The CyberWire Daily Podcast 2.24.17
Ep 293 | 2.24.17

SHA-1 is broken. Grizzly Steppe and Carbanak. M&A notes. Linux patched. Arrest in Deutsche Telekom hack. The insecurities of connected cars.

Transcript

Dave Bittner: [00:00:03:16] SHA-1 is broken for real. The Grizzly Steppe threat actor seems to have a lot in common with the Carbanak gang. Notes on Disttrack, also known as Shamoon. There's a Bitcoin exchange hit by DDoS. Linux patches an old vulnerability. Reuters says Symantec was in talks to buy FireEye but the companies backed away from a deal. An arrest in the Deutsche Telekom hack, and the vulnerabilities researchers found when they looked at connected cars.

Dave Bittner: [00:00:35:21] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out CyberSecJobs.com and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs, and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs: WakeMed is looking for an information systems security officer to help safeguard sensitive information. You'll find this and other great opportunities at CyberSecJobs.com. That's CyberSecJobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:39:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 24th, 2017. Every cryptographer who's been telling people to abandon SHA-1 can feel vindicated this week. Google announced the first successful collision attack against the algorithm. In the unlikely event you're still using SHA-1, well, please move to something better.

Dave Bittner: [00:02:05:03] TruSTAR looks at additional information on Grizzly Steppe that the US Department of Homeland Security has released. They found that its operators, by consensus Russian intelligence services, have much in common with the Carbanak gang, including not only code but also command and control infrastructure. This isn't to say that the Russian government wasn't behind the Grizzly Steppe operations, but it does suggest, again, the complexity of attribution. See, for example, NSA Director Rogers' recent comments on this attribution, essentially, "sure, the Russians went to work during our election." The Russian organs have long made effective use of criminal organizations, and this week Moscow revealed that its investment in cyber warfare and information operations has been larger than many defense intellectuals suspected. The level of effort deployed in information operations has especially raised eyebrows. Some say it exceeds even the propaganda campaigns the Soviet Union mounted at the height of the Cold War.

Dave Bittner: [00:03:03:08] Bitfinex, a major Bitcoin exchange, was hit earlier this week by a significant denial of service attack. The disruption occurred on Tuesday as Bitcoin's value was reaching new highs. There's been a pattern of such disruption when Bitcoin speculation is hot, and various black hats have said they've been hired to organize DDoS against larger exchanges, but no one seems quite sure of the motive. Bleeping Computer, for example, says it's an urban myth that smaller trading platforms hired digital button men to make their bigger rivals unavailable to drive trades their way.

Dave Bittner: [00:03:38:01] In patch news, the Linux project closes an 11-year-old vulnerability. A Google intern, Andrey Konovalov, discovered and disclosed it. He'll release a proof of concept exploit showing how an attacker could gain root access, probably next week, after people have an opportunity to patch. Many, perhaps most, analysts expect to see a round of consolidation in the security sector over the next couple of years, but it's not arriving all at once. Yesterday, according to Reuters, parties familiar with the negotiations confirmed that about six months ago Symantec had been in preliminary talks to acquire FireEye. Those negotiations came to nothing. This particular acquisition is now said to be off the table.

Dave Bittner: [00:04:21:08] A British subject has been arrested for last year's Deutsche Telekom hack. UK police collared the unnamed gentleman in London, executing a German warrant. The suspect is being extradited to Germany, where he'll stand trial for allegedly attempting to compromise Deutsche Telekom's service to recruit devices into a Mirai botnet. And finally, there was a fair bit of talk concerning automobile cyber security last week at RSA. We found the research particularly interesting when it touched on the risks associated with the increasingly connected and autonomous car, which you might think of as another big moving thing in the internet of things. Kaspersky looked into the security of Android apps used by seven car manufacturers. Three of the apps unlocked the doors; the other four not only unlocked the doors but started the engine too. This has, inevitably, been covered with screamer headlines saying car thieves can hack your car. It's not quite that bad, but the apps are vulnerable and their security, while more than zero, is still penetrable. The researchers singled out two particularly meretricious design practices they say are accidents waiting to happen: using either SMS messages or voice commands to control a car. IBM's X-Force also got into the act. They've determined that a lot of these convenient apps, like the ones that let you honk your horn to find your car in the crowded lot at Walmart, well, those apps continue to work even after you've sold your car. We leave the security issues of this as an exercise for the listener, particularly those listeners in the market for a pre-owned ride. So driver beware, especially if you buy your cars used.

