Grid hacking in Ukraine? German terror investigations. Airliner vulnerability dispute. NIST wants post-quantum crypto standards. Project Wycheproof. Wassenaar update.
Dave Bittner: [00:00:03:17] Ukraine investigates Saturday's power outages amid speculation it might be either a demonstration or misdirection. German police track terrorists' spoor online. Pakistani hackers hit Google's Bangladesh domain, possibly for the lulz. Speaking of the lulz, OurMine is back and messing with Twitter accounts. NIST is looking for some post-quantum standards. Wassenaar renegotiation goes on hold. And the ShadowBrokers offer a low, low price for Equation Group code, if you act now.
Dave Bittner: [00:00:38:16] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough.
Dave Bittner: [00:01:02:02] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:47:03] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, December 21st, 2016.
Dave Bittner: [00:01:53:17] Ukraine continues to investigate Saturday's apparent cyber attack on the electrical utility serving Kiev and its environs. Authorities, who say the outage was remediated in less than an hour and a half, disclosed the incident yesterday. There's no confirmation yet that the outage was due to a cyber attack although suspicions are running high.
Dave Bittner: [00:02:12:05] Last December's grid disruption in Western Ukraine is generally believed to have been the work of Russian intelligence services but there's no attribution so far of this latest incident. F-Secure's Mikko Hyppönen speculated in an interview with Reuters that if this is indeed a cyber attack, it could have two purposes. It might be either a show of power, aimed at driving home the message that Ukraine's government can't protect its citizens or it could be serving as misdirection and cover for some other as yet unknown or undisclosed operation.
Dave Bittner: [00:02:43:01] German police pursue suspected terrorists' online trail as ISIS claims responsibility for the murders committed at the Berlin Christmas market. ISIS appears to be concentrating its recruiting effort on children. One 12-year-old is suspected of building a nail bomb for use against "Crusader" targets. Much Caliphate current chatter appears to fantasize about attacking Christians observing Christmas.
Dave Bittner: [00:03:07:05] In the Subcontinent the "Team Pak Cyber Attackers" deface Google's Bangladesh domain with a security awareness taunt. The incident seems more skid caper than patriotic hacktivism or any other serious attempt on Bangladesh networks by a regional rival.
Dave Bittner: [00:03:24:01] OurMine is back, hacking a Netflix Twitter account and other high-profile online identities. OurMine is thought to consist of a small group of youths with one of the leaders possibly operating out of Saudi Arabia.
Dave Bittner: [00:03:38:01] Panasonic denies with some heat an IOActive report that Panasonic in-flight entertainment systems could compromise airline passenger data or even open flight control systems to interference. IOActive stands by its claims.
Dave Bittner: [00:03:53:12] After last week's disclosure of Yahoo!'s second major breach, Verizon is rumored to be reviewing its planned acquisition of Yahoo!'s core assets. What Verizon eventually does is likely to set significant precedents in M&A activity.
Dave Bittner: [00:04:08:08] Incident response plans for cyber security breaches are kind of like smoke alarms and fire extinguishers. You hope you'll never have to use them but if you do, you'll be really glad you have them in place. We heard from Sam McLane from Arctic Wolf about good IR planning and what's often overlooked.
Sam McLane: [00:04:24:18] The real keys revolve around sort of three areas. They're promote, plan and then practice and what I'm talking about there from a promotion perspective is start with executive buy-in. If you are a security person, a CISO or even just a security manager and you don't have an executive sponsor to help promote the plan within the company, when the rubber hits the road and you actually need to draw from other people, you need a legal representative or someone from HR, you need to pull more of the IT team in, you then have to go sort of barter to get their time slices.
Sam McLane: [00:05:01:20] And that should be all set up beforehand. Everyone should understand the requirements, their roles within an incident response plan. And that goes to the planning piece which is, have it written down. This is not a large effort. There's probably a couple of week's worth of work getting everything written down. And then you maybe have a meeting once a quarter or once every six months with all the constituents so that they just understand, "Hey, here are the changes in the plan," maybe someone in HR has left and you need to get a new representative. But keeping that fresh even at a semi-annual rate is good enough so that when it does happen, it's not like you're scrambling.
