The CyberWire Daily Podcast 8.23.16
Ep 169 | 8.23.16

Shadow Brokers: zero-day hoarding (or not) and firewall exploitation.
Dave Bittner: [00:00:03:17] Juniper joins Cisco and Fortinet in confirming Shadow Brokers' zero-days. We hear from the principal investigator in Columbia University's study of NSA zero-day disclosure policy. And we talk with RedSeal about firewall security and vulnerability. IoT encryption R&D updates. Security startups attract more investment. And what not to say to your VC.

Dave Bittner: [00:00:30:16] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet by yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:38:12] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 23rd, 2016.

Dave Bittner: [00:01:44:21] Juniper Networks joins Cisco and Fortinet in confirming that the Shadow Brokers' leaks include zero-days for its products. NetScreen devices running ScreenOS are vulnerable. Most observers who've expressed an opinion have concluded the Shadow Brokers' leaks are genuine. There's more divergence on attribution of responsibility, although consensus continues to point to Russian intelligence. A minority argues that this couldn't be the case, because the Russian organs would have held the material quietly and exploited it for their own purposes, and that hence the leaks were the work of a rogue NSA insider. But more observers, Edward Snowden, of all people, among them, argue that disclosure is a deliberate move on the part of the Russian government to discredit NSA and place American intelligence collection in bad odor. And, of course, the complicity of a compromised insider is consistent with a Russian intelligence operation.

Dave Bittner: [00:02:36:09] That the Shadow Brokers are private actors with a mix of hacktivist and mercenary motives seems unlikely. Their online auction of the material has seen no serious bidders. And, as CIO points out, the loss leaders with which they've teased the market would have brought a great deal of money from zero-day brokers, whether white, grey, or black hat. As it stands, their bids yesterday totaled only a little more than a thousand dollars.

Dave Bittner: [00:03:00:16] There's been much speculation over whether or not the NSA has been hoarding zero-days. We spoke with Jason Healey, Senior Research Scholar at Columbia University.

Dave Bittner: [00:03:09:15] Well, you lead the study at Columbia University of NSA zero-day policy, and you presented that at DEF CON this year. And you suggested that there wasn't a big hoard of zero-days being kept by the agency. Can you summarize those conclusions for us?

Jason Healey: [00:03:24:00] The research did a couple of things. One, we wanted to get in and get some detail on this actual process that the government uses on whether they're going to keep vulnerabilities to themselves or tell the vendor. Second, we looked at how many does it seem like they keep per year. So as a former White House staffer, Director of Cyber Policy, and a former NSAer, and if you'd have asked me beforehand, I probably would have said in the hundreds. I don't think in the thousands, but it was possible. I talked to other folks that were like me, and they were kind of insider outsiders. I mean, they didn't know the real number, but they knew a lot about Washington DC and about national defense, and that seemed to be about right. And it looks like that today the number is in the single digits. I mean, we saw one number that said two in 2015. They retained two vulnerabilities, or at least two that the White House is aware of. Far, far less than, I think, anyone else would have guessed.

Dave Bittner: [00:04:25:17] What do you advocate as a policy with respect to government discovery and disclosure of vulnerabilities?

Jason Healey: [00:04:31:10] Well, you know, having been a former NSA, from the White House, right, NSA's got a spot and they are there and they've helped to make sure that we haven't had additional attacks like 9/11. You know, they're keeping an eye on what the Russians and the Chinese and the Iranians are up to. And spying versus cyber meetings is one of the most effective ways to do that. So, we know that it has to have this role. So, one of the things that we'd like to get across to folks is there's actually a relatively good mature process that seems to be happening right now. You know, NSA is particularly a lot less nefarious [LAUGHS] than I think that a lot of people fear. We've already done a fair amount of transparency. You know, most of it was forced on the White House, right? They weren't talking about this process until Heartbleed came out, and then that forced the NSA and the White House to come out and start telling us more about this process.

