Fancy Bear's phishing expeditions. Cryptowars and privacy regs in the EU. Is that really you, Dr. Niebuhr?
Dave Bittner: [00:00:03:17] Fancy Bear left tracks in Bitly, and Fancy Bear did an awful lot of phishing going back to March 2015. Experts take a look at Russian espionage and influence operations, and they draw some disturbing conclusions. The EU seems ready to go anti-encryption—how that will work with the EU's regulatory emphasis on privacy is anyone's guess. And no, that's not a famous theologian tweeting: it's the head G-Man.
Dave Bittner: [00:00:35:01] Time for a moment from our sponsor, Netsparker. You know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out the false positives, save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable then it is definitely not a false positive. Learn more at netsparker.com but, wait, there's more! And we really do mean more; go to netsparker.com/cyberwire for a free 30 day trial of Netsparker desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's netsparker.com/cyberwire. And we thank netsparker for sponsoring our show.
Dave Bittner: [00:01:43:21] Major funding for the CyberWire podcast is provided by Cylance. I'd Dave Bittner in Tucson, Arizona with your CyberWire summary for Friday, March 31st, 2017.
Dave Bittner: [00:01:54:18] As the week ends, interest in Russian cyber operations remains as high as ever. US Congressional hearings into the extent of those operations continue, and with heightened attention being drawn by stories of how extensive and aggressive Russian activities were.
Dave Bittner: [00:02:09:23] SecureWorks has been tracking Fancy Bear's activity during the run-up to last year's US elections, and they've found that activity to have begun as early as March 2015, and to have prospected over 6700 people. While there was clearly a lot of interest in the US election, that was far from Fancy Bear's only interest. Targets are said (by Motherboard) to have included "members of the US military, diplomats all over the world, Russian government critics, Hillary Clinton campaign staffers, and even Hillary Clinton." It was a phishing campaign, thus typical of the commodity-level approach that continues to pay off well for espionage services. Only 2% of the marks took the phishbait, but when you've trolled through nearly 7000 accounts, 2% is enough. SecureWorks was able to get the details they did because Fancy Bear left its Bitly URL-shortener accounts public, so even bears do leave tracks.
Dave Bittner: [00:03:07:15] At SINET ITSEF 2017 in Mountain View, California, earlier this week, we heard an account of Russian cyber operations that emphasized four of its salient features. First, it has clear objectives in what the Russians view as an ongoing war between themselves and the West (and especially against the US). The principal objective is to induce chaos in what Moscow regards as a zero-sum contest: a Western loss—whether financial, social, political, or reputational—counts as Russian gain. As Ondrej Krehel, CEO of security company LIFARS put it, during the Cold War, "if you did harm to the US, you were a hero" and that attitude and policy have persisted beyond the end of the Soviet era.
Dave Bittner: [00:03:52:22] Second, while all espionage services show a tremendous appetite for data, new-found ability to aggregate and correlate data makes any particular loss of a small bit of information far more consequential than it would have been earlier. And, as the Hoover Institution's Herb Lin pointed out at ITSEF, the Russian services have by no means been laggard in exploiting information in these new ways.
Dave Bittner: [00:04:16:11] Third, there is no clear line of demarcation between organized crime and Russian espionage services. The services regularly and deliberately make use of organized cybercriminal groups to damage their targets. Lin alluded to unconfirmed reports he'd learned of to the effect that there have actually been formal memoranda of understanding issued by Russia's Federal Security Bureau to cyber gangs.
Dave Bittner: [00:04:40:13] Fourth, espionage and influence operations are commonly carried out using relatively simple tools. Phishing continues to be used because phishing works.
Dave Bittner: [00:04:51:04] Some of these observations were echoed yesterday at the Billington International Cybersecurity Summit in Washington, DC. Thomas Donahue, Research Director at the Cyber Threat Intelligence Center, more familiarly known by its acronym CTIIC noted that intelligence agencies have always had a large and insatiable appetite for information, and so Russian concentration on big data tools is unsurprising, as is their ability to profit from the data they're able to aggregate and correlate. He also said that sophisticated threats, like advanced nation-state espionage services, differ from less sophisticated threats—say small-time criminals or one-off hacktivists—less in terms of the sophistication of their technique than in their focus, determination, and persistence. They use what works, and since phishing works, then they'll by all means phish.
Dave Bittner: [00:05:42:13] James Trainor is currently Senior Vice President, Cyber Solutions Group at Aon, but recently he was the Assistant Director, Cyber Division of the US FBI. He told the summit that in his experience he'd long seen connections among organized cybercrime and the espionage services of what he called the "big four" threat actors: Russia, China, Iran, and North Korea. But there are significant national differences in the way each of the big four interacts with crime. For example, Russia tends to make direct use of criminal organizations almost as subcontractors. In the case of China, one tends to see government officers moonlighting as cybercriminals, without direct official sanction, as a kind of private enterprise. Iran's relationships Trainor said were too complex for easy characterization, but North Korea's case is easily understood: the government itself engages in criminal activity for the state's profit.
