CyberWire Daily - Daily: Russians interested in US elections? Russia says nyet, but DNC says da.

Episode Date: July 26, 2016

In today’s podcast we catch up on the big story in cyberspace—the expanding scope of the Democratic National Committee email hack. Most observers continue to see a Russian hand behind it, but some... point out that the evidence remains circumstantial. Experts see the hack as a cautionary tale in the importance of authentication and encryption. Stu Sjouwerman is the founder and CEO of KnowBe4, and he provides his take on the possible Russian hack. ISIS continues its attempts online to inspire lone-wolf jihadists. A young cyber start-up emerges from stealth, and we get an update on cybersecurity in the automobile industry from CyberWire editor John Petrik.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:56 The DNC hack seems to be spreading. Campaign consultants' private accounts may also have been compromised. Forensic evidence points to Moscow, but some still see room for doubt. Experts say the moral should be encrypt. ISIS claims to have inspired the most recent bombing in Germany. Industry news includes a look at automotive cybersecurity. And WikiLeaks' Assange says of the DNC docs, you ain't seen nothing yet. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 26, 2016.
Starting point is 00:02:36 The scope of the Democratic National Committee hack seems to be wider than initially believed. Not only were the party's networks compromised, but so apparently were personal records of Democratic consultants and Clinton campaign workers. DNC consultant Alexandra Chalupa began receiving pop-up warnings on her Yahoo! mail account shortly after she began searching for connections between Trump campaign chairman Paul Manafort and Ukrainian or Russian businesses as part of the DNC's opposition research. The automated warnings from Yahoo! security said, We strongly suspect that your account has been the target of state-sponsored actors, end quote. Other campaign officials' personal accounts and devices may also have been accessed by those state-sponsored actors, who are widely believed to be what CrowdStrike calls Fancy Bear and Cozy Bear, a.k.a. Russia's GRU and FSB.
Starting point is 00:03:22 CNN says federal authorities warned the Democratic National Committee of a potential network breach months before the party acknowledged and addressed the problem. The DNC says the warnings it received from the FBI were nonspecific. The FBI is currently investigating the hack. Most observers concur with CrowdStrike's attribution of the DNC hack to Russian intelligence services, and there's much speculation about Russian motives, largely centered on President Putin's conjectured wishes to throw the U.S. presidential election to the presumably simpatico Mr. Trump. Some security firms like eSentire and Rook do note that forensic analysis
Starting point is 00:03:57 of the kind CrowdStrike offers in evidence can be more circumstantial than dispositive. Finding a Kalashnikov at a crime scene doesn't mean the Russians did it, as Rook puts it. But signs do seem to point towards Moscow. What, if any, response the U.S. will make is unclear and will probably await the outcome of investigation. Krebs looks at both Democratic and Republican email practices and finds them wanting, specifically because they flunked authentication by not having implemented DMARC. Other observers think there are additional lessons to be learned as well.
Starting point is 00:04:30 The big takeaway, according to several security industry experts who contacted the CyberWire, is this. Encrypt your email. Here's a sampling of what they told us. InfoArmor's Byron Rashed said, quote, When dealing with sensitive information through email, it should always be encrypted, end quote. Sure, this can be inconvenient, but it's important if you want to deny hackers access to it. John Gunn of Vasco Data Security told us, quote,
Starting point is 00:04:54 Encryption is simple to use, inexpensive, and highly effective. It doesn't guarantee the hackers could not have obtained the information, but it certainly would have made their job a lot more difficult, end quote. He sees a systematic email failure of this kind as further evidence of the shortage of security professionals and campaigns' unwillingness to pay for their help, quote, There are many commercial solutions that do exactly what was needed to protect these leaked emails. It just takes a pro and some dough, end quote. Lastline's Giovanni Vigna notes that encryption, while important, doesn't render you bulletproof,
Starting point is 00:05:27 especially if a nation-state is after your data. Using encrypted email would have helped. Encryption adds another layer of protection, which requires an attacker to obtain the encryption keys of a user in order to decrypt the messages. However, if a nation-state is involved, it's not unthinkable that a compromise might include access to the secret key of the email recipients, end quote. Stu Sjouwerman is CEO of KnowBe4 and the author of the book Cyberheist: The Biggest Financial Threat Facing American Businesses. He gave us his take on the DNC hack.
Starting point is 00:05:59 You know, you kind of have to look at how these guys operate and what they have done before. Generally speaking, state-sponsored hacking organizations use particular types of tools, usually developed in-house with a very specific signature. If you see these tools come back over and over again, then you know who you're dealing with because that's a unique kind of identifier. It's not all that hard when you know who you're dealing with to point to what the source is of a particular hack. And so what about the notion that this represents an attempt by the Russians to influence the
Starting point is 00:06:39 U.S. elections? Where do you come down on that idea? Typical Putin. Most people remember that Putin is originally a KGB man. That's called FSB these days. But once you're a spook, always a spook is the expression. This is fairly normal operations from their perspective. So I'm not surprised at all. They're very good. They are extremely sophisticated. They have the best of the best over there. And if they really put their mind to it, you know, Russian hackers can get into pretty much anything. Sjouwerman is particularly intrigued by the use of WikiLeaks to distribute the documents. The fact that they're using WikiLeaks is interesting.
