Dave Bittner: [00:00:03:16] WikiLeaks releases more Vault 7 files. Are we talking about compromised supply chain or damp squib? NATO worries about Russian information operations. ISIS continues to push jihadist inspiration online, claiming the London killer as one of the Caliphate's soldiers. Facile attribution can mislead, as seen in a surprising arrest. Comments on America's Joblink Alliance breach. And Estonian experience suggests to the world that President Putin is a proud spirit who cannot endure to be mocked.
Dave Bittner: [00:00:39:24] Time for a few words about our sponsor, Dragos, and what they can tell us about securing industrial control systems. If you're operating in the electric, water, oil, gas, nuclear or manufacturing sectors, you're operating an increasingly connected system of systems. You'll need a security operation center, a SOC, to help keep your operation running through outages, disasters and the increasingly common cyber attacks those sectors face. Dragos has a white paper at dragos.com that offers a framework to help you get the right people, processes, and technologies in place to secure your piece of the nation's critical infrastructure. It will help you ask the right questions and come up with solutions that fit your needs. You'll find their guide at dragos.com. That's dragos.com. Check it out for insights into securing the new connected world of industrial control systems. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:01:46:12] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 24th, 2017.
Dave Bittner: [00:01:56:03] Yesterday, WikiLeaks dumped the second tranche of the Vault 7 documents it maintains came ultimately from the US Central Intelligence Agency. Julian Assange's group is calling this set of files Dark Matter, and they're said to contain documents suggesting that the CIA was able to compromise Mac firmware if it had physical access to the devices. Apple thinks its products' vulnerabilities are overstated in the Dark Matter material. WeLiveSecurity glosses this as damp squib, but the more disturbing speculation in Threatpost and elsewhere is the suggestion that intelligence agencies had access somewhere at some time to Apple's supply chain.
Dave Bittner: [00:02:36:17] Other Apple related news concerns the threat from a group calling itself "The Turkish Crime Family", which is demanding ransom from Cupertino. If Apple doesn't pay either $75,000 in cryptocurrency or $100,000 in iTunes gift cards The Turkish Crime Family threatens to remotely wipe 300 million Apple devices. Apple's hanging tough. They say they weren't breached and that any iCloud credentials the criminals may have were obtained elsewhere, probably through password reuse.
Dave Bittner: [00:03:06:01] We heard from Fidelis Security's John Bambenek on the incident and he's as skeptical as Apple about the threat. "The hacker group is not following what's become typical operating procedure, for example, if this were a real ransomware tack they would be communicating privately with the company they're targeting. Based on previous incidents the current threat has all the hallmarks of a stunt. If they really have the ability to wipe iPhones then they would have wiped a few already as proof of life." He advises due diligence and reminds anyone who gets this sort of demand that paying ransom only serves to increase the threat.
Dave Bittner: [00:03:41:02] NATO continues to worry about Russian information operations and how to counter them. US Army General Curtis Scaparrotti, currently serving as Supreme Allied Commander Europe, is advocating a more concerted effort to counter Russian Government disinformation aimed at the European members of the Atlantic Alliance. He particularly recommends that the US Government reinforce the Russian Information Group, a joint SACEUR State Department operation, and the State Department's Global Engagement Center, which he says is "not robustly supported".
Dave Bittner: [00:04:12:18] The other, very different information campaign currently threatening the civilized world is, of course, the one being mounted by ISIS. The terrorist group has claimed the radicalized London jihadist as one of the Caliphate soldiers. ISIS continues to emphasize radicalization, recruitment and inspiration. That third goal, inspiration, is expected to grow in importance as ISIS continues to lose territory and fighters in its core areas of operations. Informed observers think that ISIS, as a pseudo-state, is on its way to oblivion, but its messaging an attendant terrorist diaspora will trouble the world long after the endgame in Syria. It's also likely to be passed on to successor groups.
Dave Bittner: [00:04:56:12] As British police roll up suspected associates of the London attacker, another case points out the dangers of hasty and facile attribution. Jewish community centers in the US have recently sustained a wave of violent threats that, happily, have not been executed. In this case the usual suspects would probably have been all the wrong suspects. Israeli police have arrested a Jewish man with dual-US Israeli citizenship on suspicion of having been the one communicating the threats. By all appearances, the man in custody appears to be a mal-adapted misfit, perhaps actuated in part by his rejection for military service. So again, attribute with dually skeptical caution.
Dave Bittner: [00:05:39:04] On Wednesday the AP reported that American's Joblink Alliance, provider of a nationwide employment service for job seekers, had been compromised by a malware infection. Personal information from people seeking jobs in at least ten states – Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont – is thought to have been exposed. The breach remains under investigation and officials are advising anyone who used the systems to review their bank and pay card accounts.
Dave Bittner: [00:06:08:20] Reaction from the security industry has been decidedly jaundiced. Vasco Data Security's John Gunn calls it entirely unacceptable that an organization should fail to secure personal information properly. "This is adding injury to misfortune. Not only are these people out of work, now they have to worry about identity theft for the rest of their lives. The final insult is the referral to credit monitoring services where the victims can pay for ID theft protection."
