CyberWire Daily - Daily: US attributes DNC hacking to Russian government, promises to protect itself. Russia dismisses attribution as "rubbish." WikiLeaks posts Clinton campaign emails.
Episode Date: October 11, 2016In today's podcast, we hear about Industrial control system worries in the electrical power sector. IoT botnets spook the EU, and research into Mirai reveals some interesting features of last month's ...DDoS attacks. The US Intelligence Community says officially that the Russians are trying to influence US elections. The Russians say it's rubbish, and the candidates swap accusations. WikiLeaks doxes the Clinton campaign. Level 3's Dale Drew discusses the security of election systems. Smrithi Konanur from HPE Data Security explains credit card security. The FBI wants another terrorist's iPhone unlocked. Verizon mulls the price at which it might now buy Yahoo! And experts suggest best practices for Cyber Security Awareness Month. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
Industrial control system worries in the electrical power sector.
IoT botnets spook the EU,
and research into Mirai reveals some interesting features of
last month's DDoS attacks. The U.S. intelligence community says officially that the Russians are
trying to influence U.S. elections. The Russians say it's rubbish. Hillary says Moscow wants to
throw the election to Donald. Donald says it's unproven. And besides, how about those State
Department emails? Investigation into the arrested NSA contractor proceeds,
and experts suggest best practices for Cybersecurity Awareness Month.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 11, 2016.
Worries about industrial control system security surfaced again late last week
as the International Atomic Energy Agency reported that an unnamed nuclear plant
sustained a successful disruptive cyber attack two to three years ago.
The attack posed no immediate threat to public safety,
but SCADA experts and utilities are expected to redouble efforts
at securing power generation and distribution facilities.
September's Internet of Things-driven distributed denial of service attacks against OVH and Krebs on security
continue to cause technical and policy alarm bells to ring around the world.
The European Union is moving toward some form of IoT security regulation.
So far it's unclear what form such
regulation will take, but the talk in the European Commission so far is about a labeling system
that would tell consumers their internet-connected devices are approved and secure.
The evolving policy will bear watching. Investigation into the details of the IoT
DDoS campaigns continues to center on the Mirai botnet.
Security company Imperva has published the results of its findings in its Encapsula blog.
The company says the Mirai botnet was both territorial, in that it disabled competing
malware on infected systems and prevented remote connection attempts on compromised devices,
and selective, in that its bots were coded to avoid IP addresses
belonging to, among other organizations, the U.S. Postal Service, the Internet Assigned
Numbers Authority, the U.S. Department of Defense, General Electric, and HP.
Late Friday, the U.S. officially attributed election-related email hacking to Russia's
government.
A joint statement by the Office of the Director of National Intelligence
and the Department of Homeland Security said the intelligence community
was not only confident the operations were conducted by the Russian government,
but that they could only have been authorized by, quote,
Russia's senior most officials, end quote.
So the U.S. intelligence community rules out not only the hacktivism
toward which Guccifer 2.0's sock puppetry would have misdirected attention, but also potential claims that
the breaches represented low-level, unauthorized freelancing.
The statement also calls document dumps by DCLeaks and WikiLeaks, quote, consistent with
the methods and motivations of Russian-directed efforts, end quote.
The ODNI and DHS profess clarity about the nature of those motivations.
These thefts and disclosures are intended to interfere with the U.S. election process.
Such activity is not new to Moscow. The Russians have used similar tactics and techniques across
Europe and Eurasia, for example, to influence public opinion there. Russian officials have, as one would expect, dismissed the attribution as rubbish,
designed to inflame what they're characterizing as unprecedented anti-Russian hysteria.
In the U.S. presidential campaign,
candidate Clinton has said that Russia's trying to throw the election to Trump.
Candidate Trump, despite being briefed earlier about the grounds for attributing the DNC breaches to Russia,
says it's unclear to him that Russia is actually behind the hacks.
He's also taken the opportunity to draw attention to Clinton's difficulties
with handling classified material during her tenure as Secretary of State.
Also late Friday, around the time the ODNI and DHS released their statement on the DNC hacks,
Wikileaks posted just over 2,000
emails purporting to be from candidate Clinton's campaign manager, John Podesta.
These emails look generally discreditable, as leaked emails usually do.
Wikileaks impresario Julian Assange has promised more regular revelations through Election
Day on November 8th.
The FBI wants another iPhone unlocked.
This one belonged to Dahir Adan, the apparent jihadist who went on a stabbing rampage in
a Minnesota mall before he was shot dead by an off-duty police officer.
The Bureau's efforts are expected to mirror those undertaken during investigation of the
San Bernardino massacre earlier this year.
Investigation into the NSA contractor arrested for allegedly having highly classified materials
squirreled away in his Maryland home continues.
The Intelligence and National Security Alliance is prompted to call upon the next Congress
and administration to modernize security policies, practices, and technologies in ways that would
more effectively mitigate this sort of insider threat.
