In today's CyberWire, we discuss why the US Intelligence Community got prickly about Kaspersky: their Israeli colleagues tipped them off that something was fishy in the software's use. UpGuard says Accenture left some AWS data buckets exposed. Accenture says they were associated with decommissioned systems, but exposed they seem to have been. Sources say Deloitte's breach is worse than hitherto disclosed, with more than three-hundred clients exposed. Joe Carrigan from JHU ISI with some follow-up from a listener on password security when using password managers. Brian NeSmith from Arctic Wolf with results from an IoT ransomware survey.
Dave Bittner: [00:00:02:15] Just the other day my ten year old son came to me and said, "Daddy do you think I'll be able to get some braces to help straighten out these crooked teeth?" And I said "Son if enough people sign up to support the CyberWire on Patreon, then maybe you can get those braces." I'm kidding, of course. My son lost all of his teeth ages ago, he just doesn't brush, so. Patreon.com/thecyberwire
Dave Bittner: [00:00:27:14] Why did the US intelligence community get starchy about Kaspersky last year? Their Israeli colleagues tipped them off that something was fishy in the software's use. UpGuard says Accenture left some AWS data buckets exposed. Accenture says they were associated with decommissioned systems, but exposed they seem to have been. Sources say Deloitte's breach is worse than hitherto disclosed, with more than 300 clients exposed.
Dave Bittner: [00:00:54:06] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year you've surely heard a lot about artificial intelligence and machine learning, we know we have. But E8 would like you to know that these aren't just buzz words. They're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to e8security.com/cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning and technology that's here today. So see what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:57:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 11th, 2017.
Dave Bittner: [00:02:08:03] The New York Times and other outlets reported late yesterday that Israeli intelligence officers tipped off their US National Security Agency counterparts that Kaspersky software had been used to gain access to devices holding highly classified American intelligence documents.
Dave Bittner: [00:02:23:23] Israeli intelligence services monitoring Russian activity saw them using Kaspersky software as what the New York Times calls "an improvised search engine." They notified their American colleagues and, the Times reports, this is the background to the US Government's decision to ban Kaspersky products from its networks.
Dave Bittner: [00:02:42:23] Israeli intelligence services penetrated Kaspersky in 2014, sources say. Kaspersky discovered (and disclosed, without attribution) Israeli presence on its networks in 2015. It connected the activity to the Duqu family of cyber espionage tools.
Dave Bittner: [00:03:01:08] Antivirus software is an attractive target because of the system access it receives. Kaspersky's products have the reputation of being particularly aggressive in their scans of the devices they're installed to protect. Kaspersky has long represented that as a feature, not a flaw, saying that such scanning increases their ability to offer protection against little-known and unfamiliar threats. Of course, should such scanning be compromised, it can be exploited to look for sensitive material on the devices it's protecting, and that's what sources in the US Government say happened in this case. An NSA contractor's machine with Kaspersky security software installed was hacked by Russian intelligence services (probably the FSB, by most accounts) who knew exactly what files they wanted. And those are the files they got.
Dave Bittner: [00:03:49:19] The US Government decided to ban Kaspersky security software from its networks on September 13th, 2017, when the Department of Homeland Security issued Binding Operational Directive 17-01.
Dave Bittner: [00:04:02:12] The directive came after months of quiet warnings by intelligence and federal Law Enforcement organizations of the risks Kaspersky software presented. Kaspersky Lab itself denied that its products were being used to collect intelligence on behalf of Russian or any other national intelligence services, and called for the US government to in effect put up or shut up about the widely used security software. All questions about the undeniable tension between Russia and the US aside, this would appear to be at least part of the evidence Kaspersky challenged the US to present.
Dave Bittner: [00:04:36:02] Kaspersky's precise relationship to the alleged exploit remains unclear. If their software was indeed exploited, one can take one of the following positions on the incident. Either one of these possibilities, or even some mix of all of them, are likely to be true. Either Kaspersky cooperated with Russian intelligence services and delivered its products up for espionage purposes, or the Russian services hacked Kaspersky without its knowledge, or the Russian services succeeded in infiltrating agents into the company without the company's executives' knowledge. A number of observers think it unlikely that any Russian company would be able to refuse a request from their country's security services.
