The CyberWire Daily Podcast 8.12.16
Ep 162 | 8.12.16

FBI has "high confidence" Russians hacked DNC. Olympic hacks, cyber vigilantes, criminal markets.

Transcript

Dave Bittner: [00:00:03:18] The DNC hack was discovered by the US Intelligence Community last year. The FBI has high confidence Russian services were behind it. Concerns about election and other infrastructure hacking rise. More point of sales systems are compromised by the Carbanak gang. Cybercriminals offer a new financial malware kit and ransomware gets picky over whom it hits. The cybersecurity labor market is complex but talent remains in demand. The Olympics see both cyber crime and patriotic hacktivism. How safe are ICS and SCADA systems? Industry expert, Robert M. Lee, weighs in. And Pokémon gets kicked out of the Pentagon; we think they all went to Crystal City.

Dave Bittner: [00:00:46:13] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries, or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: artificial intelligence real threat protection, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:42:21] I'm Dave Bittner, in Baltimore, with your CyberWire summary and week in review for Friday, August 12th, 2016.

Dave Bittner: [00:01:49:11] Sources close to the investigation of the Democratic National Committee hack and related intrusions into the US political party's networks, say the FBI has "high confidence" that the Russian government is behind the incidents. The investigation has been going on for longer than the DNC's been aware it was hacked. Reuters reports that US intelligence officials told the Congressional "Gang of Eight" about the espionage last year. They said back then it was a spearphishing attack, which still seems likely enough. The slow disclosures coming from the investigation are prompting two reflections from observers. First, this comes mostly from the security industry, there seems to be a lot of interest in influencing the US elections, whether by hacking or by more widespread information operations. Second, and this comes mostly from the foreign policy establishment, this can't be good news for Russian-American relations.

Dave Bittner: [00:02:41:00] Forbes reports that the same cybergang who hit Oracle's MICROS point-of-sale system has also been discovered in compromises of five other cash register vendors: Cin7, ECRS, NAVYZEBRA, PAR Technology and Uniwell. It's thought that the gang is Russian—the same operators behind Carbanak—and that more than a million point-of-sale devices are affected.

Dave Bittner: [00:03:03:21] Several new developments in the criminal economy are worth noting. Bleeping Computer and Malwarebytes are tracking an evolution of the familiar tech support scam—you know the kind: someone calls you and tells you they're usually from 'Microsoft tech support,' that your computer's been infected with a virus, and that they need to 'take control' of your machine to clean it up. In this case you're the one who does the calling. A screen comes up that emulates a Windows activation screen, then persistently nags you to call and pay for your 'activation key.' So far, rebooting seems to get rid of them, but they may get better. Malwarebytes can detect and clean the infestation.

Dave Bittner: [00:03:41:15] Heimdal Security reports on a crook-to-crook vendor going by the name "Others"—it's not clear whether "Others" is one or many. "Others" is, or are, selling what he, she, or they are billing as the next Gameover Zeus. It's a financial crime kit called "Scylex" and it can be purchased for $7,500.

Dave Bittner: [00:04:02:00] And Kaspersky describes a new version of the Shade ransomware, it's also known as "Troldesh", it comes bundled with a RAT, a remote access Trojan. So far, Shade has mostly affected businesses in Russia and the Near Abroad, that is, the former Soviet states. The RAT is the new wrinkle. It's apparently there to help the criminals confirm that the infected business is solvent before they expend too much effort in holding files for ransom. There's no margin in blackmailing bankrupts.

Dave Bittner: [00:04:31:03] Looking back on the week that's now coming to an end, we've seen some market turbulence in the cyber security sector, and even some layoffs, notably the 400 jobs FireEye cut. We should note two things, here. First, a lot of talented people were caught up in the FireEye layoffs, and, given the notorious shortage of skilled workers in the sector, we trust they'll be given a look. Second, there are a lot of jobs to be filled, so if you're looking for a position in the industry, you're probably going to find yourself in a seller's market. Later in the show we'll hear from Robert M. Lee, CEO of Dragos Security. He has some advice for transitioning military personnel interested in a cyber security career.

