Cyber Threat Analysis for 23 Jun 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Cybercrime market sells servers for $8 to launch attacks

A major underground marketplace acting like an eBay for criminals is selling access to more than 70,000 compromised servers. It offers access to hacked computers owned by governments, companies and universities in 173 countries. Access goes for as little as $8 for a compromised server pre-equipped with software to mount DoS attacks, spam campaigns, illicit bitcoin mining or compromise online or retail payment systems. Low prices, searchable feature lists that advertise attack capabilities, together with services to protect illicit users from becoming detected attract buyers from entry-level cybercriminals to state-sponsored espionage groups. (Financial Review)

Why cyber security is losing, in a nutshell. What is our answer to such illicit marketplaces? What about our approach is going to change in response to the economically superior approach of our adversaries? The short answer is: nothing. Or viewed the other way: everything, as long as you can afford it. Cyber security has become a racket. It wasn’t intended to be, no one started out to be a war profiteer, but this is where we find ourselves and this is where we’re remain until we can figure out how to compete on price.

FBI approach to investigations puts security at risk, experts say

In an essay to be published on June 17, 2016 in Science magazine Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute (WPI), argues that the FBI’s recent and widely publicized efforts to compel Apple Computer to write software to unlock an iPhone used by a terrorist in California reflects an outdated approach to law enforcement that threatens to weaken the security of all smartphones, potentially putting the private information of millions of smartphone users at risk and undermining the growing use of smartphones as trusted authenticators for accessing online information. (Science Daily)

The benefit of the rapid growth/use/evolution IT is the ability to come up with new ways to do things. Law enforcement, like most governmental organs, can only seem to shoe-horn old ways into modern contexts. Poorly.Better investigative solutions that leverage technology in novel ways is more likely to come from an engineer, not a special agent, which is problematic in an agency that treats anyone not a special agent as a second-class citizen. Developing new investigative tactics, techniques and procedures that keep pace with advances in IT can help investigative agencies avoid the sticky legal, political and social problems they’re dealing with now. Success will depend not so much on technical expertise, but forward thinking leadership that is willing to blaze a trail vice trod well worn ground.

A massive cyber attack could trigger NATO response

A major cyber attack could prompt a collective response by NATO, according to secretary general Jens Stoltenberg. “A severe cyber attack may be classified as a case for the alliance. Then NATO can and must react. How, that will depend on the severity of the attack.” In 2014 the US-led alliance assessed that cyber attacks could potentially trigger NATO’S mutual defense guarantee, or Article 5. That means NATO could potentially respond to a cyber attack with conventional weapons, although the response would be decided by consensus. (IT News)

What constitutes a “severe cyber attack” isn’t defined, which is important because recovering from a cyber attack can be a relatively trivial thing when compared to recovering from an airstrike. The more severe the impact of a physical weapon the less analogous they become to digital ones. All the usual means and mechanisms for proving and confirming adversary action in meat space quickly fall away in cyber space. In the time it takes to achieve a high level of confidence in a perpetrator, and get sufficient support to act, and get agreement on what a proportional response is, the enemy has achieved its goal.

Ransomware scum build weapon from JavaScript

New ransomware written entirely in JavaScript has appeared encrypting users files for a $250 ransom and installing a password-stealing application. Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA. Bleeping Computer malware man Lawrence Abrams described the ransomware: “RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js. To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the onto the victim’s computer.” (The Register)
The ingenuity of our adversaries is not to be underestimated. As long as there is a buck (or bitcoin) to be made, there will be a tool that helps separate the innocent from their assets. As with all cyber security threats, combating this one will require a mix of technical and personal effort. “Don’t click on random attachments” is a mantra we as practitioners have been chanting for years with mixed results. Good training, incentives for good behavior, and a reasonable and enforceable policy on bad user behavior – actually enforced – is more likely to produce the kinds of results that help minimize the scourge of malware of all types.

Inside the Pentagon’s secretive preparations for a ‘cyber 9/11’

The massive coordinated cyber attack began with rolling blackouts throughout the electrical grid stretching across the Midwest. Then came the inexplicable malfunction at a large oil refinery in Texas. In southern California, the attack shut down several major ports by disabling hydraulic systems. Attacks on DOD networks threatened the systems that monitor North American airspace and the radars on which the U.S. military relies.This fictitious scenario was laid out for nearly 1,000 military, government and private sector personnel at this year’s Cyber Guard exercise, the nation’s largest test of its network defenses. (Military Times)
As with offensive tests of any type, the most valuable information is not necessarily what the bad guys did that worked, but what they did that didn’t work. Absent such information we are left to speculate that the good guys probably fared as well as most do in such circumstances, which is to say ‘not well’. Perhaps the most useful data to be generated from exercises like this is lost in the discussion of things-martial: what can we do to establish greater resilience in the face of an attacker’s inevitable success? ‘Keeping out bad guys’ is a goal we will never achieve; rapid detection and recovery is something within everyone’s grasp.

China-Based Hacking Incidents See Dip, Cybersecurity Experts Say

Chinese hacking of corporate and government networks in the U.S. and other countries appears to be declining, according to computer-security experts at companies hired to investigate these breaches. The drop-off is stark and may date back two years.  (WSJ)
Far ranging conclusions drawn from a relatively small data set. Ascribing a decline in observable activity from a set of actors to any particular governmental action is reasonable, but it also ignores myriad factors that argue in other directions. Far more in- and exculpatory data is going to be required before anyone can speak with any level of accuracy and authority about what works and does not work with regards to political/diplomatic/economic actions in cyberspace. As a former intelligence officer the thing that concerns me the most in situations where a source of information suddenly goes dark is: what am I missing?