Bug hunters turn shorts. Cyber frame-ups, election fraud, spearphishing, whalephishing, and more.

Dave Bittner: [00:00:03:01] Election hacking fears rise with an FBI warning. Trident iPhone zero-days and the Pegasus tool that exploited them brings scrutiny to lawful intercept vendors. St. Jude Medical disputes allegations that its pacemakers are hackable and the security sector does some ethical introspection about disclosure. The IoT is beginning to be exploited in DDoS campaigns. Malicious EMV cards are implicated in Thailand's ATM skimming crime wave. And Angry Birds join Pokemon in the enterprise penalty box.

Dave Bittner: [00:00:37:16] I'd like to take a moment to thank some sponsors. The Johns Hopkins University Information Security Institute and Compass Cyber Security are hosting the third annual Senior Executive Cyber Security Conference on Wednesday September 21st from 8.30 am to 4.00 pm. That's going to be at the Homewood Campus of Johns Hopkins University, right here in Baltimore. Hear from industry leaders on cyber security best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cyber security landscape threats and challenges ahead for organizations, and how senior leaders can work towards shifting their data to being safe and secure. You can find out more online at secsc.compasscyber.com or on the Johns Hopkins University Information Security Institute Website at isi.jhu.edu. Do check it out and we thank the Johns Hopkins University Information Security Institute and Compass Cyber Security for sponsoring our show.

Dave Bittner: [00:01:43:21] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 30th, 2016.

Dave Bittner: [00:01:50:02] The FBI, two weeks ago, quietly issued an alert to warn various concerned parties that an unknown actor was targeting state election systems. Yahoo! News learned of the warning and broke the story yesterday. In essence, "foreign hackers" last month penetrated two election databases, by consensus in Illinois and Arizona. (And for "foreign hackers" most observers are reading "Russian Intelligence Services") The attackers used SQL injection attacks and employed commonly available off-the-shelf tools, including SQLMap, DIRBuster, and Acunetix. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has also warned of incidents involving state election services.

Dave Bittner: [00:02:32:04] ThreatConnect told Yahoo! News that at least one of the IP addresses implicated in the attacks has appeared before in Russian criminal hacking fora. Wired reports that sources inside the US intelligence community have, on background, attributed the attacks to Russian intelligence services.

Dave Bittner: [00:02:49:17] Offering some useful perspective, motherboard points out that state election databases have not only been hacked before, but the information they contain is often made readily available by state officials themselves. Besides, the number of records affected was relatively small, about 200,000 in Illinois, reports say, and data were simply exfiltrated, not, as far as is known, destroyed or manipulated. What's troubling is not so much the breach itself but the foreign involvement (and foreign interest), the context provided by other recent hacks of political parties and campaigns and the fears of data manipulation. The data themselves are not particularly valuable, but the contribution the incidents make toward increasing distrust of US elections would be an information operations coup.

Dave Bittner: [00:03:34:19] St. Jude Medical strongly disputes the pacemaker vulnerabilities disclosed in the course of short-selling by Muddy Waters Capital and MedSec. The device manufacturer says the exploits as described aren't possible. Several observers find things to dispute in both Muddy Waters' charges and St. Jude's rebuttal, but the disclosure of vulnerabilities in the cause shorting a stock hasn't generally met with much approval. We spoke with the University of Maryland's Ben Yelin about the implications of this turn to stock speculation for the security industry and we'll hear from him after the break.

Dave Bittner: [00:04:07:08] And, of course, the disclosure of allegedly serious and exploitable pacemaker bugs has contributed to increased concerns about life threatening IoT hacks.

Dave Bittner: [00:04:16:02] Researchers from Level 3 Communications describe another risk in the internet-of-things: the growing possibility and likelihood of IoT-based distributed denial-of-service campaigns. The company has been working with Flashpoint to track the rise of DDoS botnets exploiting IoT devices. Criminal groups including Lizard Squad and Poodle Corp are investing in IoT malware and a large fraction of the bots observed engaging in these attacks are located in Taiwan, Colombia and Brazil.

Dave Bittner: [00:04:44:10] The RIPPER ATM malware FireEye found in Thailand, appears to use a rogue EMV chip. A specially crafted and malicious chipped card may have been used to introduce the skimming malware into the ATMs. Criminals are believed to have stolen roughly $378,000 from ATMs in Thailand last week.

Dave Bittner: [00:05:04:09] Senior executives represent a vulnerable attack surface at their own companies. We spoke with Dan Lohrmann, Chief Security Officer at Security Mentor, about preventing C-suite fraud.

Dan Lohrmann: [00:05:14:24] The phishing attacks, you know the links, the different ways people get you to click and download malware or go to bad sites or give information up, you know spearphishing was kind of the 2.0 were you've had, you know, a little bit more targeted, they know a bit more about you, maybe done some research. And then we've kind of gone to a new level, which the industry is calling whaling, going after the big fish if you will, that involves large sums of money. It may or may not involved clicking on links, the goal of the bad guys is to build your trust and then get you to take action, whether that be transfer money, whether that be give them information which they can then use. Whaling is really fraud committed against businesses and it's really rampant right now.

Dave Bittner: [00:06:04:01] And so take me through the process. I'm someone sitting in my office, maybe I'm someone on the financial side of the business, how are these people going to target me?

