Industry notes, including a look at labor markets. Cyber gangland and its neighborhoods.

Dave Bittner: [00:00:03:15] Nation-state hacking gets mixed reviews. Three cheers for the American red, white and blue versus ISIS, but thumbs down to those colors when they fly over Russian ops in Scandinavia. Privacy seems to be intentioned not only with security but with transparency as well. Crimeware is merging for new functionality and some ransomware gangs are finding the blockchain a good infrastructure alternative. We take a look at educating the rising cyber labor force and we learn something about the challenges of data security in the cloud. And finally, we look at the good, the bad and the ugly. You can tell them apart by the color of their hats.

Dave Bittner: [00:00:42:00] This CyberWire podcast is brought to you by SINET ITSEF, the IT security entrepreneur's forum meeting in Mountain View, California, April 19th through the 20th, 2106. Bridging the gap between Silicon Valley and the Beltway, by bringing together the innovators, entrepreneurs, investors and policy makers who are shaping the next generation of security solutions. Learn more at security-innovation.org.

Dave Bittner: [00:01:14:05] I'm Dave Bittner in Baltimore, with your CyberWire summary and weekend review for Friday April 15th, 2016.

Dave Bittner: [00:01:21:22] The week that's ending saw the return of ISIS to prominent online information operations. In this case, making its inspiration specific by marking individual apostates and crusaders for death. One hopes that security authorities are properly alert. In any case, the US has stepped up military offensive cyber operations against the self-proclaimed caliphate, and there have been few objections from other nations. Not even, apparently, from Russia with whom the US and Turkey have found themselves at cross purposes in Syria.

Dave Bittner: [00:01:52:18] The Panama Papers and the coming implementation of the Privacy Shield Data Handling Agreement between the European Union and the United States, brought into focus an under appreciated tension. It's long been clear, and it's long been discussed, that there are certain conflicts between security and privacy. The Mossack Fonseca data loss suggests that the relationship between privacy and transparency is also problematic.

Dave Bittner: [00:02:16:13] This hasn't gone unnoticed by Department of Justice partisans in the FBI Apple iPhone breaking dispute. One DoJ attorney speaking for himself noted this week that Apple seems to have more in common with Mossack Fonseca than it does with the EFF. We're paraphrasing what Jeff Breinholt wrote in War on the Rocks is that Apple was acting like an offshore tax haven.

Dave Bittner: [00:02:39:00] The FBI by the way, still hasn't found much of anything on that jihadi's iPhone and consensus is that the Bureau's unlikely to tell Apple just what its hired gray hat hackers did to gain access.

Dave Bittner: [00:02:50:03] The security industry saw a mixed week in the stock exchanges as investors grapple with appropriate valuations. One issue companies and governments are struggling with is recruiting skilled cyber workers. US Federal CIO Tony Scott addressed a Passcode session in Baltimore this Tuesday about the sector's need to close the talent gap by opening careers to people who may have been overlooked due to their background, formal education and the like, or even overlooked because job descriptions are written in ways many people find unappealing. Not everyone wants to think of herself as a cyber ninja for example.

Dave Bittner: [00:03:24:22] One promising way of attracting younger talent to the industry is competitions. We spoke with Jack Harrington from Raytheon on one of these, the National Collegiate Cyber Defense Competition. Here's what he had to tell us.

Jack Harrington: [00:03:36:03] About 180 schools compete and it's all about them being able to prove that they can defend and protect against network attacks and cyberattacks. So they get a real network, there'll be different types of red teams which are the actual hackers that are coming in, and attacking their networks, and they have to keep up the services, they'll have customers, et cetera. And as it goes through these ten regions, then the winner of each one of those regions meets in San Antonio in April for the national title, and that's coming up here very quickly.

Jack Harrington: [00:04:13:16] The best of the best schools make it each year, but it gives the kids real world experience. That's the biggest thing I think for me is seeing how real life it is. They have real life customers, they call them and they get bosses that give them tasks that they have to produce white papers and presentations on, in the midst of all this attack going on. So it's a very interesting event.

Dave Bittner: [00:04:35:12] Harrington expressed the importance of improving the pipeline of workers for both our industry and our nation.

Jack Harrington: [00:04:41:03] We are not only protecting ourselves, we're protecting our customers, we're protecting the products that we provide, and we don't have enough talent, nor do our customers have enough talent out there. And so we've been involved in a program for many years in science, technology, engineering, and math (STEM) education and careers, and it's called Maths Moves You, focused on grade schools. Getting more kids, middle school math students and getting them involved in that science engineering because we don't have enough engineers in our country.

Jack Harrington: [00:05:12:06] Well the same thing is happening in cyber. So this is a natural extension of our STEM involvement and it really is, I think at this point, about getting to the college kids because universities are starting to put Bachelors programs together, starting to put Masters programs together. But the numbers of students that actually are aware of a degree or an opportunity and career in cyber is very low. I think it's a national imperative we get more and more kids involved.