Dave Bittner: [00:06:01:07] What would it take to get you into a compromised device today? This one had just one owner, a little old lady from Pasadena who didn't do anything with her onboard systems except click every link in the email she read on her tethered, unpatched Android phone. We mean, of course, Pasadena, California. The little old ladies of Pasadena, Maryland generally have mad hacking skills but, come to think of it, that might be a problem in its own right. One owner only. She just drove it to church on Sundays. Her grandkids said she did like to compile a lot of Python from the CAN bus, whatever that is. We think it's some kind of long sugar cookie. Did we mention that we finance?

Dave Bittner: [00:06:40:00] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and, of course, who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat protection. That's cylance.com, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:07:39:07] And joining me once again is Dr Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, welcome back. We wanted to touch base today about this notion, this push to have election infrastructure categorized as critical infrastructure. What can you tell us about this?

Dr Charles Clancy: [00:07:58:02] Yes. So right after the 2016 Presidential Elections and the controversy associated with potential Russian hacking, or so-called hacking of that election, the Department of Homeland Security decided to announce the designation of election infrastructure as one of the segments of critical infrastructure, which is a really interesting outcome. I think this is an opportunity for a potential investment in cyber security resources, for example, in R&D resources from DHS, to look at how we might design more secure election infrastructure. But it's been interesting that over the last couple of weeks there's been a lot of push back from States in particular, who feel as though this designation will somehow interfere with their ability to deploy and operate the election infrastructure that they have right now. So it's an interesting debate. I think one issue with it is that many of the other critical infrastructure sectors that are designated by DHS do not have Federal jurisdiction. For example, the telecommunications infrastructure is perhaps regulated by the FCC but not operated by the government. So I don't know that I quite agree with the States' opinion that it's federal overreach in terms of such a designation. On the other hand, I don't know that it really would have made any difference in the most recent election, given that the sort of alleged attacks against our election process had nothing to do with the voting infrastructure itself but rather the perception of the voters as they walked into the ballot booth.

Dave Bittner: [00:09:38:00] Many people look at the way that our election system is distributed among the States and the amount of control that the States have as actually being a feature of the system that makes it more resistant to broad-based hacking.

Dr Charles Clancy: [00:09:50:08] Indeed. That was, of course, one of the claims that the States made in their push back against the DHS finding that this should be critical infrastructure: that it's already a very distributed process that doesn't rely heavily on internet infrastructure but, rather, local jurisdictions making phone calls with election counts, sort of upstream to the State voting authority. So, as long as there's strong authentication in those processes, we'll be fine, but it'll be interesting. As we see in many technology sectors, the push to modernize involves more and more automation and reliance on internet-connected infrastructure. We'll have to see, as voting technology matures and States adopt more sophisticated techniques, whether or not that impacts the overall system's security posture.

Dave Bittner: [00:10:40:03] Alright. Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:10:46:24] Here's something of interest from our sustaining sponsor, Cylance. They're hosting a webinar next Wednesday, March 1st, in which they'll tell you how to cut through the risk confusion as they shed light on some common cyber misperceptions. Their discussion will lend some clarity to thinking about risk by describing the divergent perspectives people in different organizational roles bring to risk estimation. You'll find a registration link at cylance.com under events and webinars. That's cylance.com for an intelligent discussion of cyber risk, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:11:31:16] My guest today is Jason Porter. He's Vice President of AT&T Security Solutions, where he's leading a team that's taking part in a new IoT cyber security alliance. In addition to AT&T, the alliance includes IBM, Palo Alto Networks, Symantec and Trustonic.

