CyberWire Daily - Patch Tuesday. Infrastructure hacking and hackers. Industry notes. Influence operations. Jamming a radio station.

Episode Date: July 12, 2017

In today's podcast we share some Patch Tuesday notes: Microsoft and Adobe both offer updates. Kremlinology goes cyber as infrastructure attacks remain under investigation. A cyber company emerges from stealth. The US General Services Administration removes Kaspersky Lab from Schedule 70. Election influence investigations turn to the question of Russian opposition research. Jonathan Katz from the University of Maryland explains a side-channel attack on 1024-bit encryption. Cisco's Jennie Kay wants to ease your trade show anxiety with a helpful webinar. And, Sheriff of Nottingham, call your office, because Robin Hood was no winker.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. We've got some Patch Tuesday notes, with Microsoft and Adobe both offering updates. Kremlinology goes cyber as infrastructure attacks remain under investigation. Sheriff of Nottingham, call your office, because Robin Hood was no winker. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 12, 2017. Yesterday was Patch Tuesday, and both Microsoft and Adobe issued security updates for their products.
Starting point is 00:02:46 Microsoft's 55 security fixes included updates to Windows, Internet Explorer, Edge, Office, the .NET Framework, and Exchange. Among the patches were two that addressed vulnerabilities Preempt Security found in Microsoft's NT LAN Manager, that's NTLM, which they quietly disclosed to Redmond back in April. Experts advised users of NTLM to address these issues as soon as possible. NTLM is a set of security protocols used for authentication. They're managed through Active Directory's Group Policy. The vulnerabilities fixed this week both enable credential relay attacks: theft of negotiated NTLM credentials, which are then forwarded to a server for successful authentication.
Starting point is 00:03:31 Adobe's patches addressed Flash Player, one fix to a remote code execution bug, and Adobe Connect for Windows. Observers like Brian Krebs make the usual remarks to the effect that users should perhaps simply get rid of Flash entirely at this point, but Flash will no doubt retain many of its users, and those users should pay attention to Adobe and patch Flash promptly. The phishing attempts against U.S. power plants, including most famously the Wolf Creek Nuclear Facility in Kansas, continue to be generally regarded as Russian in origin. They are affording a good opportunity to observe the young Kremlinological sub-discipline of threat actor tracking.
Starting point is 00:04:07 Where security intellectuals once looked at the lineup atop Lenin's tomb on May Day for indicators of succession, influence, and personal decline, we now look at reused and repurposed code. The Kremlinological metaphor should be borne in mind when assessing attribution. Kremlinologists often had it right, but they also whiffed on occasion. Who saw Konstantin Chernenko coming, for example, back in the day? A few, maybe, but it's always been an inferential and circumstantial game. Wired has a nice scorecard of Russian infrastructure hacking suspects. They draw attention to three.
Starting point is 00:04:45 Two of them are relatively well-known, the other more obscure. The first is intelligence-gathering Energetic Bear, also known as Dragonfly, Koala, and Iron Liberty. Energetic Bear has been tracked by security companies CrowdStrike and FireEye since 2014, but is believed to have been active since 2010. It began by distributing the Havex Trojan in watering hole campaigns, then turned to phishing. Energetic Bear seemed initially most interested in collecting against the oil and gas sector, but also showed interest in electrical power. Energetic seemed to become less energetic after it came under scrutiny in 2014,
Starting point is 00:05:24 and is held by some to have vanished, but who knows, might just be hibernating. Number two on Wired's list is Sandworm, also known as Telebots or Voodoo Bear, Fancy Bear's GRU cousin. Sandworm is held to be a destructive actor, and is generally credited with the Ukraine grid takedowns of the last two and a half years. Sandworm is also thought to be in some fashion behind the recent Crash Override pandemic. Last comes Palmetto Fusion. This is the quiet one. FireEye has been observing them since 2015, and they, like the other two, have shown an interest in the energy sector.
