The CyberWire Daily Podcast 3.13.17
Ep 304 | 3.13.17
Vault 7 updates—observers speculate about an inside leaker. Pre-loaded Android malware raises supply chain concerns. Ransomware in Japan. Convincing Chrome-spoofing malware. GCHQ warns UK parties to expect Russian influence operations.
Transcript

Dave Bittner: [00:00:03:12] Vault 7 speculation holds the leaker was an insider, but there's no specific insider named, yet. Supply chain security issues are raised by both Vault 7 leaks and discovery of preloaded malware in some Android devices. Bitcoin won't get its own ETF, yet. Japanese companies willingness to "pay to make it go away" is seen playing into the hands of ransomware extortionists. And GCHQ warns Britain's political parties to expect Russian influence operations in the general election.

Dave Bittner: [00:00:39:20] I want to take a moment to tell you about our newest sponsor, Dragos - the ICS security practitioners who offer protection for industrial systems along three axis: technology, people and intelligence. If you operate the infrastructure that keeps communities running, you should know about their services. They create technology that keeps power running, water flowing and oil and gas getting safely where it needs to go. Dragos offers the first industrial cybersecurity automation platform. Its Threat Operations Center delivers industrial control systems specific threat intelligence. And if you need incident response or threat hunting services, Dragos has those as well. To find out more, visit dragos.com. They brought the world's leading industrial security professionals into a healthy ICS ecosystem. Check out their new white paper, "Insights For Building an ICS Security Operations Center". It's a valuable perspective you won't find elsewhere. Again, that's dragos.com. We thank Dragos for sponsoring the CyberWire, and we welcome them to the show.

Dave Bittner: [00:01:53:18] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 13th, 2017.

Dave Bittner: [00:02:03:21] The Vault 7 leaks look more as if their ultimate source was an insider. Former CIA Deputy Director Mike Morrell expressed no doubt over the matter in appearances on weekend talk shows. "The material could only have come," he said, "from strictly controlled and segregated internal networks." The effectiveness of such control and segregation seems not to have been called into question. Observers note a disturbing progression - Snowden, Shadow Brokers, Martin, and now persons unknown - that some say casts doubt on the US Intelligence Community's security posture. This induces some, like Vice News, to think a contractor was behind the leak, but that's a priori speculation only. The investigation is in its early stages, and the speculation is coming from informed outsiders, but outsiders still.

Dave Bittner: [00:02:52:13] It seems there's been no large-scale leak of the hacking tools mentioned in Vault 7, so far. There's also been no visible movement, yet, on WikiLeaks' promise to work with software vendors in a responsible disclosure program to enable them to close those zero-days.

Dave Bittner: [00:03:09:06] Exploitation attempts against vulnerable Apache Struts deployments continue, but Rapid7 reports that malicious traffic is down. Patching Apache Struts remains a good idea if you’re an enterprise user.

Dave Bittner: [00:03:22:12] Check Point warns that it's detected pre-loaded malware in 38 Android phone models, two unnamed companies issued to employees. The manufacturers were not, Check Point says, responsible. Rather, the bad code appears to have been introduced "somewhere along the supply chain." This is a different matter from other episodes of pre-loaded malware, which have tended to be traceable to the devices' point of origin.

Dave Bittner: [00:03:48:02] Looking to our CyberWire events calendar, we have two events worthy of your consideration. Booz Allen s holding a recruiting event in Tysons Corner, Virginia, this Wednesday, March 15th. They invite "innovators, designers, and coders" to attend. This Thursday, March 16th, you can join Delta Risk for a webinar on six lessons learned from hunting advanced cyber criminals. You'll find links to register for both on our Event Tracker, at thecyberwire.com/events.

Dave Bittner: [00:04:17:07] Malware Hunter reports finding a new and unusually persuasive paycard information stealer. The malicious app, "Betaling," passes itself off as the Chrome browser, and it's a pretty convincing spoof, at least insofar as look-and-feel are concerned, even down a little reassuring https lock in the corner.

Dave Bittner: [00:04:37:11] Bad news for Bitcoin arrived Friday, as the US Securities and Exchange Commission turned down an application to establish the Winklevoss Bitcoin Trust, which would have been the world's first Bitcoin exchange traded fund. The SEC denied the proposal, essentially, because of fears that the fund's value would have been too dependent on unregulated Bitcoin actors outside the reach of US law and regulation, and therefore could have been too susceptible to manipulation. Value of a Bitcoin dropped from about $1300 to around $1000 on the news.

Dave Bittner: [00:05:11:23] Bitcoin's underlying blockchain technology, however, has uses and applications outside the narrow confines of that cryptocurrency. You can learn more about blockchain and related technologies next Monday, March 20th, when the security community reconvenes at its Jailbreak watering hole - and that's a physical watering hole, a craft brewery - in Laurel, Maryland to talk with Novetta about Ethereum and Graph databases. We checked in with one of the presenters, Novetta Blockchain Analyst Dr. Corey Petty, for a preview of his presentation.

Dr. Corey Petty: [00:05:44:14] The Ethereum aspect of what I'm talking about is really about how people interact with the businesses that you create, and trying to understand a new framework of how you build that up in regards to trust. So, how you trust your customers, how your customers trust you, and then how they then interact with the product that you create for them. Ethereum opens up a lot of different ways in which you can do that, that aren't based on the traditional client server model of things.

Dave Bittner: [00:06:10:20] For people who don't know what smart contracts are, can you give us an overview of what that means?

