Anonymous vs. Israel. Panama Papers. The view from Japan.

Dave Bittner: [00:00:04:00] Israel was prepared for #OpIsrael, as it usually is, but #OpIsrael may play a larger HR role in the cyber underground than is often appreciated. Law firms do some security introspection in the Panama Papers aftermath. An adware variety moves from Windows to OS X. Adobe distributes its expected emergency patch for Flash Player. Tech industry observers see layoffs coming this year. We share some of the aphoristic advice for business we heard yesterday at the Cybersecurity Risk Management 360, and we wonder, what's the connection between the Mission Impossible theme music and hacktivist bad judgment?

Dave Bittner: [00:00:42:13] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect the execution of advance persistent threats and malware. Learn more at cylance.com.

Dave Bittner: [00:01:05:16] I'm Dave Bittner in Baltimore, with your CyberWire summary and weekend review for Friday April 8th, 2016.

Dave Bittner: [00:01:13:12] Yesterday was Anonymous's annual's #OpIsrael, the regular hacktivist action whose stated goal is to “erase the Zionist devil from the Internet," which of course it didn’t succeed in doing. Hack Read called #OpIsrael "more hype than harm," and indeed the attacks, DDoS being the favorite tactic, didn't rise above the nuisance level.

Dave Bittner: [00:01:35:11] But as a famous space pirate once said, "Don't get cocky, kid." Re/code puts the warning rather breathlessly: "Anonymous’ ‘Hack Israel Day’ Could Impact the Entire World." Behind the screamer headline is a serious point. Hacktivist actions, especially #OpIsrael, recruit effectively, and they can also serve as surprisingly effective training opportunities for aspiring hacktivists who eventually find their way into the cyber criminal market.

Dave Bittner: [00:02:02:05] That criminal market, according to a new study by Dell SecureWorks, remains immature, but it's growing in sophistication, with improved "customer service," more sophisticated offerings, including some surprisingly comprehensive business dossiers, and an increasingly collaborative dark web ecosystem.

Dave Bittner: [00:02:19:04] Analysts continue to look into the Panama Papers hack, or at least look at it, since details of how the hack was accomplished remain sparse. They're offering much speculation - we stress speculation - about the potential role lax security could have played in exposing the data. Since some form of lax security somewhere contributing to a successful cyber attack is as close to a sure thing as we're likely to have in this life, the analysts are making a pretty safe bet, but details remain far too thin on the ground for any more interesting conclusions to be drawn. But law firms are taking the incident as a cautionary tale, and show signs of doing some security introspection.

Dave Bittner: [00:02:57:17] Japan is taking advantage of the prominence of influential Chinese families to score public relations points against its regional rival.

Dave Bittner: [00:03:06:04] And speaking of Japan, this advanced country has a significantly different cybersecurity landscape than what Westerners may be accustomed to. William Saito is special adviser to the Prime Minister of Japan.

William Saito: [00:03:17:10] The startup scene in Japan is definitely different from other parts of the world. It's still definitely in its infancy. We don't have any major players yet and I think a lot of the type of security products that we use still tend to come from the United States, Israel and other countries. So there's not much of a domestic presence quite yet.

William Saito: [00:03:34:18] There is venture capitalist play here. There are a lot of government subsidies as well. The venture capital is not traditional venture capital that you see in places like the US, but there is a lot of activity in this area, so to give it credit, I think [INAUDIBLE] activity has definitely increased in the last 18 months, two years.

Dave Bittner: [00:03:53:16] In many western nations, academic institutions are a common incubator for cybersecurity startups, but according to Saito, structural differences in Japan's educational system can present challenges.

William Saito: [00:04:04:22] The educational basis of Japan doesn't teach many of the students, for example, who come from the sciences, managerial skills, humanity based accounting, marketing, and so you see a skills delta compared to other countries and so that's unfortunate but there is tech that comes out of school and academia, whether they survive for X number of years, that's questionable.

Dave Bittner: [00:04:33:11] Saito noted that when recommending cybersecurity products and services in Japan, it's important to recognize the cultural differences in how they prioritize risk.

William Saito: [00:04:43:01] Doesn't do well to try to sell it as a theft prevention thing. That a lot of companies still feel that their data, their intellectual property is not necessarily data bound yet and so they feel some level of reluctance to protect something. So I think cybersecurity is looked at from a different angle and specifically things like integrity. So your data may not be worth much if you get it stolen, but if it was changed, then schematics, wire transfers, contracts, if they were surreptitiously changed by a competitor, what kind of impact would that have?

