CyberWire Daily - Daily & Week in Review: US Election Assistance Commission hacked. US, Russia, swap hard words over influence operations. Ransomware updates. More on the effects of the Yahoo! breach. Autonomous vehicles approaching.
Episode Date: December 16, 2016

In today's podcast we hear about "Rasputin," a cybercriminal selling US Election Assistance Commission credentials. US investigation of Russian influence operations continues, with promises of eventual retaliation (nose-thumbing from Moscow received in response). UK and EU officials worry about Russian meddling with 2017 elections. The Yahoo! breach sinks in; some call it the "Exxon Valdez" of cyberspace. New ransomware strains and a growing ransomware sector, but help in the form of an international public-private partnership. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security discusses the National Cyber Incident Response Plan (NCIRP). We talk privacy and encryption policy with Jacob Ginsberg from EchoWorx. And we're closer to seeing robot drivers on the streets.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Rasputin, no, not that one. The hacker is trying to sell admin credentials for the U.S. Election Assistance Commission on the black market.
U.S. investigation of Russian influence operations continues, with promises of eventual retaliation.
Nose-thumbing from Moscow received in response.
U.K. and E.U. officials worry about Russian meddling with 2017 elections.
The Yahoo breach sinks in, and some call it the Exxon Valdez of cyberspace.
There are new ransomware strains in a growing ransomware sector, but help in the form of an international public-private partnership.
And we're closer to seeing robot drivers on the streets.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, December 16, 2016.
Election hacking and election influence operations, which may be connected but aren't necessarily the same thing, remain very much in the news. Security company Recorded Future reports that it's found a Russian-speaking hacker, they're calling him Rasputin, who's selling what he claims is access to compromised U.S. Election Assistance Commission networks. Recorded Future observed chatter that suggested credentials to Election Assistance Commission, or EAC, networks were for sale. Further investigation enabled them to identify the vendor as a Russian speaker who was negotiating with an unknown buyer working on behalf of an unspecified Middle Eastern government. Approximately 100 sets of account credentials were for sale, some of them apparently representing privileged administrative accounts. Such accounts could be useful for a variety of purposes. They could be used, for example, as Recorded Future points out, to install malware and establish a watering hole on a U.S. government site. Rasputin, who's been knocking around black markets for some time, is in Recorded Future's view probably a crook and not an agent of an espionage service. Over the past two years, he's been connected with financial services compromise in the Middle East, compromise of a Chinese e-tailer, and of course now with the attempted sale of EAC credentials.
The U.S. Election Assistance Commission is not a well-known agency, so some background information may be useful. The EAC is a small independent federal agency created by the Help America Vote Act of 2002. It supports the conduct of elections through a variety of largely voluntary and advisory services: testing and certifying voting equipment, maintaining the National Voter Registration Form (but not any database of voters), administering a national clearinghouse on elections to receive complaints of alleged fraud and so on, and promoting development of shared practices and other ways of improving elections. Thus, compromise of the EAC doesn't represent any real threat to the integrity of U.S. elections, but it's an embarrassment, another black eye for a way of voting that's taken more than its share of punches over the past year.

