CyberWire Daily - Daily & Week in Review: FBI has "high confidence" Russians hacked DNC. Olympic hacks, cyber vigilantes, criminal markets.
Episode Date: August 12, 2016. In today's podcast we learn that the US Intelligence Community discovered the DNC hack sometime last year—much earlier than its public disclosure this Spring. We hear about threats to critical infrastructure, and we follow developments in the cyber criminal markets—ransomware's getting mighty picky, if you ask us. We hear about ISIS's appeal to disaffected petty criminals. The Olympics see both cybercrime and patriotic hacktivism. Quintessence Labs' John Leiseboer discusses redundancy and replication of data, and we interview Robert M. Lee from Dragos Security about ICS SCADA security, and preparing for cyber security jobs. And, of course, we hear more about how Pokémon-GO is driving security people quite nuts. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The DNC hack was discovered by the U.S. intelligence community last year.
The FBI has high confidence Russian services were behind it.
Concerns about election
and other infrastructure hacking rise. More point-of-sale systems are compromised by the
Carbanak gang. Cyber criminals offer a new financial malware kit and ransomware gets
picky over whom it hits. The cybersecurity labor market is complex, but talent remains in demand.
The Olympics see both cybercrime and patriotic hacktivism. How safe are ICS and SCADA systems?
Industry expert Robert M. Lee weighs in.
And Pokemon gets kicked out of the Pentagon.
We think they all went to Crystal City.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, August 12, 2016.
Sources close to the investigation of the Democratic National Committee hack and related intrusions into the U.S. political party's networks
say the FBI has high confidence that the Russian government is behind the incidents.
The investigation has been going on for longer than the DNC's been aware it was hacked.
Reuters reports that U.S. intelligence officials told the congressional Gang of Eight about the espionage last year.
They said back then it was a spear phishing attack,
which still seems likely enough.
The slow disclosures coming from the investigation
are prompting two reflections from observers.
First, this comes mostly from the security industry.
There seems to be a lot of interest in influencing the U.S. elections,
whether by hacking or by more widespread information operations.
Second, and this comes mostly from the foreign policy establishment,
this can't be good news for Russian-American relations.
Forbes reports that the same cyber gang who hit Oracle's Micros point-of-sale system
has also been discovered in compromises of five
other cash register vendors, Cin7, ECRS, Navy Zebra, Par Technology, and Uniwell. It's thought
that the gang is Russian, the same operators behind Carbanak, and that more than a million
point-of-sale devices are affected. Several new developments in the criminal economy are worth
noting. Bleeping Computer and Malwarebytes are tracking an evolution of the familiar tech support scam.
You know the kind. Someone calls you and tells you they're usually from Microsoft tech support,
that your computer's been infected with a virus and that they need to take control of your machine to clean it up.
In this case, you're the one who does the calling. A screen comes up that emulates a Windows
activation screen, then persistently nags you to call and pay for your activation key. So far,
rebooting seems to get rid of them, but they may get better. Malwarebytes can detect and clean the
infestation. Heimdal Security reports on a crook-to-crook vendor going by the name Others.
It's not clear whether Others is one or many.
Others is, or are, selling what he, she, or they
are billing as the next GameOver Zeus.
It's a financial crime kit called Silex,
and it can be purchased for $7,500.
And Kaspersky describes a new version of the Shade ransomware,
also known as Troldesh,
that comes bundled with a rat, a remote-access Trojan.
So far, Shade has mostly affected businesses in Russia and the near abroad,
that is, the former Soviet states.
The rat is the new wrinkle.
It's apparently there to help the criminals confirm that the infected business is solvent
before they expend too much effort in holding files for ransom.
There's no margin in blackmailing bankrupts.
Looking back on the week that's now coming to an end, we've seen some market turbulence
in the cybersecurity sector and even some layoffs, notably the 400 jobs FireEye cut.
We should note two things here.
First, a lot of talented people were caught up in the FireEye layoffs, and given the notorious
shortage of skilled workers in the sector, we trust they'll be given a look.
Second, there are a lot of jobs to be filled, so if you're looking for a position in the industry, you're probably going to find yourself in a seller's market.
Later in the show, we'll hear from Robert M. Lee, CEO of Dragos Security.
He has some advice for transitioning military personnel interested in a cybersecurity career.
Concerns about the leak from Microsoft of the secure boot Golden Key persist.
The Cyber Wire heard from Ray Rothrock, CEO of RedSeal,
a company that specializes in cybersecurity resilience.
Rothrock noted that Microsoft is working on a third patch for the issue,
and he advised,
quote,
Every network administrator and every Windows device owner should not only apply all three patches,
but also run analytics to see if their networks and devices have already been compromised,
and if so, how vulnerable the high-value assets on their networks,
business plans, customer information, credit card numbers, financial reports, are to being hacked,
end quote.
The secure boot issue, he says, makes every Windows device on your network a potential
avenue of compromise.
ISIS and its information operations remain a matter of perennial concern.
Studies describe how the terrorist group's promise of meaning and transcendence transform
petty criminals, particularly disaffected men in
the Dar al-Harb, into willing fighters. And some close to the hacking world think Anonymous might
do well to eavesdrop on ISIS networks as opposed to shutting them down through DDoS attacks.
That may prove a hard sell. DDoS is relatively easy and gives immediate gratification.
Eavesdropping is slower and, at least for Anonymous adherents, smacks too much of snitching. The Olympics are in the home stretch. Cyber
criminals in Brazil have made their mark. Strategic Cyber Ventures' Tom Kellermann told NBC News it's
the equivalent of an industrial revolution in Brazil with respect to cyber capabilities.
Terbium tells the Cyber Wire they've seen considerable criminal chatter and traffic
related to the Olympics on the dark web this week, and incidentally some early evidence
of what might be a new Yahoo breach.
We'll follow up as we learn more.
Anonymous had earlier protested the Olympics with attacks on some Brazilian government
sites, but the latest hacktivist operation comes out of China.
Swimming Australia's site was
subjected to a denial-of-service attack after Australian medalist Mack Horton dismissed his
Chinese rival Sun Yang as a doper and a cheater. This seems, most observers think, to be a genuine
cyber-riot by patriotic Chinese hacktivists, and probably not the work of the People's Liberation
Army. Finally, will someone stop the Pokemon Go madness?
Earlier this week, MI6 had to tell the 00s not to chase Pokemon inside the service's headquarters.
Now it's the U.S. Department of Defense making the Pentagon off-limits to Pokemon.
So troops, at ease. Keep your noses clean and your hands off the Pikachu.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And I'm joined once again by John Leiseboer.
He's the CTO at Quintessence Labs.
John, when it comes to security, there are issues with redundancy and replication, things to consider with those.
What can you tell us about that?
To many people, security means confidentiality, authentication, and non-repudiation.
We immediately start thinking about cryptographic algorithms, things like AES, RSA, elliptic curves, and we perhaps also think about protocols like IPsec
and SSL. But security also means availability of information. It means protecting against loss
of information. And this means that we need to consider backup, redundancy, and replication
of that information. This is especially important with key management systems.
It's easy to see that if I have a disk full of information encrypted with a single key,
and if I lose that key, I've also lost that disk full of information.
Even if the encrypted information itself has been backed up, the key is lost or damaged
in the original data, and all the backups are also lost.
So is this simply a matter of regular backups,
or is there more to it than that?
Well, it's important to backup information
and, when building, deploying, or selecting a key management system,
to ensure that there's sufficient redundancy in place
to maintain system availability,
both normal operations and also for replication backup purposes.
Imagine I have two key management nodes that are deployed, each backing each other up.
When a new key is generated on one node, it'll be replicated to the other node, ensuring
there's always at least one backup copy of the key.
Now consider that there are two different modes of replication, what I'd call asynchronous and synchronous modes.
If a client requests the server to create a key
and the server returns the key to the client
before copying it to the backup server,
this is called asynchronous replication.
It's fast.
The client doesn't have to wait for the key to be copied,
but it has a fatal failure mode.
If the key replication process fails for any reason,
and it could be like a network going down
or the backup node is offline
or even the node that created the key originally
has been taken offline for maintenance, or it breaks,
then if the original node loses or corrupts that key,
there's no backup.
So we've potentially lost the information on the client.
The other mode of replication,
as opposed to asynchronous, is synchronous mode. In this mode, the server that creates the key waits until the key has
been safely replicated to the backup node before providing the key to the client. This
guarantees that there will always be at least one copy of the key. It's a much safer mode
of operation, but it introduces latency into delivering the key to the client.
So we have this tradeoff between latency and safety of the key.
All right, always things to balance.
John Leiseboer, thanks for joining us.
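The asynchronous and synchronous replication modes John Leiseboer describes, as an added example that is not part of the episode and not QuintessenceLabs' software: a small Python simulation of two constructed key-management nodes. The names (KeyNode, create_key_async, create_key_sync, recover) are assumed here for illustration. It walks the fatal failure mode of asynchronous mode (the backup is down, replication silently fails, the primary later corrupts its only copy, and the client's data is unrecoverable) and shows how synchronous mode instead refuses to hand out a key that exists in only one place.

```python
import secrets


class ReplicationError(Exception):
    """Backup node could not accept a copy of the key (network down, node offline, ...)."""


class KeyNode:
    """A key-management node holding key material in memory (constructed toy, not a real KMS)."""

    def __init__(self, name, online=True):
        self.name = name
        self.online = online
        self.keys = {}

    def generate(self):
        key_id = secrets.token_hex(4)
        key = secrets.token_bytes(32)  # e.g. an AES-256 key
        self.keys[key_id] = key
        return key_id, key

    def store(self, key_id, key):
        if not self.online:
            raise ReplicationError(f"{self.name} is offline")
        self.keys[key_id] = key

    def lose(self, key_id):
        """Simulate corruption or loss of this node's copy of a key."""
        self.keys.pop(key_id, None)


def create_key_async(primary, pending):
    """Asynchronous mode: return the key to the client now, replicate later."""
    key_id, key = primary.generate()
    pending.append((key_id, key))
    return key_id, key


def replicate_pending(pending, backup):
    """Background replication job; returns the ids whose copy never reached the backup."""
    failed = []
    for key_id, key in pending:
        try:
            backup.store(key_id, key)
        except ReplicationError:
            failed.append(key_id)
    pending.clear()
    return failed


def create_key_sync(primary, backup):
    """Synchronous mode: the client waits until the backup holds a copy (extra latency)."""
    key_id, key = primary.generate()
    try:
        backup.store(key_id, key)
    except ReplicationError:
        primary.lose(key_id)  # roll back so a single-copy key is never handed out
        raise
    return key_id, key


def recover(key_id, *nodes):
    """Look the key up on every node; None means the data it protects is gone."""
    for node in nodes:
        if key_id in node.keys:
            return node.keys[key_id]
    return None


def async_scenario():
    primary, backup = KeyNode("primary"), KeyNode("backup", online=False)
    pending = []
    key_id, _ = create_key_async(primary, pending)  # client encrypts data with it right away
    failed = replicate_pending(pending, backup)     # backup was down: the copy never lands
    primary.lose(key_id)                            # later, the primary corrupts its only copy
    return {"client_got_key": True, "replication_failed": key_id in failed,
            "recoverable": recover(key_id, primary, backup) is not None}


def sync_scenario(backup_online):
    primary, backup = KeyNode("primary"), KeyNode("backup", online=backup_online)
    try:
        key_id, _ = create_key_sync(primary, backup)
    except ReplicationError:
        # The client gets an error instead of a key; nothing was encrypted under a lone copy.
        return {"client_got_key": False, "recoverable": False}
    primary.lose(key_id)
    return {"client_got_key": True, "recoverable": recover(key_id, primary, backup) is not None}


if __name__ == "__main__":
    print("async, backup down:", async_scenario())
    print("sync, backup down: ", sync_scenario(backup_online=False))
    print("sync, backup up:   ", sync_scenario(backup_online=True))
```

The trade-off in the interview is visible in the two create functions: the synchronous one blocks on `backup.store` and can fail the request, while the asynchronous one returns immediately and can only report the failure afterwards, by which point the client may already depend on the key.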
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more dot IO.
My guest today is Robert M. Lee. He's the CEO and founder of the critical infrastructure
cybersecurity company, Dragos Security. Prior to that, he spent time in the U.S. Air Force
and the intelligence community. I asked him to give us some background on ICS SCADA systems.
Industrial control systems have been around for decades.
Control systems themselves have been around since Egyptian times.
And they've always had the focus of controlling some physical component.
Automating part of the world has been our big push, industrial automation.
The intent was never to plug these
things up to the internet, to be pulling off data into large databases for business purposes.
They were supposed to be segmented systems. So security was an afterthought. You couldn't
actually reach the system if they were all segmented. You didn't really care about the
security of the software. But business demands
have changed over time. And as companies try to get more efficient and try to return more value
to the stockholders and the company executives, there's a push to get more and more data out of
these environments. And so from your point of view, where are the areas of most concern?
So from an industry perspective, the ones that always get the most amount of
attention are things like the power grid, which I think obviously is very important. We don't want
folks messing around the power grid. But there are other industries that just don't have the
same level of national focus, but are also extremely important. Like water industry,
as an example. If you go to an energy control center that controls a portion
of the US power grid, you'll find that they're doing a pretty good job. We definitely need to
take security more seriously. We need to increase the budgets and work harder at it. But overall,
they've really been raising the bar over the years. Go to your average water utility,
though. They just don't have the budgets and folks to do that. So from an industry perspective, I would just say that we're very lopsided. We start seeing a lot of different places that are
using control systems that as industries go, haven't been as secured as some.
What are the take-homes for you? What are the things that you think it's most important for
people to know when it comes to this stuff? A couple of key things.
Number one, we most certainly need more people in the industry.
There's different classes out there.
There's plenty of resources online.
You can do it for free.
There's, you know, buy some eBay equipment.
There's tons of ways to get in this community
and to do it responsibly without any sort of hype or false resumes.
Number two, we need more visibility in these environments,
both with the people to start figuring out what kind of threats are we actually up against and what's the potential impact.
We don't just need to put more boxes on the network.
We need more trained people who will then effectively choose the right solutions
or come up with better solutions.
And then number three is sort of a big takeaway from me is a lot of this is
undefined. And from a political perspective, we really need to start getting some definitions
and common terminology and some frameworks around this. The government's constantly talking about
critical infrastructure security, but its role is not to deploy National Guard troops into power stations and infrastructure
sites. Its role is not to send taxpayer-owned teams to do free assessments. That's the place
of private industry. Its role is to do things around policy and opening up the pathways for
these companies to be more protected. These environments have big consequences and there are real threats out
there, but they are also the most defensible environments in the world. When you talk about
an energy control station or a substation or a transmission site, you're talking 10, 15,
maybe 100 at max IP connected devices. And your little control system shouldn't be updating its
Facebook status or going
to LinkedIn. So these are networks that are easily patternable. They're smaller, they're more static.
The difficulty is data collection. But once you actually get the data,
these are environments that you can look through pretty quickly. And the adversary has so much more
work to do. It's not about identifying a vulnerability and getting access.
It's about knowing what to do once you're there.
It's physical engineering, not just cyber stuff.
And so, again, in my opinion,
the adversary has to do more
and the defenders have traditionally
a technically easier job,
even though there's definitely difficulties involved.
So I would say we've got issues.
We need more people,
but these environments are
defensible. And one day, I think defense is most certainly going to succeed in this area.
I wanted to address this job shortage that we have in the industry right now,
and come at that from a couple of different angles. I mean, your experience in the military,
what would your advice be for someone coming out of the military who's looking to explore a career in cyber?
So I think the first thing to do when leaving any job, especially the military, is to not rest on your past experience, to realize that you're going to be hitting a completely new area, a new field.
And no matter if you were the smartest expert on your old team, maybe you just had a team of folks that weren't
necessarily top quality. And I don't want to put anybody down, but I see this where the smartest
guy in the room leaves the room and realizes that it wasn't a really good test of their skills.
So I think it's very important to be humble. I think it's very important to be passionate
and come at the problem very thirsty for knowledge. And I also wouldn't jump into a
bunch of paid classes. I teach at SANS. I think very highly of the SANS classes.
But the right approach, in my opinion, is to first start off with a free education.
There's so many resources online, YouTube videos, research papers, etc. And if you're not willing
to sit down and teach yourself something, you're probably
also not going to really excel in this industry that's sort of fast moving. Once you get a basis
of doing that, then you seek the paid classes, then you seek the professionals. And so you can
really take advantage of that time, instead of trying to figure yourself out while taking a
couple thousand dollar risk. That's Robert M. Lee. He's the CEO and founder of Dragos Security.
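Lee's point that control networks are small, static and "easily patternable" is, from the defender's side, a baselining problem. As an added example that is not part of the interview and not Dragos' tooling: a Python script that learns the set of conversations (source, destination, port) seen on a constructed substation network during a known-good window, then audits a later window and flags flows that involve an uninventoried device, an address outside the control and DMZ ranges, or a conversation absent from the baseline. The addresses, device inventory, CSV flow records and ALLOWED_NETS are all constructed placeholders.

```python
import csv
import io
import ipaddress

# Constructed inventory of a small substation network (placeholder addresses).
INVENTORY = {
    "10.20.0.10": "HMI",
    "10.20.0.11": "historian",
    "10.20.0.21": "RTU-1",
    "10.20.0.22": "RTU-2",
}
# Ranges a device here may legitimately talk to: the control LAN and an assumed DMZ.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.20.1.0/24")]
CONTROL_NET = ALLOWED_NETS[0]

# Constructed flow records: a known-good learning window, then a later window to audit.
BASELINE_LOG = """\
src,dst,dport
10.20.0.10,10.20.0.21,502
10.20.0.10,10.20.0.22,502
10.20.0.11,10.20.0.10,1433
"""
AUDIT_LOG = """\
src,dst,dport
10.20.0.10,10.20.0.21,502
10.20.0.21,203.0.113.5,443
10.20.0.99,10.20.0.22,502
"""


def parse_flows(text):
    """Parse CSV flow records into (src, dst, dport) tuples."""
    return [(row["src"], row["dst"], int(row["dport"]))
            for row in csv.DictReader(io.StringIO(text))]


def learn_baseline(flows):
    """On a static network the baseline is just the set of conversations seen while known-good."""
    return set(flows)


def check_flow(flow, baseline):
    """Return a list of findings for one flow; an empty list means it fits the pattern."""
    src, dst, dport = flow
    findings = []
    for addr in (src, dst):
        ip = ipaddress.ip_address(addr)
        if ip in CONTROL_NET and addr not in INVENTORY:
            findings.append(f"uninventoried device {addr} on control network")
        if not any(ip in net for net in ALLOWED_NETS):
            findings.append(f"{addr} is outside the control/DMZ ranges")
    if flow not in baseline:
        findings.append(f"conversation {src}->{dst}:{dport} not in baseline")
    return findings


def audit(text, baseline):
    """Map every flow in the audited window to its findings."""
    return {flow: check_flow(flow, baseline) for flow in parse_flows(text)}


if __name__ == "__main__":
    base = learn_baseline(parse_flows(BASELINE_LOG))
    for flow, findings in audit(AUDIT_LOG, base).items():
        print(flow, "OK" if not findings else findings)
```

The learning step is deliberately naive: it trusts everything seen in the baseline window, so that window has to be one the operators have actually vetted. The three checks are independent, which is why a single flow (the RTU reaching an address outside the ranges) produces two findings.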
And that's the Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI
and data products platform
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.