Starting point is 00:06:02 Palmetto Fusion is not only quiet, like Cozy Bear, but is also thought, maybe, to be associated with the FSB, the quieter, more sophisticated agency that's the heir to the old KGB. Fancy is noisy, Cozy is not, so Palmetto Fusion may indeed trace its lineage back to the Lubyanka. In any case, investigation into the attempts on the U.S. grid continues. There's been no effect on operations so far, but experts are warning that the Americans can't count on that forever. Avanti Markets, makers of the food kiosks compromised by hackers, is getting good reviews for their swift and open disclosure of the issue. The compromise included both pay card and biometric information. In industry news, a security startup emerged from stealth this morning
Starting point is 00:06:51 as Edgewise Networks announced itself in Burlington, Massachusetts. Edgewise Networks' announced goal is to focus on trusted application networking. The company is backed by three venture capital firms, .406 Ventures, Accomplice, and Pillar. Kaspersky Lab has been under a congressional cloud for some weeks as various members have made noises about banning the Russia-based security company and its widely used products from U.S. federal, especially defense, systems. Following reports by McClatchy and most recently Bloomberg that Kaspersky has done business with Russian state security organs, the company has been removed from two GSA procurement
Starting point is 00:07:34 vehicles. After review and careful consideration, the U.S. General Services Administration says it has removed Kaspersky from Schedule 70, which covers IT, and Schedule 67, which includes procurement of photographic equipment and related supplies and services. It's not, as some have reported, an outright ban, and there's no statement on the GSA site that connects the removal with allegations that Kaspersky's in bed with the FSB, but that's how the general media are treating the matter. Agencies will remain free to hire Kaspersky under other contract vehicles, but the action does remove an easy avenue for the company to sell into the federal government.
Starting point is 00:08:20 Kaspersky denounces the Bloomberg story about the company's alleged connection to the FSB as a politically motivated hack job. Congressional interest in restricting Kaspersky continues unabated, and some observers see the GSA action as a Trump administration shot across Russia's bow. The story is developing, and it's worth noting that there are at least two issues here. It would be difficult, not impossible, but difficult, to find major security companies that don't do work for their home country's intelligence or law enforcement agencies. But doing that sort of work doesn't necessarily mean that a company is selling out the rest of its customers to the cops and spies. So the story will bear watching. Investigation of election influence operations continues in the U.S.
Starting point is 00:09:03 Donald Trump Jr.'s campaign season email exchanges with Russian sources of opposition research receive foreseeable scrutiny. Finally, a radio station in the U.K., in Nottinghamshire to be precise, has been suffering interference by someone playing the 1978 novelty hit The Winker's Song over and over. That's the title that appeared on the single's cover. It's unclear whether it's a case of hacking or jamming. As some reports suggest, the Winker fan is using a pirate radio transmitter.
Starting point is 00:09:38 We assume the Sheriff of Nottingham is on the case. Our UK desk insists this is a story because, they say, it illustrates a trend, the convergence of cyber and electronic attack, reminding us that at the beginning of the first Gulf War, U.S. airstrikes announced that the campaign had begun by flying in behind jammers playing The Clash's Rock the Casbah, and so on. Maybe, but the fact that the UK desk has enthusiastically pointed out that The Winker's Song foreshadowed similarly themed hits by The Vapors in 1980, Cyndi Lauper in 1983, and The Divinyls in 1990 makes us think our UK desk is still mentally and probably emotionally in the 10th grade. Either that or aspiring pop music historians.
Starting point is 00:10:24 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:11:19 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
Starting point is 00:11:48 vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:47 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Starting point is 00:13:29 Jonathan, welcome back. We had a story come by from Security Affairs, and it was talking about a side channel attack on some RSA encryption. They were claiming that they can crack 1024-bit RSA encryption. Bring us up to date here. What's going on? So this is an example of a side channel attack where basically the attacker is using information that they're obtaining by watching the execution of the algorithm, say if they have a virus running on the same machine that the algorithm is executing on. And by looking at very small
Starting point is 00:14:01 differences in the timing that various parts of the algorithm take, it turns out that it's possible to extract bits of information that allow them to recover the secret key for 1024-bit RSA, as you say. And one of your colleagues at the University of Maryland had a hand in this. Yeah, that's right. Actually, Daniel Genkin is one of the co-authors of the paper describing this work, and he's currently a postdoc splitting his time, actually, working with me at the University of Maryland, and also working with Professor Nadia Heninger at the University of Pennsylvania. So how big a deal is this? Is this something to be taken seriously, or is this more of an academic
Starting point is 00:14:37 kind of thing? Well, it's a little bit mixed, actually. So it's something to be taken seriously from the point of view that there are actually deployed products, in particular the GNU PG crypto library, that are vulnerable to this attack. And they've ended up patching their system and fixing the bug that led to this attack. So they certainly took it seriously. On the other hand, the conditions that an attacker would need in order to carry out this attack are pretty severe. And like I said earlier, the attacker would basically have to be running on the same machine that the cryptography was being executed on. If that's the case, if you have an attacker running on your machine, you probably have bigger problems to worry about. Right, right. So there are probably more practical ways to get what you need if you already have full access to the machine itself.