Dave Bittner: [00:05:20:09] Has the Shadow Brokers incident, you know, led you at all to reevaluate the conclusions of your study?

Jason Healey: [00:05:26:17] Not so far. I'm very open to it and I'm quite concerned that I might have to. You know, Symantec came out, you know, they said, "Last year, we discovered 50 zero-days in the wild in 2015." So, again, you know, an NSA arsenal of dozens sounds about right if you said, "All right, well, we discovered 50," and that covers all of the US ones, all of the Chinese, all of the Russian, all of the organized crime. And so right now, I'm prepared to come off of that, but I haven't seen anything so far that shakes us.

Dave Bittner: [00:05:59:14] That's Jason Healey, Senior Research Scholar at Columbia University.

Dave Bittner: [00:06:04:24] RedSeal is a cybersecurity company that specializes in network resilience. They also found themselves mentioned in some speculative reports about the NSA leaks last week. We wanted their take on that, as well as their thoughts on protective firewalls. I spoke with Ray Rothrock, CEO of RedSeal.

Dave Bittner: [00:06:22:09] Last Friday, Salted Hash published a piece where they reported, with some skepticism, that hackers with the handles, "Brother Spartacus" and "13 John," said that someone called "Dark Lord" was conducting a red team engagement of some RedSeal tools on behalf of In-Q-Tel, and that they walked off the job with a copy of the vulnerabilities, the Shadow Brokers had published. Do you have any comments about that piece?

Ray Rothrock: [00:06:45:07] We really don't. We have no knowledge of any of that. The reporter did call us and we don't have any knowledge of that at all. That headline and that article stunned us. We don't know what happened with the Shadow Brokers leaks in terms of any details, what they did, or how they did it or whatever. We just don't have any knowledge of that. But, there's some other information on the web that indicates that the tools leaked are legitimate, and that there is some connection to the NSA. And watching the fallout through other articles like that scoop this morning, it's quite serious and companies like Cisco and whatever are taking this as a five alarm drill. So, that's what we know.

Dave Bittner: [00:07:32:04] So, the story is that this may have involved firewall zero-days. We're wondering what your take is on how does an enterprise know that it has a problem with its firewalls?

Dr. Mike Lloyd: [00:07:42:09] So, the nature of the vulnerability in some of these firewalls comes from SNMP, and this is a management protocol.

Dave Bittner: [00:07:48:02] Dr. Mike Lloyd is RedSeal's Chief Technology Officer.

Dr. Mike Lloyd: [00:07:51:12] If you want to understand what that means for an organization, you have to think about traffic to a firewall and distinct traffic through a firewall. A firewall exists to police some edge, some boundary between one place and another. And so you set these things, certainly at your outer edge, but also for internal segmentation. A lot of organizations over the last several years, for reasons of resilience, to try and increase their ability to withstand attacks, they started using internal segmentation. This means you use firewalls at a lot of boundary locations, and they're supposed to send all traffic through these devices. So, that's normal. If you want to use the network, your traffic needs to go through a firewall. But, as a typical network user, you should never need to send your traffic to the firewall.

Dr. Mike Lloyd: [00:08:35:09] Now, what that means is that you normally set up a network, kind of distinction, between the people who can send traffic to the firewall and those who can't, right? This is different from all of the regular traffic that has to pass through it. So, the traffic with the two traffic is you set up a network management zone inside a network. It's a standard best practice. But it's a quite difficult thing to do. This may sound a little bit abstract and, well, because it's a little bit abstract, organizations struggle to understand whether they've got good control over traffic to their firewalls. And this is what scares them when news like this comes out, right? The scary part is, okay, there's now a vulnerability, and if anybody can send this SNMP traffic to my firewall, they may be able to get onto them and do all kinds of nasty things. And they can't easily tell whether they've got control of traffic to the firewalls.

Dave Bittner: [00:09:22:21] What can an enterprise do to protect themselves?

