The CyberWire Daily Podcast 10.11.16
Ep 202 | 10.11.16

US attributes DNC hacking to Russian government, promises to protect itself. Russia dismisses attribution as "rubbish." WikiLeaks posts Clinton campaign emails.

Transcript

Dave Bittner: [00:00:02:09] Industrial control system worries in the electrical power sector. IoT botnets spook the EU, and research into Mirai reveals some interesting features of last month's DDoS attacks. The US Intelligence Community says officially that the Russians are trying to influence US elections. The Russians say it's rubbish. Hillary says Moscow wants to throw the election to Donald. Donald says it's unproven and, besides, how about those State Department emails. Investigation into the arrested NSA contractor proceeds. An expert suggests best practices for Cyber Security Awareness Month.

Dave Bittner: [00:00:43:10] Time to take a moment to thank our sponsor, E8 Security. You know, to handle the unknown unknown threats you need the right analytics to see them coming. Consider the insider threat, and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip-off to a compromise? E8 can show you why. Get the white paper at e8security.com/dhr and get started. Detect, hunt, respond. E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:32:19] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 11th, 2016.

Dave Bittner: [00:01:39:09] Worries about industrial control system security surfaced again late last week, as the International Atomic Energy Agency reported that an unnamed nuclear plant sustained a successful disruptive cyber attack two to three years ago. The attack posed no immediate threat to public safety, but SCADA experts and utilities are expected to redouble efforts to secure power generation and distribution facilities.

Dave Bittner: [00:02:04:05] September's Internet-of-things driven distributed denial-of-service attacks against OVH and KrebsOnSecurity continue to cause technical and policy alarm bells to ring around the world. The European Union is moving toward some form of IoT security regulation. So far it's unclear what form such regulation will take, but the talk in the European Commission so far is about a labeling system that would tell consumers their Internet-connected devices are "approved and secure." The evolving policy will bear watching.

Dave Bittner: [00:02:35:08] Investigation into the details of the IoT DDoS campaigns continues to center on the Mirai botnet. Security company Imperva has published the results of its findings in its Incapsula blog. The company says the Mirai botnet was both "territorial" (in that it disabled competing malware on infected systems and prevented remote connection attempts on compromised devices) and selective (in that its bots were coded to avoid IP addresses belonging to, among other organizations, the US Postal Service, the Internet Assigned Numbers Authority, the US Department of Defense, General Electric and HP).

Dave Bittner: [00:03:13:03] Late Friday, the US officially attributed election-related email hacking to Russia's government. A joint statement by the Office of the Director of National Intelligence and the Department of Homeland Security said the Intelligence Community was not only confident the operations were conducted by the Russian government, but that they could only have been authorized by "Russia's senior-most officials." So the US Intelligence Community rules out not only the hacktivism toward which Guccifer 2.0's sockpuppetry would have misdirected attention, but also potential claims that the breaches represented low-level unauthorized freelancing. The statement also calls document dumps by DCLeaks and WikiLeaks "consistent with the methods and motivations of Russian-directed efforts."

Dave Bittner: [00:03:58:21] The ODNI and DHS profess clarity about the nature of those motivations: "These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow. The Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there."

Dave Bittner: [00:04:20:00] Russian officials have, as one would expect, dismissed the attribution as "rubbish" designed to inflame what they're characterizing as "unprecedented" anti-Russian hysteria.

Dave Bittner: [00:04:29:19] In the US Presidential campaign, candidate Clinton has said that Russia's trying to throw the election to Trump. Candidate Trump, despite being briefed earlier about the grounds for attributing the DNC breaches to Russia, said it's unclear to him that Russia is actually behind the hacks. He's also taken the opportunity to draw attention to Clinton's difficulties with handling classified material during her tenure as Secretary of State.

Dave Bittner: [00:04:53:19] Also late Friday, around the time the ODNI and DHS released their statement on the DNC hacks, WikiLeaks posted just over 2000 emails purporting to be from candidate Clinton's campaign manager, John Podesta. These emails look generally discreditable, as leaked emails usually do. WikiLeaks impresario, Julian Assange, has promised more regular revelations through Election Day on November 8th.

Dave Bittner: [00:05:19:20] The FBI wants another iPhone unlocked. This one belonged to Dahir Adan, the apparent jihadist who went on a stabbing rampage in a Minnesota mall before he was shot dead by an off-duty police officer. The Bureau's efforts are expected to mirror those undertaken during investigation of the San Bernardino massacre earlier this year.

Dave Bittner: [00:05:40:12] Investigation into the NSA contractor arrested for allegedly having highly classified material squirreled away in his Maryland home continues. The Intelligence and National Security Alliance is prompted to call upon the next Congress and Administration to modernize security policies, practices and technologies in ways that would more effectively mitigate this sort of insider threat.

Dave Bittner: [00:06:02:13] Credit cards continue to be a popular target of criminals both online and with skimming devices. Smrithi Konanur is global product manager for HPE Data Security, and we checked in with her for some details on credit card security.

Smrithi Konanur: [00:06:16:18] The old credit cards, the magnetic stripe credit cards, didn't have essentially a lot of security enabled in the cards themselves, hence it was really easy to read the payment information through the magnetic stripe and it was easy to duplicate those cards, hence the payment fraud was really rampant previous to EMV.

