DPRK plays offense and defense. PyRoMine and EternalRomance. Russian disinformation on Syrian massacre. Alt-coin heist may be misdirection. Nakasone confirmed at NSA. Webstresser takedown.

Dave Bittner: [00:00:04:02] North Korea goes big with GhostSecret. Meanwhile, Pyongyang's elite tries to covers its online tracks. PyRoMine uses EternalRomance to disable security systems en route to cryptomining. A complicated alt-coin heist may be misdirection for something bigger. Huawei may be in trouble over Iran sanctions. Apple patches. Europol takes down Webstresser. General Nakasone is confirmed as Director NSA and Commander USCYBERCOM.

Dave Bittner: [00:00:38:17] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give info sec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from recorded future. It's timely, it's solid and the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:44:24] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 25th, 2018.

Dave Bittner: [00:01:58:07] North Korea seems to be escalating a global "data reconnaissance campaign." McAfee researchers are tracking Operation GhostSecret, which they say is particularly interested in "critical infrastructure, entertainment, finance, health care, and telecommunications." They attribute the operation to Pyongyang's Hidden Cobra group.

Dave Bittner: [00:02:19:19] In other North Korean news, Recorded Future reports that the DPRK elite is going to ground, virtually speaking, exiting Western social media and online services in favor of Chinese alternatives where they'll presumably be less accessible to hostile surveillance. It's not clear that Alibaba, Tencent, and Baidu are really that much more obscure than, say, Amazon or Facebook, but Pyongyang's bigshots are taking their trade elsewhere. They're also using more obfuscation services.

Dave Bittner: [00:02:51:19] Fortinet is tracking a Python-based Monero miner. They're calling it "PyRoMine," and they say it uses ShadowBroker-leaked Equation Group tool EternalRomance to disable security systems en route to cryptojacking. Disabling security systems could also enable PyRoMine's operators to stage further attacks.

Dave Bittner: [00:03:13:13] Radio Free Europe | Radio Liberty reports Russian disinformation concerning Assad's nerve agent attacks against a civilian population. State-run media are using year-and-a-half-old footage from a movie shot in Syria to "prove" that the recent Sarin attack against civilians in Douma is a Western hoax. The film in question was a dramatization, not a hoax, of an earlier nerve agent attack against the rebel-held town of Ghouta in 2013.

Dave Bittner: [00:03:43:04] Many of the conversations on cyber security these days center on the notion of the humans being the weak link in the chain. The bad guys and gals rely on the fact that there's always a certain percentage of users that they can trick into performing some action, that gives them access to what they want. Joe Cincotta is Managing Director of Thinking.Studio where they've been working on implementing better design for better security.

Joe Cincotta: [00:04:08:05] At the most basic level we think people act rationally, but they don't. However they do act predictably irrationally and psychologists have been figuring out what these kind of hacks are for our psychology for decades. Around 2000 this guy called BJ Fogg started looking at it and seeing how you can actually design computer interfaces to change people's behavior and change what they think and what they do and this research ended up being used in digital advertising, it ended up being used in social media platforms like Facebook, that's, that is a fundamental part of them and also if you look at, you know, a lot of, like, online gaming, it's all designed around these behavior patterns and how they can create addictive behavior patterns. But not all of those hacks are about addictive behavior patterns. In fact, some of them are just about facilitating good behavior change. What we saw is, there's this huge gap in security and when you think about it from a security standpoint, like, there's some ridiculous statistic going round like 98% of all security incidents are essentially caused by human error in some way, shape or form.

Joe Cincotta: [00:05:18:03] So if you can change the way humans are interacting with software, to mitigate some of that, you'll have a huge impact. Secure user experience design is about looking for these foundational design patterns that can leverage all that learning from psychology but apply it to just principles of user experience design to make people behave in a more prudent way when it comes to security.

Dave Bittner: [00:05:44:12] Can you give us an example of sort of the difference between an approach that would, that would be secure design versus what we've done traditionally?

Joe Cincotta: [00:05:52:06] A great example is one that you might have already seen which Google implemented on Gmail, Enterprise Gmail. So if you use Google apps for the Enterprise, you'll notice when you email someone who you've never emailed before, it gives you a little warning, especially if that person is outside the organization. It'll put a little message under the email address, saying, "Hey, this person, you've never messaged this person and they're outside of your organization, just make sure this is what you really want to do," and that little yellow bar stands out against that white background that you're used to seeing on Gmail's interface and what you're traditionally used to seeing is nothing. You're used to seeing just a to, a cc and a bcc bar, if you look at your standard Outlook or, you know, any, any email client you'd be used to using. So these changes can be quite subtle but their impact can be enormous, right? And that, that Google, that Gmail example is a perfect example of the subtlety but also the potential benefit from that impact.

