The CyberWire Daily Podcast 12.5.18
Ep 738 | 12.5.18

DDoS and BEC risks rising. Ukraine says it stopped Russian cyber campaign. EU looks to stopping disinformation. NRCC email compromise. Facebook emails released by Parliament.

Transcript

Dave Bittner: [00:00:03] CoAP-based DDoS attacks are on the rise. A Nigerian gang has done some industrial-scale work on business email compromise. Ukraine says it stopped a major Russian cyberattack. The EU looks toward its May elections and determines to do something about disinformation. The U.S. National Republican Congressional Committee sustains an email compromise. Attribution of a phishing expedition to Cozy Bear grows dubious, and Westminster doxes Facebook.

Dave Bittner: [00:00:38] Now, I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:35] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 5, 2018.

Dave Bittner: [00:01:46] There's an emerging distributed denial of service risk reported. RFC 7252, the lightweight IoT protocol - also known as CoAP, the constrained application protocol - is being exploited in the wild. Some of the DDoS incidents are coming in as high as 32 gigabits per second, researchers tells ZDNet. CoAP is relatively new, introduced only in 2014. And it's designed to serve in the memory and computation resource-poor world of IoT devices. It's also vulnerable to packet amplification and IP spoofing. While CoAP's designers added security features to mitigate those risks, implementing those features bulks up the protocol significantly, reducing its attractiveness to IoT users. Expect more DDoS attacks to abuse CoAP devices.

Dave Bittner: [00:02:40] There's been a rise in business email compromise attacks being carried out by a Nigerian gang security firm Agari calls London Blue. London Blue, which is thought to have cells in both the U.K. and the U.S., has done its homework and compiled a list of some 50,000 executives whose emails they're spoofing to induce the unwary to wire company funds to accounts the criminals control. London Blue's research is both detailed and large-scale. Businesses should emphasize to their employees the policies they have in place for stopping business email compromise, like reminding everyone that no executive will ever direct them by email to transfer funds. And if your business doesn't have that kind of policy and training in place, for heaven's sake, get to work on them soon.

Dave Bittner: [00:03:29] Governments around the world are recognizing the ongoing need to train the next generation of cybersecurity professionals. CyberWire U.K. correspondent Carole Theriault did some digging to see what kind of efforts are taking place on her side of the pond.

Carole Theriault: [00:03:44] So there's this weird Catch-22 out there when it comes to working in cybersecurity. On one side, we're seeing a huge growth in people interested in working in the field, and no surprise. I mean, think about it. Despite us being in the nascent days of digital connectivity, we've already seen frightening attacks on systems, data and privacy. I mean, it doesn't take a rocket scientist to see that this industry is a hot one. And it's going to be for some time to come. But still, the cyber industry says it's desperate and can't find the right talent. And governments are worried, too, pouring in money into cyber. The U.S. president budget includes 15 billion for cyber-related activities for next year. That's up 4 percent over this year. And the U.K. government is pouring 1.9 billion in to help tomorrow's cyber workforce.

Carole Theriault: [00:04:35] Now, the SANS Institute, a U.K.-based IT security training company, has been selected to provide the government-backed Cyber Discovery program. That's a 20 million pound, or roughly $25 million, effort designed to teach students about things like cryptography, digital forensics and web attacks. I got a chance to speak with James Lyne from the SANS Institute to find out more about the program.

Carole Theriault: [00:05:02] Thank you for coming to the CyberWire, James. I know you're a busy man, so thanks for making the time.

James Lyne: [00:05:07] Absolute pleasure to be here. Thanks for having me.

Carole Theriault: [00:05:09] Now, tell me, why is the U.K. government worried about the future of cybersecurity?

James Lyne: [00:05:14] You know, security is kind of rapidly becoming a supporting pillar of pretty much everything we do in our lives, right? Anywhere we're using technology - in our homes, in the workplace - security is really a key concern. And most nations across the planet have also recognized that there's a distinct shortage of people with the right skills to help keep us safe. So this is an initiative to identify and expand that next generation of security practitioners that'll help us secure everything from internet of things devices to future banking or even military.

Carole Theriault: [00:05:48] But I keep hearing from graduates saying, look, I've gone to school; I studied IT security at college or university, and I'm not getting into the industry; no one wants to hire me. Where's the disconnect here?

James Lyne: [00:06:00] Starting kind of at the top end of the funnel there, people that have maybe done some study, have some existing skills - there's a real challenge when lots of industry organizations are looking for people with five years experience, with proven skills as practitioners. And in many cases, people coming out of traditional academic study roots don't have that kind of level of experience required to get into those roles. So there's a shortage of internships or apprenticeships to make people be able to pivot. Even with that group of people that are trying to make it through to those roles, there's still kind of a collapsing of cybersecurity down to a single profession. It's seen as this one thing when there's a huge plethora of different types of roles which need lots of people with diverse skills, different interests, which often doesn't get reflected in the recruitment processes of many organizations.

