CyberWire Daily - Daily: Grid hacking in Ukraine? German terror investigations. Airliner vulnerability dispute. NIST wants post-quantum crypto standards. Project Wycheproof. Wassenaar update.

Episode Date: December 21, 2016

In today's podcast, we hear about Ukraine's investigation of Saturday's power outages around Kiev—speculation says it was either a demonstration or misdirection. German police track terrorists' spoor online. Pakistani hackers hit Google's Bangladesh domain, possibly for the lulz. (Speaking of the lulz, OurMine is back and messing with Twitter accounts.) Panasonic and IOActive disagree over reports of airline vulnerabilities. Verizon mulls its Yahoo! acquisition plans, post-breach. NIST is looking for some post-quantum standards. Google's Project Wycheproof gets good early reviews. Joe Carrigan from the Johns Hopkins University Information Security Institute discusses the utility of burner email addresses. Sam McLane from Arctic Wolf reviews your incident response plan. Wassenaar renegotiation goes on hold. And the ShadowBrokers offer a low, low price for Equation Group code, if you act now. (But we say "pass.")

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Starting point is 00:01:56 Ukraine investigates Saturday's power outages amid speculation it might be either a demonstration or misdirection. German police track terrorists' spoor online. Pakistani hackers hit Google's Bangladesh domain, possibly for the lulz. Speaking of the lulz, OurMine is back and messing with Twitter accounts. NIST is looking for some post-quantum standards. Wassenaar renegotiation goes on hold. And the Shadow Brokers offer a low, low price for Equation Group code if you act now. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, December 21, 2016. Ukraine continues to investigate Saturday's apparent cyberattack on the electrical utility serving Kyiv and its environs.
Starting point is 00:02:42 Authorities, who say the outage was remediated in less than an hour and a half, disclosed the incident yesterday. There's no confirmation yet that the outage was due to a cyber attack, although suspicions are running high. Last December's grid disruption in western Ukraine is generally believed to have been the work of Russian intelligence services, but there's no attribution so far of this latest incident. F-Secure's Mikko Hypponen speculated in an interview with Reuters that if this is indeed a cyber attack, it could have two purposes. It might be either a show of power, aimed at driving home the message that Ukraine's government can't protect its citizens,
Starting point is 00:03:17 or it could be serving as misdirection and cover for some other, as yet unknown or undisclosed, operation. German police pursue suspected terrorists' online trail as ISIS claims responsibility for the murders committed at the Berlin Christmas market. ISIS appears to be concentrating its recruiting effort on children. One 12-year-old is suspected of building a nail bomb for use against Crusader targets. Much caliphate current chatter appears to fantasize about attacking Christians observing Christmas.
Starting point is 00:03:48 In the subcontinent, the Team Pak cyber attackers defaced Google's Bangladesh domain with a security awareness taunt. The incident seems more skid-caper than patriotic hacktivism or any other serious attempt on Bangladesh networks by a regional rival. OurMine is back, hacking a Netflix Twitter account and other high-profile online identities. OurMine is thought to consist of a small group of youths, with one of the leaders possibly operating out of Saudi Arabia. Panasonic denies with some heat an IOActive report
Starting point is 00:04:23 that Panasonic in-flight entertainment systems could compromise airline passenger data or even open flight control systems to interference. IOActive stands by its claims. After last week's disclosure of Yahoo's second major breach, Verizon is rumored to be reviewing its planned acquisition of Yahoo's core assets. What Verizon eventually does is likely to set significant precedents in M&A activity. Incident response plans for cybersecurity breaches are kind of like smoke alarms and fire extinguishers. You hope you'll never have to use them, but if you do, you'll be really glad you have them in place.
Starting point is 00:05:00 We heard from Sam McLane from Arctic Wolf about good IR planning and what's often overlooked. The real keys revolve around sort of three areas. They're sort of promote, plan, and then practice. And what I'm talking about there from a promotion perspective is start with executive buy-in. If you are a security person, a CISO, or even just a security manager, and you don't get buy-in at the highest, you don't have an executive sponsor to help promote the plan within the company, when the rubber hits the road and you actually need to draw from other people, you need a legal representative or someone from HR, you need to pull more of the IT team in, you then have to go sort of barter to get their time
Starting point is 00:05:42 slices. And that should be all set up beforehand. Everyone should understand the requirements, their roles within an incident response plan. And that goes to the planning piece, which is have it written down. This is not a large effort. There's probably a couple of weeks' worth of work getting everything written down. And then you maybe have a meeting once a quarter or once every six months with all the constituents so that they just understand, hey, here are the changes in the plan. Maybe someone in HR has left and you need to get a new representative. But keeping that fresh, even at a semi-annual sort of rate, is good enough so that when it does happen,
Starting point is 00:06:20 it's not like you're scrambling. And then practice. At least once a year, you should do some kind of a drill where you go in, you get an incident, and you run it to ground. We participate in those all the time. Some people call them tabletop security exercises where our champion at a customer will say, hey, I need you to fake a ransomware incident. And so we'll call our escalation chain within the customer. Everyone knows it's happening, but then they follow the correct procedures. And we go through,
Starting point is 00:06:50 you know, initial response, remediation steps, postmortem documentation, and walk through the whole thing for customers. And those three things are sort of the basic foundational aspects of having a proper incident response plan. And so what are some of the areas that people tend to overlook? So the biggest thing that we found is just maintaining good documentation. In mid-sized companies, the people that are actually going to execute different aspects of your incident response plan change quite frequently. They either get promoted, they move departments,
