The CyberWire Daily Podcast 4.2.18
Ep 568 | 4.2.18

Department stores suffer a paycard breach. Atlanta still working on SamSam recovery. Ransomware in India. SWIFT fraud attempt. Facebook's troubles. Kremlin doxed. Reality Winner case update.

Transcript

Dave Bittner: [00:00:00:03] Saks and hacks, Lord and Taylor and JokerStash: a department store data breach. Atlanta still can't get fully back on its feet after SamSam. An Indian power utility's billing data is held for ransom. More SWIFT fraud reported - this round seems to have been unsuccessful. Russia gets doxed. Facebook on who really cares for you. Threats to avionics and undersea cables. And Reality Winner's defense team wants to subpoena a lot of witnesses. Maybe even you.

Dave Bittner: [00:00:37:03] It's time to tell you about our sponsor ThreatConnect. With ThreatConnect in-platform analytics and automation you will save your team time, while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform the products provide adaptability as your organization changes and grows. If you're headed to RSA this year stop by ThreatConnect's North Expo booth 3225 for a live demo of the ThreatConnect platform and of course pick up one of ThreatConnect's famous t-shirts. And, if you're not headed to San Francisco, well you can register for a free ThreatConnect account or learn more by visiting threatconnect.com/free. That's threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:53:06] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 2nd, 2018.

Dave Bittner: [00:02:05:15] A significant retail breach came to light over the weekend. Last Thursday the JokerStash "hacking syndicate" (also known as "FIN7") began offering more than 5 million payment cards for sale in dark web markets. The cards appear to have been compromised in a breach of retailers Saks and Lord and Taylor, both department store chains owned by the Toronto-based Hudson's Bay Company. The breach was disclosed yesterday, April 1, 2018, in a blog post by Gemini Advisory that was subsequently confirmed by the Hudson's Bay Company.

Dave Bittner: [00:02:39:21] Gemini Advisory believes the compromise dates back to May 2017 and has continued into the present. Most of the card data is thought to have been stolen from customers in New York and New Jersey. 125,000 records have been released for sale so far; the rest are expected to appear on the black market within the next few months. Hudson's Bay tersely says it's addressed problems in its network security, continues to investigate, and plans to offer affected customers the usual sorts of post-breach assistance, including "free identity protection services, including credit and web monitoring."

Dave Bittner: [00:03:18:22] The SamSam ransomware attack against Atlanta's municipal systems is proving distinctly difficult to remediate. Updates posted to the city's "Ransomware Cyberattack Information Hub" suggest that the online payment systems Atlanta runs remain the most affected. Airport Wi-Fi was disabled, the city says, "out of an abundance of caution." They don't think personal information has been compromised, and so while they hope this will provide citizens and employees with some measure of reassurance, they caution that they're proceeding on the cautious assumption that such data may have been affected. The city is largely mum on how the attack happened, and on when they expect recovery to be complete. Investigation and remediation continue with an array of partners at Federal and state level, and from the private sector.

Dave Bittner: [00:04:08:05] Outside observers suggest that the city is running a number of disparate legacy systems, and that policing all of these up is an unusually messy process. Gizmodo quotes several who notice that the attack came a couple of months after a January audit and report of Atlanta's cybersecurity pointed out a number of vulnerabilities that the city was in the process of addressing. CBS described the report as saying inspectors found that "the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action." WIRED quotes Parameter Security's founder Dave Chronister as saying, "Not to be harsh, but looking at this their security strategy must be pretty bad."

Dave Bittner: [00:04:56:09] So the city of Atlanta is still struggling to recover and other cities of comparable size are rightly spooked by the prospect that they might be next. A number of them are reassuring their citizens and business communities that they're well-protected and well-drilled. But the Atlanta hack is a cautionary tale and cities would be well advised not to get cocky.

