Dave Bittner: [00:00:00:00] Fancy Bear and France's elections. Why clever phishing continues to succeed, and what's up with 0Auth abuse. Information operations distinguished from simple "hacking." Another point-of-sale compromise suggests identity management issues. And can hackers really blow up a submarine by driving their car fast and furious? You be the judge.
Dave Bittner: [00:00:28:23] We'd like to take a moment to thank our sponsor, Palo Alto Networks. You can find them at go.paloaltonetworks.com/secureclouds. The use of software as a service application takes date security beyond traditional network perimeters. SaaS environments can create gaps in security visibility and pose new risks for threat propagation, data leakage and regulatory non-compliance. With Palo Alto Networks' integrated platform, you get detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. So your organization can achieve complete SaaS protection. With Palo Alto Networks you get the broadest, most comprehensive cybersecurity for all Cloud and SaaS environments. Make sure your apps and data stay secure and protected. Remember, secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:01:40:05] Major funding for The CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:43:16] I'm Dave Bittner with your CyberWire summary for Wednesday, April 26th, 2017.
Dave Bittner: [00:01:50:01] Observers continue to digest Trend Micro's report that Pawn Storm, that is, Fancy Bear, in all probability Russia's GRU military intelligence service, intruded into networks associated with French presidential candidate Emmanuel Macron. Trend Micro researchers are at pains to point out that the sort of phishing Pawn Storm conducts is unusually resistant to the sorts of sound, commonsensical best practices organizations take to protect themselves. It dupes victims into giving up not only passwords, but access tokens, too. It sends a plausible-looking email to their target pretending to be from Google, warning the marks that "Your account is in danger," and inviting them to install a bogus security app called "Google Defender." If you fall for it, you're redirected to an actual Google page that invites you in effect to allow Pawn Storm to view and manage your email. If you click "Allow," you're handing them your 0Auth token, which gives them what they're after.
Dave Bittner: [00:02:47:24] Google says it's on the lookout for 0Auth abuse, and reminds everyone that they should download their apps only from the Play Store.
Dave Bittner: [00:02:55:07] Phishing of course is a general problem, and one not confined to political targets. NTT Security's recent study of the problem concludes that around three-quarters of all malware is distributed by phishing. Robert Capps, of NuData Security told us that, “Phishing schemes have become extremely sophisticated, with nearly all modern attacks aimed at stripping end users of their authentication credentials and other sensitive information." He notes that an IBM study found that some 70% of the credentials that are stolen by phishing are collected within an hour of the onset of the attack. He argues that there's a need to get beyond identity validation techniques that can be stolen and reused, and he sees the way forward as lying in passive biometrics and behavioral analysis.
Dave Bittner: [00:03:41:10] It's worth noting that the kind of hacking going on in recent political campaigns seems to be done in the service of information operations, influence that would formerly have been achieved through leaflets, planted stories in newspapers, radio broadcasts, blackmail, and so on: the armamentarium of traditional propaganda and compromise. Since today information operations are generally carried out online, the CyberWire has taken an expansive view of them. Cyber operations are things people do to other people using IT and OT as a means to some end. It's worth, however, distinguishing information operations from such activities as destructive attacks or takeovers of victims systems, the sorts of attacks seen, for example, in Stuxnet or Shamoon.
Dave Bittner: [00:04:25:17] As C4ISRNet reports, panelists at a recent Carnegie Endowment symposium wanted people to understand the distinction. Christopher Painter, Coordinator for Cyber Issues at the US State Department, called cyber the vector by which information was extracted, but how and why such information is used by the adversary is "not necessarily a cyber issue." Former US Homeland Security Secretary Michael Chertoff cautioned against being too quick to "weaponize" information in ways that could easily lead to censorship. He advised instead that attention be devoted to "counter-messaging." The US has had relatively few counter-messaging successes in recent history.
Dave Bittner: [00:05:06:08] IronNet's Brett Williams, retired Major General and former director of operations for US Cyber Command, is similarly frustrated by the too-easy focus on the "hacking" aspects of information operations. He argues in a C4ISRNet op-ed that victims of information operations need to spend at least as much time on telling a persuasive story as they do slamming the network security barn after the informational horse has already been stolen.
Dave Bittner: [00:05:33:11] The IoT continues to provide both challenges and opportunities for consumers and security professionals alike. We heard from Stan Black, Chief Security Officer at Citrix for his take on the IoT.
Stan Black: [00:05:45:21] There's a tremendous amount of technology that we're adding into the now that was never connected to the Internet. Programmable logic controllers for, you know, nuclear plants, dams, power grids, et cetera. And then there are a significant number of customers who are producing consumer based technology and their primary goal is to be the only player in a space, whether it's a Wi-Fi doorbell or a refrigerator or something you add to your car. So we have a combination or a risk associated with legacy, and we have a risk associated with time to market and cost of goods sold. If you only sell something for 20 or $30, probably you're not gonna put $100,000 worth of security testing in it before you release it.
Dave Bittner: [00:06:37:18] When people reference that, I've heard a lot of people wonder if there needs to be some sort of regulatory solution since neither the manufacturers or the consumers are really going to have much motivation to push for better security. What's your take on that?
Stan Black: [00:06:52:24] Well, if we apply a regulation then we get into a situation where we have multiple companies or/and multiple countries. So if we look at some of the vulnerabilities and issues that have been associated with IoT devices and technology, frankly the primary issue is that good security coding practices were not adhered to. So, I don't know if that needs to be regulated, if we had a regulation for every vulnerability that we had, we would never get anything done.
