The CyberWire Daily Podcast 9.8.16
Ep 180 | 9.8.16

US voting security, cyber M&A action, OPM breach post mortem, Pokémon, and more.


Dave Bittner: [00:00:02:23] Continuing concerns over US elections, Congress has harsh words for the OPM. Ransomware may prove self limiting for criminals and St Jude Medical strikes back.

Dave Bittner: [00:00:20:21] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyses the entire web, developing cyber intelligence, that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's cyber daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself, to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for the cyber daily email and every day, you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to, to subscribe for free threat intelligence updates. That's and we thank Recorded Future, for sponsoring our show.

Dave Bittner: [00:01:33:19] I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, September 8th, 2016.

Dave Bittner: [00:01:39:22] As concerns about alleged and apparent Russian attempts to influence US elections continue, the secretary of Homeland Security seeks to reassure voters that the election will be conducted without the vote being hacked. Both presidential candidates said in back to back appearances on a defense policy forum last night, that they intended to make cyber security a priority in their prospective administrations. There's general consensus that the Russian government is interested in influencing US public opinion during this election cycle, probably in the direction of undermining confidence in the electoral process itself. US Secretary of Defense, Ashton Carter, is the latest US official to call Moscow out, for aggressive policies, telling students at Oxford University that Russia's government has the clear ambition to erode the principled international order, with what he characterized as unprofessional conduct in Ukraine, Syria and cyberspace. Unprofessional strikes us an odd characterization, but we get his drift.

Dave Bittner: [00:02:38:12] That the US now considers itself to be in a cold war with Russia in cyberspace, has been much in evidence so far, at the Intelligence and National Security Summit. Speakers mince no words in characterizing Russia as the adversary, along with lesser powers like Iran and North Korea. China is also mentioned, but in the context of more ordinary intelligence collection and an unseemly interest in intellectual property theft. The IP theft most seem to feel, is something the US and China might negotiate over, to their mutual interest.

Dave Bittner: [00:03:09:18] The Congressional Report on 2015's major data breach at the Office of Personnel Management came out earlier this week. It offers a harsh critique of OPM's state of security at the time of the incident, although it also points to certain improvements OPM has since made. At the Intelligence and National Security Summit, we spoke about this briefly with intrepid CEO, Richard Helms, no relation to the late director of Central Intelligence. He pointed out as significant, the fact that none of the data stolen in the breach seemed to have turned up for sale in the black market. This suggests that the intrusion into the databases was an intellectual operation, as opposed to a conventional cyber crime. Helms noted that the identity theft protection OPM is offering to the millions whose personal information was exposed, is unlikely to help them much, since criminal identify fraud is unlikely to have been the goal. He thinks the victims are more likely to become targets for an intelligence service. We'll hear more inside perspective on the OPM breach tomorrow, when we talk with Cylance's Malcolm Harkins, about his company's investigation.

Dave Bittner: [00:04:12:05] Another cyber threat, much discussed at this week's Intelligence and National Security Summit, is the ongoing Jihadist radicalization ISIS and other groups are carrying out online. Google believes it may have a response. Google's tech incubator, Jigsaw, is using its redirect method, so that search advertising algorithms will display counter messaging, beside Jihadist themed search results. Thus, you would get your ISIS results, but displayed beside them would be, for example, YouTube video of Imam's counseling against terrorism, regrets of ex-Jihadists and so on.

Dave Bittner: [00:04:45:18] Some new threats and vulnerabilities have come to light. Rapid7 reports discovering a new threat to network management systems, NMSs, they can be exploited using the simple network management protocol, SNMP, both cross site scripting and SQL injection attacks are possible and Kaspersky Labs describes Mokes, a back door built for Macs.

