ISIS, al Qaeda compete online. WikiLeaks doxes DNC (courtesy FSB, GRU)
Dave Bittner: [00:00:03:16] DNC chair takes the fall for DNC doxing. ISIS and al Qaeda compete to inspire terror - authorities miss some attempts, stop others. And Motown meets malware - our notes on the inaugural Billington Global Automotive Cybersecurity Summit, including notes on safety, autonomous vehicles, bug bounties, and information sharing.
Dave Bittner: [00:00:28:08] Time to tell you about our sponsor, Cylance. Looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocent. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And even better, if you're at Black Hat this year, swing by booth 1124 and chat with the Cylance people. Cylance - artificial intelligence, real threat prevention. We thank Cylance for sponsoring The CyberWire.
Dave Bittner: [00:01:32:19] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Monday, July 25th, 2016.
Dave Bittner: [00:01:39:11] WikiLeaks has released a tranche of documents taken from the US Democratic National Committee. They include donor lists, including, unfortunately, a great deal of personally identifiable information about individual donors, which many observers think was an unintentional mistake on the part of WikiLeaks. More interestingly, they include a lot of intraparty emails. These are the documents exciting the most outrage, particularly among supporters of Senator Sanders' candidacy, because they appear to show close coordination between the DNC and the Clinton campaign. The Sanders' campaign said, over the weekend, that it expects accountability for all this. And some of the accountability the Sanders' camp expects seems to have come in the form of the resignation of DNC Chair, Debbie Wasserman Schultz.
Dave Bittner: [00:02:23:13] Consensus among observers holds that Russian intelligence services gave WikiLeaks the documents. Essentially, no one, anymore, buys the Guccifer 2.0 sockpuppet’s story. It’s all Cozy Bear and Fancy Bear, that is, Russia’s FSB and GRU. Why Russian intelligence would have publicly doxed the DNC is another question. The DNC's spin is that it’s because President Putin would prefer to see a President Trump, than a President Clinton. The Republican National Committee’s answering spin is that this is ridiculous. Preference for a President Sanders, above both these alternatives, seems to have escaped the speculators as a possibility. That the Russian government would want influence over an American election seems clear enough, but what outcome it might be pushing is not so clear.
Dave Bittner: [00:03:08:01] Even less clear is what, if any, the official American response should be. Motherboard publishes a piece by King’s College London’s Thomas Rid, in which he argues that the government of the US, and, for that matter, the government of the UK, can’t safely remain officially silent to Russian attempts to manipulate an election.
Dave Bittner: [00:03:26:09] More terror attacks over the weekend are attributed to ISIS inspiration, either definitively, as in the Middle East, or tentatively, as in Bavaria. The shootings in Florida yesterday seem, police say, to have no terrorist motivation or connection. Online monitoring apparently enabled Brazilian authorities to disrupt plans to attack targets around the Rio Olympics. The judge presiding over the case in Brazil credits both Facebook and Twitter with having helped police gain insight into the would-be terrorists’ intentions. Both ISIS and its jihadist rivals in al Qaeda continue to call for attacks throughout the Dar al Harb - that would be where most of you listening to this podcast live - with al Qaeda specifically urging lone wolf kidnappings of Westerners to be held as bargaining chips for prisoner exchanges.
Dave Bittner: [00:04:11:12] Turkey continues its post-coup-attempt crackdown, initiating a state of emergency and, temporarily, at least, suspending adherence to the European Convention on Human Rights. The EU has protested.
Dave Bittner: [00:04:24:09] Turkey’s government is also demanding that the US extradite Muslim cleric, Fethullah Gülen, who’s been living Stateside in self-imposed exile for some years. The Turkish Foreign Ministry says he was a leader of the failed coup, and that failure to extradite him will adversely affect Turkey’s relations with the US. The US says it wants more proof of a crime.
Dave Bittner: [00:04:44:24] Anonymous hackers, generally pro-coup, or at least anti-Erdoğan, are currently active against Turkish targets, one of which is energy provider, Izmir Gaz.
Dave Bittner: [00:04:55:02] In industry news, Core Security has acquired Damballa. The price Core paid for the Atlanta-based Damballa is reported, by the Atlanta Business Chronicle, to be around $9m, which represents, the Chronicle says, pennies on the dollar for Damballa’s investors. TechCrunch reports a pretty noisy exit from stealth. StackPath has emerged with $180m in funding, led by Abry Partners, and four acquisitions already queued up: MaxCDN, Fireblade, Cloak, and Staminus.
Dave Bittner: [00:05:27:12] Last Friday, we attended the inaugural Billington Global Automotive Cybersecurity Summit in Detroit. The Summit drew leaders of the automotive and security industries, as well as from universities, the US Federal Government, and the State of Michigan.
