The CyberWire Daily Podcast 9.7.16
Ep 179 | 9.7.16

Election hacking (again). Also key sharing risks, and more.


Dave Bittner: [00:00:03:15] Cyber risks and cyber talks at the G20 summit. China may be looking to the Russian model in the Near Abroad as it thinks about its next steps in the South China Sea. The current state of Russian-American relations in cyberspace. The risks of shared cryptographic keys. An Android Trojan evolves. Industry notes, contracts, patches, acquisitions and lawsuits. And, you want extra bacon with that? Trust us, you don't.

Dave Bittner: [00:00:35:00] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web. To develop information security intelligence, that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:32:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 7th, 2016.

Dave Bittner: [00:01:39:17] The G20 summit which concluded Monday in Hangzhou, the first time the session has been held in China, saw foreseeable fears that those attending the summit would be the target of cyber espionage. This has been par for the course at G20 sessions in recent years. Policymakers and others attending were warned to expect a variety of hacks and other intelligence prospecting. Warnings focused on Chinese intelligence and security services and given point by the current atmosphere of great and regional power competition over territorial rights in the South China Sea.

Dave Bittner: [00:02:12:21] That particular competition has had a cyber dimension that's widely expected to increase. The Hague ruled against China's claims in July and China's rivals for control over the South China Sea, primarily Vietnam and the Philippines, have experienced cyber espionage widely attributed to Chinese intelligence services. Observers think that Russian hybrid warfare in the Near Abroad, particularly against Ukraine, may provide Chinese security service with an attractive template for action in the matter of the South China Sea. Hacking and the construction of artificial islands would seem consistent with that assessment.

Dave Bittner: [00:02:49:00] China is also widely suspected of having been responsible for the OPM breach discovered and disclosed last year. The US Congress has just released the results of its long inquiry into the compromise that affected tens of millions of Americans who held or applied for security clearances. It's highly critical of the way the Office of Personnel Management handled and secured the personal data it collected and held. We'll hear more about this breach in upcoming podcasts.

Dave Bittner: [00:03:16:08] If concerns with respect to China have mostly to do with regional territorial claims and industrial espionage, the principal concern in the US with respect to Russia currently involves fears of election hacking. Circumstantial evidence of Russian involvement in recent compromises of US political sites, has induced US officials at the meetings to seek a firmer line with Russia over cyber conflict and cyber norms.

Dave Bittner: [00:03:40:05] Russian involvement in US elections could take the form of a direct attempt to hack paperless balloting systems, but that's less certain than the information campaign Moscow is generally regarded as operating, the goal of which appears to be casting doubt on the legitimacy of US elections and the US political system as a whole. Those operations are believed to have had, so far, at least three known components. First, intrusion into election databases, which demonstrate vulnerability, even though the content of such databases is widely and often legitimately available. Second, high-profile hacking of political party and campaign organizations, initially quiet, then late this spring, noisy. And, the Shadow Brokers' sockpuppetry that purports to have exposed Equation Group attack code.

Dave Bittner: [00:04:26:01] There may be a fourth incident, possible compromise of former Secretary of State Clinton's private email server during her tenure in office. House Minority Leader Pelosi has called upon Republicans to stop exploiting alleged Russian cyber capers involving Democratic campaigns. The FBI released its findings last Friday.

Dave Bittner: [00:04:46:00] This morning, at the Intelligence and National Security Summit in Washington, Director of National Intelligence, James Clapper declined to comment on these incidents, on the grounds that they're being investigated by the FBI. He did, however, say that he foresaw increased cyber activity by adversaries that include Russia, China and transnational actors like ISIS, and ISIS's successor groups. We'll have more notes on the Intelligence and National Security Summit later this week.

Dave Bittner: [00:05:13:15] SEC Consult warned last year that too many embedded devices were sharing cryptographic keys. The situation apparently hasn't improved, and concerns about those devices' vulnerability to man-in-the-middle attacks continues to rise. We'll hear shortly from John Leiseboer from our partners at Quintessence Labs, who'll tell us all about cryptographic and key management standards.

Dave Bittner: [00:05:36:12] Kaspersky warns that an evolved version of the Gugi Trojan is now able to bypass Android 6 defenses against phishing and ransomware.

Dave Bittner: [00:05:46:08] Most people agree that cyber attacks are coming in faster and more frequently. We spoke with Gabby Nizry from Ayehu, where they specialize in automation that they say can help combat the increasing velocity of incoming threats.

Gabby Nizry: [00:06:00:00] It's not only anymore firewalls and antivirus and endpoint detections, it's now protecting against internal users and protecting by, you know, protecting people and protecting machine from people actually.

Dave Bittner: [00:06:15:03] Describe to me where is some of the areas where automation can really make a difference.