Dave Bittner: [00:06:50:09] Now, it strikes me that particularly with security professionals, I think there's almost a point of pride of sitting down in front of the machine, in front of a stark command line, do you ever find yourself having trouble selling the idea of design to folks who, you know, like to strip things down to their basics?

Joe Cincotta: [00:07:11:11] Well, yeah, it's a funny question that actually. What we find is they're not normally our customer and that's-- I think that's part of the problem actually, is when security folk are really thinking about this a lot of the time, they're thinking about the tools they need to use to solve a problem, right? They're thinking either, you know, some might be thinking about perimeter security, they might be thinking about infrastructure layer, they might be thinking about, you know, user training and education that way. But the conversations we're having normally are with product owners. Those guys instead have the opposite problem. They don't necessarily understand the impact or the implication of the security issues until it's too late. So we don't, I suppose, have the representation of these security folk in those conversations, right? That's the problem. And that's why we still have the problem that we have. The guys that are out there designing software are not the guys that are out there protecting the organization a lot of the time and we need to bring those two much closer together, so that we instead have security-- I suppose, think of it like the secure development life cycle, should include user experience design, as much as it includes, you know, OWASP and all the other things that we've got for the software engineering team.

Joe Cincotta: [00:08:22:03] I think that's the place that we're getting now, where we're looking and saying, "Actually, you know what, just because it looks pretty, doesn't mean it solves the problem," and in fact, you have to bring secure coding standards up to secure design standards.

Dave Bittner: [00:08:35:03] That's Joe Cincotta from Thinking.Studio.

Dave Bittner: [00:08:39:23] A complex hijacking of cloud service IP addresses in Chicago raises concerns about not only the immediate crime, theft of about $150,000 in cryptocurrency by spoofing MyEtherWallet, but of a more serious intrusion by Russian actors who may be staging an attack on commodity trading platforms or other financial infrastructure. The incident happened yesterday morning and lasted for about two hours. It involved around 1,300 IP addresses on Route 53, which is Amazon's domain name service. Amazon wasn't itself hacked. As the company said, quote, "An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of the issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain," end quote. The upstream provider in question is reported by Ars Technica to be eNet, a large Ohio-based Internet provider. The reason the incident has prompted concern about Russian staging is that the MyEtherWallet was redirected to a Russian server via a man-in-the-middle attack at a Chicago server. That server belonged to an Equinix customer and was located at the Equinix IBX facility, that's international business exchange, on Eastern Cermak. The server's location aroused concerns that the connection between the Chicago Mercantile Exchange and the New York Stock Exchange may be susceptible to compromise.

Dave Bittner: [00:10:23:06] $150,000 may be a lot to you or me, but to the attackers it looks like chump change. Their wallet already seemed to hold around $17,000,000 in alt-coin, and that, too, is grounds for concern that something else may be afoot.

Dave Bittner: [00:10:39:04] Huawei has joined ZTE in US crosshairs over sanctions violations. The US Department of Justice is investigating whether the Chinese device manufacturer violated US sanctions against Iran.

Dave Bittner: [00:10:53:03] Apple has patched MacOS, iOS, and Safari. As always, it pays to keep your systems up-to-date.

Dave Bittner: [00:11:01:03] Bravo, Europol. With its partners the international police agency has taken down a major Internet irritant. They've seized the infrastructure of Webstresser, a notorious denial-of-service for-hire shop. Six alleged members of the Webstresser gang are under arrest. The criminals operated under the fig leaf of a "stresser" business one might hire to test one's defenses. But no, they were in fact were selling DDoS to skid criminals.

Dave Bittner: [00:11:30:07] US District Judge Vince Chhabria has delayed sentencing in the case of Yahoo! hacker Karim Baratov. His honor wants more information on Baratov's connection with Russia's FSB. He'd like to see more on Baratov's involvement with a conspiracy. Such involvement might justify the prosecution's request for the unusually long eight-year sentence.

Dave Bittner: [00:11:54:00] And finally, the Wall Street Journal, announcing this morning that Lieutenant General Paul Nakasone was to be confirmed as both Director, NSA and Commander, US Cyber Command, said the Senate has approved his "duel hat," d-u-e-l. We thought at first that this was a typo, that they meant "dual hat," d-u-a-l, as in the two of them, but maybe that's wrong. It could be a showdown, with Nakasone asking the GRU's Igor Korobov to smile when he hacks that, before they slap virtual leather. Well, hey, we can dream, right? At any rate, congratulations, General Nakasone and good hunting.

