The CyberWire Daily Podcast 6.23.17
Ep 377 | 6.23.17

Vault7 leak: Brutal Kangaroo toolkit. Data breach and ransomware updates. Notes on code audit requirements.

Transcript

Dave Bittner: [00:00:01:07] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:16] A Brutal Kangaroo hops out of Vault 7, don't let it poke your device with a thumb drive. Big data leaks wind up being traded in the black market. The dangers of careless configuration of an S3 bucket. Ransomware remains pricey, it can also serve as misdirection. Software companies receive and respond to code audit requirements as a condition of doing business in Russia.

Dave Bittner: [00:00:40:24] Here's a quick note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning, hey who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business. But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today and E8's white paper, available at e8security.com/cyberwire can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:36:15] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 23rd, 2017.

Dave Bittner: [00:01:46:17] "Don't put that in your mouth, you don't know where it's been." I remember my Mom telling me that. And you know what? Those are words to live by and I did. Well, I usually did. Well let's update that and you'll see why in a moment. "Don't put that in your USB port; you don't know where it's been."

Dave Bittner: [00:02:03:15] In its now familiar Friday ritual, WikiLeaks dumped another set of documents from its Vault7. These purport to be a tool kit the US CIA assembled to use against air-gapped systems. "Air-gapped" sounds deeply sinister, almost telepathic. And there have been demonstration hacks of air-gapped systems that used, if not paranormal, at least clever and surprising approaches to their targets. But the reality here is more mundane, the tool described in the leak used USB drives to get into its targets. So, effective, but essentially a technique that depends upon the human weaknesses of curiosity and misplaced trust that have haunted us since snakes were suggesting fruit selections to our foremothers, or since Pandora decided to take a peek.

Dave Bittner: [00:02:48:02] Still a timely reminder, don't stick thumb drives into your devices unless you know where they've been. And look, "know where they've been" doesn't mean hey, I just got this from Cozy Bear. It means that you know it's safe.

Dave Bittner: [00:03:00:12] We mention Cozy Bear because we like animals and animal-themed names. Around here BYOD generally means "bring your own dog," but the tool kit is alleged to be an American and not a Russian caper. Yet it too has a totem animal: "Brutal Kangaroo." Why? Who knows? But then kangaroos do box, so maybe this one is like the Max Baer of marsupials.

Dave Bittner: [00:03:25:22] A very large database of some 800 million email credentials offered for sale in dark web markets since October has been traced to Russian criminals. It's not only for sale, but it's on sale. The Times says it can be had for as little as £2. Many British accounts are on the block.

Dave Bittner: [00:03:44:04] Post mortems of the Deep Root Analytics voter data exposure see poor configuration of an Amazon S3 bucket as a sufficient explanation of the incident. The data was collected under Deep Root's contract with the US Republican National Committee.

Dave Bittner: [00:03:59:21] After vanishing for a time, Locky ransomware is back. This general kind of attack continues to exact a financial cost. A South Korean web hosting firm paid the Erebus threat actors about $1 million to recover their data, but it can also serve other purposes. The WannaCry furor, for example, appears to have served as misdirection for a data-theft campaign.

Dave Bittner: [00:04:22:19] Gamers unable to reach their Final Fantasy online platform should know that it's not you, it's them, and "them" means some unknown third party who's been subjecting Final Fantasy to a distributed denial-of-service attack.

Dave Bittner: [00:04:36:04] Reuters reports that US firms are complying with Russian government requirements that they share their source code as a condition of doing business. That's disturbing but it's also not unexpected or even unusual. China has long sought to exact similar arrangements from companies wishing to do business there. The official reason is always security, the governments want to ensure that code used within their borders doesn't bring security risks in with it, and to some extent that's no doubt true. There are doubtless other motivations at play; a wish to establish a favorable national trading position with domestic competitive advantage, interest in reverse engineering foreign products and so on, but the requirement isn't unprecedented.

Dave Bittner: [00:05:18:17] Americans are skittish these days about most things Russian, and not without reason. Reuters, however, points out the market reasons for compliance: "From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market." The companies also say they've taken steps to minimize the risks associated with exposing their code: "The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered." Such audits occur in the US too, albeit in the limited context of Defense contracting and other sensitive work. And calls for code audits have been recently woofed from Capitol Hill in the direction of Kaspersky Labs, the Russian security vendor whose products are widely used in the US and elsewhere.

