CyberWire Daily - WikiLeaks and Vault 7
Episode Date: March 8, 2017
In today's podcast we talk over the latest news, rumors, gossip, and common sense surrounding WikiLeaks and its Vault 7 dump of hacking tools and other spy stuff. And wait a minute, do angels really ...weep? After all, they're supposed to be pure intelligence. But you came here for the hacking, not the angelology, and there's a lot of stuff dancing around in Vault 7. Research Scientist Jim Walter from Cylance weighs in with his take. Some people even see dancing Bears, but we think they're seeing things. Dale Drew from Level 3 Communications tracks changes they're seeing in DDoS attacks. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
It's all WikiLeaks all the time, we're afraid.
So batten down your smart TV, stop hyperventilating, if you're the excitable kind,
and listen to reports and speculation about the latest from Mr. Assange.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, March 8, 2017.
The news today continues to be all about WikiLeaks and its Vault 7 document dump, which purports to contain CIA cyber espionage documents, plans, and exploits.
WikiLeaks, the organization led by gadfly Julian Assange from his refuge inside Ecuador's London embassy,
has issued a self-congratulatory press release about Vault 7,
saying that it's now got the majority of the CIA's hacking arsenal,
including malware, viruses, Trojans, weaponized zero-day exploits, malware remote control systems,
and associated documentation. This, of course, is a large claim. Most of the people in a position
to assess the plausibility of WikiLeaks' claim think initially that the material was probably
really obtained from the CIA. Among those who've offered their opinion is, as you'd expect,
Edward Snowden, who said from his Moscow perch that it looks like the real goods.
How that material was obtained is so far unknown, WikiLeaks won't be telling,
and U.S. counterintelligence and criminal investigations will take some time to sort out what happened.
Some 930 megabytes of data, or roughly 900 documents if you prefer to count them that way,
are said to be in Vault 7.
The targets among them include Android, iOS, macOS, Windows, Linux,
and a variety of Internet of Things families.
Some observers are struck by the prominence of iOS hacks in the dump.
Apple has said that most of the vulnerabilities Vault 7 indicates were exploitable
had already been patched by the time WikiLeaks revealed them.
Assuming that the leaked material is legitimate,
several speculative conclusions suggest themselves.
First, it's unsurprising, despite the screamer headlines,
that the CIA uses cyber espionage tools in its intelligence collection.
It's also unsurprising that it cooperates with intelligence services in the other Five Eyes, the United Kingdom, Australia, Canada, and New Zealand.
The documents do suggest a great many devices have been and can be hacked,
and some in the security industry express concern that criminals will be able to exploit the revelations.
But they don't appear to show the sort of global skeleton key into every encrypted system
that some hasty reporting has claimed.
The Intercept, not a publication to cut the US intelligence community much slack, points
out that the documents don't show that secure messaging apps have had their encryption broken,
but rather that smartphones can have spyware and keyloggers installed on them,
which isn't quite as alarming, or at least quite so novel.
There's also less than meets the eye in some of the more spectacular hacks the dump claims to reveal.
Graham Cluley offers some useful perspective on his blog.
Weeping Angel, for example, named after a Doctor Who character, has excited a lot of alarm because, well, who wants their Samsung smart TV spying on them?
But Weeping Angel is installed from a USB drive, not remotely, and not apparently in
the factory or elsewhere in the supply chain.
If you've got a Weeping Angel in your TV, presumably you've also had a CIA bagman in
your rec room to install it.
Ars Technica, in a sauce-for-the-gander-ish mood, reviews CIA's eye-rolling over their
NSA sisters' Equation Group mess. The material in WikiLeaks' Vault 7 does suggest that the CIA
has significant cyber espionage capability, possibly more than most would have suspected,
given that NSA is typically regarded as the lead U.S. cyber intelligence agency.
Needless to say, researchers across the security industry are sifting through the Vault 7
documents.
One of them is Jim Walter, senior research scientist with Cylance.
One of the interesting parts specifically is some of the examples that they're citing or utilizing for some of the malware implantation
or examples of techniques used by known malware that they're sort of embracing with some of their own tools and technologies.
So, you know, there's certain things that sort of stand out like that as we comb through the material.
We, like most others, are still sort of digging through it to find those interesting bits. So does having this list of techniques available now, does having that
information itself represent any sort of new threat? I wouldn't say. So I think there's a lot
in here that, you know, again, a lot of things that are covered in here technically are, you know,
also seen in, you know, known in the wild malware families already.
Some of the information is directly pulled from already known and familiar malware families.
There's very limited, if any, quote, new information. Also, a lot of it has been
redacted or removed as well. So this is not by any stretch a complete leak. And there are obvious,
you know, sections where some of the juiciest or sexiest details have purposely been removed.
