CyberWire Daily - Daily: Does Fancy Bear care if it's caught? Retaliation, vulnerabilities, litigation, and more.
Episode Date: September 15, 2016
In today's podcast we get an increasingly familiar update: Fancy Bear is dancing and prancing through poorly protected networks, and she doesn't seem to care who knows it. More politically motivated hacking out of Russia prompts US promises of investigation and costs to be imposed. Failures in digital hygiene continue to be exploited. SCADA hacks worry the electrical grid. Joe Carrigan from the Johns Hopkins University Information Security Institute offers tips for safe device sharing. SentinelOne's Tim Strazzere describes an Android vulnerability his research uncovered. And some good news: NIST has released a new cyber self-assessment tool, and they'd like you to give it a spin. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The bears are back, and apparently not too worried about who knows it.
From the DNC to the Republicans to the World Anti-Doping Agency,
disbelief is getting harder to suspend.
More politically motivated hacking out of Russia prompts U.S. promises of investigation and costs to be imposed.
Failures in digital hygiene continue to be exploited.
SCADA hacks worry the electrical grid.
And some good news, NIST has released a new cyber self-assessment tool and they'd like you to give it a spin.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 15, 2016.
The bears are back, and we're not talking mama, papa, and baby,
but their Russian cousins, Cozy and Fancy.
Especially Fancy Bear, who no longer really seems to care whether anyone knows that her paws are in the honey.
More emails from U.S. political figures have leaked, this time from the Republican side
of the aisle.
Many of them are of relatively recent vintage.
Those drawing the most attention are from former Secretary of State Colin Powell, who
has some unguarded things to say about both
presidential nominees. As usual, email rarely displays its authors to good advantage.
The Republican National Committee says that, contrary to earlier reports, the RNC itself
wasn't hacked, but that various Republican operatives were. The emails are being posted
on DCLeaks, which for some time has represented itself as the work of American hacktivists who respect and appreciate freedom of speech, human rights, and government of the people.
Most observers, however, describe DCLeaks as connected to the Russian government.
ThreatConnect is more direct. They say the leakers are Fancy Bear.
U.S. authorities have declined to attribute these incidents, and they've asked for public patience, but they've also said they intend to impose costs on those responsible. This brings up two trends we've heard much discussed recently
at last week's Intelligence and National Security Summit, Tuesday's annual Billington Cybersecurity
Summit, and this morning's Beat the Breach Symposium convened by Invincia. First, threat actors,
especially those run by the Russian intelligence services, seem increasingly indifferent to whether
the world knows they're involved. The last stages of Fancy Bear's incursion into the Democratic
National Committee, for example, was surprisingly noisy, and the compromise of the World Anti-Doping
Agency was similarly brazen. Sock puppets remain in ritualistic use,
but the deniability they afford is increasingly implausible.
The second trend the noisiness indicates, some observers say,
is that the threat actors really don't fear having consequences imposed on them.
Richard Clark, former White House cyber advisor, finds this a disturbing trend.
As he said this morning during Invincia's Beat the Breach session
at the National Press Club in Washington,
quote, the Russians are clearly very active in this election
and they don't seem to care that we know it, end quote.
He points out that when genuine emails are released,
as has been the case so far,
that sets up the possibility of future effective deception operations.
The next tranche of ostensibly stolen emails, for example, need not be genuine at all.
But at this point, clever fabrications will be generally believed and will be tough to disprove.
And that will carry weight.
The World Anti-Doping Agency was apparently breached by spear phishing,
and MacKeeper researcher Chris Vickery has reported that a misconfiguration on Donald Trump's official website exposed campaign intern resumes to the public
internet. Plixer's Thomas Poore told the Cyber Wire that in his view the campaign was fortunate
the website leak was ethically reported. Poore said, quote, the question that remains is who
else discovered the leak prior to its being reported?
Tim Strazzere is director of mobile research at SentinelOne, a company that provides endpoint and server protection.
He's credited with the discovery of an Android vulnerability involving image files.
It's essentially very similar to StageFright, which has been in the news recently.
So it's essentially an issue in how a JPEG file was being parsed. Specifically, it's called the EXIF format. So it's E-X-I-F.
And that's essentially the details contained within a JPEG for where this photo was taken
or what kind of camera it was taken with, or maybe the shutter speed.
And by improperly parsing that data, we're able to cause remote code execution and also to crash devices remotely.
Because what happens is certain applications, like Gchat or Gmail, actually parse this file before the user has said,
like, hey, I want to download this,
or I want to view this image. So by me sending you an email and you opening it, this could cause a crash on your side or potentially remote code.
Yeah, this really surprises me because I guess in my mind, there aren't many things more benign than a simple image file.
Yeah, it was interesting because this has a lot of implications where a simple image file could just be your avatar for
a game. Or, you know, if you're uploading maybe a picture to a social media site, or maybe you're
sharing something with some friends, those are all going to be static images, which we inherently
just assume are going to potentially be more safe than, let's say, oh, if I send someone a PDF, they might be more wary about that if they don't know who I am.
But an image, you know, it's just something you look at. So maybe that will be more safe.
So can you dig into some of the specifics? What kind of modifications do you make to the EXIF metadata to make things go bad?