Dave Bittner: [00:06:36:24] Such observations about international cyber conflict are particularly timely as US Congressional inquiry into Russian influence operations continues. We will continue to follow those hearings with interest.
Dave Bittner: [00:06:49:21] Reports suggest that the European Union will soon mandate backdoors in encrypted communications. The Register says that companies who don't anticipate and voluntarily comply will find a hammer dropped on them sometime in June. This anti-encryption stance, motivated in part by concerns about police ability to monitor and stop incipient terrorist activity, seems to be in tension, to say the least, with the stringent privacy protections the EU also wishes to put in place.
Dave Bittner: [00:07:17:17] Researchers at Palo Alto Networks have found two remote access Trojans, Trochilus and MoonWind, in active use against utilities and other targets in Thailand.
Dave Bittner: [00:07:28:20] Open-source developers using GitHub should beware: the Dimnie Trojan is there, and being used against them.
Dave Bittner: [00:07:37:00] Finally, Gizmodo says it's found FBI Director Comey's Twitter account. It's long been known Director Comey was on Twitter, but exactly what his handle was he coyly kept secret, which would explain the small number of followers he claimed—less than 10. The Director's handle turns out to be an homage to theologian, Reinhold Niebuhr. You'd think a Chicago man would have chosen Paul Tillich or Paul Ricoeur but we don't know: maybe you go to Twitter with the theologians you got.
Dave Bittner: [00:08:08:22] Time for a word from our sponsor Palo Alto Networks. You know, it's almost impossible to run an organization without the public cloud today and we'd like to tell you about how our sponsor, Palo Alto Networks, can help you utilize any cloud safely and securely. You can find them at go.paloaltonetworks.com/secureclouds. The cloud is no longer just a convenient place somewhere out there to put stuff, it's an integral part of the way modern enterprises work. Palo Alto Networks understands this and they also understand that securing your data and applications that are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in-between is key. Make sure your data and apps are secure and protected wherever they may be. Palo Alto Networks has the broadest, most comprehensive cybersecurity for private cloud, public cloud and software as a service environments. They know that secure clouds are happy clouds - so keep yours happy, get started at go.paloaltonetworks.com/secureclouds and we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:09:20:11] And I'm pleased to be joined once again by Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cybersecurity Center. Jonathan, we saw a story come by about this cryptocurrency called Z-coin. Turns out they have a vulnerability.
Jonathan Katz: [00:09:35:10] Yes, that's right. They announced a vulnerability a couple of weeks ago and what they had noticed was that a hacker was able, essentially, to spend about half a million dollars worth of their cryptocurrency that they weren't, of course, supposed to spend. Once they noticed that, they started digging into the code and they found actually that their code was indeed vulnerable to an attack and they went ahead and patched it. To their credit, they were very public about it. They announced this vulnerability, they announced this mistake on their blog and then they followed up with a more detailed post afterward explaining what exactly had happened.
Dave Bittner: [00:10:09:09] According to the story, this was a case of a simple one digit typo.
Jonathan Katz: [00:10:13:23] It is really unbelievable. It was exactly that. It was a one character typo in their code and what this allowed the attacker to do was to essentially re-spend coins multiple times which is something you're obviously not supposed to do. For those of the avid listeners who know a little bit of programming, it came down to a simple error of using a double equal sign rather than a single equal sign, so the double equal sign is meant to test the equality between two values and the single equal sign is meant to be an assignment of one value to another variable. Just that one error in the code allowed the attacker to go ahead and double spend all these coins.
Dave Bittner: [00:10:52:08] This is the kind of error that can make it through your usual rounds of testing.
Jonathan Katz: [00:10:59:02] Yes, that's right. It's not one of the things that typical static analysis, for example, would find. It is an error in the logical portion of the code and you would have to really understand what the code is supposed to be doing in order to find it, which means that these automated analyzers are probably not going to be able to find it but you need humans to be involved and to be checking the code and to spot the error. Looking at the code, which was available on their blog as I mentioned, it is surprising that it was not caught earlier but it's one of those things where just a mis-type and a single character error can cause these problems. And I guess if you look at the same code too many times, you don't even notice these kind of things anymore.
Dave Bittner: [00:11:37:05] In this case, nearly half a million dollars worth of problems.
Jonathan Katz: [00:11:40:24] Yes, that's right. One thing interesting about these cryptocurrencies, of course, is that any time there is a vulnerability you can be sure someone's out there looking to make money off of it because these cryptocurrencies have value in the real world and so you can be sure that people are constantly looking to take advantage of them.
Dave Bittner: [00:11:56:21] Jonathan Katz, thanks for joining us.
Dave Bittner: [00:12:03:03] Time for a word on some research from our sponsor, Cylance. You know, DLL hijacking isn't a new threat, but that doesn't mean it's no longer dangerous. Cylance has found a graph tor variant that's up to no good and that shows the ability to hide quietly in plain sight. Whatever the malware controllers are up to, you can learn something about their malicious code, how to recognize it and what you can do to protect yourself by visiting the threat spotlight piece on graph tor at cylance.comb/blog. Understand the threat. If you want to feel truly lucky, go beyond relying on lady luck or at least realize that fortune is infatuated with the efficient and the prepared. Learn more at cylance.com/blog. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:13:00:06] My guest today is Bob Ackerman. He's Founder and Managing Director of Allegis Capital, a seed and early stage venture capital firm focused on cyber security. He's also a board member at Data Tribe which he describes as a start-up co-creation studio that builds disruptive start-ups in the domains of data, analytics and cybersecurity. He joined us in our studios in Baltimore.
