In today's podcast we review the bidding over responsibility for the DNC hack—most observers still think signs point toward Moscow. Wikileaks promises more DNC documents to come. Suspicions revive that the Cyber Caliphate may be a false-flag operation and other notes on the difficulty of attribution. Dridex may be present in some SWIFT-related bank fraud. Angler seems gone for good (but replaced by other exploit kits). UK MPs suggest holding CEO's responsible for breaches by hitting their pay. Tanium and FireEye and their rejected suitors. DoJ responds to the Silk Road appeal. Jonathan Katz from the University of Maryland explains the Etherium/DAO cryptocurrency heist, and Ryan Stolte from Bay Dynamics share results from a report on board room engagement with cyber.
Dave Bittner: [00:00:03:18] Guccifer 2.0 or the Russians? Front groups, sock puppets, and false flags. US investigation into jihadist chatter surrounding the Orlando massacre proceeds cautiously. Dridex said to be present in networks hit by SWIFT-related bank fraud. Angler seems as gone for good as threats ever are in cyber space but it's got several successors. Boards' and CEOs' responsibilities for breaches. Notes on rejected M&A suitors. And the DOJ doesn't think much of the Silk Road appeal.
Dave Bittner: [00:00:37:15] I want to thank our sponsor E8 Security and remind you to visit E8security.com/dhr and check out their free White Paper, "Detect, Hunt, Respond," which will give you the information you need to deal with the unknown threats in your network, the threats no one has ever seen before. E8 is going beyond legacy signature matching and human watch standing. They're hunting these unknown threats with machine learning and big data analytics. See what E8 has to say. Download the free White Paper at E8security.com/dhr. We appreciate E8 for sponsoring the CyberWire. I hope you'll check it out.
Dave Bittner: [00:01:20:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 20th, 2016. The DNC hacker or hackers remains or remain elusive. Guccifer 2.0 released Democratic Party donor lists late last week, and also emails purporting to show long-standing DNC preference for the party's presumptive nominee. Like the earlier opposition research on the Republicans' presumptive nominee, none of this information is as surprising as some of the shocked, shocked reactions to the hack would have it. Wikileaks, whose Julian Assange is no friend of the presumptive Democratic nominee, says it's received more documents from the DNC compromise, and that these show how the primary process was manipulated. Whether that amounts to more than an expression of DNC preferences remains to be seen.
Dave Bittner: [00:02:07:03] Attribution remains controversial. Guccifer 2.0 has maintained that he or she or they is not the Russian government. There are clues in leaked material pointing to Russian speakers, but they aren't dispositive, and "Russian speaking" needn't mean the Russian government. There's a community of Russian-speakers about 15 miles south-southwest of us, for example, that has nothing to do with the Russian government. And our editor said loudly he'd bet a month's pay they've got nothing to do with this hack either. Some outlets have accepted at face value Guccifer 2.0's claims to be an independent, disinterested hacktivist, with the British magazine Computing going so far as characterize the episode as an embarrassment for CrowdStrike, the firm whose investigation fingered the Russian government. But CrowdStrike has been standing by its attribution of the attack to the probable work of the FSB and GRU. They note, as do others, that Guccifer 2.0 could easily be a false flag for the Russian intelligence services. And others have been commenting on the very long record of provocation by Russian security services, more than a century, extending through the Soviet era and back to the Tsars.
Dave Bittner: [00:03:12:14] An op-ed by Immunity CEO Dave Aitel running in Ars Technica bluntly dismisses the idea that a lone hacker breached the DNC as "not believable," and says, quote, "The DNC hack and dump is what the cyber war looks like," end quote. He argues that elections should be regarded as off-limits as much as critical infrastructure and says the episode should serve as a test case for how the US will respond to a cyber attack by a nation state. Some of these observers are arguing that the group operating as the Cyber Caliphate is also a Russian front group, although ISIS sympathizers calling to one another online and committing low-grade cyber vandalism would hardly seem to require or indeed use such support or coordination.