Dave Bittner: [00:06:36:07] NuData Security's Lisa Baergen agrees that targeting vulnerable job seekers seems especially awful. She thinks that every organization entrusted with personally identifiable information needs to constantly test and harden its external and internal defenses. And free credit monitoring, she adds, is unlikely to be of much help. A better course of action is a credit freeze, and those responsible for losing the data should consider offering it for free.
Dave Bittner: [00:07:02:22] A quick look at our CyberWire events calendar. The second annual Billington International Cybersecurity Summit will convene in Washington DC next Thursday, March 30th, and the Cybersecurity Summit will connect senior level executives in Atlanta, Georgia, on April 6th. We'll be covering some of next week's events as well, in addition to the Billington International Summit, we'll be in Silicon Valley next Tuesday and Wednesday for Cynet's annual ITSEF conference, and then we'll head to Tuscan over the weekend for the Women in Cybersecurity Conference. Stay tuned for coverage here and in our daily news brief.
Dave Bittner: [00:07:36:11] And finally, we return to countering Russian information operations. Estonia may have some valuable lessons to share in this regard. The Christian Science Monitor's Passcode service has an interesting overview of those lessons. In particular, the Estonian experience appears to suggest that the Russian Government is especially vulnerable to humor and satire, and that the US Government shouldn't hesitate to go negative early and often. We'll try to do our bit with humor. Knock-knock, ktoh-ohn? Our linguistic staff tells me that's Russian for knock-knock, but honestly, if you asked I would have guessed Klingon. Anyway. We got nothing. These information operations are always harder than they look. Maybe the State Department could find some gag writers on Job Link. Oh wait. Cozy and Fancy probably beat them to it.
Dave Bittner: [00:08:30:14] Time for a message from our sponsor, Palo Alto Networks. You can learn more about them at go.paloaltonetworks.com/secureclouds. With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks' integrated platform provides detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. So, organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and SaaS environments, because secure clouds are happy clouds. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:09:28:08] Joining me once again is Rick Howard, he's the Chief Security Officer at Palo Alto Networks. He also heads up their Unit 42 Threat Intel Team. Rick, you've got some updates for us today on the Cyber Threat Alliance. Some good stuff happening there.
Rick Howard: [00:09:41:24] Yes, we made some big announcements at the RSA Conference a couple of weeks ago. And starting last summer, the Cyber Threat Alliance as an organization has made some exponential moves forward, culminating in all these announcements at the RSA Conference. So, let me just go through them all. The first one is the original founding members, plus a couple of new founding members that I'll talk about, put some money in to invest in this thing to make it a non-profit. So it is now a non-profit company, officially, so it's an official organization on its own, run similar to what an ISO or an ISAC would be. That took a long time to get that done, with the help of Booz Allen Hamilton helping us with the governance in all of that. So, that part is done, very excited about that.
Rick Howard: [00:10:28:14] At RSA we announced the new President of That's Now New Non-Profit. His name is Michael Daniel and he is the former cybersecurity Czar for President Obama, so we feel very fortunate that he has come on board to lead this thing into the future for us.
Rick Howard: [00:10:44:18] Those two new board members I was telling you about. The original ones were Fortinet Intel Security, Palo Alto Networks and Symantec, but when we went through this process to form the non-profit, Checkpoint came on board and Cisco came on board. So, some big heavyweights in the cybersecurity industry banding together for this alliance to make all of our mutual customers better. So again, pretty happy about that.
Rick Howard: [00:11:10:01] And then, two more things, two smaller things, but it's great that we have these. We brought on three new members, just for sharing members, the RSA Company, not the conference, joined us. Rapid 7 and Insights. Insights is an Israeli company. And they joined the original contributing members, Barracuda, Zscaler, Reversing Labs and Telefonica. So, we're very happy to have those guys on board.
Rick Howard: [00:11:34:15] And the very last thing, and I've talked to you about this before, is the idea of sharing adversary playbooks. We've rolled out a new sharing platform to all the members called the Cyber Threat Alliance Platform Version Two, that facilitates the sharing of adversary playbooks. So, the bottom line to all this is that the Cyber Threat Alliance is now a thing, and expect good things from it going forward.
Dave Bittner: [00:11:58:02] Alright. And you can find out more about it at cyberthreatalliance.org. Rick Howard, thanks for joining us.
Rick Howard: [00:12:04:04] Thank you, sir.
Dave Bittner: [00:12:09:22] Want to take a moment to tell you about some research from our sponsor, Cylance. The hoods at Shell Crew, an organized cyber crime gang, are using and improving a family of malware Cylance calls StreamX. Unfortunately, StreamX flies below the radar of conventional signature based antivirus solutions. And when it gets in, all kinds of bad things follow. Shell Crew can modify all your file systems or registry, create system services and enumerate your resources, scan for security tools, change browser settings and, of course, execute remote commands. StreamX is being served up by some legitimate websites, mostly Korean. It's a nasty rat you want nothing to do with. To get the information on StreamX go to cylance.com/blog and check out the paper on Shell Crew. That's cylance.com/blog. And find out how to protect yourself from this and other threats with Cylance Protect. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:13:15:04] My guest today is Chris Roberts, he's the Chief Security Architect at Acalvio Technologies and a popular speaker at security conferences around the world, with a reputation for having a direct and unfiltered style when sharing his perspectives.
