CyberWire Daily - US midterm election cybersecurity updates. PortSmash side-channel proof-of-concept. Botnets compete to cryptojack Android devices. And will the GRU get its "R" back?
Episode Date: November 5, 2018

In today's podcast, we note that US midterm elections end tomorrow evening, with officials on high alert for election hacking. Russia sends poll watchers to the US to make sure democratic norms are observed. Side-channel attack proof-of-concept announced for CPUs, but risk seems relatively low. Botnets are fighting over Android devices for cryptojacking power. And Russia's GU, né GRU? It looks like it's going to get its "R" back. Rick Howard from Palo Alto Networks with thoughts on DevOps and the future of orchestration. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_05.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
U.S. midterm elections end tomorrow evening
with officials on high alert for election hacking.
Russia sends a poll watcher to the U.S. to make sure democratic norms are observed.
A side-channel attack proof-of-concept has been announced for CPUs,
but the risk seems relatively low.
Botnets are fighting over Android devices for crypto-jacking power.
And Russia's GU, or GRU?
Looks like it's going to get its R back.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 5th, 2018.
U.S. midterm elections will be held tomorrow.
With early voting having been in progress for some weeks, it may be more accurate to say that they will end tomorrow,
with polls closing around 8 o'clock p.m. local time.
There's been much concern about election security, but at the 11th hour, most of that concern has shifted from fear of direct manipulation of voting
or disruption of polling toward worries about voter suppression efforts
or other last-minute influence operations.
A flurry of reports suggest efforts to penetrate election-related databases,
but most of these have been in the context of state officials announcing their successful
defense against such penetration. And it's not clear that this isn't largely a matter of the
officials attending to the regular background of attempts to steal personal data.
The main adversary, of course, is Russia,
and state and federal officials in general say they're seeing lower levels of activity than they did in 2016.
The Department of Homeland Security is getting nice marks on its election security work from a normally tough senatorial audience.
Senator Warner, Democrat from Virginia and ranking member of the Senate Intelligence
Committee, told Face the Nation this week that, quote, I think we've made great progress,
particularly at the individual polling stations and with the tabulations of votes.
So I think people should vote with confidence, end quote.
He credits the Department of Homeland Security with a sound effort to coordinate cyber defenses with state and local election authorities.
The other aspect of election defense, of course, is deterrence.
U.S. Cyber Command, with unusual blood in its eye, is apparently ready to hit back hard at Russia if anything develops.
How it might do so is left unspecified, beyond administration suggestions that it will be
retaliation short of war, but that, of course, leaves a lot of room for retaliation. We hope
you don't have to do anything, Cybercom, but if you do, well, from all of us, good hunting.
The media and government chatter around the elections is interesting. The Washington Post, for example, quotes Homeland Security's Christopher Krebs as saying that the midterms are just the warm-up or the exhibition game.
It's like the undercard for the main event, which he thinks will be the 2020 election cycle.
In the general chatter, those who wish to expect the worst are watching for distributed denial-of-service attacks
or, if they're really expecting the worst, perhaps local power grid hacks.
Both could indeed disrupt polling, but it's worth noting that concerns about DDoS or grid hacking tomorrow
are mostly founded on a priori possibility.
One sidelight, there will be Russian election observers in the U.S.
so they can report back to the international community
on whether the Americans are holding free and open elections.
Members of the Russian Duma are in the country to report back
to the Parliamentary Assembly of the Organization for Security and Cooperation in Europe
because who's better equipped, after all, to recognize whether voting lives up to international democratic norms
than the officials of the United Russia Party
or the Communist Party of Russia, both of which are represented in the delegation.
It's a nice gesture, as if Mr. Putin were President Wilson
out to teach his sister republics to elect good men.
If you run across any Russian poll watchers tomorrow,
give them a hearty "Dobroye utro," good morning, and say welcome to America.
Adding "Nasha luchshe," ours is better, would be cheeky, so try to restrain yourself.
A team of academic researchers at Finland's Tampere University of Technology
and the Technical University of Havana
has reported a side-channel vulnerability, PortSmash,
in Intel CPUs that employ a simultaneous multi-threading architecture.
It doesn't appear that the risk is high.
The Register reports that Intel doesn't think it's worth patching,
but does note that it's unrelated to Meltdown or Spectre,
which were related to speculative execution.
They think it's not unique to Intel chips, and AMD is looking into whether its own devices
might be affected, and they think it's not so much a vulnerability as it is an expected-by-design
property.
So, according to Intel, the researchers' proof-of-concept exploit could be avoided by following sound, side-channel safe development practices.
Kevin Bocek, chief cybersecurity officer at Venafi, commented to us that processor vulnerabilities like PortSmash are a good reason to think harder about managing machine identities.
He thinks it wise to rotate the keys and certificates that identify machines.