Dave Bittner: [00:05:07:12] Ransomware remains a problem, but there are some early signs it may be self limiting, at least as far as the criminal ecosystem is concerned. The extortionists are increasingly not decrypting files, even after ransom is paid. As many as a third of companies affected by ransomware aren't getting their data back, upon payment. This suggests the criminals may be killing their business model. There will soon be little incentive for anyone to pay. The US Government's advice is now unambiguous, don't pay, and by all means, back up your data.

Dave Bittner: [00:05:39:09] We heard from some security companies about other current issues, prompted by the report earlier this week of a breach at the Nashville Hutton Hotel. Lastline's, Brian Laing, spoke about point of sale issues. "Point of sale, POS systems, tend to rely on older operating systems, nearly all Microsoft Windows", he told us. "Interestingly, it's very common to find Windows XP in current distribution for POS systems, even today." There are many exploits available for XP and many of them operate at the kernel level. Users of vulnerable point of sale systems should be aware of this and take measures to mitigate that risk.

Dave Bittner: [00:06:14:23] Tripwire's Craig Young commented on the problems surrounding sharing cryptographic keys and certificates. "This is particularly a pain point," he said, with respect to embedded devices. He said, "The best advice for consumers is not to access devices over shared networks, including the Internet, without first installing a properly signed security certificate." It's no longer, he pointed out, as expensive to do so, as it once was.

Dave Bittner: [00:06:42:13] Many organizations feel it necessary to stand up their own security operation center, or SOC, to defend themselves against cyber threats. We spoke with Amos Stern, CEO at Siemplify, about what it takes to build what he calls, a next generation SOC.

Amos Stern: [00:06:57:02] I wouldn't say it's one thing, it's a set of capabilities that enables organizations to identify what are the real threats out of the thousands of different alerts and detections that they have, and initiate a response much faster. I'd say there are four key factors. One, you need to be able to take all the different signals in and bridge the gap between the different tools, so you just have a lot of different tools, each focused on detection of some other aspect in the organization, like a network detection tool, an endpoint detection tool, access control, data leakage, and so on and so on. You need to be able to bridge the gap between those and look at the big picture. You need to be able to run analytics and add context to everything, apply intelligence on top of that and then bring external resources together, with whatever is being detected internally and finally, you need to be able to automate whatever possible and where you can't, to empower the internal response process of the human expert.

Dave Bittner: [00:07:54:22] So, let's dig into the automation aspect of it. I mean, is automation really a requirement now because of the velocity at which the data comes in now?

Amos Stern: [00:08:05:20] Automation has a few different dimensions to it. So you can automate the investigation process, which I like to call analytics, more than automation, because there is a huge volume, like you said, of data that comes in. You need to be able to process it really fast. So, processing it means identifying the important threats, filtering out the noise, adding context, all the things that you can do, by applying analytics and then the other part of automation is automating the response. So basically, being able to define different workloads and orchestrate a list of actions and say, "If these things happen, we can take these measures automatically and either, enrich the data, block the user, just start a workflow and automate some of the response," and this helps reduce the time for the response, but it can't always be the case. So we would never replace the human factor completely.

Dave Bittner: [00:09:01:03] If someone is in the process of setting up a security operation center, what kind of advice do you have for them?

Amos Stern: [00:09:08:07] I think first, they need to think about the entire process, it's not just technology. Alright, it's a security operation, it's a combination of the technology, the people, the process, the whole thing. You need to take into account, all different signals, you need to be able to add some analytics and to put them all into one context. There are many tools to do this today, you need to be able to apply intelligence and turn intelligence to that and you need to be able to orchestrate whatever part of the response you want. Otherwise, if you miss one of these components, you can build a SOC, but it would not be the most efficient it can be.

Dave Bittner: [00:09:46:18] That's Amos Stern, he's the CEO at Siemplify.

Dave Bittner: [00:09:51:21] In industry news, St Jude Medical is suing both Muddy Waters Capital and MedSec over their allegations that St Jude's pacemakers and similar devices are dangerously exposed to hacking. St Jude disputes that allegation. It also dislikes the way Muddy Waters and MedSec seem to have used the disclosure in the service of shorting St Jude stock.

