Trends in phishing. Olympic hacking. Cryptojacking spreads. Litecoin gains black market share. Influence operations. Can Strava be exploited by bicycle thieves?
Dave Bittner: [00:00:03:22] Phishing gets more personal with conversation hijacking and attempts on direct deposit instructions. The Olympics have opened; do you know where your hackers are? Apple finds leaked iOS source code on GitHub. Cryptominers are found in hospital systems. Litecoin picks up black market share. We've got some notes on recent patches. Concerns about Russian influence operations continue as the US midterm elections approach. And are bicycle thieves going online?
Dave Bittner: [00:00:36:05] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless that's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017 so even at 99% you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight kernel level container where the malware's rendered useless. With Comodo's patented auto containment technology they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo you can say with confidence, I got 99 problems but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com and we thank Comodo for sponsoring our show.
Dave Bittner: [00:01:52:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, February 9th, 2018.
Dave Bittner: [00:02:02:13] Phishing shows some fresh plausibility and sophistication as the criminals pay closer attention to their marks. Researchers report a spike in conversation hacking, where criminals interpose themselves into an email thread, spoofing one of the parties to the conversation in an effort to induce the other to open a malicious attachment that carries the Gozi Trojan as its payload.
Dave Bittner: [00:02:25:04] Other observers note an increase in phishing attempts that induce employees to give up their credentials so their paychecks can be directly deposited in the criminals' account. In this scam a trusted company resource is spoofed, and suspicious employees who respond to the initial phishing email with questions, are promptly reassured that, yes, this is legitimate.
Dave Bittner: [00:02:46:03] The Winter Olympics opened today, but state-sponsored threat actors have hacked in first. So far it's mostly phishing and doxing by North Korea and Russia, but McAfee and other security firms are warning that anyone interested in the Olympics should raise their anti-phishing alert levels a bit while the games last.
Dave Bittner: [00:03:05:00] Apple has filed a notice under the Digital Millennium Copyright Act to have GitHub remove leaked iOS source code. Their notice asserts that Apple has been injured by the publication of the code. Specifically, Apple objects to "reproduction of Apple's 'iBoot' source code." Speaking to MacRumors yesterday, Cupertino said, "Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products and we always encourage customers to update to the newest software releases to benefit from the latest protections." Observers think the leak both large and consequential. The leak certainly affects iOS 9, and some think it likely that this particular bit of code persisted into iOS 11.
Dave Bittner: [00:03:56:14] Cryptominers turn up in more uncomfortable places, among them a Tennessee hospital's electronic medical records system. Decatur County General Hospital saw the first signs of infestation in November. It began disclosing the incident to 24,000 patients on January 26th.
Dave Bittner: [00:04:14:06] It doesn't appear the hospital's operations were impeded,but some enterprises have reported that cryptominers have slowed their systems to a crawl, effectively preventing them from operating under anything approaching normal levels.
Dave Bittner: [00:04:27:05] As more criminals seek payment in Litecoin, that cryptocurrency appears to be taking black marketshare from Bitcoin. Researchers at security intelligence firm Recorded Future have taken a look at 150 of the dark web's top black markets and found that the rise in Bitcoin's price is driving crooks and drug dealers to look for a more affordable alternative. For now they seem to be finding that alternative in Litecoin.
Dave Bittner: [00:04:53:08] In patching news, NETGEAR has patched five vulnerabilities that Trustwave's SpiderLabs found in their broadband routers. And WordPress has issued an emergency patch for version 4.9.3 but users will have to apply it manually. Admins are finding the update comes with some headaches.
Dave Bittner: [00:05:12:04] US interest in forestalling Russian midterm election influence operations remains high, with Congress suggesting strategy to the Department of Homeland Security. Representative Will Hurd told the Atlantic Council symposium that the model DHS uses to counter violent extremism could be extended readily to countering Russian disinformation.
Dave Bittner: [00:05:33:11] Among those expressing concern about Russian influence operations is former President George W. Bush, who thinks evidence of Russian chaos-inducing disinformation during the last US election cycle is "pretty clear." He also offered, in a talk at a Milken Institute economic summit in Abu Dhabi, his take on Russian motivation. Speaking of Russian President Putin, Bush said, "He's got a chip on his shoulder. The reason he does is because the demise of the Soviet Union troubles him. Therefore, much of his moves are to regain Soviet hegemony."
