In today's podcast, we hear about the long-expected US Executive Order, with commentary from Politico's Eric Geller. It was signed yesterday, and gives prominence to the NIST Framework, DHS,and OMB. Eternal Blue is used to spread WannaCry ransomware, and the UK's NHS is hard hit. Fancy Bear prances in NATO costume. US Intelligence Community leaders warn the Senate that the Russian cyber threat is large, growing, and not going away. The University of Maryland's Jonathan Katz explains some potential browser protocol vulnerabilities. And spamming celebrates its thirty-ninth birthday—no happy returns for you, spammers.
Dave Bittner: [00:00:00:12] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:01] The long-expected US Executive Order is out, and Politico's Eric Geller provides analysis. EternalBlue is used to spread WannaCry ransomware, and the UK's NHS is hard hit. Fancy Bear prances in NATO costume. US Intelligence Community leaders warn the Senate that the Russian cyber threat is large, growing, and not going away. And spamming celebrates its thirty-ninth birthday.
Dave Bittner: [00:00:43:05] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily, they do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:47:03] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 12th, 2017.
Dave Bittner: [00:01:56:15] US President Trump signed his long-anticipated Executive Order on cybersecurity yesterday, and we'll have some notes and an interview, on that one later. In the meantime there are other breaking stories worth your attention.
Dave Bittner: [00:02:08:19] There's some new fallout, apparently, from the ShadowBrokers' last dump of tools. A strain of ransomware, "WannaCry" is spreading rapidly via the "EternalBlue" tool the Brokers dumped, which they claim they got in some unspecified fashion from the US NSA. Researchers at security firm Avast tell Forbes that they've recorded thirty-six-thousand variants of WannaCry today, MalwareHunterTeam counts twelve affected countries, and says that Russia has been hardest hit, with Spain and China placing and showing.
Dave Bittner: [00:02:41:22] EternalBlue is an access tool that abused the network file-sharing protocol SMB (Server Message Block) to exploit a now-patched Microsoft vulnerability, MS17-010. The exploit isn’t ransomware itself, but is being used to deliver WannaCry to its targets. Flashpoint noticed at the end of April an upwelling of chatter in Russian cybercrime fora concerning ways of using the ShadowBrokers' dumps. It would appear this is one use someone's found for them.
Dave Bittner: [00:03:12:10] As so often happens, the medical sector is being hit hard. Sixteen National Health Service facilities in the United Kingdom have reported infection. In some cases this has caused wards to close and staff to be sent home.
Dave Bittner: [00:03:26:19] WannaCry isn't the only development in ransomware. Jaff, a strain of malware that looks a lot like son-of-Locky, is now reported to be spreading via Necurs. It's asking for $3700 from its victims. As always, it's better to back up than to pay.
Dave Bittner: [00:03:44:09] While WannaCry seems likely to be predominantly a criminal action, there are reports of state-sponsored activity today as well. Romania's Ministry of Foreign Affairs is said to be among the diplomatic organizations and missions across Europe being phished by Fancy Bear (APT28, or Russia's GRU). The phishing emails spoof NATO addresses and seek to induce the unwary to download a remote-access Trojan that FireEye researchers are calling "GameFish." Romanian authorities haven't commented, but NATO, while declining to say anything about this particular episode, says it comes under attack all the time, and that spoofed emails are no novelty.
Dave Bittner: [00:04:24:15] Part of the reason the hacking of En Marche! Emails (also attributed to Fancy Bear) didn't have the kind of malign effect seen in the earlier attacks against the US Democratic National Committee is that the hackers had less time to establish themselves, but a bigger part of the failure seems due to the Macron campaign's early and active mitigation efforts
Dave Bittner: [00:04:46:10] The US Directors of Central Intelligence and National Intelligence tell Congress that rising Russian assertiveness, activity, and influence in cyberspace is an enduring and growing threat. Senator McCain regrets that US preparations seem unequal to that threat and excoriates the current national state of readiness.
