Dave Bittner: [00:00:03:18] The DNC hack seems to be spreading - campaign consultants private accounts may also have been compromised. Forensic evidence points to Moscow, but some still see room for doubt. Experts say the moral should be, encrypt. ISIS claims to have inspired the most recent bombing in Germany. Industry news includes a look at automotive cybersecurity. And WikiLeaks’ Assange says of the DNC dox, you ain't seen nothing yet.
Dave Bittner: [00:00:32:14] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries, or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network, and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit Cylance.com to learn more about the next generation of anti-malware. And even better, if you're at Black Hat this year, swing by booth 1124 and chat with the Cylance people. Cylance - artificial intelligence, real threat prevention. We thank Cylance for sponsoring our show.
Dave Bittner: [00:01:34:14] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Tuesday, July 26th, 2016.
Dave Bittner: [00:01:40:18] The scope of the Democratic National Committee hack seems to be wider than initially believed. Not only were the party’s networks compromised, but so, apparently, were personal accounts of Democratic consultants and Clinton campaign workers. DNC consultant, Alexandra Chalupa, began receiving pop-up warnings on her Yahoo Mail account shortly after she began searching for connections between Trump campaign chairman, Paul Manafort, and Ukrainian or Russian businesses, as part of the DNC’s opposition research. The automated warnings from Yahoo Security said, "We strongly suspect that your account has been the target of state sponsored actors."
Dave Bittner: [00:02:16:23] Other campaign officials personal accounts and devices may also have been accessed by those state sponsored actors, who are widely believed to be what CrowdStrike calls Fancy Bear and Cozy Bear, a.k.a. Russia’s GRU and FSB. CNN says Federal authorities warned the Democratic National Committee of a potential network breach months before the party acknowledged and addressed the problem. The DNC says the warnings it received from the FBI were non-specific. The FBI is currently investigating the hack.
Dave Bittner: [00:02:46:06] Most observers concur with CrowdStrike's attribution of the DNC hack to Russian intelligence services, and there’s much speculation about Russian motives, largely centered on President Putin’s conjectured wishes to throw the US presidential election to the presumably simpatico Mr. Trump. Some security firms like eSentire and Rook do note that forensic analysis of the kind CrowdStrike offers in evidence can be more circumstantial than dis-positive. Finding a Kalashnikov at a crime scene doesn't mean the Russians did it, as Rook puts it, but signs do seem to point toward Moscow. What, if any, response the US will make is unclear, and will probably await the outcome of investigation.
Dave Bittner: [00:03:25:22] Krebs looks at both Democratic and Republican email practices and finds them wanting, specifically because they flunked authentication by not having implemented DMARC.
Dave Bittner: [00:03:35:14] Other observers think there are additional lessons to be learned as well. The big takeaway, according to several security industry experts who contacted the CyberWire, is this: encrypt your email. Here’s a sampling of what they told us.
Dave Bittner: [00:03:47:15] InfoArmor’s, Byron Rashed, said, “When dealing with sensitive information through email, it should always be encrypted.” Sure, this can be inconvenient, but it’s important if you want to deny hackers access to it.
Dave Bittner: [00:03:59:22] John Gunn, of VASCO Data Security, told us, “Encryption is simple to use, inexpensive, and highly effective. It doesn’t guarantee the hackers could not have obtained the information, but it certainly would have made their job a lot more difficult.” He sees a systematic email failure of this kind as further evidence of the shortage of security professionals and campaigns unwillingness to pay for their help. “There are many commercial solutions that do exactly what was needed to protect these leaked emails. It just takes a pro and some dough."
Dave Bittner: [00:04:30:00] Lastline’s, Giovanni Vigna notes that encryption, while important, doesn’t render you bulletproof, especially if a nation state is after your data. "Using encrypted email would have helped. Encryption adds another layer of protection, which requires an attacker to obtain the encryption keys of a user in order to decrypt the messages. However, if a nation state is involved, it's not unthinkable that a compromise might include access to the secret key of the email recipients.”