Dave Bittner: [00:05:42:03] For the coming generation, computers and mobile devices are the most natural things in the world, but according to Harrington we need to do a better job at making sure that they consider security with those devices, and the possibility of a career in the field.

Jack Harrington: [00:05:54:07] Kids are born with a device in their hands today. I look at my son, he's 21 and he's texting and snapchatting and doing all the things that young people do, and it's ubiquitous in their life. But they don't think about cybersecurity even from their own IP security, hygiene perspective. Click on anything, two seconds and things are launching, and I think it's a failure at the national education level to get the word out and to say "Hey, protecting yourself is important." And that this is an area that we need to get young people involved in.

Jack Harrington: [00:06:32:17] One of the surveys we did about 50,000 companies were advertising for jobs that require a CISSP certification last year. So that's a cyber and information security certification, and what we found in looking out there is there's only about 65,000 people across the country that have these certifications, and they're all employed already. So you've got 50,000 more that are out there. So we need to be able to create more and I think that that's a matter of getting to the grade schools, high schools and then most importantly getting to these college students.

Dave Bittner: [00:07:11:15] The finals are coming up April 22nd through the 24th in San Antonio, Texas and according to Harrington it is a spectator sport.

Jack Harrington: [00:07:19:00] The biggest thing I'd say is come on out to San Antonio and it's a great weekend. You get to see all the excitement. Saturday afternoon's probably the most exciting time when the red team really unleashes their fury against the ten finalists and before that they're kind of prepping as they go out. So to really see a team, you get down and you see a red team of hackers - these are the best of the best across the country that get recruited and compete to be a part of that prestigious red team. So it's an exciting event.

Dave Bittner: [00:07:50:22] That's Jack Harrington from Raytheon. You can learn more about the National Collegiate Cyber Defense Competition at nationalccdc.org.

Dave Bittner: [00:08:01:03] IBM X-Force researchers report that two banking Trojans, Nymaim and Gozi, have combined into a single malware package, GozNym. It uses Nymaim's two-stage malware dropper, then deploys Gozi's injection of a malicious dynamic link library. More than seventy banks are said to have been infected. GozNym is being delivered for the most part by malicious macros in email attachments. This isn't the first time malware has been combined. Attackers have done this sort of thing before as an effective way of packaging desired functionality. The ShifuTrojan that appeared in 2015 for example, integrated aspects of Shiz, Gozi, Zeuss, and Dridex.

Dave Bittner: [00:08:41:24] CTB-Locker ransomware is now using the Bitcoin blockchain to deliver decryption keys to victims, and also to take victims' payments, according to Sucuri. This approach makes it easier for the criminals running the extortion. They no longer have to maintain an elaborate infrastructure of gateways to their back end server.

Dave Bittner: [00:09:04:09] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.

Dave Bittner: [00:09:25:17] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and Director of the Maryland Cyber Security Center, one of our academic and research partners.

Dave Bittner: [00:09:34:19] Jonathan, I know an area of research for you and your colleagues at the University of Maryland is the security of data in the cloud.

Jonathan Katz: [00:09:41:15] Well one of the issues that comes up with cloud computing is that you have users that are outsourcing their data to the cloud, and then either doing computation over that data in the cloud, or just perhaps using it as a storage medium and then retrieving the data afterward.

Jonathan Katz: [00:09:55:03] So there are two concerns that come up, most naturally. One of them is privacy of the data, keeping the data hidden to the extent possible from the cloud. And the other that comes up is the issue of integrity, that is making sure that the data that you've uploaded to the cloud is not being tampered with, modified or accidentally deleted.

Dave Bittner: [00:10:12:05] Alright, so what areas are you all exploring when it comes to this stuff?

Jonathan Katz: [00:10:15:20] Well on the area of ensuring integrity, one thing we're looking at is outsourcing schemes that allow a user for example to upload their data to the cloud, as I mentioned. And then be able to post queries on the data, for example search queries, range queries, exact matches, what have you. And be assured that the results they get back is actually correct with reference to the original data that they uploaded.

Jonathan Katz: [00:10:38:05] So the challenge here is to make sure that the scheme is efficient, namely that the user doesn't have to store very much data, doesn't have to do a lot of computation. But nevertheless can be assured that the answer they get back from the cloud is indeed correct, and like I said, hasn't been tampered with or fabricated completely.

Dave Bittner: [00:10:54:08] So how about the privacy angle?

Jonathan Katz: [00:10:56:17] Well there, one of the challenges is to ensure that the user can access their data obliviously, because even if the user encrypts their data so that the cloud can't actually view any of the underlying data itself, the cloud provider may be able to learn a lot of information by looking at which items in the data the user is constantly accessing. So for example if they see the user repeatedly accessing one item, they know that that's currently an item of interest.

Jonathan Katz: [00:11:21:01] So one thing we're working on here is the development of so called oblivious data structures that allow a user to obtain their data without revealing to the cloud even when they're accessing the same data multiple times and without revealing in fact anything about the access pattern to the data. This is just one mechanism that can be used to ensure privacy for the data being stored by the client.