Carole Theriault: [00:06:51] So how is SANS stepping up to kind of bridge this gap?

James Lyne: [00:06:55] Yeah, it is a fascinating experiment that started kind of four or five years ago. I remember sitting in a local cafe writing some of the first lines of code for this. And thankfully it's been taken over by far more competent developers now than me.

Carole Theriault: [00:07:08] (Laughter).

James Lyne: [00:07:09] So we took each of the major disciplines - forensics, kind of binary exploitation, reverse engineering, penetration testing - and worked backwards abductively to the skills and problem-solving that you would need to be effective. And then we wrapped it in a game with narrative where people go and work for the cyber protection agency - leveling up their skills, solving these kind of fun challenges. So this program at the moment is for people in the U.K....

Carole Theriault: [00:07:35] OK.

James Lyne: [00:07:36] ...For 14- to 18-year-olds although there's also the ability to be a club leader. So if you're teacher, maybe a parent, or you want to be a volunteer, you can lead a set of young adults through the challenges in a club and help inspire them with that passion. That's much needed for this next generation of security practitioners. That being said, we are looking at running programs elsewhere. We'll be expanding over the next couple of years to other countries. We're looking for opportunities to do that. And based on how the inaugural year of cyber discovery has gone so far, we can see it's going to make a huge difference for the level of talent that's out there.

Carole Theriault: [00:08:18] My fingers and toes are crossed. If you or someone you know are between the ages of 14 and 18, based in the U.K. and want to learn more about this SANS free cyber training program check out, join cyberdiscovery.com. James, thanks so much for joining us today. This was Carol Theriault for the CyberWire.

Dave Bittner: [00:08:41] Ukraine's SBU security service says it detected and stopped a massive Russian attempt to compromise judicial targets. The attack vectors were malicious accounting documents distributed as attachments to phishing emails. The SBU says they traced the malware's command and control infrastructure to Russian IP addresses. The SBU speculates that the campaign's intention was both espionage and the disruption of judicial services. The report comes at a time of heightened tension in Russia's hybrid war against Ukraine - most recently Russia's engagement with and capture of Ukrainian naval vessels in the formerly binational but now disputed Sea of Azov. It's perhaps noteworthy that NotPetya, which started its worldwide romp in Ukraine, was spread through compromised accounting software widely used for tax preparation in that country.

Dave Bittner: [00:09:36] The EU continues to push Big Tech on election security, especially as elections for the European Parliament scheduled for May approach. Their principal concern is disinformation, and the announcement of the EU's action plan explicitly names Russia as the principal concern now and going forward. The announcement outlines four areas in which the union intends to take action. First, they commit themselves to improved detection with strategic communication task forces and the EU Hybrid Fusion Cell taking the lead. The responsible agency, the European External Action Service, will see its strategic communication budget double with a view to more effectively addressing disinformation.

Dave Bittner: [00:10:19] Second, the EU will establish a dedicated rapid alert system to facilitate data and assessment sharing. Rapid alerts are expected to serve the goal of coordinated response. Third - and this one will be of most significance to industry - the EU will effectively implement the commitments made under the code of practice. These involve first a requirement of transparency and authenticity. Bots and people who are not what they claim to be are to be expelled from the platforms they use. And second, there will be an expanded rumor control effort that will draw upon fact-checkers and academic researchers who will monitor the internet for disinformation and post responses in a more visible way. Finally, there will be a coordinated effort to promote media literacy among EU citizens.

Dave Bittner: [00:11:09] In the U.S., as initially reported by Politico, The National Republican Congressional Committee, the NRCC, reports that emails of four senior staffers were compromised. The NRCC was responsible for coordinating the recently concluded midterm campaigns. They discovered the compromise in April. And security firm CrowdStrike, already on retainer to the NRCC, conducted the internal investigation. The case has now been referred to the FBI who is investigating. There's no attribution yet, nor has stolen data surfaced anywhere so far. As Wired reports, the breach while serious was more limited than those the Democratic National Committee sustained during the 2016 election cycle. There seems to have been no malware installed in NRCC systems, and the attack seems to have been accomplished by using compromised credentials to gain access to emails in a cloud service.

Dave Bittner: [00:12:03] The responsible party is widely assumed to be Russia. And this is being taken as an instance of what Defense Secretary Mattis last week called Moscow's ongoing efforts to muck with U.S. elections. It's important to note that such attribution at this stage rests - publicly at any rate - on a priority plausibility. While elections receive the most media attention - practically the lion's share - the Center for Strategic and International Studies warns of Russian influence operations aimed at undermining trust in the U.S. judicial system. The think tank has an ongoing project monitoring such activities, and they report that here, as elsewhere, the adversary's goal is to weaken civil society and trust in institutions. This objective can be expected to be pursued opportunistically without any particular ideological commitment or consistency.