Dave Bittner: [00:05:18:19] The issues aren't confined to the United States, either. City and regional governments in many countries appear to have become attractive targets for criminal hackers. The automatic meter reading system of Haryana Power Utilities in Panchkula, India, was raided last week, the hackers demanding ransom for data. The data held hostage is billing information, which of course poses a threat to the utility's cash flow. Police are investigating and looking for the perpetrators. Officials say that the billing data were backed up, and that they've been recovering from those backups.

Dave Bittner: [00:05:51:04] Malaysia's central bank, Bank Negara Malaysia, identified a series of fraudulent wire transfer attempts last week. Bank officials say that they stopped execution of the transfers before any money was lost and that the attempted fraud came through falsified SWIFT transfer requests. Banks in South East Asia are on alert.

Dave Bittner: [00:06:11:18] The Russian government is more accustomed to pwning than being pwned, but the Ukrainian Cyber Alliance, a hacktivist group strongly opposed to Russia's slow-motion re-engorgement of their country, has released a third tranche of emails which observers, provisionally at least, judge to be authentic. The emails detail Russian information operations aimed at destabilizing and delegitimizing Ukraine's government. Two points are particularly interesting. First, the emails name the Professor Moriarty of Russian information operations, one Vladislav Surkov, whom the Times of London describes as "a Kremlin spin-master said by some to be Mr Putin's Rasputin." The other interesting point is the online astroturfing of kinetic demonstrations and street violence: they were apparently working to recruit "sportsmen" skilled in martial arts as muscle for protests in Ukraine.

Dave Bittner: [00:07:06:24] Tensions between Russia and Western nations remain high after the Salisbury nerve agent attacks and US findings that Russia is conducting ongoing reconnaissance and battlespace preparation of American power grids. But no significant new developments, either diplomatic or cyber, have turned up so far this week.

Dave Bittner: [00:07:25:04] Facebook's rough ride continues. It's receiving uncomfortable attention in the UK for its failure to do something, or at least something more, about anti-Semitic content. The criticism has grown alongside the ongoing Labour Party scandal involving scurrilous social media activity by party leaders.

Dave Bittner: [00:07:47:00] Facebook's CEO Mark Zuckerberg did take some shots back at Apple, which last week didn't pass up an opportunity to repeat its view that, when services are free, it's the user and not the server that's the real product. Mr. Zuckerberg's rejoinder was a tu quoque of sorts: "I think it's important that we don't all get Stockholm Syndrome and let the companies that work hard to charge you more convince you that they actually care more about you." He's looking at you, Mr. Cook.

Dave Bittner: [00:08:16:13] Mr. Zuckerberg also claimed that Facebook was looking out for the many people who can't afford to pay a lot to be connected. On the issue of fake news, he said the company hadn't really understood the extent of Russian information operations, but that they do now, and they'll certainly be on the alert.

Dave Bittner: [00:08:33:21] There are two stories that might at this point count as evergreens. First, the recent minor and swiftly contained WannaCry appearance in Boeing's networks prompts observers to warn again about the risk of cyberattack against airline avionics, with the potential for disastrous disruption of flight systems. And, second, there are fresh warnings of Russian ships appearing in the vicinity of the transoceanic cables on which so much international and even domestic communication depends. Concerns about this have been raised several times over the past two years, especially in the United Kingdom, and the worries appear to be spreading.

Dave Bittner: [00:09:11:12] And finally, in the case of alleged NSA leaker Reality Winner, the defense appears to be planning to drag in as many parties as possible. Politico reports that on Friday, Ms Winner's lawyers filed an intention to subpoena representatives of the 21 states that the Department of Homeland Security formally notified last year of targeting by Russian hackers. They also intend to subpoena a number of well-known cybersecurity firms and news services to testify, including Trend Micro, FireEye, CrowdStrike, Volexity, F-Secure, ThreatConnect, Motherboard, Secureworks and Fidelis Cybersecurity. The defense has also asked for records and testimony from the Central Intelligence Agency, the Department of Defense, the National Archives, the National Security Council, the Office of the Director of National Intelligence, the Department of Homeland Security and the White House. Prosecutors call this an unchecked fishing expedition that would constitute an oppressive and frivolous waste of Government resources.