Dave Bittner: [00:04:56:19] Stu Sjouwerman is CEO of KnowBe4, and the author of the book, “Cyberheist: The biggest financial threat facing American businesses.” He gave us his take on the DNC hack.
Stu Sjouwerman: [00:05:07:12] You know, you kind of have to look at how these guys operate and what they have done before. Generally speaking, state-sponsored hacking organizations use particular types of tools, usually developed in-house with a very specific signature. If you see these tools come back over and over again, then you know who you're dealing with, because that's a unique kind of identifier. It's not all that hard, when you know who you're dealing with, to point to what the source is of a particular hack.
Dave Bittner: [00:05:43:05] What about the notion that this represents an attempt by the Russians to influence the US elections? Where do you come down on that idea?
Stu Sjouwerman: [00:05:51:09] Typical Putin. Most people remember that Putin is originally a KGB man - that's called FSB these days. But once you're a spook, always a spook, is the expression. This is fairly normal operations from their perspectives, so I'm not surprised at all. They're very good. They're extremely sophisticated. They have the best of the best over there. And if they really put their mind to it, Russian hackers can get into pretty much anything.
Dave Bittner: [00:06:28:16] Sjouwerman is particularly intrigued by the use of WikiLeaks to distribute the documents.
Stu Sjouwerman: [00:06:33:15] The fact that they're using WikiLeaks is interesting. WikiLeaks doesn't seem to care that they are being used this way. The documents are real, so it's a sword with a double-edge, in a case like this. If WikiLeaks say, "Yeah, well, we don't care where it came from, even if it's the Russian state-sponsored hackers, we still promote it." That's just an interesting angle.
Dave Bittner: [00:07:02:05] That's Stu Sjouwerman, he's the CEO of KnowBe4.
Dave Bittner: [00:07:07:00] There is news in cyberspace beyond the precincts of the US Presidential campaign. ISIS remains sadly active online, posting a pre-suicide video allegedly from the Ansbach bomber, in which the young man declares his adherence to the Islamic state and his commitment to jihad. German authorities are increasing their scrutiny of potential terrorists, particularly among that country’s recent influx of refugees.
Dave Bittner: [00:07:31:01] In industry news, Acalvio Technologies has emerged from stealth. The company, which has been operating for some two years, announced a combined $17m in Series A and B funding. Acalvio describes its offering as fluid deception, a shifting and less resource intensive set of decoys for attackers.
Dave Bittner: [00:07:50:10] Last Friday the CyberWire covered the inaugural Billington Global Automotive Cybersecurity Summit in Detroit. Our full report is available online at thecyberwire.com. But today we caught up with our Editor for an overview of what we heard there. We'll hear from him after the break.
Dave Bittner: [00:08:05:11] Finally, forgive us if we return in closing to the DNC hack and its attribution of Russia. There are a few notables who dissent from that attribution. They include WikiLeaks founder, Julian Assange, who says no one has any real proof the Russians gave him the documents. Assange says he’s got lots more documents and will release them soon, and that they’ll be enough to put Hillary Clinton in jail, which of course will be believed when it’s seen. Russian Foreign Minister, Lavrov, also says Russia had nothing to do with it. Lavrov's denial is more denial-by-dismissal than non-denial denial. He said he wouldn't comment because he doesn't wish to use four-letter words. That’s some good cultural awareness and knowledge of demotic American idiom on the Foreign Minister’s part. If he’d been speaking Russian, those words would surely have run to five letters.
Dave Bittner: [00:08:57:12] Time to take a moment to tell you about our sponsor, Netsparker. Web applications can have a lot of vulnerabilities, have you heard? Sure you have, you're listening to this podcast. And, of course, every enterprise wants to protect its websites. But if you have a security team, you know how easy it is for them to waste time calling out false positives. Check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily. You can use it to automatically scan 1000s of websites in just a few hours. But, don't take their word for it, go to netsparker.com/cyberwire for a free 30 day fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. We thank Netsparker for sponsoring The CyberWire.
