The CyberWire Daily Podcast 12.16.16
Ep 247 | 12.16.16

US Election Assistance Commission hacked. US, Russia, swap hard words over influence operations. Ransomware updates. More on the effects of the Yahoo! breach. Autonomous vehicles approaching.

Transcript

Dave Bittner: [00:00:03:21] Rasputin, no not that one, the hacker, is trying to sell admin credentials for the US Election Assistance Commission on the black market. US investigation of Russian influence operations continues, with promises of eventual retaliation. Nose-thumbing from Moscow received in response.

Dave Bittner: [00:00:20:22] UK and EU officials worry about Russian meddling with 2017 elections. The Yahoo breach sinks in, and some call it the Exxon Valdez of cyberspace. Their new ransom-ware strains and a growing ransom-ware sector, but help in the form of an international public/private partnership. And we're closer to seeing robot drivers on the streets.

Dave Bittner: [00:00:47:11] Time for a message from our sponsor Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money and improve security.

Dave Bittner: [00:01:02:04] Their approach is proof-based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it defines in websites, and presents you with a proof of exploit. You don't need to verify the scanner findings, to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it's definitely not a false positive. Learn more at netsparker.com.

Dave Bittner: [00:01:26:00] But wait, there's more, and we really do mean more. Go to netsparker.com/cyberwire for a free 30 day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's netsparker.com/cyberwire. We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:54:09] I'm Dave Bittner in Baltimore with your Cyberwire summary and weekend review for Friday December 16th, 2016.

Dave Bittner: [00:02:03:00] Election hacking and election influence operations, which may be connected, but aren't necessarily the same thing, remain very much in the news. Security company, Recorded Future, reports that it's found a Russian-speaking hacker – they're calling him Rasputin – who's selling what he claims is access to compromised US Election Assistance Commission networks.

Dave Bittner: [00:02:23:21] Recorded Future observed chatter that suggested credentials to Election Assistance Commission, or EAC Networks, were for sale. Further investigation enabled them to identify the vendor as a Russian speaker, who was negotiating with an unknown buyer working on behalf of an unspecified Middle Eastern government.

Dave Bittner: [00:02:42:00] Approximately 100 sets of account credentials were for sale, some of them apparently representing privileged administrative accounts. Such accounts could be useful for a variety of purposes. They could be used, for example, as Recorded Future points out, to install malware and establish a watering hole on a US Government site.

Dave Bittner: [00:03:01:00] Rasputin, who's been knocking around black markets for some time is, in Recorded Future's view, probably a crook and not an agent of an espionage service. Over the past two years, he's been connected with financial services compromise in the Middle East; compromise of a Chinese e-tailor and, of course, now with the attempted sale of EAC credentials.

Dave Bittner: [00:03:21:10] The US Election Assistance Commission is not a well-known agency, so some background information may be useful. The EAC is a small independent federal agency created by the Help America Vote Act of 2002. It supports the conduct of elections through a variety of largely voluntary and advisory services: testing and certifying voting equipment; maintaining the National Voter Registration Form, but not any database of voters; administering a national clearing house on elections, to receive complaints of alleged fraud and so on; and promoting development of shared practices and other ways of improving elections.

Dave Bittner: [00:03:57:05] Thus, compromise of the EAC doesn't represent any real threat to the integrity of US elections, but it's an embarrassment; another black eye for a way of voting that's taken more than its share of punches over the past year.

Dave Bittner: [00:04:10:02] TechCrunch and others have noted that the EAC published an op-ed in the Washington Post on October 18th, with the reassuring headline, "don't believe the hype: foreign hackers will not choose the next President". It seems likely that Rasputin was rooting around in their systems, even as they wrote.

Dave Bittner: [00:04:27:18] The US continues investigating more official Russian influence operations mounted during the recently concluded election cycle. Officials murmur about President Putin's direct involvement, which Mr Putin dismisses as "funny nonsense".

Dave Bittner: [00:04:41:17] In an NPR interview yesterday, President Obama promised unspecified retaliation against Russian information operations, "at a time and a place of our own choosing", to which the Kremlin said, in essence, put up or shut up.

Dave Bittner: [00:04:55:21] NBC News reports that the administration didn't take action before the election because, first, it didn't want to appear itself to be meddling improperly in the election. Second, it didn't want to escalate cyber conflict with Russia and, finally, it thought Democratic candidate Clinton was going to win anyway; so they could, as one unnamed source put it, "kick the can down the road."

Dave Bittner: [00:05:16:24] The US Intelligence community has blogged, at its IC on the Record site, that it doesn't intend to make anything else public until it's completed its investigation, and until it's satisfied that what it has to say won't compromise intelligence sources and methods.

Dave Bittner: [00:05:32:15] British and European officials are expressing concern about similar Russian meddling in their own upcoming elections. The prospect of what ThreatConnect calls faketivism – false flags and covert information operations is particularly troubling to them.