Smrithi Konanur: [00:06:45:06] With EMV chip-enabled cards, right now the payment information of the consumer is embedded into the chip itself, which is a secure device. Also, on top of that, there's a lot of cryptographic operations that take place for the authentication of the consumer and also, for transmitting the information, the payment information, into the EMV-enabled terminals, it is also cryptographically done.

Dave Bittner: [00:07:15:24] What about on-device technologies like Apple Pay?

Smrithi Konanur: [00:07:19:06] That's a totally different security and payment technology. There's a concept called tokenization. What we mean by tokenization is that the PAN, the credit card number itself, will be replaced by a random surrogate value. That way it's basically used as a security reason. Initially, it came about as back-end security. However, with Apple Pay and mobile wallets, EMV, again, the core standard, brought about a new standard which is called payment or EMV tokenization, where the tokenization is done prior to the authorization. What I mean is, when you register to Apple Pay and you enter your credit card information, the process it goes through is that that credit card information will be sent to the network, based on your credit card information, and then the issuer or the network will send a payment token back to the Apple Wallet. So whatever is stored in the wallet, in your mobile wallet, is a token. It's a payment token of the credit card number.

Smrithi Konanur: [00:08:36:22] That essentially enhances the security for payments quite a bit, because the token is essentially the one that is used for the transaction of the payment authorization. However, that token itself cannot be used even if there's a data breach midway or there's a hacker that tries to get your information. The token itself is of no use to that hacker because, again, he doesn't have the same device. Apple Pay also comes with biometric authentication, so there is additional authentication and security there, so it's very hard to use that same token for other fraudulent purposes.

Dave Bittner: [00:09:20:01] That's Smrithi Konanur from HPE Data Security.

Dave Bittner: [00:09:25:01] In industry news, Verizon continues to mull whether its acquisition of Yahoo!'s core assets should proceed, and at what kind of discount.

Dave Bittner: [00:09:34:22] Finally, a CISO, a consultant and a security vendor walk into a bar, and the bartender says, "So, got any good best practices to share?" Just kidding, it's not really a joke, it's just week two of Cyber Security Awareness Month. That CISO, consultant and vendor are actually sharing some worthwhile thoughts on best practices with the readers of Healthcare IT News. They're worth a review. Among them are: share information, cultivate multiple sources of intelligence (and don't neglect the dark web), plan and exercise your incident response, keep your patches current, and above all, approach cybersecurity in the spirit of risk management. You can read their comments at healthcareitnews.com.

Dave Bittner: [00:10:20:21] Time for a message from our sponsor, Clearjobs.net. If you're a cyber security professional and you're looking for a career opportunity, you need to check out the free cyber job fair on the first day of Cyber Maryland, Thursday, October 20th, at the Baltimore Hilton, hosted by Clearjobs.net. They're veteran-owned specialists at matching security professionals with rewarding careers. The cyber job fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students in cyber security programs too. You'll connect face to face with over 30 employers like SWIFT, DISA and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it free, from career expert and Air Force veteran Patra Frame. To learn more, visit Clearjobs.net and click Job Fairs in the main menu. Remember, that's Clearjobs.net, and we'll see you in downtown Baltimore. And we thank Clearjobs.net for sponsoring our show.

Dave Bittner: [00:11:22:01] Joining me once again is Dale Drew, he's the chief security officer at Level 3 Communications. Dale, as we get closer to the election here in the United States, we're seeing more and more stories about the potential for voter hacking. What's your take on this? Is there something to this or is there more smoke than fire?

Dale Drew: [00:11:39:10] I'd say there's a lot of discussion around online voting and voting security. Voting security, in general, has always had a little bit of a black mark associated with it, not only because of the accuracy of the voting machines and their ability to be tampered with. For example, a couple of years ago someone loaded Pac-Man on a voting machine. I'd say the general consensus for voting security right now is just the need for holistic standards across the voting space: the ability for the back-office infrastructure that is supporting as well as collecting voting data to be better protected. There's a fair amount of concern that a lot of these infrastructures are more susceptible to compromise than the voting platform itself.

Dale Drew: [00:12:34:16] The other one is the motivation. Today there is a sort of accepted half-truth, which is the belief that online voting, or better voting security, is not really going to increase voter turnout. From what we've seen in other countries, I'd say that's half true. In some countries, turning to online voting and better voting security doesn't have a material impact on voter turnout. We've seen a couple of cases where it's been a 10% increase or a 12% increase. However, other countries have experienced between a 30-40% increase in voter turnout because they made it more convenient for the end user to be able to vote.

Dave Bittner: [00:13:18:07] And here in the United States voting is handled by the individual states, which strikes me as a mixed blessing, because you have a lack of a standard across all the states but, on the other hand, it allows for experimentation.

Dale Drew: [00:13:32:05] Yes. The exact concern, I'd say, is just a lack of consistent standards. Each state can decide, based on their expertise at the time and their resources at the time, what voting security means to them. We believe that global standards are the key to fixing this; not just standards within the US but standards across the globe. There are a lot of countries that are doing online voting today. Some of them have their entire ecosystem oriented around people-based certificates, as an example. We're not advocating that, but what we are advocating is more of a global approach to understanding the risk profile and developing approved methods for it, so that each state now has access to a larger think pool or think tank of capability to provide better voting capabilities for their citizens.

Dave Bittner: [00:14:28:17] Alright, Dale Drew, thanks for joining us.

Dave Bittner: [00:14:33:01] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.