Dave Bittner: [00:07:26:04] Let's talk about some of the upside. What do you see are some of the positives with the explosion of IoT in the workplace?
Stan Black: [00:07:33:14] Things that required an individual to do an activity can now be integrated and potentially automated. Plus, since there aren't as many people in the mix, some of the inherent challenges that you have with inconsistencies of personnel go away very quickly. I mean, look at automated warehouses as an example. By combining RFID whether it be dust or chips or what have you, full robotics, et cetera, that's pretty darn impressive technology and
[00:08:09:23] the value to the companies that use that is incredibly high. I think that we need to recognize one simple fact. They are still dependent upon technologies that we can secure. As an example, if you'd like to connect them to an Internet, you can encrypt that tunnel. So I think that many of the practices that we use, prior of the IoT explosion are still incredibly relevant and the cost associated with performing the due diligence and due care on software and connectivity, et cetera, has come down dramatically. So a company can be competitive and can be secure at the same time.
Dave Bittner: [00:08:51:02] That's Stan Black from Citrix.
Dave Bittner: [00:08:55:11] The restaurant chain Chipotle Mexican Grill reports a point-of-sale breach that lasted between March 24th and April 18th of this year. It affected credit card payments.
Dave Bittner: [00:09:06:12] And finally, have you seen "Fast and Furious 8: Fate of the Furious" yet? Neither have we, but Robert Graham has watched it for all of us and posted a hacker-centric review over at Errata Security's blog. He pretty much rains on the parade led by Vin Diesel and Dwayne (the Rock) Johnson, finding the movie's depiction of hacks implausible, to say the least, with a couple of the hardware MacGuffins particularly objectionable, including a cyber mastermind's airplane that flies only where satellites can't observe it, and a device called "God's Eye" that accesses absolutely every camera in the world to show you absolutely everything that's going on everywhere. But Mr. Graham concludes his review with a tolerant shrug and a nod toward the willing suspension of disbelief Aristotle thought necessary to proper appreciation of drama. As Graham points out, "In the movie, the hero uses his extraordinary driving skills to blow up a submarine. Given this level of willing disbelief, the exaggerated hacking is actually the least implausible bit of the movie. Indeed, as technology changes, making some of this more possible, the movie might be seen as predicting the future."
Dave Bittner: [00:10:13:20] Of course predicting is one thing, accurate predicting another. But check out Errata's review, and then save us an aisle seat.
Dave Bittner: [00:10:26:18] And now a moment to tell you about our sponsor Control Risks. As your company grows and the global business environment becomes more complex, it gets harder to identify your blind spots and figure out how to see into them. It's now more important than ever to understand how protecting your systems and data require visibility beyond your network. Control Risks supports it's clients by increasing their situational awareness and proactively security their operational environment no matter where it is. Using their global reach and local risk expertize, they have a unique approach to identifying and mitigating their client's information security risks. From cyber due diligence assessments of third parties around the world to multi-jurisdictional cybersecurity regulatory reviews to cyber threat assessments that account for socio-political and economic risk indicators and more. There is uncertainly on the journey toward your business goals. Control Risks brings order to the chaos and reassurance to the anxiety. Find out more at ControlRisks.com/CyberWire. That's ControlRisks.com/CyberWire. And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:11:41:16] Joining me once again is Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, I saw an article come by on InfoWorld with the sort of breathless headline. It said, "Critical Flaw Alert! Stop using JSON Encryption." What's going on here?
Jonathan Katz: [00:11:58:05] Well, basically what researchers found is that a classical attack, actually one that researchers have known about for quite a while, was actually possible against the encryption scheme being used in the JSON libraries. And it's really interesting, again, it's one of these examples of again, something that, that people had known for a while and been pointed out repeatedly in research papers. But nevertheless was still something that programmers were not aware of, apparently, when they implemented the system. And so turns out that it's vulnerable to that attack.
Dave Bittner: [00:12:30:13] And this was referred to as an "invalid curve attack" what is that?
Jonathan Katz: [00:12:34:24] Yeah, so basically what this involves is the fact that an attacker can pick certain parameters. In this case those are parameters that define a particular elliptic curve. And it turns out that those parameters need to be validated by the honest party before being used. And if they're not validated then what an attacker can do is basically pick parameters that define an insecure elliptic curve. And you know, luckily from at least a theoretical point of view, it is possible to distinguish between this class of insecure curves and ones that are, say, standardized by NIST and are considered more secure. But the point is that this validation was not happening. So attackers could basically replace a secure elliptic curve with an insecure one and then get the honest party are fooled in essentially into using an insecure curve.
Dave Bittner: [00:13:22:17] So what happens next? Is there a patch in the future? Is there a solution to this problem?
Stan Black: [00:13:28:01] Yeah, so this is the kind of thing that would be relatively easy to patch and so I don't know exactly what the plans are going forward, but it seems like it would not be very difficult to do and they should be pushing out a patch relatively quickly. It would have a small effect on efficiency but one that's not too bad and of course, anyway it's very important to take care of otherwise the system could be completely insecure.
Dave Bittner: [00:13:48:23] All right, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:13:53:18] And that's The CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. They are the company keeping your data safe with artificial intelligence. You can check 'em out at Cylance.com.
Dave Bittner: [00:14:07:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.