Dave Bittner: [00:00:01:05] Hi everybody, Dave here, just a quick interruption. On behalf of all of us at the CyberWire I want to thank you for listening and for helping spread the word about our show. We're growing quickly and it's gratifying to hear from so many of you how much the podcast has become a regular part of your day. There are a few things you can do to help us to continue to attract new listeners. You can leave us a review on iTunes and you can subscribe in iTunes. Those two things help keep us near the top of the iTunes store podcast rankings which means more people find us which means more listeners. Of course you can share the podcast with your friends, colleagues and co-workers and your followers on social media. Thanks for taking the time to help spread the word about the CyberWire. We truly appreciate it. Here's the show.
Dave Bittner: [00:00:44:14] Baltic elves say they're taking on Russian trolls. Pakistan considers its cyber strategy. Investigation continues into the Bangladesh Bank hack. More hackers are interested in going after OS kernels, if the results of Pwn2own are any indication. Apple and the Department of Justice are poised for this week's hearings. And we hear from the University of Maryland's Markus Rauschecker, who tells us what it means to hack the Pentagon.
Dave Bittner: [00:01:10:16] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:01:33:06] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 21st, 2016.
Dave Bittner: [00:01:39:17] Social media remain a field for conflict among states and aspiring states, as ISIS resumes its push to inspire the disaffected, and disturbing levels of pro-Russian trolling resume in the Baltic States.
Dave Bittner: [00:01:51:17] The Baltic situation is particularly interesting. The Baltic States, Latvia, Lithuania, and Estonia have, alongside their neighbor Finland, long punched far above their weight in cyberspace, especially since the 2007 cyber rioting Estonia suffered in the wake of a dispute with Russia over the removal of a Second World War memorial. That rioting, sometimes referred to as "the first cyber war," and generally regarded as setting a template for plausibly deniable cyber action analogous to the "green men's" militias deployed by Russia in Ukraine, prompted Estonia and its neighbors to develop increasingly capable cyber defense capabilities.
Dave Bittner: [00:02:29:14] Those capabilities have also prompted volunteer efforts in information operations. The goal, in Lithuania most recently, has been to counteract pro-Russian trolls with benevolent "elves." Current conflict is worrisome, as observers in Lithuania worry that a Russian drawdown in Syria presages that country's turn toward the Baltic States, which fear that Russia will follow the template it established in Ukraine, information operations followed by initially deniable, then increasingly overt, military action.
Dave Bittner: [00:02:59:14] Pakistan considers its long-term interests in cyberspace as Google removes an app, SmeshApp, Pakistan's ISI allegedly used in espionage against Indian targets. Patriotic cyber rioting, plausibly deniable but arguably state-inspired operations, and alleged direct attacks by state security services have long been a feature of tensions in the subcontinent.
Dave Bittner: [00:03:22:22] Preliminary reports on the hack of Bangladesh's central bank suggest that the thieves were patient and sophisticated, covering their tracks and planting malware intended to support the apparent legitimacy of their fraudulent transactions. Reports differ on who much was stolen. They range from a low of $81,000,000 to a high of $101,000,000 but the crooks aimed much higher. They were prevented from pulling in a much larger take by alert staffers at Deutsche Bank whose suspicions were aroused by some careless proofreading in otherwise well-crafted spearphishing emails. Some $30,000,000 are thought to have gone to a casino junket operator. Bangladesh Bank officials say, with some understatement, that recovering the funds is likely to prove difficult.
Dave Bittner: [00:04:06:02] The US FBI is said to be assisting authorities in Bangladesh with the investigation. Since funds were transferred from a Bangladesh Bank account in New York to the Philippines, FBI involvement is hardly surprising.
Dave Bittner: [00:04:18:01] Authorities in Bangladesh are looking into the possibility of insider involvement. Preliminary reports suggest that several sets of difficult-to-spoof biometric credentials were used to enable the theft. Bangladesh's finance minister has claimed that "of course" bank officials were complicit in the crime.
Dave Bittner: [00:04:35:15] In response to this theft, administrators of the finance industry's SWIFT messaging system are working to reinforce recommended security measures with banks that use the system in managing funds transfers.