Dave Bittner: [00:05:48:07] The magnitude of the Yahoo breach continues to sink in, and security industry observers express displeasure over both weak crypto practices and slow breach disclosure. The company's stock price has seen sharp declines, as investors lose confidence that Verizon's acquisition of Yahoo's core assets will actually go through.

Dave Bittner: [00:06:07:13] Chris Pogue, CISO at security intelligence firm Nuix, offered us representative reaction. "Wow," he said. "How many times have I said that data breaches are almost always worse than initially thought? A lot. If Verizon was going to purchase Yahoo for its intellectual property and brand reputation, both of which are pretty much shot at this point, my money is on Verizon walking away after this."

Dave Bittner: [00:06:31:14] Netskope has discovered new variants of Locky ransomware circulating in the wild. Malwarebytes has published more information on Goldeneye, which is a re-branded strain of Petya-Mischa ransomware. This criminal sector continues to grow. An IBM security study released this week says that ransomware operators are expected to net a billion dollars from extortion in 2016, up from a relatively paltry $24 million in 2015. So it's worth remembering that regular, secure backup is always a sound practice.

Dave Bittner: [00:07:04:02] There's some compensating good news on the ransomware front. The International public/private partnership No More Ransomware has added new partners and expanded free services for ransomware victims. Bravo to all the partners in this effort – too many for us to list here, but all deserving a pat on the back.

Dave Bittner: [00:07:22:22] In industry news, well-known security executive, Amit Yoran, is stepping down as President of Dell's RSA Unit. He's moving to Tenable Network Security, where he'll serve as CEO.

Dave Bittner: [00:07:35:02] Finally, autonomous cars take a few more steps closer to hitting the asphalt. GM announces that it's going to begin building and testing self-driving vehicles at the Michigan facility where it currently produces the Chevy Bolt. Uber has begun operating a few robotic vehicles on California streets. They have human operators on board ready to take over if necessary, but the State of California says, the vehicles are in violation of State regulations. How this will play out is to be decided, no doubt, in the courts. Such things usually are.

Dave Bittner: [00:08:11:15] Time for a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insights into emerging threats. We subscribe to and read their cyber daily.

Dave Bittner: [00:08:28:15] They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the cyber daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news targeted industries; threat actors; exploited vulnerabilities; malware; and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks.

Dave Bittner: [00:08:51:15] Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:12:19] Joining me once again is Markus Rauschecker; he's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, the National Cyber Incident Response Plan recently went through a public comment period. This is a plan that has really been ripe for some updates. What's the latest with it and where can we expect it to go?

Markus Rauschecker: [00:09:36:05] Yes, the National Incident Cyber Response Plan has come out of the Presidential Policy Directive 41 that came out in July 2016. Basically, the Department of Homeland Security, in conjunction with the Federal Emergency Management Agency, has taken a lead in developing this National Incident Cyber Response Plan, which is going to basically outline how the Federal Government would respond to a cyber incident in this country.

Markus Rauschecker: [00:10:04:19] DHS and FEMA have been working with other Federal Government agencies, like the Department of Justice, or Department of Defense, as well as representatives from State and Local Governments, and they're getting a lot of involvement from the Private Sector as well. Critical infrastructure owners and operators, for example.

Markus Rauschecker: [00:10:22:06] It's really a multi-stakeholder effort that's underway here to update the National Incident Cyber Response Plan, to really outline how the government is going to respond.

Dave Bittner: [00:10:33:12] Now Markus, FEMA is taking a lead role in this effort. I think a lot of people would be surprised; you don't really think of FEMA as being a cyber agency.

Markus Rauschecker: [00:10:43:18] It might be surprising to hear that FEMA is a lead agency in developing the cyber plan. But, when you take a step back, you will see that the National Cyber Incident Response Plan actually will fall under the National Preparedness System, which is the national system for dealing with any kind of threats or hazards. It outlines, as a country, how we prevent and protect against threats, how we mitigate against them, how we respond to them and how we recover. It's this overarching framework that we have here, this National Preparedness System, and FEMA, of course, is a big part of that.

Markus Rauschecker: [00:11:16:16] I don't think it's too surprising to now see that FEMA is involved in developing this National Cyber Incident Response Plan, when that Cyber Incident Response Plan really is just a subset of this larger National Preparedness System.

Dave Bittner: [00:11:30:11] Alright. Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:11:41:09] My guest today is Jacob Ginsberg. He's the Senior Director of Products at EchoWorx, a provider of email encryption solutions and managed encryption services.

Dave Bittner: [00:11:43:16] With a new President headed to the White House in the US, we wonder what the transition could mean for the encryption debate, and how encryption affects our daily lives when it comes to protecting our privacy and our valuables in an increasingly connected world.

Jacob Ginsberg: [00:12:05:05] Obviously things are a little bit up in the air right now, at least in the US with the changeover of office happening right now in the Executive Branch. But, on the whole internationally, it looks like we might be at the beginning of a bit of a downswing,from my perspective. Assuming not from the law enforcement's perspective.