He sees it as a hygienic measure, like changing passwords from time to time. He said, quote,
the reality is that most keys and certificates aren't changed often, and a surprising number
are never changed. These are the machine identities that are most at risk from PortSmash, end quote.
There's competition out there in bot land.
Cyware warns that two botnets, FBot and Trinity,
are competing to rope in Android devices.
FBot is a Satori variant.
Trinity is a version of ADB.Miner.
The goal of both botnets is cryptojacking, still a popular criminal ploy.
Finally, back on September 7th, we said, on the advice of our Foreign Intelligence Service desk,
that we didn't buy Russia's rebranding of the GRU as the GU, since that involved taking the
intelligence out of intelligence service. And our staff ventured to state that they were confident
President Putin himself probably
called the Military Intelligence Service GRU, at least privately and among friends and family.
So what do we see over the weekend? Late Friday, Bloomberg reported that Mr. Putin called for the
restoration of the missing R during a celebration of the GRU's 100th birthday. So, there you go. G-R-U.
Because there just ain't no disputing that old Vlad Putin. And we told you so.
If you cross paths with our Foreign Intelligence Service desk, by the way,
please don't congratulate them. They tend to get above themselves when they've called a shot.
Don't encourage them. They can be pretty insufferable.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Rick Howard.
He is the Chief Security Officer at Palo Alto Networks,
and he also leads Unit 42.
That's their Threat Intel team.
Rick, it's great to have you back.
You know, you and I have talked about DevOps and DevSecOps before, but today we want to touch on DevOps and the future of orchestration. What
do you got for us? Well, yeah, we have talked about this in the past, Dave, but for some of your
listeners who are not familiar, I always recommend two books from the Cybersecurity Canon Project to
get you started. And the first one is The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford.
It's a novel that is easy to read and will ease you into the philosophy of DevOps. So I recommend
that one highly. And the second book is called Site Reliability Engineering from the Google team,
Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard Murphy. Now, this is a technical
how-to manual from the Google
team that explains how they implemented DevOps and site reliability engineering some six years
before we even had a name for DevOps. So that said, I was talking with my CIO, Naveen Zutshi,
a couple of weeks ago about how Palo Alto Networks is pursuing the DevOps philosophy internally,
and I had an epiphany, and I love when I get those things. So for security professionals, there are two distinct and
parallel efforts going on in the community around the DevOps idea. Now, the first is the traditional
DevOps movement of automating not just the applications that the organization uses to run
the business, but also automating the infrastructure, everything from quality control to regression testing, to deployment, to health monitoring while in
production, and to automatically fixing ailing applications all in real time. That is the
traditional DevOps mandate. For cybersecurity professionals, DevSecOps is the process of
automating the deployment, monitoring, and maintenance of all the security tools that your organization deploys down the intrusion kill chain in the five big islands of data that we all have.
And they are behind the perimeter, in the data center, on our mobile devices, in our SaaS applications, and in our IaaS services.
We have known about this first effort, this first traditional DevOps movement
for a number of years now. It is why the movement to the cloud is so tantalizingly attractive.
If we do this right, we can get out of our way in relation to all those old and inefficient
legacy processes and procedures we currently have in place. The movement to the cloud is our
get out of jail free card, and we're using DevOps to get it done.
But the second parallel effort is where my epiphany came from. We are not only automating the traditional DevOps and DevSecOps stuff, we are also automating the manual procedures that
we have all been using in the SOC for the past decade. Out of all the innovation that has come
out of the cybersecurity industry in the last decade, the idea that we need butts in seats watching alerts on a screen has remained stubbornly entrenched.
That is beginning to change.
Most of the network defenders that I talk to have some project on the board where the goal is to eliminate all of the traditional SOC Tier 1 and Tier 2 tasks through automation so they can use their people to track down the Tier 3, my hair is on fire, incident response tasks. So we are making progress. With that in mind, I have two
recommendations. Okay. First, if you are just beginning your career in the cybersecurity
field, or you are somewhere in the middle, you might take on a personal improvement project to
learn how to code. When I started in the industry back when, you know, General Washington was just taking command of the Continental Army, coding was not a required skill. It was not necessary. But I predict
in 10 years, network defenders will be coders first and security professionals second. You can
make yourself invaluable right now today if you know how to code. So that's the first recommendation.
Second is, while you're taking this journey to the cloud
and learning how to be a DevSecOps practitioner,
make it easy on yourself.
Use the same security tools down the intrusion kill chain
on each of the big five data islands.
With DevSecOps, you are writing code
that will communicate to your deployed vendors' APIs.
Your journey will be a lot shorter
if you standardize on the same set of APIs on each data island,
as opposed to a different set of APIs for each.
That way lies madness.
There'll be dragons down that path, all right?
So that's my recommendation.
All right.
So just, I mean, keeping it simple,
taking out some of the complexity there.
Exactly.
Yeah.
All right, Rick Howard, thanks for joining us.
Thanks for having me.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, ...
... of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. ... insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.