More North Korean malware identified. EOS scanned for misconfigurations by parties unknown. Canadian banks won't pay extortion. Stay away from Joker's Stash. Crime and punishment.

Dave Bittner: [00:00:00:01] A quick note about some changes we've made to our Patreon page, we've updated some of our goals and funding levels and one of the things that we're hoping to fund is having transcripts made of our podcasts library. Not only does it make it easier to search for stories we've shared on the CyberWire, but it helps make the show more accessible to people with hearing issues. We hope you'll take a few minutes to check it out and choose to support our efforts, that's at Patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:32:16] The US attributes two more strains of malware to North Korea and whether you call them hidden Cobra or the Lazarus group, it's the same reliable crew of Pyongyang hoods. More trouble for the ICO world as unknown, but probably bad actors, scam for misconfiguration in EOS block chain nodes. Canadian banks decline to pay extortion. Joker Stash counterfeits show there's even less honor among thieves than you may have thought. Baratov gets five years for the Yahoo hack and Kavasea gets a solid ten-year sentence for multiple crimes.

Dave Bittner: [00:01:12:17] A few words from our sponsor Cylance, you've probably heard of next generation anti malware protection and we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed. Be perplexed no longer, because Cylance has published a guide for the perplexed. Sure they call it Next Generation Anti Malware Testing for Dummies, but it's the same principle, clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti malware techniques and the advantages of artificial intelligence. Why you should test it for yourself, how to do the testing and what to do with whatever you find. You can check it out at Cylance.com. That's Next Generation Anti Malware Testing for Dummies at Cylance, and we thank them for sponsoring our show.

Dave Bittner: [00:02:09:02] Major funding for the CyberWire podcast is provided by Cylance, from the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 30th, 2018. The on-again, off-again, US North Korean summit is back on but relations between the countries in cyberspace remain frosty. There's a good bit of speculation that DPRK hacking will figure among the agenda. In the meantime, the FBI and the Department of Homeland Security yesterday through the US CERT, attributed two more families of malware to the DPRK's Hidden Cobra threat group.

Dave Bittner: [00:02:47:21] The Bramble Worm and the Jonapp Trojan are both said to be the work of Pyongyang. Jonapp is a two stage back door, remote access Trojan that allows both data exfiltration and installation of other threats onto the victim's system. Bramble, worm that it is, abuses the SMB protocol to spread the addiction area attacks on other systems. Once it's in, as security week summarizes, Bramble also harvests system information, accepts command line arguments, then executes a suicide script.

Dave Bittner: [00:03:23:08] You may know Hidden Cobra by its other name, the Lazarus Group. The Lazarus Group has got a pretty long rap sheet, albeit with no convictions since nobody in the world has any kind of extradition agreement with Pyongyang. The threat group has been credibly blamed for the Bangladesh bank SWIFT caper, the Sony Pixar's hack, which appears to have been part of a larger campaign, outlined in the operation Blockbuster investigations. Operation Dark Soul, a 2013 campaign, that affected two South Korean television stations, and at least one bank. And Operation Troy, a cyber espionage campaign, unmasked in 2013 that was directed against South Korea and in particular against South Korean military cooperation with the United States. The Five Eyes have also said the Lazarus Group was responsible for WannaCry, last year’s misfiring but still very damaging ransomware campaign. That's one attribution we think you can take to the bank.

Dave Bittner: [00:04:22:20] Bleeping computer reports that threat intelligence shop Grey Noise has observed someone, presumably a threat actor, scanning for EOS Blockchain Nodes that have accidentally exposed private keys through inadvertent misconfiguration. The scans began yesterday, shortly after Qihoo 360 reported a remote execution flaw in the EOS Blockchain platform. EOS is currently the subject of an initial coin offering.

Dave Bittner: [00:04:50:09] The Canadian banks hit with a hacker induced data breach over the weekend are indeed the targets of extortionists. The attackers are demanding a million dollar ransom. If they're not paid, they threaten to release the information online. The Bank of Montreal and the Canadian Imperial Bank of Commerce, have both said they won't pay the ransom. Bravo, banks. There's some speculation as to why the hackers tried extortion as opposed to simply selling the stolen data on some of the usual dark web markets. They may have come to believe that stolen data simply wouldn't fetch as much as they could make through extortion or they were hoping that embarrassment would induce the banks to pay up, even if the data wasn't that valuable. Or of course, they may have been interested in getting whatever they could from the banks and then going on and selling the data anyway. Since honor among thieves is much frayed nowadays.

