The CyberWire Daily Podcast 2.25.16
Ep 43 | 2.25.16

Hacktivism vs. Italy & the UN. Ransomware update. Report on healthcare's cyber threat model. Apple takes the 5th?

Transcript

Dave Bittner: [00:00:03:09] Anonymous protests on Adriatic pipeline on environmental grounds. TeaMp0isoN is back and effing with the UN. Operation Blockbuster fingers North Korea in the 2014 Sony hack. A study suggests that the healthcare sector is operating with the wrong threat model. Apple's lawyers surprise observers by preparing a Fifth Amendment repost to the Justice Department. Finally, the ghost of Jo Hill, or was that the Ice Wizard, walks the streets of Silicon Valley.

Dave Bittner: [00:00:31:14] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:00:55:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 25th, 2016.

Dave Bittner: [00:01:01:18] Anonymous surfaces again in attacks on government websites in Italy's Apulia region. The cause is said to be opposition to the Trans-Adriatic pipeline project intended to carry natural gas from Azerbaijan. The opposition is based on fears of environmental dangers the pipeline might pose to Apulia.

Dave Bittner: [00:01:19:02] In other hacktivist news it appears that TeaMp0isoN is back. The crew is widely believed to have been effectively dismantled over the past few years by arrests or by drone strikes, the group's most famous alumnus is thought to be the late Junaid Hussain, also known as TriCk. The UN's World Tourism Organization was briefly defaced this week and suffered a data dump by hackers claiming TeaMp0isoN membership. TeaMp0isoN's Jimmy gave the motive, "We owned the UN back in '11", said Jimmy, "It only seemed right to eff with them again."

Dave Bittner: [00:01:51:03] The industry group running Operation Blockbuster against the Lazarus Group indicates that their research points fairly conclusively to North Korea as the source of the 2014 Sony hack. This agrees with earlier U.S. government attribution and runs counter to Norse's 2015 argument that the incident was a kind of riot with many participants, the North Koreans among them, but instigated by disgruntled employees working with hacktivists. Operation Blockbuster also serves as an interesting case study of how cybersecurity companies can collaborate against threat actors.

Dave Bittner: [00:02:22:18] The usual churn continues in the world of ransomware. CTB-Locker also known as "Critroni" is back as a minor league counterpart of TeslaCrypt, CryptoWall, and Locky. It's likely to remain minor league in so far as it targets websites whose contents of course are routinely backed up and easily restored.

Dave Bittner: [00:02:41:17] Mobile health records, an attractive option to the healthcare sector for many reasons, continue to exhibit disturbing patterns of vulnerability and poorly resourced security, and it's not just mobile devices and networks that are problematic. Independent Security Evaluators has released the results of a two-year study of hospital cyber security it recently completed, and those results are discouraging, especially in so far as they suggest medical device vulnerability to cyber attack. The Baltimore Sun's account is a bit breathless suggesting the possibility of death by cyber, but the risks appear quite real. We spoke with Independent Security Evaluators CEO, Stephen Bono about the report.

Stephen Bono: [00:03:19:21] Our strife is based around the question, if one were to be so inclined, how difficult would it be for them to break into, cyber attack on a hospital of some kind. We were getting inter-web applications. We did a USB experiment where we distributed USB drives. We were able to access hospital systems from a lobby kiosk in one incident. Today, almost everybody's talking on medical records. What we found is that most efforts by security vendors is to provide security for hospitals, and most efforts by hospitals to be more secure, all centered around protecting the loss of these records, and not actually protecting the medical devices that its compromise could harm the person.

Dave Bittner: [00:04:08:06] You can read the hacking hospital's report at securityevaluators.com

Dave Bittner: [00:04:13:18] Proofpoint takes a look at hacker behavior and turns up some unsurprising trends. Cyber criminals want, for example, banking credentials and regard fraudulent wire transfers as their mother-lode. They also devote much attention to crafting spear-phishing messages for business e-mail compromise, but here's one surprising trend. Do you know that you're most likely to be phished bright and early on a Tuesday morning? Neither did we.

