CyberWire Daily - Daily: FBI hunts Russian bears, election hacking, chat bot warnings.
Episode Date: September 20, 2016. In today's podcast we hear about how the FBI is seeking to impose costs on Fancy Bear and Cozy Bear. Election hacking fears remain, despite DHS reassurances, and industry sources warn of privacy risks within campaign databases. Investigation continues into the ISIS-claimed weekend attacks. Cisco patches a firewall vulnerability related to a Shadow Brokers' exploit. Dr. Charles Clancy from Virginia Tech's Hume Center weighs in on the Muddy Waters Capital / St. Jude Medical legal battle. Casey Ellis from Bugcrowd explains how they crowdsource application testing. M&A activity, and another warning to beware of chat bots.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI is looking for ways to impose costs on Fancy Bear and Cozy Bear.
Election hacking fears remain despite DHS reassurances,
and industry sources warn of privacy risks within campaign databases. Investigation continues into the ISIS-claimed
weekend attacks. Cisco patches a firewall vulnerability related to a Shadow Brokers'
exploit, M&A activity, and other warnings to beware of chatbots. They're out phishing.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, April 20, 2016.
The FBI is looking hard for a way in which law enforcement could impose costs on Fancy Bear,
and probably on Cozy Bear, too. If you've misplaced your scorecard, Fancy Bear works for Russia's GRU, the country's military intelligence establishment,
and Cozy Bear is with FSB, which is the post-Soviet heir to the old KGB.
Reuters says the bureau is under pressure to do something,
but what thing it might be able to do is unclear.
There's a good bit of speculation about tighter sanctions.
What hasn't surfaced so far among the options are the names of any people behind the keyboards,
as FBI Director Comey has referred to state agencies' actual human operators.
The FBI has worked to bring indictments against named officers of China's People's Liberation Army
in industrial espionage cases brought in Pennsylvania.
So far, however, no named individuals have surfaced,
and so the cost to be imposed would appear likely to be sanctions as opposed to indictments.
Assurances and support from the U.S. Department of Homeland Security aside,
many in the security industry warn that vote hacking is possible and that it need not be
global or even widespread to affect an election. Security company LogRhythm, for one, pointed out a disturbing fact
to Dark Reading. There are about two and a half months between election and inauguration.
It takes an average of six months for companies to detect a breach.
Quite apart from voter fraud and foreign influence, the analysis of voter behavior
and preferences by campaigns poses its own threat to privacy.
Andrew Hay, CISO of security company Data Gravity, writes in Hack Read that political campaigns, like other organized and centrally directed marketing efforts, collect, analyze,
and use a great deal of personal information.
If you're in a demographic group of interest, expect campaigns to look closely at whatever
they can learn about you and your preferences. The security with which those data are handled may not even be up to advertiser
standards. And the data can't be assumed to disappear once the campaign is over,
so the risk may be an enduring one. Other high-profile investigations currently
underway are looking into the weekend attacks in New York, New Jersey, and Minnesota.
The cyber dimension here is the ISIS information campaign
that successfully radicalizes, recruits, and inspires fighters to violence.
Investigators are looking into the online activities of suspects in the attacks,
but so far not much has turned up.
So in these cases, ISIS may be applauding and claiming people
with a tenuous connection to the caliphate.
In any event, centralized command and control have never been the ISIS way.
Their operations have depended more on inspiration than direction.
Many are calling for more effective counter-radicalization programs.
Most countries have versions of these in place,
but the problem lies in the messaging and in the conviction.
It's unclear what Western societies could offer or would be
willing to offer that could compete with the promise of transcendence that motivates the
convinced to murder and to willingly die in the act of murder. The Shadow Brokers released a large
tranche of genuine zero days early last month, which the brokers claim to have got from a
compromised NSA operation belonging to the Equation Group.
Some of the exploits affected Cisco products, and Cisco quickly patched.
Cisco has issued another patch that fixes a vulnerability it discovered in the course of researching the Shadow Brokers leaks.
It affects a Cisco firewall and is similar to the Benign Certain exploit closed earlier.
It's unclear from reports whether the bug was in the Equation Group tranche
of zero days or whether the revelation of the Benign Certain exploit prompted the research
that disclosed similar flaws. Probably the latter, but in any case, patch. Mozilla is due out with a
Firefox patch today. This one is expected to fix a man-in-the-middle vulnerability in Mozilla's
popular browser.
Last week at the Billington Cybersecurity Summit in Washington, D.C., we sat down with Casey Ellis.
He's the founder and CEO of BugCrowd, a company that aims to crowdsource application testing, connecting crowds of independent security researchers with companies to uncover vulnerabilities and collect bug bounties.
One of the challenges BugCrowd faces is convincing companies to trust their apps to a group of hackers.
I really see that trust evolution as a very similar one that the market went through
when pen testing first became a thing back in the early 2000s.
And really what it comes down to is they're assessing risk versus reward.
They're getting used to a novel concept
and trying to get their heads around
what those risks actually are.
And a big part of what BugCrowd built
is things to actually mitigate that risk
and make it controllable for the client.
So it's an interesting one
because I think the biggest initial issue
is the sense of aren't hackers bad?
There's this, I think, immediate kind of link
that most people draw that someone that can do something bad to a computer
is someone that shouldn't be trusted.
