The CyberWire Daily Podcast 10.28.16
Ep 215 | 10.28.16

Not all experts agree you should resign yourself to being hacked. The state of fraud, 2016. Ransomware and DDoS updates. The Kremlin gets doxed.

Transcript

Dave Bittner: [00:00:03:09] Ransomware is still with us. A new study of the state of online fraud is out and one lesson is it's better to take some, any precaution than to whistle and hope for the best. Windows seems to suffer from an exploitable vulnerability. How serious it may prove remains to be seen. Mirai botnets continue to sputter across the IoT. Signs point to a public health approach to mitigating DDoS. And those doxed Kremlin emails? Apparently the real deal.

Dave Bittner: [00:00:34:11] Time to take a moment to thank our sponsor E8 Security. You know, to handle the unknown, unknown threats you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score users risk? E8 can show you how. Did you know for example, that multiple Kerberos tickets granted to a single user is a tip off to a compromise. E8 can show you why. Get the white paper at e8security.com/dhr and get started. Detect, Hunt, Respond. E8security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:24:09] I'm Dave Bittner, in Baltimore, with your CyberWare summary and we can review for Friday, October 28th, 2016.

Dave Bittner: [00:01:32:20] With all the recent concern over distributed denial-of-service attacks, it's worth recalling that the ransomware threat hasn't gone away. It's just been eclipsed a bit in the news cycle. Nettitude Labs, which is keeping an eye on the RIG exploit kit, reports an increase in RIG alarms. The kit is delivering CrypMIC ransomware, taking over distribution after Cisco’s Talos unit shut down the vector, malvertising using the Neutrino exploit kit. RIG is also being used, Nettitude says, in Pseudo-Darkleech and EITest malvertising campaigns.

Dave Bittner: [00:02:06:24] And the SANS Institute shares work by itself, Bleeping Computer, and Malwarebytes into the continuing distribution Cerber. So, the ransomware threat is still out there, and still active.

Dave Bittner: [00:02:17:22] The fraud protection shop Easy Solutions this morning release Fraud Beat 2016, it's annual study of trends in online fraud. Mobile applications and social media of course figure prominently in the current attack landscape. One of the findings suggests that taking some, any, protective measures on mobile systems is better than doing nothing and hoping for the best. The study found that organizations that installed no protective measures were between four and nine times likelier to be attacked than those who had some precautions in place.

Dave Bittner: [00:02:48:22] Multi factor authentication reduces the incident of phishing attacks by a factor of three. Social media, of course, are rife with bogus profiles. Facebook, Twitter and Instagram between them are infested with more than 80 million fake profiles and these, of course, figure in many attacks.

Dave Bittner: [00:03:05:13] One mildly surprising finding in Easy Solutions Study is that four out of five Google searchers click sponsored ad words links as opposed to organic search results. And more than a third of those clickers don't even realize that there's a distinction here. It has driven a rise in search engine ad poisoning activity.

Dave Bittner: [00:03:24:14] Finally, of course, personal identifiable information, PII, continues to have value in the criminal markets, especially when it can be monetized through creation of false identities.

Dave Bittner: [00:03:35:06] Personally identifiable information can be stolen from many sources. This week a big compromise has come to light in Australia. The Australian Red Cross has suffered a data breach, possibly through inadvertent leakage as opposed to hacking, although that's unclear at this time. A file containing blood donor records going back to 2010, and including more than a million donor records, was found exposed on a public-facing website. This is believed to represent the largest single breach in Australian history .

Dave Bittner: [00:04:04:01] The CyberWire heard from Ilia Kolochenko, CEO of web security company High-Tech Bridge. Commenting on the Australian Red Cross breach, he said "It's difficult to determine the exact cause of data leakage in this particular case, but frequently human negligence is the main reason". He sees skid hackers as a kind of second-order source of carelessness. "It can also be a consequence of a previous breach, sometimes inexperienced hackers put data archives on the website to download or share with others and forget, or just don't bother, to delete it afterwards."