Dave Bittner: [00:06:09:04] Finally, an alert listener tells us we should warn you that the geolocations betrayed by Strava could also be used by thieves who want to steal your bicycle. We've looked into it and it appears that police in a to-us unpronounceable Welsh town, have been warning against this possibility since 2014. What's that town, you ask? Dyfed-Powys? DIFF-ed POH-weez? Dift-Pows? We'd know how to say it if we were from Central Pennsylvania or Western New York, but we're a Baltimore show, hon.
Dave Bittner: [00:06:41:00] Anyhoo, our listener tells us this is a thing in the US as well. He says, "My understanding is that cyclists like to map their rides and compete with other riders. They also list what their bikes are. Thieves go online and look for a bike, see where the ride always stops or starts, and this allows them to wait for the garage door to go up and no one is watching and they take off. These bikes can easily run north of five or $10,000 and up. Just an FYI."
Dave Bittner: [00:07:08:22] And a good FYI it is too. So thanks, listener. It's not just a military OPSEC matter, but a crime prevention issue as well. A bit of awareness we're happy to share.
Dave Bittner: [00:07:18:10] We'd like to include a special warning to whoever it is that's been seen in the Strava heat map pedaling their Schwinn around the Groom Lake airstrip at Area 51. The Gray aliens widely believed to be resident there are notoriously sticky fingered, so take your bike lock with you. It gets nuts in the peloton sometimes, but hey, the truth is out there.
Dave Bittner: [00:07:44:06] And now a few words about our sponsor DataTribe, the successful and growing cybersecurity startup studio. They're doing something different to bring on board some of the freshest talent to the sector. They're launching the DataTribe cyber competition, a competition to identify high technology start ups who've got a vision to disrupt cybersecurity and data science. The three finalists will split $20,000 in prize money but that's just the beginning. Finalists will be considered by DataTribe for up to 2 million dollars in seed funding. Start ups with less than 1.2 million dollars in seed financing are eligible to apply and contestants have until March 23rd to apply at datatribe.com/go/cybercompetition. And if you've got questions, DataTribe has answers. Email inquiries to email@example.com. Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos which recently made headlines over CRASHOVERRIDE and TRISIS.So check it out. It's datatribe.com/go/cybercompetition. And we thank DataTribe for sponsoring our show
Dave Bittner: [00:08:56:24] And I'm pleased to be joined, once again, by Dale Drew. He's the Chief Security Strategist at CenturyLink. Dale welcome back! We wanted to touch today on this notion of victim notification and the importance of that, what do you have to share there?
Dale Drew: [00:09:09:13] We have a bit of a dilemma from a victim notification perspective. We, we took an initiative late last year and beginning of this year and made the decision to, to notify every victim that we identify with our threat intelligence platform. So as an example, just us alone, we're, we're tracking 178 million victims globally and there's about 60,000 new victims a day and so we want to do something about it and so we started--
Dave Bittner: [00:09:38:24] Now when you say a victim, what, tell me what is that? What's the breadth of what that could entail?
Dale Drew: [00:09:43:04] Aah that's, that's a compromised computer done by a piece of malware or a bad guy. So that could be a, that could be a desktop sitting at, on, on a consumer's home or that could be a, a server or a desktop sitting within a company or corporation.
Dave Bittner: [00:09:59:10] Okay.
Dale Drew: [00:09:59:12] So a company which has been compromised.
Dave Bittner: [00:10:01:13] Yeah.
Dale Drew: [00:10:02:09] And so we wanted to do something about it right, and so with regards to notifying our customers who might be victims, that's relatively easy. We've, we've got a trust path to those, to those customers and we can send them notifications and they, they can feel relatively comfortable that it's coming from a trusted source. But when we made the, the decision to start notifying anybody on the Internet who we saw as a victim of a, of a compromise, we're running into a conundrum of how do you notify a victim that they've been a victim of a computer intrusion without that notification looking like a phishing attack?
Dave Bittner: [00:10:41:13] Right exactly.
Dale Drew: [00:10:42:22] Yeah [LAUGHS] and so.
Dave Bittner: [00:10:44:09] How do you do that Dale [LAUGHS]?