TechCrunch and others have noted that the EAC published an op-ed in the Washington Post on October 18th with a reassuring headline: "Don't Believe the Hype, Foreign Hackers Will Not Choose the Next President." It seems likely that Rasputin was rooting around in their systems, even as they wrote.
The U.S. continues investigating more official Russian influence operations mounted during the recently concluded election cycle. Officials murmur about President Putin's direct involvement, which Mr. Putin dismisses as funny nonsense. In an NPR interview yesterday, President Obama promised unspecified retaliation against Russian information operations, quote, at a time and a place of our own choosing, end quote, to which the Kremlin said, in essence, put up or shut up. NBC News reports that the administration didn't take action before the election because, first, it didn't want to appear itself to be meddling improperly in the election. Second, it didn't want to escalate cyber conflict with Russia. And finally, it thought Democratic candidate Clinton was going to win anyway, so they could, as one unnamed source put it, kick the can down the road. The U.S. intelligence community has blogged at its IC on the Record site that it doesn't intend to make anything else public until it's completed its investigation and until it's satisfied that what it has to say won't compromise intelligence sources and methods.
British and European officials are expressing concern about similar Russian meddling in their own upcoming elections. The prospect of what ThreatConnect calls faketivism, false flags and covert information operations, is particularly troubling to them.
The magnitude of the Yahoo breach continues to sink in, and security industry observers express displeasure over both weak crypto practices and slow breach disclosure. The company's stock price has seen sharp declines as investors lose confidence that Verizon's acquisition of Yahoo's core assets will actually go through. Chris Pogue, CISO at security intelligence firm Nuix, offered us representative reaction. Wow, he said. How many times have I said that data breaches are almost always worse than initially thought? A lot. If Verizon was going to purchase Yahoo for its intellectual property and brand reputation, both of which are pretty much shot at this point, my money is on Verizon walking away after this.
Netskope has discovered new variants of Locky ransomware circulating in the wild. Malwarebytes has published more information on GoldenEye, which is a rebranded strain of Petya/Mischa ransomware. This criminal sector continues to grow. An IBM Security study released this week says that ransomware operators are expected to net a billion dollars from extortion in 2016, up from a relatively paltry $24 million in 2015. So it's worth remembering that regular, secure backup is always a sound practice.
There's some compensating good news on the ransomware front. The international public-private partnership No More Ransom has added new partners and expanded free services for ransomware victims. Bravo to all the partners in this effort. Too many for us to list here, but all deserving a pat on the back.

In industry news, well-known security executive Amit Yoran is stepping down as president of Dell's RSA unit. He's moving to Tenable Network Security, where he'll serve as CEO.

Finally, autonomous cars take a few more steps closer to hitting the asphalt. GM announces that it's going to begin building and testing self-driving vehicles at the Michigan facility where it currently produces the Chevy Bolt. And Uber has begun operating a few robotic vehicles on California streets. They have human operators on board ready to take over if necessary, but the state of California says the vehicles are in violation of state regulations. How this will play out is to be decided, no doubt, in the courts. Such things usually are.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, the National Cyber Incident Response Plan recently went through a public comment period. This is a plan that has really been ripe for some updates. What's the latest with it and where can we expect it to go?

Yeah, the National Cyber Incident Response Plan has come out of the Presidential Policy Directive 41 that came out in July 2016. Basically, the Department of Homeland Security, in conjunction with the Federal Emergency Management Agency, has taken a lead in developing this National Cyber Incident Response Plan, which is going to basically outline how the federal government would respond to a cyber incident in this country. DHS and FEMA have been working with other federal government agencies like the Department of Justice or Department of Defense, as well as representatives from state and local governments. And they're getting a lot of involvement from the private sector as well, critical infrastructure owners and operators, for example. So it's really a multi-stakeholder effort that's underway here to update the National Cyber Incident Response Plan to really outline how the government is going to respond.

Now, Markus, FEMA is taking a lead role in this effort. I think a lot of people would be surprised. I don't really think of FEMA as being a cyber agency.

It might be surprising to hear that FEMA is a lead agency in developing the cyber plan. But when you take a step back, you see that the National Cyber Incident Response Plan actually will fall under the National Preparedness System, which is the national system for dealing with any kind of threat or hazard. It outlines how we as a country prevent and protect against threats, how we mitigate against them, how we respond to them, and how we recover. So it's this overarching framework that we have here, this National Preparedness System. And FEMA, of course, is a big part of that. So I don't think it's too surprising to now see that FEMA is involved in developing this National Cyber Incident Response Plan, when that cyber incident response plan really is just a subset of this larger National Preparedness System.

All right, Markus Rauschecker, thanks for joining us.
My guest today is Jacob Ginsberg. He's the Senior Director of Products at EchoWorx, a provider of email encryption solutions and managed encryption services. With a new president headed to the White House in the U.S., we wonder what the transition could mean for the encryption debate and how encryption affects our daily lives when it comes to protecting our privacy and our valuables in an increasingly connected world.
Obviously, things are a little bit up in the air right now, at least in the U.S., with the change of office happening right now in the executive branch. But on the whole, internationally, it looks like we might be at the beginning of a bit of a downswing, if you ask me, or at least from my perspective, certainly not from the law enforcement's perspective.

What do you mean by a downswing?

