Android issues, SWIFT hacks, the cyber security marketplace.

Dave Bittner: [00:00:03:23] SWIFT is back in the cyber news as the international financial transfer system is said to be quietly warning customers of another caper. Outside observers suspect insider threats. Operation Icarus continues to annoy banks, mostly around the Mediterranean. The FDIC discloses five breaches and Congress isn't amused. Patch Tuesday has come and gone, but work for sysadmins remains. Law enforcement may be quietly making its peace with strong encryption. And my interview with Dr. Emma Garrison-Alexander, on her leadership positions with NSA, TSA, and UMUC.

Dave Bittner: [00:00:40:11] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute; providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:01:05:00] I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, May 13th, 2016.

Dave Bittner: [00:01:11:06] The international financial transfer system, SWIFT, reappears in security news today as reports surface of another attempt to use the system to divert funds from a bank. This bank, still unnamed in reports, is said to be a commercial bank in Vietnam. BAE investigators are reported to have seen similarities between code associated with this attempt and malware uncovered in the Bangladesh Bank case. It also sees some possible similarities to what's known of the Sony hack.

Dave Bittner: [00:01:39:23] The New York Times, late yesterday, obtained a copy of a letter to users the newspapers says SWIFT intends to post privately today. The letter is said to contain a warning about the Vietnamese bank incident, a conclusion to the effect that both this and the Bangladesh Bank theft are part of a "wider and highly adaptive campaign targeting banks." It appears, according to the Times, that the problems lie in the interface between SWIFT and the banks that use it, as opposed to SWIFT's core systems. It also seems likely that legitimate credentials have been compromised. SWIFT is expected to advise banks to shore up security on their end.

Dave Bittner: [00:02:15:17] Speaking in Frankfurt, Gottfried Leibbrandt, SWIFT's CEO, told a financial conference that SWIFT regarded the Bangladesh Bank raid as "customer fraud." Security Week quotes him as saying, "I don't think it was the first, I don't think it will be the last."

Dave Bittner: [00:02:30:05] FireEye, which is investigating the Bangladesh Bank incident, has, according to Bloomberg, found evidence of three groups' activity in the bank's systems: a Pakistani organization, one from North Korea and a third as yet unidentified actor. It's the third one that actually pulled off the theft. The Pakistani and North Korea groups are thought to be state-sponsored, but traces of their presence in the system do not appear to have been implicated in fraudulent transfers. North Korea's representatives at the UN, Bloomberg notes primly, did not respond to a request for comment. Pakistani ministries, the news outlet contacted, also didn't return calls.

Dave Bittner: [00:03:07:21] How the hackers got in remains unclear, but there's much continuing speculation that these incidents were inside jobs, at least in part. InfoArmor's Chief Intelligence Officer, Andrew Komarov, told the CyberWire that in his view the speed and ease of an attack like this is probably beyond the reach of typical underworld "money mule" services. "Such types of transactions almost certainly couldn't be organized without the help from either insiders or traders very familiar with operational controls in the affected institutions," he said.

Dave Bittner: [00:03:38:17] We also hear from Lastline security expert Craig Kensek, who thinks the heists suggest that someone who's worked in the financial industry has gone rogue. He also thinks data loss prevention systems used in financial transactions may need more granularity and more levels of control. "SWIFT needs to re-examine their processes and use outside experts to try and crack their system. They, if they haven't already, need to create a list of trusted IP addresses that larger funds can go to without 'eyes on' approvals."

Dave Bittner: [00:04:13:15] This CyberWire podcast is brought to you by Recorded Future; the real time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat Intel updates at recordedfuture.com/intel.

Dave Bittner: [00:04:39:18] And I'm joined once again by Markus Rauschecker from the University of Maryland's Center for Health and Homeland Security. Markus, we saw recently a story about some of the mobile providers, who are facing increased scrutiny from both the FTC and the FCC when it comes to security updates. What can you tell us about that?