Dave Bittner: [00:03:57:00] Jihadist chatter surrounding the Orlando massacre remains under very cautious investigation in the US. The gunmen used Facebook during both the run-up to the shooting and during the massacre itself, which has drawn some criticism toward Facebook. Most observers regard this as unfair, noting that Facebook has long had a fairly effective policy against terrorist content in place, and pointing out the difficulty of interdicting such content in near-real time. The FBI has attracted similar criticism, and here observers have again drawn attention to the tension between surveillance and civil liberties. Transcripts of shooter Mateen's 911 calls are expected to be made public by the Justice Department later today, but US Attorney General Lynch has said they’ll be redacted to excise Mateen's "pledge of allegiance" to ISIS. The reason offered for the redaction is official US unwillingness to spread ISIS propaganda.
Dave Bittner: [00:04:47:19] The DAO, that's the Decentralized Anonymous Organization fund, has been attacked, and public blockchain platform Ethereum has lost some $50,000,000 in crypto currency. The funds that were drained, they’re called "ether" in the crypto currency subculture, can't be used for almost a month however and an attempted rollback will serve as a test case for blockchains' self-healing abilities. We caught up with the University of Maryland's Jonathan Katz this morning and asked him about this particular caper and technology behind blockchain. We'll hear from him after the break. While most speculation about the Bangladesh Bank hack and other SWIFT-linked fraud have centered on North Korean Lazarus Group code found in the affected systems, the presence of Dridex leads others to suspect Russian gang involvement.
Dave Bittner: [00:05:32:11] Elsewhere in cyber crime, after having vanished for a couple of weeks, the Angler exploit kit really does seem to have departed the scene. Malwarebytes has been reviewing what post-Angler cyber crime looks like. Neutrino is the number-one replacement, followed by RIG, Magnitude, and Sundown. Magnitude is being seen in what Malwarebytes sniffs are "low-quality" campaigns. Sundown, a newcomer and something of a dark horse, is appearing in malvertising campaigns.
Dave Bittner: [00:06:00:09] A Parliamentary committee in the UK that’s been looking into the Talk Talk hack and other incidents suggests that CEOs whose companies are hacked should have their pay docked, so Baroness Harding might well look to her purse. That boards and executives have become markedly more attentive to cyber security seems, however, beyond dispute. We spoke with Bay Dynamics founder and CTO Ryan Stolte about this issue, and he shared the results of Bay Dynamics' study of board involvement with cyber.
Ryan Stolte: [00:06:27:05] Board of directors are accountable for setting the risk appetite for an organization where senior directors will actually run the company and what was interesting is if you look at cyber risk in comparison to other types of risk like financial risk, regulatory risk, competitive risk and legal risk, cyber risk was rated actually a bigger concern for board of directors. And it was just slightly bigger than these, but these are the standard, you know, pillars of risk that any company faces. Financial risk is obviously of key importance but regulatory risk, legal risk, competitive etc. those are the things that'll, that'll make or break an organization. So to see that the board of directors is considering cyber risk at or above the level of concern of those other prominent risk factors or risk conversations was, was surprising to me and very positive and I think that the outcome of that is-- that was a major shift in the market out there and I think a critical shift in order for us to get ahead of the cyber security challenges that we face.
Ryan Stolte: [00:07:40:06] And I think that conversation has shifted from maybe it'll happen, I hope it doesn't happen to me, and we've transitioned into we're definitely under attack, we understand that and we need to provide great care for the cyber security challenge.
Dave Bittner: [00:07:57:13] The report also revealed that boards are demanding an ever increasing level of communication skills from their company's leadership.
Ryan Stolte: [00:08:03:02] 59% of the board members said that if we don't get high quality information from our cyber security leadership, they may be terminated and it's-- you now, the analogy that we'll make is, imagine if your, your chief financial officer walked into a boardroom and had inconsistent presentations, inconsistent numbers, they were incomplete or didn't make sense, they'd probably be walked straight out of the room. You want the means of communication, how the numbers are reported, to be consistent and understandable and tell a story. And if the cyber security leadership is not able to do that, more than half of them are saying that the cyber security leadership will lose their job.