From the perspective of myself, coming from the perspective of kind of a more privacy-conscious citizen, I would say that a lot of the protections that are in place are in the process of being eroded.

And how is that happening?

It's happening, again, it's easy to speak globally for a second, and then we can shift to the U.S., because the most recent example, I would say, comes out of the U.K. with the Investigatory Powers Bill, which is not necessarily specific to encryption, or at least the whole of it, but more with regard to privacy. You know, it mandates record collecting by ISPs and removes the barrier of requiring a warrant to get at that information. And then there's also, you know, little pieces in there about encryption. And as you know, talk seems to spring up whenever it can, whether it be in Canada or in the U.S., also about, you know, the government wanting to put in back doors and mandating access and things like that. Those calls seem to be increasing in both volume and frequency.
Is it mutually exclusive? I mean, can you have strong end-to-end encryption, but also have some sort of backdoor access for law enforcement?

I would say yes, they are. They're absolutely mutually exclusive. There's a couple of catchphrases that are thrown around. One of them is, today's backdoor is tomorrow's vulnerability. That's something that's generally well accepted in the security industry. There's little to no guarantee if a backdoor or a mechanism for access is put in place that it won't be exploited down the road by someone else. There's always that very real risk.
And what's your response? I mean, we hear from law enforcement who say that, you know, they have real needs to be able to get at some of this data. You know, some of them really tug at your heartstrings, you know, trying to solve murders of people and so forth. How do you respond to those kinds of stories?

Right. Well, first off, let me just say that, you know, at no point do I ever, I don't blame kind of law enforcement or people in the intelligence community for wanting some of these tools like backdoors. Everyone wants tools to be able to do their job more effectively. And, you know, assuming, of course, obviously, that everyone has everyone's best interests in mind, what they are interested in doing is, say, helping people and capturing terrorists and criminals and whatnot. So no blame or kind of anger thrown their way. But I guess the answer would be that, you know, no one would argue that if the police could go into a domicile or a residence whenever they wanted without a warrant, certainly they would be able to catch more criminals and possibly even prevent more crimes. But kind of we as a society have decided that that's too far. And we've kind of drawn a line around, you know, protections and privacies. And it's kind of, it's not up to the police, it's up to the rest of us as a public, and to the courts and politicians, when you can depend on them, to kind of reinforce that line. It's a reasonable request from their perspective, but it's, I would say that, given the scope of technology and people's digital footprint nowadays, it's a bit too far.
This phrase that's bandied about a lot of times in the U.S., often in sad contexts, that freedom isn't free. A lot of the time, you'll see it on Facebook or something overlaid with a picture of caskets of American soldiers or service members coming back from the Middle East. And that's kind of generally the context that the quote is thrown around in, which is, again, a tragedy, of course, as well. But really where I think it is most applicable is this context: if we want a society, a free society, and a free society is one where you're secure in your persons and property, and there are protections around them and what you can say and not say, that's the cost of freedom, that there are going to be crimes that you can't solve. There are going to be murders that happen. There are going to be things that slip through the cracks. And it's difficult to say that to people who are, you know, tangentially involved, let alone victims. But that's my personal opinion, that that's the cost of a free society. That's really the proper context for that quote.

When it comes to these sorts of things, you know, legislation inevitably lags behind the technology. Do you agree with that?
Yeah, I agree with that 100%. And it goes both ways. It doesn't necessarily favor privacy or kind of, you know, look unfavorably on technology. It can certainly cut both ways. And I mean, that has been an aspect of the conversation kind of for as long as law enforcement and technology have collided. I mean, that's the basis, that assumption is the basis of the All Writs Act of the late 1700s in the U.S. that would allow courts to compel companies or bodies to act in a certain way where there are gaps in legislation. The All Writs Act was, again, used as the basis of the New York Telephone Company versus the United States Supreme Court decision in 1977. That is the framework for a lot of our surveillance and being able to look at pen registers for phone records, which is, again, used as a lot of the basis for kind of email communications and digital surveillance today. So it is a really important issue. It's almost impossible to overstate its importance. This is a very real inflection point, potentially, in terms of our relationship with the data that we own and create and who we are and our governments.

That's Jacob Ginsberg from EchoWorx.
And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.