CyberWire Daily - Daily: ISIS, al Qaeda compete online. WikiLeaks doxes DNC (courtesy FSB, GRU).
Episode Date: July 25, 2016In today’s podcast we take a look at the doxing of the DNC, a story which will have, as they say, “legs,” if only because essentially everyone now sees Russian intelligence behind the hack. ISIS... and al Qaeda continue their competition to inspire lone-wolf jihad. Turkey’s crackdown on would-be putschists continues. Anonymous goes after targets in Turkey. Cyber M&A notes. Dr. Charles Clancy from the Hume Center at Virginia Tech tells us about the challenges and opportunities coming with Smart Cities. And a look back at Friday’s inaugural Billington Global Automotive Cybersecurity Summit. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me. Authorities miss some attempts, stop others.
And Motown meets malware.
Our notes on the inaugural Billington Global Automotive Cybersecurity Summit,
including notes on safety, autonomous vehicles, bug bounties, and information sharing.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, July 25, 2016.
WikiLeaks has released a tranche of documents taken from the U.S. Democratic National Committee.
They include donor lists, including, unfortunately, a great deal of personally identifiable information about individual donors,
which many observers think was an unintentional mistake on the part of WikiLeaks.
More interestingly, they include a lot of intra-party emails.
These are the documents exciting the most outrage,
particularly among supporters of Senator Sanders' candidacy,
because they appear to show close coordination between the DNC and the Clinton campaign.
The Sanders campaign said over the weekend that it expects accountability for all this, and some of the accountability the Sanders camp expects seems to have come in the form of the resignation of DNC chair Debbie Wasserman Schultz.
Consensus among observers holds that Russian intelligence services gave WikiLeaks the documents.
Essentially no one anymore buys the Guccifer 2.0 sock puppet story.
It's all cozy bear and fancy bear, that is, Russia's FSB and GRU.
Why Russian intelligence would have publicly
doxed the DNC is another question.
The DNC's spin is that it's because
President Putin would prefer to see
a President Trump than a President Clinton.
The Republican National Committee's
answering spin is that this is ridiculous.
Preference for a President Sanders
above both these alternatives seems to have escaped the speculators as a possibility. That the Russian
government would want influence over an American election seems clear enough, but what outcome it
might be pushing is not so clear. Even less clear is what, if any, the official American response
should be. Motherboard publishes a piece by King's College London's Thomas Ridd in which he argues
that the government of the U.S., and for that matter the government of the U.K., can't safely
remain officially silent to Russian attempts to manipulate an election. More terror attacks over
the weekend are attributed to ISIS inspiration, either definitively, as in the Middle East,
or tentatively, as in Bavaria. The shootings in Florida yesterday seem, police say,
to have no terrorist motivation or connection.
Online monitoring apparently enabled Brazilian authorities
to disrupt plans to attack targets around the Rio Olympics.
The judge presiding over the case in Brazil credits both Facebook and Twitter
with having helped police gain insight into the would-be terrorist intentions.
Both ISIS and its jihadist rivals in al-Qaeda continue to call for attacks throughout the Dar al-Harb,
that would be where most of you listening to this podcast live,
with al-Qaeda specifically urging lone wolf kidnappings of Westerners
to be held as bargaining chips for prisoner exchanges.
Turkey continues its post-coup attempt crackdown,
initiating a state of emergency and temporarily, at least, suspending adherence to the European Convention on Human Rights.
The EU has protested.
Turkey's government is also demanding that the U.S. extradite Muslim cleric Fethullah Gulen, who's been living stateside in self-imposed exile for some years.
in self-imposed exile for some years.
The Turkish foreign ministry says he was a leader of the failed coup and that failure to extradite him will adversely affect Turkey's relations with the U.S.
The U.S. says it wants more proof of a crime.
Anonymous hackers, generally pro-coup or at least anti-Erdogan,
are currently active against Turkish targets,
one of which is energy provider Izmir Gaz.
In industry news, Core Security has acquired
Damballa. The price Core paid for the Atlanta-based Damballa is reported by the Atlanta Business
Chronicle to be around $9 million, which represents, the Chronicle says, pennies on the dollar for
Damballa's investors. And TechCrunch reports a pretty noisy exit from stealth. StackPath has emerged with $180 million in funding, led by ABRI Partners,
and four acquisitions already queued up, MaxCDN, Fireblade, Cloak, and Staminas.
