CyberWire Daily - DragonFly 2.0 in power grids. Cyberespionage in the South China Sea. Russian Facebook ads. "Fake News" survey.
Episode Date: September 7, 2017
DragonFly 2.0 is up to some very bad things in several nations' power grids. China ramps up cyberespionage against South China Sea rivals. Facebook finds that a Russian front company bought more than $100,000 in influence-ops ads on its service over the last two years. US info ops stumble over a dog. Jonathan Katz on encryption bit depth. Kyle Wilhoit from Domain Tools with the results of a Black Hat survey on "fake news." And a Japanese 13-year-old is in hot water for trying to sell malware. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. To learn about combining threat intelligence, analytics, and orchestration, check out ThreatConnect's webinar. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Dragonfly 2.0 is up to some very bad things in several nations' power grids.
China ramps up cyber espionage against South China Sea rivals.
Facebook finds that a Russian front company bought more than $100,000 in influence-op ads on its service over the last two years.
U.S. info ops stumble over a dog.
And a Japanese 13-year-old is in hot water for trying to sell malware.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, September 7, 2017.
The warnings about Dragonfly, sounded this week by Symantec, continue to reverberate.
It amounts, observers say, to a sabotage warning,
since the threat actor is believed to have established access to operational networks controlling the power grid.
The U.S., Switzerland, and Turkey are said to be particularly heavily infested.
A nation-state is said to be behind Dragonfly. Which nation-state hasn't yet been publicly identified.
Dragonfly has been seen before, starting in 2014, as we're reminded by Moreno Carullo of Nozomi Networks. He commented to us that the earlier wave of Dragonfly heavily targeted pharmaceutical firms. He said, quote,
Dragonfly 2.0 appears to have been weaponized to specifically target industrial control systems field devices, and then feeds that information back to the command and control server, which will be monitored by the attackers.
He notes that Dragonfly 2.0 is patient. He said, quote, rather than installing an infection immediately, this latest iteration of Dragonfly bides its time, waiting 11 days before automatically installing a backdoor. Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities and even circumventing permission restrictions on user accounts.
Carullo says that research by Nozomi supports the conclusion that Dragonfly 2.0 is exploring ICS networks in depth and that such knowledge could readily be used to disrupt operational networks.
Representatives of the electrical power industry at the Intelligence and National Security Summit
made the familiar point that there are no easy solutions to this threat.
It's an aspect of risk that must be known and managed. Those we heard speaking made two points.
First, when the power industry talks about intelligence,
they're talking about the intelligence they themselves develop.
They're not waiting to be fed by government,
although they welcome cooperation with and assistance from government.
Second, they reject the notion that security should be something
that affords a company a competitive advantage,
and they advocate sharing intelligence with the sector as much as possible.
Votiro, Fortinet, and FireEye re-emphasize findings that groups associated with Chinese intelligence services are working actively against countries with whom China is disputing territorial claims in the South China Sea,
Indonesia, the Philippines, and Vietnam, especially Vietnam.
Facebook says that over the last two years, between $100,000 and $150,000 in some 3,000 Facebook ads were placed by the Internet Research Agency, a St. Petersburg outfit known to operate on behalf of the Russian security and intelligence organs.
The topics the ads addressed were characterized as divisive, concentrating on race, immigration, equal rights, and so on. $150,000 is not much in terms of
advertising dollars. If it was a Russian ad buy aimed at disruption, then Moscow achieved a
spectacular return on its investment. Some, like Virginia Senator Warner, who addressed this news
at the Intelligence and National Security Summit this morning, are calling this the tip of the iceberg.
The ads were fairly well distributed across the political spectrum, not apparently pushing any consistent viewpoint, but rather they were evidently placed to exacerbate the worst tendencies of those who might read them.
The U.S. continues its minor stumbles over information operations.
Anti-Taliban leaflets dropped in Afghanistan alienated their target audience
by carelessly juxtaposing the Taliban flag with a Quranic verse and a dog,
a ritually unclean animal.
An international panel of counterterrorism experts at the Intelligence and National Security Summit
discussed information operations by both state and non-state actors.
In response to a question about developing technology that could monitor social media,
they replied that the technology was already here, right in front of us.
It's Facebook, Google, and Twitter.
They know the content that's transiting their networks.
What they or a government might do with that knowledge, however, remains an open and contentious question.
By now, we're all familiar with the phrase fake news and the variety of ways it gets invoked.
The folks at Domain Tools wanted to get a snapshot of how cybersecurity professionals perceive fake news,
so they conducted a survey this year at Black Hat.
Kyle Wilhoit is a senior security researcher at Domain Tools.
How does the fake news issue get solved? Realistically, a majority of the respondents
from the actual survey had gone out and said that realistically this falls back on social
media sites themselves, meaning the Twitters of the world, the Facebooks of the world,
they're the ones that actually would need to go out and write algorithms and figure out ways to
help filter out some of this fake news. So that was one of the more interesting questions that
we were asking kind of surrounding this. And additionally, we had asked if the government
needs to intervene and help to shut down these actual sites. And a majority of the respondents
also had answered that the government
does in fact need to intervene and shut down those actual websites. So a couple of interesting data
points there, just kind of gauging, you know, again, what cybersecurity professionals are
kind of feeling and what they view and how they view fake news in general. It's interesting. I
didn't really expect it to kind of come out that way.
Some other interesting results from the survey, you had a significant percentage of people thought
that cyber war is the current state of warfare. Explain that to us.
Yeah. So realistically, whenever we're asking kind of around the current state of cyber warfare,
et cetera, we asked a specific question, essentially asking,
is there specific reasons that you might view the United States, for instance, as being targeted,
et cetera? And many respondents were saying that the U.S. realistically had the most to lose,
meaning from an intellectual property standpoint, it makes a very attractive target. Now, we're not
necessarily downplaying other nations or other good information or other proprietary information that other nation states are generating.
What the respondents seem to think is that, you know, the U.S. realistically had the most to lose
and that ultimately made them one of the more attractive targets. And then we also asked
specifically about kind of where we think or where do you specifically think that attacks will actually happen.
And a majority of individuals in the actual survey had said that electricity generation systems were going to be more than likely going to be one of the first assets to fall victim to an attack.
And then closely following that was telecommunication systems.
Was there any sense from the survey as to whether people think that things are getting better or worse in terms of our ability to protect
against those types of attacks? Yeah, so we didn't go into great detail as far as how they feel
from a protection standpoint or if they feel that everything is good. But ultimately,
what it boils down to is that a
majority of the individuals, meaning 63% of the people, had mentioned that the cybersecurity
architecture or the lack of robust cybersecurity architecture is one of the main driving forces
that could cause one of those breaches, which, again, I think is a pretty accurate
assessment, a pretty accurate realization as to what's happening in the world. Also, ultimately, what was also interesting
was the simple fact that some of the biggest factors, you know, from a policy perspective
is the fact that many people think that inadequate policy is actually second or third in place
behind inadequate security architecture.
So most respondents to the survey had gone out and said, hey, we think that the security architecture is bad.
But other respondents, meaning the second place, was inadequate policy.
So other individuals are also realizing that there's policy gaps, that there's policy issues, etc., that I think is also accurate.
That's Kyle Wilhoit from Domain Tools.
Google's September Android security bulletin addressed 81 bugs,
13 of them critical remote code execution vulnerabilities.
In other industry news, WebRoot is welcoming a new CEO.
Mike Potts will take over for Dick Williams,
who's retiring after leading the Colorado-based cyber company through 14 consecutive quarters of growth.
Best wishes to Mr. Potts and congratulations to Mr. Williams.
Enjoy your retirement.
Finally, we're all for teaching kids to code, but kids, sometimes you go too far.
Witness the 13-year-old Japanese boy who's come to the attention of the Nara Prefectural Police.
The youngster was busy looking for a dark web market in which he could hawk malware he'd written.
Boy, boy, these wild ways of yours
will break your mother's heart.
Joining me once again is Jonathan Katz. He's a professor of computer science at the University
of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, we're going to
get back to some basics today,
and we want to talk about bit depth when it comes to encryption.
Give us an overview. How does bit depth affect things?
Well, the strength of the key or the strength of the encryption that's being used
is directly related to the length of the key.
That's at least the case for symmetric key algorithms like we're talking about here.
And essentially, if your encryption algorithm is good enough,
then the only way to break it is to do a brute force search or an enumeration of all possible
keys that can be used. So if you have, let's say, a 4-bit key, that means you have 2 to the 4 or 16
different possibilities, which isn't very much. If you have a 256-bit key, then the number of
possibilities for the key is 2 to the 256, which is an astronomically
large number. And essentially what that means is that every bit you add on to the key is going to
double the difficulty of doing a brute force search for the key. So as computing power increases,
is it inevitable that today's uncrackable encryption will be crackable in the future?
Well, that's a great question. And it turns out, actually, that you can do the calculation
and you can see exactly how long it might take
to do a brute force search over keys of a particular length.
And, for example, if you imagine that you have a computer
that's capable of checking a key once every computer cycle
and it's been running, say, I don't know,
since the beginning of the universe,
then it turns out if you do the calculation,
you get that you can search through a 96-bit key space.
So it looks pretty safe to say that we're not going to be cracking keys that long anytime
soon.
And in fact, you can even use a lot of physics to get an upper bound on how many keys you
could potentially search through.
There's a calculation online somewhere where if you even extract all the energy coming
out of the sun and do this brute force searching over the timescale of the universe,
you can search through about keys of length 187 bits.
So 256-bit keys look pretty safe until we start computing with things
other than matter and energy.
All right, so we're safe for the time being,
but why use a key that complex?
Is there a computational penalty for using a key that's that complex?
Right. Well, everything I was talking about so far assumes that the best way to attack the system
is a brute force search over the entire space of possible keys. And so from that point of view,
a 256-bit key would protect you forever. The concern that people have, of course,
is that the encryption algorithm may not be perfect. Somebody five or ten years from now may come up with a method
to break the encryption scheme that's slightly faster than a brute force search,
and so you want protection even in the event that people are able to kind of
shave a few bits off the effective strength of the key.
People are also concerned about the possibility of quantum computers
that might be able to speed up the attack.
The jury is still out over whether that's actually possible in practice,
but the theory says that on a quantum computer, you can cut the effective key strength in half.
So from that point of view, a 256-bit key would have only the strength of a 128-bit key against a quantum computer.
Jonathan Katz, thanks for joining us.
Thank you.
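The key-length reasoning in the interview above (every added bit doubles the brute-force work, a fixed compute budget exhausts only so many bits, and Grover's algorithm halves the effective length) can be turned into a small calculator. The following is an added example, not code from the CyberWire or from Jonathan Katz. It assumes an age of the universe of 13.8 billion years and a trial rate of one key per cycle on a single 3 GHz core for the "since the beginning of the universe" budget (the figure it produces is therefore a few bits below the 96 quoted above, which used a different assumed rate), and it uses HMAC-SHA256 under a short key as a stand-in keyed primitive so the exhaustive search can actually be run offline.

```python
"""Brute-force feasibility calculator for symmetric key lengths.

Added illustration of the key-length argument: doubling per bit, searchable
bits for a given time budget, and Grover halving against a quantum adversary.
Not code from the CyberWire or from Jonathan Katz. The age-of-the-universe
budget and the 3 GHz trial rate are assumed figures for illustration only.
"""
import hashlib
import hmac
import math

# Assumed age of the universe: 13.8 billion Julian years, in seconds (~4.35e17 s).
SECONDS_SINCE_BIG_BANG = 13.8e9 * 365.25 * 24 * 3600

# Assumed rate: one key trial per cycle on a single 3 GHz core.
ONE_CORE_KEYS_PER_SECOND = 3.0e9


def searchable_bits(keys_per_second: float, seconds: float) -> float:
    """Largest key length (in bits, fractional) whose entire space can be
    enumerated at the given rate within the given time budget.

    Each extra bit doubles the space, so this is just log2(rate * time).
    """
    return math.log2(keys_per_second * seconds)


def effective_bits(key_bits: int, cryptanalytic_loss: int = 0, quantum: bool = False) -> float:
    """Security level left after (a) an assumed cryptanalytic shortcut that
    'shaves' some bits off the key and (b) Grover's algorithm, which on a
    quantum computer reduces an n-bit exhaustive search to about 2^(n/2) work.
    """
    strength = key_bits - cryptanalytic_loss
    if quantum:
        strength = strength / 2
    return strength


def recommended_key_bits(target_bits: int, cryptanalytic_loss: int = 0, quantum: bool = False) -> int:
    """Smallest key length that keeps at least target_bits of security under the
    same assumptions; the inverse of effective_bits().
    """
    needed = target_bits * 2 if quantum else target_bits
    return needed + cryptanalytic_loss


def toy_tag(key_int: int, key_bits: int, message: bytes) -> bytes:
    """Stand-in for a keyed primitive: HMAC-SHA256 under a short key.
    A real cipher would sit here; HMAC is only a convenient keyed black box.
    """
    key = key_int.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key, message, hashlib.sha256).digest()


def brute_force_key(target_tag: bytes, message: bytes, key_bits: int):
    """Exhaustive search over all 2**key_bits keys.

    Returns (recovered_key, trials) or (None, 2**key_bits) if no key matches.
    Worst-case trials double with each added key bit.
    """
    for candidate in range(1 << key_bits):
        if hmac.compare_digest(toy_tag(candidate, key_bits, message), target_tag):
            return candidate, candidate + 1
    return None, 1 << key_bits


if __name__ == "__main__":
    # Constructed sample: a 12-bit key at the very end of the space, so the
    # search performs the full 4096 trials before recovering it.
    msg = b"constructed sample message"
    secret = (1 << 12) - 1
    found, trials = brute_force_key(toy_tag(secret, 12, msg), msg, 12)
    print(f"12-bit key recovered: {found == secret}, trials: {trials}")
    budget = searchable_bits(ONE_CORE_KEYS_PER_SECOND, SECONDS_SINCE_BIG_BANG)
    print(f"one 3 GHz core since the Big Bang exhausts ~{budget:.1f}-bit keys")
    print(f"256-bit key vs Grover: {effective_bits(256, quantum=True):.0f} bits; "
          f"128-bit key vs Grover: {effective_bits(128, quantum=True):.0f} bits")
    print(f"key length for 128-bit post-quantum margin: {recommended_key_bits(128, quantum=True)}")
```

The calculator only models the case Katz describes, where exhaustive search is the best attack; `cryptanalytic_loss` is the knob for the "shave a few bits off" scenario, and the brute-force routine is there so the doubling per bit can be observed directly rather than taken on faith.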
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.