The compleat hacker: wading pool, laptop, MiG 21; no hoodie, no problem, and more.
Dave Bittner: [00:00:03:13] US think tanks hacked. And, as with the election databases, signs point toward Russia. Russia calls it an American provocation. US Federal and state officials think about securing November's vote. SWIFT sustains new money transfer fraud attempts. New ransomware strains are out in the wild, and a Trojan is impersonating Google Chrome. And what would it take to get you kids into a MiG-21?
Dave Bittner: [00:00:31:15] Time to take a moment to thank some sponsors. The Johns Hopkins University Information Security Institute and Compass Cyber Security are hosting the third annual Senior Executive Cyber Security Conference on Wednesday, September 21st, from 8:30 am to 4 pm. That's going to be at the Homewood Campus of Johns Hopkins University, right here in Baltimore. Hear from industry leaders on cyber security best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cyber security landscape, threats and challenges ahead for organizations, and how senior leaders can work towards shifting their data to being safe and secure. You can find out more online at secsc.compasscyber.com, or the Johns Hopkins University Information Security Institute website at isi.jhu.edu. Do check it out. And we thank the Johns Hopkins University Information Security Institute and Compass Cyber Security for sponsoring our show.
Dave Bittner: [00:01:37:20] I'm Dave Bittner in Baltimore, with your CyberWire summary for Wednesday, August 31st, 2016.
Dave Bittner: [00:01:43:19] US officialdom has been slow to attribute recent politically-relevant hacks to any state actors, but Crowdstrike hasn't been coy. The company says Cozy Bear (Russia's FSB) is behind breaches at US think tanks studying Russia. The full list of affected think tanks is unknown, but one of them is the Center for Strategic and International Studies. CSIS not only acknowledged coming under attack (whose effects they said they've mitigated) but described the ministrations of Russian intelligence as part of the cost of doing business. The director of the Center's strategic technologies program, James Andrew Lewis, told Defense One, “It’s like a badge of honor - any respectable think tank has been hacked. The Russians just don’t get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”
Dave Bittner: [00:02:37:14] Russian intelligence services remain the leading suspects in last month's incursions into US voting databases, but Russia Today pooh-poohs all the evidence tossed up by ThreatConnect, Fidelis, Crowdstrike, and SecureWorks as a whole lot of nothing. These denials convince few beyond those already disposed to take at face value Russian Foreign Minister Lavrov's denial a fortnight ago. He declined to comment on "pseudo sensational news," and added, "President Putin has repeatedly articulated our position and stated publicly that we never interfere in the internal affairs of other countries.” So there you have it.
Dave Bittner: [00:03:15:01] In fairness to Foreign Minister Lavrov, as usual the evidence in these cases, however compelling it may be, remains largely circumstantial. There is, however, a growing consensus that US elections are vulnerable to disruption in cyberspace.
Dave Bittner: [00:03:29:00] If you're an election official anywhere in the US, whether you're in Hackensack, Pflugerville, Show Low, or Coalinga, and you're worried about Cozy Bear or Fancy Bear finding your networks just right, RedSeal's CEO Ray Rothrock offered the CyberWire some tips we're happy to pass along to you.
Dave Bittner: [00:03:46:17] First, accurately visualize all access paths across your as-built network. Prioritize vulnerabilities based on that access, and on the business context of the information on the network. Segment your network to control or limit access from untrusted sources (like, we add, the Internet). Take vulnerable assets offline, if possible, and use your security resources against high-priority vulnerabilities. Rothrock, like many observers, sees erosion of voter trust in the electoral system as among the more serious concerns these incidents arouse.
Dave Bittner: [00:04:19:19] The insider threat continues to be a serious challenge for cyber security professionals, be it the malicious actor or the careless or undertrained employee. We recently caught up with Dr. Jim Kent, global head of security for Nuix.
