CyberWire Daily - The complexities of Olympic Destroyer. More blame for Russia in the matter of NotPetya. Congress mulls election security. New York cyber milestone. Ed Snowden as phishbait.
Episode Date: February 16, 2018
In today's podcast, we hear more about Olympic Destroyer: its relationship status with known threat actors is "complicated." The US joins the UK in blaming Russia for NotPetya, and seems to be considering sanctions. The US Congress considers election security, and considers a state-level option: let governors call in the National Guard. New York cyber law reaches its second milestone. Zulfikar Ramzan from RSA, discussing the hype around blockchain technology. Guest is Jack Rhysider, producer and host of the Darknet Diaries podcast. And no, Edward Snowden has not moved in down the block and bought a two-terabyte iCloud storage plan.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Olympic Destroyer's relationship status with known threat actors is complicated.
The U.S. joins the U.K. in blaming Russia for NotPetya and seems to
be considering sanctions. The U.S. Congress considers election security and considers a
state-level option. Let governors call in the National Guard. New York's cyber law reaches
its second milestone. And no, Edward Snowden has not moved in down the block and bought a 2TB iCloud storage plan.
I'm Dave Bittner with your CyberWire summary for Friday, February 16, 2018.
Breaking news as we publish today.
The Justice Department has announced that Special Counsel Robert Mueller has indicted 13 Russian nationals and three Russian entities.
According to the court documents provided by the special counsel's office,
quote, the indictment charges all of the defendants with conspiracy to defraud the United States,
three defendants with conspiracy to commit wire fraud and bank fraud,
and five defendants with aggravated identity theft, end quote.
The indictment outlines attempts by the Internet Research Agency and the other defendants as
far back as 2014 to conspire with each other to, quote, defraud the United States by impairing,
obstructing, and defeating the lawful functions of the government through fraud and deceit
for the purpose of interfering with the U.S. political and electoral process, including
the presidential election of 2016, end quote.
We'll be following this story as it develops.
Recorded Future has taken a good look at the Olympic Destroyer malware and concluded that
any attribution to a particular threat actor would be premature.
They offer some notes on their code similarity analysis.
Researchers at security firm Intezer point out that fragments of code bore some similarity to that used by, quote,
diverse threat actors in the general Chinese cluster, end quote.
Recorded Future itself found what they call trivial but consistent similarities to malware used by North Korea's Lazarus Group.
But this is very far from dispositive proof.
As Recorded Future puts it,
Such similarities are at least as consistent with false flag operations
or simple opportunistic code reuse as they are with conspiracy.
The U.S. government, specifically the White House, yesterday joined the British Foreign Office in attributing last year's NotPetya pseudo-ransomware campaign to Russia.
This was an unsurprising statement, as U.S. officials have long regarded Russia as the prime suspect.
NotPetya began with attacks in Ukraine and spread to other countries.
The U.K. was particularly affected.
Exploits leaked by the Shadow Brokers, who attributed them to NSA, were instrumental in the NotPetya attacks.
White House Press Secretary Sarah Sanders said Thursday,
Thus, the U.S. seems to have promised some form of sanctioning, probably in concert with the United Kingdom.
The U.S. Congress continues to noodle the problem of election interference,
in which two different kinds of problems tend to be conflated.
One of those problems would be the issue of hacking proper,
in which vote tallies were manipulated or people excluded from or added to voter registration databases.
That would be essentially a cyber version of old-fashioned voter fraud,
the sort that people suspected, for example,
when Chicago's Mayor Daley said during the 1960 election that he wouldn't know how the vote went in machine-Democratic Chicago
until the returns from machine-Republican downstate Illinois came in.
The other problem is that of influence operations,
the sort of disinformation and propaganda,
lies surrounded with a bodyguard of truth,
that Russian troll farms have busied themselves with.
A number of senators and people testifying before them
have one proposed solution,
bring in the cyber elements of the National Guard.
