The CyberWire Daily Podcast 8.29.16
Ep 173 | 8.29.16

Bug bounty? Nah, just short the stock. Pegasus, cyber arms control, and more.


Dave Bittner: [00:00:03:02] Iran says SCADA malware wasn't the cause of petrochemical industry fires. France, India and Australia investigate theft of submarine design data. Citizen Lab's investigation of iOS spyware renews debate over cyber arms control. The Shadow Brokers haven't yet got their half-billion dollars, but their leaks chill US-Russian relations and prompt both election fears and concerns over zero-day disclosures. The US prepares to revise its anti-ISIS social media operations. A security firm gives its medical device vulnerability research to a hedge fund, hoping to profit from selling the affected company's stock short. And fisher-folk in at least two states should be alert, lest they find themselves in a social engineer's creel.

Dave Bittner: [00:00:50:00] Time to take a moment to thank some sponsors. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security are hosting the third annual senior executive cyber security conference on Wednesday September 21st, from 8:30 am to 4:00 pm. That's going to be at the Homewood Campus of Johns Hopkins University, right here in Baltimore. Hear from industry leaders on cybersecurity best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cyber security landscape threats and challenges ahead for organizations and how senior leaders can work towards shifting their data to being safe and secure. You can find out more online at or on the Johns Hopkins University Information Security Institute website at Do check it out. And we thank the Johns Hopkins University Information Security Institute and COMPASS Cyber Security for sponsoring our show.

Dave Bittner: [00:01:56:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday August 29th, 2016.

Dave Bittner: [00:02:02:21] Iran says a recent series of fires at its petrochemical facilities were not the result of a cyberattack. Official sources report that such facilities had sustained attempted attacks, but those attempts were unsuccessful and unrelated to the fires they sustained earlier in July of this year. Brigadier General Gholam Reza Jalali, Chief of Iran's Civil Defense Organization, said his organization's inspections of SCADA software discovered "inactive viruses in one or two petrochemical complexes" and that the infections were remediated without incident. He also observed that at least some of the malware came preinstalled with industrial control systems purchased abroad.

Dave Bittner: [00:02:42:18] India, France and Australia continue to investigate theft of design documents related to the Scorpene family of submarines. The data belonged to French shipbuilder DCNS, which has contributed to the design of Australia's related Shortfin Barracuda class of diesel-electric boats. French investigators so far believe the theft was committed by a rogue DCNS insider. India is also a user of Scorpene-class submarines, with six boats building or in service. It's unclear so far where the data went or on whose behalf they were taken.

Dave Bittner: [00:03:16:15] The investigation occurs as Australian authorities work to shore up that country's cyber security. Of particular concern, and not apparently related to the DCNS breach, are reports of long-running Chinese intrusions into Australian government and corporate networks. The goal of the incursion again appears to be technical information on sensitive programs, thus industrial espionage. China's embassy in Canberra denies the whole thing, calling it "totally groundless" and "false clichés." Also, China's a big victim of cybercrime and cyber espionage and not at all the bad guys here, says the embassy.

Dave Bittner: [00:03:52:19] Observers react to reports by Citizen Lab and Lookout of iOS zero-days (since patched by Apple) actively exploited by surveillance tools provided by Israel-based, California-owned NSO Group. Citizen Lab is particularly insistent that Ahmed Mansoor (whose iPhone was found infected with Pegasus spyware exploiting the since patched Trident vulnerabilities in iOS) was a legitimate human rights advocate, and not a cat's paw for subversion or terrorism against the United Arab Emirates.

Dave Bittner: [00:04:23:00] Haaretz, among others, thinks the incident calls for closer scrutiny of what many are calling "cyber arms dealers." It's worth reading the comments section on many of the articles. When an editorialist calls for restrictions on products like those the Citizen Lab report associated with NSO Group, within the first few comments one sees an accusation that the writer is shilling for Wassenaar, the much disputed and still evolving cyber arms control regime. So the question of how threat actors might be controlled without impeding legitimate vulnerability research remains open.

Dave Bittner: [00:04:55:07] So does the question of what counts as a legitimate lawful intercept tool and what counts as a legitimate intelligence operation. Discussion of lawful intercept tools is reminiscent of long-running discussions that sought to find distinctions between offensive and defensive kinetic weapons. Discussion of legitimate intelligence operations has continued to turn on issues of vulnerability discovery and disclosure. The Shadow Brokers incident prompts many to see its leaked zero-days as an object lesson in the unwisdom of hoarding, as opposed to disclosing vulnerabilities.

Dave Bittner: [00:05:27:03] The Shadow Brokers are, as current consensus holds, a sock puppet for Russian intelligence services who possibly operated with the assistance of a compromised insider, although how they got the material they're advertising remains an open question. The incident is regarded by many as an escalation of US-Russian conflict to levels not seen since the Cold War. Concerns for upcoming US elections - which may be vulnerable to both information operations and direct manipulation of electoral returns - prompt some gestures toward infrastructure protection from the US Department of Homeland Security. These gestures are not being universally welcomed by the states, many of whom sniff a federal incursion into their turf, and other observers question whether such measures as designating elections "critical infrastructure" will be on balance positive steps.