Dave Bittner: [00:12:57] For all the stick Moscow is receiving in the west this week, it's worth noting that not all the news today necessarily reflects badly on the Russian government. The recent phishing campaign against the U.S. State Department and various think tanks that FireEye and CrowdStrike tentatively attributed in mid-November to APT29. That's Cozy Bear. A unit of Russia's SVU or FSB now looks less clearly the work of the Russian operators. Research by Microsoft, whose office suite was the conduit for the phishing and which is in a position to have access to considerable data concerning the incidents, concludes there's not enough evidence to warrant that conclusion.

Dave Bittner: [00:13:37] Redmond tracks a threat group YTTRIUM, whose activities overlap those of APT29. And the verdict on YTTRIUM and so on APT29 should now probably be - well, not quite not guilty but probably not proved. And finally, as hoped or feared depending on one's preferences or allegiances.

Dave Bittner: [00:13:58] Westminster has released the internal Facebook emails the U.K.'s parliament strong-armed out of a third-party litigant. The high-level emails outline various ways Facebook considered monetizing users' data. Motherboard and other outlets consider the emails damaging to Facebook. But they do seem to show, mostly, that Facebook actively considered the revenue opportunities that might be found in their users' information. But at this point, few will be surprised that the itch to monetize data is the temptation of the 21st century.

Dave Bittner: [00:14:35] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult even for the most technical users to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:44] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He's also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.

Joe Carrigan: [00:15:53] Hi, Dave.

Dave Bittner: [00:15:54] So today I wanted you to explain to me all about the National Centers of Academic Excellence. What's going on with this organization?

Joe Carrigan: [00:16:03] So this is not really an organization. But it's kind of a program run by two organizations in the government - the National Security Administration, the NSA, and the Department of Homeland Security. And they jointly sponsored the CAE project. And what this is - it's a way of recognizing schools who have good cybersecurity programs. And Johns Hopkins University Information Security Institute is a CAE Center of Excellence.

Dave Bittner: [00:16:28] OK.

Joe Carrigan: [00:16:28] The way this works is you have to apply to the program and have your curriculum evaluated, your facilities evaluated. And the community is very involved in this. In fact, I'm involved in the application review process. And it's a great way to make sure that number one - as an academic institution, you're training people in what is necessary for cybersecurity...

Dave Bittner: [00:16:51] Right.

Joe Carrigan: [00:16:51] ...Because we use these tools for evaluation that map directly to the NICE framework. Now, I talked previously here about going to the NICE Conference. The National Initiative for Cybersecurity Education has a conference every year. And they also produce the NICE framework, which tells you, you know, the job roles and the things those people need to fill. It's a great resource from the National Institute of Standards and Technology on how cybersecurity organizations should be laid out...

Dave Bittner: [00:17:22] OK.

Joe Carrigan: [00:17:22] ...Depending on what you need to protect.

Dave Bittner: [00:17:24] Right.

Joe Carrigan: [00:17:24] Right? So this Centers for Academic Excellence process maps directly to that so that you know that you're meeting the needs that are out there in the marketplace right now.

Dave Bittner: [00:17:34] So what's in it for the academic institution other than this sort of vetting? Are there any other - does it give you access to anything? Can you - is it - does it make it easier for you to place students in some of these government institutions? How does it work?

Joe Carrigan: [00:17:48] It does make it easier to place students in government institutions.

Dave Bittner: [00:17:50] Yeah.

Joe Carrigan: [00:17:51] Absolutely. I know that there's a number of institutions. I know that Capitol Technology University has a great relationship with the NSA. And they're also a Center of Academic Excellence. You're denoting yourself as someone who's meeting current needs and that your students are going to have a much better opportunity for employment when they get out.

Dave Bittner: [00:18:09] So it's something - if I'm a student shopping around for where I might want to study cybersecurity...

Joe Carrigan: [00:18:15] Right. So if you see that the college you're applying to is designated as a CAE institution, then I would consider that more than one that wasn't - not to say that if it doesn't, it's a bad program. That's not what I'm saying.

Dave Bittner: [00:18:27] Yeah.

Joe Carrigan: [00:18:27] What I'm saying is that the program that is a CAE designation is meeting certain criteria for current requirements.

Dave Bittner: [00:18:36] Now, is this just four-year universities? Can community colleges...

Joe Carrigan: [00:18:39] Nope.

Dave Bittner: [00:18:39] ...Take part in this as well?

Dave Bittner: [00:18:40] At community college, there's a two-year designation. There's a four-year designation, and then there's a research designation as well. So it can also be applied to master's programs like ours at the Information Security Institute...

Dave Bittner: [00:18:50] Right.

Joe Carrigan: [00:18:50] ...And Ph.D. programs as well.

Dave Bittner: [00:18:52] All right. All right. Well, thanks for the update there. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:18:56] My pleasure, Dave.

Dave Bittner: [00:19:02] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.