The CyberWire Daily Podcast 10.12.16
Ep 203 | 10.12.16

Australia confirms foreign intelligence service hacked Bureau of Meteorology. TV5Monde and its false-flag hack. Trojan hitting SWIFT. Patch Tuesday notes. US-Russian cyber showdown.

Transcript

Dave Bittner: [00:00:03:12] A quick look back at Patch Tuesday. Amazon gets solid reviews for a password reset campaign. A new Trojan is caught manipulating SWIFT fund transfer logs. IoT botnets worry e-commerce sites, and the EU's proposed stickers seem unlikely to allay those concerns. Australia confirms a foreign intelligence service hacked its Bureau of Meteorology, but it won't say which foreign service that was. And the US says to Russia, 'ready or not, here we come.' Maybe!

Dave Bittner: [00:00:37:12] Time for a timely message from our sponsors at E8 Security. Putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you of malware on your system: listening or running programs on a rare or never-seen-before open port is one of them. It's easy to say that, but could you say what counted as rare or never-seen-before, or would that information jump out at you as you reviewed logs, if you had time to review your logs? And by the time the logs reached you, the news would be old. But E8's analytical tools recognize and flag the threat at once, enabling you to detect, hunt and respond. Get the white paper at e8security.com/dhr and get started. E8 Security, your trusted partner. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:29:05] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 12th, 2016.

Dave Bittner: [00:01:35:12] Yesterday, of course, was Patch Tuesday, but with a difference. As announced, Microsoft has moved away from its pick-and-choose patching regime and toward a new, take-it-or-leave-it approach. This month's Hobson's choice addressed five zero-days in Internet Explorer, Edge, Windows and Office. Adobe issued eighty-one fixes to Acrobat, Reader and Flash; several of the vulnerabilities closed could afford attackers remote code execution on affected machines. Oracle is expected to revamp its own patching practices in the near future as well.

Dave Bittner: [00:02:08:18] Amazon is asking its retail customers to reset their passwords. The requests are targeting those consumers whom Amazon has reason to believe may be using compromised passwords. The company has identified possible password reuse from its inspection of recent big credential breaches.

Dave Bittner: [00:02:25:24] The response to Amazon's move from the security industry has been, as far as we can tell, overwhelmingly positive. They see the reset campaign as a positive, proactive step from a company that hadn't itself sustained a breach. Here's a sampling of what people are telling the CyberWire. STEALTHbits' Brad Bussie offered enthusiastic approval bordering on rapture. "Praise Amazon!" Bussie said. "This act is exactly what organizations need to do to look out for their customers."

Dave Bittner: [00:02:52:15] John Gunn of VASCO Data Security calls it, "an incredibly smart move, it essentially says that even if your other on-line providers won’t protect you, we will." He sees it as Amazon showing 'their innovative mindset and customer-first business philosophy.'

Dave Bittner: [00:03:07:09] Péter Gyöngyösi, Product Manager of Blindspotter at Balabit, said, "What's interesting in Amazon's action is that it is probably one of the first cases when a large online company takes a proactive measure in resetting passwords." He sees this as being a bit risky, insofar as Amazon's letter confirmed that passwords had been reused. He also thinks it's another wake-up call to move toward personal password managers, multi-factor authentication and behavioral analytics. VASCO's Gunn agrees on the shortcomings of the password, which he characterized as a 'thirty-year-old technology' with increasingly obvious limitations.

Dave Bittner: [00:03:45:00] Kunal Anand, Co-Founder and CTO of Prevoty, said, "It's fantastic to see companies like Amazon being progressive about password management. Until everyone moves to a password manager and has unique passwords for every account, there will always be password re-use". He calls Amazon's scanning for compromised passwords a win-win for both the company and its customers.

Dave Bittner: [00:04:08:07] Not all the news is as welcome as Amazon's notification to its customers. The SWIFT funds-transfer system is again under attack, this time by either Carbanak's masters or someone very much like them. A Trojan, "Odinaff," has been observed manipulating SWIFT logs.