Gabby Nizry: [00:06:20:19] So, you know, automation is a game changer. The moment you add automation to the game you are able to reuse, you are able to repeat and you don't have to do it all over again manually. You can test whatever you build, once you've tested, you can go then and implement that. So for example, you can take automation into the world of data enrichment, incident enrichment, collecting data, investigation, forensic work and so on. And it can take all the long process from the moment you have an incident until you are kind of able to analyze what's going on, kind of cut it by 90%. So take only this part of their investigation and forensics and basically you can squeeze it into minutes and even sometimes seconds. It's a huge advantage to have that because you can actually respond quite faster and to contain and maybe even to immediate the incident before it's impacted the entire business.

Dave Bittner: [00:07:36:23] And why do you think that so many people are afraid of automation?

Gabby Nizry: [00:07:41:05] Fear of not being able to control the process. Fear of what will happen if the machine will do something instead of us. And again, it's just about education and it's just about people to trust automation. We know that most of the attacks and most of the hacks that are being known these days, are being, you know, done by machines. So the war, it's against the machine, not against real hackers that sit on the other side of whatever the planet where it sits and the guy is actually in real time now doing some stuff. It's machine against machine. To kind of beat the machine you have to be on the other side using machines. So, I think it's a process that people will start to see how machines evolve in their day to day. And again, in IT, I believe it's already a mature market, I wish security could learn from IT, what they have achieved so far with automation.

Gabby Nizry: [00:08:52:05] So it's not only tools, it's processes and knowledge and content that these guys need in order to be able to fulfill their responsibilities on the cyber security risks.

Dave Bittner: [00:09:05:17] That's Gabby Nizry, he's CEO at Ayehu.

Dave Bittner: [00:09:10:19] In industry news, Google has issued patches for the recently discovered Quadrooter vulnerabilities. Iovation has acquired authentication shop LaunchKey, and the Department of Homeland Security has selected Imperva's SecureSphere Web Application Firewall and SecureSphere Database Firewall for inclusion in its Blanket Purchase Agreement for Continuous Diagnostics and Mitigation Tools, Continuous Monitoring as a Service.

Dave Bittner: [00:09:36:14] And in less pleasant news, well-known intelligence unicorn Palantir is said to be suing one of its early investors. The allegation is IP theft.

Dave Bittner: [00:09:47:06] Finally, you want extra bacon with your router? Trust us, you don't. It appears that Cisco ASA devices were among the more prominent targets threatened by the EXTRABACON exploit leaked by the Shadow Brokers. Too many of those devices are said to remain unpatched for comfort. Cisco did promptly develop and push a patch after the exploit leaked. So, as always, keep your patches up to date. And hold the bacon.

Dave Bittner: [00:10:18:08] We've got another message from our sponsor Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four. After all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you. People who understand that cyber security depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free at That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:19:05] And I'm joined once again by John Leiseboer, he's the CTO at Quintessence Labs. John I know you wanted to share some information with our listeners about the standards when it comes to cryptographic and key management. What do we need to know about that?

John Leiseboer: [00:11:32:18] Common standards help enable improbability, you know, it's important though that the standards we use are properly fined, unambiguous and vendor independent. There are standards in almost every technical field. The cryptography and key management, there are standards for organizations such as the ITier, Oasis, OSI, the IEEE, NIST, ANSI, the payment card industry and plenty of others, there's no problem finding a standard in the cybersecurity world.

John Leiseboer: [00:12:05:13] Two of the most more important improbability focus standards though for cryptography and key management would be PKCS 11, which is Public-Key Cryptography Standards number 11 and KMIP, or K-M-I-P, the Key Management Interoperability Protocol. Both of these standards are currently managed by Oasis. The organization for the advancement of structured information.

Dave Bittner: [00:12:27:09] And so digging into those, I mean how do we deal with them and what part do they play in cryptography and security?

John Leiseboer: [00:12:34:18] PKCS 11 is a standard for cryptographic application program uniface. It defines a vendor independent API all in cryptographic operation such as encryption and digital signatures and also key generation. PKCS 11 turned 25 this year, so it's quite an old standard. It was originally managed by RSA, the industry standard, it moved to Oasis just over three years ago. P11 is widely used in cryptographic products, with smartcards, the hardware security modules and database encryption into web servers. Similar standards to PKCS 11 would be Microsoft CNG, CAPI in the old days, the OpenSSL API, and the Java JCE. In fact both OpenSSL and JCE for cryptographic providers that present at PKCS 11 interface.

John Leiseboer: [00:13:26:22] The other standard I mentioned, KMIP, specifies a protocol for the exchange of key management messages between key management clients and servers. It's those operation to create register and get the optics like symmetric keys, key peers and certificates. It's a relatively new standard, it was published in 2010.

Dave Bittner: [00:13:49:06] Alright, interesting stuff, John Leiseboer thanks for joining us.

Dave Bittner: [00:13:54:18] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit the CyberWire dot com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.