The CyberWire Daily Podcast 3.8.17
Ep 301 | 3.8.17

WikiLeaks and Vault 7.

Transcript

Dave Bittner: [00:00:03:02] It's all WikiLeaks all the time, we're afraid. So batten down your smart TV, stop hyperventilating (if you're the excitable kind) and listen to reports and speculation about the latest from Mr. Assange.

Dave Bittner: [00:00:21:06] Time to take a moment to tell you about our sponsor, the good folks over at CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out cybersecjobs.com and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume, and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. You'll find this and other great opportunities at cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:17:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, March 8th, 2017.

Dave Bittner: [00:01:27:08] The news today continues to be all about WikiLeaks and its Vault 7 document dump, which purports to contain CIA cyber espionage documents, plans, and exploits. WikiLeaks, the organization led by gadfly Julian Assange from his refuge inside Ecuador's London embassy, has issued a self-congratulatory press release about Vault 7, saying that it's now got "the majority of the CIA's hacking arsenal including malware, viruses, Trojans, weaponized 'zero day' exploits, malware remote control systems and associated documentation." This of course is a large claim.

Dave Bittner: [00:02:04:22] Most of the people in a position to assess the plausibility of WikiLeaks' claims think, initially, that the material was probably really obtained from the CIA. (Among those who've offered their opinion is as you'd expect Edward Snowden, who's said from his Moscow perch that it looks like the real goods.) How that material was obtained is so far unknown: WikiLeaks won't be telling, and US counterintelligence and criminal investigations will take some time to sort out what happened.

Dave Bittner: [00:02:32:24] Some 930 megabytes of data - or roughly 900 documents, if you prefer to count them that way - are said to be in Vault 7. The targets discerned among them include Android, iOS, MacOS, Windows, Linux, and a variety of Internet-of-things families. Some observers are struck by the prominence of iOS hacks in the dump. Apple has said that most of the vulnerabilities Vault 7 indicates were exploitable had already been patched by the time WikiLeaks revealed them.

Dave Bittner: [00:03:00:17] Assuming that the leaked material is legitimate, several speculative conclusions suggest themselves. First, it's unsurprising, despite the screamer headlines, that the CIA uses cyber espionage tools in its intelligence collection. It's also unsurprising that it cooperates with intelligence services in the other Five Eyes: the United Kingdom, Australia, Canada, and New Zealand. The documents do suggest a great many devices have been and can be hacked (and some in the security industry express concern that criminals will be able to exploit the revelations), but they don't appear to show the sort of global skeleton key into every encrypted system that some hasty reporting has claimed. The Intercept, not a publication to cut the US Intelligence Community much slack, points out that the documents don't show that secure messaging apps have had their encryption broken, but rather that smartphones can have spyware and keyloggers installed on them, which isn't quite as alarming, or at least quite so novel.

Dave Bittner: [00:03:58:15] There's also less than meets the eye in some of the more spectacular hacks the dump claims to reveal. Graham Cluley offered some useful perspective on his blog. Weeping Angel, for example (apparently named after a Doctor Who character), has excited a lot of alarm because, well, who wants their Samsung smart TV spying on them? But Weeping Angel is installed from a USB drive, not remotely, and not, apparently, in the factory or elsewhere in the supply chain. If you've got a Weeping Angel in your TV, presumably you've also had a CIA bagman in your rec room to install it.

Dave Bittner: [00:04:32:18] Ars Technica, in a sauce-for-the-ganderish mood, reviews CIA's eye-rolling over their NSA sisters' Equation Group mess. The material in WikiLeaks' Vault 7 does suggest that the CIA has significant cyber espionage capability, possibly more than most would have suspected, given that NSA is typically regarded as the lead US cyber intelligence agency.

Dave Bittner: [00:04:55:05] Needless to say researchers across the security industry are sifting through the Vault 7 documents. One of them is Jim Walter, Senior Research Scientist with Cylance.

Jim Walter: [00:05:05:05] One of the interesting parts specifically is that some of the examples that they're citing, or utilizing for some of the malware implantation, are examples of techniques used by known malware that they're embracing with some of their own tools and technologies. So certain things stand out like that as we comb through the material. We, like most others, are still digging through it to find those interesting bits.

Dave Bittner: [00:05:32:10] So does having this list of techniques available now, does having that information itself represent any sort of new threat?

Jim Walter: [00:05:40:07] I wouldn't say so. I think a lot of things that are covered in here technically are also known in the wild malware families already. Some of the information is directly pulled from already known and familiar malware families. There's very limited, if any, "new information." Also a lot of it has been redacted or removed as well. So this is not by any stretch a complete leak and there are obvious sections where some of the juiciest or sexiest details have purposely been removed.

Dave Bittner: [00:06:20:00] I think to the general public the reporting that's been out there is sort of focused on this notion that perhaps my television is spying on me. For the people out there who are seeing those reports, what advice would you have for them?

Jim Walter: [00:06:35:11] Well, it's definitely good to be aware of the technologies that are in your home and in your surroundings and what surveilling capabilities of those technologies may or may not be. Chances are most of the average folks are not necessarily going to be targets of the tools that are outlined in these documents. Having said that, heightened awareness is always a positive thing, so being aware of it is good, knowing how to take control of it is good, but put it in context of your day to day life and try to talk yourself down a bit if you're not a likely target of these operations.

Dave Bittner: [00:07:16:21] That's Jim Walter from Cylance. How the material exited the CIA is so far unknown, but tracking down the leak or leaks will keep investigators employed for some time.

Dave Bittner: [00:07:28:11] The serious security failure also represents the first crisis for the new Director of Central Intelligence. So welcome to Langley, Mr Pompeo.

