A new version of the Vulnerabilities Equities Process (VEP) is out.
On Wednesday the White House released guidelines on how the US Government will henceforth manage the Vulnerability Equities Process (VEP), the system that governs when software vulnerabilities discovered by the Government (mostly Intelligence agencies) will be disclosed and when they'll be held for use in intelligence collection or cyber operations (White House Fact Sheet). White House Cybersecurity Coordinator Rob Joyce explained the move in a blog post as "the right thing to do" (White House). The new process is designed to achieve: (1) "Improved transparency is critical." (2) "The interests of all stakeholders must be fairly represented." (3) "Accountability of the process and those who operate it is important to establish confidence in those served by it." (4) "Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate."
Reactions generally regarded welcomed the announcement as a step toward transparency (ZDNet). The Mozilla Foundation likes it, seeing it as consistent with the PATCH Act (Open Policy and Advocacy). The Information Technology and Innovation Foundation (ITIF) also approves (Public). The Council on Foreign Relations give the VEP a sober "Pass" (CFR).
A Recorded Future study of China's vulnerability disclosure practices presents an instructive contrast: security agencies there call the shots.
A mole hunt at Fort Meade?
NSA may be in the midst of a mole hunt as it works on the apparent leaks coming from the Shadow Brokers (CyberX). The first person taken up in the course of the investigation (still publicly unknown) was apparently fingered in 2016, shortly before the Shadow Brokers began releasing material they say they obtained from NSA. Two other persons charged with mishandling classified material, Hal Martin and Reality Winner, are awaiting trial (New York Times).
That long piece on the Shadow Brokers the New York Times published last weekend is still drawing much comment. Observers tend to make several points. First, the leaks that have reached the world through the Shadow Brokers cast doubt on any organization's ability to safeguard sensitive information. Second, every enterprise should bring its patches, especially patches for mobile devices, up to date, as many fear a wave of mobile system hacking. Finally, suspicion centers on Russian intelligence services or some unidentified group of disgruntled insiders.
Some pundits ask, if the Shadow Brokers were indeed run by Russian intelligence services, why would they have leaked NSA tools to the world? Wouldn't they simply have used them, quietly, against American targets? Some cite this as grounds for thinking that the Brokers aren't really the Russians at all, but some rogue insider group. CBS this Morning last Monday interviewed their in-house national security expert Michael Morell, a former acting Director of Central Intelligence, who said he's not so sure. "If Russia had access to NSA in terms of cyber, internet access, or in terms of an insider, why would they go public and give that up? I tend to think this is either a disgruntled insider or an outside group."
That's possible: intelligence services everywhere are sensitive about revealing "sources and methods"—indeed, their wariness about doing so is a common and inevitable source of frustration for the operators who are their customers. But there are at least three other points worth making.
First, releasing tools that came, rightly or wrongly, to be generally attributed to NSA, was a hard shot at the agency's reputation. An article in Esquire this week has the sophomoric but representative title "The NSA: Still [Effing] Up," a bad rap for the premier American SIGINT shop, the biggest Eye of all Five Eyes. But don't just take it from Esquire, take it from Sputnik, too: the Russian news outlet primly said Monday that "The NSA was dealt a severe blow by a massive infiltration that resulted in the theft of cyber-weapons, by unidentified hackers, calling into question its value to US national security."
Touching as anyone would find Sputnik's concern for good government and US national security, it's not a good look for Fort Meade (Atlantic). So reputational damage hurts an intelligence agency as much as it hurts, say, a credit bureau or a telecom company. Maybe it hurts even more, especially when legal authorities like Section 702 are under Congressional review. Section 702 gives NSA authority to intercept foreign signals, subject to oversight by the FISA court. This authority is widely regarded within the US Intelligence Community as essential to the IC's ability to do its job (Nextgov). Section 702 skeptics see the law as a threat to privacy and domestic civil liberties, and hope for its sunset at the end of this year. (Bloomberg sees an assault on privacy that promises to become "Hobbesian": a war of all against all.) Such damage obviously works to the advantage of nation-state adversaries, who have their own reasons for disliking Section 702.
Second, mole hunts are always disruptive. The most famous one is the still controversial chase that tore through the CIA during the later tenure of Langley's legendary counterintelligence chief, James Jesus Angleton. A mole hunt at Fort Meade, with the attendant mistrust, suspicion, and fear it could engender, would also likewise work to the advantage of a nation-state adversary. The leaker or leakers could, for all anyone knows, still work at NSA. So should everyone in Central Maryland, between say Columbia and Annapolis Junction, now be looking warily over their shoulder? A change in, or restoration of, an institutional culture may well be necessary, but such a process is inevitably painful in the short term (Bloomberg).
