CyberWire Daily - Daily: Election hacking (again). Also key sharing risks, and more.
Episode Date: September 7, 2016
In today's podcast we hear about cyber risks and cyber talks at the G20 summit. China may be looking to the Russian model in the Near Abroad as it thinks about its next steps in the South China Sea. The current state of Russian-American relations in cyberspace—they're dominated by election hacking and information operations. The risks of shared cryptographic keys. An Android Trojan evolves. Industry notes—contracts, patches, acquisitions, and lawsuits. John Leiseboer from Quintessence Labs outlines cryptographic and key management standards. Gabby Nizry from Ayehu explains the benefits of automation. And EXTRABACON is still a problem.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cyber risks and cyber talks at the G20 summit.
China may be looking to the Russian model in the near abroad
as it thinks about its next steps in the South China Sea,
the current state of Russian-American relations in cyberspace, the risks of shared cryptographic keys,
an Android Trojan evolves, industry notes, contracts, patches, acquisitions and lawsuits,
and you want extra bacon with that? Trust us, you don't.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 7, 2016.
The G20 summit, which concluded Monday in Hangzhou, the first time the session has been held in China,
saw foreseeable fears that those attending the summit would be the target of cyber espionage.
This has been par for the course at G20 sessions in recent years.
Policymakers and others attending were warned to expect a variety of hacks and other intelligence prospecting, warnings focused on Chinese intelligence and security services, and given point by
the current atmosphere of great and regional power competition over
territorial rights in the South China Sea.
That particular competition has had a cyber dimension that's widely expected to increase.
The Hague ruled against China's claims in July, and China's rivals for control over
the South China Sea, primarily Vietnam and the Philippines, have experienced cyber espionage
widely attributed
to Chinese intelligence services.
Observers think that Russian hybrid warfare in the near abroad, particularly against Ukraine,
may provide Chinese security services with an attractive template for action in the matter
of the South China Sea.
Hacking and the construction of artificial islands would seem consistent with that assessment.
China is also widely suspected of having been responsible for the OPM breach discovered and disclosed last year.
The U.S. Congress has just released the results of its long inquiry into the compromise that affected tens of millions of Americans who held or applied for security clearances.
It's highly critical of the way the Office of Personnel Management
handled and secured the personal data it collected and held. We'll hear more about this breach in
upcoming podcasts. If concerns with respect to China have mostly to do with regional territorial
claims and industrial espionage, the principal concern in the U.S. with respect to Russia
currently involves fears of election hacking. Circumstantial evidence
of Russian involvement in recent compromises of U.S. political sites has induced U.S. officials
at the meetings to seek a firmer line with Russia over cyber conflict and cyber norms.
Russian involvement in U.S. elections could take the form of a direct attempt to hack paperless
balloting systems, but that's less certain than the information campaign Moscow is generally regarded as operating, the goal of which appears to be casting doubt
on the legitimacy of U.S. elections and the U.S. political system as a whole.
Those operations are believed to have had so far at least three known components.
First, intrusion into election databases, which demonstrate vulnerability even though
the content of such databases is widely and often legitimately available.
Second, high-profile hacking of political party and campaign organizations, initially
quiet, then late this spring, noisy.
And the Shadow Brokers' sock puppetry that purports to have exposed Equation Group attack
code.
There may be a fourth incident, possible compromise of former
Secretary of State Clinton's private email server during her tenure in office. House Minority Leader
Pelosi has called upon Republicans to stop exploiting alleged Russian cyber capers
involving Democratic campaigns. The FBI released its findings last Friday.
This morning at the Intelligence and National Security Summit in
Washington, Director of National Intelligence James Clapper declined to comment on these incidents
on the grounds that they're being investigated by the FBI. He did, however, say that he foresaw
increased cyber activity by adversaries that include Russia, China, and transnational actors
like ISIS and ISIS's successor groups.
We'll have more notes on the Intelligence and National Security Summit later this week.
SEC Consult warned last year that too many embedded devices were sharing cryptographic keys.
The situation apparently hasn't improved, and concerns about those devices' vulnerability to man-in-the-middle attacks continue to rise.
We'll hear shortly from John Leiseboer from our partners at Quintessence Labs, who'll tell
us all about cryptographic and key management standards.
Kaspersky warns that an evolved version of the Gugi Trojan is now able to bypass Android
6 defenses against phishing and ransomware.
Most people agree that cyberattacks are coming in faster and more frequently.
