The CyberWire Daily Podcast 7.8.16
Ep 137 | 7.8.16

Classified info--goose sauce, gander sauce. Security industry buoyed by Avast, AVG.

Transcript

Dave Bittner: [00:00:03:18] Android encryption issues are under study. Experts consider implications of D-Link vulnerabilities for IoT security. The Wendy’s paycard breach has gotten much bigger. Familiar exploits circulate in the wild and Mac backdoors make a comeback. CryptXXX. Is joined by a new ransomware variant, Kryptobit and Dead Krypter continues to play the Grinch. AVAST's purchase of AVG encourages the markets. The EU adopts new data regulations aimed at improving resilience. The FBI explains what it found in its investigations of Hillary Clinton's emails and Defense Attorneys find new lines of defense.

Dave Bittner: [00:00:41:02] It's time to thank our sponsor E8 Security, you know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks and E8 Security's behavioral intelligence platform enables you to do just that. It's self-learning security analytics give you early warning when your critical resources are being targeted. The E8 security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit E8security.com/dhr and download the free white paper to learn more. E8 transforming security operations.

Dave Bittner: [00:01:32:14] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday June 8th 2016.

Dave Bittner: [00:01:38:07] Another encryption issue surfaces in the Android ecosystem. Orange Labs reports that Android’s KeyStore default implementation could be susceptible to forgery attacks. It’s a proof-of-concept, not an attack in the wild, but the news is nonetheless unwelcome. Orange Labs says KeyStore’s hash-then-encrypt authenticated encryption scheme in cipher block chaining mode doesn’t guarantee the keys’ integrity. The researchers admit that criminal exploitation wouldn’t be easy - it would, for one thing, require that the victim install a malicious application that needed KeyStore read/write permission. They disclosed their findings to Google in January.

Dave Bittner: [00:02:16:22] This report joins concerns expressed earlier this week about Android’s KeyMaster module, whose Qualcomm environment was found vulnerable to reverse engineering. Qualcomm says that it fixed the vulnerabilities in 2014, and so informed Google; if there’s still a problem here, one infers, it’s not Qualcomm’s.

Dave Bittner: [00:02:34:16] Some follow-up to the D-Link device vulnerability. It affects not only routers, but web-connected cameras and other consumer IoT devices as well. Michael Patterson, Founder of Plixer, points out that the risk here is widespread, and may prove difficult to contain. Taking smart TVs as an example of the issues that arise with the connected home, he said, “I fear that some manufacturers may not be patching the OS of old TVs, as most don’t require any type of subscription for updates.” Thus consumer electronics may be making another contribution to the botnet world.

Dave Bittner: [00:03:10:02] Wendy’s the U.S. fast-food restaurant chain, has determined that the payment card data breach it sustained when criminals gained access to its network late last fall was more extensive than previously believed. More than a thousand restaurants were affected, and Wendy’s thinks the attackers gained access to the company’s network through some third-party or parties. “Service providers’ remote access credentials” the company said, appear to have been compromised.

Dave Bittner: [00:03:36:04] Some observers think the chain needs to consider a radical response: decommission and replace its current infrastructure. Brad Bussie, Director of Product Management at STEALTHbits, told us that, “The most logical thing to do in this instance is to invest in protecting your brand and deploy new servers to all Wendy’s locations. The damage the malware has caused and will continue to cause can’t be assigned a simple monetary value. The reputation of Wendy’s is at stake and the quickest and most controlled way to eradicate the hack is to decommission the current stores infrastructure.” He thinks Wendy’s might do well to be guided by an analogy with farming. “When the breadth and depth of an infestation is unknown, it makes the most sense to burn your fields, till the earth, and start over."

Dave Bittner: [00:04:20:15] We often hear about the contribution data analytics can make to security, and how big data analytics in particular can offer insight into defense. Malek Ben Salem, from our partners at Accenture Labs, talked us through big data and big data analytics. We'll hear from her after the break.

Dave Bittner: [00:04:36:19] Elsewhere in cyberspace, the Kovter click-fraud malware is posing as a Firefox update—users of the Firefox browser should exercise caution. Banks in Japan are sustaining a wave of BEBLOH Trojan infestations, and the venerable NetTraveler spy tool, which researchers have been tracking since 2012, has returned to targets in Eastern Europe.

Dave Bittner: [00:04:56:17] Mac backdoors are also making a comeback—ESET has found another, “Keydnap,” [KEEP-nap] which is hunting passwords in Mac keychains.

Dave Bittner: [00:05:05:03] The advantage in ransomware seems, for the moment, to be shifting back toward the criminals. Sucuri has observed a new variant, “Cryptobit,” being distributed in a campaign called “Realstatistics.” Realstatistics, which is also pushing the more familiar CryptXXX, is using the Neutrino exploit kit and exploiting compromised websites based on the Joomla or Wordpress content management systems.

