CyberWire Daily - Daily & Week in Review: Car hacking. Flash Player Patched. DNC hack updates, fighting terror in cyberspace.
Episode Date: June 17, 2016

In today's podcast we continue to follow the developing story of the Democratic National Committee hack (Russia denies responsibility, but CrowdStrike stands by its attribution). DNC chair Wasserman Schultz says no financial information was lost, and on cue Guccifer 2.0 produces some. The FBI continues its probe of possible ISIS connections to the Orlando killings. Researchers describe an approach to developing intelligence from social media. FireEye is said to be uninterested in being acquired. Tanium's not interested, either. Some serious bugs are addressed this week. Dale Drew from Level 3 compares honey pots to live data and Craig Smith from Open Garages takes us on the road to car hacking.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia says, nope, we didn't hack the DNC, but CrowdStrike stands by its attribution.
Guccifer 2.0 shows up DNC chair Wasserman Schultz,
as both Snowden and Trump share their own speculations.
The FBI continues to probe possible ISIS connections to the Orlando shooter.
Some GitHub user credentials are compromised.
In industry news, some companies are looking at M&A,
but at least two prominent ones aren't.
Patches this week close Windows' bad tunnel and Adobe Flash player vulnerabilities.
Analysts express concern over IoT security, and we take a look at car hacking.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, June 17, 2016.

The Russian government, to no one's surprise, piously denies any involvement in the DNC hack. Guccifer 2.0, the source claiming to be the lone hacker behind the year-long persistent intrusion into the Democratic National Committee's networks, releases more documents. In this case, the files are by name and by amount donor information, which contradicts DNC Chair Wasserman Schultz's assurances that no financial data were lost. CrowdStrike stands by its attribution of the hack to Russian intelligence services. The company's co-founder and CTO Dmitri Alperovitch suggests the possibility that Guccifer 2.0 is a disinforming catfish put forward to deflect suspicion from Russia's FSB and GRU, Cozy Bear and Fancy Bear. Ars Technica and others point out circumstantial evidence that the hacker was at least Russian-speaking: the use of a characteristically Russian form of a smiley emoji, the Cyrillic text noting broken links, which suggests that doxed PDFs were converted on a Russian-language machine, and, interestingly, the name Felix Edmundovich, left by the last editor in document metadata. Felix Edmundovich is the name of Lenin's principal enforcer, and about as closely associated with Soviet-era secret police as J. Edgar would be with the Cold War FBI. Not to imply any moral equivalence between the two, but you see the point. The choice of the pseudonym argues, circumstantially, that someone working on the documents has a nostalgic urge to be back in the USSR. In any case, circumstantial.

Moving beyond the circumstantial to the realm of theoretical speculation, Edward Snowden thinks the DNC hack shows someone wants to show they have the ability to manipulate elections. Maybe. And Donald Trump says it's possible the DNC may have hacked itself. Few takers so far on this one.
The FBI cautions that it's found no link between Orlando shooter Mateen and ISIS, by which they mean no command and control, since Mateen said plenty online about loyalty to ISIS. A study of ISIS sympathizers on Twitter reports predictable social media behavior prior to attacks. The researchers from the University of Miami and Harvard University also suggest it's possible to identify and track ad hoc web groups, aggregates, as opposed to individuals. Tracking aggregates may prove a more tractable challenge than following individuals, the difference between hundreds and hundreds of thousands of social media actors. Such aggregate tracking in cyberspace might develop indicators and warnings of physical attacks.

In developing threat intelligence on cyberattacks, attack traffic itself provides indicators and warnings of imminent or ongoing campaigns. Such traffic can be collected in honeypots or as live data. We spoke to Dale Drew from our research partners at Level 3 about the difference between these sources of information. We'll hear from him after the break.
GitHub has sustained and is recovering from a password-guessing attack. GitHub itself wasn't compromised, but many user accounts were. It seems likely the account holders were for the most part victims of earlier breaches from services like MySpace, Tumblr, and LinkedIn. GitHub is notifying affected users and advising everyone to move to two-factor authentication.

This week has seen continuing reaction, mostly positive, to Symantec's acquisition of privately held Blue Coat. Blue Coat's CEO is expected to move up to leadership of Symantec, and the acquisition is regarded as a move toward repositioning Symantec away from some of its legacy products and into emerging security technologies. Some analysts see the move foreshadowing more competition between Symantec and IBM. FireEye still isn't for sale, and news that it turned down suitors, news that was broken by Bloomberg earlier this week, seems to have given the company's share prices a boost. FireEye had retained the services of Morgan Stanley to field inquiries and assess interest, according to Bloomberg, but decided against taking any offers it received.

