Zero-days, industry notes, the Intelligence & National Security Summit, and more.
Dave Bittner: [00:00:03:18] Notes from the Intelligence and National Security Summit, especially about cyber conflict with nation states and terrorist organizations. Unresolved issues of cyber deterrence and where it should fall on the spectrum of conflict. Goals of election hacking and other influence operations. Ransomware trends and credential breaches. And sometimes your enemies are an even better recommendation than your friends.
Dave Bittner: [00:00:30:24] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily, we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet by yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending, technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:38:21] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, September 12, 2016.
Dave Bittner: [00:01:45:01] Last week's Intelligence and National Security Summit offered a great deal on cybersecurity policy and practice. Cyber was not only addressed repeatedly in the plenary sessions, but it was the focus of one of the conference's three breakout tracks. That cyberspace is of prime concern to the intelligence community and those who support it is unsurprising, but a walk through the exhibitors' hall offered some striking confirmation: cybersecurity vendors dominated the space.
Dave Bittner: [00:02:11:05] Also interesting was the clear sense that the leaders INSA and AFCEA drew to the summit were working through some of the same theoretical, practical and conceptual issues defense thinkers have grappled with over the past century and a half. How those issues will be resolved in cyberspace is, in some cases, clear; elsewhere it remains murky.
Dave Bittner: [00:02:30:16] Questions of deterrence were particularly difficult to resolve; several of the symposiasts suggested that cyber deterrence today was in roughly the same state of theoretical immaturity nuclear deterrence was in in 1950. How to balance the need for certain attribution and credible retribution on the one hand, with the competing need for freedom of action and desirable ambiguity on the other, in particular, remains an unsolved challenge.
Dave Bittner: [00:02:55:05] The international norms we find in such places as the law of armed conflict are also still missing from cyber conflict. The entire field remains to be developed. Couple this with an observation made by Lieutenant General Kevin McLaughlin, Deputy Commander, US Cyber Command, to the effect that cyberattacks need not be met with retaliation in kind, and it's clear that the relationship between the virtual and the kinetic world remains, to say the least, imperfectly understood.
Dave Bittner: [00:03:22:21] For a full account of the Summit, visit our website, thecyberwire.com. The Summit was hosted by AFCEA International and the Intelligence and National Security Alliance, INSA.
Dave Bittner: [00:03:33:21] Among the topics taken up at the Summit was the threat posed by nation-states, Russia prominently among them, and by non-national actors, especially the Islamic State. The Islamic State, that is ISIS, may be on the way to defeat; that's the assessment of Director of Central Intelligence Brennan and his colleagues in the Big Six US intelligence agencies, especially insofar as ISIS aspires to be a Caliphate holding, governing and administering territory. But Brennan and his colleagues don't regard this as unalloyed good news. They expect to see a decline in ISIS cyber and information operations capability as it loses the relatively secure enclaves it finds useful in producing what FBI Director Comey called "the kind of propaganda they use to influence screwed up individuals." But they anticipate problems as well, expecting a metastasis of fighters to spread to other regions as ISIS loses control over its core territory.
Dave Bittner: [00:04:30:23] There are reports today that law enforcement and intelligence agencies find ISIS an increasingly elusive opponent online, less easy to track and trail than it formerly was. This is, in part, due to ISIS's increasing use of encrypted chat, but to a great extent, as the Wall Street Journal reports, it's attributable to the Caliphate's reversion to traditional terrorist cellular tradecraft: "face-to-face meetings, written notes and misdirection." Sometimes one advances capabilities by technological retreat.
Dave Bittner: [00:05:01:16] The other class of threat that received a great deal of attention at last week's meeting was, of course, the nation-state threat. Here, four states were singled out as particularly troublesome: China, Russia, Iran and North Korea.
Dave Bittner: [00:05:14:12] Australian authorities see a rising threat of foreign cyber attacks aimed at eroding that country's government's legitimacy, and the credibility of its political leaders. Chinese efforts here pose the most immediate concern, although Russia is mentioned as well. Chinese influence operations appear mostly economically motivated, and to extend such things as traditional lobbying, shading toward bribery.
Dave Bittner: [00:05:38:06] US concerns about Chinese cyber operations have less to do with fear of influence than they do with ongoing incidents of direct hacking aimed at theft of intellectual property. Yet here, the experts at the Intelligence and National Security Summit were in substantial agreement. The cyber tensions with China can be, and are being, managed through diplomacy and negotiation.