Bob Ackerman: [00:13:23:11] You know, I think we're at an interesting place in the development cycle of the market. I look at the last few years as large scale efforts to remediate gaps and holes in cyber defenses. So if you imagine a dike with a thousand holes in it, a lot of people running around trying to put fingers in those holes and that's important. It's important because the architecture that we're living with today basically is based on a 50 year legacy. It wasn't designed with the level of data integration, speed or velocity of data movement that we have today and so inevitably there are gaps that need to be plugged and that is not going to go away for the foreseeable future.
Bob Ackerman: [00:14:07:09] I think we are on the cusp of what I would call the second wave of innovation where people are beginning to think, based on that first wave, about more effective systems. What have we learned in that first wave of innovation? How do we begin to get ahead of some of these threats as opposed to purely responding to them? Think of this as how do we stop water from getting through the dike? I think that that is a really interesting area that we're beginning to move into where we will see a lot of innovation. You also look at things like orchestration and automation where, clearly, we're are ready for that second wave where we need to fill the skills gap, we need to be able to respond more rapidly to a threat environment, levels of automation to assist threat analysts and responding to those threats - a good example of second wave of innovation, how do you begin to build the stack so that your people are more effective and your fences are stronger from the outside?
Dave Bittner: [00:15:06:23] What about consolidation? Are you seeing a lot of that in our future?
Bob Ackerman: [00:15:10:23] I think consolidation is inevitable in any industry, number one and cyber is not going to be any different. I think what is different about cyber is innovation will continue apace along with consolidation so if you think about it, we're rolling up the past areas of innovation. There will be consolidation there while we push ahead in new areas of innovation. Historically, if you looked at innovation, the initial wave of innovation is driven by what I call hype and hope. The world will never be the same, we've got to grab part of that.
Bob Ackerman: [00:15:44:00] The second wave of innovation is rationalization. What did we learn in the first wave? Now let's be a little more thoughtful, a little more deliberate about what we're invading around. The third is that consolidation which historically is more of a maturation of an industry cycle. We're going to see the consolidation in cyber but it's not about maturation. It is just about building the base line of functionality, so that innovation can focus in the new areas. The nature of cyber as you well know, is just bad guys versus good guys. Innovation is a constant. It moves at a very rapid space but at some point in time we have to clean up behind ourselves and integrate this functionality which is essential into platforms that are a baseline of functionality and allows us to focus on new areas of innovation like homomorphic encryption or data provenance or orchestration and automation. I mean ff you stop and think about it, security analytics orchestration and automation - do the two of them come together, you know consolidate? You know so you've got this rationalization of the building blocks into larger pieces so that innovation can be focused in the areas which are more differentiated and really represent the cutting edge.
Dave Bittner: [00:16:58:17] Do you consider cybersecurity to be fundamentally different from other industries?
Bob Ackerman: [00:17:03:18] Yes, I do. If you stop and think about cyber, I can't think of another area of technology where innovation is a daily mandate from a technical perspective. I mean, if you think about the sharing economy, the Lifts and Ubers of the world. The innovation is around a business model. It's important but there's not that continual drive for technical innovation. If you step back and look at cyber, there's a tendency to think about cybersecurity as a vertical niche. I would argue that that is about as wrong as you could possibly be. In fact, cyber is broadly horizontal. The global economy today operates on a digital substrate and cyber is about that digital substrate, so cybersecurity is as broad as information technology. You have information technology evolving all the time, cyber is evolving with it. You have this legacy architecture that has all sorts of gaps or holes so in terms of a domain for innovation, it's about as big as you can possibly imagine and because the bad guys are very adroit at identifying vulnerabilities and exploiting those vulnerabilities, the good guys are running around equally challenged to either anticipate where those vulnerabilities are or to respond to vulnerabilities that have been identified. Innovation in this space is on a day to day basis. It is one of the reasons why it is difficult, quite frankly, for cybersecurity companies when they're public to continue to innovate as quickly as possible. As you get larger, it's harder to innovate as quickly as you need to be in order to be at the cutting edge in cybersecurity so it's a market segment, if you will, that is more driven by innovation than anything I can think of, certainly in my career.
Dave Bittner: [00:19:03:09] That's Bob Ackerman from Allegis Capital and Data Tribe.
Dave Bittner: [00:19:11:12] And that's the CyberWire. As I mentioned at the top of the show, some of the CyberWire team are here in Tucson, Arizona for the annual Women In Cybersecurity Conference. We'll have coverage and interviews from that show next week.
Dave Bittner: [00:19:22:17] Thanks to our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance helps protect you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:19:34:05] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Executive Editor is Peter Kilpe, and I'm Dave Bittner. Have a good weekend, everybody. Thank you for listening.