Hulk smash. Pokemon smish. And more on the Shadow Brokers.

Dave Bittner: [00:00:03:17] Emails flood dot gov inboxes. A retooled version of Locky ransomware is out in the wild. The Shadow Brokers seem to have some NSA goods. The brokers themselves are thought to be either Russian spies or rogue insiders, or some mix of both. Worries about US election hacking rise. More companies are concerned about insider threats. We'll chat with Chris Fogle from Delta Risk about security concerns and responsibilities for members of the board room and c-suite. And, yes, there's another Pokémon-GO hack.

Dave Bittner: [00:00:37:21] Time for a message from our sponsor, Cylance. I'm going to guess, because you're listening to this podcast, that you're looking for something beyond legacy security approaches. You're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence, and Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:36:21] I'm Dave Bittner, in Baltimore, with your CyberWire summary and Week-in-Review for Friday, August 19th, 2016.

Dave Bittner: [00:01:44:01] Breaking overnight was a story about a flood of emails clogging in-boxes of people with dot gov addresses. According to some observers, the emails, mostly newsletters the recipients didn't sign up for, amount to a denial of service operation. The problem is beginning to manifest itself outside the dot gov domain, according to Brian Krebs, who's been reporting on the incident. Krebs himself has been getting newsletters he'd rather do without.

Dave Bittner: [00:02:09:12] FireEye reports that a new, freshly retooled Locky ransomware variant is out in the wild. The vectors are macro enabled Office 2007 Word documents. Healthcare organizations are again being hit hardest, and both sides of the Pacific are affected. Infestations have been reported in the United States, Japan, Korea, and Thailand.

Dave Bittner: [00:02:30:10] This week's big news, of course, is the apparent compromise of sensitive NSA files. Consensus is that the material leaked by the Shadow Brokers is genuine. The files they've released are ostensibly a teaser in a $500,000 online auction for even more interesting stuff the Shadow Brokers claim to have in their possession. But this seems implausible. The auction isn't really set up in such a way as to inspire confidence among the bidders. And, in any case, half a billion and change is a bit steep, even for Wealthy Elite, as the Shadow Brokers are calling their ideal customers.

Dave Bittner: [00:03:04:08] Kaspersky thinks the encryption implementation in the files is sufficiently unusual to tie them to the Equation Group, a threat actor Kaspersky hasn't identified, but which is widely believed to be an NSA operation. Other evidence suggesting the leak is genuine includes zero-days for firewalls and other security products. Cisco and Fortinet have confirmed that the zero-days in the leak are genuine, and they've already issued patches. Juniper Networks is evaluating the purported zero-days in its own products, and observers think those will turn out to be real as well.

Dave Bittner: [00:03:36:13] So, with cases like this, spectators always want to know whodunnit. The pre-eminent suspects in this case are Russian intelligence services. A lot of people, including oddly enough Edward Snowden, think the Russians were behind the leaks. Snowden's speculation, shared over Twitter, and seconded by others, is that the Russian services may have accessed files inadvertently left behind on an Equation Group staging server. The timing of the incident also seems suspect, coming as it does on the heels of Russian incursions into the US Democratic National Committee and other political targets. It's worth noting that the later stages of those incursions became noisy, and relatively obvious, as if being detected might serve the attackers' purposes. Publication of the files may be intended to dissuade US retaliation for the DNC hack. Passcode quotes Immunity's CTO Dave Aitel to this effect, quote, "We talk a lot about cyberdeterrence. This is what it looks like," end quote.

Dave Bittner: [00:04:34:23] This incident, following as it does, compromises at the DNC, the DCCC and the Clinton Foundation, and prominent Republicans' accounts, has increased fears that the upcoming US elections are vulnerable to disruption or manipulation.

Dave Bittner: [00:04:49:05] But a lot of other people think those responsible were disgruntled insiders who walked out with the files on a USB drive, the way Snowden walked out with his leaks. There is material on the files released so far that observers think unlikely to have been found exposed on a staging server, or indeed anywhere else susceptible to hacking. This, they say, suggests an insider. And, of course, a disgruntled or compromised insider could have worked with Russian intelligence, so the two hypotheses aren't mutually incompatible.

Dave Bittner: [00:05:18:09] Insider threats cropped up elsewhere this week. An employee of Sage, the accounting and business software provider, was arrested at London's Heathrow Airport Wednesday in connection with a large data breach affecting between two and 300 Sage customers in the UK. The breach was accomplished by abuse of insider credentials. Recent studies suggest that companies are uneasy with respect to their ability to detect and protect themselves from insider threats.

Dave Bittner: [00:05:43:19] Matthew Ravden, CMO at Balabit, commented to the CyberWire on trends in insider threats. Quote, "The problem with insider breaches is that so many of the preventative technologies that companies have spent millions on are powerless to detect malicious activity once the user has been authenticated," end quote. He sees enterprises reposing too much faith in password management systems, and notes that once privileged users log on, they've too often got unrestricted access to sensitive data. Quote, "Privileged users pose a serious threat to every company, and passwords just aren't effective," end quote. He pointed to a recent survey by SailPoint that found one in five employees saying they'd be willing to sell their work passwords, some for as little as a $150.