Dave Bittner: [00:12:38:06] I'd like to give a shout out to our sponsor, BluVector. Visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise? The reason for this is simple, most organizations aren't prepared to detect it. Last year BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist tor RSA's 2018 Innovation Sandbox contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware or just want to learn more, visit bluvector.io. That's b-l-u-v-e-c-t-o-r.io. And we thank BluVector for sponsoring our show.

Dave Bittner: [00:13:41:05] And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cyber security at Lancaster University. Daniel, welcome back. We wanted to talk about cyber security in the financial services sector. You have some thoughts here. What can you share with us today?

Daniel Prince: [00:13:55:16] So I think one of the really interesting things about the financial services sector is that it's almost like one of the mis-underrepresented critical national infrastructures globally and we've seen a number of significant attacks against that-- those infrastructures. Fortunately though, operationally, financial services has a very strong response to cyber security attacks and that is in part due to significant regulation around operational resilience and operational risk. But increasingly, as we know, the financial services sector is becoming digitized. There are a number of new approaches, new start ups, selling slightly different variants on financial services that consumers can get apps for on their mobile phones or enable them to develop new approaches to managing their finances and then now the new regulations that have come out to open up the banking sector add a new dimension for that and that brings out a, a much wider economy for new startups and new businesses to develop. So my specific concern is that or interest here is that the financial services operate on the concept of trust and confidence. We have to trust that the banks are going to be able to do the right thing and we have to have confidence in them, that they know what they're doing. But we've seen from cyber security that nothing erodes trust and confidence quite as quickly as having a failing digital service.

Daniel Prince: [00:15:31:18] So it's that challenge between an increasingly digitized financial services sector that operates fundamentally on trust and confidence, against this idea that digital systems can quickly and rapidly erode trust and confidence and how do we manage that conflict.

Dave Bittner: [00:15:49:22] Yeah, and it seems to me like there's a disproportionality there where, I guess, it's almost a cliché that, you know, things can go wrong very quickly in the cyber realm.

Daniel Prince: [00:15:59:18] Yeah, and that, that's one of the, the slightly more concerning things, so if you look at the-- sort of the, the recent financial crashes, what we saw there was the fact that within the financial services sector we were building up considerable amounts of financial risk in these commodities that were being sold around mortgages or bad mortgages and bad debts. And it only took one or two little things to happen and then it cascaded and created a global failure. And now what happens when we set up systems that start to take people out of the loop even more. So for example imagine we've already got, you know, computational trading, algorithms, sitting there, looking at the stock market doing things but imagine that then combined with smart contracts, which are designed to start to sell physical commodities based on interactions within the digital realm. What I am concerned about is the accumulation of this hidden risk within the financial services sector, where one thing will happen that could cause a cascading failure across several systems, not necessarily failing, but cascading actions across several systems, which doesn't then have humans in the loop to be able to protect that from happening and causing a significant global failure. I don't want to be too doom and gloom about it, but that's one of the things that keeps me awake at night.

Dave Bittner: [00:17:28:00] Well, it's sort-- I suppose is it fair to say, it's sort of that unknown unknown, that systems are being put in place and no-one's 100% sure how those cascading effects might kick in?

Daniel Prince: [00:17:38:17] Yeah, certainly, so, you know, if I'm writing a smart contract on a distributed ledger system of your choice, then, you know, I don't know what other potentially smart contracts that will be out there, that might be affected by that. Particularly if say my smart contract is triggered based on some action in the real world and the output of another smart contract is to trigger that action in the real world. It could be very difficult, in terms of the complexity, to add all these things up and then the other thing is-- to think about, is that smart contracts and their evolution will make it much easier for individuals to be able to create these kind of automated trades and sales of commodity items or any other money based system that you want and therefore nobody is really going to be able to have that big overall picture and whereas now to create a contract for something is actually quite a lot of effort, there's a lot of cost involved, you have to get lawyers involved and so they tend to be very large, tangible things that you would put that effort into. But what happens when you can create smart contracts for selling items for $2 or $3 or pounds? You know, you've got this really complex interplay between all these things that can potentially cause a lot of problems because we just don't understand how they are all interconnected.

Dave Bittner: [00:18:59:13] Daniel Prince, thanks for joining us.

Dave Bittner: [00:19:03:19] And that's the CyberWire. Thanks to all our of sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.