Third, it's worth noting that the Shadow Brokers started to sell, or more accurately dump, their material in August of 2016. This is some months after an as yet publicly unnamed NSA worker was found to have highly sensitive material on a compromised laptop. Kaspersky released results of an internal investigation this week that found the device in question to have been compromised by malware, including a backdoor Trojan (Dark Reading).If a foreign intelligence service became aware that their operation had been blown, that would change its calculus about sources and methods, possibly tipping the balance in favor of disclosure (Naked Security). If you'd had an in at NSA, but had it no longer because NSA was wise to you, why not go for the confusion and reputational damage a dump would bring?
Influence operations in Spain and the UK.
The Spanish government has warned the EU that it's detected extensive online meddling in Catalan affairs. The information operations emanate, Madrid says, from Moscow, and their aim is the familiar one of sowing discord, mistrust, and confusion (Deutsche Welle).
Officials in the UK were not circumspect in attributing Brexit and Bremain trolling to Russia. Ciaran Martin, who directs the National Cyber Security Centre (NCSC) said Wednesday, "Russia is seeking to undermine the international system. That much is clear." Martin called out "attacks" on the media, telecommunications, energy sectors (Security Week). The potential for an attack on the power grid is of course a major concern. The Verdict speculates about what such an assault would look like.
Russian influence operations didn't begin with President Putin. They aren't expected to end with him, either, however much international adversaries might prepare for the inevitable post-Putin Russia (Defense News).
Propaganda failure?
Last week the Russian Ministry of Defense published images and commentary which it claimed showed the US providing air cover to ISIS in Syria. The larger claim is that the US is playing a double game, and is complicit with Islamist terrorism. Implausible on the face of it, the MoD's claim was quite specific, claiming to show US coverage of an ISIS convoy fleeing the Syrian town of Abu Kamal on November 9th. But, as Bellingcat pointed out, the screenshot displayed was in fact captured from the video game AC-130 Gunship Simulator: Special Ops Squadron (Military Times).This was probably a goof, since the Russian MoD took the story down soon after exposure, but one wonders: Who's the audience? Are they likely to buy it anyway, at least for awhile? If your audience is gullible and their attention span short, AC-130 Gunship Simulator: Special Ops Squadron is good enough for the checkout line tabloid market.
Open source (intelligence, not software).
Hard to handle, but one ignores it at one's peril, open source intelligence uses freely available, unclassified sources of information to derive highly useful, actionable intelligence (CipherBrief). OSINT often runs afoul of a common temptation managers succumb to: mistaking cost for value.
Amazon's smart key is vulnerable.
Early adopters who decided to install the Amazon Key, a cyber-physical system that would let delivery personnel enter their house to leave packages must now wait for Amazon to patch the system. It's been found vulnerable to compromise amounting to an almost open door, at least for tech-savvy burglars and stalkers. A patch is expected very soon (Wired). Many will no doubt choose the just-leave-it-on-the-doorstep option (Computing).
AWS S3 buckets continue to be misconfigured.
The data that the Australian Broadcasting Corporation left exposed (two buckets with some 1800 daily MySQL backups—see Infosecurity Magazine), add another incident. UpGuard blogged Friday that it discovered some 1.8 billion social media posts scraped and stored, apparently on behalf of US Central Command by a company so far known as "Vendor X" (Ars Technica).
Patch news.
Microsoft patched a large number of vulnerabilities this week. Many of the fixes address abuse of Dynamic Data Exchange (Security Week). One patch fixes a buffer overflow issue that's been quietly present in Office's Equation Editor since 2000 (Security Week). Adobe also patched: some eighty flaws in nine products (Security Week).
On Wednesday Cisco patched a bug affecting twelve products that use the Cisco Voice Operating System platform. The flaw could enable an attacker to gain root access to affected systems (Threatpost).
Mozilla upgraded Firefox to version 57 (Naked Security). Google told app developers it will crack down on Android apps that abuse Accessibility services (Help Net Security).
Apple has fixed the iPhone X's cold weather input bug (Ars Technica).
Oracle fixed vulnerabilities in the PeopleSoft app server. The "Joltandbleed" memory leak was particularly troubling (Ars Technica).
The long arm of the GDPR.