Dave Bittner: [00:05:11:07] Concerns about the leak from Microsoft of the SecureBoot golden key persist. The CyberWire heard from Ray Rothrock, CEO of RedSeal, a company that specializes in cyber security resilience. Rothrock noted that Microsoft is working on a third patch for the issue, and he advised, "Every network administrator and every Windows device owner should not only apply all three patches, but also run analytics to see if their networks and devices have already been compromised and, if so, how vulnerable the high value assets on their network – business plans, customer information, credit cards numbers, financial reports – are to being hacked." The SecureBoot issue, he says, makes every Windows device on your network a potential avenue of compromise.

Dave Bittner: [00:05:56:04] ISIS and its information operations remain a matter of perennial concern. Studies describe how the terrorist group's promise of meaning and transcendence transform petty criminals—particularly disaffected men in the Dar al-Harb—into willing fighters. And some close to the hacking world think Anonymous might do well to eavesdrop on ISIS networks as opposed to shutting them down through DDoS attacks. That may prove a hard sell. DDoS is relatively easy and gives immediate gratification. Eavesdropping is slower, and, at least for Anonymous adherents, smacks too much of snitching.

Dave Bittner: [00:06:31:15] The Olympics are in the home stretch. Cyber criminals in Brazil have made their mark. Strategic Cyber Ventures, Tom Kellermann, told NBC News "it's the equivalent of an industrial revolution in Brazil with respect to cyber capabilities." Terbium tells the CyberWire they've seen considerable criminal chatter and traffic related to the Olympics on the dark web this week and incidentally some early evidence of what might be a new Yahoo! Breach, we'll follow up as we learn more.

Dave Bittner: [00:06:58:18] Anonymous had earlier protested the Olympics with attacks on some Brazilian government sites, but the latest hacktivist operation comes out of China: Swimming Australia's site was subjected to a denial-of-service attack after Australian medalist, Mack Horton, dismissed his Chinese rival, Sun Yang, as a doper and a cheater. This seems, most observers think, to be a genuine cyber riot by patriotic Chinese hacktivists, and probably not the work of the People's Liberation Army.

Dave Bittner: [00:07:27:03] Finally, will someone stop the Pokémon GO madness? Earlier this week MI6 had to tell the double-ohs not to chase Pokémon inside the service's headquarters. Now it's the US Department of Defense making the Pentagon off-limits to Pokémon. So, troops, at ease, keep your noses clean and your hands off the Pikachu.

Dave Bittner: [00:07:50:22] Time to take a break to tell you about our sponsor, ClearedJobs.net. If you're a cyber security professional and you're looking for a career opportunity, check out the free cyber job fair on the first day of Cyber Texas, Tuesday August 23rd at the San Antonio Convention Center. Organized by Clearedjobs.net, a veteran own specialist at matching security professionals with rewarding careers. The cyber job fair is open to all cybersecurity professionals both cleared and non-cleared. It's open to college students and cyber programs too. You will connect face-to-face with industry leaders like Lockheed Martin, Booz Allen Hamilton and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it's free, from career expert and Army veteran, Bill Branstetter, author of the Six Second Resume. To learn more visit clearedjobs.net and click job fairs in the main menu. Remember it's clearedjobs.net and we'll see you in San Antonio and we thank ClearedJobs.net for sponsoring our show.

Dave Bittner: [00:08:52:22] And I'm joined once again by John Leiseboer, he's the CTO at QuintessenceLabs. John, when it comes to security there are issues with redundancy and replication, things to consider with those. What can you tell us about that?

