The CyberWire Daily Podcast 3.30.18
Ep 567 | 3.30.18

Under Armour fitness app breached. Warning shot from WannaCry. Lazarus Group update. Aadhaar security questions. Ransomware and city governments. FBI agent charged in leak case.

Transcript

Dave Bittner: [00:00:01:04] Thanks to everyone who's shown their support for the CyberWire by being a Patreon supporter. You can check it out at Patreon.com/TheCyberWire.

Dave Bittner: [00:00:12:10] Under Armour's MyFitnessPal app has sustained a data breach. Boeing's WannaCry incident is minor, but a timely warning that this particular threat hasn't vanished. The Lazarus Group is showing fresh signs of activity against its usual targets. Questions about the security of India's Aadhaar circulate. Baltimore and Atlanta incidents show the ransomware threat to city governments. An FBI agent is charged with leaking secret documents, and updates on the Novichok affair and the Facebook data scandal.

Dave Bittner: [00:00:47:02] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that, however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to RecordedFuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's RecordedFuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:57:22] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Friday, March 30th, 2018.

Dave Bittner: [00:02:09:02] Sports apparel manufacturer Under Armour disclosed yesterday that data associated with 150 million users of the company's fitness app, MyFitnessPal, have been exposed. Information at risk is said to include usernames, email addresses, and hashed passwords. The company began investigating on March 25th, when it discovered that an unauthorized party had accessed the data in February. Under Armour acquired MyFitnessPal for $475 million in February 2015, so it's not exactly a recent acquisition, but there are surely lessons to be drawn with respect to security due diligence during mergers and acquisitions. Despite the British spelling of its name, Under Armour is based in Baltimore, in fact quite close to Fort McHenry. The data security issue with MyFitnessPal is the latest in a series of incidents involving other companies' fitness trackers. Under Armour's public disclosure four days after realizing that there had been a problem seems commendably fast, especially given the company's notification of affected users before making a general announcement yesterday. Investigation and remediation are in progress.

Dave Bittner: [00:03:21:03] Boeing insists that reports of a massive WannaCry infection at its South Carolina manufacturing facilities have been massively exaggerated. The infection was minor and swiftly contained, and did not affect production or business operations. But it's worth noting that WannaCry is still a risk, and that enterprises shouldn't drop their guard.

Dave Bittner: [00:03:42:17] Unaffected by Pyongyang's recent diplomatic charm offensive, North Korea's Lazarus Group is showing fresh signs of activity, probing financial sector targets and looking for ways of obtaining cryptocurrency. This is a long-standing campaign on the DPRK's part as it looks for ways of redressing its sanctions-exacerbated financial shortfalls through cryptomining and cybertheft.

Dave Bittner: [00:04:08:03] Reports of vulnerabilities in India's Aadhaar national identification system circulate despite official assurances that all's well.

Dave Bittner: [00:04:17:03] Baltimore's 911 system hack last Sunday turns out to have been ransomware, city officials said yesterday. The city was able to restore service after a few hours of resorting to manual backup. Atlanta's SamSam infestation was far more serious and enduring. That city continues recovery and remediation. Consensus among observers is that US municipal governments need to devote some close attention to protecting themselves against such attacks, which are likely to continue.

Dave Bittner: [00:04:49:18] Lenovo is looking over its shoulder at Huawei's regulatory problems in the US. The FCC is pushing to restrict Huawei systems from use by US wireless providers, and Lenovo prudently thinks that it may be the next Chinese firm to find itself in the security crosshairs of regulators.

Dave Bittner: [00:05:09:17] And a CryptoWars update. The US Department of Justice (especially the FBI) are meeting with researchers who claim to have a third way that will satisfy both sides of the controversy. Such a mutually acceptable compromise seems unlikely to us, but we'll keep you posted. Some of the approaches being recommended involve key escrow systems, widely distributed keys that would require public consensus for decryption, and so on. In any case this suggests that another round of engagements in CryptoWar III is about to begin.

Dave Bittner: [00:05:40:00] The FBI is having a rackety week in cybersecurity and counterintelligence. First came a report that the imbroglio over decrypting the iPhone used by the San Bernardino jihadist gunman could have been avoided entirely with better communication among field, leadership, and techs. Now an agent has been arrested and charged with leaking secret documents.

Dave Bittner: [00:06:01:08] Terry Albury, an FBI Special Agent assigned to the Minneapolis Field Office, has been charged with unauthorized transmission of classified national defense information to a journalist, apparently to the Intercept. Albury's attorneys say he was "driven by a conscientious commitment to long-term national security and addressing the well-documented systemic biases within the FBI," and that he takes full responsibility for his actions. The Intercept, the same publication to which ex-NSA staffer and contractor Reality Winner is accused of leaking, made Freedom of Information Act requests that suggested to investigators they were already in possession of classified material they eventually published.

