Bear again, and WikiLeaks (also again). Chinese hackers return, now after infrastructure companies. Debit card hacking epidemic in India.
Dave Bittner: [00:00:03:19] DDoS takes down internet sites throughout the US East Coast. Hotspot vigilantes try to get Julian Assange reconnected inside Ecuador's London Embassy. More election documents appear in WikiLeaks. Russia offers to monitor US elections. NSA's director talks about labor force issues and some advice from the Cyber Security Hall of Fame. You want security, convenience and freedom? Pick two.
Dave Bittner: [00:00:35:02] Time to tell you about one of our sponsors E8 Security. And I want to ask you that question I've been asking you all week. Do you fear the unknown? Lots of people do of course, ghosts, chupacabras, stuff like that. But we're not talking about those. We're talking about real threats. Unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine-learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to e8security.com/dhr and download their free white paper, “Detect, Hunt, Respond.” It describes a fresh approach to the old problem of recognizing and containing a threat that no one has ever seen before. The known unknowns like Area 51 and who shot JR? They're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them, go to e8security.com/dhr and check out the white paper. Have you done it yet? You know you really should. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:42:08] I'm Dave Bittner in Baltimore with your CyberWire summary and Week-in-Review for Friday, October 21st 2016.
Dave Bittner: [00:01:49:04] Multiple outlets are reporting that Dyn, a major DNS provider, has come under repeated denial-of-service attacks. This is causing widespread outages along the US Eastern Seaboard. Many popular sites including Twitter, Amazon, SoundCloud, Spotify, Netflix, Reddit, Discus, PayPal, and Constant Contact have been intermittently up and down throughout the day. Dyn and the affected sites are coping with the sequential waves of DDoS attack but like our neighbors we've been observing these issues all day. The story is developing, we'll follow it into next week.
Dave Bittner: [00:02:24:19] Fancy Bear continues its busy romp through Russia's Western targets, not just the US Democratic National Committee and various high numerous in the Clinton campaign. But according to ESET more than 1800 distance email addresses throughout Europe, the Middle-East, North America and Latin America.
Dave Bittner: [00:02:43:08] Bit.ly based phishing links were evidently used to compromise the Gmail accounts of both Clinton operative John Podesta and former secretary of state, Colin Powell.
Dave Bittner: [00:02:53:02] Motherboard has a nice catch of convincing looking phishbait. They invite you to look and consider whether you'd bite. The spoofing is, as former Homeland Security Secretary Chertoff told an audience at CyberMaryland today, quite persuasive and convincing. US Director of National Intelligence Clapper says that there's really no serious doubt the Russian services are the ones culling and distributing the elections season’s email sleaze, and ODNI's got the forensics to back up the attribution.
Dave Bittner: [00:03:22:11] Fancy Bear's take continues to be distributed through DCLeaks and WikiLeaks. The latter has released among other stuff, one of President Obama's pre-presidential email addresses. TechCrunch tried emailing him, it didn't bounce but no reply yet.
Dave Bittner: [00:03:39:02] WikiLeaks’ Julian Assange remains in Ecuador's London Embassy. Ecuador continues to extend him asylum but they've cut off his internet. A number of Wi-Fi vigilantes are said to be hanging around outside, offering Mr Assange the use of their hotspots, but with what success is unknown.
Dave Bittner: [00:03:57:10] The Russian government through its crocodile tears has expressed an interest in monitoring US elections about which they profess concern. There is no US response to this offer yet but we did hear former Homeland Security Secretary Chertoff comment on Russian election monitors this afternoon at Cyber Maryland. "I'd like to say come on over and see how a real democracy works. But sometimes you have to be willing to put yourself under the same standards you apply to others. I'm only being semi-facetious when I say great, come and observe. God bless, come and do that." So who knows? Will it happen? Probably not. Still fun to think about.
Dave Bittner: [00:04:39:22] ThreatConnect reports that the same Chinese actors believed to have hacked the US Office of Personnel Management and the Anthem insurance network are back, now targeting Franco-American infrastructure companies. A number of US officials have recently pointed to a marked increase in Chinese government hacking, so this new campaign appears to be either an outlier or a resumption of earlier practices.
Dave Bittner: [00:05:01:19] An ATM hacking wave has hit India. Debit cards are being affected. Major Indian banks are coping with the problem by replacing compromised debit cards.
Dave Bittner: [00:05:11:17] We've been attending CyberMaryland which is wrapping up this afternoon. Yesterday morning NSA Director Admiral Michael Rodgers opened the conference with a keynote that called for more efforts in cybersecurity workforce development, he noted NSA's internship program with particular satisfaction, more public-private cooperation. He thinks the private sector should tell the government what kind of information it needs. The requirements for information sharing in particular should originate in the private sector.
Dave Bittner: [00:05:39:15] Faster acquisition authority, an FY2017 pilot in the US cyber command will he hopes, prove a successful model for the future.
