The CyberWire Daily Podcast 2.1.18
Ep 527 | 2.1.18

ISIS war on families. Cryptomining botnets. The weaponization of Spectre and Meltdown. Phishing with bogus emails spoofing Google, Microsoft. Apps that know too much.

Transcript

Dave Bittner: [00:00:00:21] Thanks again to all of our Patreon supporters; you can find out how you can become a supporter at Patreon.com/thecyberwire.

Dave Bittner: [00:00:11:04] ISIS inspiration is increasingly directed at children. Cryptomining botnets use the same EternalBlue exploit as WannaCry. Criminals experiment to weaponize Spectre and Meltdown vulnerabilities. Phishing campaigns exploit well-known services including Google Docs and Outlook. We've got some patch notes, and geolocation and other app-collected info raise OPSEC concerns.

Dave Bittner: [00:00:39:10] And now I'd like to share some words about our sponsor, Cylance. You know you've gotta keep your systems patched, right? Patching is vital, and WannaCry, which hit systems that hadn't been patched against a known vulnerability, well, that's Exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance Endpoint Security Solutions will do exactly that. Fend the bad stuff off and do your patching quickly but systematically. It's artificial intelligence, and it's a natural for security. Check out the Cylance blog Another Day, Another Patch at Cylance.com, and we thank Cylance for sponsoring The CyberWire. That's Cylance.com for cybersecurity that predicts, prevents and protects.

Dave Bittner: [00:01:39:07] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, February 1st, 2018.

Dave Bittner: [00:01:49:09] Its Caliphate may have been extirpated from the territory it once held, but ISIS continues to recruit and inspire in its online diaspora. They concentrate on the young, mostly teen and tween boys, feeding them music, slogans, and, alas, beheading videos. Foreign Policy magazine calls it a continuing "war on families," many of whom have already lost, mostly sons, to terrorist inspiration. A lot of the fighters killed in Iraq and Syria were teenagers, and ISIS has concentrated, patiently, on wooing boys online over the course of years with its promise of transcendence and authenticity. Jihad's religious appeal is a central part of ISIS messaging. Anyone who has observed how online gaming, music, and video can capture a child's attention will have at least some sense of what Syrian parents are up against.

Dave Bittner: [00:02:44:18] A very large cryptomining botnet, called "Smominru," has been in circulation since last May. It's believed to have infected more than half-a-million Windows machines and earned its criminal masters millions. Its coin of choice is Monero, and the bots it's herded are found mostly in Russia, India, and Taiwan. The botnet's current daily take is estimated at $8500. Researchers at security firm Proofpoint say that Smominru gets its entrée to victim machines through the EternalBlue exploit (CVE-2017-0144). EternalBlue, dumped by the Shadow Brokers in what they characterized as the release of stolen NSA Equation Group exploits, is the same one used by the WannaCry ransomware attack of last spring.

Dave Bittner: [00:03:33:09] The WannaMine cryptominer described last week by CrowdStrike continues to circulate. This fileless malware also uses the EternalBlue exploit. It appears that Smominru and WannaMine are distinct campaigns run by different threat groups, but these stories continue to develop.

Dave Bittner: [00:03:51:18] Hackers are also working on other malware to hit those who haven't yet patched EternalBlue and other alleged Equation Group exploits the Shadow Brokers released last year.

Dave Bittner: [00:04:02:13] AMD has, like Intel, announced that its next generation of chips will not be burdened with either Meltdown or Spectre. In the meantime patching efforts continue. The vulnerability has so far not been exposed to threats designed to take advantage of it, but of course we can't count on that forever.

Dave Bittner: [00:04:20:00] In fact malware exploiting Spectre and Meltdown CPU vulnerabilities is expected to break into the wild in the near future. Researchers in a number of security firms have observed more than one-hundred-thirty distinct samples of malicious code designed to attack these flaws. The security firms studying the activity—AV-TEST, Fortinet and Minerva Labs—have concluded that exploits aren't proofs-of-concept, at least not for the most part. Instead, researchers believe they're observing criminal experimentation with new attack tools. The experiments appear to be making use of proof-of-concept code publicly released shortly after the vulnerabilities were disclosed. We are therefore seeing weaponization of a vulnerability follow the familiar post-disclosure path.

Dave Bittner: [00:05:05:12] Who's doing the experimenting with Spectre and Meltdown the researchers either don't know or aren't saying, but some of them are speculating that some nation-state and not cybercriminals will be the first to use them once they're ready.

