CyberWire Daily - Daily: Shadow Brokers: zero-day hoarding (or not) and firewall exploitation.
Episode Date: August 23, 2016
In today's podcast we discuss the Shadow Brokers' leaks, reviewing ongoing speculation and speaking with some experts who offer insight into the matter: Jason Healey, the principal investigator in Columbia University's study of NSA zero-day disclosure policy, and RedSeal's CEO and CTO discuss firewall security and vulnerability. Juniper joins Cisco and Fortinet in confirming that Shadow Brokers' zero-days affect its products. IoT encryption R&D updates. Security start-ups attract more investment. And some thoughts on what not to say to your VC.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Juniper joins Cisco and Fortinet in confirming Shadow Brokers' zero-days.
We hear from the principal investigator in Columbia University's study of NSA Zero Day
Disclosure Policy, and we talk with Red Seal about firewall security and vulnerability,
IoT encryption R&D updates, security startups attract more investment, and what not to say to
your VC. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 23, 2016.
Juniper Networks joined Cisco and Fortinet in confirming that the Shadow Brokers leaks include zero days for its products.
NetScreen devices running ScreenOS are vulnerable.
Most observers who've expressed an opinion have concluded the Shadow Brokers leaks are genuine.
There's more divergence on attribution of responsibility, although consensus continues to point to Russian intelligence.
A minority argues that this couldn't be the case, because the Russian organs would have held the material quietly and exploited it for their own purposes,
and that hence the leaks were the work of a rogue NSA insider.
But more observers, Edward Snowden of all people among them,
argue that disclosure is a deliberate move on the part of the Russian government to discredit NSA and place American intelligence collection in bad odor.
And of course, the complicity of a compromised insider
is consistent with a Russian intelligence operation.
That the Shadow Brokers are private actors with a mix of hacktivist and mercenary motives seems unlikely. Their online auction of the material has seen no serious
bidders, and as CIO points out, the loss leaders with which they've teased the market would have
brought a great deal of money from zero-day brokers, whether white, gray, or black hat.
As it stands, their bids yesterday totaled only a little more than $1,000.
There's been much speculation over whether or not the NSA has been hoarding zero days.
We spoke with Jason Healey, senior research scholar at Columbia University.
You led the study at Columbia University of NSA's zero-day policy, and you presented that
at DEF CON this year. And you suggested that there wasn't a big hoard of zero-days being kept by the agency.
Can you summarize those conclusions for us?
The research did a couple of things.
One, we wanted to get in and get some detail on this actual process that the government uses,
whether they're going to keep vulnerabilities to themselves or tell the vendor.
Second, we looked at how many does it seem like they keep per year.
And there, and so I'm a former White House staffer,
director of cyber policy, former NSA-er.
And if you had asked me beforehand, I probably would have said in the hundreds.
I don't think in the thousands, but it was possible.
When I talked to other folks that were like me, they were kind of inside outsiders, right?
I mean, they didn't know the real number, but they knew a lot about Washington, D.C., and about national defense.
And that seemed to be about right.
And it looks like that today the number is in the single digits.
I mean, we saw one number that said two in 2015. They retained
two vulnerabilities, at least two that the White House is aware of, far, far less than I think
anyone else would have guessed. What do you advocate as a policy with respect to government
discovery and disclosure of vulnerabilities? Well, you know, having been a former NSA,
former White House, right? NSA has got a spot, right? I mean, they are there and they've helped
to make sure that we haven't had additional attacks like 9-11.
You know, they're keeping an eye on what the Russians and the Chinese and the Iranians are up to.
And spying versus cyber means is one of the most effective ways to do that.
So we know that it has to have this role.
So one of the things that we'd like to get across to folks is there's actually a relatively good, mature process that seems to be happening right now.
You know, NSA is potentially a lot less nefarious than I think a lot of people fear.
We've already done a fair amount of transparency.
You know, most of it was forced on the White House, right?
They weren't talking about this process until Heartbleed came out,
and then that forced the White House, NSA and the White House,
to come out and start telling us more about this process. Has this Shadow Brokers incident, you know,
led you at all to reevaluate the conclusions of your study?
Not so far. I'm very open to it. I'm quite concerned that I might have to. You know,
Symantec came out, you know, they said last year we discovered 50 zero-days in the wild in 2015.
So again, you know, an NSA arsenal of dozens sounds about right if you said,
all right, well, we discovered 50, and that covers all of the U.S. ones,
all of the Chinese ones, all of the Russia ones, all of the organized crime.
And so right now, I'm prepared to come off of that,
but I haven't seen anything so far that shakes us.
That's Jason Healey, senior research scholar at Columbia University.
Red Seal is a cybersecurity company that specializes in network resilience.
They also found themselves mentioned in some speculative reports about the NSA leaks last week.
We wanted their take on that, as well as their thoughts on protecting firewalls.
I spoke with Ray Rothrock, CEO of Red Seal.
Last Friday, Salted Hash published a piece where they reported, with some skepticism,
that hackers with the handles Brother Spartacus and 13John said that someone called Dark Lord
was conducting a red team engagement of some Red Seal tools on behalf of In-Q-Tel,
and that they walked off the job with
a copy of the vulnerabilities the shadow brokers have published. Do you have any comments about
that piece? We really don't. We have no knowledge of any of that. And we were, the reporter did
call us and we don't have any knowledge of that at all. That headline and that article stunned us.