Dan Lohrmann: [00:06:13:07] First of all their goal is to get your trust and to build that trust, and we've seen a wide variety of ways they do that; they get to know you or they come in as a customer. More likely they're building a relationship, so they're getting background, they're trying to learn about you, your likes. First of all they're targeting maybe a CEO in a company, or a COO, or someone who has authority to make transfers, wire transfers, that kind of a thing. After they've built up the trust, maybe they're just like kind of a normal relationship, maybe doing different types of things for weeks or months, usually something out of the ordinary happens. For example there's been a case where they actually built a relationship up with an accountant and then they were able to get the information about the CEO, he actually was on a trip, a vacation. They compromised the CEO's personal account, not via normal channels; an email came in to the accountant saying, "Hey, I'm on this trip, I can't process this, I'll get you the paperwork tomorrow, but please transfer this information to this partner." There was a block of social security numbers and names, it was a file, it wasn't necessarily just a financial transfer, but the person thought this was legitimate, thought it was from the CEO, the person was gone that day. They had a relationship with this other person that they knew of, so it seemed like it made sense although it was out of the ordinary. They went ahead and did the transfer and they only really uncovered it later, when fraudulent IRS tax returns were coming in, and they traced it back to the fact that this individual had given up that sensitive information on their clients.

Dave Bittner: [00:08:07:04] What are the things that people can do to protect themselves? How do we defend against these sort of attacks?

Dan Lohrmann: [00:08:12:22] You know I think people need to be trained, they need to know what the processes are, they need to be re-trained, they need to understand the threat environment that's always changing; the bad guys are always adjusting their techniques to try and get in. And then lastly, I think you really need to have executives that understand and have executive buy-in, I mean getting that executive buy-in overlaying this. They need to understand, this is a really serious issue and they can't wait till the horses get out of the barn before they fix the barn door. I mean it's too late at that point.

Dave Bittner: [00:08:44:14] That's Dan Lohrmann from Security Mentor.

Dave Bittner: [00:08:48:15] In Australia, you can bring-your-own-device to work, but you'd better not bring-your-own-birds, if the trendwatchers at MobileIron are to be believed. At least not if the birds are ill-tempered. Angry Birds is the most commonly blacklisted app in the Lucky Country. This kind of makes sense to us if you think of emus or cassowaries, we wouldn't want them around the shop either, (although the geese around the CyberWire world headquarters fancy themselves little velociraptors, too.)

Dave Bittner: [00:09:14:20] Niantic Labs, the wildly successful if harried purveyors of Pokémon-GO, earlier this month threatened players who downloaded unauthorized apps that enabled cheating with a "lifetime ban." But their relenting a bit. If you didn't really know what you were doing was wrong, you downloading cheaters, Niantic will overlook it just this once. But if you do it again? No Picachu for you, ever. Got that? Hope so.

Dave Bittner: [00:09:42:11] And finally France's Education Minister wants Pokémon-GO out of the schools for a host of good reasons, not the least of which is the sensible desire to keep dodgy outsiders away from the students. At least the rarer Pokémon should stay away, the Minister says, thereby reducing what the lawyers would call an attractive nuisance. As always, there are collateral consequences and we'd like to point out some of them to our many younger French listeners. Nicolas, Clotaire, Alceste, Louisiette, you're on notice. When your homework's missing the excuse, "Tiens, les Charmandres l'auront du mangés" is no longer going to fly. So sois sage, nos copains. Do you know our Podcast is actually really big in France? Well it used to be anyway!

Dave Bittner: [00:10:33:09] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:38:01] Joining me is Ben Yelin, he's from the University of Maryland's Center for Health and Homeland Security. Ben, I wanted to follow up with you on this story about Muddy Waters Capital and these medical devices, the short-selling of stocks, what is your take on this?

Ben Yelin: [00:11:53:06] Well, I think we have both legal and ethical problems here. I'll start with the legal problems. The hacking itself is actually not illegal. The US Copyright Office last year approved an exception to the relevant copyright laws that says that hackers, if they are acting in good faith, can attempt to discover the security flaws in medical devices. That exception has been in place since last October. In terms of MedSec emailing this information to the investment firm, so far there's no illegal activity in that; the SCC may look into this issue, but it's certainly not something like insider trading, at least the definition as we understand it.

Dave Bittner: [00:12:35:05] You use the word "good faith" I mean I think people would question good faith motivations here.

Ben Yelin: [00:12:41:08] Absolutely. I mean I think you certainly question good faith when it seems that the purpose of discovering this flaw was to enter into some sort of financial arrangement where the investment firm is shorting the stock and MedSec itself is benefiting financially. MedSec would argue that they have acted in good faith, that they're trying to have the market correct for St. Jude's failure in securing the product. But again that presents major ethical issues and I think that there might be a decent argument that the good faith standard here has not been met.

Dave Bittner: [00:13:16:24] So where do you think this will go from here?

Ben Yelin: [00:13:19:01] I think the SCC will look at, from a market perspective, whether this is something that will be legal. I think this is such a novel question that they just haven't had a chance to look at it yet. In terms of whether the hacking will continue, I think that's the biggest potential for trouble. If cyber security organizations see that they can turn a profit by discovering information and essentially selling it to investment firms, they would have incentive to continue doing that, and by doing that it creates a significant risk. I mean now you have the potential that hackers, or bad actors, will use these vulnerabilities to try and hack into this medical devices and obviously when we're talking about pacemakers that can have extremely serious consequences. I mean you and I were talking before we came on here about what if somebody did some sort of ransomware attack and demanded a million dollars or "I will use my hacking capability to shut down your pacemaker." I think that has very, very dangerous implications.

Dave Bittner: [00:14:21:05] Alright we'll keep an eye on it. Ben Yelin, thanks for joining us.

Ben Yelin: [00:14:24:08] Thank you, Dave.

Dave Bittner: [00:14:27:05] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.