Markus Rauschecker: [00:04:55:08] Yes. So the Federal Trade Commission and the Federal Communications Commission are asking mobile device providers and manufacturers to provide information on what they're doing to secure the devices that they're selling. I think both the FTC and the FCC and the public in general is recognizing that, as we use our mobile devices more and more, we're storing more and more sensitive information on these devices; so there's a real concern about securing and safeguarding that information. The FTC and the FCC want to make sure that these mobile device manufacturers and the software developers for these devices, are doing what they should be doing to protect the data that is being stored on these devices.

Dave Bittner: [00:05:37:22] I know sometimes people are concerned about overreach by these regulatory agencies, but in this case it seems like this is good for the consumers, yes?

Markus Rauschecker: [00:05:46:11] I think, overall, it should be good for consumers. Consumers should be concerned about the safety and security of the data that they're storing on these devices. Obviously, that data is very personal data, it's financial data, it's health data. There's a lot of stuff on those devices nowadays that needs to be protected and I think, overall, it's probably good for the consumer that the FTC and the FCC are getting involved here and wanting to know more about what manufacturers are doing to actually protect the data that is being stored on these devices.

Dave Bittner: [00:06:17:03] Markus Rauschecker, thanks for joining us.

Markus Rauschecker: [00:06:19:21] Thanks very much.

Dave Bittner: [00:06:24:03] This CyberWire podcast is brought to you be Recorded Future: the real time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web; to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat Intel updates at recordedfuture.com/intel.

Dave Bittner: [00:06:57:10] This week continued to see the expansion of Anonymous' Operation Icarus. OpIcarus is designed to, as Anonymous puts it, bring down the world financial system in retribution for that system's crimes against humanity. The engine of retribution is distributed denial-of-service. The hacktivist collective and its collaborators in BannedOffline and Ghost Squad began in Greece, moved to Cyprus, hit targets in Kenya, Panama, Bosnia and Herzegovina and, most recently, have surfaced in Montenegro, Monaco, Jordan and South Korea. In most cases, service has been relatively rapidly restored, but the campaign continues to annoy the financial sector.

Dave Bittner: [00:07:38:03] This week, the US Federal Deposit Insurance Corporation disclosed that it's suffered five major breaches since October. Individual banking consumer data are affected. Congress is investigating. The FDIC can expect to be called onto the Capitol Hill carpet in coming weeks.

Dave Bittner: [00:07:55:05] Early this week, the Panama Papers were posted in full searchable from by the ICIJ. No big cats escaped from the big bag of terabytes, and at week's end talk about the Mossack Fonseca breach has subsided into general murmuring; about the need to close tax loopholes, reign in offshore accounts, establish better transparency and so on. Most of the activity the data reflects seems more unseemly than illegal; or, when illegal, already known to law enforcement and under investigation.

Dave Bittner: [00:08:25:00] The Denim Group commented to us on what they characterize as a tenacious cross-site scripting problem GoDaddy experienced and has now resolved. Denim Group Principal, Dan Cornell, described the issue as "blind cross-site scripting" and said it's not unusual to encounter it during application assessments; especially in utilities and financial institutions.

Dave Bittner: [00:08:45:11] Exploitation can result in privilege escalation. He thinks developers could avoid this and other problems, by using solid threat models; appropriate coding standards and security testing integrated into the development process. Cornell said, "Stored, or 'blind' XSS actually appears to be easier to fix than reflected XSS based on some of our research. With stored XSS vulnerabilities taking on average 9.6 minutes per vulnerability to fix and reflected XSS taking 16.2 minutes to fix."

Dave Bittner: [00:09:18:00] This week's Patch Tuesday saw Microsoft issue 16 fixes, eight of them rated critical. For the most part they addressed remote-code-execution vulnerabilities in Internet Explorer, Edge, JScript and VBScript scripting engines in Windows, Office, Microsoft Graphics Component, Windows Journal, and Windows Shell.