Sam McLane: [00:05:40:18] And then practice. At least once a year you should do some kind of a drill where you go in, you get an incident and you run it to ground. And we participate in those all the time. Some people call them table-top security exercises where our champion at a customer will say, "Hey, I need you to, to fake a ransomware incident." And so we'll call our escalation chain within the customer, everyone knows it's happening but then they follow the correct procedures and we go through initial response, remediation steps, postmortem, documentation, walk through the whole thing for customers. And those three things are sort of the basic foundational aspects of having a proper incident response plan.
Dave Bittner: [00:06:22:01] And so what are some of the areas that people tend to overlook?
Sam McLane: [00:06:25:20] So the biggest thing that we found is just maintaining good documentation. In mid-sized companies, the people that are actually going to execute different aspects of your incident response plan change quite frequently. They either get promoted, they move departments or they just turn over and so you wind up having someone new in a job that's never even heard of the incident response plan. And we call them as your front-line help-desk person and say, "Hi, this is Sam from Arctic Wolf, so-and-so just got phished and here's the user name and here's the workstation ID." And they have no idea what to do.
Sam McLane: [00:07:01:09] And so we have to walk them through it and we coach them but that sort of keeping people trained, keeping people up to date, just understanding who owns what in that is probably the biggest problem. Because at the end of the day, if it's a significant enough security issue, you'll be able to get the right people and you'll go do the work and it'll just happen. It's just how much pain do you want to go through when it occurs.
Dave Bittner: [00:07:26:03] That's Sam McLane from Arctic Wolf.
Dave Bittner: [00:07:30:04] In the US, the National Institute of Standards and Technology has asked cryptographers for input on information security standards in a post-quantum computing world. The Institute's "Call for Proposals for Post-Quantum Cryptography Standardization" is available online in the Federal Register. Quantum computing is seen as posing a possible fatal threat to the widely used public-key cryptographic systems that protect banking and other online transactions. NIST hopes to be able to replace its three cryptographic standards most vulnerable to quantum computing.
Dave Bittner: [00:08:03:03] The week has seen another cryptographic initiative, this one from the private sector. It comes in the form of Google's Project Wycheproof which aims to help developers avoid replicating vulnerabilities in open source cryptographic libraries. We heard from security firm Synopsis on Project Wycheproof and they approve. Adam Brown, Synopsis Security Solutions manager, said, quote, "This is great for developers who have considered security in the first place to make sure they get encryption right. In our testing activities in the field where we take a data centric approach, we frequently see weak encryption or no cryptography at all," end quote. This is, he thinks, especially a problem in back-end systems interacting with data stores.
Dave Bittner: [00:08:45:19] Wassenaar renegotiation will be deferred and in the US that means it will be left up to the incoming Administration. The two-year effort to revise the agreements has adjourned without reaching consensus. The major sticking point is the regime's language about intrusion control software, which most in the security industry think would severely limit legitimate and indeed essential white hat security research.
Dave Bittner: [00:09:09:16] And finally the ShadowBrokers' English hasn't improved even to the point of broken plausibility but we suspect that may be in the Brokers' eyes a feature and not a bug. As the Grugq has noticed, "These guys are hilarious." Equation Group code is still being offered at a deep, deep discount if you act now but few observers think the ShadowBrokers are activists interested in sticking it to the man or as the Brokers would put it, Wealthy Elite, still less that they're actually interested in this as a commercial venture, however often they describe what they're up to as a "business."
Dave Bittner: [00:09:42:16] As far as the retail discounting is concerned, with apologies to Madman Muntz, it seems unlikely that the boss is on vacation and they've all gone crazy. Consensus has come to regard the ShadowBrokers as a Russian intelligence operation and we know for a fact that Vladimir Vladimirovich can be reached even if he's relaxing at his dacha. Stay off Ded Moroz's naughty list, Vlad, and do say hello to Snegorochka for us.