Dave Bittner: [00:05:06:03] US President Trump yesterday signed his long-anticipated Executive Order on cybersecurity. Its sections address "Cybersecurity of Federal Networks," "Cybersecurity of Critical Infrastructure," and "Cybersecurity for the Nation." It's a Federal-Government-centric order whose recurring themes are IT modernization and rationalization (including more shared services and use of the cloud), an emphasis on resilience, and an assertion that henceforth agency heads will be held accountable for the security of the organizations they lead. It mandates use of the NIST Framework across the Federal Government and places a strong emphasis on implementing sound risk management practices. It also calls for increased cyber deterrent capability. It's noteworthy that the two agencies singled out as responsible for assessing and reporting on Federal cybersecurity are OMB (which handles fiscal management, and so could be expected to address the sought-after efficiencies of IT modernization and consolidation) and DHS (responsible for securing the dot-gov domain). Many of the Executive Order's elements are relatively uncontroversial and represent continuity more than they do a break with past policy (or past aspirations). Reaction has been of course mixed but on balance positive. A little later in the show Politico's Eric Geller join us to review the order.
Dave Bittner: [00:06:25:23] Sophos rather sourly notes, spam turned thirty-nine last week. Sure, it's Jack Benny's permanent age, but it's also a reminder of how enduring an obvious threat vector is. So no happy returns of the day, spammers.
Dave Bittner: [00:06:42:22] Finally, a correction on a story we ran earlier this week. On May 8th we made note of the Fatboy ransomware-as-a-service offering, and how it uses the Big Mac index to automatically set the price of the ransom, depending on where you live. So far, so good. We went on to say that the Big Mac index has nothing to do with the delicious multi-layered McDonald's hamburger of the same name. That, was wrong. The Big Mac index is indeed named for the burger. We do our best to get our facts straight, but from time to time we get it wrong, and we think it's important to let you know when we do, and make it right. Incidentally, I'm more of a filet-o-fish guy, myself. Robble Robble.
Dave Bittner: [00:07:25:22] Time for a message from our sponsors at E8. They'd like to invite you to take a joyride. But it's not the kind of bad behavior that you'll find in the joyrides in say, Smokey and the Bandit or Cannonball Run, it's a joyride into behavioral analytics, the indispensable tool for being able to tell good behavior from bad behavior. You'll know the bad actors by what they do, how they behave and not by who they say they are. The experts at E8 are offering you a first hand look on a small scale with no obligation at what behavioral analytics can do for you. Go to e8security.com/joyride and hop on in. Seeing is believing. So check out e8security.com/joyride and let E8 show you what they can do. And we thank E8 for sponsoring our show.
Dave Bittner: [00:08:16:00] And I'm pleased to be joined once again by Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, I saw a story come by on InfoWorld about some HTTPS inspection tools that might weaken security. Let's start with some basic here though, can you just give us a quick overview of how HTTPS works and how that traffic can be inspected?
Jonathan Katz: [00:08:39:00] Yeah, so let me start with a very high level overview of how HTTPS works. Basically HTTPS is a protocol that allows a user to set up a secure connection with a server. And typically this is done, let's just say in two steps at a very high level. One step would be that the user will get an authentic copy of the server's public key and then using that copy of the servers public key , there will be some interactive protocol that they run that allows the user and the server to set up the secure connection. Now in the article you were talking about, what happened basically is that a third party was introduced into this mix, and what that third party did was basically sit in between the user and the server, and rather than having a connection directly between the user and the server, what you had instead was one connection between the user and this intermediary, and then a second connection between the intermediary and the server. So that meant that you had encrypted traffic going in between the intermediary and the server. The intermediary would then decrypt it and inspect it, and then re-encrypt it and forward it back onto the client.
Dave Bittner: [00:09:43:14] This short of inspection is a pretty routine thing to happen within a, for example, a corporate IT environment.
Jonathan Katz: [00:09:49:07] Yes, it could be set up in that way, right, what you would have is say, a user was accessing some internet site from their computer at work. And rather than setting up a connection directly between themselves and the server, they would, say, set up a connection between a firewall, say, within the company and then that firewall would act as the intermediary and allow the user to connect out to the server.
Dave Bittner: [00:10:10:09] So in this particular story there was a degradation of the type of encryption that was used along the way?