Dale Drew: [00:10:46:04] Yeah it's, and that's, that's and that's exactly our, our dilemma is we are, we are trying to navigate away to be able to notify, you know, in essence 178 million people who have been compromised by some form of, of malware, that they've been a victim and here are the steps that they need to take to be able to, to repair their system in such a way that, that person can trust that notification and not think it's a phishing attack. And so imagine having to send a notification with no links, you know, if you want more information you should go to the following locations but not providing any reference information because if you provide a link then someone can replicate that and put their own link in it. And so we definitely have this dilemma of, you know, we're sort of on, on this teetering edge of, of, you know, how do you build a trust infrastructure to a large base of people that, that you don't have a relationship with to make them aware that they've been compromised somehow? So that you can, you can protect and increase the level of, of security within the global Internet.
Dale Drew: [00:11:56:19] If we can get 178 million people who are currently compromised and either participating in larger botnets or having their information stolen, if we can notify them and have them take action the moment that they've been compromised, we could have a significant dent in, in the amount of global Internet theft that's occurring today and that's, that's the dilemma that, that we don't currently have an answer for but it's one that, that, you know, I think is, is a very emerging problem that we have to solve for to dramatically increase the security of the, of the Internet.
Dave Bittner: [00:12:32:03] Yeah it seems to me like it's sort of the equivalent of a, almost a digital postcard where, you know, you're sending out this message but at the same time you're not really looking for interaction with them, you can't become their text support, so you're notifying them but you, you can't have the expectation, with that volume you can't have the expectation of any really significant interaction, right.
Dale Drew: [00:12:51:14] Yeah exactly. I mean how many, how many people have gotten one of those car warning T-expiration letters.
Dave Bittner: [00:12:57:22] Sure.
Dale Drew: [00:12:58:21] You know that looks extremely official and it looks like it came from your dealership and it really is an insurance scam. And so, you know, we have to find a way, and, and my largest concern is let's say we do find a way to send a communication whether it's via a portal or, you know, some other mechanism through, through their Internet service provider as an example. If we do discover a way of sending a trust communication to these victims, we had to do it in such a way that can't be replicated for bad purposes by a bad guy.
Dale Drew: [00:13:29:13] And so it's, it's a bit of a double-edged sword where, where we definitely are tired of seeing victims being taken advantage of and nothing being done about it. And so we made a decision that, that we were going to invest in notifying anybody we saw being compromised, and like I said, it's about 60,000 new victims a day. But we had to do it, you know, we had to do it in such a way where we can establish some trust with those people and we can have them have some confidence that when they do that corrective action, they're, they're, they're doing it to really protect their systems and not opening themselves up as another victim.
Dave Bittner: [00:14:06:12] Well you've got your work cut out for you that's for sure. Dale Drew thanks for joining us.
Dale Drew: [00:14:10:04] Right, thank you for having me.
Dave Bittner: [00:14:16:01] And now a word from our sponsor the Johns Hopkins University Information Security Institute. They're seeking qualified applicants for their full time Master of Science in Security Informatics. The program covers the most current topics in information security with core courses covering security and privacy, cryptography, computer forensics, software vulnerabilities, ethical hacking and more. And it's a quality program too, not just because it's from one of the world's great research universities, but because the Institute is an NSA and DHS designated Center of Academic Excellence in Information Assurance and Cyber Defense and Research. So apply by March 1st, 2018. Scholarships are available, so apply today. Visit isi.jhu.edu for more information.
Dave Bittner: [00:15:03:00] Fire up that browser and head on over to isi.jhu.edu and we thank the Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:15:23:00] My guest today is Deidre Diamond. She's founder and CEO at CyberSN, a staffing firm specializing in cybersecurity professionals. A few years ago while attending an industry conference, she grew frustrated with seeing so many booth babes on the show floor, scantily clad women hired to attract attendees into the booth. She couldn't help thinking there had to be a better solution, a win win for everyone.
Deidre Diamond: [00:15:47:14] I thought, oh gosh why don't we make them brain babes and I said brain babes out loud and everybody, we all looked at each other and we said 'let's go to RSA'. My team was around me, a lot of my team, let's wear shirts to RSA that say booth babe crossed out and brain babe instead. And we got stopped and talked to so much that I realized my story was so rare, me being a female at the time, you know, mid 40s and having a successful resume in building, you know, technology and, and cyber companies and, and I realize wow I really had such a rare story.