Dave Bittner: [00:04:46:20] Pwn2own wrapped up last week. Observers see an increased interest in achieving privilege escalation by exploiting OS kernel flaws. Of the twenty-one vulnerabilities on display, six were in OS kernels, six were in browsers, and the rest were either in operating system components and processes or in Flash Player.
Dave Bittner: [00:05:05:17] Late last week the Department of Justice asked for an evidentiary hearing on the case of the San Bernardino jihadist's iPhone. Apple is said to regard this as a sign that the Justice Department is losing confidence in its case. Hearings are set for this week.
Dave Bittner: [00:05:19:06] The Department of Defense has been notably more crypto-friendly, and thus more industry-friendly, than has the Department of Justice. The Pentagon is in the midst of a major outreach to the tech industry. Prominently featured in that outreach is its "Hack the Pentagon" program, effectively an invitation to bug hunters. We spoke with Markus Rauschecker, of the University of Maryland's Center for Health and Homeland Security about hacking the Pentagon. We'll hear from him after the break.
Dave Bittner: [00:05:42:15] As the US continues, we hear, to prepare indictments against Iranian hackers for poking around, in a virtual sense, that flood control dam in downstate New York, the cyber commentariate again returns to its favorite reassuring bedtime story. That is, of course, the squirrel threat. The Cyber Squirrel website has been tracking these and has racked up a tally of 1,139 confirmed successful squirrel attacks on critical infrastructure, which is 1,138 more, so far, than confirmed Iranian incursions into critical systems.
Dave Bittner: [00:06:16:14] We have no quarrel with squirrel awareness, although we do object to those who would impute malicious intent to the hapless squirrels themselves. But we do object to the general ignorance of the snake threat to the power grid. Especially in Guam, where Brown Tree Snakes are so much the leading cause of power failures that, we hear, residents call them "snake-outs." We're pleased to see that Cyber Squirrel has added snakes to their tally sheet. Bravo, Cyber Squirrel, for helping all achieve more snake-awareness.
Dave Bittner: [00:06:47:23] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.
Dave Bittner: [00:07:07:18] Joining me once again is Markus Rauschecker from the University of Maryland Center for Health and Homeland Security. They're one of our academic and research partners. Markus, when we were back at RSA recently we heard about the Pentagon's new "Hack the Pentagon" program.
Markus Rauschecker: [00:07:21:12] Right, so the Pentagon announced the "Hack the Pentagon" initiative. This is going to be a pilot program that's going to start in April of this year and essentially the Pentagon, the Department of Defense, is asking outside hackers to help them find any vulnerabilities or weaknesses in their networks. This is something that's sometimes referred to as a "bug bounty program" and we've seen this in the private sector for many years where a company will hire outsiders to try to get into their systems in order to test the security and the safety of their systems. The "Hack the Pentagon" program was interesting because it's really the first time that the Federal government is using this kind of bug bounty program to test its systems.
Dave Bittner: [00:07:59:16] Of course there's no shortage of people who are trying to hack the Pentagon every day but in this program what are the boundaries that they're setting on the people who volunteer to help with this effort?
Markus Rauschecker: [00:08:09:05] So anyone who is going to be involved in this program, any hacker that's going to be involved will be heavily vetted before they're allowed to participate. They'll have to undergo extensive background checks and furthermore once they are accepted into the program they're only going to be allowed to target pre-determined systems by the Pentagon and any of those systems at this point will not be connected to any critical operations of the Pentagon. So that's really a way to ensure extra safety in terms of, in terms of the program.
Dave Bittner: [00:08:38:01] So does this sort of thing signal more cooperation between government and industry in your view?
Markus Rauschecker: [00:08:43:21] I think so. We're seeing that government is looking more and more towards the private sector to try to work with the private sector to enhance cyber security overall. And government is seeing that the private sector has a lot of solutions out there, a lot of approaches that are working in the private sector and I think there's a sense that some of those valuable tools can be applied on the government side as well. So we're seeing closer and closer collaboration, I think, between the public and private sectors, absolutely.
Dave Bittner: [00:09:11:05] Alright, Markus Rauschecker, thanks for joining us.
Dave Bittner: [00:09:17:00] And that's the CyberWire. For links to all of today's stories visit thecyberwire.com. CyberWire is a production of CyberPoint International. Our Editor is John Petrik, I'm Dave Bittner. Thanks for listening.