The CyberWire Daily Podcast 7.12.17
Ep 389 | 7.12.17

Patch Tuesday. Infrastructure hacking and hackers. Industry notes. Influence operations. Jamming a radio station.

Transcript

Dave Bittner: [00:00:00:24] This is the CyberWire Podcast. I'm Dave Bittner. Okay. So we're big fans of the 99% Invisible Podcast here and they're incredibly successful with their fundraising, so somebody here had the bright idea that maybe if I sounded more like Roman Mars, more people would go check out our Patreon page at patreon.com/thecyberwire. It's worth a shot.

Dave Bittner: [00:00:23:00] We've got some Patch Tuesday notes with Microsoft and Adobe both offering updates. Kremlinology goes cyber as infrastructure attacks remain under investigation. A cyber company emerges from stealth. The US General Services Administration removes Kaspersky Lab from Schedule 70. Election influence investigations turn to the question of Russian opposition research. And the Sheriff of Nottingham, call your office, because Robin Hood was no winker.

Dave Bittner: [00:00:56:09] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:51:04] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 12th, 2017.

Dave Bittner: [00:02:01:09] Yesterday was Patch Tuesday, and both Microsoft and Adobe issued security updates for their products.

Dave Bittner: [00:02:07:10] Microsoft's 55 security fixes included updates to Windows, Internet Explorer, Edge, Office, the dot NET Framework, and Exchange. Among the patches were two that addressed vulnerabilities Preempt Security found in Microsoft's NT LAN Manager (that's NTLM) that they quietly disclosed to Redmond back in April. Experts advise users of NTLM to address these issues as soon as possible. NTLM is a set of security protocols used for authentication. They're managed through Active Directory's Group Policy. The vulnerabilities fixed this week both enable credential relay attacks - theft of negotiated NTLM credentials, which are then forwarded to a server for successful authentication.

Dave Bittner: [00:02:51:15] Adobe's patches addressed Flash Player (one fixed a remote-code execution bug) and Adobe Connect for Windows. Observers like Brian Krebs make the usual remarks to the effect that users should perhaps simply get rid of Flash entirely at this point. But Flash will no doubt retain many of its users, and those users should pay attention to Adobe and patch Flash promptly.

Dave Bittner: [00:03:15:22] The phishing attempts against US power plants, including, most famously, the Wolf Creek nuclear facility in Kansas, continue to be generally regarded as Russian in origin. They are affording a good opportunity to observe the young Kremlinological sub-discipline of threat-actor tracking. Where security intellectuals once looked at the line-up atop Lenin's Tomb on May Day for indicators of succession, influence, and personal decline, we now look at reused and repurposed code. The Kremlinological metaphor should be borne in mind when assessing attribution. Kremlinologists often had it right, but they also whiffed on occasion. Who saw Konstantin Chernenko coming, for example, back in the day? A few, maybe, but it's always been an inferential and circumstantial game.

Dave Bittner: [00:04:04:09] WIRED has a nice scorecard of Russian infrastructure-hacking suspects. They draw attention to three. Two of them are relatively well-known, the other more obscure.

Dave Bittner: [00:04:13:23] The first is the intelligence-gathering Energetic Bear, also known as DragonFly, Koala, and Iron Liberty. Energetic Bear has been tracked by security companies CrowdStrike and FireEye since 2014, but is believed to have been active since 2010. It began by distributing the Havex Trojan in watering-hole campaigns, then turned to phishing. Energetic Bear seemed initially most interested in collecting against the oil and gas sector, but also showed interest in electrical power. Energetic seemed to become less energetic after it came under scrutiny in 2014, and is held by some to have vanished, but who knows? Might just be hibernating.

Dave Bittner: [00:04:55:03] Number two on WIRED's list is Sandworm, also known as Telebots or Voodoo Bear, Fancy Bear's GRU cousin. Sandworm is held to be a destructive actor, and is generally credited with the Ukraine grid takedowns of the last two and a half years. Sandworm is also thought to be in some fashion behind the recent CrashOverride pandemic.

Dave Bittner: [00:05:16:10] Last comes Palmetto Fusion. This is the quiet one. FireEye has been observing them since 2015, and they, like the other two, have shown an interest in the energy sector. Palmetto Fusion is not only quiet, like Cozy Bear, but is also thought - maybe - to be associated with the FSB, the quieter, more sophisticated agency that's the heir to the old KGB. Fancy is noisy, Cozy is not, so Palmetto Fusion may indeed trace its lineage back to the Lubyanka.

Dave Bittner: [00:05:46:20] In any case, investigation into the attempts on the US grid continues. There's been no effect on operations, so far, but experts are warning that the Americans can't count on that forever.

