Money laundering, cyber fraud, lost laptops, & how cyber criminals get paid.

Dave Bittner: [00:00:03:14] Bank fraud, money-laundering, and more. Science and sanctions point to North Korea. Awareness grows of how big some very big breaches were. One weird trick to earning a living from home with ransomware. Extortionists look for embarrassing digital exhaust, big claims for AI making for big claims in court, too. And, hey, NFL, don't fumble your laptops. Say, maybe deflating mobile devices would improve your ability to hold onto them. Any Boston area cyber companies have thoughts on this?

Dave Bittner: [00:00:32:16] Just kidding, we like to kid. We're kidders.

Dave Bittner: [00:00:38:04] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.

Dave Bittner: [00:01:00:15] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday, June 3rd, 2016.

Dave Bittner: [00:01:08:00] New evidence surfaced this week of possible North Korean involvement in fraudulent funds transfers over the SWIFT network. Anomali Labs has joined BAE and Symantec in saying it's found the malware spore of the DPRK-connected Lazarus Group in the affected banks.

Dave Bittner: [00:01:24:11] Coincidentally or not, on Wednesday, the US Treasury Department tightened sanctions on North Korea. Citing the DPRK as a center of money-laundering, Treasury moved to restrict the country's ability to transfer funds by limiting the amount of correspondent accounts to process transactions involving North Korea.

Dave Bittner: [00:01:42:23] The illicit transfer that prompted the SWIFT and its partners in the global financial services to review and upgrade their security measures, was February's theft of $81 million from the Bangladesh Bank via SWIFT transfers through the New York Federal Reserve. This week, responding to a Reuters Freedom of Information Act request, the Fed's board of governors disclosed 51 cybersecurity incidents at its Washington location between 2012 and 2015.

Dave Bittner: [00:02:09:12] The report covered only Washington, not the 12 regional branches, and included several incidents attributable to espionage.

Dave Bittner: [00:02:17:18] This has been a week of big data breaches: not new breaches, but old ones that turned out to be a lot bigger than originally thought or feared. LinkedIn began the trend two weeks ago when it was determined that its 2012 breach was orders of magnitude larger than previously believed. The business-focused social network has since been joined by Tumblr and MySpace, both of whom have also significantly upped estimates of the number of data lost.

Dave Bittner: [00:02:41:09] The stolen credentials are for sale in dark web markets at surprisingly low prices.

Dave Bittner: [00:02:47:09] One familiar name mentioned in connection with the breaches, Dropbox, seems on further review to have sustained no security breach after all. KrebsOnSecurity reports that Lifeline and other identity theft protection companies, warned customers that Dropbox had leaked 73 million usernames and passwords, but this appears quite wrong. The lost data seems to have come from the Tumblr breach.

Dave Bittner: [00:03:11:01] The low prices cybercriminals put on such stolen information - just $2,800 for nearly half a billion stolen MySpace credentials - suggests that the black market is continuing its race to the bottom. Some criminals are selling zero-days or malicious code, and even these don't carry prohibitive price tags. An alleged Windows zero-day is being auctioned with bids starting at $95,000, and Jigsaw ransomware is being offered for the fire sale price of $139.

Dave Bittner: [00:03:39:14] Crimeware markets are shifting toward a volume model, looking for sales to the skid mass market.

Dave Bittner: [00:03:45:19] So, how much do ransomware crime lords stand to make? We haven't actually seen pop-ups offering us the one weird trick that will let us earn thousands working from home. But the criminal gig economy doesn't appear to be making anyone spectacularly wealthy.

Dave Bittner: [00:04:00:04] Flashpoint has been poking around the Russian criminal underground since December, and it seems to them that a diligent, successful head of a ransomware campaign, stands to pull in around $7,500 a month, or around $90,000 a year. That is, if they stay on the good side of the militsiya long enough to get paid. The FSB's announced on Wednesday that it collared 50 hackers who rifled Russian bank accounts of some 1.7 billion rubles, or $25 million.