Dave Bittner: [00:05:48:16] And some serious national introspection about what foreign adversaries in cyberspace mean for American society and the American political system. His emphasis on the importance of workforce development was brought in to sharper relief by those who introduced him. A high school junior from Baltimore county's Loyola Blakefield school and its award-winning cyber program did the honors.
Dave Bittner: [00:06:10:21] Also at CyberMaryland we caught up with Joey Muniz, Technical Solutions Architect with Cisco. He gave a talk at the conference explaining various types of cyber attacks and how they differ from the way Hollywood often portrays them.
Joey Muniz: [00:06:24:16] I think in general people are just misled. So it can be that the media are talking about us misleading them, it could be the vendors saying hey buy this magic product and you're gonna be safe and they actually get a false sense of security from that. I think even compliances in some of those regulations, somebody says oh, we've met this particular regulation, we're safe now. Which you're not because that regulation is x-amount of months, years old. So I think in general as an industry, a lot of that weeds where if you just kind of jump in you're not getting the right information and that's all misleading.
Dave Bittner: [00:06:57:07] Last night's induction ceremonies for the National Cyber Security Hall of Fame were marked by graceful speeches by those who received the award. Congratulations to all of them. Most of the newest members of the Hall of Fame saw difficult challenges ahead for cybersecurity, even as they acknowledged their colleagues, students and mentors. We'll note something Dan Geer closed with, giving him the last word. Referring to a NORAD commanding general's remark from the mid 1950's, that the price of security was inconvenience. Geer suggested that our civilization faced a future in which security, freedom and convenience would increasingly find themselves in tension. His advice? Pick two.
Dave Bittner: [00:07:43:10] Time to take a break to tell you about one of our sponsors, ClearedJobs.Net. If you're a cybersecurity professional and you're looking for career opportunities check out ClearedJobs.Net. They're a veteran owned specialist that matching security professionals with rewarding careers. They have opportunities from top employers like Swift, DISA and the Los Alamos National Laboratory. Learn more about the opportunities for both cleared and non-cleared professionals at their website clearedjobs.net. Once more that's clearedjobs.net. And we thank ClearedJobs.Net for sponsoring our show.
Dave Bittner: [00:08:23:22] Joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan saw an article in Motherboard recently, they were talking about how they cryptographic key that secures the web, is being changed for the first time. Walk us through what's going on here?
Jonathan Katz: [00:08:40:06] Well this is a key that's used by iCandy, internet corporation for assigned names and numbers. And like the headline of the article said, it's a key that's used to secure routing on the internet. So every time you type in to your browser, say, Google.com, that address that you typed needs to get translated in to an IP address that allows the packets that you send to reach their destination. This is done through a somewhat complex protocol, called DNS. Or the domain name system. In order to prevent attackers from modifying the addresses that you get back, and then sending you to the wrong place, the answers you get back from the domain name service can actually be signed with respect to a public key. And so iCandy were the ones in charge of this public key and they're now going to be refreshing that key and updating it and issuing a new key.
Dave Bittner: [00:09:33:07] Now one of the things that struck me in the article is that they're increasing the size of the key from a 1024 bits up to 2048. In a world where we consider 256 bit encryption to be pretty secure, going all the way up to 2048, is that just future proofing or overkill? What's going on with that?
Jonathan Katz: [00:09:52:00] So here they're actually using RSA technology, RSA system for the signature scheme. There's a difference in bit security when you talk about key lengths for symmetric algorithms and for asymmetric algorithms like RSA. 256-bit security is sufficient for symmetric key algorithms, but for public key algorithms, you need a lot more bits in order to obtain a comparable security. Going from 1024 bits to 2048 bits, is basically them protection for several more years. We actually still can't break 1024-bit RSA but it's getting to the point where maybe it's a little bit of an uncomfortable security margin, and people are concerned that perhaps within a time span of five years or so we may be able to break such keys and so for that reason they're just being careful and going up to a 2048 bit key.
Dave Bittner: [00:10:40:06] Is this a transition that's going to be seamless to users?
Jonathan Katz: [00:10:42:24] Well hopefully so. I mean there's always the risk actually that there will be some compatibility issues but I think they're proceeding slowly enough that this should hopefully get ironed out. And users won't see any problems.
Dave Bittner: [00:10:53:05] Alright Jonathan Katz, thanks for joining us.
Dave Bittner: [00:11:01:23] My guest today is Kevin Greene. He's a program manager in the cybersecurity division of the Department of Homeland Security Science and Technology Directorate, where he's a leader in the agency's software assurance efforts.
Kevin Greene: [00:11:14:04] I have about 20 years of cybersecurity experience. Of recent years I've been focusing on software security and software assurance. Really developed a strong passion regarding this area. Because I believe that everything starts with building secure systems and coding is a huge part of that. Currently support Homeland Security Science and Technology Directorate, Cyber Security Division as a Program Manager and my role is really a couple of things. Really one b, you know a leader in the community, working with academia, working with industry as well as government to really figure out how do we advance software assurance technologies, tools and capabilities? It's really trying to push forward the state of the art and evolving it, innovating around creating better capabilities in terms of how we analyze software for potential weaknesses that can expose vulnerabilities in software.
