HBO hacked. Operation #LeakTheAnalyst targets individual security researchers. Election hacking notes. UK's Home Secretary opposes strong encryption. Russia bans VPNs. Bitcoin, crime, and punishment.

Dave Bittner: [00:00:01:02] If you go to patreon.com/thecyberwire, you can find out how to become a contributor, and at the ten dollar per month level, you gain access to the ad free version of our show. It's the same CyberWire, just without the ads. So check it out patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:21:06] HBO gets hacked and intellectual property is exposed. Operation #LeakTheAnalyst targets individual security researchers. Election hacking: machines, databases, and public opinion are all targets. The UK's Home Secretary wants Silicon Valley to rethink strong encryption. Russia, like China, is clamping down on virtual private networks. The BTC-e Bitcoin exchange is shut down amid allegations of money laundering. And write this 500 times: "I will not mine Bitcoin on my school computer".

Dave Bittner: [00:00:57:18] A quick note about some research from our sponsor, Cylance. The hoods at Shellcrew, an organized cyber crime gang are using and improving a family of malware Cylance calls Streamex. Unfortunately, Streamex flies below the radar of conventional signature-based antivirus solutions, and when it gets in, all kinds of bad things follow. Shellcrew can modify your file system or registry, create system services, enumerate your resources, scan for security tools, change browser settings and, of course, execute remote commands. Streamex is being served up by some legitimate websites, mostly Korean. It's a nasty rat, you want nothing to do with. To get the information on Streamex, go to cylance.com/blog and check out the paper on Shellcrew. That's cylance.com/blog. And while you're there, find out how to defend yourself from this and other threats with Cylance protect. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:59:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 1st, 2017.

Dave Bittner: [00:02:10:02] Hackers have compromised HBO. They claim to have pilfered 1.5 terabytes of data, and they've leaked a script from an upcoming episode of Game of Thrones online. Their motive is unclear. It may be extortion, it may be nothing more than counting coup, the lulz, as they say. The hackers also claim to have obtained unreleased episodes of other shows, including Ballers, Insecure, Room 104, and Barry.

Dave Bittner: [00:02:35:10] The incident is noteworthy in that, unlike earlier Hollywood hacks that exploited lax security at third-party vendors, especially post-production facilities, HBO itself appears to have been breached. The cable giant has confirmed the breach, but has been reticent about disclosing exactly what was stolen. The hackers are pleased with themselves, addressing themselves to "all mankind," and promising "the greatest leak of the space era," with more to come, so you ain't seen nothing yet, apparently. But what the actual impact of the leaks will be remains to be seen. Pirate torrent usage has been in decline for some months, and past escapades like this one have tended to lay an egg.

Dave Bittner: [00:03:16:02] We heard from security company Prevalent's Brad Keller, who in an email compared this hack to the Netflix loss of some Orange Is The New Black episodes. The lesson he draws from the HBO affair is that a company's intellectual property is an important asset that needs protection. "Too often companies only look at customer data and company financial information as assets requiring protection, forgetting that the release of a company’s intellectual property can have devastating consequences. The lost revenue from the theft of intellectual property is gone forever."

Dave Bittner: [00:03:49:13] No significant developments today in the "Operation #LeakTheAnalyst" story. It's worrisome because of the way a named individual was singled out for targeting. So far it appears that FireEye's own systems, including those of its Mandiant unit, were unaffected.

Dave Bittner: [00:04:06:00] Demonstrations of voting machine hacks at Black Hat last week prompt continued rumination over threats to election security. Concerns fall, generally, into three broad categories. First, the vulnerability of electronic voting to hacking and therefore direct manipulation of results—this is the sort of problem illustrated at Black Hat. It also seems not to have yet been realized in the wild. Second, exposure of voter databases. This has occurred, and is worrisome. Security firm LookingGlass has found some forty-million US records for sale in dark web markets. And third, of course, influence operations. These have so far largely been Russian in origin, and connected with both doxing—"enforced transparency," as it's been called in the political context—and straight disinformation—"fake news." The effect of influence operations remains the subject of investigation in the US and elsewhere.