William Saito: [00:05:16:05] So I approach cybersecurity in Japan definitely from a different angle because theft is not necessarily articulable as, say, other Western cultures.

Dave Bittner: [00:05:26:03] He also suggested the Japanese market provides ample opportunities for companies looking to do business there.

William Saito: [00:05:32:01] Given the pressures that cybersecurity plays and that it's inherently a global issue, there are huge opportunities here to arbitrage and enter into a market that's just finally waking up and going "Wow, this is a problem." Then on top of this, we have the Olympics coming in four years, and so this is definitely raising priority on cybersecurity and risk and security in general. So these things are definitely of interest because you can't grow domestic innovations and companies overnight. So I think there is that vacuum and it's an opportunity for other countries and people.

Dave Bittner: [00:06:06:19] Many consider Japan to be relatively insulated from cyber attacks, in part due to the language barrier, but recent attacks like Operation Dust Storm have highlighted the global nature of criminal cyber activities.

William Saito: [00:06:18:02] The first generation would say that "Yes, Japan is an island and therefore we're inherently protected." Obviously that doesn't hold true in an ICT connected world where internet tears down these borders. The second generation would say that "Oh hackers couldn't read Japanese." It's really no longer true because at its core, coding is coding.

William Saito: [00:06:37:22] To make matters worse, in Japan you have this radically aging society, and so this kind of society is really gullible to social hacking and other issues. So you see that once you could get past the first layer on many of these things, you have a very rich populus that is really old and not very IT sophisticated. So it's lucrative from a criminal standpoint if you can get into this and again, language is actually not that huge a hurdle. So these are areas I try to really emphasize to companies and going that security obfuscation is not really something that one should bet their company on.

Dave Bittner: [00:07:16:22] That's William Saito, special adviser to the Prime Minister of Japan.

Dave Bittner: [00:07:22:06] In other hacking news, Cybereason reports finding a version of the Windows-based Pirrit adware affecting Macs. "OSX.Pirrit", as Cybereason calls the new strain, has so far mostly served up benign, if unwanted, ads, but the researchers warn that the adware has the potential to evolve into a significant attack vector. Right now it infects Macs, creates a proxy server, and inserts advertising into web pages. But Cybereason has said the adware could easily be adapted to install a keylogger or other data theft and exfiltration tools. Samples of OSX.Pirrit have been carried by bogus Adobe Flash updates, and by other compromised files.

Dave Bittner: [00:08:01:19] Speaking of Adobe, they issued their promised emergency patch for Flash Player yesterday, for Windows, Macintosh, Linux and ChromeOS. The Magnitude exploit kit is actively exploiting Flash Player in the wild, so all users would be advised to update, with the actual patch, not a bogus one, as soon as possible. Cerber ransomware is among the malware being distributed through this zero-day.

Dave Bittner: [00:08:25:11] Ars Technica looks at other ransomware incidents and glumly notes that this form of attack now offers criminals an "easy payday." Sure, the victims don't always pay up, MedStar, for example, didn't, but the crime is still a very low-risk, high-reward proposition. Some $24 million are said to have been paid to ransomware purveyors by their victims in 2015, and most observers expect the figure to rise. US Federal authorities are now firmly on record as advising against paying cyber ransom.

Dave Bittner: [00:08:54:17] Security researcher David Longenecker reports that the Arris SURFboard cable modem, SB6141 model, is vulnerable to reboot attacks. A firmware patch is expected for the widely used modem, but it's not available yet.

Dave Bittner: [00:09:11:21] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date with engaging and informative videos. For a free seven day trial and to save 30 percent, visit ITPro.tv/cyber and use the code CYBER30.

Dave Bittner: [00:09:36:18] Joining me is Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and he's also Director of the Maryland Cybersecurity Center, one of our academic and research partners.

Dave Bittner: [00:09:44:20] Jonathan, I was at a conference recently and one of the presenters was talking about fully homomorphic encryption. I have to admit it was a little bit over my head, but I thought to myself, "I know who I can ask about this and also have him share it with our listeners." Fully homomorphic encryption. What is it?

Jonathan Katz: [00:09:59:17] Well fully homomorphic encryption is really fascinating. It's been one of the holy grails as it were of cryptography since the 1970s and for a long time it was unclear whether any sort of fully homomorphic encryption scheme could even exist. And it wasn't until a breakthrough by Craig Gentrya few years ago that the cryptographic community even thought that such a thing would be possible.