Dave Bittner: [00:10:12:19] Intel has spun of its McAfee cyber security unit, which will now operate as an independent company. An RSA begins its new life as a unit of Dell.

Dave Bittner: [00:10:26:17] Time for another message from our sponsor, Recorded Future. So, attention, threat intelligence enthusiasts, the first week in October, consider heading to Washington DC and joining Recorded Future and the rest of your community in DC, for RFUN 2016, this October 5th and 6th. Share experiences, insights and best practices. Learn from exclusive presentations by threat intelligence thought leaders and you can be the first to know, get a sneak peek of new Recorded Future product features and the company's development road map. Meet others like you, people who understand that cyber security depends upon actionable intelligence. Network with your information security peers, to learn how others apply threat intelligence. RFUN is the place to be, if you're a threat intelligence enthusiast. Register now, it's free at Recorded Future dot com slash RFUN. That's Recorded Future dot com slash R-F-U-N and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:25:08] Joining me is Jonathan Katz, he's a professor of computer science at the University of Maryland. He's also a director of the Maryland cyber security center. Jonathan, I saw a story come by on the Register website recently, about some researchers, who apparently, have had some success cracking homomorphic encryption, now, that's something we've talked about on the show before. Can you start off by just giving us a quick review, what are we talking about with homomorphic encryption?

Jonathan Katz: [00:11:47:07] So, this technique of homomorphic encryption is actually something quite amazing, that was developed in a breakthrough, just under a decade ago and which, what basically allows you to do is to perform arbitrary computation on encrypted data and people are really excited about this because what it would allow you to do, potentially, is encrypt your data and send it off to be processed by another party, who could, like I said, do arbitrary processing on data to compute an encrypted result, send it back to the original user, who could then recover that result, all without leaking any information to the party doing the computation. So this is really exciting and there's been a lot of progress in developing schemes over the past few years, with either better security, or better efficiency, or some combination of both.

Dave Bittner: [00:12:32:22] So what is the vulnerability that these researchers claim to have discovered?

Amos Stern: [00:12:35:05] Well, it turns out, there was a scheme published in 2014, that was claiming to have a new approach to developing a fully homomorphic encryption scheme, that would be much more efficient than previous schemes. But what researchers showed just recently is that they were able to actually take that scheme and break it in a variety of different scenarios. One of those scenarios was, it happened to be the case that the same data were being encrypted under multiple different public keys then the researchers were actually able to recover that original data and in another attack, they were actually able to mount what's called the chosen-ciphertext attack, which is a kind of an active attack on a communication protocol, to recover the entire private key of the fully homomorphic encryption scheme. So basically, taken together with these results, demonstrated that the original scheme proposed in 2014 was actually insecure.

Dave Bittner: [00:13:28:12] So, how big a blow is this against homomorphic encryption in general?

Amos Stern: [00:13:33:23] Well, I think it actually doesn't say very much about the fully homomorphic encryption schemes that have been proposed and analyzed in the mainstream cryptographic literature, I think what they're truly demonstrating is just the importance of pure view in general, so basically, cryptographers will very often publish a new scheme and kind of throw it out there and see whether anybody else can break it and in this particular case, researchers, just a couple of years later, were in fact able to break it. What a lot of modern cryptosystems and a lot of the, like I said, the fully homomorphic encryption scheme, that are proposed in the mainstream literature, they actually come with proofs of security, that show that the underlying encryption scheme can be reduced to some hard mathematical problem and so this gives a lot more confidence in such a scheme and yes, I think it's really a good demonstration of the importance of this kind of proof of security. The scheme that was attacked didn't come with any proof to begin with.

Dave Bittner: [00:14:26:20] Alright, Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:31:08] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the editor is John Petrik. Our social media editor is Jennifer Eiban and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.