The CyberWire Daily Podcast 4.19.16
Ep 81 | 4.19.16

New ransomware, along with some golden oldies. Quantifying cyber risk.

Transcript

Dave Bittner: [00:00:03:13] ISIS sympathizers return to the cyber attack, but once again they concentrate on defacing poorly defended targets of opportunity. Analysts conclude that HR data smuggled out by a disgruntled former ISIS insider are genuine. A new strain of ransomware is observed, but surveys of the threat landscape show that a lot of oldies are still golden. And Apple responds to prosecutors' requests in that other All Writs Act case.

Dave Bittner: [00:00:30:06] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:00:53:00] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday April 19th, 2016.

Dave Bittner: [00:00:59:04] As the US steps up its cyber offensive against ISIS, hacktivists sympathetic to the jihadist group have resumed their own cyber attacks. "Team System DZ," an Islamist hacktivist group based in Algeria, defaced around 80 websites over the weekend. The affected sites were hosted in the UK, the US, France and Israel, but a substantial fraction of them belong to the government of Richland County, Wisconsin. The attacks are consistent with ISIS's record, hitting poorly defended sites that provide targets of opportunity. It's the third time in a little more than a year, for example, that Richland County has suffered website defacements at the hands of what CSO characterizes as "script kiddies."

Dave Bittner: [00:01:39:23] You may recall the recent defection of an ISIS member who carried away on a USB drive what essentially amounted to the caliphate's HR records. The US Military Academy's Combating Terrorism Center has worked through the data on that drive and concluded that they're genuine. The defector, who's going by the name "Abu Mohammed," said initially that he broke with ISIS over his disillusionment with the group's claim to be genuinely Islamic: too many Ba'athist alumni with no discernible religious commitment.

Dave Bittner: [00:02:08:21] A serious challenge facing organizations these days is how to appropriately allocate limited resources, balancing your assets against the potential damages a cyber attack could inflict. Chris Morgan is CTO at IKANOW and we asked him to give us some perspective on quantifying cyber risk.

Chris Morgan: [00:02:25:21] I think people are wrestling with, how do they measure actually the business value of their assets, against potentially a cyber risk position. So one of the things that we've been looking at doing and helping organizations with is measuring the business value within their assets themselves and then helping those organizations kind of understand, based on those assets, where the potential risk is from a vulnerability prioritization perspective.

Dave Bittner: [00:02:51:03] Quantifying cyber risk can seem complex, but Chris Morgan has some practical advice for organizations looking to explore the process.

Chris Morgan: [00:02:58:05] In looking at the cyber resiliency plans, coming up with just a few key metrics that they specifically would want to look at and measure quarter by quarter, there's improvements, so specifically things like IoC matching against the assets, but also looking at IoC matching against the assets, against the business value. So some measurement of confidence against that business value of the asset. So that basically you can instill in security operations a way for the analyst to make smarter decisions. Ultimately, that's what you're trying to achieve, is making your analyst make the smartest decision possible based on the limited information they have. And the only way to do that really is looking and measuring the type of work flows that are required to do that.

Dave Bittner: [00:03:44:00] That's Chris Morgan from IKANOW. Their website is ikanow.com.

Dave Bittner: [00:03:50:07] Proofpoint reports that it's found a new ransomware variant, "CryptXXX," which it's traced to the criminal group behind Reveton. CryptXXX is being dropped by the Angler exploit kit.

Dave Bittner: [00:04:02:05] The GozNym "double-headed" financial malware being tracked by IBM Security is apparently enjoying a successful run, netting some $4 million from US and Canadian banks.

Dave Bittner: [00:04:15:07] Litigation over privacy continues even now that the US Department of Justice has withdrawn its request that Apple help decrypt the San Bernardino jihadist's iPhone. In a related All-Writs-Act case surrounding a New York meth trial, Apple has responded to the government's demand for assistance by claiming that prosecutors have failed to show that they require Apple's help. And Microsoft has cited EU privacy laws in its refusal to give US authorities requested data that reside in Microsoft's Irish servers.

Dave Bittner: [00:04:45:14] OptioLabs' Bill Anderson has offered the CyberWire his perspective on the issues surrounding such legal disputes. While it surely makes sense, under many circumstances, that the government would not want subjects of investigation to know that they're under surveillance pursuant to a criminal inquiry, where, he asks, does the process end? How, for example, does one return from being a "person of interest" to being an ordinary citizen again? "Are we all," he asks, "to be subjects of investigations forever?"

Dave Bittner: [00:05:14:16] And finally, in news of a law firm breach not involving Mossack Fonseca, a disgruntled former insider at Locke Lord LLP has been sentenced to seven years and a fine of $1.7 million on his conviction of two counts of illegally accessing and damaging the firm's networks in 2011. And thus, we end with one bit of best practice recommendation: do pay attention to security when you out-process employees. In this, at least, the good guys seem to enjoy an advantage.

Dave Bittner: [00:05:48:14] This CyberWire podcast is brought to you by SINET ITSEF, the IT Security Entrepreneurs Forum, meeting in Mountain View, California, April 19th through the 20th, 2016. Bridging the gap between Silicon Valley and the Beltway by bringing together the innovators, entrepreneurs, investors and policy makers who are shaping the next generation of security solutions. Learn more at security-innovation.org.

Dave Bittner: [00:06:23:08] I'm joined once again by Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security, one of our academic and research partners.

Dave Bittner: [00:06:32:21] Markus we recently saw the release of a draft of a bill called the "Compliance with Court Orders Act of 2016." So far the reaction to this bill has not been positive.

Markus Rauschecker: [00:06:42:06] That's true, we did see this new cryptobill coming out and being proposed. Generally speaking I think the bill is a response to the encryption issue that we've seen in the legal battle between Apple and the FBI. Certainly, as you recall, there was this encryption issue and an issue about whether or not the FBI or law enforcement in general could compel a private company to assist the FBI in unlocking an encrypted phone. As you might also recall, the central legal issue in that battle between Apple and the FBI was whether or not this old All-Writs-Act of 1789 could be used to authorize the law enforcement to compel Apple to provide technical assistance. So I think this cryptobill is a direct response to that question. The cryptobill, that's being proposed by Senators Feinstein and Burr, would make it very clear and would require private companies to help law enforcement provide information or data that's unintelligible, i.e., encrypted, and provide that information or data in an intelligible way to law enforcement, pursuant to an authorized judicial order.

Dave Bittner: [00:07:53:16] And the reaction has been overwhelmingly negative. Even the White House has said they don't support the bill. How could they have released a draft of a bill that seemed to be so tone deaf to the realities of encryption as we know it?

Markus Rauschecker: [00:08:06:09] It's unclear why this bill would be proposed in this way, as it seems so obviously controversial and would seem like it would get a lot of opposition right from the get-go. But I think the bill is the first step in trying to address this encryption issue and I think to a lot of people, this bill seems to be a straightforward way of addressing that issue. Again, if the issue here is whether or not law enforcement can compel someone or some organization to provide technical assistance pursuant to a judicial order, then certainly this bill would provide the most straightforward way for law enforcement to get that assistance.

Dave Bittner: [00:08:53:03] So it may just be a matter of whether they have the right to request something, regardless of whether that is technically possible?

Markus Rauschecker: [00:09:00:12] I believe so, yes. I mean law enforcement doesn't want to live in this dark space where they can't get access to information that they might need in a law enforcement investigation. So the question really is how do we best address this issue? I think there are legitimate reasons on both sides, but it's going to require a solution that's a little more nuanced than what is being proposed by this cryptobill here.

Dave Bittner: [00:09:26:03] Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:09:30:22] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com. And while you're there subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.