Dr. Jim Kent: [00:04:33:13] For the first time, the growing trend about insider threat is really being realized. It's, you know, the awareness and acceptance that the insider threat has always been the elephant in the room that nobody really wants to talk about, is now coming more and more to the front. People are accepting it, and saying okay, there is something that we really must look at how we deal with, and why is insider threat important to me? And why is it important to us at Nuix? Well, for me, it encompasses a lot of the general trends that you see in cyber security, under one umbrella. So, when we start to dig into that, it gets really interesting, because we start to say, well look, where is the critical value data? We're suddenly going into the realms of understanding the lay of the land, what are the threats? We always talk about the threats as being the landscape. The software's a threat, the hardware's a threat, and the people are a threat. Well, I really saw the scales slide this year towards understanding that the software bits, that we have many bits of technology in the cyber security landscape, that are trying to deal with the software and the hardware, but the people threat is that persistent threat, and it's the variable that's always moving around. So trying to understand how we put the person as an insider threat in those situations, what they would do, how they'd behave, how we build from the ground up an approach of governance and accountability, how do we work out who's accessing what, how it's encrypted, how those critical value data buckets are put together, and why they're put together. Understanding that is becoming more prevalent in the security world, which is a really good trend that I've seen.
Dr. Jim Kent: [00:06:16:13] When you start now stepping back, and reassessing what does cyber security really mean, I think you can see the market in the industry, and actually the clients and the drivers and the people beside it, are saying maybe it's time to start looking at and thinking about this slightly differently. Taking all the good bits we have found, looking at the use cases, looking at the behaviors, consolidating and bringing it all together, and looking at how we best attack and approach the next set of prevention and detection going forward.
Dave Bittner: [00:06:48:22] That's Dr. Jim Kent from Nuix.
Dave Bittner: [00:06:53:00] There have been a number of public-private initiatives across the United States that seek to foster cooperation for both security and economic development. One of the newer ones has just been opened in Mississippi—the Mississippi Executive Alliance for Cybersecurity, or "MEAC" to give it an acronym. MEAC held its first meeting last Friday. The goal is "to provide a venue for business leadership – board members, CEOs and CFOs – to address cyber security so that they can effectively lead their organizations in a connected economy."
Dave Bittner: [00:07:25:00] Reuters this morning broke the news that the SWIFT international funds transfer system has sustained several additional attacks since the well-known fraud committed against the Bangladesh Bank. SWIFT declined to disclose the affected institutions this time around, but it did say the common factor in the incidents was exploitation of weak local security that enabled attackers to request fraudulent money transfers. SWIFT wants its member institutions to shore up their cyber security as soon as possible.
Dave Bittner: [00:07:53:05] The CyberWire heard from Balabit's István Szabó, who said, "Even if banks upgrade and improve their current security tools and procedures as recommended by SWIFT, it is important to highlight that these attacks are not primarily machine based and current security tools won’t spot them." Essentially the problem as he sees it is one of privilege abuse and privilege management. He recommends close profiling and monitoring of privileged users.
Dave Bittner: [00:08:18:21] In news of more ordinary cybercrime, Dr. Web warns that the Mutabaha Trojan is impersonating Chrome in the wild. ESET has been following OSX/Keydnap, which steals OSX Keychain data and installs a backdoor on a victim machine. OSX/Keydnap has been newly observed spreading via the Transmission BitTorrent client application.
Dave Bittner: [00:08:40:08] AVG has discovered a new strain of ransomware - "Fantom", with an F, which poses as a Windows update to gain access to its targets. Experts continue to debate the wisdom of paying ransom, but the best protection remains secure backup.
Dave Bittner: [00:08:55:14] Finally, if you'll indulge an anecdote, one of our stringers once walked into a cyber café in the former Soviet Union. He took one look, turned around, and walked back out.