Dave Bittner: [00:10:21:17] Can you give us a description of how it works?

Jonathan Katz: [00:10:24:06] Well at a high level what fully homomorphic encryption allows you to do is to compute on encrypted data. So the basic idea is that I can take some data, I can encrypt it and send it to you. You can then perform a set of operations on the ciphertext that I send you and compute anything you like about the underlying encrypted data - all the time without learning anything about what's been encrypted - and then send it back to me, at which point I can decrypt and recover the answer.

Jonathan Katz: [00:10:51:06] So this basically, among other things, allows me to outsource computation to you, and to get back a result without violating the privacy of my data at all.

Dave Bittner: [00:11:00:17] Are there any drawbacks?

Jonathan Katz: [00:11:02:24] Well the problem is that right now the schemes we know of are inefficient to the point of being completely impractical. And the overhead that's introduced by fully homomorphic encryption is several orders of magnitude over the underlying computation itself. Nevertheless, researchers continue to work on it and we can hope that within a few years or maybe a decade, we'll see systems that bring down this overhead to something much closer to practical.

Dave Bittner: [00:11:25:18] Alright, interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:11:32:21] This CyberWire podcast is made possible by the generous support of Cylance, offering cybersecurity products and services that are redefining the standard for enterprise endpoint security. Learn more at cylance.com.

Dave Bittner: [00:11:59:16] Industry news is mixed. On the good-news side, KEYW lands a five-year, $152 million cybersecurity training contract with an unnamed US customer, and the company moves closer to the long prepared sale of its Hexis unit. Dell and EMC, as they prepare for their upcoming merger, are also divesting themselves of several units, including cyber player SecureWorks, whose initial public offering is expected later this month.

Dave Bittner: [00:12:26:20] On the less-than-good-news side, several big tech companies are expected to go through a cycle of layoffs this year. While this is an IT story as opposed to a specifically cyber story, the sectors overlap enough to make layoff predictions interesting. Here's how InformationWeek sees it. VMWare is expected to shed 10-15% of its employees, Symantec 15%, Yahoo 30%, EMC 15-20%, Cisco 20%, HP 30%, Microsoft 15%, Oracle 20%, Hewlett Packard Enterprise 30%, and IBM 25%.

Dave Bittner: [00:13:02:14] Two observations are in order. First, these figures represent informed analyst conclusions, not firm corporate announcements, so the news may turn out to be much better, or, alas, somewhat worse, than predicted. Second, should the layoffs occur, other companies should recognize that there's a lot of solid talent that's now back on the market, and hire accordingly. After all, we hear there's a shortage of cybersecurity workers out there, right?

Dave Bittner: [00:13:28:05] We attended the Cybersecurity Risk Management 360 yesterday. You'll find a summary of the proceedings on our website, thecyberwire.com, but we wanted to share a few aphorisms the speakers left with us. On risk, "People think it's never going to happen to them. Until an event occurs, we have a hard time getting their attention." On insurance, "You buy property insurance, why not cyber insurance? A cyber attack is more likely than a fire." On the quantification of risk, "It's important to communicate costs to small businesses. The costs of insurance, and the costs of potential incidents." And, finally, on change, "The number one thing that drives change is customers. If you lose a customer because you don't have adequate security, you've lost money."

Dave Bittner: [00:14:17:03] Finally, a gentleman in Oklahoma City is looking at ten years in prison for various forms of illicit online harassment of a security researcher who helped put one of his fellow hackers behind bars back in 2009. The two hackers, handles c0aX and GhostExodus, were members of what they styled the "Electronik Tribulation Army" or ETA. That's "electronic" with a final "k," if you're keeping score at home.

Dave Bittner: [00:14:42:24] Mr. cOaX sought to avenge Mr. Exodus's 2009 arrest with various online capers that include masked and be-hoodied videos of himself. But perhaps the real blame for Mr. Exodus's arrest should be laid to the 2009 video he posted to YouTube, featuring himself uploading malware to a former employer's system, accomplished to the tune of the "Mission Impossible" theme.

Dave Bittner: [00:15:05:08] So here's some free advice to the hacktivist underground. Pick your battles, and, when you fight them, don't feel you need to go the full good-morning-mister-phelps. After all, nothing on the Internet self destructs in five seconds.

Dave Bittner: [00:15:21:10] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.