There are concerns that worries over exposure to shared liability under GDPR may induce cloud providers to shed customers they think might put them at risk (Computing). It will indeed be difficult for any company anywhere in the world to operate outside the reach of the GDPR. If you control or process data belonging to an EU citizen, you will be affected by the regulation (Information Management). Most enterprises feel themselves unprepared for GDPR, and some security experts see the regulations as the entering wedge of a new form of data loss (Computing).
US DHS, FBI warn of North Korean malware.
The US Department of Homeland Security and the FBI jointly warned of two North Korean malware campaigns active in the wild, both attributed to "Hidden Cobra," better known as the Lazarus Group. The two strains of malware are FALLCHILL and Volgmer; both appear to be espionage tools (FCW).
Some observers think the activity foreshadows a serious effort by the DPRK to wage cyberwar on a large scale (eWeek). A researcher for Team T5 and HITCONGIRLS presented an overview of Pyongyang's tactics, techniques, and procedures (eWeek).
State-sponsored hacking as the C-suite's Get-Out-of-Jail-Free card?
Tenable's CEO Amit Yoran thinks attempts to blame state-sponsored espionage services for major data breaches are likely to be a lot of self-serving hooey (Washington Business Journal). He's got, for the most part, former Yahoo! CEO Marissa Meyer's testimony before Congress in mind. She told the Senate panel that, in her view Yahoo! was breached by a foreign intelligence agency. The implication, of course, is that any company would be helpless in the face of (here fill in the blank with your favorite foreign intelligence service). Yoran argues that it's important not to lose sight of this: "In a vast supermajority of breaches, the victims were ultimately compromised by the seemingly simple things. Equifax’s catastrophic breach occurred because they failed to identify and patch a known vulnerability in their Apache Struts implementation for which updates and workarounds were available" (Tenable).
Thinking about gifts that won't keep on giving the wrong stuff?
That's right: there are only four non-shopping days 'till Black Friday. Grim, huh? So what are the riskiest gifts out there? McAfee has a helpful list of, not quite the most dangerous gifts, but the kinds of gifts that are most likely to be exploited:
- Laptops, smartphones, and tablets. Traditional hacking fodder.
- Drones.
- Digital assistants, those things you talk to to answer questions, order stuff online, and so on. "Alexa, buy me a doll house. And please stop hanging out with Tay."
- Connected toys, where security can be an after-thought, and where privacy sometimes seems more bug than feature.
- Connected appliances, especially because of the way they can be herded into botnets.
And McAfee laments that too many of are too willing to bring home shiny but vulnerable presents. So shop happily, but be sensible when you actually bring the stuff home. (We know, we know, the last thing you want to do in the midst of holiday exhaustion is become the family's help desk, tech support, and sys admin all-in-one, but buck up and take sensible precautions. Remember, we're pulling for you. We're all in this together.)
If you're an online retailer, by the way, Credit Union Times has some advice on what you can do to stifle bot-driven credential theft.
Black market price lists.
A new study looks into the goods and services available in the dark web souks. Flashpoint examines the pricing for "Fullz" (complete dossiers of personally identifiable information useful for a variety of fraudulent purposes), distributed denial-of-service attacks (DDoS-for-hire), exploit kits, Remote Desktop Protocol (RDP) servers, bank logs, passports, and, of course, paycard data (Flashpoint).
Industry notes.
ThreatQuotient picks up a significant funding round: $30 million from various investors, one of whom is Cisco, thought to be a potential suitor in an eventual acquisition (Washington Business Journal). Cisco's recent wave of acquisitions prompts that speculation (SDX Central). Logz.io on Wednesday announced $23 million in Series C funding (Logz.io). IoT security shop ReFirm Labs has receiving initial funding in the amount of $1.5 million from DataTribe (GlobeNewswire). In a play to integrate physical and cyber security offerings, ADT has acquired Datashield, intending to cross-sell the two kinds of service (ZDNet).
Barracuda has acquired privately-held Sonian, a provider of "public cloud archiving and business insights" (PRNewswire).
Qualcomm tells Broadcom thanks but no thanks: Broadcom's $130 billion offer "dramatically undervalues" Qualcomm (Computing).
K1 Investment Management is merging two compliance companies, Smarsh and Actiance (TechCrunch).
root9B Holdings, as expected, has announced that it will discontinue operations effective December 31, 2017 (KrebsOnSecurity). Its stock was delisted from NASDAQ this week (PRNewswire).
The financial sector's regular Quantum Dawn cyber exercise concluded a week ago (Security Week).