Dave Bittner: [00:05:44:05] Speaking of black markets and the general absence of honor among thieves, it's worth noting that KrebsOnSecurity has a piece up about Joker Stash and it's very imitators and counterfeits. Joker Stash is an illicit carders forum, where hoods buy and sell stolen pay card credentials. Mostly for what amounts, relatively speaking to chicken feed. Joker Stash has been tied to a number of retail breaches, including those at Sachs, Fifth Avenue, Hilton, Wholefoods, Japola and Sonic. The counterfeit Joker Stash sites are out there to con the conmen. If you, Mr and Miss Criminal think you are going to get some cards from Joker Stash, look carefully because you may find the Bitcoins you virtually plunked down are gone baby gone, without so much as a log in credential left behind. We won't offer anymore specific advice, since at some level criminals who let themselves be defrauded by other criminals deserve what they get, but do stay away from Joker Stash.

Dave Bittner: [00:06:46:16] When word comes down from the bosses upstairs that it's time to improve productivity and security. Or to do less with more, many organizations turn to automation to make it happen. But that can be easier said than done. Ruby Kitov is CEO and Co-Founder of security firm Tufin and he's got some words of wisdom for companies looking to automate.

Ruby Kitov: [00:07:09:12] There is a good crawl, walk, run model. A lot of times when we speak with customers or organizations who have nothing of this sort, no automation, usually it also means that very often they won't know what their security policy even is. When we ask organizations, "What is your security policy?" Let's look at zone to zone segmentation, so which networks can talk to other networks and which networks should not be allowed to talk to other networks. Just connectivity, a lot of times people scratch their heads and there might be a document written in the CESO office, some security architect wrote it, there's a big gap between that concept of a security policy and the actual implementation on the ground. And then after accessing, usually there's a clean up phase where people for two to three months they go and they start cleaning up all of the vulnerabilities they discovered and there is a lot.

Ruby Kitov: [00:08:09:23] You want to reach a steady state, pretty healthy and clean state of network security, at that point the question is okay, I've done some work, I've cleaned up and I think I'm in pretty good shape but if I don't maintain that hygiene, I'm going to be vulnerable again, I'm going to have all sorts of problems, very soon, because dozens of changes occur on my network on a weekly basis. How do I maintain that continuous compliance? The next phase would be taking the policy element and actually analyzing every single change that is about to be implemented to see whether it adheres to the policy. So then, once you're in a pretty healthy place, you would probably want to have zero mistakes, done on a production network. Because you want to move from being reactive, like okay let's look at my network and figure out what's wrong with it to, I've cleaned it up and now I don't want any mistakes even reaching the production network. I want to avoid those things to begin with during the change process. There's additional challenges as people are adopting the cloud and they're migrating more and more applications to the cloud, there's a whole another set of challenges that have to do with policy. What we are seeing is a lot of organizations at DevOps or a cloud team that are responsible, not just for the application but also for the infrastructure on the cloud side and they're managing, for example maybe the AWS configuration.

Ruby Kitov: [00:09:46:06] We're seeing a lot of friction between the DevOps team and the firewall team where DevOps teams want to build kind of their own security controls and they don't want a very heavy and manual process of requesting changes from the network security team to allow them connectivity. So we're seeing a lot of issues between DevOps teams and network security teams and we think that a key thing is how to bake security into the DevOps cycle, so that essentially the network security will have much deeper visibility into the security posture of the cloud. And a lot of our organizations are actually flying blind today. So you have DevOps teams making changes in the cloud with very little security oversight, which we believe is a huge mistake. So one of the things that we would recommend is to get tools that allow, first of all, security practitioners to see the security posture in the cloud and the second phase would be to actually bake security into the DevOps, CICB tool chain so that every time you want to make a change that actually affects security in the DevOps tool chain, it will be vetted against some kind of a security policy and we think that's critical as organizations are moving to the cloud.

Dave Bittner: [00:11:07:14] That's Ruby Kitov from Tufin.

Dave Bittner: [00:11:12:12] A US Government look at the cyber security of federal agencies offers a depressing vista. Three out of four agencies are said to be at significant risk of cyber attack and poorly prepared to manage that risk.