Dave Bittner: [00:06:45:08] And the FBI will receive more uncomfortable attention from the Justice Department's Inspector General. The IG has opened an inquiry into “compliance with legal requirements” in applications the Bureau filed with the US Foreign Intelligence Surveillance Court relating to an unnamed US person.

Dave Bittner: [00:07:02:23] Russia has responded to punitive US diplomatic moves with tit-for-tat expulsions and a consular closure of its own. US official policy toward Russia is hardening, with concern running high about Russia's threat to the grid. The Russian ambassador to the US is having trouble getting officials to take meetings with him. It's thought that the US closing of Russia's Seattle consulate may have been particularly painful to Moscow. It's thought to have been a major center of spying on technological development.

Dave Bittner: [00:07:33:13] For their own different reasons, Facebook's Mark Zuckerberg and WikiLeaks' Julian Assange have had a bad PR week. Mr. Zuckerberg's response to Facebook's data scandal hasn't gone over particularly well with users, and his Silicon Valley peers aren't showing him much love, either. Apple CEO Tim Cook's commentary on the Facebook and Cambridge Analytica affair verges on schadenfreude.

Dave Bittner: [00:07:57:11] And Mr. Assange looks more like a Russian stooge than libertarian activist. He's still got support from Pamela Anderson, but a number of others who've applauded his conduct of WikiLeaks are very much put off by his retailing of the Kremlin line in the matter of the attempted murder in Salisbury of Sergey and Yulia Skripal by nerve agent.

Dave Bittner: [00:08:24:03] And now a word from our sponsor, LookingGlass Cyber Solutions. An open letter from the malicious botnet on your network.

Male voiceover: [00:08:34:04] So, here we are, it's just you and me at this Godforsaken hour. You're looking right at me too, I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week; I'll be in Kabul by then, working on my tan. I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that fends off cyberthreats like me, data breaches, ransomware and stolen credentials, in real time. Be a hero with the LookingGlass ScoutShield Threat Intelligence Gateway. See the video at LookingGlassCyber.com.

Dave Bittner: [00:09:41:09] And joining me once again is Professor Awais Rashid. He's a Professor of Cybersecurity at the University of Bristol. Welcome back. You know, certainly Bitcoin has been in the news lately, with the wide range of prices as it's been swinging back and forth, and we wanted to touch today on block chains and specifically issues of trust. What do you have to share about that today?

Awais Rashid: [00:10:02:22] So, Bitcoin is actually a great example of block chains and there is a view, which is not incorrect, that Bitcoin, because of the underlying cryptographic algorithms that underpin it, is trustless by design. As true as that might be for the cryptographic protocols that underpin Bitcoin, some of the studies that we have actually undertaken show that the wider ecosystem in which Bitcoin exists and where the transactions happen, actually shift quite strongly by both human and organizational aspects of trust.

Dave Bittner: [00:10:35:10] So when we're talking about these trust issues, what sort of factors come into play?

Awais Rashid: [00:10:39:09] Well, if you think about it, Bitcoin itself is cryptocurrency and yes, it was designed to be not under the control of any institution per se and be a purely decentralized ledger based system. But, as Bitcoin has evolved, there are a number of organizations that have evolved in the ecosystem. So you have got the exchanges, you've actually also the core development team as well which is also, in some form, a group or organization. You've got escrow systems and all those kind of things.

Awais Rashid: [00:11:11:20] So, while the cryptocurrency itself may not require any centralized control or trust, when transactions happen you still have to trust all these parties. You have to trust, for example, that the core development team is doing its job properly; you have to trust that you can exchange currency through the exchange mechanisms that exist; you have to trust in escrow systems and so on. And of course, the only thing that the ledger confirms is that the transaction has taken place, it doesn't actually confirm that goods have been delivered, and that's why you have all these additional systems that have come into play.

Awais Rashid: [00:11:43:19] So the key thing to think about is, that as we are moving towards a world where block chains are being seen as a key solution for a number of applications from, for example, things like energy trading, to even providing security for Internet of Things devices and things like that, it is very important to understand that it is not just the block chain that matters. There are lots of complex human and organizational aspects of trust that come into play when people use these systems, and there will need to be organizations or systems that would need to evolve beyond the block chain, in whatever context it is deployed for that trust to be engendered and people actually being willing to engage with that particular application of block chain.

Dave Bittner: [00:12:27:16] As always, Awais Rashid, thanks for joining us.

Dave Bittner: [00:12:33:10] And now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spearphishing, those can never be discounted, but here's a twist: Cylance has determined that one of their ways into the grid is through routers, they've found that the Bears are using compromised core routers, to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phishnet could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DY Malloy Bear 2.0, you'll find it interesting and edifying. That's threatmatrix.cylance.com and we thank Cylance for sponsoring our show.

