The CyberWire Daily Podcast 9.28.16
Ep 194 | 9.28.16

Alleged Russian hacking & info ops, under investigation by US. IoT botnets continue to exact a DDoS toll. Yahoo! security practices.

Transcript

Dave Bittner: [00:00:03:18] US authorities investigate alleged Russian attempts to influence upcoming elections. DDoS has come to the IoT. Yahoo security receives some harsh scrutiny. And how much does a bear weigh anyway? TheDarkOverlord is back and extorting investment bankers. We're thinking it would be a European brown bear.

Dave Bittner: [00:00:28:13] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:41:23] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 28th 2016. US authorities continue to investigate what they take to be Russian intelligence services' information operations. These include selective feeding of hacked material to various websites, some legitimately independent, like the news services that report the leaks, some of them fronts, like the Shadow Brokers and DCLeaks, and others not obviously either, like Wikileaks, although Mr. Assange's crew has been trending Russian.

Dave Bittner: [00:02:12:14] The apparent goal remains undermining US elections and the consequent diminution of US prestige and influence internationally, especially when such influence is tied to American advocacy of democratic political reforms.

Dave Bittner: [00:02:25:18] The New York Times caught up with the proprietor of King Servers, which ThreatConnect has associated with the IP addresses the FBI says were used in this summer's intrusions into state voting services. That proprietor is Vladimir M. Fomenko, a 26-year-old shredder in Biysk, Russia, who has a Guy Fawkes tattoo and a business renting out servers in Europe and North America. Mr. Fomenko is as coy about hacking as Russian officialdom has been; he's even willing to talk to the FBI. He says, "If the FBI asks, we are ready to supply the IP addresses, the logs. But nobody is asking. That is a big question."

Dave Bittner: [00:03:05:11] So there is a studied ambiguity in Russia about how the discreditable material now in public circulation has been obtained from US networks. There is no ambiguity whatsoever about the conclusions people are invited to draw from the doxed files. Speaking of the US election, Mr. Fomenko observes, "In Russia, we don't have this type of election. It looks like little children fighting."

Dave Bittner: [00:03:29:13] Reuters reports that the FBI has also recently opened an investigation into attempted hacks of senior Democratic Party figures' smartphones. Neither the DNC, the Clinton campaign nor the FBI was willing to offer comment, but Reuters cites sources in a position to know as saying the inquiry is connected to suspected Russian attempts to influence US elections.

Dave Bittner: [00:03:52:06] Very large distributed denial of service attacks continue, and observers find the attackers' exploitation of poorly protected IoT devices particularly worrisome. KrebsOnSecurity has recovered, thanks to Google's Project Shield, but an even larger IoT-based attack is said to have hit OVH hosting. It's hard to patch the things that make up the internet of things, as The Register observes, and it's even harder to do so when the things in a network are at the end of their life cycle.

Dave Bittner: [00:04:21:17] On yesterday's show we spoke with Kathleen Smith from ClearedJobs.Net about the "Hacking the Job Shortage" study from Intel. Today, we share the second part of our conversation where we discussed employee turnover and retention.

Dave Bittner: [00:04:36:00] Other companies that just seem to be okay with churn?

Kathleen Smith: [00:04:37:13] I think most companies are okay with churn. The challenge, when you look at the open positions that are out there, is that the study really felt that the United States government and the finance industry were those that were most heavily invested in cyber security, and that we should be looking at them to have innovations in recruiting and retaining our workforce. But when I took a look at recruiting and retention within the finance industry, it is not any different than we see from many of the other industries out there. I mean, more technical companies are undertaking more fascinating and captivating strategies to recruit and retain their workforce, and the US government has always had to deal with specific regulations, specific technology. They have USAJobs.gov, but they're not really making many changes.

Kathleen Smith: [00:05:39:08] They have come out with one-on-one programs, there are some programs that are maybe making minor headway, but this hasn't been full-scale "we need to overhaul our system to be able to take on this challenge."

Dave Bittner: [00:05:54:06] When the best of the best find a place that they can call home, what do they find? What are the things that make them go there and make them stay?

Kathleen Smith: [00:06:05:03] The things that make them go there are knowing that they're going to be part of a "best in class" company and team. Referrals, word of mouth, employee referral programs, no matter the industry, are still the best ways for companies to find their candidates. Having a really great, best-in-class intrusion detection and penetration testing team, those companies don't have any problem finding other candidates, because people are really interested in working with those people who are doing the most innovative technology.

Kathleen Smith: [00:06:46:09] When they go there they know that, no matter how blue their hair is, how many tattoos they have, they are still respected and accepted as a professional, and that they are part of a community and part of a team. It's also understanding that there are going to be some times when there are going to be some strange things going on, and they're accepting of that. I've talked to many managers who say, "I have to trust them. They're doing something that I don't quite understand, but I have to trust them." That's the one thing that I have seen in my 20 years of working in recruiting and marketing: employers don't trust their employees. I think that's why we need to look at the cyber security workforce challenge as a way to say we need to change recruiting and workforce management. If we're going to have candidates come in to our companies, we have to trust them.

Dave Bittner: [00:07:43:24] That's Kathleen Smith. She's the chief marketing officer at ClearedJobs.Net.

