Dave Bittner: [00:00:04:02] Finland investigates GPS signal jamming during NATO exercises. Russia’s the usual suspect, as usual Russia feels picked on. Jihadists seem to be feeling the effects of social media screening and may turn to account hijacking. Indian intelligence services look at ISIS use of Wickr. A look at Magecart. Cathay Pacific’s breach now believed to be worse than originally thought. And the “Paris Call for Trust and Security in Cyberspace” expresses eight aspirations.
Dave Bittner: [00:00:40:11] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays it also means all image or anthropomorphized incredibly, there's a serious reality under the hype but it can be difficult to see through to it. As the experts at Cylance will tell you AI isn't a self aware sky-net ready to send in the terminators, it's a tool that trains on data to develop useful algorithms and like all tools it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it visit threatvector.cylance.com and check out the report, "security using AI for evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:37:02] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 13th, 2018.
Dave Bittner: [00:01:49:10] According to the Times of London, NATO’s large Trident Juncture exercises conducted in and around Norway last week saw some apparent Russian jamming of GPS signals with the evident intent of disrupting the wargames. Russia had objected to the exercises - said to be largest since the Cold War era’s Autumn Forge annual exercises - they called them “sabre-rattling.” Trident Juncture opened on October 25th and wrapped up November 7th.
Dave Bittner: [00:02:19:14] GPS of course, was born as a US military technology but has since come to pervade civilian life. In this case GPS denial presented an apparent safety issue. A Norwegian airline said that its flights lost GPS signal while inbound to airports in northern Norway and Finland, and Finnish air traffic control warned of widespread GPS disruption in the northern part of the country. Deutsche Welle says that Finland is investigating.
Dave Bittner: [00:02:47:21] Finland’s Prime Minister Juha SIpila said, "Technology-wise, it's relatively easy to disturb a radio signal, and it's possible that Russia was behind it. We will investigate, and then we will respond. This is not a joke; it threatened the air security of ordinary people." That it did. Indiscriminate GPS jamming is a clear threat to safety of navigation.
Dave Bittner: [00:03:12:04] In statements today, Russia denied any involvement. Spokesman Dmitry Peskov said, “We know nothing of any Russian involvement in the disruption of the GPS system. You will have to ask the experts at the Ministry of Defense. But you know there is a tendency nowadays to accuse Russia of all sins, mortal or otherwise. As a rule, these accusations are baseless.” This alleged sin, if you’re keeping score at home, while not as bad as murdering people with nerve agent, would still seem pretty close to mortal. And we have to admit, for all the Russians’ sense that the rest of the world is picking on them, the GPS outages do look suspicious.
Dave Bittner: [00:03:52:14] Jihadist groups, pushed by social media into temporary online hiding, advises members to spread malign inspiration through hijacked accounts. Facebook reads this as an indication that its efforts to purge terrorist content from its platform are working. The social network has been under increased pressure, especially from the European Union, to clean out terrorist material. The effect of this will be to motivate ISIS and its allies to attempt more account hijacking, perhaps. The terrorist group’s online bark has been worse than its online bite, but insofar as the barking constitutes howling at the disaffected lone-wolves out there, it’s been troublesome enough.
Dave Bittner: [00:04:35:05] Authorities in India are keeping an eye on a shift in ISIS tactics in the state of Kerala. The counterterror National Investigation Agency and the Intelligence Bureau domestic intelligence service are watching the terrorist organization’s increasing use of the instant messaging service Wickr for command, control, and communications. Wickr, we stress, is a perfectly legitimate service. It’s attractive to the Islamic State for its encryption, for its ability to strip metadata from messages, and for the ability it gives its users to set expiration dates for their messages, at which point expiring messages are erased.
Dave Bittner: [00:05:14:08] Researchers at Akamai recently published the latest edition of their state of the Internet's security report focusing on web attacks such bot driven credential stuffing in the financial services industry. Rich Bolstridge is chief strategist for financial services with Akamai.
Rich Bolstridge: [00:05:31:02] So credential stuffing is kind of the second step of this fraud cycle if you look at the life cycle of it. So the beginning step is a data breach. These breaches many times involve usernames and passwords. Now the passwords are hashed or encrypted in some type in many ways but there have been many of these in the past and by the millions and by the billions. Secondly what will happen is those breached credentials will be made available to criminals or other bad actors on the web, for attempts at logging in to a variety of websites with those username and password errors, this is called the credential stuffing step.
Rich Bolstridge: [00:06:16:24] Now there's a lot of people that have your username is your email address and a lot of people use the same password across websites. This credential stuffing leads to a set of validated user names and passwords against commerce sites and financial sites or other shopping sites, and that leads to the third step which is really the kind of the weaponization, it's the account takeover.
Rich Bolstridge: [00:06:45:11] So what Akamai is doing is trying to move upstream from the actual account takeover and stop it at this credential stuffing phase and the numbers are staggering.
Dave Bittner: [00:06:58:08] So take us through, what did you see? What are some of the particularly interesting insights from the report?