Dave Bittner: [00:10:15:19] Now I'd like to share some words about our sponsor, Akamai. You've heard of the zero trust security model; well, Akamai is the expert in deploying zero trust architectures to address the evolving security threats you face every day. That's because they're also the cloud experts. Akamai's approach to security was built for the cloud because it was born in the cloud. In the age of zero trust networks, the enterprise network is no longer the perimeter; the entire cloud is the perimeter, with no inside or outside. And the threats can come from anywhere and anyone at any time. Akamai's zero trust security model accelerates secure digital transformation, protecting your business and enabling growth. Visit akamai.com/zerotrust to learn more. That's akamai.com/zerotrust. And if you're going to RSA this year stop by and say hi to me and the CyberWire team at the Akamai booth, North Hall booth 3625. We hope to see you there and we thank Akamai for sponsoring our show.

Dave Bittner: [00:11:27:03] And I'm pleased to be joined once again by Malek Ben Salem. She's the R&D Manager for Security at Accenture Labs. She's also a New America Cybersecurity Fellow. Malek, welcome back. You and I have been making our way through some tips for getting ready for deployment of cryptography. We talked about some short-term plans last time we spoke, and today we're going to look a little more at the long picture. What tips do you have for looking at your long-term plans?

Malek Ben Salem: [00:11:52:00] So we are talking about post-quantum cryptography and getting ready for that. One thing that companies can do in the long run is establish a process to verify the maturity of post-quantum crypto algorithms. We know that today, NIST has already launched a project to evaluate post-quantum crypto algorithms for public encryption. As a matter of fact they are having their first conference in April in Florida to review some of those proposed algorithms, which will go through a three- to five-year evaluation process, probably. So in three to five years we may have a recommendation or a standard by NIST which companies can start deploying. By that time companies should establish a process to verify the maturity of that algorithm: is it still under development, or is it already endorsed by NIST or by ISO or some other standardization body? They should have an understanding of the degree of integration of that algorithm and the degree of adoption of that algorithm by companies like Apple, Microsoft, or Intel, and then they should decide for themselves whether they should be early adopters or not.

Malek Ben Salem: [00:13:12:24] So we know that quantum computing technology, at least in the way that it's going to pose a threat to crypto, is not going to happen for at least 10 to 15 years, and that's by the most optimistic accounts. But for companies that have to, or that are archiving long-term data, meaning that they have data that needs to be secured in the long run, they will probably want to encrypt that data in advance using these post-quantum crypto algorithms so that that data doesn't get exposed. So if they have that type of data then they may need to adopt early those types of post-quantum crypto algorithms.

Dave Bittner: [00:13:54:10] We've heard stories where nation states in particular have started gathering up data, even though it's encrypted and they can't decrypt it now, with the hope that some time in the future they will be able to decrypt it.

Malek Ben Salem: [00:14:05:11] Exactly, and that's why companies should be aware of that and they should be planning for that. If they have data that needs to be safe in the long run, they should upgrade their key lengths at least today.

Malek Ben Salem: [00:14:21:02] The second step that they need to think about, or they need to go through, is once they've identified the post-quantum crypto algorithm to deploy, then they'll have to define which applications will be affected. You have S/MIME, you have SSL, SSH, VPN, and obviously in long-term data archiving you may have authentication systems that will be affected. So it's important to identify all of those applications, all of those communications channels, and then decide again the keys and the certificates that have to be renewed and within which time.

Dave Bittner: [00:15:04:02] All right, so as we've been discussing, really trying to get ahead of the game rather than finding yourself having to play catch-up.

Malek Ben Salem: [00:15:10:17] Absolutely yes.

Dave Bittner: [00:15:12:01] All right Malek Ben Salem as always thanks for joining us.

Malek Ben Salem: [00:15:15:02] Thank you, David.

Dave Bittner: [00:15:20:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.

Dave Bittner: [00:15:42:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're code building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.