Dave Bittner: [00:04:28:10] So, what does a ransomware boss have to do? It's like any other multilevel marketing scheme you might run from your home: get code, recruit distributors, collect ransom, and pay the distributors a commission.

Dave Bittner: [00:04:41:02] Not all online extortion involves ransomware. Criminals are getting into an enterprise's network, finding information that shows they've been there, and then contacting the hacked enterprise with an offer to disclose the vulnerability in exchange for payment. Effectively black hat pentesters, the bug poachers are asking about $30,000 a pop.

Dave Bittner: [00:05:00:17] And there's more traditional blackmail, too. You will recall the Ashley Madison affair in which the threat was exposure and humiliation. The US FBI has warned that more of this sort of thing is on its way. Attackers look for potentially embarrassing information, then contact the victim with an offer to keep such information private, for a fee.

Dave Bittner: [00:05:19:21] The information might be any number of relatively accessible things, like rude emails one would rather not have generally disclosed, or interactions with adult websites. We suggest you remember philosopher Immanuel Kant's categorical imperative, or at least the Washington Post test version of it that's passed into folklore in all of your online communications. Always act in such a way that you'd be happy to have everyone do as you do.

Dave Bittner: [00:05:47:18] This CyberWire podcast is brought to you by the Digital Harbor Foundation: a non-profit that works with youth and educators to foster learning, creativity, productivity, and community through technology education. Learn more at digitalharbor.org.

Dave Bittner: [00:06:13:19] Joining me once again is Ben Yelin. He's a senior law and policy analyst with the University of Maryland's Center for Health and Homeland Security. Ben, there was a recent story about a northern California district judge ruling on Facebook, allowing a class action suit from people in Illinois who don't like the photo-tagging feature on Facebook with facial recognition. Where's this case going?

Ben Yelin: [00:06:37:04] I'm sure most of your listeners would be interested to find out where the merits of this case are going to go. I think we're all interested in whether a private company can use this facial recognition software, and whether a plaintiff has some sort of privacy interest that would prevent it. Unfortunately, I think the way this case is turning out, we're so far from the merits because of all of these legal hurdles that both sides are jumping through.

Ben Yelin: [00:07:03:00] So, just to give a little background here. The dispute in this case is around choice of law issues. So, when each of us click the "agree to terms of use" on our Facebook pages, which we've all done, we agree that if there's ever any dispute between us and Facebook, that dispute will be adjudicated in California courts. And this is what Facebook wants, they have expectations for California courts, that's where they're located, all of their lawyers are out there. So, it's a favorable policy towards Facebook.

Ben Yelin: [00:07:34:00] What this judge decided, he didn't make any indication of the merits of the case, he didn't say anything about the privacy interests involved in facial recognition software. And he even said that that choice of law provision in the contract you sign when you click on those terms of use, is not technically invalid. He did, however, point to a part of a test on choice of law issues.

Ben Yelin: [00:07:59:18] And that test is whether the choice of law clause in a contract is "contrary to a fundamental policy of Illinois, and, if so, whether Illinois has a greater interest in the determination of this case." In other words, are we dealing with an issue that the Illinois state legislature has decided it's of such importance to its people that it would not be in the interests of justice or fairness to have the case adjudicated elsewhere.

Ben Yelin: [00:08:28:22] This judge in northern California decided that Illinois had expressed the fundamental importance of that case and had determined that Illinois actually has a greater interest in determination of the case. So, he has moved this case back into the venue of Illinois.

Ben Yelin: [00:08:47:08] The reason I think it could be problematic is that it creates a level of uncertainty both for Facebook and for plaintiffs who want to challenge some of the privacy, or perceived privacy intrusions of Facebook. We're now in this area of uncertainty as to whether, if the state passes a law that governs something in this area, whether it is of such fundamental policy importance that a California court would transfer it back to that original state. And that's just a very, very big standard that I think will be difficult for California judges to adjudicate going forward.

