, analogous to street dealers, and then various types used to monetize the take. Monetization can be done by dupes, or by mules, fences and others who move and sell fraudulently purchased goods.

Dave Bittner: [00:07:23:22] One interesting highlight, the criminal carding groups offer courses whose come-ons sound like the old "draw me" invitations you used to see in matchbooks and comic books. Most of the courses, unsurprisingly, are in Russian, but Digital Shadows offers a translation of a representative example. "Do you want to become a professional in the world of carding? WWH-Club offers you a new profession, a new source of income, a completely different quality of life! It will change your view on personal finance. It will show you how to earn money in an interesting, intellectual and amicable way, and find progressive friends and community!"

Dave Bittner: [00:08:00:15] That last sentence offers a sad insight into the behavioral economics of the carding world. Still, better written than the ShadowBrokers' stuff. Digital Shadows says the course costs you 45,000 rubles, which comes to about $745. There's an additional fee for "course materials" that will set you back 200 bucks. A decent investment for a criminal. As Digital Shadows points out, you might earn up to $12,000 a month or 17 times the average Russian compensation. Plus there are all those amicable and progressive friends. The training seems pitched mostly at prospective mules and fences.

Dave Bittner: [00:08:39:22] So hop to it, Progressive Community. It could be your ticket to joining the Wealthy Elite or... maybe not.

Dave Bittner: [00:08:52:06] Now some news from our sponsor, Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:51:24] And I'm pleased to welcome to the CyberWire podcast, Robert M Lee. He's the CEO of Dragos. Robert, welcome. By, by way of introduction, we want to start out as we always do with our new partners. Tell us a little bit about yourself and a little bit about Dragos.

Robert M Lee: [00:10:05:05] Thanks, yeah, thanks for having me. So as far as myself, I really focus on sort of the industrial control system space. A lot of my background was starting out in the US Air Force, and then over in the US Intelligence community, looking at and setting up a mission to identify nation states breaking into industrial control environments, like manufacturing sites, water facilities, electric power grids, et cetera. That was all fun and maybe too popular, too, too productive. It would have been a better mission maybe if it turned out we'd found that there was nobody attacking anywhere. That wasn't the case. So my team and I jumped out and created Dragos. So Dragos is a fellow Maryland-based company. We are a bunch of folks that focus on industrial security. We've got our technology and we've also got incident response and intelligence teams trying to tackle this very specific and niche industrial problem.

Dave Bittner: [00:10:57:13] So let's dig into that a little bit. Tell me a little more about Dragos. What are the specific types of challenges that you all are hoping to address?

Robert M Lee: [00:11:04:21] So I really see two major challenges in the-- in ICS or industrial control system security space. Challenge number one is we simply don't have enough people in this field. Estimates range between 500 and 1,000 ICS cybersecurity professionals worldwide. I think it's probably closer to the thousand number but that's still very, very trivial in terms of overall skill sets. And the second big issue is we don't really understand the ICS threat landscape and this also, of course, leads to a little bit of hype when we see things like, "Oh, my gosh, somebody got a phishing email, the power grid's going to come down." I was, like, whoa, whoa, whoa. There's a little bit more nuance than that. And so sometimes, over the years, we've seen IT best practices copy and pasted in ICS environments inappropriately.

Robert M Lee: [00:11:49:17] So when we try to tackle the problem, we've got our threat operation center who goes out and does incident response and, like, threat hunting and services in the field, and the real purpose of that is, can we see intrusions first-hand? And from those intrusions, can we pass them to our intelligence team to generate real intelligence? Not just indicators and stuff like that but insight into the adversary landscape that I mentioned is fairly unknown. And then, ultimately, can we draw that to our project in a way that we start scaling and automating best practices and response efforts and how we tackle these problems, because, at the end of the day, I think civilian infrastructure should be off limits to adversaries and we're only getting more and more aggressive adversaries.

Dave Bittner: [00:12:30:12] It strikes me that ICS is one of those areas where just about everyone can wrap their heads around what would happen if, you know, if they get attacked, the lights are going to go out or the water is going to stop flowing or that dam is going to burst.

Robert M Lee: [00:12:44:21] Yeah, I mean, so that's, that's the, the tricky area, right? This is a topic that is fundamentally important to everybody's life. We all are impacted in a major way by industrial control systems, whether we realize it or not, and it is easy to wrap your mind around, "Oh, my gosh, what if the power goes out?" But the nuance in how that would take place is often lost and that is really where a lot of the expertise comes in, knowing what really can and can't happen related to specific events. And in that sort of chasm of a lot of people being super interested but also not a lot of people responding first hand and seeing and having expertise on the nuance on it, in that, in that chasm between those two points we often find a lot of hype. And so folks that are well-intentioned but talk in the media or elsewhere about the potential and really miss that it's really not fear and gloom and doom. I mean, there are some scary scenarios but not, not quite, you know, movie level land as yet.