Rich Bolstridge: [00:07:04:06] What we're seeing with the report, first of all there is an uptick in the volume of credential stuffing attacks. So across our platform, over the last year we've averaged about three billion malicious logins over the platform. We actually see these and handle these. What we saw with the latest study, the metrics for May and June of this year had an uptick to four billion malicious log in attempts across our platform. So this was noteworthy of course, as things are stepping up, but we also highlighted in the report attacks against two financial institutions and what's interesting is we looked at first was a credit union and second was a large financial institution.
Rich Bolstridge: [00:07:52:15] So it's from the biggest to kind of the smaller financial institutions that we're trying to highlight that the guidance here is, financial institutions of all sizes need to pay attention to this, keep up to date with it, and consider the gaps in their security defenses to be able to be prepared in case they are targeted with the credential stuff in tech.
Dave Bittner: [00:08:17:20] Are there misperceptions that people have about what are some of the best ways to deal with this sort of thing?
Rich Bolstridge: [00:08:23:21] I think it's still emerging. Companies and firms they're coming to grips with this. It's not a problem until it's a problem. So five, six years ago during the Operation Ababil, what they call the Qassam Cyber Fighters, the big attacks by the Iranian bank, the State of Iran against US banks. The big DDoS attacks from 2012 and 2013. You know DDoS was a very rare thing against banks prior to that and suddenly banks were being targeted and taken out, you know, 20 at a time in some of those weeks. So the industry as a whole got on board, raised their defenses and the DDoS defenses across the industry now are very, very good for the most part.
Rich Bolstridge: [00:09:06:20] We're kind of at that stage here I think again with Credential stuffing. A lot of firms feel, oh, we're too small, or oh, we don't have anything of value, or we haven't seen this so we don't think we're targeted, so we're in kind of this state where it's still emerging but yet many, many firms have had this problem and when it's a problem, it's a real problem because of resulting losses and, of course, what you see, the volume of these hundreds of thousands of log in attempts can slow down your website, slow down your mobile apps, impact your real users, and in some cases cause availability problems, that's particularly bad in investment sites with the Dow dropping in some cases hundreds and hundreds of points a day. Everybody's pulling out their phone and checking their portfolio multiple times a day. So just handling your traffic through your real users on some of these volatile market days is challenge enough, let alone being attacked by some large botnets with credential stuffing.
Rich Bolstridge: [00:10:14:10] So this is really an alert call to arms here for the industry to be ready for this.
Dave Bittner: [00:10:21:16] That's Rich Bolstridge from Akamai. You can find the latest edition of their state of Internet security report on the Akamai website.
Dave Bittner: [00:10:31:04] RiskIQ and Flashpoint this morning issued a joint report on Magecart, the family of carding campaigns against e-commerce sites. The researchers identify six criminal groups as responsible for Magecart activity, and they trace the threat from its modest origins as the Cart32 online shopping cart backdoor (discovered in 2000) to the present threat responsible for large-scale attacks on large enterprises including Ticketmaster and British Airways. Magecart proper emerged in 2015. The criminals monetize their theft of paycard data either by selling it to other pettier crooks in carding fora, or by enlisting mostly unwitting mules to buy goods and ship them to the gang. The six groups involved in Magecart have recently shown themselves increasingly active in their aggressive, successful attacks on e-commerce.
Dave Bittner: [00:11:24:09] Cathay Pacific airlines has told Hong Kong's Legislative Council data regulators that the breach it sustained was sophisticated and lasted for several months as the airline sought with difficulty to parry the attacks. The attacks were discovered in March; the airline struggled (at considerable effort and expense) with containment until August, at which time it began to be able to assess the extent of customer data loss: "far worse than thought," as the Star summarizes. The attack seems to have been unusually determined and difficult to root out. Cathay Pacific has established a customer-facing website where concerned passengers can check to see if their data is affected. There will be a lot of them - some nine million people appear to have been affected.
Dave Bittner: [00:12:10:22] Yesterday French President Emmanuel Macron sought to advance international norms for conduct in cyberspace. He issued “Paris Call for Trust and Security in Cyberspace” at the UNESCO Internet Governance Forum. The measure amounts to a declaration of principles. About 50 countries signed on but not China, Russia, or the United States, and it found favor with Big Tech, as both Microsoft and Google figured prominently among private sector supporters.
Dave Bittner: [00:12:40:12] The signatories commit to cooperation in eight areas: First, increase prevention against and resilience to malicious on-line activity; second, protect the accessibility and integrity of the Internet; third, cooperate in order to prevent interference in electoral processes; fourth, work together to combat intellectual property violations via the Internet; fifth, prevent the proliferation of malicious online programs and techniques; sixth, improve the security of digital products and services as well as everybody’s “cyber hygiene”; seventh, clamp down on online mercenary activities and offensive action by non-state actors; and eighth, work together to strengthen the relevant international standards.
Dave Bittner: [00:13:24:19] It’s seen as a framework within which nations can achieve a mutually satisfactory agreement in cyberspace, but obviously there’s a lot of work left to be done beyond this statement of good intentions.