Jason Porter: [00:11:49:06] We know that it takes a community to solve really important challenges like securing IoT. We need the best of breed when it comes to areas like managing devices and endpoints. We need leaders in security data and applications. We need people with the history of managing connectivity and understanding threats and how to manage those. Therefore, we formed this alliance to go after this challenge together as a community.

Dave Bittner: [00:12:30:21] So take me through what are some of the goals that you're hoping to achieve with the alliance?

Jason Porter: [00:12:35:20] Absolutely. As an alliance team, we are really focused on education, trying to understand really what are the most problematic issues facing IoT security and educating the industry and customers on what can be done to make IoT more secure, what those challenges are and how we might solve them. We also want to influence, over time, through that education, standards, policy and, potentially, regulations that ultimately help to make IoT security the forefront and standard in deployment. We also, obviously, where appropriate, will come up with solutions that really solve IoT security, and we're looking at it largely from a vertical viewpoint. Take industrial IoT; that is very different than, say, connected car or wearables. Each community has different challenges, different attack vectors, a different attack surface that we've got to be able to understand, and we have to communicate those challenges, communicate solutions and even potentially develop solutions for them.

Dave Bittner: [00:14:18:08] So take me through the process of how the group is planning to work together?

Jason Porter: [00:14:24:08] So we work very much like our foundries. We took the model of our AT&T foundry model. At the foundries we bring a collection of really talented folks together to work on solving problems and so, in this situation, we're bringing together a targeted community, and we'll get together and bring in customers who have real needs and issues and, between that community, understand what are the highest priority items that we need to go solve and really work collectively. In agile development terms, it's like a scrum team working together to go solve a problem.

Dave Bittner: [00:15:20:08] And from the outside, for those of us keeping tabs on what you all are up to, will you be publishing? How do we track your progress?

Jason Porter: [00:15:31:11] Absolutely. We do have milestones. We haven't published our milestones, obviously, but you can expect to hear from us. We will be publishing results, we will be communicating research so that it's really there for the broader industry's benefit and, obviously, you'll start to hear more about our next steps. Whether it's moving towards standards or solutions, you'll continue to hear a steady drumbeat of that. You'll also hear about us expanding the alliance because, as we continue to move forward, we expect that we will need to bring in more members who can help us fill gaps and solve special challenges. Take defibrillators in healthcare, or insulin pumps, or oil rigs, right? We're definitely going to need to expand our expertise in these other areas as we continue to solve and tackle new challenges.

Dave Bittner: [00:16:47:21] Looking at the list of participants in the alliance, it strikes me that there are areas where some of you are probably healthy competitors with each other. Why do you think it's important for organizations to join together as a community to try to tackle these big problems?

Jason Porter: [00:17:07:17] This is one of those areas that really is beyond competition. We've got to go solve the industry problems for our economy, for end customers. We really need to not be encumbered by traditional competitive lines and really go solve problems. As you mentioned, some might view some of our participants as competitors, but in this environment we're all committed to go solve challenges that we think raise the collective boat or raise the opportunity for the industry as a whole, protecting financial integrity and physical safety in many cases. Not every company can invest at the levels of the alliance team members to go and tackle cyber security at this scale. So we really need to help support companies that maybe don't have those resources, don't have data scientists and threat platforms and multiple SOCs and analysts. So, really, it's an obligation of those who do to participate in these kinds of alliances to help protect maybe those with more limited resources.

Dave Bittner: [00:18:40:04] That's Jason Porter. He's Vice President of Security Solutions at AT&T.

Dave Bittner: [00:18:48:11] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. While you're there you can sign up for our daily news brief, delivered to your email. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how they can protect you from cyber attacks, visit cylance.com. Be sure to check us out on Twitter and Facebook and LinkedIn and, if you have the inclination, we would really appreciate it if you would take the time to leave a review on iTunes. It really does help people find the show. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody. Thank you for listening.