The CyberWire Daily Podcast 2.22.18
Ep 541 | 2.22.18

Code signing certificates for sale. Impact of cybercrime on the world economy. Reaper out from under Lazarus's shadow. Catphishing. Cyber intelligence against terror. Ransomware and other hacks.


Dave Bittner: [00:00:00:19] A quick program note, I am the guest on this week's Smashing Security podcast. So when you're finished listening to today's CyberWire head on over to and check it out.

Dave Bittner: [00:00:14:06] Counterfeit certificates are on sale in criminal markets. Cybercrime is said to cause $600 billion globally every year. Russia objects to being called a bad actor in cyberspace. North Korea's Reaper threat actor steps out from the shadow of its big brother, the Lazarus Group. Catphish from Lebanon spread spyware through Facebook. Israel says it gave Australia a cyber assist against ISIS terror last summer. Ransomware notes, Harper's was hacked and so was Allentown, Pennsylvania.

Dave Bittner: [00:00:49:23] Now a moment to tell you about our sponsor ThreatConnect. They've teamed up with DomainTools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. And in order to stay ahead of malicious actors it is crucial that security teams add context and enrichment through their threat data. The combination of the ThreatConnect threat intelligence platform and DomainTools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:01:21:15] Watch Director of product integrations at DomainTools, Mark Kendrick, and threat intelligence researcher at ThreatConnect, Kyle Ehmke, as they explain how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain actor and IP investigations. You can check it out today at We thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:05:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, February 22nd, 2018.

Dave Bittner: [00:02:15:10] Researchers at threat intelligence firm Recorded Future investigated a spike in the use of certificates to enable malware infections. Their researchers found that, contrary to general opinion, the certificates so used weren't, in general, stolen. Instead they're counterfeited and registered using stolen corporate identities. As their report puts it, "Contrary to a common belief that the security certificates circulated in the criminal underground are stolen from the legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective."

Dave Bittner: [00:02:59:23] Code-signing certificates are used to verify that code has been written by a particular author, the certificate holder, and that the code hasn't been altered or tampered with. The certificate includes a cryptographic hash that validates the signed code's authenticity and integrity. Certificates served up by malware do more than the obvious damage of helping the malware establish itself in victim systems. They tend to make deep packet inspection on infected systems less effective.

Dave Bittner: [00:03:29:04] The criminals don't appear to be making a killing in this particular black market, so certificate sales appear likely to remain a boutique niche for criminals. Nation-states are a different matter. They'll probably see considerable advantage to using fake code signing and SSL certificates in their highly targeted operations.

Dave Bittner: [00:03:49:23] Russian diplomats denounce British attribution of NotPetya to Russian security services. They also denounce American contentions that Russia is a safe haven for cyber criminals, in large part because of a cozy relationship between those security services and organized cyber gangs. The common theme comes down to a complaint that there's no evidence. No Western intelligence service, Russia says, has offered any proof that Russia is a bad actor in cyberspace. To strengthen his accusation of American bad faith, Petr Svirin, First Secretary of the Russian Embassy in Washington, asks why, if the Americans are so concerned about cybercrime, they have turned down all of Moscow's efforts to get some cooperation in crime fighting.

Dave Bittner: [00:04:35:04] First Secretary Svirin's complaint came at a DC event yesterday, covered by CyberScoop, in which security firm McAfee and the Center for Strategic and International Studies think tank, presented the results of their joint study of the economic impact of cybercrime. They see that impact rising. They say, it's now up to $600 billion worldwide annually, up 100 billion since a similar study in 2014. Discouragingly, they also conclude that whether countries spend a lot or a little on security against cybercrime, they wind up with similar outcomes. And yes, the study does call out Russia. In fact it calls out several centers of cybercrime: Brazil, India, and Vietnam, where the issues aren't so much state policy as they are the lawlessness of an entrenched and technically capable criminal subculture. North Korea is a different matter. There the government itself arranges the crime, and has the state security and intelligence apparatus commit it directly.

Dave Bittner: [00:05:35:18] And, of course, there's the interesting case of Russia. The contention that so angered Mr. Svirin is that the Russian security services, notably the FSB and the GRU, connive with cyber mobs and permit them to hit the right targets. Right, of course, from the point of view of the Russian government. The organization is like a reverse protection racket. Nice little ransomware program you got there, shame if something happened to it. Of course, if you'd like to take out a Ukrainian power utility, well all might be overlooked.

Dave Bittner: [00:06:07:06] With so many security products out there, it can be a challenge to comparison shop and evaluate what might be the best fit for your organization. Virus Bulletin is an organization that's been in the security software testing business for over two decades, giving them a unique view of the industry. I checked with Martijn Grooten, the editor of Virus Bulletin for his perspective.

Martijn Grooten: [00:06:29:04] I think the major change we've seen, and it's a very subtle one, but I think over the past decade or two decades, anti-virus has changed from software that hardens your PC or your device to software that protects you against things you shouldn't do, like download things off the Internet that are dangerous, or open, sort of, email attachments that enable macros. The current operating systems are a lot more secure than they were a few years ago, and if you are someone like quite a few security professionals, if you're someone who knows what they should and shouldn't do and really trust yourself not to accidentally click on things, you're probably okay without anti-virus. It's just that 99% of the people are not like that, nor should we expect them to be.

Martijn Grooten: [00:07:13:00] So I think that's a major change. I think in the early days there were these mass viruses that spread and everyone really needed antivirus to protect against them. These days it's more subtle but it's still very important.

Dave Bittner: [00:07:24:15] As you look across the landscape of the various products that are offered, do you feel like we've hit a point where most of them offer a good value? There may be differences between them, but if you get one of the big name ones, you're probably going to be in good shape?

Martijn Grooten: [00:07:37:17] I would say so, yes. Unfortunately it depends how you use it, how you set it up, what kind of threat you're facing. I mean they typically are better at protecting you against mass malware than against very targeted. That's not to say that they're powerless against very targeted attacks, but I wouldn't just focus on the big names. I mean there are a lot of smaller names that are doing an equally good job, sometimes for half the price of a big name, or less. The product landscape is quite varied but overall products are doing a pretty decent job, and much better than they often get credit for.

Dave Bittner: [00:08:10:05] And as operating systems have gotten more sophisticated and the attacks have gotten more sophisticated, how have you had to adapt your testing procedures?

Martijn Grooten: [00:08:18:20] An anti-virus product has many different layers and to test it you need to be more clear about which layers you test. In the past it was all about whether the product is able to protect against this virus or not. And these days there are so many different layers, and you need to focus on specific layers or on several layers at once, and depending on what you do and depending on what the purpose of your test is, you get different results. You have to be more careful about the kind of claims you make. I'm always very hesitant about us, or the testers, making very big claims about "the products detect this" or "all products missed this." Things are a lot more subtle in practice.

Dave Bittner: [00:08:57:22] What advice do you have for people who are trying to shop around to decide which product is best for them?

Martijn Grooten: [00:09:04:10] I think the general advice at first is always try to see what kind of threats are you concerned about. Which kinds of threats does your organization face? What kind of threats are you prepared to defend against? Maybe you're a small business, and maybe you are worried about an advanced attacker from overseas who may be very skilled and have a lot of money to spend on attacking you, but maybe you decided that's a risk worth taking. Hopefully, or even more likely, you'll decide that actually this is not something you should worry about.

Martijn Grooten: [00:09:34:17] I've seen a trend among security professionals working in not the security industry - people working in the real world, so to say - get overly worried about all the fear mongering going on in security, the things that we say, almost trying to overprotect themselves - buying solutions that look very nice but maybe offer only a tiny bit of extra protection that is just not worth it for the kind of organization you have. At the same time, if you are an organization in special fields, or you're a very big organization, then you need to be aware that what works for a small company or works for an average home user is not good enough for you.

Dave Bittner: [00:10:08:21] That's Martijn Grooten from Virus Bulletin.

Dave Bittner: [00:10:13:12] More spyware has been found being distributed by Facebook catphish. Winsome profiles of fictional people named Rita, Alona - yes, Alona, who would no doubt have suggested she no longer wants to be a loner - and Christina were seeking contacts whom they would infect with spyware. The campaign, which seems to have originated in Lebanon, was discovered and described by Prague-based security firm Avast. If you wanted to connect with Rita, Alona, or Christina, you're too late, their profiles are all gone from Facebook, probably enjoying a digital afterlife somewhere in the company of Robin Sage.

Dave Bittner: [00:10:52:02] Israeli Prime Minister Netanyahu this week credits his country's Unit 8200 with detecting an ISIS plot last year to destroy an airliner, and with tipping off Australian security authorities in time to stop the bombers. Two men were arrested, the plane wasn't bombed.

Dave Bittner: [00:11:09:17] A paper in the Journal of the American College of Cardiology describes increased hacker interest in implantable medical devices. The probability of attacks against devices like pacemakers may be rising.

Dave Bittner: [00:11:23:02] Colorado's Department of Transportation is struggling with a large SamSam ransomware infestation, according to the anti-phishing specialists at KnowBe4. SamSam is financially motivated, but other ransomware strains aren't. Annabelle ransomware, for one, seems motivated by the lulz, and the desire to show off. MalwareHunterTeam is tracking it. The good news, reported by Bleeping Computer, is that Annabelle is a variant of Stupid Ransomware, that's a proper name by the way, not a description, and can be removed with an updated StupidDecryptor. Bravo to Mr. Michael Gillespie, proprietor of the StupidDecryptor.

Dave Bittner: [00:12:02:07] Two other incidents are worth mentioning. Harper's, the venerable American journal of opinion, has warned subscribers that their passwords may have been stolen. And, in a municipal hack, the Rust Belt gets a cyber wire brushing. The city of Allentown, Pennsylvania, is struggling with a major Emotet infestation. The self-propagating, credential-stealing malware has disabled the city's financial department, no more external banking transactions, knocked out all the city's 185 public safety surveillance cameras, and is keeping the Allentown Police Department from accessing Pennsylvania State Police databases. According to the Allentown Morning Call, the virus hit last week. The city thinks the initial infection vector was a phishing email. Remediation is expected to cost between $800 and $900.

Dave Bittner: [00:12:56:22] Now a few words about our sponsors at E8 Security. If you've been to any security conference over the past year you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzzwords - they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to and let their White Paper guide you through the possibilities of these indispensable, emerging technological tools.

Dave Bittner: [00:13:28:11] Remember the buzz around artificial intelligence isn't about replacing humans. It's really about machine learning - a technology that's here today. So see what E8 has to say about it. And they promise you won't get a sales call from a robot. Learn more at Follow the behavior, find the threat. We thank E8 security for sponsoring our show.

Dave Bittner: [00:14:01:09] It's my pleasure to welcome back to the show, Professor Awais Rashid, he's a professor of cybersecurity at the University of Bristol. Awais, welcome back. We wanted to touch on educational issues today, specifically what cybersecurity professionals should be learning in your estimation? What can you share with us about that?

Professor Awais Rashid: [00:14:19:22] Thank you for having me back. I think the key thing that we need to bear in mind is that cybersecurity is becoming an increasingly complex issue. One of the big problems is the focus that we tend to have is very much stemmed from the mindset that there is a single device that is being attacked and being used. Of course, we teach people about security of networks and all those kinds of issues, but really we need to be thinking beyond that. We are moving towards very highly connected infrastructure. We are not talking about a device, a small number of devices, a network that is often under the control of a single organization potentially - we are really talking about thousands, tens of thousands, hundreds of thousands of devices interacting with each other, interacting with the users, new devices coming into that environment, and that is a very complex landscape.

Professor Awais Rashid: [00:15:12:18] At the moment we are not focusing enough, in terms of what the future problems are. We still very much tend to be very reactive, which is important, we want to teach about what are the problems of today, or the immediate future, and solve them. But ultimately, as we connect our infrastructure more and more, these issues are going to become very, very pertinent, and we also need to think about what we should be teaching professionals in terms of how to protect infrastructure of the future.

Dave Bittner: [00:15:40:13] So in terms of someone who is a student who's looking to set out their road map of the classes they want to take and the things they want to study, what suggestions do you have?

Professor Awais Rashid: [00:15:51:13] Well I have of course a little bit of a biased view at the moment, in the sense that I lead a project called the Cyber Security Body of Knowledge Project. Anyone who is interested can actually go and look at and there is a detailed document which has been built through a consultation with stakeholders in academia and industry, as to what are the key knowledge areas that people need to know about. There are a total of 19 knowledge areas divided into five categories. We highlight things like infrastructure security, of course, software and platform security, system security, but very importantly also understanding attacks and defenses, and human, organizational and regulatory aspects.

Professor Awais Rashid: [00:16:36:02] The fact of the matter is that none of these things exist in isolation. All of these interplay in complex ways, in the complex infrastructures that we are increasingly developing and will continue to develop in the future. Not everyone will be an expert in everything, but it's important that when people become experts in a particular aspect of security, we are still cognizant of the fact that all these other factors influence what happens, so that they can look at the big picture rather than just only a very narrow part of it.

Dave Bittner: [00:17:05:07] Professor Awais Rashid, thanks for joining us. The Cyber Security Body of Knowledge is at

Dave Bittner: [00:17:20:02] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor E8 Security - follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:17:41:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:17:51:03] Our show is produced by Pratt Street Media with editor John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe; and I'm Dave Bittner. Thanks for listening.