Dave Bittner: [00:10:12:07] Time to take a moment to tell you a little more about today's sponsor, Recorded Future. I know you've heard of Recorded Future. I talked about them earlier in today's show. The real time threat intelligence company. Their patented technology continuously analyzes the entire web to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization.
Dave Bittner: [00:10:39:18] Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring today's show.
Dave Bittner: [00:11:17:04] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you know, we, we had this story come by recently about the AdultFriendFinder hack. One of the things that caught my eye about that leak of credentials was, there was a not insignificant number of addresses that were .gov and .mil addresses.
Joe Carrigan: [00:11:38:21] Right. Right. What an opportunity for someone who might have their hands on the OPM breach data?
Dave Bittner: [00:11:46:22] You know, and obviously, you could have extortion, you could have espionage, all those sorts of things. But in this day and age, I thought we'd touch on just this notion of having burner email addresses.
Joe Carrigan: [00:11:57:09] Absolutely. If you're going to do something like this, there's no reason at all to use a .gov or .mil email address. I have a .edu email address and I send my wife emails from it, and still feel a little bit funny doing that because I have a Gmail address and a Yahoo! email address, and if I needed an email address for something that was of a temporary nature, it's easy enough to go out and create another email address on one of these providers.
Dave Bittner: [00:12:28:17] Yes, a Gmail address is free, a Yahoo! address is free.
Joe Carrigan: [00:12:30:17] Yeah, for free.
Dave Bittner: [00:12:32:10] You can have them forward to your primary email address.
Joe Carrigan: [00:12:36:11] You can actually even set them up so that you can read them on different email clients. You don't have to use their web client. You can use, use an email client of your choice.
Dave Bittner: [00:12:47:00] So, but there really is a security aspect to this as well. There might be situations where you need to create an account at somewhere where maybe you're not 100% sure that this is something you're either going to stay with for a long time or even you might have a funny feeling about them, that might be an opportunity to use a burner address as well.
Joe Carrigan: [00:13:03:05] Exactly, exactly. Or you could do as I do frequently and as I actually talked my Mom into doing at one point in time and that is just set up an address for all your affinity programs. So that you have an inbox where somebody says, "What's your email address?" and you give them, "It's email@example.com." [LAUGHS]
Dave Bittner: [00:13:24:04] Yes, right. Okay, right. So anywhere where you think you're likely to be spammed, that'd be great. Have a spam catcher email.
Joe Carrigan: [00:13:33:20] So it's just a black hole that you never check or maybe you do check but you just go in there, just select all, everything and delete it and move on. Because it's not an email address where you would ever expect any actual communication to come from.
Dave Bittner: [00:13:45:01] But the bottom line is, don't use your official email addresses for any of these.
Joe Carrigan: [00:13:51:09] For AdultFriendFriender. No, don't do that.
Dave Bittner: [00:13:52:13] Yes, not a good idea. Nothing good can come of that.
Joe Carrigan: [00:13:55:07] No good can come of that.
Dave Bittner: [00:13:55:21] It can come and get you in trouble. Alright, Joe, good talking to you.
Joe Carrigan: [00:13:59:06] It's my pleasure, Dave.
Dave Bittner: [00:14:02:24] And that's the CyberWire. Today marks a milestone for us. It's the first anniversary of the CyberWire Daily podcast's soft launch. We were producing the show but not really telling anybody yet, testing things and trying to figure out what worked. A special thanks to those who participated in the more than 500 interviews we've been able to include in our programming. On the day we first podcast we had three downloads. A year later, it's, well, a lot more than that.
Dave Bittner: [00:14:28:18] So as always but especially today, thanks for listening.
Dave Bittner: [00:14:32:23] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our Social Media editor is Jennifer Eiben. Our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner.