In today’s podcast we hear some preliminary news about ISIS information operations as expressed in captured files. Hacktivists experience remorse and debate doxing ethics. We review the speculation about the DNC hack and note that another Democratic Party campaign organization may also have been compromised. State-sponsored hacking is driving enterprises to seek help from security companies. The University of Maryland's Jonathan Katz tells us about post-quantum encryption, and Daniel Ennis, former NTOC Director at NSA and currently Executive Director of the University of Maryland Global Initiative on Cyber, shares his thoughts on his time with the agency and the need for cooperation in cybersecurity by government, universities, and industry. Pokémon trainers are still going where they shouldn’t.
Dave Bittner: [00:00:03:15] US intelligence services sift captured ISIS files for insight into the terrorist group’s information operations. Hacktivists argue over the ethics of doxing; the contending moralists are Edward Snowden and Julian Assange. Investigation into the DNC hack continues, and a fresh investigation opens into the possible compromise of the Democratic Congressional Campaign Committee. North Korea seems to be after online shoppers, a lot of them, in South Korea. State-sponsored hacking is seen as driving the security market. And if you’re looking for a Pokémon to train, here’s some news you can use. In the course of your search, don’t climb the fence at Fort Meade.
Dave Bittner: [00:00:43:19] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence.
Dave Bittner: [00:01:00:23] Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection.
Dave Bittner: [00:01:20:08] Visit cylance.com to learn more about the next generation of anti-malware. And even better, if you're at Black Hat this year, swing by booth 1124 and chat with the Cylance people. Cylance, artificial intelligence, real threat prevention, and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:43:04] I'm Dave Bittner in Baltimore with your CyberWire daily podcast for Friday, July 29th, 2016.
Dave Bittner: [00:01:48:19] The US is sifting through a considerable volume of material on ISIS online activities. The Caliphate’s information operations have been largely devoted to inspiration and recruiting, particularly the exploitation of recorded murder as propaganda-of-the-deed. What can be learned from ISIS’ captured records will become clearer over coming weeks.
Dave Bittner: [00:02:08:10] In other respects, this has been a week of doxing, dominated, of course, by the release of material obtained from the US Democratic National Committee. The leaks brought down DNC Chair Debbie Wasserman Schultz, and prompted Republican nominee Donald Trump to suggest the Russians, presumably the people behind the hack, might release the emails Democratic nominee Hillary Clinton deleted from her private server after her tenure as Secretary of State ended.
Dave Bittner: [00:02:32:22] So all of this has prompted some soul-searching in the hacktivist community. The Internet Archive, with some hacktivist concurrence, took down files posted with a view to exposing alleged repression in Turkey, but it’s difficult to contain such information once it’s out. The files inducing some retrospective hacktivist regrets included a great deal of personal information about ordinary Turkish citizens. “Kind of everything went wrong,” one of the hacktivists involved told Motherboard.
Dave Bittner: [00:03:01:16] The emails WikiLeaks dumped from the Democratic National Committee also contained personal information, mostly about donors to the party. WikiLeaks regrets nothing, but some people nominally aligned with them do. Edward Snowden, for one, while approving of WikiLeaks' devotion to openness and transparency, thinks they shouldn’t be so resistant to “even modest curation.” WikiLeaks tweeted back, “Opportunism won't earn you a pardon from Clinton and curation is not censorship of ruling party cash flows,” and included, with some appearance of snark, a link to the Wikipedia article on “digital curation,” which defines it as “selection, preservation, maintenance, collection and archiving of digital assets.” We note, by the way, that Mr. Snowden is currently living in Russia.
Dave Bittner: [00:03:48:15] Reaction to this intramural hacktivist dispute has been mixed, some lining up with Snowden, others with WikiLeaks. Sympathy for the WikiLeaks position seems prompted mostly by the news that the FBI has opened another investigation, this into the hacking of the Democratic Congressional Campaign Committee. WikiLeaks sympathizers see criticism of the group as objectively aligned with opponents of transparency.
