The CyberWire Daily Podcast 7.20.17
Ep 395 | 7.20.17

Configuring AWS buckets. New threats and vulnerabilities. Insight into criminal cyber markets. Apple and Oracle patch.

Transcript

Dave Bittner: [00:00:01:03] Our thanks to all the patrons who have been so generous in their support of the CyberWire. We're happy to have added a new benefit this week. Members of the Producer's Circle now receive exclusive access to our new Quarterly Report. If you'd like to see a sample, go to thecyberwire.com/quarterlyreport, and thanks again to our patrons.

Dave Bittner: [00:00:22:14] Amazon Web Services has a timely reminder, check your cloud's configuration. Hacks now seem to affect revenue for years. A rundown of some new threats and vulnerabilities. We've got some insights into the criminal carding market and the training it offers. We've got some patch news and forget about Mayweather-McGregor, the pay-per-view we'd sign up for is Putin-Wittes.

Dave Bittner: [00:00:49:24] I'd like to tell you about some tactics and techniques from our sponsors, Cylance. Cylance will be offering a short course at Black Hat on Leveraging Artificial Intelligence and the ELK Stack for Targeted Threat Hunting. You've heard about AI, the ELK stack and threat hunting. Now learn what they are and what they can mean for the defense of your enterprise. In this course, you'll learn how to create your own enterprise-wide hunting platform using ELK with data enrichment feeds and how to set up an ELK server to facilitate powerful hunting and how to collect data efficiently from every endpoint on your network fast. So don't just look for threats, get out and hunt them. Check out the presentation on Wednesday, July 26th from 4:10 to five o'clock in the afternoon at Business Hall, Theater B, Level One. Cylance, it's where you'll find the next generation of cyber security. Learn more at cylance.com under their events section. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:52:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 20th, 2017.

Dave Bittner: [00:02:02:22] Amazon Web Services has sent its customers a reminder that Access Control Lists, those are ACLs, well, they govern who can see the content of their S3 buckets and that they should look at their buckets to ensure that public read-access is enabled only where it's supposed to be. Misconfiguration, often by third parties, has hit data held by large organizations hard this summer but AWS wants customers to remember that protecting information from inadvertent exposure isn't that hard. So an S3 bucket isn't exactly a set-it-and-forget-it Ronco toaster oven, but, really, it's not that complicated.

Dave Bittner: [00:02:40:23] TalkTalk's revenues declined in the first quarter and analysts attribute this in large measure to the breach the telco sustained in 2015. This report suggests effects of cyberattacks can linger, a lesson worth considering in the wake of NotPetya, particularly with respect to its effects on shipping and manufacturing. TalkTalk, whose breach is nearly two years old, is still suffering. It reported a 3.2% slip in revenue in the first quarter this year. Its CEO at the time of the incident was Baroness Dido Harding, who left her job at the beginning of April. The proximate cause of the revenue decline is given as recontracting consumer customers to new, lower-cost, fixed rate plans.

Dave Bittner: [00:03:24:06] Some new threats and vulnerabilities are worth a mention. Malformed Windows MSI files are now known to infect Linux systems, too. Researchers call the vulnerability "Bad Taste."

Dave Bittner: [00:03:35:24] CyberArk's Red Team reports a form of domain fronting that can mask attackers' command-and-control traffic. It abuses content delivery networks and high-traffic domains. Domain fronting uses different domain names at different layers of communication. The technique, CyberArk says, is in use in the wild and can be applied to highly targeted attacks.

Dave Bittner: [00:03:58:24] As fears of election hacking persist, the DarkHotel APT group appears ready to offer a fresh approach to political hacking. The online gang uses whaling, digital certificate factoring and Inexsmar malware in its attacks.

Dave Bittner: [00:04:14:10] In the second cryptocurrency heist reported this week, a hacker stole Ethereum currency worth approximately $30 million by exploiting a vulnerability in a Parity wallet. Parity is working on a fix. This is a distinct attack from the one CoinDash reported earlier this week, in the course of its initial token offering.