Dave Bittner: [00:05:16:08] Another major consultancy has suffered data exposure. UpGuard reports that on September 17th their researchers found sensitive data belonging to Accenture exposed in four unsecured Amazon Web Services S3 buckets. It's unclear whether the data, now secured, were obtained by bad actors. Accenture says the only unauthorized scan they've detected came from UpGuard. Accenture also says the material exposed, including keys and credentials, was related to a decommissioned system.
Dave Bittner: [00:05:48:06] Deloitte's breach may have grown worse. The Guardian reports that 350 clients, including US Government agencies and multinational corporations, suffered exposure. Deloitte, which had put the number of affected clients at six, disputes the report.
Dave Bittner: [00:06:03:12] The number of data exposures being reported in companies that are well-resourced and sophisticated with respect to security is striking. It seems failure to securely configure databases in the cloud is common. We can offer a couple of conjectures about why this is so. First, the cloud is so easy, and seems to do so much, that it can appear to users that their cloud service probably handles security implementation, encryption, and other basic elements of cyber hygiene. Unfortunately that isn't so. These matters are generally the user's responsibility, although some cloud vendors, notably Amazon, are working to give their users as much help attending to these matters as they reasonably can. And second, organizationally, it may be fatally easy to regard configuring your AWS S3 buckets as a routine IT task. If there's any big lesson from the past two quarters, it's this: organizational leaders, pay attention to cloud security.
Dave Bittner: [00:07:01:09] The security of IoT devices remains an ongoing challenge and the folks at Arctic Wolf Networks recently published their results from a survey titled "Ransomware of Things: When Ransomware and IoT Collide". Brian NeSmith is CEO at Arctic Wolf and he shares insights from the report.
Brian NeSmith: [00:07:19:24] There are a couple of big things that stand out. The first is that one, everybody wants their IoT devices to be connected. The idea of just getting a device that I'm now going to plug into a network and I want to be able to remotely control it, I want to be able to configure it and manage it, and at the same time a bit of cognitive dissidence. I want to connect to the Internet and whatever security exists on that device I'm not really going to build anything else. So a bit of inconsistent view which is I need something but I'm not necessarily gonna worry about the security, I'm gonna depend on the vendor to make sure they're doing the right thing to secure that device.
Dave Bittner: [00:07:53:09] And is that a realistic expectation?
Brian NeSmith: [00:07:55:09] I think much like you see in other parts of your infrastructure, you have to build a layer of defense and adding monitoring and, you know, detection of failures in your security is a critical part of it and that applies to IoT like it applies to laptops and servers and every other device that you have in your network.
Dave Bittner: [00:08:13:17] One of the interesting statistics I saw that you sent over was it said that nearly everyone expressed concern about ransomware but almost half of them would rather pay off the cyber criminals with ransom than to adequately patch and protect their systems ahead of time. So this sort of reactive rather than proactive approach was preferred.
Brian NeSmith: [00:08:35:21] Yeah you see, I guess what I would say is overall general view which is I find it impossible to keep everything patched so if I do get compromised I'm going to bet on my ability just to pay the ransom and that's the way I'll recover it, or I'm gonna restore from backups. I think to some extent you can consider it a form of sticking your head in the sand and just hoping it doesn't happen to me.
Dave Bittner: [00:08:57:02] I suppose there is some good news to be taken from this, the survey pointed out that more than half of the organizations have a dedicated response plan.
Brian NeSmith: [00:09:07:19] I would have said in general people have an idea of, "what am I gonna do if I get hit with ransomware, if I get my devices compromised?" To some extent I think, like you said, the incident response plan could be, "I'm just going to pay the ransom and then restore it." In other cases they've gotten a bit more sophisticated with backups but there is definitely a growing threat in this area. We're seeing more and more small businesses getting attacked using IoT, and it's the sort of thing you can't ignore. It's not like the PC that you have on somebody's desktop where you could be able to [INAUDIBLE] later date. If they compromise your heating system then it's another matter, you've got to deal with it. So it gets an immediacy in something that's very apparent to a lot of organizations.