Dave Bittner: [00:05:59:02] Avanti Markets, makers of the food kiosks compromised by hackers, is getting good reviews for their swift and open disclosure of the issue. The compromise included both paycard and biometric information.

Dave Bittner: [00:06:13:09] In industry news, a security start-up emerged from stealth this morning, as Edgewise Networks announced itself in Burlington, Massachusetts. Edgewise Networks' announced goal is to focus on "Trusted Application Networking." The company is backed by three venture capital firms, .406 Ventures, Accomplice, and Pillar.

Dave Bittner: [00:06:35:19] Kaspersky Lab has been under a Congressional cloud for some weeks, as various members have made noises about banning the Russia-based security company and its widely used products from US Federal, especially Defense, systems. Following reports by McClatchy and, most recently, Bloomberg, that Kaspersky has done business with Russian state security organs, the company has been removed from two GSA procurement vehicles.

Dave Bittner: [00:07:01:10] "After review and careful consideration," the US General Services Administration says it has removed Kaspersky from Schedule 70 (which covers IT) and Schedule 67 (which includes procurement of Photographic Equipment and Related Supplies and Services). It's not, as some have reported, an outright ban, and there's no statement on the GSA site that connects the removal with allegations that Kaspersky's in bed with the FSB, but that's how the general media are treating the matter. Agencies will remain free to hire Kaspersky under other contract vehicles, but the action does remove an easy avenue for the company to sell into the Federal Government. Kaspersky denounces the Bloomberg story about the company's alleged connection to FSB as a politically motivated hack job. Congressional interest in restricting Kaspersky continues unabated, and some observers see the GSA action as a Trump administration shot across Russia's bow.

Dave Bittner: [00:07:58:24] The story is developing, and it's worth noting that there are at least two issues here. It would be difficult (not impossible, but difficult) to find major security companies that don't do work for their home country's intelligence or law enforcement agencies. But doing that sort of work doesn't necessarily mean that a company is selling out the rest of its customers to the cops and spies. So the story will bear watching.

Dave Bittner: [00:08:24:05] Investigation of election influence operations continues in the US: Donald Trump Jr.'s campaign season email exchanges with Russian sources of opposition research receive foreseeable scrutiny.

Dave Bittner: [00:08:38:02] Finally, a radio station in the UK - in Nottinghamshire, to be precise - has been suffering interference by someone playing the 1978 novelty hit "The Winker's Song," over and over. That's the title that appeared on the single's cover. It's unclear whether it's a case of hacking or jamming, as some reports suggest the Winker fan is using a pirate radio transmitter. We assume the Sheriff of Nottingham is on the case.

Dave Bittner: [00:09:04:19] Our UK desk insists this is a story, because, they say, it illustrates a trend: the convergence of cyber and electronic attack, reminding us that at the beginning of the first Gulf War US air strikes announced that the campaign had begun by flying in behind jammers playing the Clash's Rock the Casbah, and so on. Maybe. But the fact that the UK desk has enthusiastically pointed out that the Winker's Song foreshadowed similarly themed hits by the Vapors (in 1980), Cyndi Lauper (in 1983), and the Divinyls (in 1990) makes us think our UK desk is still, mentally, and probably emotionally, in the tenth grade. Either that or aspiring pop music historians.

Dave Bittner: [00:09:54:09] Time to take a moment to tell you about our sponsor ThreatConnect. Are you going to Black Hat this year? Of course you are. And when you go you will not want to miss talking to the experts at ThreatConnect. The team will be there at booth number 120 answering questions, sharing insights and doing demos. Of course, they'll also be handing out some of their famous t-shirts and raffling off an incredible Sonos Surround Sound System, and who would not want to get in on an opportunity to win an awesome surround sound system? In addition to all of the activities at the booth, executives will also be on hand and available to meet in the ThreatConnect media suite. Visit threatconnect.com/blackhat to learn more. That's threatconnect.com/blackhat. Surround sound, sounds awesome. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:10:46:01] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, welcome back. We had a story come by from Security Affairs that was talking about a side-channel attack on some RSA encryption. They were claiming that they can crack 1024-bit RSA encryption. Bring us up to date here. What's going on?

Jonathan Katz: [00:11:09:02] So this is an example of a side-channel attack where basically the attacker is using information that they're obtaining by watching the execution of the algorithm. Say if they have a virus running on the same machine that the algorithm is executing on, and by looking at very small differences in the timing that various parts of the algorithm take, it turns out that it's possible to extract bits of information that allow them to recover the secret key for 1024-bit RSA as you say.

Dave Bittner: [00:11:37:16] And one of your colleagues at the University of Maryland had a hand in this?