Dave Bittner: [00:06:14:01] I'd like to take a moment to tell you about our sponsor, ThreatConnect. They're offering a valuable opportunity for individual researchers to get started with threat intelligence at no cost. That's right, it's free and it's called TC Open. TC Open allows you to see and share open source threat data with community support and validation. Once you sign up you'll have immediate access to more than 100 open source intelligence feeds. Access to threat incident and adversary data, the ability to collaborate on or consume active and historic indicators, incident and threat data. More importantly, you'll be able to validate your findings with peers in the growing ThreatConnect common community. Get the details and sign up today for TC Open at threatconnect.com/free. That's threatconnect.com/free. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:07:10:23] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back to the show. As we think about WannaCry and as WannaCry sort of fades into our rear view mirror, you had some thoughts about how we look back on it and what it can tell us about the future.

Dale Drew: [00:07:28:22] Yeah, I think WannaCry is just a great example of the time for us to use adult attention span to solve global problems. What happens is, when there's a flash of an incident, we all get together, we all try to solve the problem, we all try to repair the issue. And then the moment that an issue dies down, we're onto the next problem. And things like WannaCry really signal sort of what the future holds for us. The difficult thing about WannaCry is it was a very unsophisticated collection of code. It was someone who had just taken piece parts and put together various components of code. There was a lot of bad code, the algorithm to determine which Bitcoin wallet it was going to use wasn't working. So it didn't make the bad guys as much money as they had hoped. The algorithm to scan for other victims wasn't working properly and so it could have spread much deeper than it did.

Dale Drew: [00:08:27:16] But nothing really stopped that capability from being used by an adversary who wanted to wreak havoc on Internet infrastructure and just encrypt the Internet as we know it and hold it for ransom. Between that and the fact that things like WannaCry are using protocols like Tor, and we as a security community are not really prepared to be able to track malware activity through Tor. It's really a time for us to wake up as a community and get a lot more proactive in stopping those sorts of attacks.

Dale Drew: [00:09:02:20] I think WannaCry signals two things: I think WannaCry signals to organized crime, that if they really want to make a lot of money using exploits, there is a significant inventory of deep entrenched exploits from the NSA and the CIA releases that are going to allow organized crime to weaponize those and do another global ransomware attack again, that has all those pieces fixed. It also allows a nation state to decide that if they want to cause havoc in a specific country or the Internet as a whole, that they now have sort of the mechanism and the avenue to do that. Imagine everyone's laptop being encrypted or desktop being encrypted or data center being encrypted with absolutely no mechanism to be able to recover.

Dale Drew: [00:09:53:06] You know, we keep on hearing very sophisticated advice on how to detect and prevent against things like ransomware, things like WannaCry, but it really is just a matter of us getting back to the basics. Not only do we need to collaborate more as an ecosystem and get proactive and be able to stop these things, we need the attention span to figure out as bad guys of all their tools, how we respond to that as a community. And then on ransomware specifically, just really get back to the basics. Don't click on links that you don't directly trust and back up your data.

Dale Drew: [00:10:29:17] And I think that we can sort of address those really fundamental issues that we're going to be a lot more capable as a community to protect critical data on the Internet.

Dave Bittner: [00:10:41:02] Dale Drew, thanks for joining us.

Dave Bittner: [00:10:47:14] Now I'd like to tell you about some research from our sponsor, Cylance. You've heard a lot lately here, and elsewhere, about WannaCry, the sloppy but dangerous ransomware campaign that became a pandemic. Our sponsor, Cylance, has a few things to say about it you may not have heard elsewhere. WannaCry spread as a worm and a nasty surprising one, so a lot of legacy defenses didn't stop it but Cylance says its AI did. In fact, if you'd had Cylance's artificial intelligence software running on your systems, you'd have been proofed against WannaCry infestations. Go to cylance.com/blog and check out the post on Cylance versus WannaCry. Their math driven models make the unknown cyber threats known and stop them from hitting you. Visit cylance.com/blog and see what they can do for you while the next WannaCry is just a gleam in the attacker's eye. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:11:50:02] My guest today is Darron Gibbard. He's the Chief Technical Security Officer at Qualys, a provider of cloud based security and compliance solutions. Prior to his position with Qualys, he was the Head of Enterprise Risk and Information Security Services for Visa Europe. He joins us today to discuss the GDPR, the EU's general data protection regulation.

Darron Gibbard: [00:12:11:17] General data protection regulation has been enforced or in force since 2016, so last year. The regulation itself has been worked upon by various governing bodies in the EU since 1998. Each of the regions within, or the countries within the European Union have had their own data protection regulation. And they have been working on that in the case of the UK since 2002, and have had the General Data Protection Act since then. But the EU has been working on it and working with basically the various different governing bodies within the EU, in Germany, in the UK, in Ireland, in France and all the various regions and has been working on that since 2002 and been amalgamating and getting the regulation together since it came into mandatory requirements since 2016.