Dave Bittner: [00:04:11:09] The FBI is said to have warned the Clinton campaign of a possible compromise back in March, at about the same time the DNC realized someone was in its servers. Experts continue to point out that people should draw the lesson that encryption is worth the trouble.
Dave Bittner: [00:04:26:17] Did we mention that Edward Snowden is currently resident in Russia? This leads naturally to the question of who’s behind the WikiLeaks documents, and most observers, led by security companies CrowdStrike and FireEye, have concluded that Russian intelligence services, the FSB, also known as Cozy Bear, and the GRU, aka Fancy Bear, were responsible for the long-running compromise of DNC networks. They, then, would have been the ones providing the documents to WikiLeaks.
Dave Bittner: [00:04:54:22] This consensus, however, is not without its dissenters. Taia Global’s Jeffrey Carr, for one, points out the circumstantial quality of the evidence on display. Forensic evidence is usually circumstantial, however much of it may accumulate. Guccifer 2.0’s claims to be both responsible for the hacking and no kind of Russian at all, for example, were undermined in part by tags found in the leaked documents’ metadata, including the name, in Cyrillic, “Феликс Эдмундович”, the first name and patronymic of Felix Edmundovich Dzerzhinsky, founder of the Soviet security services under Lenin. Why, skeptics ask, would a spy tag files like that? This would be like the FBI tagging files used in a honeypot “J. Edgar.” Not impossible, but questionable tradecraft.
Dave Bittner: [00:05:42:00] Assuming that this persuasive but still partially unsettled attribution is correct, what could the motive have been? FireEye finds it interesting that a government is willing to make routine use of criminal channels and techniques. They also think it likely that Russia’s government wanted to be caught. They wanted to show that they could hack US targets with impunity. CrowdStrike isn’t buying this. What intelligence service, they ask in effect, wants to see an operation blown? And they think the Russians, the GRU in particular, got caught because they were clumsy.
Dave Bittner: [00:06:13:02] Other states seem unashamed to engage in cybercrime. North Korea, for example, is back in the news as South Korean investigators report that the DPRK has stolen some ten million online shopping credentials.
Dave Bittner: [00:06:26:24] There’s much discussion of a need for cooperation in cybersecurity by government, universities, and industry. We spoke with Daniel Ennis, former NTOC Director at NSA and currently Executive Director of the University of Maryland Global Initiative on Cyber. He joined us in our studio in Baltimore, and I started our conversation by asking him about his experience at NSA.
Dave Bittner: [00:06:49:04] So take us through the threat operation center. What is the mission of the center? What are they there to do?
Daniel Ennis: [00:06:53:19] Well the primary mission is to understand what is in the forward intelligence space, relative to cyber, and actually help the protection of US national security systems by translating that and working with elements across the NSA and across the US government, in providing information assurance and defensive insights that might help protect those systems.
Dave Bittner: [00:07:17:11] And who are you partnering with? Are your relationships with industry?
Daniel Ennis: [00:07:21:08] Well that's the cyber space that we all live in, the cyber context that we all live in. Principally working with the FBI and DHS because they have authorities to help in the United States context. But more importantly across a broader spectrum than that, working with the private sector, working with industry groups. Ultimately working with entities that have been penetrated and for whatever reason, the US government believes that we ought to help them.
Daniel Ennis: [00:07:54:00] At the end of the day when you start talking about cyber, while our principal role was to help protect national security systems, ultimately when you have threats against the financial sector, or other sectors, and NSA has relevance in that space, it's incumbent upon us to figure out how to help.
Dave Bittner: [00:08:15:07] When you look at the various threats that affect both the United States and on a global level, in your opinion, where does cyber rank? Where does it fit in?
Daniel Ennis: [00:08:25:12] Well first of all you have to look at the context that we're in the United States or the world, right? We live on a digital platform. The commerce and everything we do in the United States is on the internet. We as a nation are one of the most vulnerable to cyber attacks, to cyber intrusions, because we are so tied to the internet. I think that if I had to create a construct, I mean certainly counter terrorism and issues associated with terrorism take top priority because of the concern about physical threats to US persons and our allies.
