When BGP hijacking isn’t hijacking at all. The White Company’s Operation Shaheen. SWAuTistic pleads guilty. NPPD will become CISA.
Dave Bittner: [00:00:03] Monday's BGP hijacking wasn't hijacking at all but rather a fumbled upgrade in an ISP. The White Company's Operation Shaheen is a nation-state espionage campaign directed against Pakistan's military. Sleazy gamer and hacker SWAuTistic pleads guilty to Wichita swatting charges and to bomb threats just about everywhere else. And the NPPD will soon become CISA and the lead U.S. civilian cybersecurity agency.
Dave Bittner: [00:00:39] A few words from our sponsor Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operation center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with a threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more, and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:42] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 14, 2018. We've seen some jitters recently over the prospect of Border Gateway Protocol - that's BGP - hijacking. The concern is that it could reroute traffic through nodes where it might be subjected to sniffing and inspection. In short, subjected to the ministrations of an intelligence service. There was a BGP leak Monday that, for a bit more than an hour, routed traffic through China and to a lesser extent through Russia and Nigeria. As SecurityWeek summarized the incident, traffic from Google Search, G Suite and Google Cloud services was directed through TransTelekom in Russia, Nigerian ISP MainOne and China Telecom. The unusual routing was reported by the network monitoring company ThousandEyes, which said the incident had little effect on consumer ISPs but was very much noticed by business-grade service providers. For those users, it amounted to a denial of service condition rendering their access to the affected Google services difficult, if not impossible.
Dave Bittner: [00:02:57] The incident aroused suspicions immediately. Traffic unexpectedly transiting China and Russia raises red flags of espionage warning. But in this case, it appears nothing of the kind was afoot. The incident now appears to have been the result of an error and not a malicious campaign. A misconfiguration in an Nigerian ISP seems to have caused the rerouting. As WIRED puts it, the traffic wasn't hijacked, but it was out of control. Yesterday the Nigerian ISP MainOne copped to being the one to cause the problem. Quote, "this was an error during a planned network upgrade due to a misconfiguration on our BGP filters," end quote. They added that they were able to fix the error within 74 minutes. There are a few familiar lessons worth drawing from the episode. First, the tightly connected nature of the internet can be a source of weakness as well as robustness. Second, failure to follow best practices can have severe and cascading effects. And finally, not everything that looks like an attack is an attack, so reticence about attribution is sound policy.
Dave Bittner: [00:04:05] Security firm Cylance is describing a nation-state espionage campaign. It's unusually sophisticated, prepped, staged, evasive and quiet. And it's targeting Pakistan's military, especially the air force. Cylance researchers call the campaign Operation Shaheen after the Shaheen falcon that serves as the emblem and mascot of Pakistan's air force. They call the threat actor the White Company because of the degree of care it takes to cover to whitewash its activities. Cylance evaluates the White Company as a nation-state actor. But with customary reticence, they don't say which nation-state that might be.
Dave Bittner: [00:04:45] Global accounting firm BDO recently released their 2018 telecommunications risk-factor survey. And the results had some surprising revelations when it came to cybersecurity. Gregory Garrett is head of the U.S. and international cybersecurity practice for BDO.
Gregory Garrett: [00:05:03] Well, I think it's more of what wasn't said (laughter) than what was said. Candidly, what we expected was to see cybersecurity reflected as a significant risk factor in the assessments from the various companies that we surveyed. But rather, what we saw was what we'd call the typical factors in the industry - things like exchange rates, increased competition, growing interest rates, new technologies and access to finance. Cybersecurity didn't even show up in the top five.
Dave Bittner: [00:05:41] And so kind of reading the tea leaves there, I mean, what do you think that points to?
Gregory Garrett: [00:05:46] It prompted, I'll say, a number of discussions amongst our colleagues. And I'll say I've had to reflect on a lot of industry conversations I've had. And so what I've concluded is there's really two, I'll say, groups of telcoms in how they look at cybersecurity in today's environment. You know, one is the very sophisticated players who have made significant investments in enhancing their cybersecurity over the past couple of years from monitoring, detection and response services, multifactor authentication, layered defenses, the use of artificial intelligence in their monitoring - you know, the kinds of things that you would expect that a world-class company would do in this space that could potentially have significant attacks. Then there's the others. And unfortunately, I've chatted with more than a few that - because of the increased competition, the increased exchange rates and effects on their industries, that I've seen just the opposite with a significant number of telecom companies where they've actually significantly under-invested in cybersecurity. You know, they're doing minimal monitoring, not even on a 24 by 7 basis. They have not made the investments that you would expect big carrier class networks and internet service providers to provide from a multifactor authentication to even the level of education and training of their employees.