Dave Bittner: [00:11:25:08] Whether or not it's reprieved from US Commerce Department sanctions, analysts thing ZTE will find recovery difficult. ZTE and Huawei remain under widespread suspicion of posing security risks. Nadium premiere Justin Trudeau is being asked by many to take a close look at what Huawei's up to in its penetration of the Canadian market.

Dave Bittner: [00:11:49:06] Karim Baritov, convicted of hitting Yahoo on behalf of Russia's FSB has been sentenced to five years. The US Justice Department points out that the verdict should indicate to people that hacking for hire is a serious crime.

Dave Bittner: [00:12:05:15] You remember the fellow who went by the name Kavasea, he isn't French, but English. He's the heavy handed gent who ran virtually amok in Kent. Anyhow Kavasea whose given name is Grant West had his day in Court and was convicted of charges related to phishing, drug sales and other illicit online activity. He will be her Majesty's guest for ten years which is by British standards a pretty stiff sentence. Mr West is 26, he will be in his mid 30s by the time he gets out, assuming he serves his full time. He was caught when authorities tracked the IP address of his girlfriend's computer and picked Mr West up on a train bound for London, the relationship is doubtless strained at this point or as Facebook might put it, complicated, because the co-conspirator girlfriend got community service.

Dave Bittner: [00:13:00:17] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network, the good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120,000,000 new pieces of malware were created in 2017 so even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99%, and neither should you. They put those 3,000 daily problems into a lightweight, colonel level container where the malware is rendered useless. With Comodo's patented auto containment technology they bulletproof you down to hour zero every time. Solving the malware problem. So with Comodo you can say with confidence, I've got 99 problems but malware isn't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform, that's enterprise.comodo.com. We thank Comodo for sponsoring our show.

Dave Bittner: [00:14:16:00] And joining me once again is Justin Harvey, he's the global incident response leader at Accenture. Justin welcome back, I feel like we have been running towards this finish line which of course was the implementation of GDPR. We have crossed that line and now here it is, it's active, it's a real thing, do you think that companies are ready? Do you think these months of preparation are going to pay off for them?

Justin Harvey: [00:14:42:05] The glib answer is, I believe my clients are. I don't think that the majority of companies are truly ready for the GDPR. Based upon what I've been seeing in the market, many organizations are scrambling, they're getting their incident response plans going, they are giving the ambiguous nature and the wording of the regulation, it's almost like I should say it's anyone's ballgame. Because with regulations, particularly of this nature, you can't read a document that says, this is an incident and when this type of incident hits this threshold then then you need to report it to regulators. It's almost like regulators want to keep it loosey-goosey and they want to see companies demonstrate that they are trying. I don't believe any organization is truly 100% compliant with any regulation. But what matters is are they demonstrating the right steps? Do they have the right intent and if and when something does happen, are they being forthcoming with regulators?

Dave Bittner: [00:15:53:19] It's interesting because it strikes me that there's been wait and see on both sides, as you described, the regulators waiting to see, are people making a good faith effort. But I think there's been a lot of wait and see on the other side to see, are these potential fines actually going to come down?

Justin Harvey: [00:16:08:17] That's right, I was speaking with a colleague the other day and he made an observation that he doesn't think that GDPR is here to last. And the reason is it will be one large organization, one large company that will unfortunately have a breach and maybe they lose a lot of personal data and then they're looking at quite a lot of fines and perhaps even drives that company out of business and then where does that leave regulators at that point? Who wants to participate in a regulation where the downside is you can lose up to four or however many percent of your global, annual revenue. So time will tell. I think that this is an interesting experiment, it's funny that I call a regulation an experiment, but I think that this is a new kind of regulation, applied to a large region. And I think if it works, if they are able to pull it off and it does enforce change and allows society to operate where people can be forgotten on the Internet, if they can really, truly have better controls around people's privacy, I think it will be positive. And even then the United States should definitely pay attention, keep notice of what's happening with the EU and the GDPR, considering all of the privacy concerns we've been having on this side of the pond.

Dave Bittner: [00:17:32:12] As you say, time will tell. It's going to be interesting to watch. Justin Harvey thanks for joining us.

Justin Harvey: [00:17:39:04] Thank you.

Dave Bittner: [00:17:43:00] And that's the CyberWire, thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Work Space One Intelligence. Learn more at VWware.com. The CyberWire podcast is proudly produced in Maryland out of the start up studios of Data Tribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with Editor, John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.