Dave Bittner: [00:13:47:12] All right. Well, Robert M Lee, welcome to the show. We're happy to have you. We're looking forward to what you have to say.

Dave Bittner: [00:13:57:02] Time for one more message from our sponsor, Cylance. You know, good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They have concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications and develop nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiqués within a massive cloud of noise. Backdoors for the good guys mean backdoors for the bad guys and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to cylance.com and take a look at their blog for reflections on surveillance, censorship and security. That's cylance.com. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:15:06:22] My guests today are Leslie and John Francis. They're co-authors of the book Privacy: What Everyone Needs to Know. Leslie Francis is a distinguished Professor of Philosophy and Distinguished Alfred C Emery Professor of Law at the University of Utah where she also serves as Director of the Center for Law and Biomedical Sciences. John G Francis is a Professor of Political Science at the University of Utah.

John Francis: [00:15:31:23] I think a lot about privacy that matters to people is choosing the terms on which you reveal yourself to others. I think that's a-- that, that kind of is a theme that wanders through a lot of the privacy literature.

Leslie Francis: [00:15:43:24] And one of the problems is that people may not have the range of choices that they want so, yeah, I need a cellphone. That comes with some risk. I would rather have it come with fewer risks. We all know that there are certain risks of data getting stolen.

Dave Bittner: [00:16:05:01] As we head towards these GDPR standards in Europe coming up next year, it strikes me that, you know, different cultures have different standards for privacy and as we become more of a global community how do you see that playing out?

John Francis: [00:16:19:12] In Europe, there has been, as you know, a great deal of concern particularly in the-- about social media or search engines that can reveal a great deal about people's records that make them accessible to a larger audience and I think it is that there are, I mean, cultural variations so that in the United States the debate is often over the right to know versus, say, the right to be forgotten. And Americans tend to go a bit more on the right to know, on having access to information about others that they would like to see and the Europeans I think have been somewhat-- much more constrained in, in that notion. And that's probably shaped to some extent by the fact that all of the firms that gather the data and transmit information tend to be giant American firms. So in a way, this has accelerated the debate in Europe, at least I would suggest, that you're not only dealing with the right to know versus the right to be forgotten, you're dealing with the fact that the data might be shipped to another country, to some of that discussion.

Leslie Francis: [00:17:35:16] One other difference between Europe and the United States that we might mention is that the United States has been much more concerned about government gathering of information whereas in Europe there is a great deal more concern about the private sector and control of information. Some of that is ironic because some of the history of European privacy attitudes has actually been shaped by the legacy of fascism.

John Francis: [00:18:01:12] And communism in Eastern Europe.

Leslie Francis: [00:18:03:04] Yeah.

Dave Bittner: [00:18:04:00] What about encryption? What are your thoughts on that?

John Francis: [00:18:06:13] It's, it's a, it's a fascinating debate because it does actually highly-- highlight the whole question of security questions as it did over the phone that Apple declined to de-encrypt. And I think, at the, at the same time, it's, it's also equally clear that you can address encryption. It's not that much of a total firewall as people would say but I, I think it is going to be forever kind of one of the great challenges ahead because we're now in an age of ever-growing hacking and encryption is one way to address that but maybe not always the best, so I think, yes, encryption is there, yes, people will figure out how to break encryption but I think that is part of the ever going cat and mouse aspect of security on the net. It changes and who has the advantage seems to change on a regular basis.

Dave Bittner: [00:19:03:06] As we go forward, looking forward from this point in time, where do you think the discussion on privacy needs to go?

Leslie Francis: [00:19:09:18] I think it needs to go to whether, in the United States, we should have a more overarching single approach to privacy rather than what people call the sectoral approach that we now have. So one of the things that's very difficult for people to understand is that the protections for your educational records are different from the protections of your banking records and they're different for the protections of your credit. It seems like it's all financial information, right, so why are the protections different with your bank than if it's a credit bureau? Or credit reporting agency? The rules also vary depending on who has the data, so why should the protections for my health information be different if it's possessed by my doctor than if I store it in a secure website called a personal health record? And I think we, we're going to have to look at the question of whether we should have a more general overarching consumer privacy approach the way it exists in Europe.

John Francis: [00:20:18:12] And one other-- maybe I would just add one thing. Justice Breyer had a famous quote, that if you over regulate you under regulate, that is if you make, if you make regulatory policy so complicated, people simply avoid implementing it. And in some senses, that has to be constantly a consideration in privacy policy because if it gets too complicated, people just go around it and so I think probably more weight should be given to people being sensible, to kind of educating them about how you use information and the risks you employ and your willingness to entertain the risk.

Dave Bittner: [00:20:59:21] That's Leslie and John Francis. They are the co-authors of the book Privacy: What Everyone Needs to Know. It's from Oxford University Press.

Dave Bittner: [00:21:12:06] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:21:24:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Have a great weekend, everybody. Thanks for listening.