We spoke with Gabi Nizri from Ayehu, where they specialize in automation that they say can help
combat the increasing velocity of incoming threats.
It's not only any more firewalls and antivirus and endpoint detections, it's now protecting against internal users and protecting people
and protecting machines from people, actually.
Describe to me, where are some of the areas where automation can really make a difference?
So, you know, automation is a game changer.
The moment you add automation to the game, you are able to reuse, you enrichment, collecting data, investigation,
forensic work, and so on.
It can take all the long process from the moment you have an incident until you are
kind of able to analyze what's going on, kind of cut it by 90%.
So take only this part of data investigation and forensics,
and basically you can squeeze it into minutes and even sometimes seconds.
It's a huge advantage to have that because you can actually respond quite faster and to contain and maybe even to remediate the incident before it's impacting the entire business.
And why do you think that so many people are afraid of automation?
Fear of not being able to control the process. Fear of what will happen if the machine will do
something instead of us. And again it's just about education and it's just about
people to trust automation. We know that most of the attacks and most of
the hacks that are being now today these days, are being, you know, done by machines.
So the war is against machines, not against real hackers that sit on the other side of whatever the planet is where he sits.
And he, the guy, is actually in real time now doing some stuff.
Machine against machine.
To kind of beat the machine, you have to be on the other side
using machines. So I think it's a process that people will start to see how machines evolve in
their day-to-day. And again, in IT, I believe it's already a mature market. I wish security could learn from IT what they have achieved so far with automation.
So it's not only tools, it's processes and knowledge and content that these guys need
in order to be able to fulfill their responsibilities on the cybersecurity risks.
That's Gabi Nizri. He's CEO at Ayehu.
In industry news, Google has issued patches
for the recently discovered QuadRooter vulnerabilities.
Iovation has acquired authentication shop LaunchKey.
And the Department of Homeland Security has selected
Imperva's SecureSphere web application firewall
and SecureSphere database firewall
for inclusion in its blanket purchase agreement for continuous diagnostics and mitigation tools,
continuous monitoring as a service.
And in less pleasant news, well-known intelligence unicorn Palantir
is said to be suing one of its early investors.
The allegation is IP theft.
Finally, you want extra bacon with your router?
Trust us, you don't.
It appears that Cisco ASA devices were among the more prominent targets
threatened by the EXTRABACON exploit leaked by the Shadow Brokers.
Too many of those devices are said to remain unpatched for comfort.
Cisco did promptly develop and push a patch after the exploit leaked.
So as always, keep your patches up to date and hold the bacon.
And I'm joined once again by John Leiseboer.
He's the CTO at Quintessence Labs.
John, I know you wanted to share some information with our listeners about the standards when it comes to cryptographic and key management.
What do we need to know about that?
Common standards help enable interoperability.
It's important, though, that the standards we use are properly defined, unambiguous, and vendor-independent.
There are standards for almost every technical field.
For cryptography and key management, there are standards from organizations such as the IETF, OASIS, OSI, the IEEE, NIST, ANSI,
the payment card industry, and plenty of others.
There's no problem finding a standard in the cyber security world.
Two of the more important interoperability-focused standards, though,
for cryptography and key management would be PKCS #11,
which is Public-Key Cryptography Standard number 11,
and KMIP, or K-M-I-P, the Key Management Interoperability Protocol.
Both of these standards are currently managed by OASIS,
the Organization for the Advancement of Structured Information.
And so, digging into those, I mean, how do we deal with them,
and what part do they play in cryptography and security?
PKCS #11 is a standard for a cryptographic application programming interface. It defines a vendor-independent
API for performing cryptographic operations such as encryption and digital signatures
and also key generation. PKCS #11 turned 25 this year, so it's quite an old standard. It was
originally managed by RSA as an industry standard
that moved to OASIS just over three years ago.
P11 is widely used in cryptographic products,
from smart cards to hardened security modules
and database encryption to web servers.
Similar standards to PKCS #11 would be Microsoft CNG,
or CAPI in the old days,
the OpenSSL API and the Java JCE interface.
In fact, both OpenSSL and JCE support cryptographic providers
that present a PKCS #11 interface.
The other standard I mentioned, KMIP, specifies a protocol
for the exchange of key management messages
between key management clients and servers.
It specifies operations such as create, register, and get
for objects like symmetric keys, key pairs, and certificates.
It's a relatively new standard.
It was first published in 2010.
All right, interesting stuff.
John Leiseboer, thanks for joining us.
And that's the CyberWire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.