Starting point is 00:07:28 WikiLeaks doesn't seem to care that they are being used this way, but the documents are real. So it's a sword with a double edge in a case like this. You know, if WikiLeaks say, yeah, well, we don't care where it came from, even if it's the Russian state-sponsored hackers, we still promote it. That's just an interesting angle. That's Stu Sjouwerman. He's the CEO of KnowBe4. There is news in cyberspace beyond the precincts of the U.S. presidential campaign. ISIS remains sadly active online,
Starting point is 00:08:05 posting a pre-suicide video allegedly from the Ansbach bomber in which the young man declares his adherence to the Islamic State and his commitment to jihad. German authorities are increasing their scrutiny of potential terrorists, particularly among that country's recent influx of refugees. In industry news, Acalvio Technologies has emerged from stealth. The company, which has been operating for some two years, announced a combined $17 million in Series A and B funding. Acalvio describes its offerings as fluid deception, a shifting and less resource-intensive set of decoys for attackers.
Starting point is 00:08:41 Last Friday, the CyberWire covered the inaugural Billington Global Automotive Cybersecurity Summit in Detroit. Our full report is available online at thecyberwire.com, but today we caught up with our editor for an overview of what we heard there. We'll hear from him after the break. Finally, forgive us if we return in closing to the DNC hack and its attribution to Russia. There are a few notables who dissent from that attribution.
Starting point is 00:09:05 They include WikiLeaks founder Julian Assange, who says no one has any real proof the Russians gave him the documents. Assange says he's got lots more documents and will release them soon, and that they'll be enough to put Hillary Clinton in jail, which of course will be believed when it's seen. Russian Foreign Minister Lavrov also says Russia had nothing to do with it. Lavrov's denial is more denial by dismissal than non-denial denial. He said he wouldn't comment because he doesn't wish to use four-letter words. That's some good cultural awareness and knowledge of demotic
Starting point is 00:09:37 American idiom on the foreign minister's part. If he'd been speaking Russian, those words would surely have run to five letters.
Starting point is 00:11:26 Joining me is John Petrik. He's the editor of the CyberWire. John, last Friday you were at the Billington Global Automotive Cybersecurity Summit in Detroit. Just for our listeners, give us a brief description. What was this conference like? General Motors. They were very much present there. It brought together a lot of experts from the automotive industry, from also the security industry, from sectors that the automotive industry thinks it has something to learn from, notably aerospace and defense. And it brought some people in from universities and government as well. So what were some of the bigger trends that you saw in the conference? There's a strong sense at the conference that the automobile industry thinks that it's getting ahead of the problem of cybersecurity. They think that they have a chance to get it right from the outset because they, unlike many other sectors, they think haven't really been hit by a devastating cyber attack. So they think they've got a good
Starting point is 00:12:41 chance to get it right from the beginning. And just before the conference opened, the Auto-ISAC released the set of best practices for automobile cybersecurity that they'd been developing. The Auto-ISAC is an industry group that does that sort of thing. Any surprises that came out of the conference? The concern of the conference was overwhelmingly for vehicle security and safety, that there wasn't a lot of talk about protecting IP. There wasn't a lot of talk about protecting your networks against the kinds of hacking that we're familiar with in other corporate sectors. It was also interesting to hear that nobody at the conference thought that the industry was moving too rapidly down some of the technological lines of advance it's moving. No one, for example, thought that autonomous vehicle technology should be slowed down or stopped. In fact, people from both industry and government argued that autonomous vehicle technology
Starting point is 00:13:36 probably represented a very important advance in safety. So that was interesting. Some of the surprises came out of some familiar things. We've heard at many conferences over the last several years, people from the FBI and the Department of Justice talking about the importance of investigating cyber attacks and about imposing costs on the people who are committing them. So we heard a lot about that from the FBI and the DOJ. But there were some very interesting things that came out of there. One of the speakers was David Johnson, who's the Associate Executive Assistant Director, if I've got that long title correct, the Associate Executive Assistant Director of the FBI. And he was very interested in encouraging any company, any automobile manufacturer or supplier who came under cyber attack to come to law enforcement. And that's a familiar theme, of course. The FBI always says that. And I have no reason to think
Starting point is 00:14:31 they mean anything but that. He talked about the importance of getting to know your local FBI. But one thing he was very insistent on, and I think this was very interesting in what he said, he said, we're not going to treat you as anything other than the victim of a crime. So we're not going to treat you as the person who's responsible or liable for any crime. And in fact, he said, and he said this very slowly and very clearly, we will not provide opinion or comment to regulatory agencies. So what's behind that? What's the subtext there? The subtext is that there's been a lot of aggressive regulatory policing by some federal
Starting point is 00:15:06 agencies. And there are many people in industries, not so much the auto industry, but other industries, mostly health care, I think, who think that there are federal agencies who are kind of out to get them. And there was a little bit of a taste of that in the talk by the Federal Trade Commissioner. And she started her little presentation on her panel by saying, ironically, with some self-deprecating humor, I'm from the FTC and I'm here to help you. So that got the laugh. But she herself was in a kind of peacemaking mood. She talked about the importance of understanding that perfection is not the
Starting point is 00:15:43 standard. It can't be the standard. We're interested in working together with people to get it right. But those are the kinds of, when people like the FBI say regulatory body, regulatory agency, they mean groups like the SEC, the FTC, the FCC, that kind of body, the people who develop and enforce regulations. And the Bureau apparently wants people to understand that if they come to them with a problem, the Bureau is not going to dime them out to the regulators. John Petrik, editor of the CyberWire, thanks for joining us.
Starting point is 00:16:27 And that's the CyberWire.
Starting point is 00:17:11 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
