The CyberWire Daily Podcast 6.17.16
Ep 123 | 6.17.16

Patch Flash Player. DNC hack updates, fighting terror in cyberspace.

Transcript

Dave Bittner: [00:00:03:21] Russia says, no, we didn't hack the DNC, but CrowdStrike stands by its attribution.

Dave Bittner: [00:00:08:21] Guccifer 2.0 shows up DNC Chair Wasserman Schultz as both Snowden and Trump share their own speculations.

Dave Bittner: [00:00:15:24] The FBI continues to probe possible ISIS connections to the Orlando shooter. Some GitHub user credentials are compromised.

Dave Bittner: [00:00:22:17] In industry news, some companies are looking at M&A, but at least two prominent ones aren't.

Dave Bittner: [00:00:27:21] Patches this week close Windows' BadTunnel and Adobe Flash Player vulnerabilities.

Dave Bittner: [00:00:32:07] Analysts express concern over IoT security, and we take a look at car hacking.

Dave Bittner: [00:00:41:17] It's time to mention one of our sponsors, E8, and let me ask you that question: do you fear the unknown? Lots of people do, of course. Mummies, The Lost City of Atlantis, stuff like that. But we're not talking about those, we're talking about real threats, unknown unknowns lurking in your networks.

Dave Bittner: [00:00:56:24] The people at E8 have a white paper on hunting the unknowns, with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to e8security.com/dhr and download their free white paper: Detect, Hunt Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no-one's ever seen before.

Dale Drew: [00:01:19:13] The known unknowns, Let Them Off Man and Spontaneous Human Combustion, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. E8security.com/dhr.

Dave Bittner: [00:01:39:14] I'm Dave Bittner in Baltimore, with your CyberWire summary and weekend review for Friday, June 17th, 2016.

Dave Bittner: [00:01:46:19] The Russian Government, to no-one's surprise, piously denies any involvement in the DNC hack. Guccifer 2.0, the source claiming to be the lone hacker behind the year-long persistent intrusion into the Democratic National Committee's networks, releases more documents. In this case, the files are, by name and by amount, donor information, which contradicts DNC Chair Wasserman Schultz's assurances that no financial data were lost.

Dave Bittner: [00:02:12:24] CrowdStrike stands by its attribution of the hack to Russian intelligence services. The company's co-founder and CTO Dmitri Alperovitch suggests the possibility that Guccifer 2.0 is a dis-informing catfish, put forward to deflect suspicion from Russia's FSB and GRU (Cozy Bear and Fancy Bear).

Dave Bittner: [00:02:32:10] Ars Technica and others point out circumstantial evidence that the hacker was at least Russian-speaking. The use of a characteristically Russian form of a smiley emoji, the Cyrillic text noting broken links, which suggest that doxed PDFs were converted on a Russian language machine and, interestingly, the name Felix Edmundovitch, left by the last editor in document metadata.

Dave Bittner: [00:02:54:14] Felix Edmundovitch is the name of Lenin's principle enforcer and about as closely associated with Soviet-era secret police as J. Edgar would be with the Cold War FBI. Not to imply any moral equivalence between the two, but you see the point.

Dave Bittner: [00:03:09:21] The choice of the pseudonym argues, circumstantially, that someone working on the documents has a nostalgic urge to be back in the USSR; in any case, circumstantial.

Dave Bittner: [00:03:21:01] Moving beyond the circumstantial to the realm of theoretical speculation, Edward Snowden thinks the DNC hack shows someone wants to show they have the ability to manipulate elections. Maybe. Donald Trumps says, it's possible the DNC may have hacked itself. Few takers so far on this one.

Dave Bittner: [00:03:39:15] The FBI cautions that it's found no link between Orlando shooter Mateen and ISIS, by which they mean no command-and-control, since Mateen said plenty online about loyalty to ISIS. A study of ISIS sympathizers on Twitter reports predictable social media behavior prior to attacks. The researchers from the University of Miami and Harvard University, also suggest it's possible to identify and track ad-hoc web groups, aggregates, as opposed to individuals. Tracking aggregates may prove a more attractable challenge than following individuals. The difference between hundreds and hundreds of thousands of social media actors.

Dave Bittner: [00:04:16:12] Such aggregate tracking in cyberspace might develop indicators and warnings of physical attacks. In developing threat intelligence on cyber attacks, attack traffic itself provides indicators and warnings of imminent, or ongoing campaigns. Such traffic can be collected in honey pots, or as live data.