Gregory Garrett: [00:07:29] Just one observation here - one of the questions I always ask is - when I'm talking with senior executives is, what percentage of their overall IT spend are they spending specifically on information security? Over the years, I've seen this evolve. And it does vary by industry sector with, for example, financial services and health care industries at a much higher end than, I'll say, the average retail company. But typically, I've found that telecommunications are usually in the 3 to 5 percent range of their overall IT budget. And what I've found sort of alarming is there's two groups. There's the group that invest at the 5 percent and higher, and then there's the group that invest at the 1 percent or lower. And there's actually very few of the major, you know, carrier class companies that are operating in the 3 to 5 percent sort of typical range.
Dave Bittner: [00:08:33] I don't know. It strikes me as being shortsighted, certainly. But I can't help thinking it's a pay me now or pay me later kind of situation.
Gregory Garrett: [00:08:42] Well, it absolutely is. And unfortunately, Dave, I wish I could say this is the only industry where I've seen that behavior, but it's really not. You know, I've seen it in financial institutions. I've also seen it in health care. I've seen it in critical infrastructure where you have what I'll call the world class companies really making significant investments and really amping up their cyber defenses in a very significant and meaningful kind of way.
Gregory Garrett: [00:09:11] And then you've got the mid-tier companies, and we're seeing a lot of them that are significantly under-invested in cybersecurity across all the different industries. You know, in many of them, it's - you know, they're looking to maximize profitability. This is a cost. This is an investment. If they haven't experienced a significant breach, then they're only doing what they have to minimally do to be compliant with regulatory standards and just hoping and praying that a big attack doesn't, you know, affect them.
Dave Bittner: [00:09:45] That's Gregory Garrett from BDO. The report is the 2018 Telecommunications Risk Factor Survey. You can find that on the BDO website.
Dave Bittner: [00:09:55] Tyler Barriss pled guilty to federal charges related to his involvement in a Kansas man's swatting death last year. The U.S. Department of Justice says Mr. Barriss acknowledged guilt on one count each of making a false report resulting in a death of cyberstalking and of conspiracy. It's believed he'll receive at least 20 years in prison. Mr. Barriss, who went by the hacker name SWAuTistic, was an unusually active participant in swatting and other dangerous capers - bomb threats and so on. The three counts mentioned above are just the ones he was involved with that had their sad outcome in Wichita, Kan. He also copped guilty pleas for hoax bomb threats to FBI and FCC headquarters, the latter because he was a fan of net neutrality and because the obvious way to put your policy views before the government is by telling people there's a bomb at a government office.
Dave Bittner: [00:10:48] In the Central District of California, his home state, he was unusually active and faced 46 counts that included - Department of Justice said - "making calls with false reports that bombs were planted at high schools, universities, shopping malls and TV stations. He made the calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada," end quote.
Dave Bittner: [00:11:19] The crimes to which Mr. Barriss admitted are deeply repellent. He got a completely uninvolved man killed just for the lulz and to put some other gamers in their place. Many have remarked not only on his striking lack of insight into the consequences of his actions but also for his striking lack of remorse. He continued woofing online while in jail awaiting his day in court, taking advantage of some technical loophole he discovered to get internet access from within the facility.
Dave Bittner: [00:11:48] Mr. Barriss is 25, which makes him the graybeard of the trio charged in connection with the Wichita swatting. The other two, "Call of Duty" gamers who had a falling out, are Jason Viner, 18, of North College Hill, Ohio, and Shane Gaskill, 20, of Wichita, Kan. Those two are still awaiting trial. They're involved because Mr. Viner asked Mr. Barriss to swat Mr. Gaskill. And Mr. Barriss sent the SWAT team to Mr. Gaskill's former address, since occupied by the late and innocent Andrew Finch. We mention this case not because cases of accidental negligent death are so rare as to be noteworthy. Alas, while they're not commonplace, they're not unheard of either. Rather, this case merits attention because of the way it illustrates the strained disinhibition that seems to lie beneath so much misconduct in cyberspace.
Dave Bittner: [00:12:41] And finally, to turn from sordid skid crime to something more pleasant, to the gratification of the U.S. Department of Homeland Security, Congress has passed legislation to re-establish the department's National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency - the CISA. Once the president signs the bill, CISA will become the lead U.S. civilian cybersecurity agency.