How that might help with influence operations is more difficult to see,
but Guard cyber units could presumably help governors secure their state's voting IT,
subject, of course, to the sorts of personnel shortages and so on the security sector is notorious for.
Some notes from one of the United States, specifically New York,
that will have implications beyond the borders of the Empire State.
The state's Department of Financial Services' cybersecurity regulation, 23 NYCRR 500, was
enacted in March of 2017.
Yesterday marked a milestone.
Banks, insurers, and other financial service companies doing business in New York, and
that's a lot of them, had to certify their compliance with the rules.
The requirements of the regulation mandate risk assessments, vulnerability assessments,
penetration testing, multi-factor authentication, and end-user awareness training.
This represents the second tranche of compliance.
The first has been in effect since last August.
It gives companies 72 hours to report a security incident that has a reasonable likelihood of producing material harm to operations.
As Dark Reading points out,
The third tranche comes on September 18th of this year and will include rules on security personnel, data access, and data use.
And finally, hey everybody, did you hear that crazy Ed Snowden is back in the U.S. of A?
We did. There was this email from Apple, well it sort of looked like it was from Apple,
that said $9.99 had been billed to the zany privacy advocate and retired NSA sysadmin for an iCloud 2TB storage plan.
Why would we get that anyway?
You've just got to click to see more, maybe find out where he's living, right?
And what he needs those 2TBs for.
Our money was on his living at Mar-a-Lago because, well, who wouldn't want to live there?
And maybe using the storage for old episodes of Celebrity Apprentice,
because, well, who wouldn't want to watch that?
But alas, it turned out to be a scam discovered by Malwarebytes.
Why it occurred to the phishers to use a Snowden receipt as phishbait is difficult to say.
Would its very implausibility induce people to click?
Because how could anything so odd be bad?
Or are they trying to weed out the wary and concentrate their efforts on the gullible?
If it's the latter, then we have a pro tip for them.
Put in the email that Mr. Snowden
had become a Nigerian prince.
You're welcome.
And I'm pleased to be joined once again by Zulfikar Ramzan. He's the Chief Technology
Officer at RSA. They're a Dell Technologies business. Zulfikar, welcome back. We wanted
to touch on the blockchain today. Obviously, lots of hype about blockchain and Bitcoin and all that sort
of stuff. You wanted to make the point, though, be careful about hype versus reality.
That's right. I think blockchain has become the new AI, if you will. In 2017,
that was the buzzword du jour. It's continued in 2018, obviously driven by this erratic price
fluctuation of Bitcoin and people really trying to jump on the Bitcoin bandwagon, if you will. But to me, I think the interesting point is when you look at blockchain
in isolation of Bitcoin, there are some fundamental assumptions about what's required to make
blockchain work correctly. So, for example, when you look at something like Bitcoin, part of
the security analysis of Bitcoin involves the idea that if people were trying to game the system, if
people tried to do things that would somehow interfere with the way Bitcoin operates,
that same effort could then be used to legitimately mine Bitcoin. So there's an
incentive economically for people to essentially abide by the rules. When you start looking at
applications of blockchain that are outside of Bitcoin, some of those same financial incentives
or economic incentives no longer apply.
And on top of that, I think there's also an element where people don't look at all the
assumptions around which blockchain is successful.
So for example, blockchain is designed for more decentralized and distributed environments
where there may be no single point of trust.
If you start to look at problems that involve maybe a single point of trust or that are
centralized, there may be better solutions out there than using blockchain-based technologies.
And I think what is happening is when there's a new concept out there, a new buzzword in the IT lexicon, people rush to the shiny new object without considering whether there are simpler ways to solve those same problems.
Yeah, absolutely.
