CyberWire Daily - Daily & Week in Review: Hulk smash. Pokemon smish. And more on the Shadow Brokers.
Episode Date: August 19, 2016

In today's podcast, we hear about emails flooding dot gov in-boxes. A re-tooled version of Locky ransomware is out in the wild. As we look back at the week, the big news surrounds the Shadow Brokers' ...data dump and implausible auction—they seem to have some genuine NSA goods. The brokers themselves are thought to be either Russian spies or rogue insiders, or some mix of both. Worries about US election hacking rise. More companies are concerned about insider threats. The University of Maryland's Jonathan Katz explains how to reverse engineer encryption, and Chris Fogle from Delta Risk tells us how board members can prepare for cyber challenges. And, yes, there's another Pokémon-GO hack.
Transcript
You're listening to the CyberWire Network, powered by N2K.
A re-tooled version of Locky ransomware is out in the wild. The Shadow Brokers seem to have some NSA goods.
The brokers themselves are thought to be either Russian spies or rogue insiders, or some mix of
both. Worries about U.S. election hacking rise. More companies are concerned about insider threats.
We'll chat with Chris Fogle from Delta Risk about security concerns and responsibilities
for members of the boardroom and C-suite. And then, yes, there's another Pokémon Go hack.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, August 19, 2016.
Breaking overnight was a story about a flood of emails clogging the inboxes of people with .gov addresses. According to some observers, the emails, mostly newsletters the recipients didn't sign up for,
amount to a denial-of-service operation.
The problem is beginning to manifest itself outside the .gov domain.
Brian Krebs, who's been reporting on the incident,
says he himself has been getting newsletters he'd rather do without.
FireEye reports that a new, freshly retooled Locky ransomware variant is out in the wild.
The vectors are macro-enabled Office 2007 Word documents.
Healthcare organizations are again being hit hardest, and both sides of the Pacific are affected.
Infestations have been reported in the United States, Japan, Korea, and Thailand.
This week's big news, of course, is the apparent compromise of sensitive NSA files.
Consensus is that the material leaked by the shadow brokers is genuine.
The files they've released are ostensibly a teaser in a half-billion-dollar online auction
for even more interesting stuff the shadow brokers claim to have in their possession.
But this seems implausible. The auction
isn't really set up in such a way as to inspire confidence among the bidders, and in any case,
half a billion and change is a bit steep, even for "wealthy elites," as the Shadow Brokers are
calling their ideal customers. Kaspersky thinks the encryption implementation in the files is
sufficiently unusual to tie them to the Equation Group,
a threat actor Kaspersky hasn't identified, but which is widely believed to be an NSA operation.
Other evidence suggesting the leak is genuine includes zero days for firewalls and other security products.
Cisco and Fortinet have confirmed that the zero days in the leak are genuine, and they've already issued patches.
Juniper Networks is evaluating the purported zero days in its own products,
and observers think those will turn out to be real as well.
So, with cases like this, spectators always want to know whodunit.
The preeminent suspects in this case are Russian intelligence services.
A lot of people, including, oddly enough, Edward Snowden, think the Russians were behind the leaks.
Snowden's speculation, shared over Twitter and seconded by others,
is that the Russian services may have accessed files inadvertently left behind on an Equation Group staging server.
The timing of the incident also seems suspect,
coming as it does on the heels of Russian incursions into the U.S. Democratic National Committee and other political targets.
It's worth noting that the later stages of those incursions became noisy and relatively obvious,
as if being detected might serve the attackers' purposes.
Publication of the files may be intended to dissuade U.S. retaliation for the DNC hack.
Passcode quotes Immunity's CTO Dave Aitel to this effect:
"We talk a lot about cyber deterrence. This is what it looks like."
This incident, following as it does compromises at the DNC, the DCCC, and the Clinton Foundation,
and prominent Republicans' accounts, has increased fears that the upcoming U.S. elections are vulnerable to disruption or manipulation.
But a lot of other people think those responsible were disgruntled insiders
who walked out with the files on a USB drive, the way Snowden walked out with his leaks.
There is material on the files released so far that observers think unlikely
to have been found exposed on a staging server, or indeed anywhere else susceptible to hacking.
This, they say, suggests an insider.
And of course, a disgruntled
or compromised insider could have worked with Russian intelligence, so the two hypotheses
aren't mutually incompatible. Insider threats cropped up elsewhere this week. An employee of
Sage, the accounting and business software provider, was arrested at London's Heathrow
Airport Wednesday in connection with a large data breach affecting between 200 and 300 Sage customers in the UK. The breach was accomplished by abuse of insider credentials.
Recent studies suggest that companies are uneasy with respect to their ability to detect and
protect themselves from insider threats. Matthew Ravden, CMO at Balabit, commented to the CyberWire
on trends in insider threats: "The problem with insider breaches is that so many of the preventative technologies
that companies have spent millions on are powerless to detect malicious activity once
the user has been authenticated."
He sees enterprises reposing too much faith in password management systems and notes that
once privileged users log on, they've too often got unrestricted access to sensitive data.
"Privileged users pose a serious threat to every company, and passwords just aren't effective."
He pointed to a recent survey by SailPoint that found one in five employees saying they'd be willing to sell their work passwords,
some for as little as $150.
And of course, this week has seen more news about Pokémon Go than Ash Ketchum or any other trainer would like to see. AdaptiveMobile reported finding a
large Pokémon SMS spam campaign, and Plixer's Thomas Pore offers this commentary to the CyberWire:
"With Pokémon Go being the fastest growing game ever, until popularity severely declines, we can expect to see villains hacking various attacks.
Gamers need to be wary that with popularity comes the potential for cybercrime."
In particular, Pore sensibly warned gamers that anything that looks too good to be true is, and to be wary of phishing scams, whether they come by email or SMS.
"With recent news of Pokémon Go ransomware,
it's unlikely that attacks against the trainers will subside anytime soon."
Finally, we need to point out that whatever the evidence for Russian involvement in the Shadow Brokers incident, broken English isn't among it.
The Shadow Brokers sound far more like a screenwriter's lazy idea of a Hollywood foreigner
than they do any known version of non-native English speaker.
Our linguistic staff called it more Hekawi than Fancy Bear,
but we have heard from a listener, JB we'll call her,
who pointed out that the Shadow Brokers sound a lot like the Incredible Hulk,
although of course a lot more verbose than the ever-loving Hulk ever was.
Our linguistic staff has been doing some thinking,
and they think JB may actually be Natalia Romanova,
a.k.a. the Black Widow.
Who else would be so quick to recognize the voice of the Hulk,
and say, Russian too?
And I'm joined by Jonathan Katz. He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center.
Jonathan, I remember when I was a kid, there was a boy who lived across the street from me, and we used to send each other encrypted messages for fun. We would come up with some simple way to encode a simple phrase, and part of the fun was trying to figure out how the other person encoded the message. We wouldn't make them too hard; it was just sort of a game we'd play to send messages back and forth. I was thinking about that, and it got me thinking about today, where obviously things are a lot more sophisticated. If someone presents you with something that you know has been encrypted, but you don't know the method by which it was encrypted, how do you go about trying to figure out what method was used to encrypt a pile of data?
Well, I think you can actually distinguish two general classes of encryption. The first is where people are using some encryption scheme that's been standardized and analyzed and is generally considered to be secure. The second is where the people who are communicating are using an encryption scheme that they developed on their own, that they made up. What's interesting is that in the first case, the encryption algorithms that are used nowadays are meant to be secure even if all the details of the algorithm are known. The only thing they rely on for their security is the fact that the parties are using a key that is unknown to the eavesdropper. Revealing what method you're using for encryption doesn't undermine security at all.

So if you have somebody using one of those encryption schemes, even if they tell you what they're using, it wouldn't impact security. And if they didn't tell you what they were using, you could guess from among a relatively small set of possibilities, maybe 10 or 15 different ways they might have encrypted it, and then try attacking it with all 15.

So then the interesting thing is, if somebody comes up with their own algorithm, you might think that gives them better security, because the eavesdropper wouldn't even know what method they're using. That's sort of true, but the problem is that, in general, when people develop their own encryption schemes, kind of like you and your friend, they tend to be easily breakable. Usually what you can do as an analyst or as an eavesdropper is look for patterns in the underlying data and then exploit those.
So what kinds of patterns would you be looking for?
Well, for example, a lot of encryption schemes that people come up with will have the property that when you repeat letters or words in the underlying message, you'll see repeated letters or words in the ciphertext. Modern, secure encryption schemes don't have that property, but if you think about the historical encryption schemes that would work by substituting one letter for another, or one phrase for another, those would have that property. So if you get enough encrypted text, you can start looking for repeating blocks of letters and then try to use that to figure out what the parties are communicating about underneath.
All right, fun stuff. Jonathan Katz, thanks for joining us.
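The repeated-pattern weakness Katz describes can be seen directly in code. The following is an added example written for this page, not something from the podcast or from Katz: it encrypts a constructed message once with a monoalphabetic substitution cipher (a constructed key) and once with a keystream cipher, then runs the same repeated-block search over both ciphertexts. The keystream cipher is built from HMAC-SHA256 in counter mode as a stand-in for a modern cipher, chosen only because it is in the Python standard library; the key, nonce and sample message are all constructed for the demo.

```python
"""Why home-made substitution ciphers leak structure: repeated plaintext
blocks reappear as repeated ciphertext blocks, at the same distance apart.
Added example; constructed key, nonce and sample message."""
import hashlib
import hmac
from collections import defaultdict

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Constructed substitution key: a fixed permutation of the alphabet.
SUBST_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
# Constructed sample message containing a repeated phrase ("ATTACK THE").
PLAINTEXT = "ATTACK THE BRIDGE AT DAWN ATTACK THE HARBOUR AT DUSK"


def substitution_encrypt(plaintext: str, key: str = SUBST_KEY) -> str:
    """Classic monoalphabetic substitution: every letter maps to one fixed letter,
    so identical plaintext blocks always produce identical ciphertext blocks."""
    table = str.maketrans(ALPHABET, key)
    letters_only = "".join(ch for ch in plaintext.upper() if ch in ALPHABET)
    return letters_only.translate(table)


def keystream_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF (illustrative
    stand-in for a standardized cipher). Each position gets a different
    keystream byte, so repeated plaintext does not repeat in the ciphertext.
    XOR makes the same function decrypt."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def repeated_ngrams(data, n: int = 4) -> dict:
    """Map each n-gram occurring more than once to the positions where it occurs.
    Works on str or bytes. This is the 'look for repeating blocks' step."""
    positions = defaultdict(list)
    for i in range(len(data) - n + 1):
        positions[data[i:i + n]].append(i)
    return {gram: pos for gram, pos in positions.items() if len(pos) > 1}


def analyse(n: int = 4) -> dict:
    """Run the same repeat search over both ciphertexts and summarise what leaks."""
    sub_ct = substitution_encrypt(PLAINTEXT)
    sub_repeats = repeated_ngrams(sub_ct, n)
    # Distances between repeats equal the distances in the plaintext (here 21 letters),
    # which is exactly the structure an analyst starts pulling on.
    sub_distances = sorted({pos[1] - pos[0] for pos in sub_repeats.values()})

    stream_ct = keystream_encrypt(PLAINTEXT.encode(), b"constructed-demo-key", b"nonce-01")
    stream_repeats = repeated_ngrams(stream_ct, n)

    return {
        "substitution_ciphertext": sub_ct,
        "substitution_repeats": sub_repeats,
        "substitution_distances": sub_distances,
        "keystream_repeats": stream_repeats,
    }


if __name__ == "__main__":
    result = analyse()
    print("substitution ciphertext:", result["substitution_ciphertext"])
    for gram, pos in result["substitution_repeats"].items():
        print(f"  repeated block {gram} at positions {pos}")
    print("repeat distances (substitution):", result["substitution_distances"])
    print("repeated blocks (keystream cipher):", len(result["keystream_repeats"]))
```

Running it shows six repeated four-letter blocks in the substitution ciphertext, all 21 positions apart, which is precisely where "ATTACK THE" repeats in the plaintext; the keystream ciphertext shows none. The point is not that the HMAC construction is what you should deploy (use a vetted library and a standard cipher), but that "secrecy of the method" bought the substitution scheme nothing, while a per-position key did.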
My guest today is Chris Fogle, founder and executive advisor at Delta Risk,
where he has more than 20 years of experience in the diverse areas of cybersecurity,
emergency management, and contingency planning and operations.
Mr. Fogle is presenting at the upcoming Cyber Texas conference,
and his topic is Perspectives on Cybersecurity for Boards and Business Executives.
I spoke with him earlier this week.
Do you think that boards are properly or adequately educating themselves when it comes to this stuff?
I think they're making a very good effort. Just the fact that we get a lot of calls from boards, and we work with several, tells me that they're not stupid. You don't become a member of a large company's board
because you don't know what you're talking about. One of the best things that is happening in the
landscape today is that some of the details about these large data breaches are making them into
reports and case studies. Board members read this, and they can picture themselves in that,
or their companies, in that situation.
In fact, that's what we encourage through our exercise processes: you don't have to invent some really unique data breach or technical threat in order to have an effective exercise. Just go get the Wall Street Journal, any of the cyber breach case studies or news stories that are put in there, plop it down on the conference table in the boardroom and talk about it.
When people can picture their own decision-making in those cases or in those stories, and when they understand that a lot of the expense that comes from cyber attacks or data breaches is on the incident response side, meaning not being prepared, taking longer than it should have, not being able to contain it, then they start to understand that, well, we have to be a little more proactive in our spending. And if we can prevent that, then we know, based on these three or four case studies, that we'll save billions of dollars, or at least hundreds of thousands of dollars, on the response side.
I've heard it said that IT people tend to speak in terms of things like threat levels of red, yellow, and green, whereas boards want to talk in dollars and cents, and so there's that communications disconnect. But I've also heard that people have actually been shifting around some of the positions within their companies, shifting around some of the C-level people, to have people in positions to take responsibility to bridge that gap. Is that something that you've seen?
Yes, absolutely. In fact, speaking with one of the large financial institutions on Wall Street about two weeks ago, I was surprised, though it was not totally unexpected, that what they said was, "You know what I really need? I need cyber guys that understand banking." Right. So that told me right there that they were more interested in teaching their technical staffs about the business than vice versa. And again, I think that's reasonable to expect, right? The money,
the investments come from the boards, come from the C-suite decisions. So they have to be processed
in terms of the business. We are seeing that. I think it's a good thing. I like the idea of
folks being moved around. I think the only position that I might, not really cringe,
but really question is when someone becomes a CISO, a chief information security officer,
I think that person has to have a good grounding, a good basis in cybersecurity,
or they're going to be kind of ineffective leading a technical staff.
I'm curious, what would be your advice to someone who's heading into a board-level position
with a company that has to deal with a lot of cybersecurity type of issues?
What would your advice be to someone like that?
First of all, if you're looking for your immediate feedback on some investment,
focus on your incident response capabilities.
Again, that's where most of the dollars are spent when it comes to data breaches and cyber attacks. It's the
inability or the unpreparedness of a company to actually handle or contain the event. And it's
not just technical. This is how you communicate to the media. When do you make the notifications?
Do you involve your outside counsel? So I would really encourage them to
get smart on incident response and work with their leadership and staff on different types
of exercises or scenario, at least discussions. The second thing that I would tell them is
don't be typical or normal. Because right now in today's business landscape, typical or normal doesn't indicate
that you're secure or that what you're doing is adequate. So you always have to strive for
how can we do better. And that's where a lot of the challenge comes, because in order to be
better than normal, you have to spend money. And we understand that that is tough.
And then finally, I would say, just remember, done is better than perfect.
There are no perfect solutions in cybersecurity. It doesn't matter what the vendors tell you. It
doesn't matter what the consultants say. It's a continual process of understanding
where your critical assets are, what is threatening them, what your risks are,
and are you mitigating to the latest evolution of the threat.
You can look for the best return on investment numbers before you can make your investment, and the only outcome will be that you won't make the investment because it's just not possible.
So done is better than perfect.
Do something and don't be satisfied with the status quo.
That's Chris Fogle from Delta Risk.
Mr. Fogle will be presenting on this topic at the upcoming Cyber Texas conference in San Antonio, August 23rd and 24th.
We've got more information about Cyber Texas in the events section of our website, thecyberwire.com.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.