Daniel Ennis: [00:09:01:22] Certainly counter proliferation, given the problems in that space, could create issues that we all would want to avoid. But I would put it right up there because of the cyber piece. I would put it right up there in parallel with those mission sets because we are so vulnerable as a country and it is such a part of our future.
Dave Bittner: [00:09:24:23] When you looked at our capabilities as a nation, in terms of defending ourselves, in terms of being able to handle these cyber threats, what were some of the areas where you thought this is an area where it's under control? Versus this is an area that might keep you up at night?
Daniel Ennis: [00:09:43:18] Well I mean again everything's relative, so I thought we had relative strength in the space at NSA and its primary role of protecting US Department of Defense systems and ultimately helping others in protection of the national security systems. That said, given the wide open nature of the internet, and given essentially how both the nation states and criminal elements have proffered and prospered in this space, I think we're massively vulnerable across all of the spectrum.
Daniel Ennis: [00:10:19:12] So I think that we have strength in our knowledge, we have strength in our capability. We even have strength in our knowledge as how we apply defensive measures to protect systems. But there's such a huge vulnerability and such huge gaps and we talk about zero-days being created every day, that make whatever element that you might refer to vulnerable, I think that in that space we just have a huge way ahead. A huge mountain to climb if we're going to actually secure systems.
Daniel Ennis: [00:10:52:04] It doesn't go unnoticed that our information assurance organization at NSA had come out with in many instances, "These are the top ten things you should do to protect yourself." But even in that space, most entities aren't even taking the most basic steps to do that. So it's not just that the vulnerability's there, it's that even when you represent that you understand how you could make yourself less vulnerable, how you can close off the possible vectors of attack that you might face, most people aren't doing it.
Dave Bittner: [00:11:26:09] So when people think of the NSA I think there's this popular, almost Hollywood version of what the NSA is and what they do. How do you think the public's perception of the NSA aligns with the reality of what the NSA actually does on a day-by-day basis?
Daniel Ennis: [00:11:41:18] Well I think you hit it. There's probably a Hollywood version. If I go to see a James Bond movie, I want to see bells and whistles. And I think in some instances, people want to see that. But obviously the reality's much different. I think there's also a part of this context that is some of the Snowden insights that were provided, which by the way, clearly I think he got a lot wrong. NSA's an incredibly technically proficient agency and I think what we would want them to know, and I'm retired, but I still love the place, is that they actually follow the rule of law.
Daniel Ennis: [00:12:23:02] That in fact they, at great pains, strive to follow the rule of law. We have an incredibly robust process, incredibly robust leadership whose job it is every day is to make sure that we are following that rule of law. I think if you checked with some of the civil libertarians that were a part of the review process after some of the Snowden information came out, they will tell you that if they had a surprise, it was just how much emphasis and how much pure process, they didn't say places on ensuring that they follow that rule of law.
Daniel Ennis: [00:13:02:11] I think that people would be surprised how much time and how much emphasis is actually spent on making sure that they get that right.
Dave Bittner: [00:13:08:17] Do you actually have a big dimly lit room that looks like NASA mission control with lots of big screens?
Daniel Ennis: [00:13:14:22] Yes, there actually is an ops floor. There's a couple of them. Yes you do have those places because there is a 24/7 mission. So any time you have a 24/7 mission you're going to have a room that actually is geared to that, and so people turn the lights down because it actually is a better working environment in that space, and you have the boards that people are looking at, and in some instances those are eye candy, but in some instances they actually provide relevance to people who are coming in and looking at the board.
Daniel Ennis: [00:13:44:02] But you have those rooms where people are working 24/7 and it does look like that sort of Star Wars type of op center.
Dave Bittner: [00:13:51:23] Daniel Ennis, thanks so much for joining us today.
Daniel Ennis: [00:13:54:11] OK thank you.
Dave Bittner: [00:13:56:03] That's Daniel Ennis, former NTOC director at NSA and currently executive director of the University of Maryland Global Initiative on Cyber. We'll have an extended version of my interview with Mr Ennis next week on our website.