Dave Bittner: [00:06:29:11] And, of course, this week has seen more news about Pokémon GO than Ash Ketchum or any other trainer would like to see. AdaptiveMobile reported finding a large Pokémon SMS spam campaign, and Plixer's Thomas Pore offered this commentary to the CyberWire. Quote, "With Pokémon GO being the fastest growing game ever, until popularity severely declines we can expect to see villains hacking various attacks. Gamers need to be wary that with popularity comes the potential for cybercrime," end quote. In particular, Pore sensibly warned gamers that anything that looks too good to be true is, and to be wary of phishing scams, whether they came by email or SMS. Quote, "With recent news of Pokémon GO ransomware, it’s unlikely that attacks against the trainers will subside anytime soon," end quote.

Dave Bittner: [00:07:17:17] Finally, we need to point out that, whatever the evidence for Russian involvement in the Shadow Brokers' incident, broken English isn't among it. The Shadow Brokers sound far more like a screenwriter's lazy idea of a Hollywood foreigner than they do any known version of non-native English speaker. Our linguistic staff called it more Hekawi than Fancy Bear. But, we have heard from a listener, J.B., we'll call her, who pointed out that the Shadow Brokers sound a lot like the Incredible Hulk, although of course a lot more verbose than the ever-loving Hulk ever was. Our linguistic staff has been doing some thinking, and they think J. B. may actually be Natalia Romanova a.k.a. the Black Widow. Who else would be so quick to recognize the voice of the Hulk? And, say, Russian, too.

Dave Bittner: [00:08:08:18] It's time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their daily's at the CyberWire, and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Check it out, go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:08:14] And I'm joined by Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and Director of the Maryland Cybersecurity Center. Jonathan, I remember when I was a kid there was a boy who lived across the street from me and we used to send each other encrypted messages for fun. We would come up with some simple way to encode a simple phrase and part of the fun was trying to figure out how the other person encoded the message and we wouldn't make them too hard. It was just sort of a game we played, send messages back and forth. I was thinking about that and it got me thinking, today, where obviously things are a lot more sophisticated, if someone presents you with something that you know has been encrypted but you don't know the method by which it was encrypted, how do you go about trying to figure out what was the method that was used to encrypt a pile of data?

Jonathan Katz: [00:09:51:12] Well, I think you can actually distinguish two general classes of encryption. So, the first is where people are using some encryption scheme that's been standardized and analyzed and is generally considered to be secure. And the second is where the people who are communicating are using an encryption scheme that they developed on their own, that they made up. And what was interesting is that, in the first case, the encryption algorithms that are used nowadays are meant to be secure, even if all of the details of the algorithm are known. So, the only things they rely on for their security is the fact that the parties are using a key that is unknown to the eavesdropper. But revealing what method you're using for encryption doesn't undermine security at all.

Jonathan Katz: [00:10:32:00] So, if you have somebody maybe using one of those encryption schemes, even if they-- you know, so, first of all, even if they tell you what they're using, it wouldn't impact security. And if they didn't tell you what they were using, you could guess from among a set of a relatively small number of possibilities, maybe ten or 15 different possibilities of how they might have encrypted it and then you can try attacking it with all 15. So then the interesting thing is if somebody comes up with their own algorithm you might think that that gives them better security because the eavesdropper wouldn't even know what method they're using. And it's sort of true, but the problem is that in general when people develop their own encryption schemes, kind of like you and your friend, they tend to be easily breakable and usually what you can do as a, as an analyst or as an eavesdropper is try to look for patterns in the underlying data and then exploit those.

Dave Bittner: [00:11:17:03] So, what kinds of patterns would you be looking for?

Jonathan Katz: [00:11:19:15] Well, for example, a lot of encryption schemes that people come up with will have the property that when you repeat letters or words in the underlying message, then you'll see repeated letters or words in the cipher text. So, modern encryption schemes, secure encryption schemes don't have that property. But, if you think about kind of the maybe historical encryption schemes that would work by substituting one letter for another, or one phrase for another, those would have that property. So, if you get enough encrypted text, you can start looking for repeating blocks of letters and then try to use that to figure out what the parties are communicating about underneath.

Dave Bittner: [00:11:55:19] Alright. Fun stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:12:00:19] I want to take a break and tell you about an exciting CyberWire event happening next month, the third Annual Women in Cyber Security Reception. Taking place September 27th at the Columbus Center on the beautiful Waterfront in downtown Baltimore, the Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cyber security industry. The focus of the event is networking and it brings together leaders from the private sector, academia and government from across the region and women at varying points in the career spectrum. The reception also provides a forum for women seeking cyber security careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connection.

Dave Bittner: [00:12:42:07] This year, we're pleased to be partnering with our friends over at the Cybersecurity Association of Maryland, CAMI. If your company is interested in supporting this important event, we have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is an invitation only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you.

