The CyberWire Daily Podcast 3.31.16
Ep 68 | 3.31.16

DDoS, business email threats remain. How to set up your new machine.


Dave Bittner: [00:00:03:09] Ransomware's out there, but so are other familiar threats, like DDoS, and business email compromise. What you should think about in terms of security when you buy a new device and bring it online. Thinking about cyber deterrence. And what can happen when journalists invite you to become part of the story - alas, sometimes it's not so good.

Dave Bittner: [00:00:24:15] This CyberWire Podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date, with engaging and informative videos. For a free seven day trial and to save 30%, visit and use the code CYBER30.

Dave Bittner: [00:00:47:09] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 31st, 2016.

Dave Bittner: [00:00:54:08] Ransomware and its particular impact on healthcare enterprises dominated the hacking news this week, but other threats haven't gone away, either. The continuing investigation into the Bangladesh Bank wire fraud incident serves as a cautionary reminder of the threat posed by business email compromise schemes. In this case, it would seem that anomaly detection might have flagged the fraud before it passed before the eyes of an alert, and linguistically sensitive, Deutsche Bank staffer. And it also seems that multi-factor authentication might have prevented the compromise of sensitive Bangladesh Bank credentials, which the criminals seem to have accomplished through a keylogger.

Dave Bittner: [00:01:30:16] Distributed denial-of-service attacks also have real consequences for real businesses. One of the earliest Bitcoin wallet service providers, Coinkite, an online cloud-based crypto bank operating from Canada, has exited its core business to concentrate on hardware. Part of the reason was the business fatigue of dealing with both DDoS and government suspicions. "Being a centralized bitcoin service does attract attention from state actors and other well funded pains in the... rear, and, as a matter of fact, we’ve been under DDoS since the first month we launched."

Dave Bittner: [00:02:05:22] And talk of enterprise security shouldn't drown out awareness of the importance of security to private users. What about your home network, your family's devices? CSO publishes a bit of a rant about how visiting sites one might be ashamed of makes users reluctant to remediate problems in their machines, preferring to simply discard and replace machines that have become "slow", which really means malware-ridden, rather than follow sound practices of digital hygiene. We all eventually will buy new machines, so how should we set them up? We have some good advice from one of our partners at the Johns Hopkins University. Joe Carrigan told us about what you should do with your new machine. We'll hear from him after the break.

Dave Bittner: [00:02:45:23] In defense policy, the UK and the US are upgrading the cyber protections in their Trident submarine-launched ballistic missiles. These systems are held to be central to the two countries' nuclear deterrent capability, and so, all considerations of nuclear surety aside, the systems' predictable reliability remains a priority for the US and Royal Navies.

Dave Bittner: [00:03:07:06] The US military continues to work out how it might "operationalize" cyber deterrence. That is, build enough credible capability to identify hostile actors in cyberspace and hold their capabilities, and other things those adversaries might value, at risk. The primary challenge in operationalizing that other, long familiar deterrence regime - nuclear deterrence, especially in its Cold War form - was assurance, making it clear to the adversary that they couldn't deprive you of the ability to retaliate for a strike. But with cyber deterrence, still very much a work in progress, you face other issues. As the Chairman of the US Joint Chiefs of Staff, Marine Corps General Joseph Dunford, put it in a talk at the Center for Strategic and International Studies this week, "We need to develop a framework within which to deter cyber-threats, and obviously attributing threats and managing escalation and hardening ourselves against cyber-attacks are all areas that require more work." We note particularly the difficulty of attribution in the cyber domain: it's notoriously difficult, and false flags, provocations, and the use of deniable third-party surrogates are all well-established techniques in cyber conflict.

Dave Bittner: [00:04:19:11] Finally, you listeners of a certain age will recall the "New Journalism" practiced during the final third of the last century by the late Hunter S. Thompson and others. The New Journalists permitted themselves to become part of the story, and neither held aloof from their subjects nor copped any pretense of lofty objectivity. So, from what we're hearing this week, we're pretty sure that must be going on at CNBC. The network ran an online story about the importance of using strong passwords. And, we're pretty sure, in an homage to that old participatory New Journalism, CNBC included a link to a password strength-tester where you, the consumer of the news, could become part of the news, by entering your password to find out if it was any good or not. And then - wait for it - that link also collected your passwords, and then put them into a Google Docs spreadsheet for everyone to see. But the spreadsheet was marked "Private". It was like fear and loathing in the Englewood Cliffs! Seriously, do keep your password strong.

Dave Bittner: [00:05:18:16] If you're in research, keep working on some alternatives to passwords. And don't be too hard on CNBC: fundamentally they were well-intentioned and trying to be on the side of the angels.

Dave Bittner: [00:05:33:10] This CyberWire Podcast is brought to you by the Digital Harbor Foundation - a non profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:05:52:19] Joining me once again is Joe Carrigan from Johns Hopkins Information Security Institute, one of our academic and research partners. Joe, I want to talk about some general security tips. I buy a new computer, which gets dropped off on my front door from Amazon, is that computer ready to go out of the box or are there security steps that I need to take to protect myself?

Joe Carrigan: [00:06:12:24] Generally ready to go right out of the box. There are some nice security tips I like to have on all of my computers. Number one, make sure that your automatic updates are enabled and don't disable automatic updates. There are two things you can do to protect your computer, which will protect you from most things, and that is updating your computer and making sure you're running the right software with some kind of application whitelisting software. There's not really a lot of consumer grade application whitelisting software. Whitelisting software is essentially a security product that, before you start any program, asks: "Is this computer allowed to run this program?" If it's not, it doesn't let the software run. That can prevent a lot of malicious software from running. So this is really not a consumer grade option for one or two computers at home. What I recommend is that people make sure they understand what it is they're installing, and whenever they get asked to install a piece of software, think before you click on the buttons and say yes, go ahead and install this: what am I installing? What did I ask to have installed? Did I even ask to have something installed? A lot of times websites will start downloading something and people just click, "Yeah, okay," click, and they'll install malicious software. So be mindful of what you're installing.

Dave Bittner: [00:07:29:21] And of course always consider the source of where you're downloading things from. Downloading something from Adobe is different than the latest thing you found on a bittorrent site.

Joe Carrigan: [00:07:40:03] Absolutely. Attackers can even make it look like you're downloading something from Adobe. The best bet is to check your browser - when you look in the address bar, see that you are actually connected to for example and that the security settings are valid and they match up. You can check that with a little lock. Depending on your browser, you can mouse over that lock and you can actually get the certificate information from the site that you're visiting.

Dave Bittner: [00:08:06:11] Good advice. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:08:08:21] My pleasure.

Dave Bittner: [00:08:11:19] And that's the CyberWire. For links to all of today's stories, visit While you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner - thanks for listening.