Starting point is 00:15:24 Yeah, potentially. I think that this is one in a line of work that highlights the potential problems that can occur. When you're implementing cryptography in the cloud, you might have actually different users' programs being run on the same physical machine. And it's potentially possible in that case that an attacker running on the same machine as an honest user would be able to get the information that's needed to carry out this attack in that case as well. All right. Jonathan Katz, thanks for joining us. Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the
Starting point is 00:16:01 power grid. You've heard a lot over the last few months about the grid's vulnerability. Crash Override, in particular, threw a scare into the energy distribution sector. It's a real threat, and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper, Cybersecurity and the Grid, the Definitive Guide, for insight into how the North American power grid works, an overview of current regulations, and a look at potential cyber threats.
Starting point is 00:16:37 You'll find the guide at deltarisk.com slash grid hyphen white paper. Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity, and risk management services to commercial and government clients. Learn more about DeltaRisk by visiting DeltaRisk.com, and while you're there, get that guide to cybersecurity for the grid. It's DeltaRisk.com slash grid hyphen white paper. And we thank DeltaRisk for sponsoring our show. DEF CON and Black Hat are coming up. And if you've never been, chances are you might be a bit unsure of what to expect.
Starting point is 00:17:23 Jennie Kay is a researcher at Cisco, and she's put together a webinar to help trade show first timers. It was very intimidating the first time I was there. I didn't speak to anybody my first DEF CON, really. I tried to blend in and keep to myself and figure out what was going on. And I don't want anyone to have that kind of experience because there is actually, I've discovered through the years, there's so much more to see at DEF CON and it's so much better when you do speak to people. And I just wasn't sure who was safe to talk to and where to go and what to do. And so I just want everyone
Starting point is 00:17:51 else to have a better experience than my first experience at DEF CON. So give us an idea, what can people expect from this online panel you put together? So a lot of questions I hear are about what the differences are between Black Hat and DEF CON and do I need to do both? Or there's also B-Sides Las Vegas and some of the smaller co-located parties and conferences. And so I have a diverse group on the panel to explain sort of who belongs where and if you're interested in which topics, maybe which villages or which parties to hit or not to hit, as well as, you know, how do I stay safe in Vegas amongst all these hackers? Now, is this panel specifically targeting women who are taking their first trip out there, or can anyone tune in? We welcome anybody to tune in.
Starting point is 00:18:46 The panel does happen to be six ladies whom I've all met and worked with, and we all have a very different, diverse opinion. So while there will be tips specific to women, just a few, the safety tips really apply to everybody about keeping your drink safe and, you know, shady characters that may approach you. And we'll give examples of the types and experiences that we've either had or have friends who have encountered at DEF CON. So give us the details here. When is the panel? How can people take part?
Starting point is 00:19:19 So our panel is this Thursday, July 13th at one in the afternoon Pacific time, 3 p.m. Central. And for those in New Zealand, like our panelist Kate, it's actually July 14th, Friday morning at 8 a.m. New Zealand time. We know DEF CON is a very global event. People come in from all over. So we try to accommodate a variety of perspectives and time zones. They can register for the webinar. There's a link from my tweet, @TXJennieK, just the link from my pinned tweet. Okay, so check out your Twitter account, and that's the quickest way to find out how to sign up. Yes.
Starting point is 00:19:59 And once again, that Twitter account is @TXJennieK. That's J-E-N-N-I-E-K. That's Jennie Kay from Cisco. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:20:42 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