Dave Bittner: [00:14:11:23] Time to take a moment to tell you about our sponsor Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money and improve security.
Dave Bittner: [00:14:26:08] Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable then it is definitely not a false positive.
Dave Bittner: [00:14:47:12] Learn more at netsparker.com. But wait, there's more, and we really do mean more. Go to netsparker.com/cyberwire for a free 30 day trial of Netsparker desktop. It's fully functional, scan your websites with Netsparker and let them show you how they do it. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:15:10:08] Joining me once again is Jonathan Katz, he's the director of the Maryland Cyber Security Center, and a professor of computer science at the University of Maryland. Jonathan, we saw a recent blog post from Google about research work they're doing on post quantum cryptography. Why is quantum computing important? Why is this notion of post quantum cryptography important for encryption?
Jonathan Katz: [00:15:33:12] A lot of people are now worried about the potential for advances in quantum computing, and as many of our listeners may know, quantum computers would actually be able to break all the public-key cryptography that's currently used on the internet. So even if you're not worried about a potential quantum computer existing today, if you're concerned about long-term security of your communications you might be concerned about a quantum computer even coming into existence ten years from now.
Jonathan Katz: [00:15:59:13] So this new class of so-called post quantum crypto systems is exactly meant to be secure, even against a quantum computer and so it relies on new mathematical techniques beyond the ones that are currently being used today.
Dave Bittner: [00:16:11:00] And would this affect current techniques for encryption? Is this a backwards compatible kind of thing?
Jonathan Katz: [00:16:19:07] Yes, so the way Google have done it, first of all, they're only doing it on some limited number of connections and they're really just doing it for as you said, research purposes to test the efficiency of the new protocol. And they've done it in such a way actually that it doesn't downgrade the security of any existing connections and the reason is because what they're doing is actually running the existing key exchange protocol in parallel with the post quantum key exchange protocol and so in the best case, it gives you better security and even in the worst case it doesn't downgrade the security beyond what's already available.
Dave Bittner: [00:16:49:18] Alright, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:16:54:17] It's time to thank our sponsor E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks, and E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted.
Dave Bittner: [00:17:16:10] The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you.
Dave Bittner: [00:17:30:23] Visit E8security.com/dhr and download the free white paper to learn more. E8, transforming security operations.
Dave Bittner: [00:17:52:13] State-sponsored cyberattacks are inducing more enterprises to turn to security vendors for protection. The Washington Post sees some of the beneficiaries of this trend as Cylance, ThreatConnect, FireEye, Palantir, and CrowdStrike, and there are surely many others. That said, security stocks have shown mixed results recently, and persistent rumors that FireEye may be a takeover target reappeared this week.
Dave Bittner: [00:18:14:21] The Motley Fool notes that such rumors have been good for FireEye’s share price, and speculates that possible suitors include Symantec, IBM, and Cisco.
Dave Bittner: [00:18:24:10] Finally, we’d like to end this week with some advice that should go without saying, but apparently doesn’t. You don’t really need to be told, Pokémon trainers, that you shouldn’t pursue Pokémon into dangerous, sensitive, or restricted areas, like memorials, or nuclear reactors? Or, for that matter, NSA headquarters?
Dave Bittner: [00:18:41:24] Apparently some of you do. The Odenton-Severn Patch, the hyperlocal news service for the southeast gate at Fort Meade, ran a notice asking people not to catch-em-all on Fort Meade. So please, restrain yourselves. If you’re in the area, however, you might wander up to Annapolis Junction and track Pokémon around the National Cryptologic Museum. And enjoy the exhibits while you’re there.
Dave Bittner: [00:19:04:13] There’s no advice from Langley about Pokémon, so maybe it’s OK to chase them there. But we’re sure the trainers would welcome some guidance. So come on, CIA, give 'em the word. The truth shall make them free. We’re pretty sure we read something like that down your way.
Dave Bittner: [00:19:22:20] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody, thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.