Dave Bittner: [00:13:29:17] My guest today is Chris Fogle, founder and Executive Advisor at Delta Risk, where he has more than 20 years of experience in the diverse areas of cybersecurity, emergency management and contingency planning and operations. Mr. Fogle is presenting at the upcoming Cyber Texas Conference and his topic is Perspectives on Cybersecurity for Boards and Business Executives. I spoke with him earlier this week.

Dave Bittner: [00:13:53:18] Do you think that boards are properly or adequately educating themselves when it comes to this stuff?

Chris Fogle: [00:14:00:02] I think they're making the-- they're making a very good effort. Just the fact that we get a lot of calls from boards and, I mean, we work with several, tells me that they're not stupid. You don't, you know, you don't become a, a member of a large company's board because you don't know what you're talking about. One of the best things that is happening in the landscape today is that some of the details about these large data breaches are making them into reports and case studies, board members read this and they can picture themselves in that-- or their companies in that situation. In fact, that's what we encourage through our, through our exercise process, is, you know, you don't have to invent some really unique data breach or, or technical threat in order to have an effective exercise. Just go get the Wall Street Journal, any of the cyber breach case studies that are put in there or news stories, plop it down on the conference table in the board room and talk about it.

Chris Fogle: [00:14:57:00] When people can picture their own decision making in those cases, or in those stories, you know, and they understand that, that a lot of the expense that comes from cyberattacks or cyber, cyber breaches or data breaches, is on their instant response side. So in other words, it's not being prepared, taking longer than it should have, not being able to contain it, well, then they start to understand that, well, we have to be a little more proactive in our spending. And if we can prevent that, then we know based on these three or four case studies that we'll save billions of dollars or at least hundreds of thousands of dollars on the response side.

Dave Bittner: [00:15:33:22] I've heard it said that, you know, IT people tend to speak in terms of things like threat levels of red, yellow and green, whereas boards, you know, want to talk in dollars and cents, and so there's that communications disconnect. But, I've also heard that people have actually sort of been shifting around some of the positions within their companies, which shifting around some of the c-level people to have people in positions to take responsibility to bridge that gap. Is that something that you've seen?

Chris Fogle: [00:16:03:15] Yes, absolutely, in fact, I was speaking with one of the large financial institutions in Wall Street about two weeks ago. I was surprised, but not totally unexpected, that what they said was, "You know what I really need is, I need cyber guys that understand banking," right? So I-- so that, that told me that right there that they were more interested in teaching their technical staffs on, on the business than vice versa. And, again, I think that's reasonable to expect, right? The money, the investments come from the boards, come from the c-suite decisions, so they have to be processed in terms of the business. We are seeing that. I think it's a good thing. I like the idea of folks being, you know, moved around. I think the only position that I might, not really cringe, but really question is when someone becomes a CISO, a Chief Information Security Officer, I think that person has to have a good grounding, a good basis in cybersecurity or they're going to be kind of ineffective leading a technical staff.

Dave Bittner: [00:17:11:12] I'm curious, what would be your advice to someone who's heading into a board level position with a company that has to deal with a lot of cybersecurity type of issues? What would your advice be to someone like that?

Chris Fogle: [00:17:24:08] First of all, if you're looking for immediate payback on some investment, focus on your instant response capabilities. Again, that's where most of the dollars are spent when it comes to data breaches and cyberattacks. It's the inability or the unpreparedness of a company to actually handle or contain the event. And it's not just technical, this is, this is how you communicate to the media. When do you make the notifications? Do you involve your outside counsel? So, I would really encourage them to get smart on incident response and work with their leadership and staff on different types of exercises or scenarios, at least discussions. The second thing that I would tell them is, don't be typical or normal. Because right now, in today's land-- business landscape, typical or normal doesn't indicate that you're secure or that what you're doing is adequate. So you always have to strive for how can we do better? And that's where a lot of the challenge comes, because in order to be better than normal, you have to spend money, and, and we understand that that is, that that is tough.

Chris Fogle: [00:18:30:21] And then finally I would say, just, just remember, done is better than perfect. There are, there are no perfect solutions in cybersecurity. It doesn't matter what the vendors tell you, it doesn't matter what the consultants say. It's a continual process of understanding where your critical assets are, what, what is threatening them, what your risks are, and are you mitigating to the latest evolution of the threat. You can, you can look for the best return on investment numbers before you can make your investment, and the only impact or the only outcome will be that you won't make the investment because it's not-- it's just not possible. So done is better than perfect. Do something and don't be satisfied with the status quo.

Dave Bittner: [00:19:15:12] That's Chris Fogle from Delta Risk. Mr. Fogle will be presenting on this topic at the upcoming Cyber Texas Conference in San Antonio, August 23rd and 24th. We've got more information about Cyber Texas in the events section of our website, thecyberwire.com.

Dave Bittner: [00:19:34:18] And that's The CyberWire. To subscribe to our daily podcast or news brief, visit thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jen Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.