Dave Bittner: [00:04:33:23] We spoke to Dale Drew from our researcher partners at Level 3, about the difference between these sources of information. We'll hear from him after the break.

Dave Bittner: [00:04:42:01] GitHub has sustained and is recovering from a password guessing attack. GitHub itself wasn't compromised, but many user accounts were. It seems likely the account holders were, for the most part, victims of earlier breaches from services like MySpace, Tumblr and LinkedIn. GitHub is notifying affected users and advising everyone to move to two-factor authentication.

Dave Bittner: [00:05:04:11] This week has seen continuing reaction, mostly positive, to Symantec's acquisition of privately held Blue Coat. Blue Coat's CEO is expected to move up to leadership of Symantec, and the acquisition is regarded as a move toward repositioning Symantec away from some of its legacy products and into emerging security technologies. Some analysts see the move for shadowing more competition between Symantec and IBM.

Dave Bittner: [00:05:28:03] FireEye still isn't for sale and news that it turned down suitors, news that was broken by Bloomberg earlier this week, seems to have given the company's share prices a boost. FireEye had retained the services of Morgan Stanley to field inquiries and asset interest, according to Bloomberg, but decided against taking any offers it received.

Dave Bittner: [00:05:47:05] Tanium isn't for sale either. Rumors to the contrary, the unicorn says it's not interested in being acquired.

Dave Bittner: [00:05:57:19] I'd like to give a quick thanks to our sponsors at ThreatConnect. ThreatConnect is an enterprise level security platform that allows you to unite all your people, processes and technologies behind an intelligence driven defense. They're teaming up with Forrester, the Global Research and Advisory firm, for a look at fragmentation in the security industry, what it means, and what can be done about it.

Dave Bittner: [00:06:12:16] You can hear what they're got to say and consider how to apply the lessons to your own organization, by signing up for ThreatConnect's webinar. It's scheduled for Tuesday, June 28th. Catch Forrester's Jeff Pollard and ThreatConnect's Chief Intelligence Officer, Rich Barger, as they discuss the issues fragmentation poses for organizations of all sizes, and offer their thoughts on how to unify security operations in your enterprise.

Dave Bittner: [00:06:28:15] Visit threatconnect.com/webinar and let them know that CyberWire sent you. Best of all, the price is right, it's free. That's threatconnect.com/webinar. Check it out.

Dave Bittner: [00:06:55:18] I'm joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, there's been a lot of talk about the difference between analyzing honey pots, versus analyzing live data. What's the advantage of either of those approaches?

Dale Drew: [00:07:11:10] We believe that honeypot data and live data are both critically important and they're important for very different reasons. You know, now a honey pot is basically, if you want to catch a bear, you put out a pot of honey and then you watch the bear go to that pot of honey. That's essentially what a honey pot is. It's a system that is specifically and solely designed to attract a bad guy and have that bad guy break into it and then watch what the bad guy does.

Dale Drew: [00:07:40:17] Honey pots provide a pretty significant advantage. You know, you have the ability of capturing everything the bad guy does, as they're trying to break into the system, once they've broken into the system, and then what they're searching for when they're on the system.

Dale Drew: [00:07:54:00] There's a pretty wide variety of honey pot capabilities to respond to each of those notions. Remote access, local access and even content analysis. We think honey pots provide a pretty significant advantage in getting the context of what a bad guy is doing and how they're doing it.

Dale Drew: [00:08:13:02] Live data is also pretty important and one of the advantages that you have, as a network provider is that, you've got a view of the entire neighborhood. The disadvantage of honey pots is that you have to wait to be a victim. You have to wait to be compromised to know when a bad guy is after you. If you already know where the bad guy is, using live network data allows you to see that bad guy access customers, or access the network before they even hit a honey pot.

Dale Drew: [00:08:40:21] When we stop network traffic, when we stop the bad guys, we're able to see that bad guy move and manipulate and try to regain access back to the network live without having to wait for a honey pot to be compromised.

Dave Bittner: [00:08:55:15] Is there any sense that the bad guys are detecting the honey pots better, or are they able to know when they're being lured into one?

Dale Drew: [00:09:07:18] Yes. I would say honey pot technology is a very vicious cat and mouse game. Bad guys will specifically be looking for honey pot technology and honey pot behavior. A lot of malware is designed to either not operate at all, or to operate differently when it detects a honey pot.

Dale Drew: [00:09:27:18] The same thing with a wide variety of detection technologies, it's always sort of a cat and mouse game, with the bad guy trying to get around that sort of security detection technology, so they can be more focused on getting access to the victim.