I think, you know, to the general public, the reporting that's been out there is sort of
focused on this notion that, you know, perhaps my television is spying on me. You know, for the
people out there who are seeing those reports,
what advice would you have for them? Well, you know, it's definitely good to be aware of the
technologies that are in your home and in your surroundings and what, you know, surveilling
capabilities of those technologies may or may not be. You know, chances are, you know, most of the
average folks are not necessarily going to be targets of
the tools that are outlined in these documents. Having said that, the heightened awareness is
always a positive thing. So being aware of it is good. Knowing how to take control of it is good.
But put it in context of your day-to-day life and try to talk yourself down a bit if you're not a likely target of these operations.
That's Jim Walter from Cylance.
How the material exited the CIA is so far unknown, but tracking down the leak or leaks will keep investigators employed for some time.
The serious security failure also represents the first crisis for
the new Director of Central Intelligence. So welcome to Langley, Mr. Pompeo. Among the problems
he'll have to deal with, in addition to the obvious counterintelligence ones, is the plausibility Vault
7 is now lending to those who wish to maintain that Cozy Bear and Fancy Bear were really just
CIA provocations all the time.
The section of the vault that has given rise to those specious and probably too-good-to-be-true aha moments is one called Umbrage,
which details how the agency could run false flag operations.
Another problem the CIA, the U.S. intelligence community,
and the U.S. security and IT sectors as a whole will have to deal with
is the suspicion the dump will arouse about Silicon Valley's products in general.
Julian Assange, by the way, says he's under cyber attack, and he may well be.
We'll have more reactions to Vault 7 over the course of the week.
You'll find links to non-WikiLeaks news in today's CyberWire Daily News Briefing.
Do go and read about phishing at the Securities and Exchange Commission,
various arrests and court settlements, and cyber policy moves in China, Australia, Canada, India, and elsewhere.
Taking a quick look at our events calendar, here are three events worthy of your consideration.
Booz Allen is holding a recruiting event in Tyson's Corner, Virginia, on March 15th.
They invite innovators, designers, and coders to attend.
On March 20th, the security community will reconvene
at its Jailbreak watering hole,
a physical watering hole, not the bad hacking kind,
in Laurel, Maryland, to talk with Novetta
about Ethereum and graph databases.
And on March 22nd, you can join ThreatConnect for a webinar
on finding what size threat intelligence fits
your enterprise. You'll find links to all of these in our event tracker.
Finally, to return to Weeping Angel, we'd like to reassure one of our stringers,
a notorious Luddite and tightwad who's convinced Lovey Howell was looking at him funny as he
watched Gilligan's Island reruns on Antenna TV a while back. This is the sort who keeps two TVs,
one with broken sound, one with broken picture,
so the shows can be watched.
First of all, Weeping Angel only works on smart TVs,
so your cathode ray tube model is probably safe.
Second of all, Lovey always looks at people funny.
You would too if you were married to Thurston Howell III.
...solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking
and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24
only on Disney+.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Joining me once again is Dale Drew.
He's the Chief Security Officer
at Level 3 Communications.
Dale, welcome back.
You wanted to tell us today about some changes
that you all are seeing when it comes to DDoS.
You know, it's interesting.
We're seeing the bad guys actively modify their tactics
and how they're extorting
and how they're attacking sites using DDoS.
And so volume-based attacks are so yesterday.
They're so last week.
So a lot of bad guys are beginning to migrate to sort of three new attack techniques, some of them very emerging and some of them getting a lot of maturity in a very short time frame.
So for the gaming industry, we're seeing attacks called microburst attacks, and it's pretty specific to the gaming or financial industries.
These are attacks that are about 10 seconds to 30 seconds in length. So most of the DDoS scrubbing
capability, most of the DDoS scrubbing infrastructure that is set to analyze attacks and set to
help cache large volumetric attacks can't handle a very quick microburst attack, but it's enough to reset
gaming sessions. And so if a bad guy does that enough, gaming consumers will stop using the game
and go to another game that's more stable. I see. Wow. They're seeing they have a lot of
effect and impact. The other one is, you know, this is a bit of an evolution of a pre-existing attack, but it's more application-related attacks.
And this is where we're seeing bad guys do a tremendous amount of research in the application environment of their target, mostly on the Fortune 1000 side where they believe they can get a bit more extortion revenue out of that target. But they're really analyzing the weaknesses in their target application portfolio
and then custom writing attacks
that are specific to that application portfolio.
So these are attacks that are going after
being able to consume resources
and capability of the applications
that take away resources from legitimate users,
whether it's database queries,
whether it's encryption attacks,
whether it's form posting attacks, but things that are much more sort of customized toward
their victim. And then the last one is we're seeing a lot of attacks that are volumetric,
but with regards to IP addresses, and this is mostly an Internet of Things attack like a BASHLITE or Mirai. A lot of ISPs, as an example, and
a lot of scrubbing capabilities are scaled to handle thousands of IP addresses or even tens
of thousands of IP addresses, but not hundreds of thousands and definitely not millions. So we're
seeing where bad guys are coming from a significant number of sources. And that is overwhelming the capability of these infrastructures to be able to even build a list big enough to be able to
prevent all the IP addresses coming and hitting the platform.
So the arms race continues. Dale Drew, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
...comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.