Dave Bittner: [00:09:51:21] Looking at the results of this survey what were the take homes for you in terms of advice you would give to organizations who are dealing with these IoT issues?
Brian NeSmith: [00:10:01:16] I would start with by recognizing that IoT devices are built on standard much older operating systems and the organization can't depend completely on the vendor supplying those devices that they're going to stay patched and up to date. They're almost packaged as a black box but inside them is Window CE, Windows 3.1, Windows 95, very old versions of Linux, and that organizations need to be more proactive and realize that this is a factor that if they get compromised they can be used to attack other parts of their infrastructure. Hackers only have to find the weakest link. And the weakest link increasingly is going to be most likely an IoT device.
Dave Bittner: [00:10:43:09] That's Brian NeSmith from Arctic Wolf.
Dave Bittner: [00:10:46:20] At AUSA yesterday there was much discussion among attendees of the growing convergence of cyber operations with traditional electronic warfare disciplines. Those whose memories extend to the Cold War endgame found the discussion of the electronic threat very familiar: now, as then, Russian electronic attack capabilities were highly respected and much feared. This threat, with the rise of hybrid war, has now been transposed into the cyber domain.
Dave Bittner: [00:11:14:23] We'll have discussions of these and other matters later this week as the annual conference wraps up.
Dave Bittner: [00:11:24:18] Now I'd like to tell you about some research from our sponsor Cylance. Good policy is informed by sound technical understanding; the crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship, and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption introduce exploitable vulnerabilities into applications, and develop nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques with a massive cloud of noise. Backdoors for the good guys means back doors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to cylance.com and take a look at their blog for reflections on surveillance, censorship and security. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:12:28:22] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You know we got some response from a listener about one of our recent segments, we were talking about password managers and password safety and so forth, and one of the things that we talked about was the possibility that if you're using a password manager perhaps you're putting all your eggs in one basket, and how important it is to use multi-factor authentication. This listener sent in a clever bit of information. What they said they did is they let the password manager automatically generate a random string, say it's 20 characters long, so they have the password manager automatically fill in that string but then they append that string with a four digit code that they know, a number, a phrase, whatever that's meaningful to them, that they can remember, that they add to everyone of these randomly generated passwords.
Dave Bittner: [00:13:32:16] So the point is, they have this randomly generated password that the password manager remembers but by appending it with this four digit code, even the password manager doesn't know the whole password. So it's this balance of them having something that's easy to remember; they only need to remember a short combination of characters. But it makes the password manager that much safer.
Joe Carrigan: [00:13:57:07] Yes, it does. I'll preface this by saying, it doesn't make it less secure. A lot of times when I hear people say "I have this security idea", a lot of times what they're doing is they're actually decreasing the level of security. Well if you're using random 20 character passwords or so, just completely garbage string of characters as your password, that's already secure. And if your concern is that you're going to have a piece of malware exfiltrate your password database and that falls into someone else's hands then this could be a hedge against that, absolutely. I think it's a good idea. It doesn't hurt to do it.
Dave Bittner: [00:14:37:22] So do you think that's sufficient? Overall you're on board with this one?
Joe Carrigan: [00:14:42:08] Well yes I am on board with this one. I would recommend however that you are flexible with being able to change that PIN over time. Because if you're a specific target, and that's really what you're worrying about at this point in time, if somebody gets one of your passwords from a breached site that didn't encrypt your password at all, just ordinary plain text, they're going to see the four digit code at the end of your password. And if they also have your password library, your password manager, and access to that, then they're going to be quickly be able to associate that, to be able to change that. That is a very far-fetched scenario though, somebody getting access to a database and access to your password manager. Those two things are probably not very likely to happen. So I still think this is a good idea.
Dave Bittner: [00:15:32:13] Alright Joe Carrigan thanks for joining us.
Joe Carrigan: [00:15:34:19] My pleasure, Dave.
Dave Bittner: [00:15:37:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit cylance.com. They CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Artificial Intelligence & Machine Learning. This technology is popping up in everywhere in cybersecurity. Aside from sounding cutting-edge, what does it mean? What value does it add? Find out exactly how cool AI and machine learning are, and how small nuances in how each is used can make a big difference from E8, at e8security.com.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com