And the reality of it is, you know, people like myself
and people like the folk that we have in the crowd,
they enjoy that type of thinking.
They enjoy thinking like a criminal, essentially,
but they have absolutely no desire to be one,
which makes them incredibly useful and, you know, really necessary at this point. You look at where the cybersecurity
industry is up to, there's a chronic shortage of resources. I actually think the big driver
for all of this is people are looking for more creative ways to connect talent to the
problems that they have.
In addition to connecting security researchers with companies, BugCrowd provides opportunities for the hackers to connect and learn from each other.
Basically getting the crowd to educate itself. So we've got, you know, forums, we've got like
channels that we've set up and different things. And like we encourage wherever we can,
communication between the researchers to help teach each other how to be better at all of this
stuff.
And for the better part, they're actually quite collaborative.
I get asked often, like, isn't this a competitive thing?
Sometimes it is.
You know, sometimes they have a secret sauce they don't want to share.
But for the better part, it's actually quite a supportive group of people.
You know, new people come in, and as long as there's this humble attitude and desire to learn,
like, that's the hacker mindset, right? So they kind of take them in as one of their own and it goes from there, which is
just, it's a wonderful thing to watch.
Ellis believes that crowdsourcing helps bring a level of proportionality to the fight.
In my mind, this is not about bug bounties or vulnerability disclosure as much as it is about just this
absolutely crying need we have to deliver more human creativity into this problem space.
Get people that don't think like security.
The thing is that engineers, people that are outside of security generally don't think
like an adversary.
They don't have an adversarial mindset.
And the problem, I think, with a lot of people in security is that we assume they do because that's just how we walk around, right? We're looking at the lock door and thinking about
how safe the lock is or whatever else. They don't do that. So there's this essence of
mutual understanding that needs to happen and this feedback loop that needs to be created.
And there's not enough people to do that. And the way that we're doing it right now is broken.
So the way I see this progress over time is basically, for, you know, coordinated
disclosure, people actually saying, okay, if you find something reactively, I'll provide a channel
for you to communicate that to me. That, I think, is going to become completely ubiquitous.
And then this idea of basically crowdsourcing
as a way of accessing talent and solving security problems,
I see that as being a necessary way to combat
just the lack of professionals we've got right now.
So it's going to be an interesting, particularly in the next three years in this space,
I think it's going to be pretty radical in terms of some of the shifts we see.
That's Casey Ellis from BugCrowd.
A quick rundown of some industry news.
Vista Equity Partners is taking Infoblox private, acquiring it for $1.6 billion.
Colorado-based WebRoot has acquired San Diego-based machine learning shop
CyberFlow Analytics for an undisclosed sum, and KBR has picked up Honeywell Technology Solutions,
which has a cyber practice. Finally, there are some warnings out there about chatbots.
As they get better at imitating human chit-chat, call and response, do keep your Turing test guard up. It's inevitable
that chatbots will be used for phishing. Indeed, Dark Reading reports that some chatbots have been
chumming around the Tinder dating app. Yes, believe it or not, some lovelorn gentlemen have been
hornswoggled by a chatbot who convinced them that it, or she, really truly cared, or at least was
up for a good time.
So be wary, friends, especially if that chatbot calls herself Tay.
Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back.
I know you wanted to talk today about the situation that's been brewing
with St. Jude's Medical and Muddy Waters Capital and MedSec Cybersecurity?
I think it's a really fascinating series of events that I think is unprecedented right now in the world of cybersecurity.
And for those of your listeners who haven't been following the news quite as closely over the last couple weeks,
basically, a couple weeks ago, Muddy Waters announced a short position on St. Jude's, which is a company that creates pacemakers and other
medical devices, basically saying that they had discovered through their consultant MedSec
a number of cyber vulnerabilities that were able to kill the
battery in pacemakers or change the therapies delivered by pacemakers, both of which could
have lethal consequences.
This was particularly interesting, in my opinion, because it was the first time we've seen a
hedge fund actually take a financial position against a company with respect to a potential cyber vulnerability
and the impact that that would have on their long-term stock value.
And many in the community were kind of upset by the tactics,
indicating that it wasn't really a responsible disclosure of a vulnerability,
while others felt that it was kind of an interesting way to really get people's attention and highlight the vulnerabilities in this domain.
Yeah, and we saw just this week that St. Jude has responded and has sued Muddy Waters and MedSec for defamation,
which is an interesting response.
It seems legal people are saying they have an uphill battle, but it's a response nonetheless.
Indeed it is, and they're basing a lot of their assessment on some work that was done at University of Michigan,
where they have a research center that's been funded by the National Science Foundation for the last few years,
looking specifically at medical devices.
And the researchers at University of Michigan basically say that the error messages that MedSec was able to demonstrate were perhaps not as catastrophic as they indicated they were.
And so while they weren't necessarily saying that the vulnerabilities weren't there,
they were just saying that the proof that's been presented so far is perhaps not conclusive.
So it's interesting to see the St. Jude's response, and I think what has a lot of people in the community on edge is whether or not this is an anomaly
or this is the new normal in terms of major vulnerability reporting.
All right, well, keep an eye on it. Dr. Charles Clancy, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.