Dave Bittner: [00:07:51:01] Yahoo's security practices draw sharp criticism from observers who argue that marketing decisions made under intense competitive pressure drove the struggling internet giant to take fatal shortcuts. Insiders speaking on condition of anonymity to the New York Times say Yahoo was slow to adopt the sorts of security measures Google and other companies put in place after widely reported Chinese hacking in 2010.

Dave Bittner: [00:08:14:10] Yahoo! was, for example, a relatively late adopter of bug bounties, and CEO Mayer is said to have underfunded her now-departed CISO's efforts to shore up security. The company also declined to require a recommended password reset for fear of driving away email customers. The consequences of the Yahoo! breach for the company's deal with Verizon remain uncertain.

Dave Bittner: [00:08:37:11] TheDarkOverlord, whoever that is, is back and seeking to extort ransom from Los Angeles investment bank WestPark Capital. TheDarkOverlord says he'll release sensitive documents if he's not paid, and has offered a teaser of what he has.

Dave Bittner: [00:08:53:01] Flashpoint believes at least 13 organizations would be harmed by the doxing. The documents appear to represent inside information on investment and M&A planning.

Dave Bittner: [00:09:03:00] Finally, the suggestion made in the US presidential debates this week that, for all we know, the hacker of the DNC could have been some 400-pound guy sitting on a bed in his parents' house has attracted much unfavorable comment. The 400-pound weight one of the candidates cited has been particularly reprehended, with some even suggesting that it's a sufficiently offensive characterization of the presumably unknown hacker that it's likely to prompt outraged and honor-driven cyber retaliation against the candidate responsible for the canard.

Dave Bittner: [00:09:33:22] We must, in all candor, agree. A quick consultation of the internet tells us that Fancy Bear probably weighs at least twice that, and Fancy's been so active lately that the bed in his or her parents' house may just be too hard to lull a bear to sleep. After all, if you were Fancy Bear, you wouldn't like being cheated out of 200-plus pounds. What would Cozy Bear think?

Dave Bittner: [00:09:58:13] For our non-US listeners, 400 pounds is a tad north of 181 kilos. 800 pounds would be about 367 kilos. That's a lot of bear in anybody's book. And Fancy? Cozy? We're willing to credit you with 800 pounds each at least. And that's no bull.

Dave Bittner: [00:10:22:05] Time for another message from our sponsor, Recorded Future. So, attention threat intelligence enthusiasts: the first week in October, consider heading to Washington DC and joining Recorded Future and the rest of your community in DC for RFUN 2016, this October 5th and 6th. Share experiences, insights and best practices. Learn from exclusive presentations by threat intelligence thought leaders, and you can be the first to know and get a sneak peek of new Recorded Future product features and the company's development road map. Meet others like you, people who understand that cyber security depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun. That's recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:21:17] Joining me is Malek Ben Salem. She is the R&D manager at Accenture Technology Labs. Malek, I know you wanted to tell us about some of the work you're doing with semantic technology for security analytics?

Malek Ben Salem: [00:11:31:01] Correct. An example of semantic technologies is ontologies, which are typically used to enable knowledge sharing and reuse. In our lab, we try to leverage ontologies to enhance security analytics at the edge. This was a DARPA-funded project; it was part of the program called ICAS, the Integrated Cyber Analysis Systems program that DARPA funded. Within this program, we used an ontology. We defined and built a new cyber security ontology that we leverage to look at logs created by new software installed on devices, and automatically infer the schema of that log based on the security ontology that we've developed.

Malek Ben Salem: [00:12:29:11] Why is this important? It's because users will keep using software all the time, and security analysts will need to understand any logs created by that software and need to use it to understand when a device is compromised or when software is compromised. However, if they use existing SIEM technologies, they would have to build APIs for every new software and every new log format that's created. With our tool, with this automated way of inferring the schema of that log, they don't have to do that, and all of that information, all of those logs that are created, can be automatically consumed and contextualized. Obviously, with more context, security analysts can make better decisions about what the incident is about, what the root cause is, and where to look further to understand what's causing it.

Dave Bittner: [00:13:30:06] So what kind of accuracy do you get with this sort of system?

Malek Ben Salem: [00:13:33:20] It varies, depending on how structured the log is. So some of these logs are very structured in their schemas; others are what we call semi-structured types of data. However, we are conducting experiments to measure those accuracies.

Dave Bittner: [00:13:52:06] Malek Ben Salem, interesting stuff. Thank you for joining us.

Dave Bittner: [00:13:57:14] And that's the CyberWire. Before we go, we want to thank everyone who helped make the third annual Women in Cyber Security event a success. The event was last night here in Baltimore, and it was everything we could have hoped it would be. The location, the food, the music, and most importantly all of the amazing women who filled the room with laughter, inspiration and positive energy. It was a great night.

Dave Bittner: [00:14:18:16] Special thanks to Jennifer Eiben, who heads up our social media and event planning here at the CyberWire, and whose hard work ensured everything ran smoothly. Thanks to our sponsors and partners who made the event possible; there are too many to list here, but please know that we appreciate your support. We couldn't do it without you.

Dave Bittner: [00:14:34:22] And to everyone who attended, thank you. We hope to see you again next year and that you'll help spread the word.

Dave Bittner: [00:14:40:19] The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I am Dave Bittner. Thank you for listening.