Dave Bittner: [00:13:38:00] My guest today is Laurin Buchanan, she's a principal investigator at Secure Decisions, but she joins us today to talk about NICE, the National Initiative for Cybersecurity Education, where she serves as co-chair of the Competitions Sub Group.

Laurin Buchanan: [00:13:52:22] The National Initiative for Cybersecurity Education is a working group that is a cooperative work alliance between the government. NIST is currently heading the National Initiative for Cybersecurity Education, but lots of government agencies participate. There are members of academia, from both higher education and K12, and informal education and industry as well. So it's kind of the entire universe coming together, to say "We need to do more and to educate the cybersecurity professionals, as well as create pipeline for the next generation of cybersecurity professionals."

Dave Bittner: [00:14:35:15] And you are a part of that pipeline, you're the co-chair of the Competitions Sub Group. What does your group do there?

Laurin Buchanan: [00:14:41:19] The Competitions Sub Group is really trying to promote a wide spectrum of cyber competitions, that are intended to advance knowledge, skills and abilities in the cyber fields. The idea is to help public and private competition develop, providing guideline standards and best practices. We have a number of projects that are currently focused on identifying how to build a cyber competition, as well as how to participate in a cyber competition, because we recognize that not everybody is clued in to the fact that these competitions exist and how they can participate.

Dave Bittner: [00:15:19:00] And can you give us an idea of the range of ages of people who participate in these competitions?

Laurin Buchanan: [00:15:25:00] Oh, well, there are competitions for middle school kids, clubs and groups like the CyberPatriots that have teams of students to learn while they're competing and then actually have the joy of going off and doing a national competition if they have made it through the qualifying rounds. There are college students, high school students, people in the workforce, people who are transitioning into cyber but have spent years working elsewhere. It's the full gamut of novices to experts from middle school on up and I think that, probably in the next few years, we'll actually see some form of competitions for elementary school students.

Dave Bittner: [00:16:05:15] And what does the actual environment of having this be a competition provide versus, you know, things like regular classroom learning, continuing education, those sorts of things?

Laurin Buchanan: [00:16:16:24] Well, depending on the competition, whether it's a solo competition, an online competition or a team competition, you can get different things out of it. But, in reality, most of the competitions allow you the opportunity to practice something that you may have conceptually learned, but now you actually get to apply those skills and knowledge into solving a problem, a challenge that's been set for it. Sometimes these challenges are incredibly real world based. There are some competitions at the collegiate level, where an organization entity has been described, an environment has been set up, there are real world regulatory concerns and real world failures, both in terms of cybersecurity or maybe even just business failures, that you now have to understand and deal with and confront, just as you would in the real world. So it's a microcosm of the things a cyber professional might actually do in their day to day job, and when I say cyber professional, we're talking the gamut here, from cyber defense, to forensics, to policy. Competitions address all topics in cyber domain at this point.

Dave Bittner: [00:17:28:01] If folks want to find out more, what's the best way for them to get more information?

Laurin Buchanan: [00:17:33:04] The National Initiative for Cyber Security Education has a website that's part of the nist.government website and the Competitions Sub Group has a page there and many of our publications are available for download there. We also have a letter that is Ten Things Parents Need to Know About Cyber Competitions, which is useful in case parents are wondering, "Well, cyber competition, doesn't that mean hacking?" Because it's not at all what it means. People can also go to CyberCompEx, the cyber competition exchange at cybercompex.org. It's a social media kind of website, social networking site, for people who are interested in cyber competitions. They have calendars, they have information. They are hosting the podcasts that the Competition Sub Group is currently doing, which actually talk with various people who are involved in cyber competitions, whether you're looking to host a competition or you're interested in participating as a competitor event, it's a great way to learn more, even if it's a solo online competition, just seeing the questions that are asked and the things that are presented in terms of the competition is always a learning experience.

Laurin Buchanan: [00:18:29:22] I think it's important that people understand that cyber competitions, while they're incredibly serious because they are a competition and people want to win, they're also an excellent way to get to know other people. That is, not just the competitors, but people who are at different stages in their careers, who may be able to connect you with additional resources. They're an excellent way to find people who are trying to hire cybersecurity professionals in various roles and it's a great way to discover more about cybersecurity. Because, even in a narrowly focused competition, there are going to be people with different backgrounds, and if you meet them and have a conversation with them at the [INAUDIBLE] event, it's a great way to learn more. Even if it's a solo online competition, just seeing the questions that are asked and the things that are presented in terms of the competition is always a learning experience.

Dave Bittner: [00:19:29:05] That's Laurin Buchanan, she's a Principal Investigator at Secure Decisions and she's also the Co-Chair of the Competitions Sub Group for NICE, the National Initiative for Cybersecurity Education.

Dave Bittner: [00:19:43:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Cylance.com. And thanks to our supporting Sponsor, VMWare, creators of Workspace One Intelligence. Learn more at VMWare.com. The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.