Dave Bittner: [00:05:28:10] CryptXXX itself has grown harder to track. It’s being distributed in more effectively obfuscated forms (as, for example, in pseudo-DarkLeech). It now directs victims to a new dot onion site for payment (payment still accepted in Bitcoin, of course) but it’s now removed the customer service support it once provided its victims in order to make it easier for them to cough up their ransom.

Dave Bittner: [00:05:50:03] DedCryptor, the ransomware that struts its stuff as an evil Santa Claus (or, more properly, as our editor pedantically insists, an evil Ded Moroz) is spreading out a bit from its Russian heartland and infecting more English-speaking users and removes the opportunity to contact customer service. DeCryptor is still asking for 2 Bitcoin—about $1300—if you want to be taken off the naughty list.

Dave Bittner: [00:06:20:08] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.

Dave Bittner: [00:06:42:01] And joining me once again is Malek Ben Salem, she's the R&D Manager for Security at Accenture Technology Labs. Malek I know one thing you wanted to share with us today is your take on how big data can help with analytics.

Malek Ben Salem: [00:06:53:20] Absolutely. I think big data technology is enabling new security analytics use cases and applications, you know. Companies today struggle with their security analytics. If they're only collecting data or acting upon data such as security alerts and events collected by their Sim tools, that security information event management tools, or by looking at their logs from their firewall servers; those are just the tip of the iceberg in terms of the things that they are, they types of data that they can analyze. based frameworks where storage is no longer a problem we can collect a lot more and act upon a lot more data. For example, we're no longer limited to what application firewall data. You can look at your user web browsing behaviors, you can gather data about malware from the Internet. You can gather data like, you know, what are the blacklists and watchlists and link that to malware that you see to understand what's going on within your network. You can use business process data to understand how your applications are doing and identify if they're undergoing an attack. You can leverage social media activity, email data to understand or to analyze your employees' behavior and identify if there are any insider threats within your company. So a new range of use cases, a new range of applications are enabled by the ability of being able to link structure and non-structure data to these big data frameworks, big data repositories and big data processing capabilities.

Malek Ben Salem: [00:07:37:10] The reason why it cannot analyze more data is prior to this is because we didn't have these big data repositories. But today with technologies like big data frameworks, Hadoop-based frameworks where storage is no longer a problem, we can collect a lot more and act upon a lot more data. For example, we're no longer limited to what application firewall data. You can look at your user web browsing behaviors, you can gather data about malware from the Internet. You can gather data like, you know, what are the blacklists and watchlists and link that to malware that you see to understand what's going on within your network. You can use business process data to understand how your applications are doing and identify if they're undergoing an attack. You can leverage social media activity, email data to understand or to analyze your employees behavior and identify if there are any insider threats within your company.

Malek Ben Salem: [00:08:52:06] So a new range of use cases, a new range of applications are enabled by the ability of being able to link structure and non-structure data to these big data frameworks, big data repositories and big data processing capabilities.

Dave Bittner: [00:09:11:09] Malek Ben Salem thanks for joining us.

Dave Bittner: [00:09:16:19] Time to tell you about one of our sponsors, the SINET Innovation Summit. SINET brings its innovation summit 2016 to New York next Thursday. If you're interested in learning how finance industry, universities and government can work together for better security come to Times Square and hear about the potential of public private partnership for cyber security innovation. And best of all CyberWire listeners who register with the code SINECYB, that's S-I-N-E-C-Y-B, get a $100 discount. So check out SINET's Innovation Summit, connecting Wall Street, Silicon Valley, and the Beltway, and tell them the CyberWire sent you.

Dave Bittner: [00:10:03:06] In industry news, Avast’s move to buy competing and complementary security company AVG for $1.3 billion has had a generally positive effect on the markets. The acquisition seems both a bid for a geographically wider market and an IoT security play. Cyber security exchange traded funds enjoyed a nice bounce on the news. The acquisition is also regarded as an auspicious sign for prospective sellers, notably Intel, which is interested in finding a buyer for its security unit, and for companies like FireEye that are perennial subjects of acquisition speculation.

Dave Bittner: [00:10:37:05] We wanted a take on the current state of the early-stage start-up ecosystem, and so we spoke with Bob Stratton of the Mach 37 cyber accelerator to gain some perspective.

Bob Stratton: [00:10:47:18] Our focus is restricted to things that are specifically oriented around cyber security products. We started in September 2013 and since then have helped launch 35 security products, start up companies.

Dave Bittner: [00:11:05:06] Mach 37 is located in Northern Virginia and Stratton says "from the outset being in the mid-Atlantic was a deliberate choice.

Bob Stratton: [00:11:12:05] What was then an intuition and which I now actually can prove, is that we had perhaps the highest density of security expertise in any region in the world in the mid-Atlantic area. And more recently that's been borne out because I know there was at least one analysis done across all the security people that could be found on Linkedin; and about half were found to be in the U.S.. And the single biggest concentration of security expertise in that group was in the Washington/Baltimore area at around 6%, whereas the closest runners up were New York and Silicon Valley and they were both in the 2% range.