Dave Bittner: [00:13:36:20] Finally, as people wonder about data abuse, the Telegraph asked UK Information Commissioner Elizabeth Denham if there will be another Cambridge Analytica scandal. She bets on form, saying, "I suspect there will."
Dave Bittner: [00:13:55:24] And now a bit about our sponsors at VMware. They're trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption and they'll round out what they can do for you with micro segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you though the details and much more. You'll find it at the cyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. The cyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:14:56:14] And joining me once again is Joe Carrigan, he's from The Johns Hopkins University Information Security Institute and also my co-host on the Hacking Human's podcast. Joe welcome back!
Joe Carrigan: [00:15:06:04] Hi Dave, how are you?
Dave Bittner: [00:15:07:01] I'm doing well. You recently attended a conference...
Joe Carrigan: [00:15:10:12] Yes.
Dave Bittner: [00:15:10:19] ...and came back with some interesting things to share. Fill us in here.
Joe Carrigan: [00:15:14:01] I attended the NICE conference which is from the National Institute of Standards and Technology and NICE stands for the National Initiative for Cybersecurity Education.
Dave Bittner: [00:15:23:09] Okay.
Joe Carrigan: [00:15:24:05] Being in cybersecurity education it's a kind of an important conference for me to attend I think.
Dave Bittner: [00:15:28:19] Right, sure.
Joe Carrigan: [00:15:29:24] And one of the presentations I saw was from Dr. Calvin Nobles who is a Professor over at University of Maryland University College among other places.
Dave Bittner: [00:15:38:24] Right.
Joe Carrigan: [00:15:39:09] And his topic was the inclusion of psychology based professionals in cybersecurity. And we've kind of been talking about this here and there and at the Information Security Institute as well about how important these things are but let me read what Dr. Nobles says is the quote of the presentation.
Dave Bittner: [00:15:58:05] Okay.
Joe Carrigan: [00:15:59:00] And he says, that human factors psychologist said "as researchers and educators we must address all the many different roles that we humans play in cybersecurity. Beyond just the security practitioner who administers firewalls, tunes intrusion detection systems and monitors networks, we must also educate the software developer, lawyer, policymaker, and all of us users who are unwitting accomplices of the attacker." And he says that there is a real position for psychology majors to be taking a role in cybersecurity and says that the multidisciplinary domain of cybersecurity includes computer science of course, mathematics, right?
Dave Bittner: [00:16:41:12] Yes.
Joe Carrigan: [00:16:41:19] Economics which we talk about frequently on Hacking Humans.
Dave Bittner: [00:16:44:08] Right.
Joe Carrigan: [00:16:44:23] Law, psychology and engineering.
Dave Bittner: [00:16:47:14] Yes. I think this is a really important point and it's one I've heard at several trade shows.
Joe Carrigan: [00:16:53:18] Right.
Dave Bittner: [00:16:54:03] This need, cause there's so many jobs available...
Joe Carrigan: [00:16:57:10] Correct.
Dave Bittner: [00:16:58:02] ...on the cyber side of things but it's not just the people from the stem backgrounds.
Joe Carrigan: [00:17:02:06] Right.
Dave Bittner: [00:17:03:02] We need people in all those positions.
Joe Carrigan: [00:17:04:17] We do and we really need people who are behavioral scientists and people who understand how other people think to really be involved, not just in the obvious point of where these attacks are coming from, but also like in the design of the tools. You should have a human factor's engineer or psychologist looking at your tools to make sure that this tool is telling me what I think it's telling me.
Dave Bittner: [00:17:33:10] Right. Yes. You need those artists as well...
Joe Carrigan: [00:17:35:18] That's correct.
Dave Bittner: [00:17:36:17] ...the tech people. It's on us to help spread that word to get out there to the high schools and the middle schools and say look, you don't have to be a math whiz or a science whiz to have a place within the cybersecurity ecosystems.
Joe Carrigan: [00:17:52:19] Since you've brought that up I will tell you there was another presentation I went to, I don't remember which one it was, but the teacher was saying if you're good at math, maybe you can take a look at the cybersecurity field and the very first thing she said was, "You don't need to be good at math to get involved in cybersecurity." And it was a Girl Scout event that she was talking to, and a couple of Girl Scouts came up with their parents afterwards and said, "Thank you that was life changing." So that's an important point is that no, you don't necessarily need to be good at math or be an engineer to get in the cybersecurity. There are plenty of fields out there, plenty of sub-fields within this discipline that don't necessarily require a heavy math background.
Dave Bittner: [00:18:33:21] Yes. I mean it touches every part of the organizations now.
Joe Carrigan: [00:18:39:04] It's touching every part of our society now.
Dave Bittner: [00:18:41:12] Yes.
Joe Carrigan: [00:18:42:04] It's part of what we are.
Dave Bittner: [00:18:43:13] Yes. Alright well it's good information and I think it is an important thing. Like I said, I think it's on all of us to help spread that word. So thanks for bringing that message back. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:18:55:02] It's my pleasure, Dave.
Dave Bittner: [00:19:00:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:28:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:19:38:05] Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.