I mean, I think when we come to trade shows and so forth, you can look around and see what is the flavor of the month this year. And I think you're right,
a blockchain is certainly hot right now. And I think there's a lot of people sort of capitalizing
over the fact that it can be complicated and hard to understand. Right. To me, it reminds me of what
happened a number of years ago when you looked at the whole financial meltdown on Wall Street,
where people were essentially investing in these complicated derivative instruments, things like mortgage-backed
securities, without fully understanding the underlying mathematics, without fully understanding
all the assumptions that were required to make those equations and those types of instruments
reliable. And I think everybody who knew the math understood that there were fundamental
assumptions being made in derivatives that were maybe not that valid in real life around things like the independence of people's default rates
happening at the same time. And so I think when you look at something like blockchain,
I think we're in a similar situation where people have gotten so caught up in this whole Bitcoin
concept that very few people, I think, really understand how Bitcoin works underneath.
And I get worried that people are going to overinvest in these areas without a true understanding.
And we're going to see another bubble that's going to completely deflate.
And I think it could hurt a lot of people.
I mean, hearing stories about people who are literally taking out second mortgages on their homes or using, you know, instead of paying back their loans or taking out credit card debt just to invest in Bitcoin.
And so there's a lot of people out there who I think could be negatively impacted by a bubble bursting in this area. Yeah. So buyer beware. Zulfikar Ramzan,
thanks again for joining us. My pleasure.
My guest today is Jack Rhysider.
He's been a network security engineer for the past decade or so, doing blue team work, securing firewalls, and threat hunting in a SOC.
But he came to our attention as the host of the Darknet Diaries podcast.
In this episode, we're going to hear a story from Jayson E. Street.
What's up?
Jason is one of those guys that has endless stories of incredible things that have happened to him.
He's also a Diet Pepsi addict. When you talk to him, you hear him say random things like,
It's never drinking the Diet Pepsi that gets me. It's usually trying to get rid of the Diet Pepsi
that gets me. I almost died peeing off a cliff in Bulgaria. While I was talking to him, I was
kind of curious to hear the backstory of all these little footnotes that he was throwing at me.
But it didn't take long before I heard him say something that I just had to hear the whole story. I accidentally robbed the wrong
bank the last time I was in Beirut. Jason started out in law enforcement, but for almost the last
20 years, he's been working in InfoSec. He's done considerable work defending the network,
but he's also done numerous penetration tests. One of his favorite things to do is what he calls security awareness engagement. He's hired by
companies to test the physical security of a place. For instance, it shouldn't be possible
for a guy to just walk off the street, walk right into an office, walk directly past reception,
sit down at a random computer, and do work, and then walk out. He should be stopped,
right? The door should be locked, reception should not let him pass, and the computer should be
locked, and then someone should notice that he shouldn't be there. This is what should stop him,
but companies hire Jason to actually test if this kind of thing is possible.
When I do these engagements, they're not red team engagements, they're not pen testing,
they're literally security awareness engagements. I don't mind getting caught. And if I don't get caught, I try to get caught by the end of the engagement
because I'm trying to teach the employees how to be better. Makes you want to hear the rest, right?
Yeah, me too. Here's my conversation with Jack Rhysider. I'm kind of scratching my own itch with this whole podcast.
There was a talk I heard a few years ago about Heartbleed, the OpenSSL vulnerability,
and they gave a lot of follow-up to that. Like they said, there was a fork with LibreSSL,
and then there was some additional funding that got added to OpenSSL, and there were all these extra bits of details after the vulnerability was
disclosed that we didn't hear. It didn't hit our news cycles. And I started to realize I'm missing
like the whole aftermath of a lot of breaches and vulnerabilities. And so I wanted to do kind
of a deep dive in a lot of big vulnerabilities and breaches that I've heard of in the past to hear
what happened to the hackers. Did they get arrested? Were they ever caught? And all these things. So I wanted to know more about some of these breaches. Instead of being
at this breakneck speed of the latest, greatest news, I kind of wanted a slow roll of give it to
me in its entirety. That was one of the things. But then also attending all these security
conferences and hearing all these amazing security stories from people,
I feel like some of that stuff should also show up.