Dave Bittner: [00:04:35:10] Comodo, the New Jersey based security firm, warns of a new kind of phishbait being used by criminals in the wild. It's a continuation of the long-running trend of phishing growing more clever and more tightly targeted, almost to the point of spearphishing. This new approach presents the phishing email as a response to an earlier request for information by the victim. Most of the intended marks of the technique are in the US but the approach has been seen in at least twenty other countries.

Dave Bittner: [00:05:04:19] Taking a quick look at our CyberWire event tracker, if you're headed to Black Hat, don't miss Deep Instinct at Booth 873. BSides Las Vegas is happening July 25th and 26th, you don't want to miss that. Clearedjobs.net is having a CyberTexas job fair on August 1st and there are cybersecurity summits coming up in Chicago on August 8th and New York on September 15th and the eighth annual Billington cybersecurity summit is coming up September 13th 2017 in Washington DC. You can find all the details and find out how to list your event on our CyberWire event tracker at thecyberwire.com. Cybersecurity is, of course, a rapidly growing industry attracting innovation and investment and, with that, comes a desire by the states to attract and nurture cybersecurity companies with the high paying jobs and highly educated people that come with them. Chris Ensey is Chief Operating Officer at Dunbar Cybersecurity and he also co-chairs the Governor's workforce development board's cybersecurity taskforce for the state of Maryland. I asked him about what it takes for states to compete in a hot cybersecurity market.

Dave Bittner: [00:06:12:21] So, you know, you, you are a Maryland company, as are we here at the CyberWire, so we have a certain amount of pride in our local accomplishments and so forth. And-- but I'm curious, you know, when you look at the bigger picture of any individual state, when a state tries to compete for cybersecurity dollars, for cybersecurity workforce, what are the kind of things that states have to take stock of and look toward in terms of investments and being able to attract organizations and people?

Chris Ensey: [00:06:42:12] So I think the resources that they have in terms of the workforce are oftentimes going to be looked at as one of the lifebloods of any thriving business in this industry. They have to look at, do we have the resources, are we developing the right talent and skill sets and can we keep those talented people in the state? So I think Maryland is in a unique position, because of our geography almost, to retain a lot of localized talent. We've got obviously the influences of the Department of Defense and the intel agencies, Washington DC co-located right next to us, also a growing set of commercial entities that are focused on opportunities here and beyond. There's a lot of really interesting things happening locally in terms of incubators, start ups, new technology that's emerging that's coming either out of government programs, institutions and the academic community or even just homegrown things that have emerged that are starting to take a national and even a global footprint.

Chris Ensey: [00:07:44:14] That said, I don't want to over-sugarcoat it either. I think there's a lot of things we still have to do to take a seat at the table of the best states in the United States that are focused and have resources for cybersecurity.

Dave Bittner: [00:07:58:18] What are some of the areas where you think a state like Maryland needs to improve?

Chris Ensey: [00:08:02:15] Well, I, I think while we've built out some great companies and we've taken a definite noticeable position in the US as a source of cybersecurity talent mainly due to the fact that we have the federal influence in the centers of excellence here from a security perspective, I think that if you look at the overall ecosystem that's out there of producers of cybersecurity services, products and technology we would fall far down the lists. One of the areas I think that limits Maryland in a sense is that sometimes we do have a myopic focus on the Department of Defense contractors and the type of work that goes into that sector and I think that at times can maybe detract a little bit from the opportunities that are out there to build global products and solutions that make their mark in terms of the state's place in the competitive landscape of companies that are out there.

Chris Ensey: [00:08:58:14] One of the things I'm always critical of in the state of Maryland, when I look at all these different activities that are going on and different business development initiatives and training programs and grant programs that people are contemplating, is that what are we doing to put all those pieces together? And I think, in general, I see a lot of overlapping initiatives. I see a lot of competing interests almost and I think that's holding us back to a degree. We haven't quite cracked the code on how do we make it so that we're bringing more opportunities to this state at mass scale using every resource we have in conjunction to make it happen as explosively as possible.

Dave Bittner: [00:09:35:05] That's Chris Ensey from Dunbar Cybersecurity.

Dave Bittner: [00:09:39:14] There've been some more patches this week. Apple has issued patches for macOS, iOS and Safari. And Oracle has fixed 386 vulnerabilities in its products. Many of Oracle's issues were discovered and reported by security vendor, Onapsis.

