The CyberWire Daily Podcast 10.16.19
Ep 950 | 10.16.19

Cyber retaliation for a kinetic attack, again. Industrial espionage from China. Botnet does sextortion. Typosquatting the other candidate. A poor approach to reputation management.

Transcript

Dave Bittner: [00:00:03] The U.S. may have retaliated in cyberspace for Iran's strikes against Saudi oil fields. China's new C919 airliner seems to have benefited greatly from industrial espionage. An old botnet learns new tricks. Typosquatting as an election influence trick. A look at price lists in the criminal-to-criminal marketplace. Recovering from ransomware. And when it comes to reputational management, there's not so much a right to be forgotten as there is a right to forget about it, if you get what we mean. 

Dave Bittner: [00:00:40]  And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions in boxes one on top of the other, hoping to improve their security posture. Its convoluted and overloaded security stack can't hold up in today's micro-segmented borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:12]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 16, 2019. Reuters reports that the U.S. retaliated for Iranian kinetic strikes against Saudi oil facilities with cyberattacks against Iranian information operators. Two officials, speaking on condition of anonymity, told Reuters that the attacks did some physical damage and that they were conducted to degrade Tehran's ability to spread propaganda. 

Dave Bittner: [00:02:44] China's Comac C919 airliner was built from industrial espionage, a report from CrowdStrike concludes. The complex operation was the work of Turbine Panda, a unit of the MSS Jiangsu Bureau, the Chinese intelligence service widely believed responsible for the 2015 breach of the U.S. Office of Personnel Management. The campaign on behalf of Comac was long-running, patient and multifaceted, encompassing forced technology transfer, joint ventures, physical theft of intellectual property from insiders and cyber-enabled espionage. The news comes as the U.S. shows signs of cracking down on Chinese espionage activity, as the Asia Times puts it, particularly those related to Beijing's Thousand Talents Program of recruiting insiders to collect against Western industry. The C919 would seem to indicate how dependent China's economic development may be upon industrial espionage. The current U.S. crackdown may be intended, in part, to turn that dependence into a strategic vulnerability.

Dave Bittner: [00:03:53]  A well-known botnet has been turned into an instrument of extortion, showing randomly selected users one of their previously compromised passwords and threatening to expose them for things it's seen them doing within view of their webcam. Security firm Check Point has found that the botnet Phorpiex, also known as Trik, which over the last 10 years has moved into ransomware and crypto-jacking distribution, is now sending extortion emails. Two things are worth noting. First, and we hope this will be clear enough to most victims - it's a pure hustle. The blackmailers don't have anything on anyone except a list of email addresses and old compromised passwords. They use this to lend legitimacy to what would otherwise be a bald and unconvincing narrative. Second, and this is more unusual and interesting, the secret to the crooks' business plan is volume. They're pushing up to 30,000 emails out per hour, and they're using compromised machines to do it. The users being exploited to send the spam are probably unaware that they're even compromised, Check Point says. 

Dave Bittner: [00:05:00]  Raytheon has teamed up with the Girl Scouts of the USA for their first-ever national STEM challenge event. It's called The Girl Scouts Cyber Challenge brought to you by Raytheon. The challenge scenario puts participants in the middle of a hypothetical ransomware attack on a moon base. And over 2,500 girls across the country will take part in the pilot program. We spoke with a young woman named Aashka. She's a high school junior from Texas who's been part of the planning for the event. 

Aashka: [00:05:28]  The summer before my sophomore year, I took a Girl Scout cybersecurity camp. It was a week-long camp. And it really just changed my life. It brought light to a new camp that I took this summer before my junior year. It was a five-week-long camp for cybersecurity. And it really just lifted how I think about it. Like, some of the instructors there, not all of them were in, like, the core cybersecurity field. Some of them were doing like cybersecurity but with marketing or cybersecurity but with management information systems. Like, it was just - I learned that, like, there was a lot more to just what meets the eye in cybersecurity. Like I said, it was - there is, like, business involved in it, fashion. There's just so much more than just coding and programming. Back when I was in my sophomore year, so around this time about a year ago - they came to us. It's a national team who have joined together, and Raytheon is helping support this, and it's just to help girls, like, raise awareness about - like, technology and STEM play, like, such an important part in their lives and how it's a really good career to invest yourself into. Personally, for me, I wasn't as big of a cyber type of girl, but I learned, like, basically that cybersecurity isn't just coding, sitting and programming, and I think that's a really valuable lesson that we're trying to teach the girls - that you can have fun while working in STEM and that it's not just - sit down and technology. It's not like the average picture you'll see of, like, a hacker sitting and doing those things. Like, it's not that. It's a lot of, like, communication and things like that. There's just so much more to cybersecurity than what meets the eye. 