Dave Bittner: [00:09:42:18] Alright, Dale Drew, thanks for joining us.

Dave Bittner: [00:09:48:13] This CyberWire podcast is made possible by Wide Angle Youth Media. A non-profit that provides free media education to Baltimore youth, to tell their own stories and become civic leaders. Learn, watch and connect at wideanglemedia.org.

Dave Bittner: [00:10:18:15] Looking back, this was, of course, June's big week for patching. Microsoft published its customary Patch Tuesday fixes, the most interesting of which addressed a widespread network traffic hijacking vulnerability, that's going by the name of BadTunnel. BadTunnel can be exploited through all versions of Microsoft Office, Edge, Internet Explorer and some third party Windows apps.

Dave Bittner: [00:10:40:11] Tencent's Xuanwu Lab in Beijing, which discovered the flaw, describes BadTunnel as affording a way to spoof NetBIOS across networks.

Dave Bittner: [00:10:50:08] Adobe issued its promised Flash Player patch for Windows, Macintosh, Linux and ChromeOS late Thursday. The zero-day it fixes is being exploited in the wild, especially in an espionage campaign by the SCAR-kruft APT group.

Dave Bittner: [00:11:04:22] Internet-of-things concerns touched at least three areas this week. Booz Allen Hamilton published an extensive report on industrial control system security. Booz notes the familiar array of threat actors interested in ICS attacks: nation state, criminals, hacktivists and insiders. The report sees the barriers to entry dropping, as ICS attack tools show the same movement toward widespread availability and commoditization visible in other criminal sectors.

Dave Bittner: [00:11:32:22] A senior NSA leader's public musing about the intelligence that could be garnered from connected medical devices, excited widespread, often slightly paranoid comment.

Dave Bittner: [00:11:43:03] As our cars become more connected and as self-driving systems are under advanced development in many places around the world, many wonder about the future of automotive cyber security. We'll go that speculation one better. Today we talk about the present of automotive security with Craig Smith, the Founder of Open Garages and an expert on hacking cars.

Craig Smith: [00:12:02:08] In the beginning, you know, vehicles are all mechanical. The nice thing about that, of course, is that when you bought a vehicle, you pretty much have got the building materials with the vehicle, and that's made easy to work on it and tinker and all that good stuff. Eventually we started getting these electronic components put in, but eventually the boxes had to talk to each other and then the chips are actually micro controllers, which is running firmware and the complexity grew as they started switching to a network based model.

Craig Smith: [00:12:32:19] Still we weren't quite to the area of having cyber risks yet. You didn't really run to a real threat until we started adding more and more connectivity. You know, it started pretty small, you know, some digital radio stuff, you know, maps from satellite this type of thing. But now they've got to the point where, most of the external communication are things that most people recognize from a normal network, or a normal laptop such as wireless access points and Bluetooth and cellular uplinks.

Craig Smith: [00:13:05:19] Cellular uplink is a great example, where you've gone from a closed system to one that's now reachable from anywhere in the world.

Dave Bittner: [00:13:14:05] Smith says, it's only in the last few years that automotive manufacturers have started to put significant resources into the cyber related security of their products.

Craig Smith: [00:13:22:21] They're doing threat modeling; you know, they are looking at the architecture from a security perspective which is great. It does take a long time, in the automotive production world, to kind of see the fruits of your labor. Typically, if you buy a car today, that car was designed five years ago. So there's a lot of challenges there and without looking over their update system, those vehicles are also pretty much going to stay the way they are for the next ten plus years on the road.

Craig Smith: [00:13:49:17] You know, from the software world, making a piece of software that doesn't need a fix of any type in ten years is kind of unheard of.

Dave Bittner: [00:13:56:22] There's a good bit of media attention about hackers remotely accessing cars while they're on the road and taking control of them. But Craig Smith says that, for now, that's not the kind of attacks they're seeing.

Craig Smith: [00:14:07:12] What we're seeing as far as the malicious users right now, they're really just taking cars. You know, they're not doing anything more complex than that yet. There was a threshold for stealing a car electronically, because it's easier than just smashing a window, you go that route.

Craig Smith: [00:14:22:12] What we're seeing, at least from the electronic side, is we're seeing things that attack the key fob system. Things that will basically amplify a signal of your passive key entry system, so the ones where you walk up to the car and the car unlocks for you. This will amplify the signals of the vehicle and make it seem like you're closer to the car than you are. You could be parked near your house, or something of that nature, and they get the car to unlock.