Credit cards continue to be a popular target of criminals both online and with skimming devices.
Smriti Koninar is Global Product Manager for HPE Data Security,
and we checked in with her for some details on credit card security.
The old credit cards that are the maxed-extract credit cards,
they didn't have essentially a lot of security enabled in the cards themselves.
Hence, it was really easy to read the payment information through the magnetic stripe.
It was easy to duplicate those cards also, and hence the payment fraud was really rampant previous to EMV.
So with EMV chip-enabled cards, right now, the payment information of the consumer
is embedded into the chip itself, which is a secure device. And also, on top of that,
there's a lot of cryptographic operations that take place
for the authentication of the consumer and also for the transmitting the information,
the payment information into the EMV-enabled terminals. It's also cryptographically done.
What about, you know, on-device technologies like Apple Pay? Yeah, so that's a totally different security and payment technology there.
There's a concept called tokenization.
What we mean by tokenization is that the PAN number, the credit card number itself,
will be replaced by a random surrogate value.
So that way, it's basically used as a security reason.
Initially, it came about as a backend security. However, with Apple Pay and mobile wallets,
EMV, again, EMV core standards body, again, came about a new standard, which is called
as payment or EMV tokenization, where the tokenization is done
prior to the authorization. So what I mean by that is when you register to Apple Pay and you
enter your credit card information, the process that what it goes through is that that credit
card information will be sent to the network or the issuer based on your credit card information.
network or the issuer based on your credit card information and then the issuer or the network will send a token a payment token back to the apple wallet so whatever is stored in the wallet
in your mobile wallet is a token it's a payment token instead of the credit card number so that
essentially um enhances the security for payments quite a bit because the token is
essentially the one that is used for the transaction or the payment authorization.
However, that token itself cannot be used even if there's a data breach in Midway or
when there's a hacker that tries to get your information, the token itself is of no use
to that hacker because, again, he doesn't have the same device or even with the Apple Pay,
it also comes with biometric authentication. So it is additional authentication and security there.
So it's very hard to use that same token for other fraudulent purposes.
That's Smriti Konanar from HPE Data Security.
In industry news, Verizon continues to mull whether its acquisition of Yahoo's core assets should proceed and at what kind of discount.
Finally, a CISO, a consultant and a security vendor walk into a bar and the bartender says,
So, got any good best practices to share?
Just kidding. It's not really a joke.
It's just week two of Cybersecurity Awareness Month.
That CISO, consultant, and vendor are actually sharing
some worthwhile thoughts on best practices
with the readers of Healthcare IT News.
They're worth a review.
Among them are share information,
cultivate multiple sources
of intelligence, and don't neglect the dark web, plan and exercise your incident response,
keep your patches current, and above all, approach cybersecurity in the spirit of risk management.
You can read their comments at healthcareitnews.com.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default- default deny approach can keep your company safe
and compliant.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, as we get closer to the election here in the United States, we're seeing more and more stories about the potential for voter hacking.
What's your take on this? Is there something to this or is there more smoke than fire?
You know, I'd say there's a lot of discussion around online voting and voting security.
voting and voting security. You know, voting security in general has always had a little bit of a black mark associated with it, not only because of the accuracy of the voting machines
and their ability to be tampered with. You know, for example, there was a couple of years ago where
someone loaded Pac-Man on a voting machine. You know, I'd say the general consensus for voting security right now
is just, you know, the need for holistic standards across the voting space, the ability for,
you know, the back office infrastructure that is supporting as well as collecting voting data
to be better protected. There's a fair amount of concern that a lot of these
infrastructures are more susceptible to compromise than the voting platform itself.
The other one is, as I say, the motivation is today, there is this sort of accepted
half-truth, which is the belief that online voting or better voting security is not really going to
increase voting turnout. And what we've seen in other countries is, I'd say that's half-true.
In some countries, turning to online voting and better voting security doesn't have a material
impact on voter turnout. We've seen a couple of cases where it's been,
you know, a 10% increase or a 12% increase. But other countries have experienced between a 30%
to 40% increase in voter turnout because they made it more convenient for the end user to be able to
vote. And here in the United States, you know, voting is handled by the individual states,
which strikes me as a mixed blessing because you have a lack of a standard across all the states.
But on the other hand, it allows for experimentation.
Yeah, and the exact concern I'd say is just the lack of consistent standards.
Each state can decide based on their expertise at the time and their resources at the time what voting security means to them.
We believe that global standards are the key to fixing this, not just standards within the U.S., but standards across the globe.
There's a lot of countries that are doing online voting today.
Some of them have their entire ecosystem is oriented around people-based certificates, as an example.
around, you know, people-based certificates as an example. And, you know, we're not advocating that, but what we are advocating is more of a global approach to understanding the risk profile
and developing sort of approved methods for it so that each state now has access to a larger sort of
think pool or think tank of capability to provide better voting capabilities for their citizens.
All right, Dale Drew, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home. Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.