Dave Bittner: [00:07:15]  Well, take us through the simulation itself. It's quite a story that you all have come up with here, quite compelling. 

Aashka: [00:07:23]  It'll be a lot of fun for them. It'll be like a typical Girl Scouts journey. However, at the end of the day, they'll earn the new badge, which is the cyber badge, and hopefully, they'll go away from - like, they'll leave the event with a newfound love for cybersecurity. 

Dave Bittner: [00:07:41]  And my understanding is that there's a story here. There's part of it where you're protecting a colony on the moon. 

Aashka: [00:07:49]  Yeah. So we had a few discussions about spies or, like, space or environment or something and - like, a school or something. It's like, which event seems the best? And almost unanimously, it was the space one. I feel like that one is just such an interesting thing to do, protecting a colony on the moon, since, like, a lot of people do have an interest in space. But I think it was a very good thing to do. There's something for everyone. Like, even the girliest of girls can find something in Girl Scouts and in the Cyber Challenge. She'll find, like, new friendships and things like that. Even someone like me - I also found, like, the Cyber Challenge, and it's just a very good way to, like, bring you along and bring you to new experiences. And I really do want to pursue a career in it and gain some experience, I think. It's not work if I love it. 

Dave Bittner: [00:08:41]  Once again, the event is called The Girl Scouts Cyber Challenge brought to you by Raytheon. 

Dave Bittner: [00:08:47] Flashpoint looks into the criminal-to-criminal market's pricing structure. The security firm trolled through various dark web markets to see how things had changed since their last systematic survey in 2017. They found that prices are up, but in a small way. Physical passports are the most valuable commodity and command top dollar. Exploit kits, on the other hand, are selling at a discount, no longer commanding the premiums they once did. DDoS-for-hire services are way up. Fulls - full information on a person - they're about where they were, just slightly up - unless they include financial information about the victim, including credit scores, in which case you might as well be shopping at a really tony boutique.

Dave Bittner: [00:09:29]  In a bit of slamming the door after the vandals have come and gone, the city of Baltimore's Board of Estimates has approved the purchase of two cyber insurance policies that could pay up to $20 million in damages if or when the city sustains another attack like the ransomware that hit its systems in May. The city will pay just over $800,000 for the policies, and each policy carries a million-dollar deductible. The city has estimated its losses in the May incident at around $18 million, but there's a fair bit of uncertainty around that figure. Some of the losses, city officials say, may have been clawed back, and there may be other costs associated with the attack that have yet to be figured into the total - for instance, 800,000 and change in insurance premiums. 

Dave Bittner: [00:10:17] And finally, some news from the world of online reputation management. You've heard the commercials. If someone is giving you bad reviews, the reputation managers will give your online reputation a nice, thorough scrubbing, but there are good ways and bad ways of doing this. Speaking hypothetically, repeatedly mass emailing people who reviewed you as a big flop-a-roo would seem to be a mistaken and even self-defeating course of action, especially if you escalated to threatening the reviewers with going after their advertisers. That's not the way the people who advertise on the radio say they do it, but we're not in Kansas, are we, Toto? For Kansas is indeed the venue of our story. Wichita attorney Brad "The Bull" Pistotnik, whom one would have hoped would know better, has taken a guilty plea to three counts of being an accessory after the fact to making an extortionate threat over the internet, The Wichita Eagle reports. The misdemeanors will earn him no jail time, but he will pay a $375,000 fine and just over $55,000 in restitution. The incident arose from Mr. Pistotnik's retention of reputation management services that allegedly threatened sites that had posted discreditable material about the accident attorney. If Wichita were in, say, Bavaria or Luxembourg, Brad "The Bull" could invoke his EU-guaranteed right to be forgotten, and the whole thing would be bygones, right? Pay no attention to that man riding the bull in his personal injury practice commercials on the TV, though that is kind of hard to forget, especially when it happens in the nice-mannered Jayhawk State.