Bob Stratton: [00:11:58:07] So what was an intuition for us has been borne out, which is that, we're in an area that has the people who understand the threat and understand the problem. However, the economy in this region tends to be very service oriented and one of the things we've often wondered about is, you know, why don't we see more product companies in the mid-Atlantic region given that we have all this talent here that understand this stuff? And the answers to that come down to a couple of things. Access to capital, investment capital is certainly one big factor. And another is that a lot of the people that start these kinds of companies tend to be technical founders. They tend to have come from the technical track initially and may not, if you're talking about a first time CEO, for example, they may not have been through some of the more management traditional business history that, you know, startups in other sectors, those founders might have come from. So we realize that in order to address kind of all of those things you needed to do a couple of things.

Bob Stratton: [00:13:04:05] One is you need to create an ecosystem that would foster access to capital and customers frankly, but also we decided that a curriculum was in order. So unlike a lot of other accelerators where the program may consist of office hours with mentors and a dinner once a week, we actually built a 14 week program that is oriented to what my partner, our managing partner Red Gorden calls the cumulatively exhaustive set of things a startup CEO needs to know.

Dave Bittner: [00:13:36:04] Mach 37 typically engages with start ups early in the business life cycle.

Bob Stratton: [00:13:41:05] We are usually the first money into a company, first outside investor into a company. We can and have taken a range of companies that spanned from a good idea on the proverbial cocktail napkin, to companies that have come to us having built a product and having got customers and revenue. And we can tailor the program to the extent we need to, depending on that. But in general they have not even raised a formal seed ground yet in may cases. So what happens a lot of the time is right when they come out, that's the point where we're helping them do funding raising for a more formal structured seed round before they even think about going to a series A.

Dave Bittner: [00:14:31:24] Stratton says Mach 37 focuses on product based startups for a number of reasons. There's the obvious one of course that product companies often provide the best return on investment but equally important, according to Stratton is the issue of scalability.

Bob Stratton: [00:14:46:00] The reality is you have a lot of very talented people working on the service side of this and none of us scale. This problem is huge right. We continually hear about we can't hire enough people, we have all these roles that need to be filled, we can't get enough analysts. At the end of the day if you're in a position, if you have some expertise that you can encapsulate into some mechanism that's reproduce-able you may have the opportunity in some small way to be in more places than one at once, and do more work than eight hours a day if you can body that expertize into a product. And so if you even just look at it from the cyber security problem or at large and ask yourself the question, how can I achieve the maximum impact on this problem, there's an argument to be made that we need better products that solve more problems more effectively than we do now.

Dave Bittner: [00:15:39:21] Bob Stratton also shared some advice based on his experience working with so many startups.

Bob Stratton: [00:15:46:02] I've seen more worthwhile security products, start ups hurt out of an unwillingness to talk about what they're doing than I have ever seen hurt because somebody took their idea. Ideas are a dime a dozen and they may be brilliant, but execution, at the end of the day, is really what matters and so, because of our nature as security people we tend to be, you know, very private, very concerned about telling anybody what we're doing and maybe even, dare I say it, a little bit paranoid. I've seen far more people hurt themselves by being cagey and not engaging with people who might be able to help them than I have ever seen hurt because somebody stole their idea.

Dave Bittner: [00:16:26:24] That's Bob Stratton from the Mach 37 cyber security accelerator. The name Mach 37 by the way comes from the speed at which an object must be going to reach escape velocity from earth. So yeah, pretty cool.

Dave Bittner: [00:16:42:19] In policy news, as companies continue to mull the possible effects of Brexit, the European Union has moved to adopt new cyber security rules. RedSeal CEO Ray Rothrock had this to say about the EU’s regulations. “The EUs new cybersecurity rules are an important step forward. Fundamentally, they recognize that perimeter defenses, while necessary, are not sufficient to stop and, more importantly, recover from a successful cyberattack or disruption. Networks supporting critical services – such as banking, power distribution, drinking water, and healthcare – must be resilient. “A new focus on resilience will help enterprises manage what goes on inside the firewalls on their networks and continue to deliver services critical in a civil society.”

Dave Bittner: [00:17:28:11] And finally, the big story this week in the U.S. involved the FBI’s decision not to recommend indictment of former Secretary of State Clinton for mishandling classified information. FBI Director Comey testified before the House Oversight Committee yesterday. In essence he said that, while the former Secretary was “extremely careless,” there was insufficient evidence of criminal intent to sustain a prosecution.

Dave Bittner: [00:17:52:13] There are some gestures in Congress to deprive the presumptive Democratic presidential nominee of access to classified information, but there’s also movement toward other investigations. The State Department is reopening its own inquiry, and the House Oversight Committee strongly hinted it would be asking the FBI to open a perjury investigation.

Dave Bittner: [00:18:11:20] And defendants in other cases involving the handling of classified information are already invoking the standards implied in the email investigation as they move for dismissal or acquittal.

Dave Bittner: [00:18:25:14] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. We hope you'll help spread the word about our show by telling your friends and coworkers about the CyberWire. The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody, thanks for listening.