Tanium isn't for sale either. Rumors to the contrary, the unicorn says it's not interested in being acquired.
And I'm joined once again by Dale Drew.
He's the Chief Security Officer at Level 3 Communications. Dale, there's been a lot of talk about the difference between analyzing honeypots versus analyzing live data. What's the advantage of either of those approaches?

You know, we believe that honeypot data and live data are both critically important, and they're important for very different reasons. You know, now, a honeypot is basically, if you want to catch a bear, you put out a pot of honey, and then you watch the bear go to that pot of honey. And that's essentially what a honeypot is. It's a system that is specifically and solely designed to attract a bad guy and have that bad guy break into it and then watch what the bad guy does. And so honeypots provide a pretty significant advantage. You know, you have the ability of capturing everything the bad guy does as they're trying to break into the system and once they've broken into the system and then what they're searching for when they're on the system. So there's a pretty wide variety of honeypot capabilities to respond to each of those sort of notions. Remote access, local access, and even content analysis. So we think honeypots provide a pretty significant advantage in getting the context of what a bad guy is doing and how they're doing it.

But the live data is also pretty important. And one of the advantages that you have as a network provider is that you've got a view of the entire neighborhood. So you don't have to, the disadvantage of honeypots is that you have to wait to be a victim. You have to wait to be compromised to know when a bad guy is after you. If you already know where the bad guy is, using live network data allows you to see that bad guy access customers or access the network before they even hit a honeypot. And so when we stop network traffic, when we stop the bad guys, we're able to see that bad guy move and manipulate and try to regain access back to the network live without having to wait for a honeypot to be compromised.

Is there any sense that the bad guys are getting a better notion of when? Are they detecting the honeypots better? Are they able to know when they're being lured into one?

Yeah, I would say honeypot technology is a very vicious cat-and-mouse game. Bad guys will specifically be looking for honeypot technology and honeypot behavior. And a lot of malware is designed to either not operate at all or to operate differently when it detects a honeypot. Same thing with a wide variety of detection technologies. It's always sort of a cat-and-mouse game of the bad guy trying to get around that sort of security detection technology so they can be more focused on getting access to the victim.

All right, Dale Drew, thanks for joining us.
Looking back, this was, of course, June's big week for patching. Microsoft published its customary Patch Tuesday fixes, the most interesting of which addressed a widespread network traffic hijacking vulnerability that's going by the name of Bad Tunnel. Bad Tunnel can be exploited through all versions of Microsoft Office, Edge, Internet Explorer, and some third-party Windows apps. Tencent's Xuanwu Lab in Beijing, which discovered the flaw, describes Bad Tunnel as affording a way to spoof NetBIOS across networks. Adobe issued its promised Flash Player patch for Windows, Macintosh, Linux, and Chrome OS late Thursday. The zero-day it fixes is being exploited in the wild, especially in an espionage campaign by the ScarCruft APT group.

Internet of Things concerns touched at least three areas this week. Booz Allen Hamilton published an extensive report on industrial control system security. Booz notes the familiar array of threat actors interested in ICS attacks: nation-states, criminals, hacktivists, and insiders. The report sees the barriers to entry dropping as ICS attack tools show the same movement toward widespread availability and commoditization visible in other criminal sectors. And a senior NSA leader's public musing about the intelligence that could be garnered from connected medical devices excited widespread, often slightly paranoid comment.

As our cars become more connected and as self-driving systems are under advanced development in many places around the world, many wonder about the future of automotive cybersecurity. We'll go that speculation one better. Today we talk about the present of automotive security with Craig Smith, founder of Open Garages and an expert on hacking cars.
In the beginning, you know, we had vehicles that are all mechanical. The nice thing about that, of course, is that when you bought a vehicle, you pretty much have got the bill of materials with the vehicle. It's made it easy to work on it and tinker and all that good stuff. And eventually we started getting these electronic components put in. But eventually the boxes had to talk to each other, and then the discrete logic chips actually, microcontrollers, which is running firmware, and the complexity grew as we started switching to a network-based model. So we weren't quite to the area of having cyber risk yet. You didn't really run into a real threat, I guess, a real threat until we started adding more and more connectivity. You know, it started pretty small, you know, some digital radio stuff, you know, XM satellite, those kinds of things. But now they've gotten to the point where most of the communication that, you know, external are things that most people recognize from a normal network or normal laptop, such as wireless access points and Bluetooth and cellular uplink. And things like the cellular uplink is a great example where you've gone from a closed system to one that's now reachable from anywhere in the world.

Smith says it's only in the last few years that automotive manufacturers have started to put significant resources into the cyber-related security of their products.