Dave Bittner: [00:09:54:22] Finally, we're noticing a couple of things these days. First, we're aware that Mayweather and McGregor are holding a round of really interesting joint press conferences in the run-up to their middleweight title bout, as our sports desk keeps telling us. And remember back in the Eighties, when it was morning in America? Our heartland desk does and they remind us that a candidate for Governor of Texas challenged Libyan strongman, Muammar Ghaddafi, to a duel to the death in a cabin cruiser on the "Line of Death" that Colonel Ghaddafi drew across the mouth of the Gulf of Sidra. The chosen weapon was Bowie knives. It didn't happen, as far as we know, and the challenger lost the election but his spirit lives on.

Dave Bittner: [00:10:36:09] We're thinking that spirit lives on in particular over at Lawfare, a blog we often read with interest on cyber-legal and cyber-policy issues.

Dave Bittner: [00:10:44:20] President Vladimir Putin is a noted martial artist but the editor of Lawfare, Benjamin Wittes, thinks he's a chump ripe for the dropping. "I'll fight Putin any time, any place he can't have me arrested," the Extreme Editor said back in October 2015 but we think the time is finally right for it now. If the Editor can pull it off, we'll set it up on pay-per-view.

Dave Bittner: [00:11:12:23] Now another message about some research from our sponsor, Cylance. You know, a good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications and develop nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiqués within a massive cloud of noise. Backdoors for the good guys mean backdoors for the bad guys and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to cylance.com and take a look at their blog for reflections on surveillance, censorship and security. That's cylance.com. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:20:24] And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You had an important point to make today and that was that, as, as we see the evolution of some of these, these threats, you're seeing that ISPs have some specific responsibilities and those responsibilities may be growing.

Dale Drew: [00:12:41:13] Yeah, absolutely. You know, and what I, what I'd say is, you know, what, what we're seeing is-- we're seeing threats becoming much more global much more often. We're seeing threats that, that the bad guys want to take advantage of the sort of deep entrenched and deep rooted protocols and systems that have large scale impacts across the entire net and, again, you know, WannaCry is a really good example of a single exposure that has a significant sort of global impact. Today we rely on a very specific set of community members within the security community who are analyzing malware at the application layer to be able to be the eyes and ears for that sort of global problem. And what I'd say is the ISP is in a very, very unique position to not only be able to detect those exposures but be able to stop those exposures and then collaborate across networks to be able to get as close to the edge of the bad guy as you possibly can, to stop it and figure out where the fingers on the keyboard are. If you look at, you know, Level 3 as an example, we are a huge proponent of something called "DOTS" which is the DDoS open threat signaling protocol. Now that protocol was originally being established to help be able to communicate about DDoS attacks across ISPs, to be able to stop DDoS attacks quickly but it's more of a signaling protocol on threats and so you expand a protocol like that to be threat based, you can push phishing attacks and malware attacks and DoS attacks across the entire network ecosystem and, eventually, the entire security ecosystem to be able to stop threats.

Dale Drew: [00:14:18:06] The ISP could also be shutting down command-and-control systems. You know, we do this once every two hours. We, we find C2s that have significant influence in the industry and we, we block the C2. And ISPs, you know, they, they're very concerned about blocking Internet addresses because they don't know the other purpose that IP address serves so they tend to be a little gun-shy on that and I think it's time that we started leaning into this problem a lot more.

Dave Bittner: [00:14:44:10] Are you seeing the adoption of these kinds of techniques by ISPs? Is that collaboration happening? Are people getting onboard?

Dale Drew: [00:14:51:17] I think today, when the threat level reaches a certain saturation point, that the community comes together and tries to solve it. But it takes a global event right now for us to be able to do that and, you know, that, that capacity, that capacity for the entire ecosystem to work together at once is there, that apparatus is available and I think that we need to get a lot more proactive in being able to stop these threats before they become global problems and use that entire ecosystem apparatus to make it much more difficult for the bad guy to operate.

Dave Bittner: [00:15:26:20] Dale Drew, thanks for joining us.

Dave Bittner: [00:15:31:07] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. You can find out more about Cylance and how they can help protect you with artificial intelligence at cylance.com.

Dave Bittner: [00:15:43:23] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.