Dave Bittner: [00:04:26:10] IoT botnets continue their service-disrupting probes of various networks. E-commerce sites are held to be especially vulnerable since their business depends upon high availability. The EU's announced plans to certify the cyber safety of IoT devices are derided by Naked Security as an attempt to fix the problem by affixing stickers to connected stuff, which for now seems unkind but fair enough. Further fairness would note that this probably represents little regulatory steps for little regulatory feet, and that the policymakers will have to toddle a bit before they can run.

Dave Bittner: [00:05:03:00] With more and more business being done these days on mobile devices, and many businesses opting for bring-your-own-device policies, how do you ensure your proprietary information isn't being compromised on devices you may not control or own? Joey Alonzo is President of Quortum, an insider threat and risk management company, and he has some advice drawn from his own experience.

Joey Alonzo: [00:05:25:13] I recently left a large defense contractor on good terms and noticed a month or so later, when I went through my download file and my picture files on my phone, that I still had sensitive type information that I used my phone for reviewing, probably while I was at meetings or maybe when I was in my car or riding on the train.

Dave Bittner: [00:05:48:08] I think about my own iPhone, and if I back it up to my desktop computer, you know, if I had a bunch of files on there from work, those files would get backed up to my desktop computer, and now we've extended the attack surface, where now my desktop computer is a target, or could be a target as well, yes.

Joey Alonzo: [00:06:06:03] Absolutely. So what you've now done is you've put your company's data at additional risk by being placed onto your home computer, where you may insert a flash drive, your 12-year-old hops on there, grabs something, heads over to a friend's house, different types of malware that are able to access your computer, all the data, all the information. And you probably, at home, do not have the same type of network security requirements or software, or a team of 20 to 25 people protecting your home computer system.

Joey Alonzo: [00:06:40:14] What happens when your kids hook up their iPhones to it and back up? So think about the information that goes back onto their phones and where they go. Perhaps you're not the person who hooks up to public Wi-Fi, but, guess what, your kids probably are if they're stopping at Starbucks or Panera, or even a local McDonald's that has public Wi-Fi.

Dave Bittner: [00:07:00:11] If I'm a company and I'm allowing or encouraging my employees to use their own devices for all the good reasons that people want to do that, what are the things that you recommend?

Joey Alonzo: [00:07:12:06] What we recommend first is to develop a policy and practices and procedures that follow what you think are the threats to your company's mobile devices. We can all tell employees at a meeting, 'hey, be careful with this, be careful with that,' but if you actually put it out in a policy, if you base it on the legal requirements, if you base it on your kind of attitude as a leader within a company, if you're laid back, if you're pretty strict, if you're that hard-core guy or girl who wants things your way and that's the only way, there's nothing wrong with that, but just make sure that you convey it to your employees.

Joey Alonzo: [00:07:51:03] Make sure that they're briefed on what you expect from them in order to use their phones. Provide those policies. People are going to follow those. You're going to have that 95% of people that understand; they're going to let you know. Make sure they understand what to do when their phone is lost. Make sure they understand what to do if they notice something odd going on on their phone, if they get unique requests, if they're on a public Wi-Fi. Whether it's a company phone or an employee's own phone, you as the company owner need to be aware of what's going on with every device that is handling your company's information.

Dave Bittner: [00:08:31:11] That's Joey Alonzo from Quortum.

Dave Bittner: [00:08:35:20] Australian official sources confirm what's long been generally believed: malware found in the Bureau of Meteorology was installed in December 2015 by an unnamed foreign intelligence service. That nameless service (which widespread media speculation at the time of the incident's discovery held to be the Chinese PLA) seems to have been interested in pivoting from the Bureau to establish persistence in other government networks. The Bureau of Meteorology also deploys high-performance computers, themselves sufficiently powerful to be of probable interest to an intelligence service.

Dave Bittner: [00:09:11:09] In another long-running espionage story, France's TV5Monde talks about its March 2016 hack. Those responsible are believed to have been working for Russian intelligence services. They flew what's now regarded as the false flag of the "Cyber Caliphate."

Dave Bittner: [00:09:27:10] Foreign Policy recounts the difficult-to-follow spoor of the possible Russian information operation padding around Clinton consigliere Sidney Blumenthal, WikiLeaks and Presidential candidate Donald Trump. The publication sees it as a sort of house of mirrors bound to splinter "the truth" (in a Blumenthalism found in the leaked emails) into a variety of conspiracy theories useful in influence operations. An op-ed in the Christian Science Monitor's Passcode thinks there's room for doubt concerning Russian responsibility for the Democratic National Committee hack, and that the US Intelligence Community might consider raising public confidence in the attribution by revealing more of its evidence.

