CyberWire Daily - Daily: Zero-days, industry notes, the Intelligence & National Security Summit, and more.

Episode Date: September 12, 2016

In today's podcast we wrap up our coverage of last week's Intelligence and National Security Summit, discussing some of the issues surrounding cyber conflict among nation-states and terrorist organizations. Unresolved issues of cyber deterrence and where it should fit into the spectrum of conflict. Goals of election hacking and other influence operations, from propaganda through lobbying through bribery. Ransomware trends and credential breaches. Yisroel Mirsky from Ben Gurion University discusses air gap security. And sometimes your enemies are an even better recommendation than your friends.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 about cyber conflict with nation states and terrorist organizations, unresolved issues of cyber deterrence, and where it should fall on the spectrum of conflict, goals of election
Starting point is 00:02:09 hacking and other influence operations, ransomware trends and credential breaches, and sometimes your enemies are an even better recommendation than your friends. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, September 12, 2016. Last week's Intelligence and National Security Summit offered a great deal on cybersecurity policy and practice. Cyber was not only addressed repeatedly in the plenary sessions, but it was the focus of one of the conference's three breakout tracks. That cyberspace is of prime concern to the intelligence community and those who support it is unsurprising,
Starting point is 00:02:50 but a walk through the exhibitors' hall offered some striking confirmation. Cybersecurity vendors dominated the space. Also interesting was the clear sense that the leaders INSA and AFCEA drew to the summit were working through some of the same theoretical, practical, and conceptual issues defense thinkers have grappled with over the past century and a half. How those issues will be resolved in cyberspace is in some cases clear. Elsewhere, it remains murky. Questions of deterrence were particularly difficult to resolve. Several of the symposiasts suggested that cyber deterrence today was in roughly the same state of theoretical immaturity nuclear deterrence was in 1950. How to balance the need for certain attribution and credible retribution on the one hand,
Starting point is 00:03:33 with the competing need for freedom of action and desirable ambiguity in particular, remains an unsolved challenge. The international norms we find in such places as the law of armed conflict are also still missing from cyber conflict. The entire field remains to be developed. Couple with this an observation made by Lieutenant General Kevin McLaughlin, Deputy Commander, U.S. Cyber Command, to the effect that cyber attacks need not be met with retaliation in kind, and it's clear that the relationship between the virtual and the kinetic worlds
Starting point is 00:04:04 remains, to say the least, imperfectly understood. For a full account of the summit, visit our website, thecyberwire.com. The summit was hosted by AFCEA International and the Intelligence and National Security Alliance, INSA. Among the topics taken up at the summit was the threat posed by nation-states, Russia prominently among them, and by non-national actors, especially the Islamic State. The Islamic State, that is ISIS, may be on the way to defeat. That's the assessment of Director of Central Intelligence Brennan and his colleagues in the big six U.S. intelligence agencies, especially insofar as ISIS aspires to be a caliphate holding, governing, and administering territory.
Starting point is 00:04:46 But Brennan and his colleagues don't regard this as unalloyed good news. They expect to see a decline in ISIS cyber and information operations capability as it loses the relatively secure enclaves it finds useful in producing what FBI Director Comey called, quote, the kind of propaganda they use to influence screwed-up individuals, end quote. But they anticipate problems as well, expecting a metastasis of fighters to spread to other regions as ISIS loses control over its core territory. There are reports today that law enforcement and intelligence agencies find ISIS an increasingly elusive opponent online, less easy to track and trail than it formerly was.
Starting point is 00:05:26 This is in part due to ISIS's increasing use of encrypted chat, but to a great extent, as the Wall Street Journal reports, it's attributable to the caliphate's reversion to the traditional terrorist cellular tradecraft, face-to-face meetings, written notes, and misdirection. Sometimes one advances capabilities by technological retreat. The other class of threat that received a great deal of attention at last week's meeting was, of course, the nation-state threat. Here, four states were singled out as particularly troublesome:
Starting point is 00:05:56 China, Russia, Iran and North Korea. Australian authorities see a rising threat of foreign cyber attacks aimed at eroding that country's government's legitimacy and the credibility of its political leaders. Chinese efforts here pose the most immediate concern, although Russia is mentioned as well. Chinese influence operations appear mostly economically motivated and to extend to such things as traditional lobbying shading toward bribery. U.S. concerns about Chinese cyber operations have less to do with fear of influence than they do with ongoing incidents of direct hacking aimed at theft of intellectual property.