Dave Bittner: [00:09:36:18] Adobe also patched this week, with updates to PDF Reader and Cold Fusion provided on Tuesday. They also promised to patch a Flash Player zero-day and did so yesterday. That fix closed some 25 issues, including two type-confusion flaws; one of which is the zero-day. The other bugs addressed could all be exploited for remote code execution. They include 12 memory-corruption issues, eight use-after-free problems, buffer-overflow and heap-buffer-overflow problems and a direct search path vulnerability.

Dave Bittner: [00:10:07:01] Cut your sysadmins appropriate slack as they deal with these patches and update appropriately.

Dave Bittner: [00:10:13:16] Signs indicate that the FBI may be quietly making peace with widespread encryption; recognizing it as an investigative inconvenience as opposed to an existential threat.

Dave Bittner: [00:10:24:18] A Lego-guy-Play-Doh hack may be joining the nearly forgotten, although not forgotten by us, Gummy-Bear hack; in which imprints of fingerprints on sticky candy or modeling clay are used to unlock biometrically protected devices. But we don't know. You'll recall that the FBI got a controversial warrant to require a woman in California, not a suspect in the case under investigation, to unlock a phone with her fingerprints. Well, they tried all ten fingers but, alas, no joy. They asked her for the password. "Sorry," she answered, "It's not my phone." But did they offer her a Gummy, we wonder? Swedish fish? Turkish taffy?

Dave Bittner: [00:11:20:07] My guest today is Dr. Emma Garrison-Alexander. Dr. Emma, as she likes to be called, has over 30 years of combined federal experience at NSA; where she served as Deputy Counter-Terrorism and as a Senior Operations Officer and at TSA where she led their IT organization as Chief Information Officer. She's currently Vice Dean for the Department of Cyber Security and Information Assurance at the University of Maryland University College. Dr. Emma, welcome to the CyberWire. I'm curious, when you were a kid growing up were you someone who was interested in science and mathematics?

Dr. Emma Garrison-Alexander: [00:11:53:20] I have always liked math and science, right from the beginning of school. When I got into high school, without my parents pushing me, I wanted to take all the advanced math. I wanted to take the algebra, I wanted to take the geometry, the trigonometry, I wanted to take the physics and the chemistry; because I felt like I was going to learn a lot more if I took those more advanced courses instead of taking just the general courses. They work very well if you're interested in a career in computer science or electrical engineering.

Dave Bittner: [00:12:27:21] You complete your college education, you get your degree and now you're looking for a job. Did that lead you directly to government from there?

Dr. Emma Garrison-Alexander: [00:12:37:09] Yes it did. At that time, the National Security Agency, along with other companies and government organizations, they were recruiting at my school and one of the interviews that I had was with the NSA. Ultimately, they made me an offer and I accepted it.

Dave Bittner: [00:12:53:09] I'm curious, did you run into any roadblocks; either being a woman, or even specifically being a woman of color?

Dr. Emma Garrison-Alexander: [00:12:59:18] I think that there were challenges. One of the things I benefited from is, when I started my career at NSA, while the number of women in the field were low at the time, I was hired at a time where a number of other women were also being hired; therefore, I was one of a few women, but I was not the only woman within the field. I think that helped some. I was determined to be successful, I was determined to contribute to the mission, I was determined to be relevant to what was needed in the organization and, through some of the challenges, I learned a lot. I learned the importance of making sure you look out for yourself and not expect someone else to do that for you.

Dave Bittner: [00:13:46:09] You wrap up your time there and the opportunity from TSA comes along. How are the challenges at TSA? How do you contrast them against your experiences at NSA?

Dr. Emma Garrison-Alexander: [00:13:56:21] I always tell people that government is government and there are some things that are common to being a part of a government organization. But what was strikingly different between NSA and being there and TSA and being there, was the fact that one organization is very private, very closed, very quiet and do fantastic work for the nation, but it is not a public institution. It's a very internally-facing and community-facing type organization.

Dr. Emma Garrison-Alexander: [00:14:32:09] TSA is the direct opposite. Their whole reason for existing is to engage the public. They are most notably known for what they do in the aviation arena, the airports. But they have responsibilities in all modes of transportation. You know, highways; rail; mass transit; pipeline; maritime; as well as aviation. The truth of the matter, the biggest adjustment was going from a place where I had been hiding, working in these highly classified areas, to an organization that's very much public-facing.