Dave Bittner: [00:12:26:13] What do you mean by a downswing?

Jacob Ginsberg: [00:12:28:06] From the perspective of myself, coming from the perspective of kind of a more privacy conscious citizen, I would say that a lot of the protections that are in place are in the process of being eroded.

Dave Bittner: [00:12:44:02] How is that happening?

Jacob Ginsberg: [00:12:45:22] Again, it's easy to speak globally for a second and then we can shift to the US, because the most recent example, I would say, comes out of the UK with the Investigatory Power Bill, which is not necessarily specific to encryption, but more with regard to privacy and mandates record collecting by ISPs, and removes the barrier of requiring a warrant to get at that information.

Jacob Ginsberg: [00:13:13:06] Then there's also little pieces in there about encryption and, as you know, talk seems to spring up whenever it can, whether it be in Canada, or the US also, about the government wanting to put in back doors and mandating access and things like that. Those calls seem to be increasing in both volume and frequency.

Dave Bittner: [00:13:32:01] Is it mutually exclusive? I mean, can you have strong encryption, but also have some sort of back door access for law enforcement?

Jacob Ginsberg: [00:13:40:06] I would say yes, they are absolutely mutually exclusive. You know, there's a couple of catchphrases that are thrown around. One of them is, today's back door is tomorrow's vulnerability. That's something that's generally well accepted in the security industry. There's little to no guarantee if a back door, or a mechanism for access is put in place, that it won't be exploited down the road by someone else. There's always that very real risk.

Dave Bittner: [00:14:08:09] We hear from law enforcement who say that they have real needs to be able to get at some of this data. You know, some of them really tug at your heartstrings, trying to solve murders of people and so forth. How do you respond to those kinds of stories?

Jacob Ginsberg: [00:14:29:14] Let me just say that I don't blame law enforcement or people in the intelligence community for wanting some of these tools like back doors. Everyone wants tools to be able to do their job more effectively. Assuming, of course, obviously, that everyone has everyone's best interests in mind, what they are interested in doing is helping people and capturing terrorists and criminals and whatnot. No blame, or anger is thrown their way.

Jacob Ginsberg: [00:14:59:13] But I guess the answer would be that, you know, no-one would argue that, if the police could go into a domicile, or a residence whenever they wanted without a warrant, certainly they would be able to catch more criminals and possibly even prevent more crimes. But we as a society have decided that that's too far and we've kind of drawn a line around, you know, protections and privacies.

Jacob Ginsberg: [00:15:25:17] It's not up to the police, it's up to the rest of us, as a public and to the courts and politicians, when you can depend on them, to kind of reinforce that line. It's a reasonable request from their perspective, but I would say that, given the scope of technology and people's digital footprint nowadays, it's a bit too far.

Jacob Ginsberg: [00:15:47:04] You know, this phrase that's banded about a lot of times in the US, you know, often in sad context, that freedom isn't free. A lot of time you'll see it on Facebook or something overlaid with a picture of caskets coming back from the Middle East of American soldiers or service members, and that's kind of generally the context that the quote is thrown around in. Again, this is a tragedy of course, as well.

Jacob Ginsberg: [00:16:14:20] But really, where I think it's most applicable is this context: if we want a free society and a free society is one where you're sure of your persons and property and there are protections around them in what you can say and not say, that that's the cost of freedom. There are going to be crimes that you can't solve; there are going to be murders that happen; there are going to be things that slip through the cracks.

Jacob Ginsberg: [00:16:40:12] It's difficult to say that to people who are tangentially involved, let alone victims. But that's my personal opinion: that's the cost of a free society, and that's really the proper context for that quote.

Dave Bittner: [00:16:55:00] When it comes to these sorts of things legislation inevitably lags behind the technology. Do you agree with that?

Jacob Ginsberg: [00:17:01:23] Yes, I agree with that 100%. It doesn't necessarily favor privacy or look unfavorably on technology; it can certainly cut both ways. I mean, that has been an aspect of the conversation for as long as law enforcement and technology have collided. That assumption is the basis of the All Writs Acts of the late 1700s in the US, that would allow courts to compel companies or bodies to act in a certain way; where there are gaps in legislations. 

Jacob Ginsberg: [00:17:36:13] The All Writs Act was, again, used as the basis of New York Telephone Company versus The United States in the Supreme Court decision of 1977. That is the framework for a lot of our surveillance and being able to look at pen registers for phone records, which is, again, used as a lot of the basis for email communications and digital surveillance today.

Jacob Ginsberg: [00:17:57:02] It is a really important issue and it's almost impossible to overstate its importance. This is a very real inflection point, potentially; in terms of our relationship with the data that we own and create and who we are and our governments.

Dave Bittner: [00:18:12:22] That's Jacob Ginsberg from EchoWorx.

Dave Bittner: [00:18:20:01] That's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:18:29:23] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody and thanks for listening.