Jonathan Katz: [00:11:41:14] Yes, that's right. Actually Daniel Genkin is one of the co-authors of the paper describing this work and he's currently splitting his time working with me at the University of Maryland, and also working with Professor Nadia Heninger at the University of Pennsylvania.

Dave Bittner: [00:11:55:20] How big a deal is this? Is this something to be taken seriously or is this more of an academic kind of thing?

Jonathan Katz: [00:12:01:19] Well, it's a little bit mixed actually. It's something to be taken seriously from the point of view that there are actually deployed products, in particular the new pgcrypto library that are vulnerable to this attack. And they've ended up patching the system and fixing the bug that led to this attack, so they certainly took it seriously. On the other hand, the conditions that an attacker would need in order to carry out this attack are pretty severe, and like I said earlier, the attacker would basically have to be running on the same machine that the cryptography was being executed on, which if that's the case, if you have an attacker running on your machine you probably have bigger problems to worry about.

Dave Bittner: [00:12:41:06] Right. So there are probably more practical ways to get what you need if you already have full access to the machine itself?

Jonathan Katz: [00:12:48:02] Yes, potentially. I think that this is one in a line of work that highlights the potential problems that can occur. When you're implementing cryptography in the cloud you might have different users' programs being run on the same physical machine, and it's potentially possible in that case that an attacker running on the same machine as an honest user would be able to get the information that's needed to carry out this attack in that case as well.

Dave Bittner: [00:13:13:20] All right, Jonathan Katz. Thanks for joining us.

Dave Bittner: [00:13:20:17] Now I'd like to tell you about some research from our sponsor Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. Crash Override in particular, threw a scare into the energy distribution sector. It's a real threat and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper Cyber Security and The Grid: The Definitive Guide for insight into how the North American power grid works, an overview of current regulations, and a look at potential cyber threats. You'll find the guide at deltarisk.com/grid-whitepaper. Delta Risk, LLC, a Chertoff Group company is a global provider of strategic advice, cyber security and risk management services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com and while you're there, get that guide to Cyber Security for the Grid. It's deltarisk.com/grid-whitepaper. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:14:34:23] DEF CON and Black Hat are coming up, and if you've never been, chances are you might be a bit unsure of what to expect. Jennie Kam is a Researcher at Cisco, and she's put together a webinar to help tradeshow first-timers.

Jennie Kam: [00:14:47:22] It was very intimidating the first time I was there. I didn't speak to anybody my first DEF CON really. I tried to blend in and keep to myself and figure out what was going on. And I don't want anyone to have that kind of experience because I've discovered through the years, there's so much more to see at DEF CON and it's so much better when you do speak to people. And I just wasn't sure who was safe to talk to and where to go and what to do, and so I just want everyone else to have a better experience than my first experience at DEF CON.

Dave Bittner: [00:15:20:17] Give us an idea of what can people expect from this online panel you've put together.

Jennie Kam: [00:15:26:10] A lot of questions I hear are about what the differences are between Black Hat and DEF CON and do I need to do both? There's BSides Las Vegas, and some of the smaller co-located parties and conferences, and so I have a diverse group on the panel to explain sort of who belongs where. And if you're interested in which topics, maybe which villages or which parties to hit or not to hit, as well as, how do I stay safe in Vegas amongst all these hackers?

Dave Bittner: [00:16:00:18] Is this panel specifically targeting women who are taking their first trip out there or can anyone tune in?

Jennie Kam: [00:16:08:03] We welcome anybody to tune in. The panel does happen to be six ladies whom I've all met and worked with, and we all have a very different and diverse opinion. So while there will be tips specific to women, just a few, the safety tips really apply to everybody about keeping your drink safe and shady characters that may approach you, and we'll give examples of the types and experiences that we've either had or have friends who have encountered at DEF CON.

Dave Bittner: [00:16:38:12] Give us the details here. When is the panel? How can people take part?

Jennie Kam: [00:16:43:02] Our panel is this Thursday, July 13th at one in the afternoon Pacific Time, three p.m. Central, and for those in New Zealand, like our panelist Kate, it's actually July 14th, Friday morning at eight a.m. New Zealand Time. We know DEF CON is a very global event and people come in from all over, so we try to accommodate a variety of perspectives and timezones. They can register for the webinar; there's a link from my tweet at TXjenniek, just a link from my pinned tweet.

Dave Bittner: [00:17:16:18] Okay. So check out your Twitter account and that's the quickest way to find out how to sign up?

Jennie Kam: [00:17:21:23] Yes.

Dave Bittner: [00:17:22:16] And once again, that Twitter account is @TXjenniek. That's J-E-N-N-I-E-K. That's Jennie Kam from Cisco.

Dave Bittner: [00:17:36:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:17:48:19] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.