They are doing threat modeling. You know, they are looking at the architecture from a security perspective, which is great. It does take a long time, you know, in an automotive production world to kind of see the fruit of the labor. Typically, if you buy a car today, that car was designed five years ago. So there's a lot of challenges there. And without an over-the-air update system, those vehicles also pretty much just stay the way they are for the next 10-plus years on the road. And as you know from the software world, making a piece of software that doesn't need a fix of any type in 10 years is kind of unheard of.
There's a good bit of media attention about hackers remotely accessing cars while they're on the road and taking control of them. But Craig Smith says that for now, that's not the kind of attacks they're seeing.

What we're seeing as far as the malicious users right now, they're really just taking cars. They're not doing anything more complex than that yet. Once the threshold for stealing a car electronically becomes easier than just smashing a window, you go that route. What we're seeing, at least from the electronic side, is we're seeing things that attack the key fob system. Things that will basically amplify a signal of your passive key entry system. So the ones where you walk up to the car and the car unlocks for you. And so what they'll do is they'll amplify the signals of the vehicle to make it seem like you're closer to the car than you are. So if you park near your house or something of that nature, they can get the car to unlock. They won't be able to easily drive the car away. It's a pretty easy one. You can build an amplifier for like 40 bucks. So again, the technical threshold has dropped to a point where it's pretty easy to build one of these things, throw it in a backpack, and walk up and down a street.

Like any rapidly evolving attack surface, Smith expects to see exploits evolving too.

So I think what you're going to probably see as we get more of a traditional hacker, malicious element into automotive is you're probably going to see things such as data harvesting. You know, you're going to try and locate things such as like undercover squad cars. It's worth a lot of money. Listening in on the microphone inside of vehicles, especially for high-profile vehicles, limo services, things of that nature. Those are worth a lot. And then, hopefully not, but you could even see things like ransomware and stuff of that nature. I think, regardless, we're going to see that kind of stuff before we start seeing people trying to hurt other people with it. It's possible, of course. I would demonstrate that it's possible. But, you know, you kind of have to be a little bit messed up to decide that that's a normal thing to do, isn't defacing a website.
We're already seeing cars that assist their drivers, and as self-driving cars develop, Smith sees interesting challenges and opportunities for passenger safety.

NIST has said in 2018 that, you know, we basically need vehicles that can, you know, sense if a car is in front of them and automatically apply the brakes. All right, so that is a vehicle who will override the human. The humans that are saying, I want to give it gas. The car decides, no, I'm not going to give it gas. As a matter of fact, I'm going to do the opposite of what you just said. I'm going to apply the brakes. All right, so that's the car overriding a human. Simple system. Self-driving cars have a much larger attack surface, but they're designed differently. And we have cases like in California where judges are saying, okay, we need a steering column inside of the self-driving car so humans can override the car. You can't have both. So as we're moving forward, we can't have humans overriding cars while the cars are overriding humans. We have to decide which one we decide is safer and go with it. I prefer, even though it's a higher attack surface, the self-driving cars because when they don't have the luxury of relying on a human to blame for mistakes, they have to do a lot of self-check. So they don't trust their own sensors. And this is a key piece. And so we have a bunch of different types of sensors to determine, you know, if what's in front of them is a pile of leaves or, you know, a dog laying on the road. You can't just go and say, well, that human should have taken over. They have to use their different sensors to determine it. And having an internal network that doesn't trust the output of its own sensors, it has to have a consensus, is way better. So even though there's a lot more attack surface in self-driving, we're looking at a better starting point. So it's very interesting, because you wouldn't naturally think that's the case.
There are also interesting intellectual property implications as automotive systems come to rely on crypto for updates and security.

As we have this kind of newfound automotive manufacturers' interest of, you know, stepping up the security and kind of getting closer to modern-day security, we're going to move to over-the-air updates, which is going to be like a PKI kind of system. You know, it's going to use public key crypto. So, you know, if you push an update over the air, then you know it's from the manufacturer, which is great. You should totally do that. But there's an additional challenge if we go to that type of system in that we could potentially lock out mom-and-pop shops and individual car owners from doing any kind of firmware changes or integration with the existing component. Because with a public key infrastructure type system, you would need a key. And unless they're going to do some significant key management, we could really get down to a point where even though you paid a bunch of money for your Tesla, you may not really own it because you can't make any changes to it. And actually, the reason I'm bringing it up is I see people in the security community make this mistake more than I see the automotive community making this mistake. Automotive community kind of gets the right to repair and right to tinker. Security people are like, lock everything down. Only you get the key. We did a good job. Let's go home. And that's not how it's going to work with cars. You have to do the hard step. And make it so, yes, you can remotely update firmware, but we need a way for consumers to be able to say, nah, I know what I'm doing. I want to make these changes, or maybe I want to invent something new, or whatever it is. I paid for this car to make modifications, and it's my car. How do I do that? And we have to solve that problem.

That's Craig Smith, the founder of Open Garages.
We've really got to get Tesla as a sponsor.

And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.