Last Friday, we attended the inaugural Billington Global Automotive Cybersecurity Summit in Detroit.
The summit drew leaders of the automotive and security industries,
as well as from universities, the U.S. federal government, and the state of Michigan.
The summit was held immediately after AutoISAC, that is the Automotive Information Sharing and
Analysis Center, released its set of industry-specific cybersecurity best practices.
Several themes emerged during the proceedings. First, the automotive industry believes it's in a good position to build in security before it sustains a serious
dedicated attack on its products and it views the auto isac recommendations as a good initial step
the u.s. department of transportation is also preparing to release a set of guidelines for automotive cyber security in the near future, and it's noteworthy that the industry's focus, at least insofar as the summit's discussions were concerned, is on the cybersecurity of its products.
Second, senior automotive industry leaders said they were determined to regard vehicular
cybersecurity as akin to a safety issue and not a field in which they intend to see competitive
advantage. The U.S. Department of Transportation, too, sees automotive cybersecurity
as a space where it should be possible to realize significant gains in highway safety. Thus, there
was much talk of collaboration and threat intelligence shared by executives from several
automotive manufacturers. There were also many welcoming overtures to the white-hat vulnerability
research community and considerable willingness on display to use crowdsourced
bug hunting, as Fiat Chrysler is already doing.
Toyota's and Honda's participation suggested that this interest is not confined to U.S.
manufacturers.
Third, the industry appears intensely interested in lessons to be learned from other sectors,
with the defense and aerospace sectors in particular seen as a useful well of experience.
Finally, looking toward the future, it's clear that the industry sees the coming advent of fully autonomous vehicles as both transformative and effectively inevitable.
It's possible, several experts said, that we may see fully autonomous cars operating on the roads within 10 years
and available on an ordinary retail basis.
And, while the automotive industry is concerned about drivers' privacy,
it's clear they're more concerned with their safety.
As one industry analyst said during the event,
I love my privacy. I want to be alive to enjoy it.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. Thank you. the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, I know you wanted to tell us about security and privacy for smart cities.
Let's start off by telling our audience, what do you mean when you're talking about a smart city?
A smart city is a new concept that is gaining a lot of traction across both the local and regional government area,
but also companies that are involved in big data and analytics.
And it's essentially where you take the IT systems of a municipality and begin to integrate the systems and the data that's generated by those systems.
And this could include things like schools, libraries, transportation systems, public utilities, and public safety and law enforcement.
And the idea is that if you're able to aggregate all this information, you're able to run analytics on it that can generally improve the quality of life for the residents of that city.
And there have been a number of really interesting pilots that have happened over the last few years across the world
looking at different aspects of this, things like the sorts of instrumentation that might be useful for developing a smart city
to open platforms for analytics that might run on the data that's generated by these smart cities.
And, of course, anytime you're gathering and aggregating data, you've got issues with security and privacy. So how does that apply to smart cities? Exactly. So law
enforcement, for example, is very interested in being able to leverage this data for things like
predictive policing, which raises a lot of concerns about civil liberties and privacy.
In general, there are key challenges with identity management, privacy of citizen data and how that data gets
used, and then security of the systems that are holding that data. There's a number of emerging
protocol standards in the world of machine-to-machine communications, a new IETF standard
called the Constrained Application Protocol, a number of legacy messaging protocols such as
MQTT and AMQP, all of which support security features like TLS and
DTLS for encryption of data. But so far, I haven't seen really much in the way of robust authorization
of that data, mostly because these pilots so far have been fairly rudimentary in their development
and demonstrations. So personally, I think there needs to be a lot more work in the area of authorization and how this data gets used. And I think so far,
really, people haven't even begun looking at the cloud backends and the security of those
to make them resilient to hackers who may seek to mine a significant amount of data all in one place.
Are there any cities that are on the brink of implementing these kinds of things? Anybody
doing any pilot projects in the real world? Indeed, there are pilots going on across
the United States and in Europe as well. Here in Arlington, Virginia, Virginia Tech is very
involved with the Smart City Initiative here in the National Capital Region, and it's a cornerstone
of our current research thrust in cyber-physical system security. Dr. Charles Clancy,
thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Thank you.