Dave Bittner: [00:05:01:18] Officials in Germany, where the next major Western elections will be held next month, are on the lookout for all three threats.

Dave Bittner: [00:05:10:06] Michael Janke isn't afraid of challenges or big ideas. He's a former Navy Seal and co-founder of cyber security incubator DataTribe, plus Cylance Circle and Blue Pacific Studios. After being asked repeatedly by reporters why our nation couldn't do a better job protecting itself from cyber attacks, he put his mind to it and proposed an effort that he calls "The National Institute of Digital Security." As ideas go, it's a big one.

Michael Janke: [00:05:36:18] If you think about the commercial sector, whether it is on one end a Lockheed that's building our latest generation fighters or it's a small design shop that is innovating with IP, and all in between or the Disneys, the banks, the Fords. You know, it's literally open season on them. Then you have government. Outside of NSA, CIA and a few other places, their level of cybersecurity protection awareness and skill is just extremely low. You take a look at what happened at OPM, right? You think about the cost of a single aircraft carrier and you think about an organization that fits in the middle. It's not a government organization and it's not a Wall Street, you know, a publicly traded company that's got to make revenue every quarter. You take the best of both. You take very experienced large company management, very streamlined, you take talent that exists within the intelligence community, and then you take, you know, universities and some of the real raw talent in Silicon Valley, and you bring them together for a mission. That mission is we are going to create basic fundamental software and you begin to build this repository where American corporations, whether they're publicly traded, or a mom and pop, can go utilize this software for free, and you begin immediately getting into our ecosystem, a level of basic digital hygiene, including the government. Basic features that can rapidly build up their defense profile.

Michael Janke: [00:07:30:08] Now from the commercial side, how do they win? Well, now you have these companies that are able to donate some money to it, like a non for profit. They can sponsor certain things. They can draw talent out of there. They can build on this free software. You have to first understand the stakeholders.

Dave Bittner: [00:07:51:04] And so from a practical point of view, how does this National Institute of Digital Security run? Is it an independent organization? And where does it get its funding?

Michael Janke: [00:08:00:24] Yes, it is an independent organization that is run by seasoned executives, not government. However, both private sector, both publicly traded venture, as well as large and small cyber security in any firm, can put money into it. Government puts money into it. Like I said, you could run this per year for the cost of a single battleship. So the idea would be you take some of that, you bring in the private sector and, you know, you build a ten billion dollar budget that can run you five years. Professionalize it, allow our companies the ability to access, download and begin deploying.

Dave Bittner: [00:08:48:05] That's Michael Janke from DataTribe. The organization he's proposing is the National Institute of Digital Security.

Dave Bittner: [00:08:56:12] British Home Secretary Amber Rudd is in California, working to convince Silicon Valley's tech industry that "real people" don't need strong encryption. Only terrorists do, she says, making her position in the crypto wars quite clear. So two of the five eyes, at least, are squinting very hard at strong encryption.

Dave Bittner: [00:09:16:18] Last week it was learned that Apple had agreed to knuckle under to Chinese authorities who directed the company, and others, to block virtual private network services from their stores and offerings. Over the weekend Russia also banned VPNs. Amnesty International isn't happy and neither is Edward Snowden, who for some reason seems surprised that the Russian government would exhibit ambitions to control online speech.

Dave Bittner: [00:09:41:16] In the cryptocurrency world, Alexander Vinnik, co-proprietor of BTC-e, a large and popular Russian Bitcoin exchange, was arrested late last week in Greece, by Greek police executing a US warrant. Vinnik faces money laundering charges stateside. He's also suspected of playing a part in the Mount Gox fraud and implosion

Dave Bittner: [00:10:03:15] Now US authorities have also taken control of BTC-e's domain in a cooperative takedown executed by the FBI, the Secret Service, and the Department of the Treasury pursuant to a seizure warrant issued by the US District Court for the District of New Jersey. BTC-e customers are concerned about their funds. It's unclear whether they'll recover them or whether they'll be forfeited.

Dave Bittner: [00:10:26:24] Coinbase, the legitimate California-based digital asset exchange, is widely reported to be under a denial-of-service attack, but this seems to not to be the case. The availability problems it's suffering seem not to be an attack, but rather heavy usage by customers concerned about this month's anticipated Bitcoin fork.