Dave Bittner: [00:11:41:24] Interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:11:48:03] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:12:20:01] This was the week of patch Tuesday. If you were worried about the mysterious Badlock vulnerability, take heart. Badlock turns out to be bad, but not truly horrific and Microsoft has now patched it.

Dave Bittner: [00:12:31:02] Sysadmins should pass Cisco's Unified Computing System, UCS Central Software. Researchers have discovered that a remote unauthenticated attacker can compromise UCS.

Dave Bittner: [00:12:42:10] Users of Quicktime for Windows should also take action. It's at the end of its life. Apple will no longer support it, and it's affected by known vulnerabilities. In this case, users should follow Trend Micro's advice and simply uninstall the software as soon as possible.

Dave Bittner: [00:12:56:24] Returning to international cyber conflict, we note that several sources are reporting that Sweden's infrastructure has been under threat of a cyber, or at least an electronic attack from Russia since November of last year. The incident under most discussion is a series of outages Sweden's air traffic control system experienced between the 4th and 9th of November 2015. Krasukha mobile jammer, a very modern but also very blunt electronic warfare instrument. While the Krasukha-4 is said to be clever and agile, it's still a big jammer that puts out massive RF energy designed to shutter hostile surveillance and communication systems as far away as low earth orbit.

Dave Bittner: [00:13:16:21] These disruptions are thought to have been caused by Russian testing of its Krasukha mobile jammer, a very modern but also very blunt electronic warfare instrument. While the Krasukha-4 is said to be clever and agile, it's still a big jammer that puts out massive RF energy designed to shutter hostile surveillance and communication systems as far away as low earth orbit.

Dave Bittner: [00:13:39:20] And the fact that such alleged jamming would have posed a problem for civilian air traffic control systems is unsurprising. What's mildly surprising is the suggestion that the threat to Sweden's infrastructure came either from Russian military forces, or by actors supported or directed by the Russian government, specifically an advanced persistent threat group.

Dave Bittner: [00:13:59:04] This suggests a more conventional cyber attack than the heavy electronic warfare operation implied by Krasukha. Heavy duty jamming would also seem easier to attribute, after all it's unlikely that a group of hacktivist hobbyists say in Kaliningrad would have fabricated their own Krasukha. There's also reports that Swedish power generation and distribution networks may have also been probed.

Dave Bittner: [00:14:22:16] Russia and Ukraine continue to host the world's most active and capable cyber criminal gangs. LookingGlass and LIFARSoffer an overview of Eastern European gangland in the Cyveillance blog. They make a good bit of money from direct theft, but they also realize considerable profit from the sale of products and services. Off the shelf Trojans and DDoS bots are particularly popular items.

Dave Bittner: [00:14:44:17] The gangs also offer hacking services, dedicated server sales, and bullet proof hosting, spam and flooding services, download sales, DDoS services, traffic sales, file encryption services, and exploit writing services and sales. One mild surprise in the Cyveillance report is the minority but influential participation of German black marketeers. Eastern Europe obviously overlaps central Europe, at least for the cyber gangs.

Dave Bittner: [00:15:11:03] One trend in cyber gangland is making the Eastern Europeans infrastructure more robust and resistant to takedowns. According to a Team Cymrureport, more of them are using fast flux networks to change the A Records of a domain rapidly, which yields a swiftly changing list of IPs hosting that domain. This makes it more difficult to take the domain down.

Dave Bittner: [00:15:32:08] Fast Flux network servers are located for the most part in Ukraine and Russia. They're hosting major carding sites as well as TeslaCryptpayment sites, and TreasureHunter point-of-sale controllers.

Dave Bittner: [00:15:44:06] Before we leave cyber gangland, we note that Dmitry Fedotov aka Paunch, the Blackhole exploit kit impresario, was just sentenced to seven years by a Moscow court. Whatever protections Paunch thought he had either reached their expiration date or perhaps he overstepped his bounds or overstayed his welcome. In any case, Paunch and several other cyber criminals are now out of circulation.

Dave Bittner: [00:16:07:22] Finally, on the subject of hackers, here's a quick guide to the various colors of the metaphorical hats they wear. Metaphorical because as everyone knows, all hackers literally wear hoodies. They also say, we hear, "I'm in" a lot, but we might have just heard that on television. Think of the distinction in terms of use and disclosure. White hat hackers are vulnerability researchers, penetration testers and the like. They operate within the law to find security bugs and disclose them to the people who can fix them. Sometimes they earn a bug bounty.

Dave Bittner: [00:16:39:02] Black hat hackers are criminal hackers in the classic sense. They find vulnerabilities and exploit them for illicit gain and somewhere in between are the ones in gray hats. What they do can be a little unclear, whether because the law is unsettled, or because they themselves operate on both sides of the law, or because they disregard commonly accepted precepts of ethical disclosure. Fairly or unfairly, exploit brokers are often grouped with the gray hats.

Dave Bittner: [00:17:06:10] So there you have it in cyberspace. The good, the bad and the ugly.

Dave Bittner: [00:17:15:17] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.