Dave Bittner: [00:00:03:18] Updates on the weekend's bombing and knife attacks against US targets in Minnesota, New York and New Jersey. Fancy Bear doxes more athletes from the WADA networks. Fancy's also still interested in US elections, and experts point out that releasing genuine emails could be battlespace preparations for online disinformation operations. In industry news, Oracle buys Palerra, and major tech companies form a Vendor Security Alliance. Reactions to the prospect of a Snowden pardon, and an insider gives his take on Snowden, the movie.
Dave Bittner: [00:00:39:18] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily, we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet by yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough.
Dave Bittner: [00:01:02:03] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identity new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:47:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, September 19th, 2016.
Dave Bittner: [00:01:53:14] The weekend saw several physical attacks across the United States, with fewer injuries than might have been feared, and with no fatalities reported save some among the attackers. The incidents, which remain under investigation, include stabbings in Minnesota and a series of apparent bombings, both successful and attempted in New York City and New Jersey. They're particularly affecting travel in the northeastern corridor of the US, as one of the explosive devices was found at a rail station in Elizabeth, New Jersey, just south and west of New York City.
Dave Bittner: [00:02:24:07] ISIS sympathizers, both in casual social media conversation and in ISIS's more official channels have been quick to applaud the attacks online, praising "soldiers of jihad" and to urge others to follow their example. As is usually the case, signs point to inspiration and local collaboration as opposed to central direction of the attacks. Police have taken at least one bombing suspect into custody, one Ahmad Khan Rahami, and they're in the process of moving in on a suspected terror cell in New Jersey.
Dave Bittner: [00:02:55:06] It would be pleasing to report that cyber investigation and alert online policing revealed the plots and saved lives, but in this case, no, we don't yet have any information to that effect. A bomb in Seaside Park, New Jersey, went off without injuring anyone because the charity race it apparently targeted started late.
Dave Bittner: [00:03:13:19] The devices in New York City were either poorly fabricated or poorly placed. They were similar to the bomb used at the Boston Marathon. One bomb in New York was accidentally found and inactivated by thieves as they tried to steal the bag it was concealed in. Crooks in Elizabeth also found the bomb near the rail trestle, but the New Jersey thieves had the decency to call police.
Dave Bittner: [00:03:34:20] One set of three apparently connected cyber incidents is also under investigation by police in Dearborn, Michigan. ISIS sympathizers defaced three Michigan Arab-American organizations' websites late last week. The hackers were apparently distressed by the organizations' lack of zeal for jihad and sought by the defacements to inspire the groups' members to acts of jihad. The affected organizations were not moved by the appeal.
Dave Bittner: [00:04:00:10] Fancy Bear has released more documents it hacked from the World Anti-Doping Agency, WADA. This tranche affects more non-US, prominently Australian, athletes.
Dave Bittner: [00:04:10:00] Fancy Bear's interest in US elections also continues unabated. Few dissent from the consensus that Fancy Bear is run by Russian intelligence services. The US Department of Homeland Security offers various forms of security support to state election officials. Acceptance is voluntary, elections won't be Federalized.
Dave Bittner: [00:04:28:16] Concerns center around the discrediting effects of disruption and disinformation. Information operations are more feared than data corruption in the service of direct vote fraud, although that's a concern, too. The recent doxing campaigns may also be serving as battlespace preparation. As we heard last Thursday from former White House cybersecurity advisor Richard Clarke at Invincea's Beat the Breach event, even if initially leaked emails are genuine, there's no reason to expect the next tranche will be. And this is the sort of disinformation informed election security observers worry about.
Dave Bittner: [00:05:02:01] Turning with relief to patch news, we hear that Mozilla is expected to patch a Firefox zero-day tomorrow. The flaw rendered users susceptible to man-in-the-middle attacks. It's also attracted much unfavorable comment in the vulnerability researcher twitterverse, who have been excoriating Mozilla for letting it happen.
Dave Bittner: [00:05:20:16] In industry news, Uber, Twitter and other tech-dependent companies have formed the Vendor Security Alliance, which intends to drive better standards for security products. The VSA, as it will be known, will vet and rate security products that the Alliance members consider for adoption.
Dave Bittner: [00:05:36:08] In M&A news, Oracle has acquired cloud security shop Palerra. And healthcare and biomedical security firm Protenus has received the privacy industry's top honor, the 2016 HPE-IAPP Privacy Innovation Award. Other winners have included IBM and Microsoft, so bravo Protenus, you're in distinguished company.