Jonathan Katz: [00:10:18:14] Well, what happened in this particular case was that the encryption part was OK, but the intermediary was not doing a proper job of obtaining the legitimate copy of the server's public key. Typically you can think of the fact that a user who was particularly paranoid, or even just if they were following good security practices, they might do several different things to validate the public key of the server, but in this particular case, apparently, the intermediaries, these border gateways or firewalls as they were, were not doing that appropriate validation. So then it either ran the risk that the intermediary itself could be man-in-the-middled by an attacker, thereby reducing security for the end user.
Dave Bittner: [00:10:56:10] Alright, interesting stuff. Jonathan Katz, thanks for joining us.
Dave Bittner: [00:11:04:03] And now a moment to tell you about our sponsor ObserveIT. We hear about all sorts of threats and the spectacular tales of hacking that grab people's attention. But what about the threat that every organization faces that goes unnoticed? The insider threat. Insider theft of sensitive data is already the occasion of some of the biggest business litigation of the 21st Century. Whether the insider is malicious or just mistaken, they can take your business down before you know what's hit you. If proprietary data walking out the door, or vendors accidentally taking down critical systems keep you up at night, take a look at ObserveIT's free guide, quick wins for reducing insider threat at observeit.com/cyberwire. Their mission is to help you identify and eliminate the insider threat by knowing what your people are doing in real time. Check out observeit.com/cyberwire to learn more about managing insider risk today. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:12:07:14] I'm pleased to welcome Eric Geller back to The CyberWire. He's the Cybersecurity Reporter for POLITICO Pro, where you can find his coverage of the just released Executive Order on Cybersecurity. Eric Geller, welcome back to The CyberWire.
Eric Geller: [00:12:20:12] Thank you for having me.
Dave Bittner: [00:12:21:21] President Trump signed the Executive Order on cybersecurity yesterday, let's start off, just give us an overview. What's in this Executive Order?
Eric Geller: [00:12:30:01] Well it has three major components. It deals with securing federal networks, it deals with securing the critical infrastructure that powers basically all of our modern lives, and then it deals with the international engagement essentially building a more secure world for cyberspace. So a couple of the highlights that folks are going to want to know about, all agencies are now required to use the NIST Cybersecurity Framework, which is something that has been evangelized in the private sector and pieces of it have made their way to various government agencies, but it has not been an outright requirement. So it now is. The Office of Management and Budget and the Secretary of Homeland Security are going to work on essentially every agency has to send them a report on how they're implementing the framework, how they're making cyber risk management choices. And OMB and DHS have to look at those and decide, are they good enough? And then what is the sort of executive branch-wide cyber picture? And they have to tell that to the President and give some recommendations for addressing that.
Eric Geller: [00:13:31:18] So, that is I would say the big piece on the IT modernization side. I should also say that the American Technology Council headed by Jared Kushner is going to put together a report on all the different considerations around moving to shared services, moving to one network across the entire executive branch. So that is going to be an ambitious effort for sure. And then, you now, the critical infrastructure, section two, that's kind of the other big thing. It requires essentially a study from DHS of current efforts to protect critical infrastructure, current efforts to work with the operators and what resources they might need and what capabilities the government doesn't yet have that it should have to protect, or I should say, to help those companies protect their infrastructure. And they, again, they have to report to the President on what we could be doing better in that area. Then there's, you know, just kind of a smattering of other things, studying power outages, creating efforts to fight botnets, looking at the defensive industrial base, cyber threats to the defense industrial base.
Eric Geller: [00:14:34:18] And then you get into kind of the international area, which is, you know, deterrents, capacity building. The Secretary of State has to submit a report on an international cyber strategy. It ends actually with something that I think is really interesting and important, which is workforce development. Looking at different ways to train people better, education programs, apprenticeships, that kind of thing. There are a number of reports on what the US is doing, what our foreign cyber peers are doing; the Director of National Intelligence has to prepare a report on basically what we can learn from how other countries are training their cyber work forces because that is an issue on the horizon that a lot of people are very concerned about, the US falling short in that area.
Eric Geller: [00:15:18:00] It really runs the gamut of a lot of the high level cyber issues that are out there.