Dave Bittner: [00:06:15:22] Another issue regarding vulnerability disclosure cropped up late last week. Muddy Waters Capital, a hedge fund, shorted the stock of St. Jude Medical, Incorporated, which trades on the New York Stock Exchange under the ticker symbol STJ. The short sellers also announced that St. Jude's pacemakers and other related devices are, Muddy Waters says, vulnerable to hacking. The fund also suggests "a strong possibility" that nearly half of St. Jude Medical's revenue will be lost over two years, as devices are recalled and vulnerabilities remediated.

Dave Bittner: [00:06:49:24] Muddy Waters did not, of course, perform the vulnerability research itself; the hedge fund was approached, it says, by MedSec Holdings, a security firm focused on the health care sector. CEO Justine Bone told Bloomberg she thinks St. Jude can fix the devices and she hopes they do so soon. She also told Bloomberg, in response to a question about whether MedSec would profit from the short, that her company's compensation is key to Muddy Waters' investment. She recognizes that their approach is "non-traditional," but she said that she believed St. Jude has a record of "brushing aside" security concerns, and that this justifies their unusual step of seeking compensation through investment as opposed to bug bounties.

Dave Bittner: [00:07:31:09] St. Jude Medical has been in acquisition talks with Abbott Labs. Many analysts think this incident is likely to derail, or at least delay, any acquisition.

Dave Bittner: [00:07:41:03] Returning to information operations, the US Government is reported to be again rethinking its social media effort against ISIS. The fresh approach appears to be one of enlisting third parties, in preference to using direct messaging against the Caliphate.

Dave Bittner: [00:07:56:04] Finally, there have been two curious, similar, but probably unrelated, incidents in which fish and wildlife services in Kentucky and Oregon suffered breaches exposing personal data of game license applicants. In the Oregon case, one "Mr. High" is demanding ransom and threatening to leak the information. So if you're fishing in the Ohio or the Pacific Northwest, take care you don't wind up as some social engineer's catch of the day.

Dave Bittner: [00:08:25:16] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to, and profit from, Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:36:01] Joining me is Markus Rauschecker; he's the Cybersecurity Program Manager at the University of Maryland's Center for Health and Homeland Security. Markus, recently the White House put out a Presidential Policy Directive, I believe it's number 41, which deals directly with cyber security. Fill us in, what is this about?

Markus Rauschecker: [00:09:53:01] So about a month ago the White House issued PPD 41, which is called US Cyber Incident Coordination. And it really tries to address one of the fundamental problems of cybersecurity, which is the question, who's in charge and who's responsible for responding to a cyber incident in the government? Who do victims contact within the government once they become victims of a cyber incident? So this is what the PPD tries to outline, and it does it in a pretty straightforward way, I think. It certainly sets forth some of the guiding principles for the Federal Government in how to respond to cyber incidents, and it also establishes clearly the lead federal agencies that are going to be responsible in a cyber incident response.

Dave Bittner: [00:10:33:19] Give us some examples. Who's responsible for what?

Markus Rauschecker: [00:10:36:14] The PPD kind of breaks it out into different response areas for a cyber incident. So you'll have a threat response area, an asset response area and an intelligence support area of responsibility. What does that mean? A threat response deals primarily with law enforcement, national security, so really how to investigate a cyber incident. And for that response area the PPD says that the FBI will be the lead agency, the lead federal government agency, to deal with threat response. The second area of response would be asset response. For that the PPD 41 says that the Department of Homeland Security is in charge. And what does that mean? Well the Department of Homeland Security in its asset response responsibilities is going to provide technical assistance to organizations, to victims, it's going to help them find some of those threats that are out there, try to patch some of the vulnerabilities, help with risk assessments and then outlining some courses of action that the victim or the organization might want to undertake in response to the cyber incident. So that's DHS, the Department of Homeland Security's job, according to PPD 41.

Markus Rauschecker: [00:11:49:14] And then finally the last area of responsibility that the PPD outlines is the intelligence support area. And for that it says the Office of the Director of National Intelligence is going to be in charge. And basically we're talking about intelligence here, right? So we're talking about increasing situation awareness across the board, federal agencies should know what the threats are based on what the intelligence community knows, so that they can be better prepared for any kind of cyber threat.

Dave Bittner: [00:12:19:15] Has there been any reaction to this so far? Is it being positively received?

Markus Rauschecker: [00:12:24:10] I think any time you try to provide more clarity, any time the government tries to provide more clarity in terms of what the roles and responsibilities are and who's in charge, I think that is always well received. Part of the PPD also says that the Department of Homeland Security will be responsible for submitting a national cyber incident response plan to the White House, and I think that's going to take this PPD even a step further in terms of outlining some of those roles and responsibilities, and clarifying those roles and responsibilities for both the government, the public sector and the private sector, in terms of what some of those roles and responsibilities are. So we're going to see this national cyber incident response plan relatively soon. In October we're going to see a draft put out there for public comments, so people can comment on the draft, and then the final version will actually be submitted to the White House in January of 2017, or no later than January of 2017. So you know we'll have to wait and see what that response plan looks like, but I think it will also help in terms of outlining those roles and responsibilities and just clarifying the effort that the federal government is going to undertake when it comes to cyber incidents.

Dave Bittner: [00:13:42:19] Alright, Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:13:46:21] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision makers, well you've come to the right shop. Visit to learn more. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. And our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.