The CyberWire Daily Podcast 4.17.17
Ep 329 | 4.17.17

Missiles and malware? ShadowBrokers' leaks examined. Syrian info ops. ISIS recruits women for martyrdom. Ransomware, medical device vulnerability updates. Troubled unicorn?

Transcript

Dave Bittner: [00:00:03:14] A Missile fizzles on Pyongyang's big Day of the Sun. Friday's ShadowBrokers' leak suggests financial service and industrial IoT vulnerabilities. The Syrian regime calls hoax on nerve gas attack claims, but informed observers are unconvinced. Medical device makers might learn from mobile device makers. And clouds gather over a security unicorn.

Dave Bittner: [00:00:30:05] Time to thank our sponsor Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. With the adoption of software-as-a-service application, data now lives beyond the traditional network parameter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks integrated platform provides detailed software-as-a-service visibility and granular control, data governance, automated risk remediation and malware prevention, so organizations can achieve complete cloud security in SaaS applications. Palo Alto Networks has the broadest most comprehensive cyber security for all cloud and software-as-a-service environments because secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds and we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:32:11] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, April 17th, 2017.

Dave Bittner: [00:01:43:08] Yesterday was the Day of the Sun in North Korea, an annual celebration marking the birthday of Kim Il-sung, founder of the Democratic Peoples Republic of Korea. The festivities were marked by the customary Soviet-style parade of military personnel and hardware. They were also marked by an attempted launch of a missile. That launch failed, with the missile exploding seconds after launch, according to monitors at US Pacific Command.

Dave Bittner: [00:02:09:05] As when other earlier test shots on 2016's Day of the Sun failed, there's been considerable speculation that the missile was interfered with by US cyber operations. This time around the speculation is being carried mostly in the press of three of the other four eyes, the UK, Australia and New Zealand, and it's again based for the most part on a priority speculation. There is, after all, no shortage of ways a missile shot can go wrong, particularly missile shots using technology developed in as closed, secretive, and self-sufficient a society as North Korea. But there's clearly a fairly widespread wish in many corners of the world that Supreme Leader Kim's ambitions for a long-range nuclear strike capability could be frustrated by quiet cyber action, short of air strikes or invasion.

Dave Bittner: [00:02:57:06] US and indeed Chinese policy toward the DPRK has hardened recently, with US Vice President Pence and other senior officials saying that the era of strategic patience toward Pyongyang has reached its end. Senior US officials are warning that a North Korean cyber attack against US infrastructure is likelier than a missile strike. US Secretary of Homeland Security, John Kelly, was among those calling this weekend for greater resilience in the nation's ability to sustain and recover from such an attack.

Dave Bittner: [00:03:27:18] Observers spent the weekend mulling the ShadowBrokers' latest release of alleged NSA hacking tools. Their consensus conclusions are so far that the leaks suggest exploitation of vulnerabilities in financial systems and the industrial Internet-of-things. Some of the more interesting material in the ShadowBrokers' latest pertains to a range of Microsoft vulnerabilities, particularly against Windows Server. Microsoft says - and observers agree - that it's already quietly patched the zero-days the leaks indicate. Of course, as always, when exploits are released, there's a heightened risk to unpatched systems.

Dave Bittner: [00:04:03:19] Turning to information operations, Syria's Assad regime, and in all probability its Russian sustainers, have undertaken a social media campaign intended to convince the susceptible that the regime's use of nerve agent against civilian populations never happened and that if it did, it was a US provocation. So hoax or provocation, the Damascus line is that it's all Washington's fault. The black propaganda is being associated with the #SyriaHoax and it seems to be gaining traction among the gullible, the disaffected, the suspicious and the ill-disposed.

Dave Bittner: [00:04:39:07] A study out of Nova Southeastern University looks into ISIS recruitment of women as suicide bombers. The study suggests that the approach is different from that used to induce men to seek martyrdom, but a close-reading suggests a common theme. While the sources of disaffection differ, the promise is about the same: those who don't fit in are proffered meaning and transcendence, redemption through violence.

Dave Bittner: [00:05:04:15] In the ransomware black market, Locky's out, Cerber is big and Forcepoint announces discovery of newcomer CradleCore. CradleCore is a different animal. Most ransomware is now being monetized in the form of ransomware-as-a-service but CradleCore's proprietors are selling the source code. This suggests to Forcepoint that the hoods running it either have limited experience, or are doing this as a sideline, or some combination of both.

Dave Bittner: [00:05:32:03] The US Food and Drug Administration is being reported in the Wall Street Journal and elsewhere, to have criticized Abbott Laboratories (makers of, among other products, St. Jude pacemakers) for having allegedly failed to investigate and resolve potential cybersecurity issues with its implanted devices. It's another incident that prompts concern about the security of the medical Internet-of-things.

Dave Bittner: [00:05:54:14] We heard from Rod Schultz of Rubicon Labs, who describes this as another challenge raised for technologies built on batteries and software. He thinks the experience of mobile devices, which depend upon advances in those two areas, holds potentially valuable lessons for medical device security and safety. In this particular case, Schultz thinks that advice from the likes of Samsung, Apple and Google would have been helpful, and that the FDA itself could profit from collaboration with them. "Each of those companies has processes and advice that the FDA could solicit to prevent battery, cybersecurity and other mobile device pitfalls" Schultz observed. "We are at the beginning of an incredible transformation in how medical care is given and received and the FDA can probably do more than send out strongly worded letters. They have the power to proactively connect the world's technology pioneers with its health care pioneers so that the patient can benefit."

