Someone is after Tehran’s hackers. GitLab misconfiguration. AI’s attack potential. Amazon pursues hackers who defrauded sellers. DeepDotWeb indictments. Evil Clippy. Lunch hacks in San Mateo.

Dave Bittner: [00:00:03] The Green Leakers release more information about Iranian cyber operators, including details about MuddyWater and the Rana Institute. A misconfigured GitLab instance exposes data used by Samsung engineers. Thoughts on how AI can shift the advantage to the attacker. Amazon is after hackers who defrauded sellers. DeepDotWeb proprietors are indicted. Evil Clippy does VBA stomping. And a food fight in San Mateo's corner of cyberspace.

Dave Bittner: [00:00:39] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 9, 2019.

Dave Bittner: [00:01:54] There's been another exposure of Iranian hacking operations. Last month, an unknown actor going by Lab Dookhtegam dumped code and other information belonging to the OilRig APT. This week, another actor - perhaps independently, but more probably acting in coordination with the earlier leakers - dropped information via Telegram and various websites that describe other Iranian cyber operations.

Dave Bittner: [00:02:20] This new group calls itself the Green Leakers. The material released includes information on other Iranian cyber operators, specifically the MuddyWater APT and the Rana Institute. The latter has not hitherto been connected to Iranian hacking operations. This material doesn't, as the earlier leaks did, include source code, but it does include screenshots and some information about the threat actors and their victims. Who the leakers are remains publicly unknown, but it appears that someone is actively working against Tehran's cyber operators.

Dave Bittner: [00:02:54] According to TechCrunch, Samsung engineers inadvertently exposed code from sensitive internal projects on an instance of GitLab hosted on a Samsung-owned domain, Vandev Lab. It's another instance of data exposure in a poorly configured service, whose owners unwittingly left it exposed to inspection on the internet. This particular case was discovered and disclosed to Samsung by researchers at the Dubai-based security firm SpiderSilk.

Dave Bittner: [00:03:23] We continue our coverage of last week's Global Cyber Innovation Summit with two pieces linked in today's issue of the CyberWire Daily News Briefing. Among the presentations discussed is a keynote on the dark side of artificial intelligence by Shawn Turskey, who currently serves as the National Security Agency's senior executive representative to the Department of Homeland Security. Turskey pointed out that it's relatively easy to get into a network, but once you're in, knowing where you are is considerably more difficult. Figuring out where you are and what you can access usually takes a human operator.

Dave Bittner: [00:03:57] But suppose, Turskey asked, using the analogy of physical robots that use sensors and artificial intelligence to explore and map physical spaces, that we deployed thousands of bots, all of them artificially intelligent, inside a network. If that were done, he said, quote, "exploits would go through the roof," end quote. To be sure, you might consider automating patching, but when Turskey asked the audience who would be willing to take an automatically generated patch and apply it in their enterprise, he had no takers.

Dave Bittner: [00:04:28] So, Turskey argued, proliferation of AI and machine learning will dramatically increase the number of capable threat actors and decrease defenders' ability to detect those threats. This will increase the threat actors' willingness to attack. He concluded, I think offense wins. You can read more at thecyberwire.com in our Daily News Briefing for May 9, 2019.

Dave Bittner: [00:04:51] Colleges and universities from all over the U.S. organized cyberdefense teams to compete in the annual National Collegiate Cyber Defense Competition, which this year was sponsored by Raytheon. Mariah Kenny is a graduating senior at UVA, and she was team captain of the team that won the national championship.

Mariah Kenny: [00:05:10] There's three rounds. There's the qualifying round, and then there's the regional round, and then there's nationals. There's 10 regions across the country, and then the winner of each region then advances to nationals. So we're from the Mid-Atlantic region. And the premise of the competition is that there's a fictional business network that the students are in charge of defending. So the students are the blue team. The network is under active attack from the red team, who are industry professionals who are basically trying to break into the systems and, like, take down our services.

Mariah Kenny: [00:05:41] So the student side, we're trying to defend the network, and so we're - we have to maintain the services, like maintain business continuity, basically as if we're an actual company and we had customers that were trying to use, say, or website or our mail server or something like that. And then there's also business injects, where they basically ask us either to add something to the network, or we have to report to, like, the board of directors about something. So that's the general idea of the competition itself - the fictional business network that the students are defending, and it's under active attack from industry professionals.

Dave Bittner: [00:06:13] Well, as team captain, what was your role there?

Dave Bittner: [00:06:16] How did you organize everybody and, you know, keep your eye on all the goings-on?