There's bits in that structure
that say something like, where was the GPS coordinates? And GPS coordinates are going to be
a set length. I don't remember exactly the length, but let's just say they should be, you know,
six digits long after the decimal place. Well, the format accepted more than that, which nobody
would really anticipate because GPS isn't getting
longer by any means. So if we could set something like that longer, we could cause an overflow.
And then that basically meant that the program that's parsing it is going, well, I only expect
this many. So it should never be higher than this number or lower than this number. But by stuffing
something it didn't expect in there, it attempts to read it,
and now it's pointing to the wrong location.
So what are the ways that people can protect themselves
against this sort of thing?
So it's actually pretty interesting.
Since this is in the framework of the actual Android system,
there's not much that they can do.
My understanding, there's no real products on the market
that can protect you for this.
You basically need to get an update from Google.
So as of Tuesday, when they push this patch, all the OEMs have the patch, and Google has pushed out actual firmware updates for their devices that they control.
Hopefully, we'll see different OEMs actually pushing out updates as well to people. But what I suggest to customers
is to vote with your wallet who's getting updates and when was the last time you got an update.
So until you get an update for this actual patch, there's not much you can do.
That's Tim Strazzere from SentinelOne. Tim's discovery earned him a $4,000 bug bounty from
Google. He pledged that money to a local non-profit organization called Girls Garage,
a makerspace for middle school-aged girls,
and Google matched the pledge for a total of $8,000.
Well done, Tim.
SCADA security maven Joe Weiss warns on Control's Unfettered blog
that intelligent relays are demonstrably susceptible to hacking.
This is a matter of immediate concern to electrical utilities,
but such relays are in widespread use by other industrial sectors as well.
Mark Sachs, senior vice president of the North American Electric Reliability Corporation,
spoke this morning at Beat the Breach.
He talked through the well-known attack the Ukrainian power grid sustained last December,
and he noted that the outage was enabled by, again,
some mistakes in fundamental network hygiene that any enterprise anywhere might make.
Susceptibility to phishing, password reuse, and failure to bring systems up to date.
That section of the Ukrainian electrical grid was using an unlicensed version of Windows XP as its OS.
It's easy to be caught up in the long human story of error, so we're pleased today to be able to
close with some good news. And no, we're not talking about City Escape becoming the national
anthem. NIST, the National Institute for Standards and Technology, whose doggedly non-regulatory and
collaborative approach to standards development has been winning friends and influencing people for years,
has issued a draft cybersecurity self-assessment tool,
and the Institute is asking for your comments.
The tool is called the Baldrige Cybersecurity Excellence Builder,
and it provides organizations a way of assessing how effectively
they're using NIST's well-regarded cybersecurity framework.
Deputy Secretary of Commerce Bruce Andrews said today in a statement
announcing the release of the draft document
that the builder will enable enterprises to better manage their cyber risks.
So go to the Baldrige Performance Excellence Center at nist.gov
and let them know what you think.
Comments are open until December 15th of this year.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute.
Joe, you know, recently I had my teenage son here at the office with me,
and I was sort of keeping him busy.
I allowed him to use my laptop, and it struck me sort of midway through the day
that he was, I went over and looked at some of the stuff he was surfing,
and he was on a gaming site, and that site looked pretty sketchy to me.
It struck me that, you know, there's the whole issue of our teens,
protecting our teens and our kids and what they're doing, what they're not doing.
But also, if I'm sharing my computer with one of my kids,
how do I protect my stuff?
That's an excellent question.
The way I do it at home is everybody has their own device.
Everybody has their own computer.
Sure.
But not everybody can afford to do that.
Not everybody wants to do that.
Not everybody wants to pay the extra power bill that comes with having two massive gaming computers in their basement.
Hmm.
But one of the things you can do is you can set up an account for each individual in your house and make sure that they don't have administrator privileges on that PC. That will prevent them from installing software, and you can require that the installation of software asks for administrator privileges, and then they'll have to ask for the password. Of course, then you have to keep the password out of everybody else's hands, or else they're just going to go ahead and enter it and put it in.
You can also, if you have a situation like you had with your son using a laptop that he might not always use... These computers a lot of the time, I know Apple and Chromebooks, and I don't know if Windows has it, but they have guest accounts. You can just create a guest session and just go ahead and get access to the computer. But you have extremely limited permissions, but you can still do things like surf the web and check your email.
Yeah, I really should have.
I wish I'd thought about that ahead of time because they're so easy to set up, but it just didn't cross my mind.
But I think that's part of it, too, is that, you know, when it comes to looking out for our kids, sometimes they can be their own worst enemies.
Right.
They know what they want and they want it right now.
Yep.
And they're going to go and do what they need to do to get it regardless of what the ramifications of that are.
And I think the biggest thing you need to do is to educate the kids.
Educate them.
Tell them that when you get on this computer,
there are going to be websites out there that don't do what they say they do.
They're going to be doing something in the background. There are going to be people out there who aren't what they say they are. Not every 14-year-old girl you meet on the internet, 14-year-old son, is going to be an actual 14-year-old girl.
Right, right.
Right, and they're collecting data about you, and everything they ask you is being tucked away and filed somewhere.
Right.
So you don't want to take all the joy out of it, but you've got to instill a practical sense of caution, I guess.
Yeah, a healthy mistrust, I would say.
Healthy mistrust.
That's a good way to put it.
All right, Joe Carrigan, thanks for joining us.
My pleasure.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening. Thank you.
...is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.