Dave Bittner: [00:04:39:01] Security company enSilo has reported finding a code-injection vulnerability affecting all Windows versions, including Windows 10. They're calling it "AtomBombing". According to enSilo, the flaw could enable an attacker to bypass security products, access encrypted passwords, steal desktop screenshots, and exploit browser sessions with man-in-the-middle attacks.

Dave Bittner: [00:05:00:16] Since AtomBombing exploits Windows atom tables, provided by the operating system to enable applications to store, share and access data, enSilo believes the issue arises from the design of the Windows OS and isn't susceptible to patching. "The direct mitigation answer," enSilo says, "would be to tech-dive into the API calls and monitor those for malicious activity"

Dave Bittner: [00:05:23:11] To return to the aforementioned DDoS threat, no, we haven't forgotten it. Mirai botnets are continuing spurts of activity against targets that strike observers as selected more or less randomly. Since Marai's source code was released, Arbor Networks has been tracking its mutations. Hackers, dismissed by Motherboard as "wannabes", have been adding buggy features to that code.

Dave Bittner: [00:05:46:06] The DDoS attacks against Dyn a week ago were very large, perhaps exceeding a terabyte per second. Various proposals for dealing with botnet-driven distributed denial-of-service attacks by ISPs include increased filtering and blocking. Controversial because of the potential for censorship or other misuse. And notification to customers of device compromise. ISPs have tended to hesitate to notify customers of botnet activity unless it affected their own network performance. But, there's growing acceptance of a public health model that would encourage them to warn users of infected devices in the hopes of containing botnet formation.

Dave Bittner: [00:06:24:05] You remember Vladislav Surkov, the Putin adviser who doesn't use email? He uses email after all, or so it seems. Several of the very large number of documents hacked and released by the Ukrainian hacktivists of CyberHunta have been confirmed by third parties as genuine. Some of the emails indicate Russian government contingency plans to force a shutdown over Ukraine's Donbas region as early as next month.

Dave Bittner: [00:06:48:19] Meanwhile, Mr. Putin dismisses claims that Russia is meddling in US elections. Despite those claims being widely believed and strongly supported. He accuses American officials of acting like a bunch from a Banana Republic and that they're trying to whip up "hysteria". On that whole Banana Republic thing, we think President Putin has the dismissive stereotype of a small Central American government in mind, and isn't referring to the clothing retailer. But who knows? If a lot of orders for cargo shorts go out from the Kremlin on Black Friday we'll be the first to acknowledge we misunderstand you. Vladimir Vladimirovich.

Dave Bittner: [00:07:25:20] And finally, okay, we know you're tired of hearing this. But National Cybersecurity Awareness Month is now in its final full week. The theme is "our continuously connected lives, what's your aptitude?" It's aptitude as in "app". Get it? So, seriously, spare a moment, think about how you're choosing, downloading and using apps. The digital exhaust you save could be your own.

Dave Bittner: [00:07:55:19] Time to take a moment to tell you about our sponsored Delta Risk. A Chertoff Group company. Since 2007, Delta Risk's experts have been delivering managed security services and risk management consulting to clients worldwide. They know technical security, policy, governance and infrastructure protection, and above all they know a thing or two about effective planning. The biggest blind spot organizations have about cybersecurity is in incident response planning and Delta Risk can help.

Dave Bittner: [00:08:21:22] The last thing you want to be doing when your IT infrastructure is virtually crashing down around your metaphorical ears is to be improvising a plan. So, get ahead of the problem and download Delta Risk's white paper Top Ten Incident Pain Points. Are you prepared? You can find it at delta-risk.net/topten. Check yourself against the challenges Delta Risk lays out. Again, that's delta-risk.net/topten. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:08:57:11] And I'm pleased to be joined once again by Ben Yelin and he's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, earlier this week, there was a session where Maryland Lawmakers heard arguments over police surveillance technologies. The hearing took place in Indianapolis the state capital. But my understanding is that you were actually on the scene?