Mariah Kenny: [00:06:21] Sure. So the first year, we were basically just trying to figure out what the competition was and what we were supposed to do in the first place. And so that was a lot of, like, reading the rules and reaching out to people that we knew who understand the competition a bit better than us, kind of figuring out what we were supposed to do in the first place.

Mariah Kenny: [00:06:36] And then, so one of the things that I helped with was basically us figuring out how we were going to structure our team. So we ended up breaking it down so that I was the team captain, but then we had the Windows team who was in charge of Windows systems, the Linux team in charge of Linux systems, and then we had a networking firewall admin that was in charge of the firewall and networking and configuration of the network and everything. And we're still structured like that this year as well.

Dave Bittner: [00:07:01] So what do you suppose gave you all the advantage? What set you ahead that you were able to win the national competition?

Mariah Kenny: [00:07:08] Honestly, our, like, teamwork and communication was our edge. And so last year when we won, we were not the most technical team, but we worked together as a team really well. We obviously did have technical skills and understood those, but we worked together really well and did a really good job communicating. I think that helped us this year as well. We are a much more technical team this year. We definitely learned a lot from last year and took feedback on what we could do better, and we integrated that into our plans.

Mariah Kenny: [00:07:36] But, again, the communication and teamwork was a huge thing for us because it's a very stressful situation. It's a stressful competition. You're under attack. You're trying to defend your systems. And so, you know, you have to keep your cool. And if you need help with something, we would just ask somebody else for help, and we would work together to solve that problem. There was no yelling. There was frustration sometimes, but we were like, all right, let's take a deep breath. This is the problem. What are we going to do about it, and who's going to help you do that? And then we just kind of made it happen.

Dave Bittner: [00:08:04] What's your advice for other students who may be considering taking on these sort of capture the flag competitions?

Mariah Kenny: [00:08:11] My advice to students that want to get involved in the competition, first off, is do it. Even if you don't know anything, just start. A bunch of our team last year, we didn't know a whole lot about cybersecurity. We definitely had some people on the team that did, but some of us really did start at the beginning, especially me. And so having that goal of the competition itself and working towards that goal and figuring out what you need to learn to get there is super helpful, especially for me; I like to have, like, a goal or a project to work on, to learn along the way.

Mariah Kenny: [00:08:39] And then learning with each other is really beneficial because you're - you know, you might know something that somebody else might not know, and they know something you don't know, and so just learning from each other and working together is super helpful. So definitely get involved and get started, no matter where you are, because you'll be able to learn from each other.

Dave Bittner: [00:08:55] You know, you're going to be graduating later this year. What are your plans? What do you have your sights set on?

Mariah Kenny: [00:09:01] So I'll be working at CrowdStrike full time once I graduate.

Dave Bittner: [00:09:04] Oh, congratulations.

Mariah Kenny: [00:09:06] Thank you.

Dave Bittner: [00:09:07] That's Mariah Kenny. She was team captain of UVA's national championship-winning cyberdefense team.

Dave Bittner: [00:09:15] Bloomberg reports that Amazon has filed a suit in a British court seeking redress for hacking that compromised about 100 seller accounts, diverting funds from loans and sales to the hackers' accounts. Between May and October of last year, criminals managed to compromise accounts an Amazon's Seller Central platform and changed the banking information in them to the criminals' own accounts at Barclays and Prepay Technologies. Those financial institutions weren't themselves involved in fraud, of course. Amazon, which has been investigating the theft for some months, thinks it most likely that individual sellers were hoodwinked into giving up their confidential login credentials by phishing. How great the losses were is so far publicly unknown.

Dave Bittner: [00:10:00] The U.S. Justice Department has indicted two Israeli nationals on charges connected with operating the DeepDotWeb, a general directory that linked prospective buyers with dark web sites dealing in contraband, some of it lethal. The two who were indicted, Tal Prihar and Michael Phan, are alleged to have made millions providing a gateway to dark web black markets, thereby facilitating the sale of fentanyl, hacking tools, stolen credit cards and other contraband. They made their money through kickbacks from the sellers to whom they referred customers. Both the suspects are in custody. It was an international operation. Prihar was arrested in Paris, and Phan was taken into custody in Israel. Authorities in several countries cooperated in the enforcement action - Brazil, France, Germany, Israel, the United Kingdom and the United States.

Dave Bittner: [00:10:51] Those of you of a certain age will remember Clippy, the irritating anthropomorphic paperclip that cumbered Microsoft products in the 1990s, offering you unnecessary advice like, seems like you're writing a letter; want some help? Somehow Clippy never got to the big questions. For all Clippy's upbeat winking and chipper tone, we never noticed Clippy saying anything more useful, like, looks like as if you need to make a quick buck. Or, dude, your job is dead-end; want out? Or, dark night of the soul? Hey, I've been there - forget it Jake, it's Redmond.