John Leiseboer: [00:09:05:16] To many people security means confidentiality, authentication and non-repudiation. We immediately start thinking about cryptographic algorithms, things like AES, RSA, elliptic curves, and we perhaps also think about protocols like RPC and SSL. But security also means availability of information. It means protecting against loss of information. And this means that we consider backup, redundancy and replication of that information. This is especially important with key management systems. It's easy to see it if I have a disk full of information encrypted with a single key and, if I lose that key, I've also lost that disk full of information. Even if the encrypted information itself has been backed up, the key is lost or damaged, then the original data and all the backups are also lost.

Dave Bittner: [00:09:54:09] So is this simply a matter of regular backups or is there more to it than that?

John Leiseboer: [00:09:59:14] Well, it's important to back-up information for building deploying a selected key management system to ensure that efficient redundancy in place to maintain system availability, both normal operations and also replication backup purposes. Imagine I have two key management nodes that are deployed, each backing each other up. When a new key is generated on one node it will be replicated to the other node, ensuring there's always at least one backup copy of the key. Now consider that's two different nodes of replication, what I'd call asynchronous and synchronous modes. If a client requests a server to create a key and the server returns the key to the client before copying it to the backup server, this is called asynchronous replication. It's fast, the client doesn't have to wait for the key to be copied but it has a fatal failure mode. If the key replication process fails for any reason, and that could be like a network going down, or the backup node is offline, or even the node that creates the key originally has just flawed maintenance which just breaks, then if the original node loses or corrupts that key there's no backup so we've potentially lost the information on the client.

John Leiseboer: [00:11:12:05] The other mode of replication as opposed to asynchronous is synchronous mode. In this node the server that creates the key waits until the key has been safely replicated to the backup node before providing the key to the client. This guarantees that there will always be at least one copy of the key. This is a much safer node of operation but it introduces latency into delivering the key to the client. So we have this trade-off between latency and safety of the key.

Dave Bittner: [00:11:41:21] Alright always things to balance. John Leiseboer, thank you for joining us.

Dave Bittner: [00:11:48:01] We have a different kind of sponsor today. Maryland Art Place or MAP, one of the regions leading arts organizations inspiring, supporting and encouraging artistic expressions through innovative programming, exhibitions and educational opportunities. While an arts organization is not what you'd expect to hear about on a cyber security podcast, we're excited to be partnering with them in a cyber security-themed open call to artists. The theme of this unique opportunity for female visual artists living and working in the Greater Baltimore Metropolitan area, is creating connections, and is part of the third annual women in cyber security reception taking place next month here in Baltimore. The reception is all about creating connections among women working in cyber security and, of course, our field exists because of the extraordinary connectivity enabled by today's technologies. We're excited to see how this year's artists interpret the theme. The winning selection will be reproduced and distributed to guests at the reception. To learn more about this opportunity, visit thecyberwire.com/wcs and click on 'call for artists.' That's the thecyberwire.com/wcs and 'call for artists.' We thank Maryland Art Place for partnering with us.

Dave Bittner: [00:13:03:13] My guest today is Robert M.Lee, he's the CEO and Founder of the critical infrastructure cyber security company, Dragos Security. Prior to that he spent time in the US Air Force and the Intelligence Community. I asked him to give us some background on ICS SCADA systems.

Robert M.Lee: [00:13:19:08] Industrial Control Systems have been around for decades. Control systems themselves have been around since Egyptian times, and they've always had the focus of controlling some physical component, automating part of the world has been our big push - industrial automation. The intent was never to plug these things up to the Internet, to be pulling off data into large databases for business purposes, they were supposed to be segmented systems. So, security was an afterthought. You couldn't actually reach the system, they were all segmented. You didn't really care about the security of the software but business demands have changed over time, and as companies try to get more efficient and try to return more value to the stockholders and the company executives, there's a push to get more and more data out of these environments.

Dave Bittner: [00:14:11:03] And so from your point of view, like where are the areas of most concern?