Ben Yelin: [00:09:20:09] Yes, I was more of a part player in this whole performance, but I was there. So, this was a hearing convened by the House Judiciary Committee. Normally, they're not in session this time of year, but I think this was a topic of sufficient importance that they decided to hold an out of session hearing. And they reviewed three surveillance programs and looked at both the law and policy issues of all of them. The first is the aerial surveillance that was discovered a couple of months ago, which consists of Cessna flyovers started by a private organization in Dayton, that was just uncovered in the news a couple of months ago. They also discussed stingray devices, which I know you and I have talked about a good deal on this podcast, and your listeners are very familiar with. And also they look at facial recognition technology.

Ben Yelin: [00:10:07:02] There is a realization recently that Maryland State Police use facial recognition technology. And they don't just get the images from criminal arrests or criminal records, they're actually also matching images to MVA records, which, I think, robbed a lot of civil liberties advocates the wrong way. There was representatives of both sides of the issues. The ACLU and the Office of the Public Defender talked about what they thought was necessary legislation needed to protect against over reach by law enforcement. And they thought there had to be specific legislation to curb the abuses of each of these technologies, but broader legislation to make sure that there are public hearings and public notices to make sure that the public is sufficiently aware of the programs and has an opportunity to comment on it.

Ben Yelin: [00:10:57:07] And that's actually important from a legal perspective. We know, based on Fourth Amendment Jurisprudence, there's not a search for Fourth Amendment purposes unless a person's reasonable expectation of privacy is violated. And it's hard to know whether you have a reasonable expectation of privacy if you were never given a chance to be aware of some of these programs.

Ben Yelin: [00:11:17:02] Certainly, if we walk out on the street and see one of those blue light cameras, we're aware that they're doing video surveillance in our neighborhood. But, for something like overhead surveillance where a Cessna plane is flying up to 25,000 feet above the City of Baltimore, it would be hard for a person to even contemplate a scenario of them or their vehicles being surveilled by overhead devices. And as a result, that would be violation of one's reasonable expectation of privacy. And that would mean that to do that the government would have to have a warrant or an equivalent of a warrant.

Ben Yelin: [00:11:50:10] I thought the discussion on the stingray device was particularly interesting. We had a case here in Maryland at the Court of Special Appeals a few months ago, the Andrews case, that held that a warrant is required before the government use the stingray devices to get location identifying information from individuals. So, the legislator was sort of grappling with that new standard. And I think the representatives from law enforcement and their representatives from both Baltimore County and Baltimore City were trying to show the process that they go through. And tried to argue that they actually each search not only complies with the law as articulated by the Court of Special Appeals, but actually goes through a series of four separate judicial proceedings before a person's location identifying information is retained.

Ben Yelin: [00:12:36:19] So, it was a particularly interesting hearing. I think we'll definitely need to pay close attention when the state legislature comes back in January to see if they attack some of these problems head on and what kind of legislation they look to adopt.

Dave Bittner: [00:12:51:18] Alright. Well stay tuned and we'll check in as the story develops. Ben Yelin, thanks for joining us.

Dave Bittner: [00:13:02:20] Time for a word from our sponsor TechExpo. They're running a hiring event next Wednesday, November 2nd, 2016 at the Ritz Carlton, Tyson's Corner in Virginia. You can register and get full details at techexpousa.com. But one of the highlights include a career seminar with Cybersecurity experts Chuck Brooks and Bruce Benedict of Battlefield Resumes. You'll also have an opportunity to interview with Intel Security, AT&T Government Solutions, BAE Systems, SAIC and more of the leading companies in the security space.

Dave Bittner: [00:13:34:14] You should have at least two years of cybersecurity experience to attend, and if you do this event should be right up your alley. Take a look at advancing your career at TechExpo. That's Wednesday, November 2nd at the Ritz Carlton, Tyson's Corner, 1700 Tyson's Boulevard in McLean Virginia. Check out the details at our sponsors site, techexpousa.com. And we thank TechExpo for sponsoring our show.

Dave Bittner: [00:14:03:13] My guest today is Dug Song. He's the CEO of Duo Security, where he's a strong advocate for a back to basics approach to cybersecurity. He also rejects what he describes as learned helplessness reaction to cyber threats. And thinks users can be empowered by better systems with better design.