Dave Bittner: [00:11:25] Anyway, Clippy is sort of back, in a undead form. But it's a proof of concept from Dutch cybersecurity consultancy Outflank, so no harm, no foul. Evil Clippy, as Outflank calls their demo, uses VBA stomping to prevent most antivirus tools from detecting the macros it's compromised. VBA stomping removes the Visual Basic for Applications source code from a Microsoft document, leaving a compiled version of the macro behind. Security products that look for macros often do so using the VBA source code, and if that's gone, they may let a malicious document pass through unnoticed. Thanks, Outflank, because Evil Clippy sounds like a dream come true. Actually, thanks for real - it's a technique now being offered to red-teamers.

Dave Bittner: [00:12:13] And finally, here's another story from the courts. Who has not eaten in a school cafeteria? We've pretty much all been there. And now hacking has come for the lunchroom because catering those cafeterias is big business. Last month in San Mateo County, California, whose writ runs in much of Silicon Valley, one Keith Wesley Cosbey, CFO of Choicelunch, was arrested on two felony counts of illegal acquisition of student data from the website of Choicelunch's lunchroom rival, San Carlo-based LunchMaster.

Dave Bittner: [00:12:47] As the San Mateo County DA tells it, Mr. Cosbey's idea was that he'd hack the students' data and then complain to the authorities that LunchMaster wasn't properly protecting the kids' PII. Presumably, then the contract for delivering fresh baked muffins, chicken nuggets and beef cheeseburgers to young scholars would then be taken righteously away from LunchMaster, at which point Choicelunch would pick up the business.

Dave Bittner: [00:13:11] Actually, we don't know if fresh baked muffins would figure in the lunch wars, since technically they're a breakfast item at the San Mateo County schools. But in any case, this seems a dubious business strategy. So stay hungry, San Mateo County. And it would never happen in Baltimore - there's no Old Bay.

Dave Bittner: [00:13:33] And now a few words from our sponsor KnowBe4. Everyone knows that multifactor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, un-hackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4 chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:38] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. I wanted to touch base with you today on cyber insurance and where we find ourselves when it comes to that.

Justin Harvey: [00:14:52] Sure. Just like in our personal lives, we want to offset risk through the payment into a pool so that if something - in the unlikely event that something does happen, we get assistance for that, meaning a car crash, medical injuries, etc. Cyber insurance is no different. Companies are looking for ways to offset the risk of cyberattacks, and they need a little bit more. They need a little bit more from a response perspective, from an incident response team, from being able to work with PR teams, with legal. And it's not very common that global organizations have all of this figured out. They have a PR team ready to go. They have an outside counsel ready to go. They have an IR team on hot standby with the jet being fueled ready to go.

Unknown: [00:15:41] (LAUGHTER)

Justin Harvey: [00:15:42] So cyber insurance is a way to ensure that when something does go wrong, that there's adequate financial coverage and adequate legal coverage.

Dave Bittner: [00:15:52] Well, what's your advice for folks who are out there shopping for this? Are there any guidelines, things they should be looking for?

Justin Harvey: [00:15:57] Well, I think the - one of my main recommendations is find a cyber insurance offering that offers a breach coach. Now, a breach coach is typically your outside counsel. So it is a outside legal firm, outside of your own general counsel, that you are protected through client-attorney privilege. And this breach coach will actually step you through and guide you through the whole incident or breach. And they will help you - they will place you with an incident response firm that's ready to go. My team actually does this quite a bit.

Justin Harvey: [00:16:37] You will be placed with a public relations firm, if it is necessary in order to communicate to your customers. You may even take their recommendations on reaching out to a consumer credit reporting service. In case your business lost consumer identities, then they have these services ready to go. And it's all covered under your policy. So instead of you having to fork out the hundreds of thousands of dollars - or in some case, hopefully not - millions of dollars to these services individually, you go with one provider, one breach coach. They bring in all of the ancillary services, and it's covered - all covered under the insurance premium.

Dave Bittner: [00:17:16] Yeah, seems like one of those pay me now or pay me later situations.

Justin Harvey: [00:17:20] Yeah. I think that there are global institutions out there that are not doing cyber insurance; they're choosing to kind of roll your own. They have their own outside counsel, their own IR team, their own legal, PR and so on. But there is something to be said by having it all integrated under one umbrella.

Dave Bittner: [00:17:38] All right. Well, Justin Harvey, thanks for joining us.

Justin Harvey: [00:17:41] Thank you.

Dave Bittner: [00:17:46] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:17:58] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:18:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.