Starting point is 00:06:34 Yet here, the experts at the Intelligence and National Security Summit were in substantial agreement. The cyber tensions with China can be and are being managed through diplomacy and negotiation. Matters stand quite differently with Russia. Here the concern is more serious, as Russia shows a strong capability and willingness to wage hybrid warfare. Both the President and the Secretary of Defense have warned Russia about interfering with U.S. political processes, and last week's symposiasts agreed there was a threat there.
Starting point is 00:07:03 Director of Central Intelligence Brennan declined over the weekend to say that Russia was hacking the elections, but he did counsel wariness over Russia's cyber capabilities, which he assessed as high. Observers are arriving at a consensus that manipulating U.S. election results globally would be difficult, although local mischief remains a real concern. The dispersed and disparate nature of the state-run U.S. electoral process is, by virtue of what FBI Director Comey last Thursday called its clunkiness, relatively resistant to large-scale manipulation. But such large-scale manipulation is thought unlikely to be Russia's goal.
Starting point is 00:07:39 As The Hill noted this morning, the goal is not to change the results of November's elections, but rather to call them into question, thereby undermining confidence in American democracy. In cybercrime notes, as ransomware continues to morph and spread, researchers at Trend Labs find the CryLocker ransomware exfiltrating user information as a PNG file. Another big credential breach hits, this one involving Russian instant messaging service QIP.ru. It's thought to affect 33 million users. As President Obama nears the end of his second term,
Starting point is 00:08:16 the American Civil Liberties Union has opened a campaign advocating a presidential pardon for NSA leaker Edward Snowden. This Wednesday, the ACLU is expected to join Amnesty International and Human Rights Watch in opening a petition to that effect. They hope to take advantage of the attention generated by the opening of Oliver Stone's film Snowden. Appropriately enough, the petition will be conducted online. Finally, we've on a few occasions been able to shout bravo in the direction of Emsisoft's Fabian Wosar,
Starting point is 00:08:48 who's released several ransomware decryption tools. Recently, he's received accolades of another kind. The Apocalypse Criminal Coding Group has named a strain of ransomware after him: Fabiansomware. We hear it's poorly designed. In any case, bravo Fabian and keep slugging. Sometimes your best recommendation is the enemies you make.
Starting point is 00:10:00 And I'm pleased to be joined today by Yisroel Mirsky. He's a PhD candidate, researcher, and project manager at the Cybersecurity Research Center at Ben-Gurion University. Thanks for joining us today. I know one of the things you wanted to talk to us about, one of the areas of your research, is air gap security. So air gap security is a security measure in which an organization physically isolates their network from public networks
Starting point is 00:11:35 in order to evade attacks or really to evade direct confrontation. So for example, military networks or financial systems and most commonly industrial systems such as power plants. Although it's a great measure and it really does help minimize the attack vectors on the organization's network, it's not impervious to attacks. For example, there are many malware out there that can get over this air gap, this physical separation between the two networks. For example, Flame, Gauss, Agent.BTZ, Stuxnet, and so on and so forth. So when it comes down to it, the attacker's challenge is two factors. One, command and control of his malware. Once he's gotten into the network, how can he control his malware to get to whatever asset he has? And data exfiltration. As soon as he gets whatever data or asset he wants,
Starting point is 00:12:27 how can he get it out of the network? In general, there are two types of channels that the attacker would be interested in, like I mentioned before, an inbound channel and an outbound channel from the network. So for an inbound channel, there's one approach which is actually quite interesting, is the idea that not every network is completely isolated from all other networks. For example, most buildings have what's called an HVAC system, a heating, ventilation, air conditioning system, and this system will change the heating and also allow you to control all sorts of other subsystems such as elevators, but many times has a web portal for
Starting point is 00:13:05 the technicians to connect to and administer the system from remote. Now, this web portal connects to the public internet, but in parallel in the same physical space, you have this isolated network. So, what we found is that if you compromise the HVAC system from remote, you can raise the temperature and lower the temperature of the different rooms and thus signal binary modulations over the air to the computers, because every computer has basically thermal sensors inside for the CPU and for the chassis and so on and so forth, and you can actually detect these fluctuations quite well. So it just goes to show that you may be able to segregate your network completely, physically and isolated,
Starting point is 00:13:50 but that doesn't mean that it's going to be impervious from attacks. You have to think of all sorts of other outside-the-box kind of attacks and side channels that can be affected. Yisroel Mirsky, thanks for joining us.
Starting point is 00:14:56 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