So it's not just like documentary style topics of a breach,
but sometimes it's just a single person's story of what they had, an InfoSec story they have.
And your storytelling style is noteworthy.
I personally enjoy it.
You have a mix of music and sound effects and so forth.
Did you have any particular inspirations there? So after getting the idea, it took me a couple
years before actually making the first episode. And it was because I really wanted to have that
great storytelling feeling. So I spent a lot of time researching things like how does Pixar tell
a good story and how does NPR tell great stories?
And I did a lot of research on storytelling just to really try to get that feeling out of suspense and high stakes and resolution and all these things that go into a great story.
So it was a lot of work, but I'm still learning.
You're a dozen shows into it as we record here and you publish every other week or
so. What have you learned along the way in terms of sticking to a schedule and the challenges of
making these sorts of stories? Yeah, it's really hard. I'm the only person who makes it. So I've
got to do all the research, find the guests, do the writing. And I script out the entire thing
and then, of course, add some music and get it all edited.
And that's a big challenge.
And I barely make it under the wire every two weeks.
I really wanted to get ahead over the holiday break, but I didn't get a chance.
So it's just going at breakneck speed here.
And I've got a full-time job, so it's really hard to keep up.
But somehow by miracles, I keep making one every two weeks.
Let's talk a little bit about your background. You work in security?
Yep. So I've been, I would say, a firewall administrator for the last 10 years,
writing the rules for the IPS units and firewalls. And I do that for an MSSP. But recently,
we've been trying to get a SOC together at this MSSP. And so that's something
I've been working on too, is designing the SOC and building it out and training the SOC
analysts and building a SIEM and all that kind of thing. And so once I started doing the SOC stuff
is when I really started digging into threat intelligence and red teaming and blue team.
And I got really, really deep into security once I started working in the SOC.
And so why do you think it's important
to be sharing these stories with the rest of the community?
I feel like when we meet other InfoSec people,
we probably have the same question,
but we just don't talk about it.
And it's because we're under an NDA
or we work for the government or something,
so we really can't share our problems.
It's just too highly classified and secret.
And so I really think that that's a problem.
I think we should be sharing our problems
so that I can hear what it is that you faced
and how you solve that
so that I can try solving it in a similar manner.
So I think it's really good to share it.
And another thing about my podcast
is I try to make it reachable to more of a general audience
and not just people who are super deep into InfoSec.
And so when they hear about how easy it is to social engineer something or how dangerous
it is to leave your Bitcoins on an exchange, that reaches a whole new audience that sometimes
doesn't go outside of our bubble.
The other thing is that this seems to be the topic wherever I go. I go to a family meeting, I meet my neighbors, they're always talking about InfoSec
and the latest breaches and Equifax hack, whatever it is. And I'm like, even the most common people
are talking about security today. So I think they're also interested in to hear how these
hacks take place and is it hard or easy to defend or what are all the nuances behind it?
And how do you categorize yourself? Do you consider yourself a journalist or a storyteller?
I don't know. I struggle with that. I think I'm just a presenter, maybe a speaker. And just the
same way you would hear somebody talk at a conference, they prepare their slides, they do
some research and they show you what it is that they've been working on. And I feel like I'm the same kind of way. But you're right,
it does lend into the journalist world, because I am digging deep into maybe 20-year-old stories
that I have to dig out of archive.org, because they're all completely gone, to find the
information that I want to share. So there is a lot of journalistic work that I have to do.
Yeah, it's hard.
I don't really describe myself in any one of those roles.
I think it's a little bit of all of them.
Yeah, well, it's good stuff.
I recommend everybody check out Darknet Diaries.
Jack, thanks for joining us.
Thank you so much.
This has been a real pleasure, and I really appreciate your show.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly
evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of
DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett
Thanks for listening.
We'll see you back here tomorrow.