Dave Bittner: [00:09:23:17] And looking forward, you have Facebook, which is a global company. Could we find ourselves in a situation where local jurisdictions are saying, we're not going to allow this thing. We perceive, for example, facial recognition being an intrusion of privacy, and so could that mean that Facebook would have to shut that down globally?

Ben Yelin: [00:09:43:19] I think it's possible. I think the more likely scenario is that Facebook is going to be faced with legal chaos and lawsuits in various states. If the decision of this northern California judge is of any guidance, then state legislatures will know that if this breaks some sort of fundamental policy, then they can get suits adjudicated against Facebook in their state courts. And that's Facebook's worst nightmare: they do not...

Ben Yelin: [00:10:11:13] Especially on questions of fundamental privacy interests, they do not want to be traveling around the country responding to suits in 50 different states based on the whim of the 50 different state legislatures. So, if the ruling of this judge is upheld, it could be an absolute logistical nightmare for Facebook and, I think, if they are interested in avoiding some of these difficult choice of law questions, that might impact their policy on facial recognition.

Dave Bittner: [00:10:44:07] All right, Ben Yelin, thanks for joining us.

Dave Bittner: [00:10:49:20] This podcast is made possible by the Economic Alliance of Greater Baltimore: helping Maryland lead the nation in cybersecurity, with a large highly-qualified workforce, 20,000 job openings, investment opportunities, and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:11:19:02] WordPress is under active attack. Hackers are exploiting a zero-day in the content management system's mobile detector plugin. There's reason to believe that many large organizations are using older, even more vulnerable versions of both WordPress and Drupal. So, review and, if necessary, upgrade your installations.

Dave Bittner: [00:11:38:02] U.S. schools approach their summer vacations, but the Air Force Association will be offering its popular cybersecurity bootcamps for students interested in the field. This summer, the AFA says it will hold a record number of camps in 85 locations. One organization looking to the state of the cybersecurity profession is the Military Cyber Professional Association. We spoke with the MCPA's founder, Joseph Billingsley, about his organization and its role in the professional community.

Joseph Billingsley: [00:12:05:13] Based upon my experience out in the field in all different types of capacities, whether you're talking more in the intel side of the house or on the more IT signal comm side of the house, or in strategy, policy world. I noticed a real gap, a real need for people to cross-talk more with each other within the space, within the military cyber community in particular. And I really focused on this particular community because it is very, very clear from my own experiences and also from the findings in multiple documents and policy documents as well, that this is a national security priority: cybersecurity, cyber operations, and as anybody could also see from looking at CNN.com or your local newspaper, cyber breaches are a very real thing, and intellectual property that is hemorrhaging out of the United States is a very real thing and impacts our nation in a very serious way.

Joseph Billingsley: [00:13:06:21] So, that's why I decided at the time as a strategist, Functional Area 59 strategist, to focus my energies on this particular community.

Dave Bittner: [00:13:15:03] Among the functions of the Military Cyber Professionals Association is providing activities, opportunities, and education for its members on both a local and national level.

Joseph Billingsley: [00:13:24:21] At the national level, we have high-impact nationwide types of events. Most recently, we participated in the Navy League's national exposition at National Harbor. We hold capture the flag, cyber capture the flag CTF events. Most recently, the JCC, the Joint Cyber Challenge, was a national-level event with teams from across the American defense community, which was great.

Joseph Billingsley: [00:13:52:24] Then we also have a number of chapter-level events. So, also a cyber capture the flag event run by our St. Louis chapter based on the folks over at the Scott Air Force base, more regionally-based participation from all over the place. That was called Hack the Arch.

Joseph Billingsley: [00:14:11:13] We have a scholarly journal called Military Cyber Affairs with very legitimate processes, an editorial staff in place with representatives from all these different institutions of higher learning across the defense community, such as the Naval Postgraduate School, Army War College, Air Force Institute of Technology.