We don't know what happened with the
shadow brokers leaks in terms of any details of what they did or how they did it or whatever.
We just don't have any knowledge of that. But there's some other information on the web that
indicates that the tools leaked are legitimate and that there is some connection to the NSA.
And watching the fallout through other articles like FedScoop this morning, it's quite serious.
And companies like Cisco and whatever are taking this as a five-alarm drill.
So that's what we know.
So the story is that this may have involved firewall zero-days. We're wondering what your take is on, you know, how does an enterprise know that it has a problem with its firewalls?
So the nature of the vulnerability in some of these firewalls comes from SNMP, and this is a management protocol.
Dr. Mike Lloyd is Red Seal's chief technology officer.
What you need to think about if you want to understand what that means for an organization, you have to think about traffic to a firewall as distinct from traffic through a firewall, right?
A firewall exists to police some edge,
some boundary between one place and another.
And so you set these things up certainly at your outer edge,
but also for internal segmentation.
A lot of organizations over the last several years,
for reasons of resilience,
to try and increase their ability to withstand attacks,
they started using internal segmentation.
And this means you use firewalls at a lot of boundary locations,
and they're supposed to send all traffic through these devices.
So that's normal.
If you want to use the network, your traffic needs to go through a firewall.
But as a typical network user, you should never need to send any traffic to the firewall.
Now, what that means is that you normally set up a network to have a distinction between the people who can send traffic to the firewall and those who can't.
Right, this is different from all of the regular traffic
that has to pass through it.
So the trick with the "to" traffic is you set up
a network management zone inside a network.
It's a standard best practice,
but it's a quite difficult thing to do.
Right, this may sound a little bit abstract,
and well, because it's a little bit abstract,
organizations struggle to understand whether they've got good control of the traffic to their firewalls.
This is what scares them when news like this comes out.
The scary part is, okay, there's now a vulnerability,
and if anybody can send this SNMP traffic to my firewalls,
they may be able to get onto them and do all kinds of nasty things,
and they can't easily tell whether they've got control of traffic to the firewalls.
What can an enterprise do to protect themselves?
A very good starting point is to audit who has access to your firewalls.
Where do you allow access from?
You'll see this in the advisories from all of the makers of the firewalls as well.
They're all in a scramble right now to build patch software that is no longer vulnerable.
That's the routine response to a zero day. There's also a lot of focus not just on the
firewall devices, but on how you manage your network. Do you have a well-built enclave
where only your network management personnel who need to do this have access to the firewalls?
And so one of the first things you have to do is go check, okay, did I get that network
management zone built correctly?
That's Dr. Mike Lloyd, Chief Technology Officer at Red Seal.
Interest in and concerns about the security of the Internet of Things continue to grow.
Yesterday, researchers at Tohoku University in Sendai, Japan, announced development of what they describe as more efficient compression of encryption for IoT devices.
U.S. scientists at NIST are also working on standards for lightweight crypto of the kind
IoT devices will need. The task apparently is giving them the willies. Short keys of the kind
they're considering are relatively weaker. They're working to arrive at standards for devices that
will be lightweight enough to work on simple IoT devices, but that will remain strong enough to accommodate useful security.
In industry news, Threat Quotient announced this morning it had received $12 million in Series B funding.
The round was led by New Enterprise Associates, joined by existing investors Blue Venture Investors
and the Center for Innovative Technology.
Tempered Networks has said that it's raised an
additional $10 million in funding. Rally Capital joined existing investors in the round.
And finally, TechCrunch offers advice on how not to pitch your startup to venture capitalists.
Have you thought about saying, we are the Uber of our industry, applying curated,
user-generated gamification of the sharing economy. Well, TechCrunch says don't. The VCs will run for the exits.
We might add leveraging synergies to this short list of cliché elevator speech text.
Joining me is John Petrik, editor of the Cyber Wire.
John, what other news is coming in about this NSA leak?
We had the third major company confirm that, in fact, some of the material leaked does include zero-days that affect its products. That's Juniper Networks. Both Cisco and Fortinet had last week said that, yes, they confirmed that the zero-days did affect their products.
How about attribution? Are we narrowing that down at all?
Most people continue to believe that the leaks are ultimately the work of the Russian government. Most people don't find
the apparent identity of the shadow brokers particularly plausible. That being that they
are kind of disinterested activists who are also in it for the money, who want to strike a blow
against the people they call wealthy elite and so on and so forth. James Bamford, a journalist
who's written a lot about the NSA for many years,
his book The Puzzle Palace was the first general study of the NSA to be published several decades ago.
Bamford has looked at it and he said that he doesn't think it could have been the Russians.
It's foolish to speculate that it was the Russians because had the Russians had access to this material,
they would have been the last people in the world to disclose it, to reveal it.
Okay, but there are alternative explanations as well. I mean, the grounds for thinking that it
has to be an insider come largely down to observations people have made that some of
the content of the leaks of the material that's leaked so far, appears to contain words that would have only been accessible to someone
who had access to an air-gapped system.
So the notion is that there's another Snowden, as people are calling him,
pilfering this stuff, taking it out on a thumb drive or some other storage medium.
So that's possible.
And it's worth noting, however, that the existence
of a rogue insider is by no means incompatible with the whole operation being a Russian
intelligence operation. John Petrik, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.