Dave Bittner: [00:09:05:07] If we may virtually return to Russia for a moment, we'd like to give a shout-out to the journal "Foreign Policy," which is running the best stock picture of a hacker, ever. If you're tired of seeing some wraithlike figure in a hoodie hunched over a keyboard, go check out Foreign Policy's story on election hacking. The guy in it is shirtless and sitting in a lawn chair, scowling at a huge laptop. In the background are a kid's inflatable wading pool, a couple of discount camping tents, and…get this…a MiG-21. The guy's gotta be a nogoodnik if we've ever seen one. But still, we wish we had our own MiG-21.
Dave Bittner: [00:09:47:16] Time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire Web to develop information security intelligence that gives analysts unmatched insights into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from the technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:10:40:22] And it's my pleasure to welcome to the show our newest Academic and Research Partner, Yisroel Mirsky from Ben-Gurion University. Welcome to the show. Why don't we begin with an introduction. Tell us a little bit about yourself.
Yisroel Mirsky: [00:10:51:21] I came from Toronto, Canada. I was born there and I moved to Israel when I was about 18 years old. I did some religious studies and then I did my mandatory military service here in Israel, and afterwards I started my first degree in Communications Systems Engineering. And that's where I really got involved with cyberspace security and got interested in it. And that was really in my last year of my studies, where in order to get your degree, you have to do a final project. And I came up with this idea, instead of encrypting binary ones and zeros, what if we encrypted the physical signals themselves, so in other words, the voltage that goes over the wire, or the audio patterns that go over audible sound waves. The concept here is that every level lower that you encrypt your channel, the more information is protected. So if I encrypt the actual physical signal, and it sounds like white noise to you, then you don't even know the bit rate, per se, of the signal that's going all through the channel. That's what really launched me into the domain of cyberspace security and on actually that idea which we call the Vernam Physical Signal Cipher, I got a patent and sold it to a startup company.
Yisroel Mirsky: [00:12:00:16] And after that, I realized that I really wanted to become a researcher in the domain of cyberspace security, especially for two main reasons: one, the domain involves a lot of creativity, thinking outside the box; and two, the domain's always changing. There are new technologies coming out all the time, and it keeps you thinking and it keeps you on your toes. So, I searched for a place to do my Master's, and I found Ben-Gurion University. They are the center of cyberspace security here in Israel and they're growing very fast. And I got accepted to the Direct Track program for a PhD, a five year program, and I'm finishing up my last year now.
Dave Bittner: [00:12:38:00] Tell us about the lab there.
Yisroel Mirsky: [00:12:39:23] So the lab here, a little bit of history, it goes back at least ten years or so, when Deutsche Telekom - I think in the States it's called T-Mobile - so they opened up a lab here in Ben-Gurion University, and what they were really looking for is a cooperation with a university somewhere international, in the States or in Israel or in Europe. And they had some sort of idea for a project, and kind of like a bidding war, so to speak, in terms of proposals or research. Ben-Gurion University was accepted, and it was an idea of trying to deploy scrubbing stations in their network to try and clean the traffic before it gets to the user. And they were so impressed with this three year project that we did that they opened a lab here, and that's caused our university to grow.
Yisroel Mirsky: [00:13:33:19] Since then, we do a lot of projects with the industry, with IBM, with RSA, with Lockheed Martin, all in the domain of cyberspace security. And for two reasons, really: one, because, as researchers, we need funding and we need new ideas that involve and affect the world; and we need the data, especially when we're talking about machine learning. And on their side, they have the data and they have a problem, and we have the expertise. So it works out quite nicely together.
Yisroel Mirsky: [00:14:02:19] And here in Beersheba we have basically a triangle that's being built: here at the university; right next to the university, at the High Tech Park; and where the military's intelligence units are coming. And the vision of the Government is to have a cooperation center here where each sector works together and shares information together.
Dave Bittner: [00:14:26:19] All right, Yisroel Mirsky, welcome to the CyberWire.
Dave Bittner: [00:14:30:20] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.