Dave Bittner: [00:06:00:05] Matters stand quite differently with Russia. Here the concern is more serious, as Russia shows a strong capability and willingness to wage hybrid warfare. Both the President and the Secretary of Defense have warned Russia about interfering with US political processes, and last week's symposiasts agreed there was a threat there. Director of Central Intelligence Brennan declined over the weekend to say that Russia was hacking the elections, but he did counsel wariness over Russia's cyber capabilities, which he assessed as high. Observers are arriving at a consensus that manipulating US election results globally would be difficult, although local mischief remains a real concern. The dispersed and disparate nature of the state-run US electoral process is, by virtue of what FBI Director Comey last Thursday called its "clunkiness," relatively resistant to large-scale manipulation. But such large-scale manipulation is thought unlikely to be Russia's goal. As The Hill noted this morning, the goal is not to change the results of November's elections, but rather to call them into question, thereby undermining "confidence in American democracy."
Dave Bittner: [00:07:05:05] In cybercrime notes, as ransomware continues to morph and spread, researchers at TrendLabs find the CryLocker ransomware exfiltrating user information as a PNG file.
Dave Bittner: [00:07:17:03] Another big credential breach hits, this one involving the Russian instant messaging service QIP.ru; it's thought to affect 33 million users.
Dave Bittner: [00:07:27:20] As President Obama nears the end of his second term, the American Civil Liberties Union has opened a campaign advocating a Presidential pardon for NSA leaker, Edward Snowden. This Wednesday, the ACLU is expected to join Amnesty International and Human Rights Watch in opening a petition to that effect. They hope to take advantage of the attention generated by the opening of Oliver Stone's film, Snowden. Appropriately enough, the petition will be conducted online.
Dave Bittner: [00:07:56:07] Finally, we've, on a few occasions, been able to shout "bravo" in the direction of Emsisoft's Fabian Wosar, who's released several ransomware decryption tools. Recently he's received accolades of another kind: the Apocalypse criminal coding group has named a strain of ransomware after him. Fabiansomware. We hear it's poorly designed. In any case, bravo Fabian, and keep slugging. Sometimes your best recommendation is the enemies you make.
Dave Bittner: [00:08:30:17] Time to take a moment to thank our sponsor, E8 Security. You know, to handle the unknown unknown threats you need the right analytics to see them coming. Consider the insider threat, and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score users' risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip-off to a compromise? E8 can show you why. Get the white paper at e8security.com/dhr and get started. Detect, hunt, respond. E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:09:17:02] And I'm pleased to be joined today by Yisroel Mirsky. He's a PhD candidate researcher and project manager at the cyber security research center at Ben Gurion University. Thanks for joining us today. I know one of the things you wanted to talk to us about, one of the areas of your research, is air gap security.
Yisroel Mirsky: [00:09:33:19] So, air gap security is a security measure in which an organization physically isolates their network from public networks in order to evade attacks, or really to evade direct confrontation. So, for example, military networks or financial systems and, most commonly, industrial systems such as power plants. Although it's a great measure and it really does help minimize the attack vectors on the organization's network, it's not impervious to attacks. For example, there are many malwares out there that can get over this air gap, this physical separation between the two networks, for example, Flame, Gauss, Agent.btz, Stuxnet and so on and so forth. So, when it comes down to it, the attacker's challenge is two factors: one, command-and-control of his malware, once he's gone into the network how can he control his malware to get to whatever asset he wants, and data exfiltration, as soon as he gets whatever data or asset he wants, how can he get it out of the network? And in general there are two types of channels that the attacker would be interested in, an inbound channel and an outbound channel from the network. So, for an inbound channel there's one approach which is actually quite interesting, which is the idea that not every network is completely isolated from all other networks. For example, most buildings have what's called an HVAC system, a heating, ventilation, air conditioning system, and this system will change the heating and it will also allow you to control all sorts of other subsystems such as elevators, and many times it has a web portal for the technicians to connect to and administer the system from remote. Now, this web portal connects to the public internet, but, in parallel, in the same physical space you have this isolated network.
So, what we've found is that if you compromise the HVAC system from remote you can raise the temperature and lower the temperature of the different rooms, and thus signal binary modulations over the air to the computers, because every computer has basically thermal sensors inside for the CPU and for the chassis and so on and so forth. And you can actually detect these fluctuations quite well. So, it just goes to show that you may be able to segregate your network completely, physically, and isolate it, but that doesn't mean that it's going to be impervious to attacks. You have to think of all sorts of other outside-the-box kinds of attacks and side channels that can be affected.
Dave Bittner: [00:12:05:24] Yisroel Mirsky, thanks for joining us.
Dave Bittner: [00:12:10:14] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make The CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.