Craig Smith: [00:14:46:03] They won't usually be able to drive the car away. But it's a pretty easy one, as you can build an amplifier for like 40 bucks. So, again, the technical threshold has dropped to a point where it's pretty easy to build one of these things, store it in a backpack and walk up and down the street.

Dave Bittner: [00:14:58:23] Like any rapidly evolving attack service, Smith expects to see exploits evolving too.

Craig Smith: [00:15:04:06] I think what you're going to probably see, as we get more of a traditional hacker, malicious element into automotive, is you're probably going to see things such as data harvesting. You know, you're going to try and locate things such as, like, undercover squad cars, which are worth a lot of money. Looking on the microphone inside of vehicles, especially for high profile vehicles, limo services and things of that nature. Those are also worth a lot. Hopefully not, but you could even see things like ransomware and stuff of that nature.

Craig Smith: [00:15:32:23] I think, regardless if we see that kind of stuff, we'll start seeing people trying to hurt other people with it. It's possible of course, you know we've demonstrated that it's possible, but you have to be a little bit messed up to decide if that's a normal thing to do. This isn't defacing a website.

Dave Bittner: [00:15:50:13] We're already seeing cars that assist their drivers and as self-driving cars develop, Smith sees interesting challenges and opportunities for passenger safety.

Craig Smith: [00:15:59:13] US data said in 2018 that, you know, we basically need vehicles that can, you know, sense if a car's in front of them and automatically apply the brakes. That is a vehicle who will override the human. The human's sitting there saying, I want to give it gas, but the car decides, no, I'm not going to give it gas. As a matter of fact, it's going to be the opposite of what you just said, I'm going to apply the brakes, that's a car overriding human. Simple system, self-driving cars have a much larger attack surface, but they're designed differently.

Craig Smith: [00:16:30:05] We have cases in California where, just, you know, saying, okay, we need a steering column inside of these self-driving cars, so humans can override the car. You can't have both. We can't have humans overriding cars while the car's overriding the human. You know, we have to decide which one we decide is safer and go with it. 

Craig Smith: [00:16:49:23] I prefer, even as a higher attack surface, the self-driving cars because, when they don't have the luxury of relying on the human to blame for mistakes, they have to do a lot of self-checks. So they don't trust their own sensors, and this is a key piece. So we have a bunch of different types of sensors to determine if what's in front of them is a pile of leaves or, you know, a dog laying on the road. You can't just say, well the humans just taken over, they have to use the different sensors to determine it and having an instrument that doesn't trust the output of its own sensors, and has to have a consensus, is way better.

Craig Smith: [00:17:27:18] Even though there's more attacks in self-driving, we're looking at a better starting point. It's very interesting, because you wouldn't naturally think that's the case.

Dave Bittner: [00:17:36:13] There are also interesting intellectual property implications, as automotive systems come to rely on Crypto for updates and security.

Craig Smith: [00:17:44:01] As we have this kind of new found interest of automotive manufacturers to step up security and getting it closer to modern day security. We're going to move some of their updates, which is going to be like a PKI kind of system. You know, it's going to use Public Key Crypto so that, you know, if you push an update over the air, then you know it's from the manufacturer which is great and you should totally do that.

Craig Smith: [00:18:00:00] But there's an additional challenge if we go to that type of system in that, we could potentially lock out Ma and Pop shops and individual car owners from doing any kind of firmware changes or integration. Because, with a Public Key Infrastructure type system, you would need a key and unless they're going to do some significant key management, we could really get down to a point where, even though you paid a bunch of money for your Tesla, you may not really own it, but you can't make any changes to it.

Craig Smith: [00:18:39:04] The reason I'm bringing this up is, I see people in the security community make this mistake more than I see the automotive community making the mistake. The automotive community kind of gets the right to repair and right to tinker. Security people lock everything down, you get the key, we did a good job, let's go home and that's not how it's going to work with cars. You have to do the half set up and make it so, yes, you can't remotely update firmware, but we need a way for consumers to be able to say, no, I know what I'm doing, I want to make these changes, or maybe I want to invent something new, or whatever it is. You know, I paid for this car to make modifications and it's my car. How do I do that? We have to solve that problem.

Dave Bittner: [00:19:17:03] That's Craig Smith, the Founder of Open Garages. We've really got to get Teslas as a sponsor.

Dave Bittner: [00:19:27:13] That's the CyberWire. I want to give a shout out to Jason and Brian at the Grumpy Old Geeks podcast for having me on their show today. Do check it out, it's a fun raucous good time.

Dave Bittner: [00:19:36:22] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. I'm Dave Bittner. Have a great weekend everybody.