Dave Bittner: [00:15:23:24] And so far, what have reactions been to the Executive Order?
Eric Geller: [00:15:27:07] Mostly positive, I have to say. I've spoken to a number of former Obama cyber folks who say that this is really a vindication of what they did. There's no attempt here to rollback Obama efforts. Yesterday, at the briefing, Tom Bossert, the Homeland Security Advisor was asked, you know, he said at one point that the previous administration had dropped the ball and he was asked to clarify and he basically said, "I think they didn't do enough," but really this is just a continuation of everything that they had been doing. It moved the ball forward a little, a little bit in terms of concrete steps, you know, reports that have to be written and that kind of thing. But there's nothing here that deviates from the Obama efforts. There really wasn't a lot of criticism. I will say that the main line of criticism that did exist was people saying they wanted more concrete action rather than just a series of reports. But this is very much a table setting move for the Trump administration.
Dave Bittner: [00:16:19:04] And speaking of action, are there any deadlines in the report? What kind of timelines are set for some of the elements they want to implement?
Eric Geller: [00:16:27:06] Yeah, most of the reports are due within 60, 90 to 120 days. There is a report that is due in 240 days, and a report, actually the state department International Strategy Report is due within 45 days. So you're going to see, I think, over the next three of four months in particular, a lot of effort to move the ball forward on those reports.
Dave Bittner: [00:16:47:15] What are you hearing in terms of people's take on the ability to actually implement some of the things that are outlined in this executive order?
Eric Geller: [00:16:55:05] A major challenge for them is going to be that they don't have people in a lot of the third, fourth tier positions. The sub-cabinet roles that are responsible for not only managing the career staffers who are doing these things, but also advocating for them and advocating for the priorities that come out of their work. So as an example, DHS has to look at critical infrastructure engagement. Career staffers are going to reach out to the critical infrastructure operators, they're going to talk to them, they're going to hear about essentially what they could be doing better. But without an Assistant Secretary for Cybersecurity and Communications and without a Deputy Undersecretary for Cybersecurity in the National Protection and Programs Directorate, those are two very important roles for taking the information and going to the Deputy Secretary, the Secretary, the National Security Council and saying, "Here's what we have learned, here's what we need to do."
Eric Geller: [00:17:46:15] So, you know, one problem here could be that the career officials put together their reports and they filter up to the Deputy Secretary and they make their way to the President, but the people who are supposed to be advocating for next steps aren't in place. They're not actually ready to say, "OK, here's the report, now here's what we've got to do about it."
Dave Bittner: [00:18:04:00] Anything that's struck you as being surprising or unexpected in the Executive Order?
Eric Geller: [00:18:09:17] I think what was most unexpected to me, looking at the other Executive Orders in the Trump Administration so far, is that this is not very political. There's nothing in here that jumps out to you as suggesting an imminent court battle or anything like that. They even toned down the language in the botnet section to avoid specifically calling out the telecommunications industry, to sort of make them a little bit happier, kind of appease them. That section is more general than it used to be, it doesn't say that they have a particular responsibility. So I think, you know, to step back and look at this Order, it's a very technical, apolitical document. It is a reflection of how apolitical a lot of cyber security is. As you start delving into implementation, there are you know, bureaucratic concerns and so you could say there is office politics in the sense of who gets what money and all of that. But this isn't a partisan area for the most part, it's not an area where Republicans and Democrats have fundamentally different visions. So what surprised me most is really how they were able to lean on the career staffers and put out a product that looks very different from a lot of the other Executive Orders in this administration so far.
Dave Bittner: [00:19:20:24] All right, Eric Geller, thanks for joining us.
Eric Geller: [00:19:22:17] Thank you.
Dave Bittner: [00:19:28:00] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out cylance.com
Dave Bittner: [00:19:42:06] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody. We'll see you back here on Monday. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
What the heck is behavioral analytics, anyway? At E8, we believe behavioral analytics is capable of providing insight into every stage of the attack lifecycle, across your network, users, and endpoints (even IoT!). You can check it out for yourself at http://e8security.com/joyride/.