Dave Bittner: [00:04:37:01] Turning to industry news KEYW gets a nice boost in the markets after reporting better than expected earnings. The company is also restructuring, selling off its SETA unit, that's systems engineering and technical assistance, to a Massachusetts firm for $12 million. CEO, William Weber, tells the Baltimore Business Journal, that KEYW is considering strategic alternatives for its Hexis subsidiary.

Dave Bittner: [00:05:00:14] CryptoWar is being adjudicated in the courts now, and Apple's lawyers are preparing a case, as unexpected as the Department of Justice is basing its own case on the All Writs Act. It was expected that Apple would cite the First Amendment as it apparently intends to. It wasn't expected that they'd also cite the Fifth Amendment's protections against self incrimination. Some quick clarification on the case from the University of Maryland's Jonathan Katz, who recently took us through the technical implications of Apple's dispute with the Department of Justice. Apple didn't give FBI access to the disputed phone's iCloud data. The FBI didn't need Apple's help. The phone was owned by San Bernardino County and therefore it was within the County's ability to grant access. It was widely, but misleadingly, reported that Apple had provided the iCloud data in this case, probably because Apple had been served with a warrant. They didn't provide the iCloud data: they didn't have to. While the case may be decided in the courts, it's also playing out in public.

Dave Bittner: [00:05:55:09] Apple CEO, Tim Cook, says that delivering compromised encryption would be like distributing a carcinogen. The company is said to be working on devices that Apple itself will have no means of breaking into. Verizon comes down on the side of Strong Crypto, and thus of Apple, but Arizona's Maricopa County District Attorney says, his department will no longer buy Apple phones. Put down Maricopa County then, in the FBI's column.

Dave Bittner: [00:06:18:16] Finally, there are signs of employee discontent in Silicon Valley, and in this case we mean literal signs. Someone stuck posters to lampposts on University Avenue in Palo Alto calling on Palantir employees to stand up for startup employees' rights, and specifically telling them they should strike for bigger, or at least non-zero equity stake in their companies. We have absolutely no idea what conditions are like at Palantir, or in any other Silicon Valley company, but we do know that the posters feature a dead unicorn. To one of our stringers that unicorn looks more like an Adventure Time Rainicorn. Finn and Jake, call your office.

Dave Bittner: [00:06:58:22] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the federal hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:07:17:09] Malek Ben Salem is the R&D manager for security at Accenture Technology Labs, one of our academic and research partners. Malek, obviously we all know authentication is important, but your research is taking it to the next level with behavioral biometrics.

Malek Ben Salem: [00:07:30:12] Well, as you know, existing access control mechanisms and authentication mechanisms are limited, in the sense that we rely a lot on passwords which are easily still run or guessable using password crackers. So, we want to compliment those types of access control and mechanisms with behavioral biometrics. They're not easily visible. They're hard to mimic, and there's not a significant impact from losing them. So, if you lose a copy of your fingerprint, that may have more great consequences than your behavior which is not easily observable or mimicked.

Dave Bittner: [00:08:13:14] Give me a rundown of what kinds of things fall into the category of behavioral biometrics.

Malek Ben Salem: [00:08:18:12] So, things like how do you type? How do you use keyboards? How do you use a mouse? How do you interact with a system? All of those are types of behaviors that we can use to authenticate or de-authenticate users. The type of research we're focused on in our labs is to look at how users use application, and the reason we focus on those rather than keystroke dynamics is that an adversary, for example, may log into the system and feel information without having to necessarily type anything on the keyboard.

Dave Bittner: [00:09:01:16] So, the system is learning about my behavior over time, and then on an ongoing basis comparing my behavior to what it knows about me.

Malek Ben Salem: [00:09:10:11] Correct. We build a baseline of your normal behavior and then in real time we compare the behavior of the user using the system with the historical behavior, or the behavioral model that we built for the illegitimate user of the system, and if there are any significant deviations than we can de-authenticate the user or take them out of that session.

Dave Bittner: [00:09:35:04] Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:09:39:14] ...and that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our Editor is John Petrik. I'm Dave Bittner, thanks for listening.