Joseph Billingsley: [00:14:33:13] We also have a magazine called Cyber, which is more accessible and a fresh opportunity for folks across the community to publish in and to be kept up to speed on what's going on out there.

Dave Bittner: [00:14:47:21] The organization also encourages participation with K through 12 STEM programs.

Joseph Billingsley: [00:14:52:21] At the local chapter level, the chapter leadership is empowered and encouraged to get out there into the local community, find existing opportunities for our members to volunteer in. So, a great example of that is the CyberPatriot Cyber Defense Competition, which is actually run by our partners over at the Air Force Association. They are a very well-oiled machine that also has a military aspect to it. We have partnered with them and encourage our members to go plug in and easily volunteer their technical skills in mostly middle school and high schools with that particular program.

Joseph Billingsley: [00:15:37:23] More recently, I was approached by the Smithsonian Institution here in the DC area about having some of our members partner up with their new innovation center called the SparkLab and try to bring in some K through 12 community members from across the region and act as a mentor and a coach type of role for those kids who are interested in the STEM fields, particularly IT or computer sciences.

Dave Bittner: [00:16:06:12] Mentorship is an important part of their educational mission and for that, military veterans are an essential asset.

Joseph Billingsley: [00:16:13:03] With a lot of veterans, whether they got out after serving a fresh tour of duty or if they retired after decades of uniformed service, they have a lot of great real-world experience that they can impart on to the next generation. And so another aspect of what we do is purposefully doing matchmaking between mentors and mentees. Our mission is very much focused on developing this particular community within the military, because we have a huge need to develop this community.

Joseph Billingsley: [00:16:49:07] And the other aspect of our mission with the K through 12 education, our outreach activities with the K through 12, because that's really how we're going to get our nation right long-term, whether you're talking about security-wise, or economic-wise as well. The national priority that we're focusing on right now, is a military cyber community.

Dave Bittner: [00:17:14:06] Joseph Billingsley is a major in the United States Army, but he spoke to us in his capacity as the founder of the Military Cyber Professionals Association.

Dave Bittner: [00:17:24:03] Finally, sports fans and healthcare professionals will be interested in the continuing story of a stolen laptop. The device was used by a Washington Redskins trainer, was apparently unencrypted, and was stolen from a car last month. It contained medical information on not only current and former players, but on any player who attended the National Football League's Scouting Combine from 2004 to 2016. The CyberWire heard from several experts who weighed in on the breach and its implications.

Dave Bittner: [00:17:52:17] Lastline's CTO and co-founder, Giovanni Vigna, noted that data at rest are notoriously vulnerable when they're unencrypted. The Redskins said in a statement reported by ESPN that no HIPAA-sensitive information was compromised. We confess it's difficult to imagine how they might be sure of this, but note that the team was clearly aware that HIPAA might be a problem.

Dave Bittner: [00:18:15:09] Michael Magrath, current chairman HIMSS Identity Management Task Force and Director of Healthcare Business, VASCO Data Security, told the CyberWire that, "This is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League."

Dave Bittner: [00:18:34:05] He suggested teams might protect their medical information with the same diligence they apply to their playbooks. He also noted that laptop thefts remain depressingly common, yet organizations continue to overlook their encryption.

Dave Bittner: [00:18:47:09] Balabit's Matthew Ravden sees the incident as a violation of trust, whether or not it involved HIPAA violations as well, and would go so far as to suggest not storing any sensitive data on a mobile device.

Dave Bittner: [00:18:59:20] Well, in any case, team, here's our halftime speech for the weekend. When it comes to encryption and multi-factor authentication... don't punt.

Dave Bittner: [00:19:11:22] For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. We help you stay on top of the news in cybersecurity and information assurance, we can also help you get your product, service, or solution in front of an informed audience of influencers and decision-makers. Visit thecyberwire.com/sponsors to find out how.

Dave Bittner: [00:19:35:20] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening; have a great weekend.