Dave Bittner: [00:12:12:21] Describe to us when we're talking about software assurance, what does software assurance mean?
Kevin Greene: [00:12:18:20] Software assurance means a lot of different things to a lot of different people. Essentially it's really what processes, what methodologies, what practices can you use to gain confidence and trust in using software, making sure software works as intended. So essentially at a very high level, that's the principles that I use in terms of software assurance.
Dave Bittner: [00:12:45:09] Take us through some of the programs that you all are working on?
Kevin Greene: [00:12:48:04] Fundamental program at CSD, Cyber Security Division at S&T was really rooted in a program that is called software quality assurance which was designed to really improve the methods and capabilities in terms of how we test software. So we talking stack analysis, dynamic analysis and binary analysis. Really trying to fund research to improve those critical areas and make tools better.
Kevin Greene: [00:13:12:16] We also have cyber programs and cyber small business innovation research, which allows us to work with small businesses to create research and create some novel capabilities around software quality assurance tools. I have two major programs, that have just been awarded. One is called STAMP Static Tool, Analysis Modernization project and the motivation behind that came from I was watching TV with my wife. I'm sure you're familiar with HGTV, Home Garden TV? The two brothers are property brothers, one who find neglected homes and you have the other who kind of takes funds and renovates the homes. I kind of said, wow, I can do that with open-source static analysis tools so that's kind of how STAMP came about. So what we're doing with STAMP is we're taking a collection of open-sourced static analysis tools and we want to modernize them. So four steps really, very high level.
Kevin Greene: [00:14:16:18] We want to create a next generation of test cases that allows us to baseline and measure the performance of static analysis tools. Phase two is doing a tool study, so we understand the strengths of tools, the weaknesses in tools, the gaps and that helps us generate what we call a modernization framework, allows us identify the areas where we need to modernize open source static analysis tools. And the fourth element is something I think is very unique and very interesting. It's called a consumer report for these tools and the goal behind that is really to invite those who are using these tools, those who are going to purchase these tools, an idea of whatever strengths and weaknesses of the tools, what are the sweet spots, what do the tools do well? What it also will do is show where the overlap is in the tools so that folks want to pair different static analysis tools together, they have an idea which tools they need to pair together to best match their software assurance needs.
Kevin Greene: [00:15:21:03] The other one is called ASTAM. It's called Application Security Threat and Attack Modeling. The motivation behind that is we can't continue to patch. I mean we've seen a lot of these security breaches that are happening. We look at what malware does. Malware looks for vulnerable systems, unpatched systems so we can't continue to patch so ASTAM came about because the wonder of exposures continue and seems like it's getting wider and wider. So the goal behind ASTAM was really to mimic the behavior of an attacker who does reconnaissance and looks for vulnerable systems 24/7. Hackers don't sleep. So ASTAM provides an on demand capability to automate red teaming penetration testing. But it also does something that I think is very important. It helps create countermeasures in mitigation mechanisms to block potential exposures and attack service, until administrators or organizations have the time to go and patch systems.
Kevin Greene: [00:16:26:22] The fourth and final is something which is very dear to me. It's called the Software Assurance Marketplace. Ideally it's a collaborative research infrastructure, where software assurance researchers, tool developers, software developers can come and improve their software assurance capabilities. For instance if a tool developer wants to improve their tool, today we host over 600 software packages and test cases and they become targets for tool developer to launch their tool against. And the purpose for that is it helps a tool developer understand where their tools is good at. So the SWAMP provides a way for tool developers to improve their tool over a period of time with something called continuous assurance. One of the unique value propositions of SWAMP is the SWAMP is in the classroom and helping reinforce the principles of coding and helping students improve their coding practice. Right now, the SWAMP is in a classroom. It has been integrated in Bowie State. Which is located in Bowie, Maryland. It's at HBCU, they are using it for their computer science courses and it's really helping students learn and helping reinforce good coding practices and I think that's a great value proposition. That's something I'm very excited about.
Dave Bittner: [00:17:46:16] So if someone wants to collaborate with you and get involved with these programs, what's the best way for them to do that?
Kevin Greene: [00:17:53:08] So the best thing to do is to visit our website www.dhs.gov and under the science and technology director you can look for the cybersecurity division. You can all information about all the latest research and R&D projects and ways to engage our cybersecurity division. Also every year we have something called our R&D showcase and technical workshop. It's an opportunity for our PI's and researchers to brief the community on their research and on the progress of their research. There's an opportunity for the community to engage our researchers on their research projects. So it's a great event and I think it's great for folks to see some of the great work that we're doing.
Dave Bittner: [00:18:39:11] My thanks to Kevin Greene for joining us. Kevin hosts a podcast of his own called “Welcome to Cyber Security Insights and Perspectives,” which you can find on iTunes.
Dave Bittner: [00:18:53:07] And that's the CyberWire. Thanks to our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik, our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody.