The CyberWire Daily Podcast 6.5.17
Ep 363 | 6.5.17

ISIS claims responsibility for inspiring attacks in London. More are expected during Ramadan. Hacks roil Middle Eastern diplomatic waters. Ransomware updates. India investigates possible aircraft hacking.

Transcript

Dave Bittner: [00:00:01:01] I want to give a quick shout out to our latest Patreon supporters. Thank you so much for helping us do what we do here. If you want to help support the CyberWire, go to patreon.com/thecyberwire to find out more.

Dave Bittner: [00:00:15:02] ISIS claims responsibility for Saturday's terror attacks in London. The UK reacts with strong words against terrorist safe spaces online. The Prime Minister wants restrictions on end to end encryption and a very hard line against extremist messaging. Hacking has diplomatic consequences for Bahrain, Qatar and the United Arab Emirates. India investigates a possible cyber attack against a fighter aircraft. Ransomware purveyors are also selling stolen data and EternalBlue exploits remain active.

Dave Bittner: [00:00:49:13] A quick note about some research from our sponsors, Cylance. The hoods at Shellcrew, an organized cybercrime gang, are using and improving a family of malware Cylance calls StreamX. Unfortunately, StreamX flies below the radar of conventional signature-based antivirus solutions and, when it gets in, all kinds of bad things follow. Shellcrew can modify your file system or registry, create system services, enumerate your resources, scan for security tools, change browser settings and, of course, execute remote commands. StreamX is being served up by some legitimate websites, mostly Korean. It's a nasty RAT you want nothing to do with. To get the information on StreamX, go to cylance.com/blog and check out the paper on Shellcrew. That's cylance.com/blog and, while you're there, find out how to defend yourself from this and other threats, with Cylance Protect. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:11] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, June 5th, 2017.

Dave Bittner: [00:01:59:20] ISIS had called for jihad during Ramadan, and sadly, terror returned to the UK this Saturday evening. ISIS was quick to claim credit and, in fact, its various online publications have called for car and knife attacks on "civilians of the crusader nations." UK Prime Minister May yesterday, in an "enough is enough" speech delivered at 10 Downing Street, excoriated Internet and social media providers for giving terrorists a safe space to recruit and inspire. She called for a purge of extremism in general and radical Islamism, in particular from cyberspace. The Prime Minister also advocated restricting the widespread availability of strong, end-to-end encryption. Police are rounding up a suspected network for the attackers who drove into pedestrians on London Bridge and at Borough Market, then dismounted and slashed bystanders with knives. At least seven victims are reported dead, and forty-eight injured. Police shot three attackers dead.

Dave Bittner: [00:02:58:21] Authorities continue to comb jihadist networks and media for clues. They had made twelve arrests by Sunday evening. The London attacks appear, unfortunately, to be additional instances of action by known wolves. One of the London Bridge terrorists had been reported to police some time ago for his efforts to radicalize children. Police, security, and public safety agencies worldwide move to heightened alert. ISIS newspaper al-Naba's Thursday issue had promised more attacks would be coming to the UK. Attacks have picked up during Ramadan, the Islamic holy month, which is expected to end June 25th with the sighting of the waxing crescent moon. Afghan police arrested a prospective suicide bomber believed ready to target a funeral. Afghan authorities say they have evidence that jihadist support networks afflicting that country are based in neighboring Pakistan. The Manchester terror-bombing had already prompted more discussion in the UK about restricting encryption. Prime Minister May's Sunday reaction to the London attacks indicates that this will become a government priority.

Dave Bittner: [00:04:05:02] Apart from vandalism and defacement of soft-target websites, the terrorist threat in cyberspace has mostly manifested itself in information operations, not proper cyberattacks. The web affords extremists a propaganda, recruitment, and inspiration channel with very low barriers to entry. Countering those information operations assumes greater urgency after a massacre; responses usually take the form of blocking, tighter surveillance, or counter-messaging. Blocking tends to strike public opinion as the most promising first response, but attempts by social media providers to filter content have shown blocking to be problematic. Not only does it seem practically impossible to disentangle interdicting extremist messaging from more obviously objectionable forms of censorship, but it's also just a lot harder than it looks. In Pakistan, to take one country's experience, more than forty banned extremist groups operate with impunity on Facebook. And it's not just Facebook: people game and hijack Twitter, too, and that can have significant implications for information operations. On May 24, Qatar News Agency (QNA) published remarks favorable to Israel and Iran. QNA and the Qatar government say they were hacked and the remarks were a fabrication and provocation, but this morning members of the Gulf Cooperation Council (Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt) severed diplomatic relations with Qatar. On Saturday, Bahrain's Foreign Ministry saw its own Twitter account hijacked by hacktivists protesting Bahrain's crackdown on opposition groups.

Dave Bittner: [00:05:40:11] A group calling itself "GlobalLeaks" has told the Daily Beast it will soon release hacked emails belonging to the United Arab Emirates' ambassador to the US. GlobalLeaks says the emails show attempts to manipulate public opinion in ways that are not to the US advantage. As governments are targeted by phishing attacks, particularly in the run-up to elections or other sensitive periods, they may wish to devote close attention to the security of their web apps. Netsparker's CEO, Ferruh Mavituna, told us in an email that, while government personnel and political campaign workers undoubtedly would benefit from training to recognize phishing, we also should incentivize more secure web application development. He argued, "There should be legal consequences of insecure web applications, especially in this day and age when everything is being shifted to web based applications and services, or as everyone knows it, the cloud."

Dave Bittner: [00:06:36:14] In a disturbing development touching Internet-of-things security, the Indian Air Force has convened a court of inquiry to investigate the crash of one of its Russian-built Sukhoi-30 fighters on May 23rd. It's disturbing because there seems to be a real possibility that a cyberattack on the aircraft's avionics may have contributed to bringing down the aircraft. OneLogin disclosed a data breach last week, possibly compromising multiple passwords its users stored with the service. Experts still recommend password managers, but they're getting queasy over the possibility that such tools can constitute a dangerous single point-of-failure. The WannaCry ransomware may have largely run its destructive course, but the EternalBlue exploits used to distribute the ransomware are still very much out there. FireEye reports that they're also being used to distribute the Gh0st RAT Windows Trojan. And there are other reports of odd probes suggesting various threat actors may be seeking to use the leaked exploits to establish persistence in a wide range of networks, presumably in the service of some future campaign. Finally, researchers at Heimdal Security have found evidence that the purveyors of Jaff ransomware have gone beyond extortion, and are selling victims' data in dark web markets. Another reason, as if any more were needed, not to trust the word of cyber criminals when they hold you up for ransom.

Dave Bittner: [00:07:58:23] And now some information from our sponsors at E8. We all hear a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics - you can't recognize the anomalies until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality and some insights on how these technologies can help, go to e8security.com/cyberwire and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:09:15] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We've seen recently the story about the FCC rolling back privacy regulations for ISPs, but there's an aspect of this that you say is being underreported.

Dr. Charles Clancy: [00:09:31:23] Indeed. Much of the current reporting around the roll back of the FCC privacy regulations by Congress has focused on the privacy aspect in particular. For those that haven't been following the debate that closely, there are basically two fundamental philosophies in how consumer data should be protected. The FCC's approach, that they came out with in October of last year, basically said that all consumers had to opt in for things like browsing history and other online activity to be shared with third parties. However, the Federal Trade Commission, the FTC, has essentially had the philosophy that subscribers need to opt out. Both groups agree that personally identifiable information, things like social security numbers, medical history and credit cards, all of that needs to be protected regardless, but it's all this sort of lower tier activity that would be of interest to advertisers that is in debate - with the FTC having this opt out approach and the FCC proposing an opt in approach. This ran its course and, ultimately, ended in Congress deciding to roll back the FCC's provisions in favor of the FTC's provisions and I think it will be interesting to see where this goes.

Dr. Charles Clancy: [00:10:46:22] The FCC and FTC have both agreed that they need to come together and come up with some common framework and advance that in such a way that it uniformly affects both the telecommunications, broadband providers and the service providers like Google, Amazon and Facebook. In particular, the part I wanted to talk about was another part of that same FCC Order. It was actually rolled back a month earlier, right after the administration switchover. There is a portion of the original FCC Order that covered cybersecurity regulations. In particular, it was going to require that broadband providers provide breach notification and inform the FCC if they've been hacked. Right now, publicly traded companies have to report when they have been breached to shareholders but only significant breaches so there are a lot of breaches that the members of the boards of these companies decide don't quite pass the threshold because it would have an adverse impact on stock price. Further, lots of smaller internet service providers have no breach certification requirements at all. Currently, telephony operators have to provide notification to the FCC whenever there is an outage of telephony service but there is this loophole where large telecommunications providers only have to report major breaches so they can elect to define things as not major and small non-publicly traded ISPs don't have to report intrusions at all.

Dr. Charles Clancy: [00:12:12:10] This would have changed that and required mandatory reporting to the FCC of breaches. It also had an entire set of provisions around deployment of a risk-based management framework for cyber protection - things like the NIST Cybersecurity Framework that we have all been hearing about over the last couple of years within telecommunications critical infrastructure sectors. Behind the scenes, the FCC used a provision that allows an individual bureau to stay a portion of a larger order without having to go back to the full committee for a vote and in March 2017 the Wireline Competition Bureau actually stayed the cybersecurity regulations that were in this order. Therefore, not only have we seen a roll back of privacy which has debatable impact across the entire sector, there has also been this cybersecurity regulatory rollback as well.

Dave Bittner: [00:13:04:09] Alright, Dr. Charles Clancy. Thank you for joining us.

Dave Bittner: [00:13:09:21] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit cylance.com. Thanks once again to all of our supporters on Patreon and to find out how you can contribute to the CyberWire, go to patreon.com/thecyberwire. I want to remind you all to check out the Grumpy Old Geeks podcast, where I join Jason and Brian for what is quite often a colorful and sometimes salty review of the week's cyber security news. We do have a lot of fun and you can find Grumpy Old Geeks, wherever the fine podcasts are available, so check it out. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.