The CyberWire Daily Podcast 6.26.17
Ep 378 | 6.26.17

Brute-forcing Parliament. Election hacking retaliation? Cyberspies hunt IP in East Asia. Microsoft security issues. ISIS hacktivists deface Ohio websites.

Transcript

Dave Bittner: [00:00:01:00] I want to thank our latest Patreon supporters. If you haven't checked it out yet, please do so, it's at patreon.com/thecyberwire. Thank you.

Dave Bittner: [00:00:11:07] Parliament recovers from a brute-force attack. Reports on election hacking in the US suggest there was some American cyber retaliation last year against Russian influence operations. BlackTech goes after intellectual property in East Asia. Windows Defender gets a patch, but Windows 10 source code leaks. Fireball malware's extent is disputed. ISIS hacktivists deface websites associated with the government of the State of Ohio. And how much can we count on common sense?

Dave Bittner: [00:00:44:14] Time for a message from our sponsor, Recorded Future. You've probably heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyses the entire web, to give info sec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily, they do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web; Cyber News, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, June 26th, 2017.

Dave Bittner: [00:01:59:04] Last Friday the British Parliament sustained a brute-force attack on email credentials belonging to Members and staff. Around ninety accounts are thought to have been targeted. The principal concern that's been voiced is the possibility of blackmail. Authorities took down the email service and required password resets, which itself represented a significant disruption. Initial attribution was to an unspecified foreign intelligence service; that service has now by consensus been specified, it's Russia's. What is a brute force attack, and how does one conduct one? The CyberWire's glossary defines it as, "an exhaustive search for a cryptographic key or password that proceeds by systematically trying all alternatives until it hits on the right ones." It can be resource intensive, but it can work, too. We heard from High-Tech Bridge CEO, Ilia Kolochenko, about brute force attacks and he pointed out that such attacks can be simple and cheap to organize. He said, "virtually any teenager could be behind it." But he also thinks they can be relatively easy to defend against. He said, "A simple brute-force attack can normally be detected and blocked within a minute." He draws the lesson that fundamentals are still being ignored by governments that ought to know better. Those fundamentals, he thinks, include two-factor authentication, strict password policies, and regular audits for weak passwords and noncompliance. Other measures like advanced IP filtering and anomaly detection would also help. Inquiry into Russian influence operations against last November's US elections turns up records that purport to show that then President Obama, responding to concerns from Democratic members of Congress, directed cyber retaliation against Russia using "implants" that "would hurt."

Dave Bittner: [00:03:45:21] Russia's demonstration of a grid-hacking capability against Ukraine continues to stir concerns in the power sector. An op-ed in the Moscow Times suggests that publicly expressed fear of Russian cyber capabilities plays into President Putin's hand. It's a weak hand, most foreign policy experts think, but Mr. Putin has played it extremely well. The editorialist calls it "dark power, the malign shadow of soft power." If soft power exerts itself in the form of positive examples, dark power does so through fear, and this can be seen in cyber operations as well, more luridly, in assassinations. Researchers at security firm Trend Micro are outlining the activities of the BlackTech cyber espionage group, which is prospecting East Asia (especially Japan, Taiwan, and Hong Kong) for industrial intellectual property. They've linked BlackTech, which they describe as "active and well-funded" to campaigns known as "PLEAD," "Shrouded Crossbow," and "Waterbear." BlackTech is working against bugs in outdated software (especially old Windows versions) and has been seen using tools leaked from controversial lawful-intercept vendor, Hacking Team. It's shaping up to be a challenging week for Microsoft. Redmond quickly patched another flaw in Windows Defender that Google's Project Zero uncovered, and that's the good news. Check Point has been following the Windows malware that goes by "Fireball." The security company and Microsoft are at loggerheads over just how many Fireball victims are out there. Check Point puts the count at two-hundred-fifty-million. Microsoft says it wasn't nearly that bad, and, anyway, Windows 10S users were all safe. Windows 10S itself, however, may still be susceptible to attack by malicious Word macros as suggested by a proof-of-concept ZDNet organized.

Dave Bittner: [00:05:39:17] Microsoft has also disclosed that Windows 10 source code (about ten terabytes of secure code and internal builds, according to reports) has leaked online, where it's now open to whatever inspection and exploitation can make of it. Pro-ISIS hacktivists—the usual skids belonging to Algeria-based Team System DZ—have defaced sites belonging to the State of Ohio with a message reading, “You will be held accountable Trump, you and all your people for every drop of blood flowing from Muslim countries.” Ohio is almost certainly just a target of opportunity. We've seen before that Islamist hacktivists have shown a predilection for indifferently defended government sites in the American heartland. Most of them have tended to be at the municipal level; the State of Ohio is a somewhat bigger fish. But ISIS hacktivists still haven't shown the sort of serious offensive capability many observers have long feared.