Darron Gibbard: [00:13:19:06] So organizations are preparing and they are preparing for the regulation and have been working very, very hard in the last 12 months and, in a lot of cases, a lot longer than that, have been working on and with their regional regulators basically on the regulation for probably two to three years on average within European organizations, preparing themselves. And there's a number of steps that need to be taken by organizations to basically make sure and ensure that they become compliant with the regulation.

Darron Gibbard: [00:14:00:12] And a lot of it is around basic security good practices, so practices that organizations should already have in place and should be operating in their sector or their vertical that they operate within.

Dave Bittner: [00:14:14:21] Is there a sense that organizations are going to be ready?

Darron Gibbard: [00:14:18:00] If you had asked me a year ago, I would have said no. I mean if you asked me recently when I engaged with CISOs and I talked to CISOs and CIOs in various organizations, yes they will be. I think there has been a lot of focus in the last 12 months basically within the regulatory bodies, within the vendor space that has been helping organizations prepare for it. 90%, 95% of organizations will be ready to go by May 25th, 2018.

Dave Bittner: [00:14:52:09] And as far as organizations that are outside of the EU, what is your expectation for how this is going to affect them?

Darron Gibbard: [00:14:59:08] I firmly believe that it will affect them just as much as what it affects the organizations within the EU itself. So it's ensuring that EU citizen data is protected wherever it goes across the globe. PwC did a very good article last October in the US where they interviewed over 2500 organizations within the US. And the average spend per organization was a million dollars on preparing for GDPR, and making sure that their organizations were ready. And that's across obviously multiple sectors, multiple size organizations.

Darron Gibbard: [00:15:40:01] So if the US is leading by example, then, you know, obviously Australia are working well towards it. I was down in South Africa basically three weeks ago; they're preparing for it. So if I'm totally honest, I probably think everybody outside of the EU is better prepared for the GDPR than what they are within the EU.

Dave Bittner: [00:16:03:09] Why do you say that?

Darron Gibbard: [00:16:04:20] Just because of the understatement of the budgets that are being spent and the preparation that's being put in to making sure that the citizen data is separated. And it is understood and is known and where that data is going and how it's been used within the organizations that are processing it.

Dave Bittner: [00:16:23:24] So when the May 2018 deadline arrives, how do you see this playing out? Do you suspect that it'll probably be a non-event or we will expect to see some organizations paying hefty fines?

Darron Gibbard: [00:16:36:10] I'm hoping it'll be a very quiet event and basically a bit like Y2K and basically it'll become a non-event and just be that everything will carry on as per normal. From my perspective, I think it will be business as usual, so organizations, those already under regulatory regime will be prepared, will be ready and will basically be ready to go. Organizations that are not so used to the regulatory regime will have a lot more work to do to get themselves used to the language of the regulation. And to understand what the impacts would be to their respective organizations.

Dave Bittner: [00:17:18:18] Do you suspect that there are going to be any unexpected consequences of the new regulations?

Darron Gibbard: [00:17:24:05] I think there will be, I think there'll be a positive for cybersecurity, information security and IT security teams. In a lot of cases, with things like privacy by design and privacy impact assessments, security teams have been left out of the project management of future development strategy conversations within respective organizations. And I think this is an opportunity for the security industry to mature and to grow up and to finally have that C level, C suite presence. Because what the cyber, the security teams, the CISOs, the CIOs are going to be protecting the organizations and protecting the CEO from breach, from massive regulatory fines.

Darron Gibbard: [00:18:13:23] So I think, you know, I've been in this industry for 25 years now, I think it's now finally, with the incoming GDPR, the regulation, I think it's going to actually improve, and I think it's going to make the CISO's role a lot more important within organizations.

Darron Gibbard: [00:18:35:02] The UK Information Commissioner's Office has a very good 12-steps-to-take-now document, it's a document to refer to and reference for any organization and it just highlights what organizations need to be prepared for and what they need to be doing. So I think that would be a good reference document to use. It's a horrible yellow color but apart from that, it's basically quite a nice document that gives you the steps that any organization, whether they be a small ten-man organization through to 50,000/60,000 employee organizations or hundreds of thousands of employee organizations need to take.

Dave Bittner: [00:19:20:24] That's Darron Gibbard from Qualys.

Dave Bittner: [00:19:28:01] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out cylance.com.

Dave Bittner: [00:19:40:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben. Technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend, we'll see you back here on Monday. Thanks for listening.