Deidre Diamond: [00:16:25:03] And so I, I started getting out and publicly speaking about, you know, the types of cultures that will foster women and why my career was successful and what the environments that I walked into had for me and that I was able to take advantage of. And then, fast forward two more years, going back to RSA and I'm walking the floors and realizing that all we've done is just change the clothing on these women and we're not training them and I said 'gosh this is such a shame, these would be great jobs for students', you know, to, to come see our environment in terms of the events that we put on and the educational tracks and hear about what we're doing and all the jobs.
Deidre Diamond: [00:17:03:24] And, and so I said I wish we'd made these jobs for students. And when that sort of, when I realized you know what? I know how to, I run a staffing agency, this is a staffing job, why don't I do this? And so brainbabe.org launched in conference connection and that means we take STEAM students from local geographies of wherever the event is, you know, of all genders and we provide them for booth services and event services. And we give them videos and training on what cyber and all the different types of jobs and, you know, also give them some instruction on how to work a booth and how to help the, the folks that are hiring them to work.
Dave Bittner: [00:17:42:04] So to play devil's advocate. If I'm someone who's running a booth at RSA or somewhere else. What's, what's the problem with me having attractive people there at the entrance to my booth if really they're only job is collecting people's badge numbers, scanning their badges and saying hello and having a nice, you know, welcoming presence? What's the downside for me to hire a professional actress to do that?
Deidre Diamond: [00:18:05:23] So the downside is that we're sexualizing what is a work environment and you selling sex. If it was just about a pretty person or a pretty human, which is also relative in terms of what's pretty, but let's just go with it, then why not have men if we're not sexualizing the, the environment? And so the argument is, look we're struggling to be cre--, you know, treated as equals and we go to these work events and that sort of vibe really takes away from us as women, our ability to be taken seriously or treated correctly. And then from a man's perspective and if you ask a man this, they're not, it's not why they're going to these events, and the ones that are, you know, they flush out pretty quickly. Like they don't want to just, you know, be talking to this beautiful women in, in, you know, bikinis. They want to learn about products [LAUGHS] and they want to understand what the services are.
Deidre Diamond: [00:19:05:14] And so, not only are we making these jobs for all genders and heck, those models can come to brainbabe and we'll give them the training such that they understand the feel and they show up interested, I'm happy to do that. The problem is we're not utilizing their brains and the problem is dressing them scandalously, right. And so, even with changing their clothing, if we're not willing to educate them on the industry and what's here and what, you know, what we're doing and all that, then we're really just utilizing them to sell sexuality.
Dave Bittner: [00:19:39:23] Yeah, let's go through some of the, the practical things that you're getting at here. With the, the situation with the lack of women in cybersecurity, you know, you, you make the point that there are a lot of reasons why we need to be focused on this.
Deidre Diamond: [00:19:54:17] Absolutely, it's a national security issue first and foremost. We are short over a million people, the numbers are showing to be up to two million by, in the next few years and we still socialize young girls to think that attack and cyber is a keyboard and a hoodie in a dark room. Which means they're not coming into our fields, you know. So, this allows us to spread the word and to show folks and particularly women, however, there's a ton of young men out there who think the same thing and think it's not for them. And the reality is I came, I'm in cyber, I came through the sales of divisions of companies and then becoming a CEO of cyber companies to include the ones I'm running now, and so there's all kinds of different ways to be involved in cyber.
Deidre Diamond: [00:20:47:08] All those jobs aren't just the keyboard and hoodie job. In fact, without the sales folks and the marketing people and, you know, and, and all the folks that manage projects, you know, we're going nowhere. So it's really a collective team effort of high EQ and, and high skills in, in whatever, you know, your, your intellectual focus is, whether it's tech or sales or marketing, we need everybody. And so yeah, this is all about, you know, all genders and spreading the word to so many people that were, that aren't looking into this industry because they didn't think it was for them.
Dave Bittner: [00:21:27:08] That's Deidre Diamond. You can learn more about the STEAM Con Connection at brainbabe.org.
Dave Bittner: [00:21:36:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor E8 Security. All of the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:21:57:21] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.