Dave Bittner: [00:06:36:21] Finally, there's an opinion piece running in C|NET that got us thinking. The lede says, "Changing your password needs to become like washing your hands after using the bathroom, a habit. We’re a long way off from that." This is the editorialist's partial answer to the question posed in the headline: "What will it take for cybersecurity to become common sense?" A lot, one thinks. It's hard not to sympathize with the writer, and surely he's right that it's baffling to find that people still think 1-2-3-4-5-6 is a perfectly good password, and that it could be made even better if they added a 7 for added complexity. Heck, just ask people hanging out in Parliament's bar in Westminster what a good brute-forcing was like. But passwords have probably reached their limits, and changing them is a marginal improvement at best. And, besides, chasing the spread of common sense can be like chasing any other will-o-the-wisp.

Dave Bittner: [00:07:33:09] One of our stringers insists that we take the handwashing metaphor seriously. He was up in New York all last week and he says that, if handwashing is common sense, then common sense is surprisingly lacking in the restrooms at the Port Authority. We begged him not to go on, without success, and we'll spare you the details of his account, but to summarize, if our hopes for security rest on a widespread outbreak of common sense, well… Moses brought down ten commandments, and no one's exactly nailed those. SANS gave us twenty controls. Sure, they're valuable and sensible and need to be taken seriously, but is the SANS Institute likely to do better than Moses? And on that uplifting note, we hope we at least got your mind out of the Port Authority.

Dave Bittner: [00:08:23:00] And now some information from our sponsors at E8. We all hear a great deal about artificial intelligence and machine learning in the security sector and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics, you can't recognize the anomalies until you know what the normal is and machines are great at that kind of base-lining. For a guide to the reality and some insights on how these technologies can help, go to e8security.com/cyberwire and download E8's free White Paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go to technologies. Find out more at e8security.com/cyberwire and we thank E8 for sponsoring our show.

Dave Bittner: [00:09:24:14] I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back, we wanted to touch on phishing today - it's that attack vector that just doesn't seem to want to go away.

David Dufour: [00:09:37:05] That's right, David. Thank you for having me back. Phishing continues to be the number one way people get infected and it won't go away, you're absolutely correct, most likely because it's a great business model. I can blast out a bunch of emails with malicious links that redirect people to site where I'm trying to get their account information and, even if I'm only getting a tenth of a percent or even less hits, I'm getting a lot of valuable information from people who don't realize that they're giving it to me.

Dave Bittner: [00:10:10:00] We've seen some high profile phishing attacks lately.

David Dufour: [00:10:13:00] Yes, we have, with people emulating Google docs and DocuSign. These are very professionally done, they look very authentic and then, once you've given out that information, the nefarious actors are able to breach those sites and get to your information. Once again, they're very diligent. They're getting very good at this type of attack.

Dave Bittner: [00:10:37:17] And if I'm someone whose job it is to protect my organization's network, this is one I think that leaves me scratching my head because what I'm really up against is human nature?

David Dufour: [00:10:47:21] Yes. I might have said this to you before and the people around here get really tired of hearing this but, in 1988, when I joined the US Air Force, one of the number one ways of attack was someone figuring out how to get your username and password. Here we are, almost 30 years later, and the number one form of attack is someone trying to get your username and password. Really, this all boils down to teaching the user how to identify a phishing site and not be drawn in. This is strictly a user product; there's a lot of tools we can put in place to try to block those URLs and block those sites, but they still get through email systems and email filters and, at the end of the day, if we can educate our users that's the number one way of prevention.

Dave Bittner: [00:11:32:12] What about the notion of the carrot versus the stick, of rewarding people for doing the right thing versus punishing people if they make the wrong choice.

David Dufour: [00:11:42:19] That's a great idea. In fact, I think a lot of folks would like to figure out how to do that better. I don't know what the carrot is, but I do believe that that's probably the better way, so people are conscious and they're more aware, rather than being fearful of something.

Dave Bittner: [00:11:59:20] Yes. It seems like such a complex problem because, on the one hand, you can stand up technical solutions to this and try to defend yourself - if someone has accidentally compromised your system, that insider threat, but, again, it's just so hard to fight against human nature. People are curious or lazy or will just will click those links.

David Dufour: [00:12:22:04] They will and the single biggest piece of advice, if you're going to go to a link, is type it in that address bar. Don't click the link. I know it's fun to look the YouTube video but typing that link in is the most sure way of getting to where you want to go.

Dave Bittner: [00:12:38:22] Alright, David Dufour, thank you for joining us.

Dave Bittner: [00:12:43:22] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit cylance.com. Thanks once again to all of our supporters on Patreon and to find out how you can contribute to the CyberWire, go to patreon.com/thecyberwire. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.