Chris Roberts: [00:13:29:12] If you take a look at what is being sold and what is being touted by a lot of the vendors, the propaganda that's being put out, the concern is that they're throwing around the words machine learning and artificial intelligence probably a little more freely than I think most of us would prefer them to use. I talked to a lot of the vendors out there about what do they define as AI? What do they define as machine learning? And unfortunately most of them it just seems to still be very, very rule based. The whole genesis of their architecture comes down to an IF, AND, OR, NOT statement, which isn't true AI, and isn't really machine learning.
Chris Roberts: [00:14:12:17] You take another step back and you go down towards what the Darpa Project actually put together, the Grand Cyber Challenge, and that is where you're starting to get more intelligence and the actual machines themselves understanding both defensive and offensive tactics, and actually being able to react accordingly, without necessarily the restraining rules that most of the vendors are putting around something. I mean, they had a lot more free rein, and the architecture was built a lot more freely, whereas most of the vendors and most of the systems don't want to tread on anybody else's toes and spend a lot of time actually just building architectures that don't necessarily have good heuristics; they're still based on a very, very structured learning architecture.
Chris Roberts: [00:14:59:06] When you see a lot of the security fence guys go, "hey, we have built an AI to help you understand and track attackers," it's like, "well, are you doing anything more than a set of flippant Splunk rules? Or do you actually have intelligence built in? Or are you now using machine learning and AI in place of big data?" Because everybody's got fed up of hearing the words big data.
Dave Bittner: [00:15:21:11] With all of the technology we still have these basic problems of the insider threat, either intentional or otherwise, and so this notion of people being one of the weakest links in the chain, where do you come down on that?
Chris Roberts: [00:15:36:01] Oh, I mean, it's huge, I mean, again, 20 years plus and we still haven't figured out how to protect a basic password, let alone, in many cases, actually understanding that that is still the keys to the kingdom. I mean, we still engage in pentest and assessments on an extremely regular basis. We'll walk into a client and we've got a list of three, four, five thousand default passwords that they'll have on any of their regular enterprise, Skater, ICS, IOT devices, and 99 times out of 100 we can pop the architecture simply because they forgot to change the basics. So it's not even a fact that they've not actually defined passwords correctly, it's they haven't even changed the default ones that are sitting all over the internet in the first place.
Dave Bittner: [00:16:22:23] So where do we have to go?
Chris Roberts: [00:16:24:04] We're going to go somewhere different, I mean, you know, again, another test that we've done a few times now within organizations is we'll approach members of their staff and of their team, and you start taking a discussion with somebody, and I think the statistics in there, that the average cost of a password if I need to buy it rather than crack is $1,000. So, worst case scenario I offer somebody a set of crisp 100s and I walk into the enterprise with their password and their credentials. There has got to be a much better solution.
Chris Roberts: [00:16:52:19] The problem is that when we start looking at the alternatives, you start looking at any potential biometrics, and you start looking at any two or three or multi-factor solution, and then you start entering into the realm of a national identity. Or maybe the corporation holds some level of biomatter on you, or some kind of other very, very sensitive information on you. But do we have to go to that one? Do we start looking at "one of my systems has keyboard biometrics on it, so the only way somebody gets in is if they, a, know the password and they can, b, type the thing in the same manner." So you've got to put a better set of combinations in place. Or you remove passwords all together and you start building in something the same as with the military. You've got the CatCard with the military, at least it's something you have, and yes, you have to have something else with it, but you remove the human a little bit more effectively from it.
Dave Bittner: [00:17:56:21] Looking forward, what are the take homes? What are the things you think people should be thoughtful about?
Chris Roberts: [00:18:01:14] People need to ask more questions. Whether it's listening to the propaganda getting put out by the latest companies, spouting AI, or machine learning or user behavior analytics, or next generation IPS, I wish people would ask more questions. When my mother picks up the phone and she's told it's the director of MI6 who's calling her to tell her that she needs to press these buttons on the computer, and tells them to go pound sand, because she asked more questions, that's all I can ever ask for at the moment. Do I really believe that this day and age we are going to get the entire network of systems talking together? I think eventually. But I think for the minute that the best we can ask is that people ask a few more questions, rather than trusting everything that comes out, or trusting and maybe doing a one time verify, continue verification and just continually questioning. If we can get people to do that I think we're on the right road to be perfectly honest.
Dave Bittner: [00:19:05:01] That's Chris Roberts from Acalvio.
Dave Bittner: [00:19:11:21] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how they can protect you from cyber attacks visit cylance.com.
Dave Bittner: [00:19:28:22] Be sure to check us out on Twitter and Facebook and LinkedIn, and, if you have the inclination, we would really appreciate it if you would take the time to leave a review on iTunes. It really does help people find the show. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody, thanks for listening.