Dr. Corey Petty: [00:06:16:07] A smart contract can be thought of as a robot. A smart contract is just the term that they came up with for historical reasons, but for a high level purpose, it's programing functionality into something that is going to be embedded and then it can't change, and then you can interact with that functionality, much like a robot. So you would program up a robot, give it some type of function - it can do a certain amount of things, it can handle money - and then you set it out into the wild and then you interact with that robot at your whim, and other people can also interact with that robot. That's the easiest way to absorb what a smart contract does. So you create these things, you write up a contract with various functions to do some task, and then interact with it.

Dave Bittner: [00:06:58:12] What are the advantages of a smart contract over a traditional pen and paper kind of contract?

Dr. Corey Petty: [00:07:05:07] A lot of it is that it's written in code, and how it works after being deployed, it will always work that way. It can't be changed. And if it does change, you know that automatically. A big part of what blockchain promises is this idea of auditing as well as transparency. So what you're interacting with and how you're interactive is very easy to see, easy to understand, and you know that it hasn't changed since the last time you used it. I think it's important to share that this technology is very new. A lot of people hear a lot of buzzwords around blockchain, Bitcoin, Ethereum and it's this panacea to solve a lot of problems and we're not there yet. It's opening up a lot of doors, but it's at a very infrastructure level. So you need to build a lot of things on top of infrastructure before you have an end product.

Dave Bittner: [00:07:49:05] That's Dr. Corey Petty from Novetta. He's also the host of the Bitcoin Podcast. Network analyst, Chris Andreasen will be presenting on graph databases as well. You can find a link to the event in the CyberWire's Event Tracker. Or visit w3.novetta.com/techtalk.

Dave Bittner: [00:08:09:16] The Japan Times laments ransomware's local successes. The country's enterprises have seen a wave of targeted ransomware, and Japan Times thinks they're caving in too quickly because of a strong tradition of what the newspaper calls "pay to make it go away."

Dave Bittner: [00:08:26:04] GCHQ warns British political parties of coming Russian attempts to influence elections. Ciaran Martin, chief executive of GCHQ's National Cyber Security Centre, the NCSC, wrote to Parliamentary leaders requesting a meeting during which the intelligence service could brief them on the threat of Russian online influence operations. He characterized the risk as the "potential for hostile action against the UK political system." He cautioned that it's not only the political parties networks and systems that are at risk, but that attacks could extend to "parliament, constituency offices, think tanks and pressure groups and individuals email accounts.” Martin clearly expects Russian influence operations to follow the template suggested by the DNC hacks during the last US election cycle.

Dave Bittner: [00:09:17:09] Finally, since we're talking about elections, we'd like to ask you for your vote. For us. Honestly, without any influence ops. As finalists for this year's Maryland Cybersecurity Industry Resource Award, we're also up for the People's Choice Award, and if you're a fan of the CyberWire, we'd appreciate your support. You can cast your vote at thecyberwire.com/vote through March 22nd. And you don't need to be in Maryland, or even in the US, to do so. That's thecyberwire.com/vote. You know what to do.

Dave Bittner: [00:09:53:22] Time to thank our sponsor Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. With the adoption of Software as a Service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks integrated platform provides detailed Software as a Service visibility and granular control, data governance, automated risk remediation and malware prevention. So organizations can achieve complete cloud security even in SaaS applications. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and Software-as-a-Service environments. Because secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:10:53:01] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, there is this ongoing debate about end to end encryption. You wanted to bring us up to date. What are your thoughts on it where it stands right now?

Dr. Charles Clancy: [00:11:09:18] Indeed the topic got a lot of attention about a year ago with the Apple versus FBI lawsuit, and the efforts to get Apple to reveal, or to hack their own device in order to provide information to the FBI to support law enforcement. And the debate has had its ups and downs since then, with the number of different pieces of legislation introduced Congressionally from both extremes. Operators of telecommunication infrastructure and services must have the ability to provide keys to law enforcement under any circumstance to the other end, which is very much on the civil liberties and privacy side, that prohibits such activity by telecommunications providers. We're still waiting to see where Senator Warner's proposal for a 9/11-style commission to actually do a thorough analysis of the topic goes. I think one of the interesting things is that this is not a new debate. We had this debate back in the 1990s with the Clipper chip and many of the proposed approaches, which include things like key escrow and use of threshold cryptography, have split up master keys among multiple organizations, so no one entity has supreme power for decryption.

Dr. Charles Clancy: [00:12:24:18] It was sort of tested public opinion back in the 90s and really not found to be really favorable outcomes. So, as these efforts move forward, it will be interesting to see if we come to a different conclusion this time around. Perhaps since 9/11, the security versus privacy pendulum has swung in the other direction. Although, perhaps since Snowden, it's swung back the other way? I guess my point, though, is that there really are no new technologies on the table. The technologies that are being proposed now are the same technologies that were rejected back in the 1990s. It'll be interesting to see as the debate continues, whether or not that we'll really make any progress on this issue.

Dave Bittner: [00:13:00:24] What are you seeing in terms of what direction the Trump Administration may take with this issue?

Dr. Charles Clancy: [00:13:06:14] That's a great question. Obviously, there's a strong push towards law enforcement and National Security within the Trump Administration. Really all we've seen so far, though, out of the Trump Administration are reports that different federal agencies are using end to end encryption as part of their ability to coordinate internal protests against the new administration, rather than the administration taking any definitive actions or putting forward any policies towards the issue itself.

Dave Bittner: [00:13:37:02] All right. The debate goes on. We'll keep an eye on it. Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:13:44:02] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to cylance.com.

Dave Bittner: [00:14:02:02] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Our technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.