Does Fancy Bear care if it's caught? Retaliation, vulnerabilities, litigation, and more.
Dave Bittner: [00:00:03:16] The bears are back and apparently not too worried about who knows it. From the DNC to the Republicans to the World Anti-Doping Agency, disbelief is getting harder to suspend. More politically motivated hacking out of Russia prompts US promises of investigation and costs to be imposed. Failures in digital hygiene continue to be exploited. SCADA hacks worry the electrical grid. And some good news, NIST has released a new cyber self-assessment tool and they'd like you to give it a spin.
Dave Bittner: [00:00:37:15] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:38:17] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 15th, 2016.
Dave Bittner: [00:01:44:22] The bears are back and we're not talking Mama, Papa and Baby, but their Russian cousins, Cozy and Fancy. Especially Fancy Bear who no longer really seems to care whether anyone knows that her paws are in the honey.
Dave Bittner: [00:01:57:03] More emails from US political figures have leaked, this time from the Republican side of the aisle. Many of them are of relatively recent vintage. Those drawing the most attention are from former Secretary of State Colin Powell, who has some unguarded things to say about both Presidential nominees. As usual, email rarely displays its authors to good advantage.
Dave Bittner: [00:02:19:02] The Republican National Committee says that, contrary to earlier reports, the RNC itself wasn't hacked, but that various Republican operatives were.
Dave Bittner: [00:02:27:24] The emails are being posted on DCLeaks, which, for some time, has represented itself as the work of American hacktivists who respect and appreciate freedom of speech, human rights and government of the people. Most observers, however, describe DCLeaks as connected to the Russian government. ThreatConnect is more direct, they say the leakers are Fancy Bear.
Dave Bittner: [00:02:49:14] US authorities have declined to attribute these incidents and they've asked for public patience, but they've also said they intend to impose costs on those responsible.
Dave Bittner: [00:02:59:04] This brings up two trends we've heard much discussed recently, at last week's Intelligence and National Security Summit ,Tuesday's annual Billington CyberSecurity Summit and this morning's Beat the Breach symposium convened by Invincea. First, threat actors, especially those run by the Russian Intelligence services, seem increasingly indifferent to whether the world knows they're involved. The last stages of Fancy Bear's incursion into the Democratic National Committee, for example, was surprisingly noisy, and the compromise of the World Anti-Doping Agency was similarly brazen. Sockpuppets remain in ritualistic use, but the deniability they afford is increasingly implausible.
Dave Bittner: [00:03:38:11] The second trend the noisiness indicates, some observers say, is that the threat actors really don't fear having consequences imposed on them. Richard Clarke, former White House Cyber Advisor finds this a disturbing trend. As he said this morning, during Invincea's Beat The Breach session at the National Press Club in Washington, "The Russians are clearly very active in the selection and they don't seem to care that we know it." He points out that when genuine emails are released, as has been the case so far, that sets up the possibility of future effective deception operations. The next tranche of ostensibly stolen emails, for example, need not be genuine at all. But, at this point, clever fabrications will be generally believed and will be tough to disprove, and that will carry weight.
Dave Bittner: [00:04:24:24] The World Anti-Doping Agency was apparently breached by spearphishing, and Mackeeper researcher, Chris Vickery, has reported that a misconfiguration on Donald Trump's official website exposed campaign intern résumés to the public internet. Plixer's Thomas Pore told the CyberWire that in his view the campaign was fortunate the website leak was ethically reported. Pore said, "the question that remains is, who else discovered the leak prior to its being reported?"
Dave Bittner: [00:04:54:13] Tim Strazzere is Director of Mobile Research at SentinelOne, a company that provides endpoint and server protection. He's credited with the discovery of an Android vulnerability involving image files.
Tim Strazzere: [00:05:05:23] It's essentially very similar to Stagefright, which has been in the news recently, so it's essentially an issue in how there was a - in parsing of a JPEG file. Specifically, it's called the EXIF format, and that's essentially the details contained within a JPEG for where this photo was taken or what kind of camera it was taken with, or maybe the shutter speed, and by improperly parsing that data, we're able to cause remote code execution and also to crash devices remotely. Because what happens is, certain applications, like Gchat or Gmail, actually parse this file before the user has said, like, hey, I want to download this or I want to view this image. So, by me sending you an email and you opening it, this could cause a crash on your side or potentially remote code.
Dave Bittner: [00:06:04:10] This really surprises me, because I guess in my mind there aren't many things more benign than a simple image file.
Tim Strazzere: [00:06:11:04] Yes, it was interesting, because this has a lot of implications where a simple image file could just be your avatar for a game, or if you're uploading maybe a picture to a social media site, or maybe you're sharing something with some friends, those are all going to be static images which we inherently just assume are going to potentially be more safe than, let's say, oh, if I send someone a PDF, they might be more wary about that if they don't know who I am. But an image, it's just something that you look at, so maybe that would be more safe.
Dave Bittner: [00:06:44:12] So can you dig into some of the specifics? What kind of modifications do you make to the EXIF metadata to make things go bad?
Tim Strazzere: [00:06:53:01] There's bits in that structure that say something like, where was the GPS coordinates, and GPS coordinates are going to be a set length, I don't remember exactly the length, but let's just say they should be six digits long after the decimal place. Well, the format accepted more than that, which nobody would really anticipate, because GPS isn't getting longer by any means, so if we could set something like that longer we could cause an overflow. And then that basically meant that the program that's passing it is going, well I only expect this many, so it should never be higher than this number or lower than this number. But by stuffing something it didn't expect in there, it attempts to read it and now it's pointing to the wrong location.