Dave Bittner: [00:05:19:13] Barracuda warns that it's found criminals impersonating Google Docs, Outlook, and DocuSign. They send emails that purport to be from these trusted services, and that claim to remind you that you have unread messages. The links in these phishing emails are of course malicious. Don't be fooled.

Dave Bittner: [00:05:38:12] Imagine you've got a system or process you need to test safely in a controlled environment. One method you might use is a cyber range in a Cloud Sandbox. Shashi Kiran is from Quali, a Cloud Sandbox provider, and he explains the use cases.

Shashi Kiran: [00:05:54:13] For those of you who are familiar with shooting ranges or gun ranges, where you're in a position to go exercise arms in a safe and controlled manner, think of something that is similar but in the context of a cyber security environment. So a cyber range essentially is an environment set up either for testing complex applications, testing certain production scenarios or for training purposes.

Dave Bittner: [00:06:22:13] And so setting up a cyber range within a Cloud Sandbox, what are the advantages for doing that from a security point of view?

Shashi Kiran: [00:06:29:18] A Sandbox is essentially a replica of any environment. It could be an IT production environment, it could be something that's in the data center that could be in the context of a lab, or potentially even something that represents a physical environment. You could relate this to, like, an air traffic control situation, power grids, water supplies, security ops centers. No matter what the environment is, if you wanna bring that in the context of a representative simulation of sorts, then you can create a Sandbox which essentially models all of these different components and exposes them to either developers and testers, or to security professionals, or to your networking staff who need to get exposed to this environment to come up to speed on security posture. And so the Sandbox allows modeling of these environments, bringing them up, and then allows them to be torn down when this activity's complete. So that's really the notion of the Sandbox.

Shashi Kiran: [00:07:35:14] We call it a Cloud Sandbox because this environment can be deployed onto any cloud. It could be in a private Cloud environment, over bare metal, or it could be in a public cloud environment, on Amazon, Azure, OpenStack in a private construct. Or even in a hybrid cloud environment. So that's really the notion of the Cloud Sandbox, which is deploying any environment on any cloud, bringing it up and tearing it down. So if you were to now bring this up to reconstruct a cybersecurity environment and expose that for either development testing or assimilation or training, then it becomes a cyber range, and that's really where we're seeing a lot of pull from defense institutions, from larger corporates that want to train their staff in security administrators and professionals, as well as some of the front line security staff, to just make them very savvy about the entire end to end security posture.

Dave Bittner: [00:08:40:07] And so the benefits for a company to invest in this sort of thing, can you outline that for us?

Shashi Kiran: [00:08:45:19] Yeah, today if you look at the type of threats that are coming in, they're exponentially increasing, and you also see that the complexity of the environment is also increasing. Everything is connected, whether it be power grid situations, things on the battlefield; we have Internet of Things coming in with endpoint devices and wearables and smart meters. The more connected things become, the more complex the environment is as the value chain gets fragmented, and the harder it is to really detect what your end to end security posture is, and to ensure that environment is reasonably fortified. This is where we're seeing a lot of interest come in to model such a complex environment, particularly in the context of larger enterprises and corporations as I mentioned. But also service providers that want to take the notion of a cyber range and offer it to their end user customers, and allow them to customize sophisticated protocols quickly, or use it for certification and training purposes, or to create and test different strategies as they harden their security posture.

Shashi Kiran: [00:10:01:19] And we're also seeing this in the context of defense institutions, where they want to, let's say take battle time, which again is a connected entity or a submarine. You wanna be in a position to model this and bring this and ensure that the communication protocols are tested, and your ability to handle certain situations is done in a very authentic manner. So these are some of the situations that crop up very frequently, Dave.

Dave Bittner: [00:10:28:18] That's Shashi Kiran from Quali.

Dave Bittner: [00:10:33:00] In patching news, ManageEngine has fixed several zero-days disclosed to it by Digital Defense. Mozilla has fixed a remote-code execution issue in the Firefox user interface: Firefox version 58.0.1 has the patch.

Dave Bittner: [00:10:49:22] Apps that geolocate devices continue to raise OPSEC concerns. "OPSEC" is of course the military acronym for "operational security," but civilians have related concerns. Sure, you want to know where you are, and you're happy your device can help you find your way around, but, with all due apologies to members of the extravert, exhibitionist, and inveterate show-off communities who may be listening, most of us don't necessarily want our location uploaded and made available to the idly curious, still less to the many who might wish to audit our daily activities for their own purposes.