Dave Bittner: [00:05:57:12] Edward Snowden says he's not really asked for a Presidential pardon, but he thanks his supporters for doing so on his behalf. It's also pretty clear he thinks he'd be a good candidate for executive clemency. The House Permanent Select Committee strongly disagrees, as we said last week, and over the weekend dueling editorials and op-eds took up the pro-pardon and anti-pardon causes.
Dave Bittner: [00:06:18:20] Those for the pardon see Snowden as having made an indispensable contribution to the cause of privacy and civil liberties generally by drawing attention to US surveillance policy and capabilities.
Dave Bittner: [00:06:29:17] Those opposed to the pardon ask, who benefited, and answer, essentially, "Russia," as they point out that most of what Snowden revealed were legitimate intelligence operations against foreign targets. They also argue that the NSA was shown to have been operating under appropriate legislative authorization with executive and judicial oversight, which they think casts doubt on Snowden's oath-to-the-Constitution explanation.
Dave Bittner: [00:06:54:22] Oliver Stone's film Snowden, "a dramatization of actual events," as they say, comes in for some quiet criticism by retired NSA Deputy Director Chris Inglis, who told National Public Radio that the Deputy Director depicted but not named in the flick would have been himself. And he never met Snowden, and certainly never directly gave him the sensitive, highly important, "Jason-Bourne-like" intelligence job the movie shows him entrusting to Mr. Snowden. Snowden, he points out gently, was a systems administrator working for a contractor, doing an important job requiring considerable skill, but he was a low-level employee.
Dave Bittner: [00:07:32:16] Inglis also offered some apt genre criticism of the film's claim to be "a dramatization of actual events." Inglis told NPR, quote, "Dramatization to me means you add the occasional exclamation point. You bring in a musician to perhaps add some background music. But you don't tell a story that is fiction," end quote.
Dave Bittner: [00:07:52:04] Finally, here's some legal news that involves no fiction. Laurie Love, the British gentleman accused of hacking US defense networks, will it seems face the music in a US Federal Court. A UK court has just ordered him extradited across the Pond.
Dave Bittner: [00:08:12:00] We've got another message from our sponsor Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four. After all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web.
Dave Bittner: [00:08:35:18] Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cybersecurity depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun. That's recordedfuture.com/r-f-u-n and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:09:13:03] Joining me is Malek Ben Salem. She's the R&D manager at Accenture Technology Labs. Malek, I know there at Accenture you recently published a framework regarding the security for the industrial Internet-of-things. What can you tell us about that?
Malek Ben Salem: [00:09:26:04] Yes, the industrial Internet-of-things as you know introduces various operational technology architectures. Whether it's healthcare or manufacturing, transportation or energy production, all of these industries have different architectures. So at Accenture Labs as we deal with clients from various industries, we developed a framework for security for these industrial Internet-of-things domains.
Malek Ben Salem: [00:09:56:04] And what we focused on is, what are the, the common themes around these architectures and what are the differences between, between these domains. One thing we looked at is the edged year which we think has to be self-organizing and self-reliant. Today we see some solutions, security solutions at the edge, that provide some capabilities, some security functionalities but there is still a gap in protecting all the devices at the edge.
Malek Ben Salem: [00:10:33:15] For example, you know, many of these solutions are not vendor agnostic. So when you deploy them you have to make a lot of customization for that particular industry domain. What we're looking at in our framework is find mechanisms to detect and prevent physical or remote tampering with edge devices regardless of what the device is. That's one, one key security capability that we think is important.
Malek Ben Salem: [00:11:07:11] Another security capability that we've looked at also is a distributed intrusion detection mechanism that can optimally assign security functions to the resource constraint devices at the edge. So some, some mechanism that augments that edge layer with additional security capabilities, whether it's an additional device that is not constrained in terms of its re-- storage and computer capabilities, or whether it's a gateway at the edge that is responsible for augmenting the security capabilities of the edge devices underneath.
Dave Bittner: [00:11:48:18] Are we starting to see the development of these sorts of standards with IOT devices? Or is it still pretty much the wild west out there?
Malek Ben Salem: [00:11:55:19] I think we're starting to see that, and NIST has a working group that's working on Cybersecurity Framework and they published several drafts of their framework.
Dave Bittner: [00:12:07:24] Alright, Malek Ben Salem, thanks for joining us.
Dave Bittner: [00:12:13:05] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, and if you're interested in reaching a global audience of security influencers and decision makers, well, you've come to the right shop. Visit thecyberwire.com/sponsors to learn more.
Dave Bittner: [00:12:31:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.