Dave Bittner: [00:15:08:13] Take me through the decision process. You decide to wrap up your career, or the portion of your career, with TSA and so where are we now?

Dr. Emma Garrison-Alexander: [00:15:17:07] I decided to take an early retirement. I then took a year off to just take care of some family matters and then I decided to re-engage. I had been adjunct faculty at the University of Maryland University College since 2010 and I really wanted to do something in academia. That's something I had wanted to do for a while. It just so happens that, at the time that I was looking to re-engage, there was an opportunity at the University of Maryland University College that I interviewed for and I've been the Vice Dean for Cyber Security and Information Assurance in the graduate school since November of last year.

Dr. Emma Garrison-Alexander: [00:15:54:06] I am responsible for four graduate programs, cyber security technology; cyber security policy and management; digital forensics and cyber investigation and we have an information assurance program. I oversee those programs at the graduate level.

Dave Bittner: [00:16:11:18] I mean, that's kind of a different world for you, isn't it? How has that transition been?

Dr. Emma Garrison-Alexander: [00:16:15:24] It is a different world, but because UMUC is a non-traditional university, it has a lot more elements of business to it than you would in a traditional university; like University of Maryland at College Park.

Dave Bittner: [00:16:28:18] I'm curious, you know, looking back on your time at TSA and your time at NSA, what are the lessons that you've learned? What are the takeaways from your time at those places?

Dr. Emma Garrison-Alexander: [00:16:38:14] One is take advantage of all the opportunities that are afforded to you. One of the things I give NSA great credit to and I will say that's why they have a world class workforce, is training. When I say training, it was all the way from your formal college education. They paid for my Masters degree and they paid for my Doctorate degree. In addition to that, they also paid for other training; you know, whether it was at Learning Tree, or if it was Cisco training, or some other type of training. As an organization, NSA values training and so it's important that, when you have an organization that's willing to invest in you, that you take advantage of that investment.

Dr. Emma Garrison-Alexander: [00:17:21:08] The second thing is, as you're going through your career, you need to make your career a priority. You need to ensure that you're doing those things that you need to do in order to move forward; in order to progress; in order to move into the positions that you are interested in; in order to succeed in the pathway that you've actually laid out. Thirdly, I think it's important that you plan out your career; that you do not leave it to happenstance. I think it's really important to create a pathway. The fourth thing, it's very important to have mentors and coaches. My mentors were invaluable to me all the way from having peer mentors to having senior mentors. They were very, very important to helping me through my success.

Dr. Emma Garrison-Alexander: [00:18:09:18] I think it's important that we really work as a nation, through various organizations, to get more women and more minorities into the cyber security field. I think that it's really, really important. I know there are many initiatives that are going on right now to do that. I think we should stay on top of that and follow it through; ensuring that our nation is well protected and that we take advantage of all the rich resources that we have in those communities; to bring them into the fold and to be a part of solving the cyber security challenges that we're facing as a nation. In 2010, President Obama had made a statement, that he identified cyber security as one of the most serious economic and national security challenges we face as a nation. All of us need to be involved in addressing that challenge.

Dave Bittner: [00:18:59:18] Our thanks to Dr. Emma Garrison-Alexander for joining us. You can hear an extended version of our conversation; which includes Dr. Emma's views on cloud computing, as well as the specific cybersecurity challenges she faced at TSA, on our website, thecyberwire.com.

Dave Bittner: [00:19:18:17] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The people who are interested in those stories tend to be people who read or listen to the CyberWire. If you'd like to reach them, visit cyberwire.com/sponsors and find out how you can sponsor the news brief or podcast. Thanks to all our sponsors who make the CyberWire possible.

Dave Bittner: [00:19:41:05] The CyberWire is produced by Pratt Street Media. Our Editor is John Petrik and I'm Dave Bittner. As always, thanks for listening and have a great weekend.