Dave Bittner: [00:07:35:07] So, what are the ways that people can protect themselves against this sort of thing?
Tim Strazzere: [00:07:40:03] So it's actually pretty interesting. Since this is in the framework of the actual Android system there's not much that they can do. In my understanding, there's no real products on the market that can protect you for this, you basically need to get an update from Google. So, as of Tuesday, when they pushed this patch, all the OEMs have the patch, and Google has pushed actual firmware updates for their devices that they control. Hopefully we'll see different OEMs actually pushing out updates as well to people, but, what I suggest to customers is to vote with your wallet, who's getting updates and when was the last time you got an update? So, until you get an update for this actual patch there's not much you can do.
Dave Bittner: [00:08:25:00] That's Tim Strazzere from SentinelOne. Tim's discovery earned him a $4,000 bug bounty from Google. He pledged that money to a local non-profit organization called Girls Garage, a maker space for middle school aged girls. And Google matched the pledge for a total of $8,000. Well done Tim.
Dave Bittner: [00:08:44:24] SCADA security maven Joe Weiss warns on Control's Unfettered Blog that intelligent relays are demonstrably susceptible to hacking. This is a matter of immediate concern to electrical utilities, but, such relays are in widespread use by other industrial sectors as well.
Dave Bittner: [00:09:02:07] Marc Sachs, Senior Vice President of the North American Electric Reliability Corporation, spoke this morning at Beat the Breach. He talked through the well known attack the Ukrainian power grid sustained last December and he noted that the outage was enabled by, again, some mistakes in fundamental network hygiene that any enterprise, anywhere, might make: susceptibility to phishing, password reuse and failure to bring systems up to date. That section of the Ukrainian electrical grid was using an unlicensed version of Windows XP as its OS.
Dave Bittner: [00:09:34:14] It's easy to be caught up in the long, human story of error. So we're pleased today to be able to close with some good news, and no, we're not talking about "City Escape" becoming the national anthem. NIST, the National Institute for Standards and Technology, whose doggedly non-regulatory and collaborative approach to standards development has been winning friends and influencing people for years, has issued a draft cybersecurity self-assessment tool, and the Institute is asking for your comments.
Dave Bittner: [00:10:01:02] The tool is called the "Baldridge Cybersecurity Excellence Builder," and it provides organizations a way of assessing how effectively they're using NIST's well regarded Cybersecurity framework. Deputy Secretary of Commerce, Bruce Andrews, said today in a statement announcing the release of the draft document that the Builder will enable enterprises to better manage their cyber risks. So, go to the Baldridge Performance Excellence Center at nist.gov and let them know what you think. Comments are open until December 15th of this year.
Dave Bittner: [00:10:34:09] Time for a message from our sponsor E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats, you've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. Its self learning security analytics give you early warning when your critical resources are being targeted. The E8 security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free White Paper to learn more. E8, transforming security operations. And we thank E8 for sponsoring our show.
Dave Bittner: [00:11:27:19] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, you know, recently I had my teenage son here at the office with me and they were sort of keeping him busy, I allowed him to use my laptop, and it struck me midway through the day, I went over and looked at some of the stuff he was surfing and he was on a gaming site, and that site looked pretty sketchy to me. It struck me that, you know, there's the whole issue of our teens, protecting our teens and our kids in what they're doing and what they're not doing, but also, you know, if I'm sharing my computer with one of my kids how do I protect my stuff?
Joe Carrigan: [00:12:03:13] [LAUGHS] That's an excellent question. The way I do it at home is everybody has their own device, everybody has their own computer. But, not everybody can afford to do that, not everybody wants to do that, not everybody wants to pay the extra power bill that comes with having two massive gaming computers in their basement. One of the things you can do, is you can set up an account for each individual in your house and make sure that they don't have administrator privileges on that PC, that will prevent them from installing software and you can require that the installation of software asks for administrative privileges, and then they'll have to ask for the password, of course then you have to keep the password out of everybody else's hands or else they're just going to go ahead and enter it and put it in. If you have a situation like you had with your son using a laptop that he might not always use, these computers a lot of time, I know Apple and Chromebooks, I don't know if Windows has it, but they have guest accounts, you can just create a guest session and just go ahead and get access to the computer, but you have extremely limited permissions but you can still do things like surf the web and check your emails.
Dave Bittner: [00:13:14:10] I really wish I'd thought about that ahead of time because they're so easy to set up, but it didn't cross my mind, but I think that's part of it too, is that when it comes to looking out for our kids sometimes they can be their own worst enemies.
Joe Carrigan: [00:13:28:08] Right, they know what they want and they want it right now, and they're going to go and do what they need to do to get it regardless of what the ramifications of that are. I think the biggest thing you need to do is to educate the kids, tell them that when you get on this computer there are going to be websites out there that don't do what they say they do, they're going to be doing something in the background, there are going to people out there who aren't what they say they are, you know, not every 14 year old girl you meet on the internet, 14 year old son, is going to be an actual 14 year old girl.
Dave Bittner: [00:14:01:11] Right. And they're collecting data about you and, you know, everything they ask you is being tucked away and filed somewhere.
Joe Carrigan: [00:14:10:03] Right.
Dave Bittner: [00:14:11:02] So, you don't want to take all the joy out of it but you've got to instill a practical sense of caution I guess.
Joe Carrigan: [00:14:16:08] Yes, a healthy mistrust, I would say.
Dave Bittner: [00:14:18:11] That's a good way to put it. Alright, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:14:22:12] My pleasure.
Dave Bittner: [00:14:25:04] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.