Dave Bittner: [00:10:46:10] And, finally, an employee of New York City's Department of Education, one Vladimir Ilyayev, a computer systems manager who's worked at the Department for more than ten years, has been disciplined for using his work computer to mine Bitcoin. Since Bitcoin mining now takes a lot of computational and electrical power, it's not so easy to do it at home, and Mr. Ilyayev hit on the idea of just leaving his work computer to do the digging. New York's Conflicts of Interest Board fined him four vacation days—worth about $600—but he's kept his job. No word on whether they had him write "I will not mine coin on the job" five hundred times? After all, it's what Mrs. Krabappel would've done.

Dave Bittner: [00:11:32:16] Here's some research from our sponsor Cylance that we think you'll enjoy. If you've been a CyberWire listener or reader, you're familiar with iPyramid, a cyber espionage tool that had been quietly active in Italy's political and financial services for several years, until the brother and sister duo, who were controlling it, were snapped up by Italian police. It's a clever keylogger that exfiltrated sensitive information from infected machines and it did so while quietly disabling firewalls and various Windows updates and services - the better to remain undetected. You can get the lowdown on these still dangerous iPyramid at cylance.com/blog. See what Cylance's threat spotlight can show you about iPyramid and how to protect yourself against it. That's cylance.com/blog. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:26:15] And joining me once again is Professor Awais Rashid. He heads the Academic Center of Excellence in Cyber Security research at Lancaster University. You all have done some research on encouraging security cultures among software developers and, through that research you'll have a few tips to share with us today.

Professor Awais Rashid: [00:12:44:02] Yes. Thank you for having me back again. Indeed, software now plays a fundamental role in our society, from apps that you may use to the smart devices that we deploy in our homes or in our workplaces and the question that naturally comes is, who has developed that software and what kind of security practices that were followed by those who developed the software? And so we have been doing some research in terms of understanding what kind of interventions can actually help build better security cultures within teams, but also, of course, you know, we know that good interventions like, for example, penetration testing, work really, really well, but then they tend to be quite costly. Similarly, code reviews are a really effective way of understanding security, but they require quite a lot of disciplines from the security team and the developers themselves. So we did some interviews with experts, who have been engaged in encouraging security cultures within organizations and developing security cultures within development teams, to try and understand what are the perhaps, low cost interventions. The ones that don't require a lot of effort or investment of resources, but also don't require a huge amount of discipline from the development team to carry out. And through this research we actually identified five main interventions. So for example, tech modeling can be a good way of encouraging security cultures, just getting the team together in some kind of brainstorm to model the various types of attackers, threats and commercial impact of attacks on the systems under development. A really good low cost way of doing things is an incentivization workshop. So to motivate the developers themselves to understand the security problems and how to prevent them, and some of the experts, for example, suggested that it's not simply a case of scaring the developers into security, but if you can, for example, shock them by showing some particular security problems, but leave them knowing how to solve them, then that can actually particularly encourage them to do this.

Professor Awais Rashid: [00:14:42:15] The other thing that we found was that low hanging fruit, in the sense of component choice, can be quite useful. So, for example, if a developer is using plug ins, then, you know, knowledge about the security vulnerabilities or good security practice followed in those plug ins can be quite useful. And the other things that we also found were the things like static analysis tools can be a particular thing. And another very simple thing, a continuous reminder of some sort, you know, to just simply remind the developers that they need to sort of think about it on a regular basis. So not only an initial motivational talk, but actually thinking about reminders in the way of say security competitions or positive feedback, when a team achieves a secured product, you know, or using public security disasters. We saw that in the case of the NHS in the UK. And then use that as lessons. You know, these kind of things can also help encourage build a security culture. So I want to emphasize again, it's not at the expense of things like penetrating testing, but these are things that any team can do at a fairly low cost and don't require a huge amount of discipline to keep carrying them out.

Dave Bittner: [00:15:55:04] Alright, good advice. Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:16:01:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out more about Cylance and how they can help protect you using artificial intelligence, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. The executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.