Dave Bittner: [00:13:12] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:14:13] And I'm pleased to be joined once again by Emily Wilson. She is the fraud intelligence manager at Terbium Labs. Emily, welcome back. Over at Terbium, you all released a white paper recently, and it's titled "The Truth About Dark Web Pricing." Let's walk through this. So what prompted you all to create this report?
Emily Wilson: [00:14:31] Originally, it started off as a project to do a meta analysis of the pricing reports about the dark web available in the security industry, right? Every so often, a security company will put out a report which will include some pricing information about dark web goods and services. And we were curious to see what what we could gather from that information doing a meta analysis of those prices over time.
Emily Wilson: [00:14:54] And it quickly turned into a slightly different project because we discovered that the data was really very inconsistent, and the prices were anecdotal at best. There was not a lot of methodology. And so it turned into what we have here, which is a white paper addressing some of the issues the industry is facing. And honestly, the industry is creating for itself by having less-than-rigorous standards in talking about dark web pricing.
Dave Bittner: [00:15:18] Let's explore that some. I mean, the title of it is "The Truth About Dark Web Pricing," which is a bit provocative, indicates that maybe we haven't had the truth up to this point.
Emily Wilson: [00:15:27] I don't think we've had the truth. Or rather, I don't think we've gotten past a very surface-level conversation, right? The things that we do see are, here's how cheap your Social Security number is, or here's how - and I won't name names, but there was a particular report that came out where the prices, you know, the cost of your identity on the dark web. And the prices were vastly overstated. Something like a bank account costs $500. It costs a tenth of that price, right?
Emily Wilson: [00:15:58] And so we get these headlines. We get these one-off stories. And instead of using those to have a bigger conversation about the well-developed fraud economy or the way that goods and services change over time or even what drives value, what drives these prices on the dark web, and does it matter how much something is different from one market to another - we just get stuck on that first thing. And we never really get to the truth of it because we're too caught up in the flash and the sexy headlines.
Dave Bittner: [00:16:26] Is this a case of someone who has something to sell you trying to scare you into thinking that something is more valuable than it actually is?
Emily Wilson: [00:16:34] Sure. Fear is a very effective tactic. There's a reason that so many vendors in the security industry rely on selling you fear. You create a problem, and then you invent a solution for it. And you make everyone feel better because you'll keep them safe. We really need to move beyond that, right? We know that data can't be fully secured. We know that there's going to be a data compromise. We know that systems are going to come under attack, and we need to start there.
Emily Wilson: [00:16:58] And so in that same way, as we've matured that view of what the security industry needs to look like and how it needs to help supply solutions, we need to move beyond this very basic, you know, look at this bright and shiny headline of a price without context or information or discussion of what the potential fallouts are that it's so easy to buy infant socials or credit reports or W-2s or Facebook accounts on the dark web.
Dave Bittner: [00:17:27] So what is the truth about dark web pricing? What's the take home from it?
Emily Wilson: [00:17:31] The truth about dark web pricing is we don't have a good sense of it yet. And that's a problem, right? The white paper - in it, we propose that we need to develop a shared taxonomy to begin to look at these things more consistently, right? If you have 30 descriptions of a credit card across a bunch of different reports, how many of those are actually different from one another? There aren't going to be 30 different categories of credit cards for us to look at that are being sold on the dark web. There might be six, you know. How many variables matter? We know that freshness and validity drive dark web pricing. That makes sense. Something that's newer that you can cash out more easily, those are important.
Emily Wilson: [00:18:08] But what about the difference in pricing between a business credit card versus a platinum credit card, right? How do we think about the valuation between prepaid cards and gift cards? How do we measure price fluctuations throughout the year? You know, when is it that the W-2s start to come on the market, and how long after tax season are they still available? You know, we're not, as an industry, gathering enough data. We're not looking at this in a consistent enough way that we can actually tell those stories yet. It's a difficult problem. Collecting on the dark web is hard. It changes very quickly. There's a lot of nuance. It's going to take a full industry lift to actually look at this, and that's what we're proposing.
Dave Bittner: [00:18:48] All right. Well, the white paper is titled "The Truth About Dark Web Pricing." It's over on the Terbium Labs website. Emily Wilson, thanks for joining us.
Dave Bittner: [00:19:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:19:20] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:28] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.