Robert M.Lee: [00:14:15:11] So from an industry perspective the ones that always get the most amount of attention are things like the power grid, which I think obviously is very important, we don't want folks messing around the power grid. But there are other industries that just don't have the same level of national focus but are also extremely important, like water industries as an example. If you go to an energy control center that controls a portion of the US power grid, you will find that they are doing a pretty good job. We definitely take security more seriously, increase the budgets and then work harder at it, but, overall, they have really been raising the bar over the years. Go to your average water utility though and they just don't have the budgets and folks to do that. So from an industry perspective I would just that we're very lopsided. You start seeing a lot of different places that are using control systems that, as industries go, haven't been as secured as some.

Dave Bittner: [00:15:11:01] What are the take homes for you, what are the things that you think its most important for people to know when it comes to this stuff?

Robert M.Lee: [00:15:18:06] A couple of key things. Number one, we most certainly need more people in the industry. There are different classes out there, there's plenty of resources online, you can do it for free, buy some eBay equipment, tons of ways to get in this community and to do it responsibly without any sort of hype or false resumes. Number two, we need more visibility in these environments, both with the people to start figuring out what kind of threats we're actually up against and what's the potential impact. We don't just need to put more boxes on the network, we need more trained people, who will then effectively choose the right solutions or come up with better solutions. Number three is sort of a big takeaway for me is, a lot of this is undefined, and from a political perspective we really need to start getting some definitions and common terminology and some frameworks around this. The Government is constantly talking about critical infrastructure security, but its role is not to deploy National Guard troops into power stations and infrastructure sites. Its role is not to send to taxpayer-owned teams to do free assessments, that's the place of private industry. Its role is to do things around policy and opening up the pathways for these companies to be more protected.

Robert M.Lee: [00:16:35:04] These environments have big consequences and there are real threats out there but they are also the most defensible environments in the world. When you talk about an energy control station or a substation or a transmission site, you're talking ten, 15, maybe 100 at max IP-connected devices, and your little control system shouldn't be updating its Facebook status or going to LinkedIn. So these are networks that are easily patternible, they're smaller, they're more static. The difficulty is data collection but, once you actually get the data, these are environments that you can look through pretty quickly and the adversary has so much more work to do. It's not about identifying a vulnerability and getting access, it's about knowing what to do once you're there. It's physical engineering not just cyber stuff. And so, again in my opinion, the adversary has to do more and the defenders have traditionally technically an easier job even though there's definitely difficulties involved. So I would say we've got issues, we need more people, but these environments are defensible and one day I think defense is most certainly going to succeed in this area.

Dave Bittner: [00:17:43:24] I want to address this job shortage that we have in the industry right now and come at that from a couple of different angles. I mean your experience in the military, what would your advice be for someone coming out of the military who is looking at exploring a career in cyber?

Robert M.Lee: [00:17:59:03] Yes, so I think the first thing to do when leaving any job, especially the military, is to not rest on your past experience, to realize that you're going to be hitting a completely new area and field and no matter if you were the smartest expert on your old team, maybe you just had a team of folks that weren't necessarily top quality. I don't want to be put anybody down but I see this where the smartest guy in the room leaves the room and realizes that it wasn't a really good test of their skills. I think it's very important to be humble, I think it's very important to be passionate and come at the problem very thirsty for knowledge. I also wouldn't jump into a bunch of paid classes, I teach at SANS, I think very highly of the SANS classes but the right approach in my opinion is to first start off with a free education. There's so many resources online, YouTube videos, research papers, etc, and if you're not willing to sit down and teach yourself something, you're probably also not going to really excel in this industry that's sort of fast moving. Once you get a basis of doing that then you seek the paid classes, then you seek the professionals and so you can really take advantage of that time instead of trying to figure yourself out while taking a couple of thousand dollar risk.

Dave Bittner: [00:19:16:05] That's Robert M.Lee, he's the CEO and Founder of Dragos Security.

Dave Bittner: [00:19:25:03] And that's the CyberWire. And if you enjoy our show we hope you will help spread the word and leave a reviewer rate on iTunes, it's the easiest way you can help us grow our audience. To subscribe to our daily podcast or news brief visit thecyberwire.com.

Dave Bittner: [00:19:38:19] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.