Dave Bittner: [00:08:45:18] That's Ryan Stolte from Bay Dynamics. You can read the report on their website. In other industry news, CRN reports that much-admired unicorn Tanium rejected acquisition bids from both VMware and Palo Alto Networks. The Motley Fool looks at another company that turned down acquisition bids, FireEye, and says there were two rejected suitors, Symantec, they’re pretty sure about this one, and Cisco, less certain, but signs point toward San Jose. Symantec of course did purchase Blue Coat and industry observers continue to believe that acquisition an important one, especially in its implications for the cloud access security market. And finally, our day's summary of the news concludes with a look at crime and punishment. The US Department of Justice responded to convicted Silk Road boss Ross Ulbricht's appeal for a new trial by arguing his motion should be denied and that he should spend the rest of his days in jail. And police sweep up a cageful of online predators around Houston, Texas. So far none of them have offered the obvious defense, "I was framed. It was, of course, Guccifer 3.0."
Dave Bittner: [00:09:56:00] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:10:22:10] Joining me once again is Jonathan Katz. He's a professor of Computer Science at the University of Maryland and heads up the Maryland Cyber Security Center. Jonathan, news over the weekend broke that the Ethereum crypto currency lost about $500,000,000 in value over the weekend, after $60,000,000 worth of digital currency was stolen from DAO, a venture capital fund. What can you tell us about Ethereum?
Jonathan Katz: [00:10:46:02] Well, Ethereum you can think of as kind of a second-generation of Bitcoin, at a very high level. Bitcoin we know provides the blockchain which is a distributed mechanism for keeping track and keeping a record of all the transactions in the system, and again at a very high level, what Bitcoin allows is for people to send money from one person to another, send Bitcoins from one address to another. Uh, Ethereum takes that to another level. What Ethereum does is it allows essentially arbitrary code to be used to define when money is transferred from one person to another, and these are the smart contracts you mentioned. So just as an example, Ethereum would allow you to write a contract that would transfer money conditioned on a future event. So this is a very simple way of gambling. You could write a contract that would transfer money depending on, say, who won the NBA Finals and then after that event had occurred and it was determined who won, the contract itself would determine who gets the money from that, from that contract.
Dave Bittner: [00:11:45:16] So they set up this contract system and someone figures out a way to extract $60,000,000 from it. How did this come to pass?
Jonathan Katz: [00:11:52:06] Well, I guess it wasn't exactly the Ethereum system. What it was was a-- the thing called the DAO which you can think of as a distributed investment fund. So again these smart contracts are very powerful and what you can imagine if you have some sort of contract set up that allowed people to put money into a fund and then to collectively vote on what investments that fund should make and then to withdraw their money at any time if they wanted to. And what happened here is that the system, this investment fund as it were, kind of defined the rules of the system by the code itself. Whatever was allowed by the contract defining this distributed investment fund, is what's allowed in the system. And a smart person, a smart hacker, came along and was able to figure out a way to write a contract that allowed them to withdraw essentially more money than they put in and this caused the fund to lose a lot of money. They, they essentially stole money from the fund. And this is now causing quite an uproar within that community.
Jonathan Katz: [00:12:48:00] Usually we think of systems being defined by some English-language description or maybe a more formal legal description of what the system should do and then you try to write your code to capture the intent of the system and in this case, as you said, the prin-- the founders of this fund had these principles that, you know, what was allowed within the system is defined by the code itself. And because the code allowed this attack to take place, then by the rules of the system, it was okay and should be, and should be allowed. Of course, it doesn't go-- it doesn't follow the intent of the founders of the system and now they're trying to figure out whether, whether, and if so how, to recover from this attack.
Dave Bittner: [00:13:24:09] Alright, we'll keep an eye on it, Jonathan Katz, as always, thanks for helping us understand it.
Dave Bittner: [00:13:32:24] And that's the CyberWire. I want to remind everyone to go check out the Grumpy Old Geeks podcast where I made an appearance in their most recent show. Thanks to Jason and Brian for having me on. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
DETECT. HUNT. RESPOND. Your data + security analytics will help you prevent your next security incident. Find out how. E8 Security.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance.
New and emerging automotive technologies mean new cybersecurity challenges. Gain solutions and insights from over 20 cybersecurity thought leaders at the Billington Automotive Cybersecurity Summit. The Chairman and CEO of General Motors, Mary Barra, U.S. Transportation Secretary Anthony Foxx, CEO of General Dynamics, U.S. Senator Gary C. Peters and Lyft CEO and Co-Founder Logan Green join other cybersecurity experts to examine the rapidly evolving global automotive and mobility landscape and the cybersecurity issues and best practices surrounding these new technologies. Register here and use code CyberWire2016 for a 20% discount off the corporate rate.