Dave Bittner: [00:06:50:18] In industry news, Bloomberg alleges that security unicorn Tanium is firing employees just before their stock options vest. Business Insider, which is also following the story, received a denial from Tanium, which says there's nothing to it. A company representative said "We investigated this allegation and the data confirmed that there is no pattern or practice of terminating employees based on their vesting cliff date." The Bloomberg story also notes that "at least nine senior executives have left in the past eight months, including the company’s president, chief marketing officer, chief accounting officer and the chief of operations and finance." Privately held Tanium, thought to be preparing for an initial public offering, is currently valued at $3.7 billion.

Dave Bittner: [00:07:43:16] Now a moment to tell you about our sponsor Control Risks. You know, successful companies look for opportunities in new markets, but where there's opportunity there's risk. Whether you want to move your client data to the cloud, bring an office on-line in China or acquire a competitor in Colombia, keeping your information secure is paramount. To do that your cybersecurity decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments, there's no substitute for expertise on the ground. With over 2500 employees and 36 offices around the world, Control Risks can help you assess the risk to your business, mitigate what you can and properly manage the rest, as they have for over 40 years. If you need to get a handle on your cyber risk in an emerging market, Control Risks will meet you there. You can find out more at Controlrisks.com/CyberWire. That's Controlrisks.com/CyberWire. Check it out. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:08:51:20] And I'm pleased to be joined, once again, by Rick Howard, he's the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42 which is their threat intel team. Rick welcome back! We wanted to touch base today about connected cars and security and what you describe as first principles.

Rick Howard: [00:09:08:20] At the RSA Conference in San Francisco a few weeks ago, I had the opportunity to sit down with a few of the automobile manufacturers and discuss some of the design principles for securing the connected car, okay? It was fascinating and it reminded me how important design is to building secure solutions. Specifically, what design assumptions do you make about the connected car? So here's what I mean. For instance, you consider that your connected car is a mobile network of networks, or is it more like an in point, like a laptop or a mobile phone, or is it more like an operating system like Windows or Linux, because your choice here will dictate how you secure it and nobody has come to any agreement about what any of those things are. So let me just talk about some of those implications.

Rick Howard: [00:09:54:13] The connected car is similar to a network of networks, because everybody that I talk to from the automobile manufacturers say that it has at least two operational networks. They've got the entertainment system and the car's functional and safety systems, like the engines and the brakes and the airbags. Now, both of these networks must have access to the Internet or at least have a way to communicate outside of the car in order to receive updates, that's clear. How to do that securely is not particularly clear. We know that the entertainment system must have direct access to the Internet for it to be of any value. How the functional and safety system communicate out is not that obvious. But if the connected car is a network of networks, how do you firewall those two sides away from each other because everybody that I talk to knows that the system network should never communicate with entertainment system because that's just asking for trouble. So this has not been resolved yet.

Rick Howard: [00:10:48:15] But if you consider it like a laptop. So laptops have entertainment systems that sit on top of the operating system that communicates the various components of the device, okay? That is the model we all use today, but it is also the model that is routinely breached by bad guys, alright? So if we choose that model, at least we're familiar with it, but we will also get the same problems we have today on the Internet, that all endpoints have today, and maybe that's not the best approach.

Rick Howard: [00:11:12:21] Now the third one is if the car is more like an operating system. So, perhaps we can learn a thing or two about closed versus open architectures like iOS versus Androids. In all three design assumptions we know we have to install some basic security controls. We need to prevent and detect behind the Internet connections whatever they will be, we need basic controls between the entertainment system and the car's functional systems, we need basic controls from the proximity access point like keyless entry and GPS and ArmStar and car to car communication for safety of autonomous vehicles and the like. All those things have to be built in there.

Rick Howard: [00:11:52:12] What became clear to me when I was talking to these folks is that these discussions of the current car communication systems are probably not adequate. The current systems they have probably won't do us any good. If we start to bolt the security on top of what already exists, it's probably not going to work that well and it might be time to throw everything out and start from scratch a la Elon Musk and design to connect a car from the ground up using first principles. So it's going to be very interesting to see how this goes forward and nothing is set in stone at this point.

Dave Bittner: [00:12:26:19] Yes it's interesting to me, the notion that just like certain brands of cars have reputations for safety, I'm thinking of Volvo for example, could cars have reputations for protecting you in the cyber realm? Some brands doing a better job than others.

Rick Howard: [00:12:42:08] Yes and could you market that as a thing right? Maybe so, okay and mostly automobile manufacturers just now are getting their hands around all of that.

Dave Bittner: [00:12:52:11] Yes. All right, Rick Howard, good stuff. Thanks for joining us.

Rick Howard: [00:12:56:01] Thank you sir.

Dave Bittner: [00:12:59:07] And that's the CyberWire. For links to all of today's stories, interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. They're the company keeping your data safe with artificial intelligence. You can check them out at Cylance.com.

Dave Bittner: [00:13:17:16] A quick reminder about the new podcast we're excited to be producing in partnership with our friends at Recorded Future. It's focused on threat intelligence, it comes out once a week and we hope you will check it out and help spread the word. This week's show is focused on thieves, so if you're looking for the scoop, the skinny, the nitty gritty, the essentials, the straight dope and the truth of the matter all about feeds, well do yourself a favor and check out the show. You can search on iTunes for Recorded Future or visit Recordedfuture.com/podcast. Thanks for checking it out and we'd love to know what you think.

Dave Bittner: [00:13:48:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, the executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.