Dave Bittner: [00:10:10:14] The Intelligence Community's statement, short as it may be on specific evidence, is not at all coy in its attribution, having looked to companies including CrowdStrike, FireEye and Fidelis for what's publicly known. The Russians did it, says the IC, and the operation was authorized at the highest levels of the Russian government. The Moscow Times seems convinced, and in a minority view also sees the episode as putting Russian President Putin in a bit of a diplomatic pickle.

Dave Bittner: [00:10:38:16] US President Obama has said there will be retaliation, and he won't tell the Russians in advance what that retaliation will look like. A raised-eyebrow op-ed in Lawfare suggests the President's also not going to tell Congress.

Dave Bittner: [00:10:56:05] Time for a message from our sponsor, Clearjobs.net. If you're a cyber security professional and you're looking for a career opportunity, you need to check out the free cyber job fair on the first day of Cyber Maryland, Thursday, October 20th, at the Baltimore Hilton, hosted by Clearjobs.net. They're veteran-owned specialists at matching security professionals with rewarding careers. The cyber job fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students in cyber security programs too. You'll connect face to face with over 30 employers like Swift, DISA and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it free, from career expert and Air Force veteran Patra Frame. To learn more, visit Clearjobs.net and click Job Fairs in the main menu. Remember, that's Clearjobs.net, and we'll see you in downtown Baltimore. And we thank Clearjobs.net for sponsoring our show.

Dave Bittner: [00:11:57:15] Joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland and Director of the Maryland Cyber Security Center. Jonathan, you recently attended a conference, tell us about that.

Jonathan Katz: [00:12:08:19] So in August I attended the annual Crypto conference out in Santa Barbara, California. That conference is basically the premier conference for academic cryptography in the United States.

Dave Bittner: [00:12:19:01] And what are some of the things there that caught your eye?

Jonathan Katz: [00:12:21:10] Well, there were lots of papers, of course, but one of the things that seemed most interesting is that there were several papers focusing on obfuscation. Obfuscation is a relatively new idea that's popped up in the cryptographic community; of course, it's been around for decades overall, but basically people have developed, over the last couple of years, a way to provably obfuscate software, namely changing it in such a way that even somebody looking at the source code can't figure out anything about how the program actually works.

Dave Bittner: [00:12:49:20] And so are there any downsides to using obfuscation?

Jonathan Katz: [00:12:54:20] Well, it's still in its infancy, I would say, from a cryptographic standpoint. It sounds great and it sounds like it would have lots of applications, but for one thing the current schemes are horrendously inefficient, and, basically, it would take several hours not only to run one of these obfuscated programs, but even to compile it and generate an obfuscated program. The other big issue that we're seeing is that the security assumptions that people are using to prove that the obfuscation is indeed secure are relatively new, and they're not very well understood.

Jonathan Katz: [00:13:24:24] So there's been a sequence of papers over the last several months proposing attacks on obfuscation schemes and then coming up with corresponding fixes against those attacks. So it's still very much in flux, and it will be interesting to see how it develops over the next few months.

Dave Bittner: [00:13:38:10] And what are some of the real world situations where you would want to use obfuscation?

Jonathan Katz: [00:13:43:21] There are several, actually. One of them is that companies are very concerned about protecting intellectual property. So if a company, for example, develops a new algorithm or a new tool for doing something, they would like to be able to release their code and allow people to use it, but they don't want competitors to be able to look at the code and figure out the details, the secret sauce, as it were, of what they're doing.

Jonathan Katz: [00:14:04:20] Another case where obfuscation might be important is releasing security patches. Very often attackers can look at a security patch and, from the patch, figure out what the vulnerability was in the first place and potentially exploit it. If you obfuscated that patch, then it might be possible to allow people to update their software and protect themselves, while not revealing to attackers the exact nature of the vulnerability.

Dave Bittner: [00:14:27:00] Alright, interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:32:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.