Dr. Mike Lloyd: [00:09:25:11] A very good starting point is to audit who has access to your firewalls. Where do you allow access from? You'll see this in the advisories from all of the makers of the firewalls as well. They're all in a scramble right now to build a patch software that is no longer vulnerable. That's the routine response to a zero-day. There's also a lot of focus, not just on the firewall devices, but on how you manage your network. Do you have a well built enclave where only your network management personnel who need to do this have access to the firewalls? And, so, one of the first things you have to do is go check, "Okay, did I get that network management zone built correctly?"

Dave Bittner: [00:09:59:04] That's Dr. Mike Lloyd, Chief Technology Officer at RedSeal.

Dave Bittner: [00:10:04:17] Interest in, and concerns about, the security of the Internet-of-Things continue to grow. Yesterday, researchers at Tohoku University in Sendai, Japan, announced development of what they describe as "more efficient" compression of encryption for IoT devices.

Dave Bittner: [00:10:20:04] US scientists at NIST are also working on standards for lightweight crypto of the kind IoT devices will need. The task apparently is giving them the willies. Short keys of the kind they're considering are relatively weaker. They're working to arrive at standards for devices that will be lightweight enough to work on simple IoT devices, but that will remain strong enough to accommodate useful security.

Dave Bittner: [00:10:42:09] In industry news, ThreatQuotient announced this morning it had received $12 million in Series B funding. The round was led by New Enterprise Associates, joined by existing investors, Blu-Venture Investors, and the Center for Innovative Technology. Tempered Networks has said that it's raised an additional $10 million in funding. Rally Capital joined existing investors in the round.

Dave Bittner: [00:11:06:06] And finally, TechCrunch offers advice on how not to pitch your start-up to venture capitalists. Have you thought about saying, "We are the Uber of our industry, applying curated, user-generated gamification to the sharing economy"? Well, TechCrunch says, don't - The VCs will run for the exits. We might add "leveraging synergies" to this short list of cliché elevator-speech text.

Dave Bittner: [00:11:32:22] We've got another message from our sponsor, Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four. After all, it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts, are all invited to RFUN 2016. Meet others like you. People who understand that cyber security depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at That's recordedfuture/com/rfun. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:12:34:01] Joining me is John Petrik, editor of The CyberWire. John, what other news is coming in about this NSA leak?

John Petrik: [00:12:39:20] We had the third major company confirm that in fact some of the material leaked does include zero-days that affect its products. That's Juniper Networks, after both Cisco and Fortinet had last week said that, yes, they confirmed that the zero-days did affect their products.

Dave Bittner: [00:12:55:13] How about attribution? Are we narrowing that down at all?

John Petrik: [00:12:58:20] Most people continue to believe that the leaks are ultimately the work of the Russian government. Most people don't find the apparent identity of the Shadow Brokers particularly plausible. That being that they're kind of disinterested activists who are also in it for the money, who want to strike a blow against the people they call "wealthy elite" and so on and so forth. James Bamford, a journalist who's written a lot about the NSA for many years, his book The Puzzle Palace was the first general study of the NSA to be published several decades ago. Bamford has looked at it and he said that he doesn't think it could have been the Russians. It's foolish to speculate that it was the Russians because, had the Russians had access to this material, they would have been the last people in the world to disclose it, to reveal it.

John Petrik: [00:13:50:11] There are alternative explanations as well. I mean, the thinking that it has to be an insider comes largely down to observations people have made that some of the content of the leak, so the material that's leaked so far, appears to contain words that would have only been accessible to someone who had access to an air gap system. So, the notion is that there's another Snowden, as people are calling him, pilfering this stuff, taking it out on a thumb drive or some other storage medium, so that's possible. And it's worth noting, however, that the existence of a rogue insider is by no means incompatible with the whole operation being a Russian intelligence operation.

Dave Bittner: [00:14:32:12] John Petrik, thanks for joining us.

Dave Bittner: [00:14:36:14] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. And our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.