Dave Bittner: [00:11:24:04] The Strava fitness app has worried the US Department of Defense for the potential it had to reveal troop locations in its heat map. You might wonder why Strava would collect, aggregate, and anonymize user data and publish it in a heat map. Strava's CEO James Quarles explained their thinking. "Our heatmap provides a visualization of activities around the world, and many of you use it to find places to be active in your hometown or when you travel. In building it, we respected activity and profile privacy selections, including the ability to opt out of heatmaps altogether. However, we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations."

Dave Bittner: [00:12:14:01] In any case, US Secretary of Defense Mattis thinks it's enough of a problem that he's considering banning not only fitness apps but smart phones from the Pentagon entirely. He's directed Under Secretary of Defense for Intelligence Joseph D. Kernan to explore the issue and develop an appropriate policy. Since the location of the Pentagon is no mystery, it's clear that the concerns aren't that a heat map is going to betray its position. After all, the old, now gone, hot dog stand that used to do business in the Pentagon central courtyard had the Cold War nickname Ground Zero Cafe. We have to ask if the Secretary has considered the morale effects of a ban. What will all the lieutenant colonels do for stress-relief on their breaks if you take away their Clash of Clans? Walk across Columbia Pike to the mall? That's a hike, and you'd have to go all the way across the parking lot without so much as a Fitbit to track your caloric expenditure or a Waze to keep you from getting lost. Don't kill morale; we don't want to see the Joint Staff's readiness posture degraded.

Dave Bittner: [00:13:19:01] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to business today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys: your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze the computer, network or system data. But to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? You can test drive ObserveIT, no installation required, at ObserveIT.com/CyberWire. That's ObserveIT.com/CyberWire, and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:26:04] And joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw an article come by from the National Law Review; it was talking about how the National Association of Insurance Commissioners, the NAIC, are gonna be adopting a model data cybersecurity law in response to some of the hacks that we've seen, specifically the Equifax breach. Take us through what's going on here.

Ben Yelin: [00:14:54:17] So the NAIC is finalizing what would be a model data cybersecurity law. It's premised largely on what New York State has done, specifically in response to that Equifax breach. But we've seen this in other areas of the law where you have interest groups; they want to develop some sort of national standard, but they don't think Congress is either capable or willing to put it into play at the federal level, and they realize how much power states have, state agencies have, state legislators have, so they develop a model piece of legislation. They basically bring it to every state legislator in the country and look for volunteers to get it enacted. We've seen that in the criminal context with the model penal code, and in recent history we've seen that with a number of pieces of legislation. So I think the approach is particularly novel, trying to come up with model legislation for the states to adopt.

Dave Bittner: [00:15:49:15] So is this kind of an end around, to get in front of it before the Feds set the policy, that you can go to the states? It seems like, I mean, this is a trade group who's trying to get this done, right?

Ben Yelin: [00:16:02:20] Yeah, so in some ways it could be seen in that way. There are also, you know, we know that Congress only has enumerated powers; they can only enact laws in areas under their jurisdiction. Well, most cyber policies are gonna have some sort of effect on interstate commerce, but that's not necessarily always gonna be the case. But more from a practical level, I think because Congress is so paralyzed, this interest group sees more potential in state legislatures; you're not confined by filibuster rules, or national hot button political debates. I think it'll just be a more expeditious and easier way to enact these minimum standards, and I think states are gonna be more amenable after seeing the high profile events that have happened over the past several years.

Dave Bittner: [00:16:49:15] Now, when these sort of things get presented to state legislatures, do they pass through with few changes or is this just a starting point for a conversation?

Ben Yelin: [00:17:01:02] I think the less controversial the topic, the fewer changes that you're gonna see. I don't think you're gonna have partisan legislatures fighting over the details of minimum data security standards, especially in state legislatures where many legislators are part time, and aren't as well versed and experienced in the issues as members of Congress are. My hunch is that these standards are more likely to be rubber stamped in state legislatures than in our federal Congress, and that might be the impetus behind undergoing such an effort here.

Dave Bittner: [00:17:34:24] Alright, Ben Yelin, thanks for joining us.

Dave Bittner: [00:17:40:00] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit E8Security.com to learn more.

Dave Bittner: [00:18:00:18] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media; our editor is John Petrik, social media editor is Jen Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.