Dave Bittner: [00:09:51:08] Joining me is John Petrik, he's the Editor of The CyberWire. John, last Friday you were at the Billington Cyber Security Global Automotive Cybersecurity Summit in Detroit. What was this conference like?
John Petrik: [00:10:04:19] The conference was held in Detroit, with heavy sponsorship from the automotive industry, especially General Motors - they were very much present there. It brought together a lot of experts from the automotive industry, from the security industry, from sectors that the automotive industry thinks it has something to learn from, notably aerospace and defense. And it brought some people in from universities and government, as well.
Dave Bittner: [00:10:29:05] What was some of the bigger trends that you saw in the conference?
John Petrik: [00:10:32:18] There's a strong sense that the automobile industry thinks that it's getting ahead of the problem of cybersecurity. They think that they have a chance to get it right from the outset because, unlike many other sectors, they haven't really been hit by a devastating cyber attack. Just before the conference opened, the Auto-ISAC released the set of best practices for automobile cybersecurity that they'd been developing. The Auto-ISAC is an industry group that does that sort of thing.
Dave Bittner: [00:11:08:08] Any surprises that came out of the conference?
John Petrik: [00:11:11:00] The concern at the conference was overwhelmingly for vehicle security and safety. There wasn't a lot of talk about protecting IP. There wasn't a lot of talk about protecting your networks against the kinds of hacking that we're familiar with in other corporate sectors. It was also interesting to hear that nobody at the conference thought that the industry was moving too rapidly down some of the technological lines of advance that's moving. No one, for example, thought that autonomous vehicle technology should be slowed down or stopped. In fact, people from both industry and government argued that autonomous vehicle technology probably represented a very important advance in safety.
John Petrik: [00:11:53:00] Some of the surprises came out of some familiar things. We've heard at many conferences over the last several years, people from the FBI and the Department of Justice talking about the importance of investigating cyber attacks, and about imposing costs on the people who are committing them. So we heard a lot about that, from the FBI and the DOJ. One of the speakers was David Johnson, who is the Associate Executive Assistant Director of the FBI. He was very interested in encouraging any company, any automobile manufacturer or supplier, who came under cyber attack, to come to law enforcement. That's a familiar theme, of course, the FBI always says that, and I have no reason to think they mean anything but that.
John Petrik: [00:12:43:19] He talked about the importance of getting to know your local FBI. One thing he was very insistent on, and I think this was very interesting, he said, "We are not going to treat you as anything other than the victim of a crime. So, we're not going to treat you as the person who's responsible or liable for any crime." And, in fact, he said, and he said this very slowly and very clearly, "We will not provide opinion or comment to regulatory agencies."
Dave Bittner: [00:13:09:22] So, what's behind that? What's the subtext there?
John Petrik: [00:13:12:23] The subtext is that there's been a lot of aggressive regulatory policing by some Federal agencies. There are many people in industries, not so much the auto industry, but other industries, mostly healthcare, I think, who think that there are Federal agencies who are kind of out to get them. There was a little bit of a taste of that in the talk by the Federal Trade Commissioner. She started her little presentation on her panel by saying, ironically with some self-deprecating humor, "I'm from the FTC and I'm here to help you." So that got the laugh. But, she herself was in a kind of peacemaking mood, you know? She talked about the importance of understanding that perfection is not the standard, it can't be the standard. We're interested in working together with people to get it right.
John Petrik: [00:14:00:16] When people like the FBI say, regulatory body, regulatory agency, they mean groups like the SAC, the FTC, the FCC, that kind of body - the people who develop and enforce regulations. The Bureau, apparently, wants people to understand that if they come to them with a problem, the Bureau's not going to dine them out to the regulators.
Dave Bittner: [00:14:23:07] John Petrik, Editor of The CyberWire, thanks for joining us.
Dave Bittner: [00:14:28:09] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.