Starting point is 00:07:25 or they just turn over. And so you'll wind up having someone new in a job that's never even heard of the incident response plan, and we call them as your frontline help desk person and say, hi, this is Sam from Arctic Wolf. So-and-so just got phished, and here's the username, and here's the workstation ID, and they have no idea what to do.
Starting point is 00:07:42 And so we have to walk them through it and we coach them. But that sort of keeping people trained, keeping people up to date, just understanding who owns what in that is probably the biggest problem. Because at the end of the day, if it's a significant enough security issue, you'll be able to get the right people and you'll go do the work and it'll just happen. It's just how much pain do you want to go through when it occurs. That's Sam McLane from Arctic Wolf. In the U.S., the National Institute of Standards and Technology has asked cryptographers for input on information security standards in a post-quantum computing world.
Starting point is 00:08:20 The Institute's call for proposals for Post-Quantum Cryptography Standardization is available online in the Federal Register. Quantum computing is seen as posing a possibly fatal threat to the widely used public key cryptographic systems that protect banking and other online transactions. NIST hopes to be able to replace its three cryptographic standards most vulnerable to quantum computing. The week has seen another cryptographic initiative, this one from the private sector. It comes in the form of Google's Project Wycheproof, which aims to help developers avoid replicating vulnerabilities in open-source cryptographic libraries. We heard from security firm Synopsys on Project Wycheproof, and they approve. Adam Brown, Synopsys Security Solutions Manager, said,
Starting point is 00:09:05 quote, This is great for developers who have considered security in the first place to make sure they get encryption right. In our testing activities in the field, where we take a data-centric approach, we frequently see weak encryption or no cryptography at all. End quote. This is, he thinks, especially a problem in back-end systems interacting with data stores.
Starting point is 00:09:27 Wassenaar renegotiation will be deferred, and in the U.S. that means it will be left up to the incoming administration. The two-year effort to revise the agreements has adjourned without reaching consensus. The major sticking point is the regime's language about intrusion control software, which most in the security industry think would severely limit legitimate and indeed essential white-hat security research. And finally, the Shadow Brokers' English hasn't improved even to the point of broken plausibility, but we suspect that may be in the Brokers' eyes a feature and not a bug.
Starting point is 00:10:00 As the Grugq has noticed, these guys are hilarious. Equation Group code is still being offered at a deep, deep discount, if you act now, but few observers think the Shadow Brokers are activists interested in sticking it to the man, or as the Brokers would put it, wealthy elite. Still less that they're actually interested in this as a commercial venture, however often they describe what they're up to as a business. As far as the retail discounting is concerned, with apologies to Madman Muntz, it seems unlikely that the boss is on vacation and they've all gone crazy. Consensus has come to regard the Shadow Brokers as a Russian intelligence operation,
Starting point is 00:10:38 and we know for a fact that Vladimir Vladimirovich can be reached even if he's relaxing at his dacha. Stay off Ded Moroz's naughty list, Vlad, and do say hello to Snegurochka for us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:19 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. caught my eye about that leak of credentials was there was not an insignificant number of
Starting point is 00:13:07 addresses that were.gov and.mil addresses. Right. Right. What an opportunity for someone who might have their hands on the OPM breach data. Right. Right. Right. Yeah. You know, and obviously, you know, you could have extortion, you could have espionage, all those sorts of things. But in this day and age, I thought we'd touch on just this notion of having burner email addresses. Absolutely. There is no reason, if you're going to do something like this, there's no reason at all to use a.gov or a.mil email address. I have a.edu email address, and I send my wife emails from it and still feel a little bit funny doing that because I have a Gmail address and a Yahoo email address.
Starting point is 00:13:50 And if I needed an email address for something that was of a temporary nature, it's easy enough to go out and create another email address on one of these providers. Yeah, a Gmail address is free. A Yahoo address is free. They're free. You can have them forward to your primary email address. You can actually even set them up so you can read them on different
Starting point is 00:14:12 email clients. You don't have to use their web client. You can use an email client of your choice. So, but there really is a security aspect to this as well. There might be situations where you need to, you need to create an account at somewhere where maybe you're not 100% sure that this is something you're either going to stay with for a long time or even you might have a funny feeling about them. That might be an opportunity to use a burner address as well. Exactly. Or you could do as I do frequently and as I actually talked my mom into doing at one point in time, and that is just set up an address for all your affinity programs. So that you have an inbox where somebody says,
Starting point is 00:14:51 what's your email address? And you give them, it's joespam at yahoo.com. Right, right, right. Yes, right. Okay, right. So anywhere where you think you're likely to be spammed, that'd be great. You have a spam catcher email. Sure.
Starting point is 00:15:05 So just a black hole that you never check, or maybe you do check, but you just go in there and just select everything and delete it and move on. Right. Because it's not an email address where you would ever expect any actual communication to come from. But the bottom line is, don't use your official email addresses for any of these. For Adult Friend Finder. Yes. Don't do that. Not a good idea. Nothing good can come of that. No good can come of that.
Starting point is 00:15:27 And come on and get you in trouble. All right, Joe, good talking to you. My pleasure, Dave. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:15:55 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