Dave Bittner: [00:07:37:23] Among the problems he'll have to deal with in addition to the obvious counter-intelligence ones, is the plausibility Vault 7 is now lending to those who wish to maintain that Cozy Bear and Fancy Bear were really just CIA provocations all the time. The section of the Vault that has given rise to those specious and probably too-good-to-be-true aha moments is one called "Umbrage," which details how the Agency could run false flag operations.

Dave Bittner: [00:08:03:24] Another problem the CIA, the US Intelligence Community, and the US security and IT sectors as a whole will have to deal with is the probable suspicion the dump will arouse about Silicon Valley's products in general.

Dave Bittner: [00:08:15:22] Julian Assange, by the way, says he's under cyberattack, and he may well be.

Dave Bittner: [00:08:21:02] We'll have more reactions to Vault 7 over the course of the week.

Dave Bittner: [00:08:25:04] You'll find links to non-WikiLeaks news in today's CyberWire Daily News Briefing - do go and read about phishing at the Securities and Exchange Commission, various arrests and court settlements, and cyber policy moves in China, Australia, Canada, India, and elsewhere. While we're doing this bit of self-reference, may we also mention that the CyberWire is up for a people's choice award from Maryland Cyber? You can vote for us at mdcyber.com/peoples-choice-award. They'll take votes from you even if you're not in Maryland - so whether it's Virginia, California, New York, Manila, Mumbai, London, Birmingham (the Midlands or Alabama) or Paris, come on over and vote.

Dave Bittner: [00:09:05:04] Taking a look at our events calendar, here are three events worthy of your consideration. Booz Allen is holding a recruiting event in Tysons Corner, Virginia, on March 15th - they invite "innovators, designers, and coders" to attend. On March 20th the security community will reconvene at its Jailbreak watering hole (a physical watering hole, not the bad, hacking kind) in Laurel, Maryland to talk with Novetta about Ethereum and Graph databases. And on March 22nd, you can join ThreatConnect for a webinar on finding what size threat intelligence fits your enterprise. You'll find links to all these on our Event Tracker.

Dave Bittner: [00:09:41:19] Finally, to return to Weeping Angel, we'd like to reassure one of our stringers, a notorious Luddite and tightwad, who's convinced Lovie Howell was "looking at him funny" as he watched Gilligan's Island reruns on Antenna TV awhile back. (This is the sort who keeps two TVs - one with broken sound, one with broken picture - so the shows can be watched.) First of all, Weeping Angel only works on smart TVs, so your cathode-ray-tube model is probably safe. Second of all, Lovie ALWAYS looks at people funny - you would too, if you were married to Thurston Howell III.

Dave Bittner: [00:10:19:16] Time for a message from our sponsor, Netsparker. You know when you want automated security you want it to be - wait for it - automatic. Well, Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites, and other solutions need a lot of human intervention. For example, with other scanners you have to configure URL rewrite rules to properly scan a website. Well, not with Netsparker. They say it's the only scanner that can identify the setup and configure its own URL rewrite rules. Visit netsparker.com to see how Netsparker's no-false-positive scanner frees your security team to do what only humans can. Don't take their word for it. If you'd like a free trial, go to netsparker.com/cyberwire and you'll get a 30-day fully functional version of Netsparker desktop. Scan your websites with no strings attached. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:11:23:03] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You wanted to tell us today about some changes that you all are seeing when it comes to DDoS.

Dale Drew: [00:11:33:23] You know, it's interesting, we're seeing the bad guys actively modify their tactics in how they're extorting and how they're attacking sites using DDoS. So volume-based attacks are so yesterday, they're so last week. So a lot of bad guys are beginning to migrate to three new attack techniques. Some of them are very emerging and some of them are getting a lot of maturity on a very short time frame. So for the gaming industry we're seeing attacks called micro-burst attacks, and it's pretty specific to the gaming or financial industries. These are attacks that are about ten seconds to 30 seconds in length.

Dale Drew: [00:12:16:10] So most of the DDoS-scrubbing capability, most of the DDoS-scrubbing infrastructure that is set to analyze attacks and set to help catch large volumetric attacks, can't handle a very quick microburst attack. But it's enough to reset gaming sessions. So if a bad guy does that enough, gaming consumers will stop using the game and go to another game that's more stable. They're seen to have a lot of affected impact.

Dale Drew: [00:12:46:03] The other one is - and this is a bit of an evolution of a pre-existing attack, but it's more application related attacks - and this is where we're seeing bad guys do a tremendous amount of research in the application environment of their target, mostly on the Fortune 1000 side where they believe they can get a bit more extortion revenue out of that target. But they're really analyzing the weaknesses in their target's application portfolio and then custom-writing attacks that are specific to that application portfolio.

Dale Drew: [00:13:18:22] So these are attacks that are going after being able to consume resources and capability of the applications that take away resources from legitimate users, whether it's database queries, whether it's encryption attacks, whether it's a form posting attacks. The things that are much more customized towards their victim.

Dale Drew: [00:13:39:05] And then the last one is we're seeing a lot of attacks that are volumetric, but with regards to IP addresses, and this is mostly in an Internet-of-things attack like a Bashlite or Mirai. A lot of ISPs, as an example, and a lot of scrubbing capabilities are scaled to handle thousands of IP addresses or even tens of thousands of IP addresses, but not hundreds of thousands and definitely not millions. So we're seeing where bad guys are coming from a significant number of sources, and that is overwhelming the capability of these infrastructures to be able to even build a list big enough to be able to prevent all the IP addresses coming and hitting the platform.

Dave Bittner: [00:14:22:03] So the arms race continues. Dale Drew, thanks for joining us.

Dave Bittner: [00:14:28:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you and your systems, visit cylance.com.

Dave Bittner: [00:14:39:22] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, technical editor is Chris Russell, our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.