Dave Bittner: [00:05:41:00] The Summit was held immediately after Auto-ISAC, that is, the Automotive Information Sharing and Analysis Center, released its set of industry specific cybersecurity best practices. Several themes emerged during the proceedings. First, the automotive industry believes it’s in a good position to build in security before it sustains a serious, dedicated attack on its products, and it views the Auto-ISAC recommendations as a good initial step. The US Department of Transportation is also preparing to release a set of guidelines for automotive cybersecurity in the near future. And it's noteworthy that the industry’s focus, at least insofar as the Summit’s discussions were concerned, is on the cybersecurity of its products.
Dave Bittner: [00:06:21:18] Second, senior automotive industry leaders said they were determined to regard vehicular cybersecurity as akin to a safety issue, and not a field in which they intend to seek competitive advantage. The US Department of Transportation, too, sees automotive cybersecurity as a space where it should be possible to realize significant gains in highway safety. Thus, there was much talk of collaboration and threat intelligence shared by executives from several automobile manufacturers. There were also many welcoming overtures to the white hat vulnerability research community, and considerable willingness on display to use crowd-sourced bug hunting, as Fiat Chrysler is already doing. Toyota’s and Honda’s participation suggested that this interest is not confined to US manufacturers.
Dave Bittner: [00:07:06:09] Third, the industry appears intensely interested in lessons to be learned from other sectors, with the defense and aerospace sectors in particular seen as a useful well of experience.
Dave Bittner: [00:07:16:04] Finally, looking toward the future, it’s clear that the industry sees the coming advent of fully autonomous vehicles as both transformative and effectively inevitable. It’s possible, several experts said, that we may see fully autonomous cars operating on the roads within ten years and available on an ordinary retail basis.
Dave Bittner: [00:07:34:11] While the automobile industry is concerned about drivers’ privacy, it’s clear they’re more concerned with their safety. As one industry analyst said during the event, "I love my privacy. I want to be alive to enjoy it."
Dave Bittner: [00:07:51:12] Time to take a moment to tell you about our sponsor, Netsparker. Still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money, and improve security, with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products, you've got to record a login macro, but not with Netsparker. Just specify the user name, the password and the URL of the login page, and the scanner will figure out everything else. Visit netsparker.com to learn more. If you'd like to try it for yourself, you can do that too - go to netsparker.com/cyberwire for a free 30 day fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. That's netsparker.com/cyberwire. We thank Netsparker for sponsoring our show.
Dave Bittner: [00:08:48:04] I'm pleased to be joined, once again, by Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, I know you wanted to tell us about security and privacy for smart cities. Let's start off by telling our audience, what do you mean when you're talking about a smart city?
Dr. Charles Clancy: [00:09:04:18] A smart city is a new concept that is gaining a lot of traction across both the local and regional government area, but also companies that are involved in big data and analytics. It's essentially where you take the IT systems of municipality and begin to integrate the systems and the data that's generated by those systems. This could include things like: schools, libraries, transportation systems, public utilities, and public safety and law enforcement. The idea is that if you're able to aggregate all this information, you're able to run analytics on it that can generally improve the quality of life for the residents of that city. There have been a number of really interesting pilots that have happened over the last few years, across the world, looking at different aspects of this. Things like the sorts of instrumentation that might be useful for developing a smart city to open platforms for analytics that might run on the data that's generated by these smart cities.
Dave Bittner: [00:09:57:10] Of course, any time you're gathering and aggregating data, you've got issues with security and privacy. So, how does that apply to smart cities?
Dr. Charles Clancy: [00:10:04:23] Exactly. So, law enforcement, for example, is very interested in being able to leverage this data for things like predictive policing, which raises a lot of concerns about civil liberties and privacy. In general, there are key challenges with identity management, privacy of citizen data, and how that data gets used, and then security of the systems that are holding that data. There's a number of emerging protocol standards in the world of machine to machine communications. A new IETF standard called the Constrained Application Protocol, and a number of legacy messaging protocols, such as MQTT and AMQP, all of which support security features like TLS and DTLS for encryption of data. But, so far, I haven't seen really much in the way of robust authorization of that data, mostly because these pilots so far have been fairly rudimentary in their development and demonstrations.
Dr. Charles Clancy: [00:10:59:16] I think there needs to be a lot more work in the area of authorization and how this data gets used. And I think, so far really, people haven't even begun looking at the Cloud back-ends and security of those to make them resilient to hackers who may seek to mine a significant amount of data all in one place.
Dave Bittner: [00:11:17:08] Are there are any cities that are on the brink of implementing these kinds of things? Anybody doing any pilot projects in the real world?
Dr. Charles Clancy: [00:11:23:09] Indeed. There are pilots going on across the United States, and in Europe as well. Here in Arlington, Virginia, Virginia Tech is very involved with the smart city initiative, here in the National Capital region, and the cornerstone of our current research thrust in cyber physical system security.
Dave Bittner: [00:11:41:14] Dr. Charles Clancy, thanks for joining us.
Dave Bittner: [00:11:46:00] That's The CyberWire. Before we go, a tip of the hat to NPR's Planet Money Podcast, who ran a show this week called, When Women Stopped Coding. It's a story worth telling, well told. And if you're in this business, we think it's well worth your time. We hope you'll check it out.
Dave Bittner: [00:12:00:05] For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.