Dave Bittner: [00:11:57]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire, and we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:13:11]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. We wanted to talk today about the growing prevalence of esports and the potential that that holds for folks in cybersecurity. What do you have for us today? 

Justin Harvey: [00:13:28] Well, what I've got for you today is that esports apparently is no longer just for computer games and for console games. Esports is the general terminology that we use for competing either in person or virtually against others and having that broadcast. There are games like "Counterstrike," "PlayerUnknown's Battlegrounds," "Dota 2" and, of course, my favorite, "Overwatch," that are all on the esports arena. But what's happening is that in the cyber defense and cybersecurity realm, we are seeing more and more of the commercialization and the popularization of capture the flag. That would be teams of attackers - so that would be the red team - and teams that are defending - that would be the blue team.

Dave Bittner: [00:14:14]  I have absolutely seen the increase in popularity with that, and I've also seen that more and more employers want to see that experience on someone's resume. 

Justin Harvey: [00:14:26]  Participating in these events, most notably the capture the flag events - it's a great way to credentialize yourself. It's a great way to demonstrate that either you have the offensive capabilities or that you have the defense capabilities. The capture the flag scenarios and games that are being run at conferences like Black Hat and Defcon are serving several purposes. First is it is showing the public and other practitioners exactly how it's done. What does it look like inside of an attack, and what does it look like inside of the blue team defending it? I think it's also broadening the appeal of cybersecurity past the technology practitioners to show them that there is a wide array of roles and a wide array of applying that in an exciting manner, and I think it only helps our industry drum up interest in everything that we do. 

Justin Harvey: [00:15:28]  The other side effect to this is that the attackers and the defenders, they've got to be innovative. In order to win, they have to think outside the box. And this is - after being an avid gamer, a 30-plus-year gamer - and actually, I've done esports in the early 2000s with "Counterstrike" - I'm fascinated by this in the sense that when you play a computer game, you're playing on a playing field or on a map that everyone knows. You're playing it at home. Then you go to the esports arena, and you play it in there, and there's not that much innovation or disruption. There might be some little tactics and techniques you can employ to thwart the enemy, but we pretty much know how those games are going to go. And if we were to take esports to the next level around cybersecurity, then we're seeing people innovate and adapt and overcome the obstacles that are put in front of them, and that's good for a couple of reasons. First is it shows us practitioners new ways to apply it, but it also elevates our playing field when it comes to disrupting the enemy or disrupting our adversaries. So I, for one, am very excited about this. I'm not sure that there's going to be a huge appeal. Like, I'm not sure if it's going to be in the top 10 of channels on Twitch, for instance, but I do think that we're going to start to see more and more of this. I'd love to see a company step in and start to do rankings and do teams. I mean, I'd love to have my incident response team go toe-to-toe with our competitors that we see every day out there as long as there's a fair and even playing field. 

Dave Bittner: [00:17:04]  And it's interesting, too, I think, that there's this emphasis on teams, which I think goes against that stereotype of, you know, the lone hacker, you know, banging away on the keyboard by themselves. That teamwork is really a part of this. 

Justin Harvey: [00:17:19]  There is a battlefield analogy, and that is, you want to go into battle with people that you trust, that you have experience with, that you can anticipate their every move. And I think it's like that. Even though it's a little bit of a different analogy, but it's like that in the corporate world as well. You want to train like you fight, and you want to fight like you train. And this is a great way to do it, and it's a fun way, and it keeps people interested. 

Dave Bittner: [00:17:43]  All right. Well, Justin Harvey, thanks for joining us. 

Justin Harvey: [00:17:45]  Thank you. 

Dave Bittner: [00:17:51]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:18:32]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.