Dug Song: [00:14:21:02] I'm a 20 year veteran of network security. What people know me mostly for is something that open source software that I used to write. So, back before I did any companies, I was something of a software communist. If you look at your SSHM page, I was one of the authors of SSH, but also a bunch of exploits like dsniff to go capture people's credentials, passwords. Well, actually, I tried to get out of security for a while. I felt like security was something of a lemon market, where, you know, vendors would sell you a box, the box would sit in your network and it wouldn't really do anything. And, the customer would say, "Well, jeez, am I any more secure?" And the vendor said, "Of course you are. See, nothing's happened. And the customer would say, "Well, nothing happened before." But, that was sort of the quality I think of a lot of security parts back in that day and age.

Dug Song: [00:15:09:10] Where again, the best thing that ever happened on someone's watch in a CISO's is that nothing happened. And, I think today it's sort of changed a little bit, where security now has to enable a lot of the things that people want to do, whether it's cloud or mobile or what have you. And, I think a lot of the ways in which, again, security has been constructed for networks, for systems, and applications has not scaled to the way that an organization has actually needed to. Where today, again, I think the biggest security exposure we all have is people, right? Attackers don't go after systems so much as users and in an age of hyper connectedness.

Dug Song: [00:15:45:03] There's been so much discussion about how prevention has failed, and almost a sort of learned helplessness, right, that actually, "Oh there's nothing I can do to stop the attacks. It's not a matter of if, but when." And, in fact, our money is better spent, or your money is better spent, is usually a story told by vendors, on things like, you know, threat intelligence and other kinds of, you know, fairly esoteric kind of security functions that most organizations will never be able to operationalize.

Dave Bittner: [00:16:11:00] What kind of solutions are you advocating?

Dug Song: [00:16:13:24] You know, we believe that we have to democratize security. And by that we mean that we have to make security something that is inclusive of everybody. That when your users, your end users are the ones who are actually much more responsible for your security than maybe your average professional. And by that I mean that, if your users don't want to jump through your corporate VPN, right to use your corporate file server to share a file with a colleague, they will upload it to Dropbox, right, and do this instead. And, no amount of policy necessarily will really solve those kinds of issues for a lot of organizations. A different approach is required. And, so in democratizing security, our perspective has been that we have to make security easy in order for it to be effective.

Dug Song: [00:16:57:12] That is, in fact, security is not designed for people. Instead of being designed for networks, designed for systems and designed for applications, it won't be adopted by end users. And, so, we have to actually make security something that is a design-lead operation where, you know, today's security professionals have to be almost more like public health professionals, right. We're thinking very carefully about how they align user incentives toward the organizational outcomes that they're seeking to achieve. Because you can tell people to stop smoking, but sometimes you have to find other ways to lead them there. And so, the kind of solutions that Duo is focused on, and I think increasingly more and more of the security industry has to come to, are ones that actually respect the end user.

Dug Song: [00:17:40:20] You know, systems that actually are thoughtful about how they automate. A lot of what the organizational work flow is for companies that have better things to do, right, than deal with putting out security fires. And, so, between those two things, became a strong focus on user experience and design, as well as on automation to make the administrative side of security really, really simple. I think these are the core things that almost any new security technology has to be thoughtful about. Because, again, if users don't like it they will simply reject it. And there's so many new ways around these organizational boundaries of IT today that, again, most CISO's will never have a fighting chance unless they build the kind of security that people want.

Dave Bittner: [00:18:24:23] How would this work with something, for example, like a password? How is a design approach going to increase our credentialing?

Dug Song: [00:18:32:22] Yes. I think some things that you see is to afford convenience to users with the trade off in being able to provide more security. And, so, for instance, things like single sign up, you know the ability to use one single password and have that login carry across automatically all the applications that you might need to access. That is a strong degree of user convenience that actually end users want, but it actually benefits security, right. Because you have less passwords to govern, you have more ability to audit in a centralized way the accesses that have been between applications. But, you also have then the vantage point to provide other kind of inspection and control. And that affordance of security by delivering convenience, I think is one of the core principles that more and more security operators are going to have to think about.

Dave Bittner: [00:19:27:11] That's Dug Song from Duo Security.

Dave Bittner: [00:19:34:13] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. Our Technical Editor is Chris Russell and our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.