Dave Bittner: [00:00:01:07] The CyberWire Podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:11] WikiLeaks dumps documents attributed to the Imperial project. Russian catphish are said to have nibbled at French President Macron's campaign. North Korea mines Bitcoin. Malware warnings include a banking Trojan and two malicious Android apps. NotPetya's effect on TNT is said to have hit small businesses hard. MedSec has no regrets, and said it would short St. Jude again. The Pwnie Awards have been given at Black Hat. Cisco's Edna Conway guides us through third party risk. And the ShadowBrokers are back.
Dave Bittner: [00:00:49:22] Time for some notes from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya, and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system. And they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and fileless malware, it runs silently in the background. And best of all it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect.
Dave Bittner: [00:01:27:07] If you don't have Cylance Protect and you'd like to learn more about how it can defend your enterprise, head on over to cylance.com and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. We thank Cylance for sponsoring our show.
Dave Bittner: [00:01:52:06] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Friday, July 28th, 2017.
Dave Bittner: [00:02:03:02] WikiLeaks dumped another round of alleged CIA hacking documents from Vault7 late yesterday. They describe three tools: "Achilles," which backdoors Mac OS X disk images, "SeaPea," a stealthy Mac OS rootkit; and "Aeris," a Linux implant. WikiLeaks says the tools are associated with an Agency project called "Imperial."
Dave Bittner: [00:02:25:07] We heard yesterday about Mia Ash, a catphish used by Iranian intelligence and security services to socially engineer targets in the oil and gas industry. Today there are reports of other fictitious personae used in espionage. Investigators say that Russian intelligence services sought to spy on French elections by posing as Facebook friends of successful Presidential candidate Emmanuel Macron. Facebook, which has briefed US Congressional investigators, says it noticed about two dozen bogus identities posing as friends-of-friends of Emmanuel Macron. The goal was intelligence development, the agency believed responsible was Russia's GRU, also known as Fancy Bear. Russia has consistently denied attempting to influence the French elections.
Dave Bittner: [00:03:13:01] North Korea is reported to have undertaken a large-scale Bitcoin mining operation. This is consistent with the DPRK's exploitation for the Internet for whatever financial gain it offers. In this case, at least, Bitcoin mining is no crime, but Pyongyang has been connected to online crime in the past, most prominently through the Lazarus Group.
Dave Bittner: [00:03:33:24] In malware news, Flashpoint warns that Necurs is now delivering the Trickbot banking Trojan. Sophos warns of two SMS-stealing malicious apps in the Play Store. Both are by New.App, one represents itself as an app store shortcut, the other as "Skin Care Magazine." As always, choose your apps with care.
Dave Bittner: [00:03:56:16] NotPetya continues to have a ripple effect on business, small enterprises are said to be particularly affected by service disruptions the campaign inflicted on FedEx subsidiary TNT.
Dave Bittner: [00:04:09:13] In industry news, PerimeterX raised $23 million in a Series B round, and Raytheon says not to expect a Forcepoint initial public offering. Raytheon asserts that it's in the cybersecurity business for the long-haul, and has no intention of moving on from Forcepoint.
Dave Bittner: [00:04:27:07] More calls for special prosecutors are heard in the US, this time from the Republican side of Congress, asking for investigation of security breaches by the FBI and former Secretary of State Clinton.
Dave Bittner: [00:04:40:20] Now we'll take a quick look back at the week in Vegas, where Black Hat, Defcon and BSides all convened, giving the cyber-shivers even to the hard-boiled denizens of Sin City.
Dave Bittner: [00:04:51:19] At the conference MedSec CEO Justine Bone spoke, and was unrepentant in her advocacy of vulnerability-research-driven stock-shorting as a legitimate business model for security companies. Bone's company was involved in shorting St. Jude Medical stock when MedSec gained knowledge of an undisclosed vulnerability in St. Jude products. The incident was controversial at the time, many thought MedSec was ghoulishly trifling with people's health. Bone sees it as a legitimate short, and says she'd do it again.
Dave Bittner: [00:05:23:19] The Pwnie Awards were passed out at Black Hat, recognizing the good, the bad, and the ugly. Here's a quick rundown of some of the major honors: Best server-side bug went to the Equation Group, honored for CVE-2017-0143, 0144 and 0145. The best client-side bug, the independent, parallel discoverers of CVE-2017-0199, which was a Microsoft OLE export. The best privilege escalation bug, the many who worked on Drammer, the Rowhammer attack on mobile platforms. Best cryptographic attack, researchers at Google and CWI for breaking SHA-1. The best backdoor, the envelope please, and the Pwnie went to M.E.Doc, the Ukrainian accounting software at the bottom of NotPetya. For best branding, Atlassian took the honors here for branding, and in the opinion of the judges, over-hyping, the Ghostbutt vulnerability.
Dave Bittner: [00:06:18:07] The award for most epic fail was a squeaker, but the honors finally went to Australia's Prime Minister Malcolm Turnbull, who's picked up the fallen backdoor dead-end banner from former US FBI Director Comey. When asked whether the laws of mathematics would make proposed crypto restrictions unfeasible, Prime Minister Turnbull is said to have replied, "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia." Mr Turnbull nosed out the Intercept, nominated for the way they inadvertently exposed a source, NSA-leaker Reality Winner. Brutal Kangaroo was unavailable for comment, mates.
Dave Bittner: [00:07:02:24] Epic Ownage was a shared award, going to both WannaCry, tentatively credited as "North Korea," and the ShadowBrokers, unambiguously credited as "Russia. Straight up Russia."
Dave Bittner: [00:07:15:20] The ShadowBrokers resurfaced yesterday as if on cue, saying that they'd sent their exploits of the month to subscribers, and that they were raising their prices. Membership in their club will now set you back 500 ZEC in the Zcash cryptocurrency the ShadowBrokers prefer, which comes to about $88,400 US greenbacks. Details of what they're releasing, as we speak, are not yet public, being known to the ShadowBrokers and whatever subscribers or hostile attackers, the ShadowBrokers may have attracted.
Dave Bittner: [00:07:47:14] The Brokers might have raised their prices but they haven't budged from their stylish diction. Although we do detect a trace of Borat in this week's communiqué. "Hello the peoples! July is being good month for the ShadowBrokers Monthly Data Dump Service, make great benefit to the ShadowBrokers." They say. They go on, solicitous as always of their customers, "If you making subscription payment in July, do not be worrying. TSB got your payment. TSB no longer sending confirmation emails. If you not yet making subscription payment is still being days left in July, do not be missing out!" So hop to it, peoples - or don't.
Dave Bittner: [00:08:31:03] Now some news from our sponsor, Cylance. Cylance has integrated its Artificially Intelligence Cylance Protect engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyberattacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. We thank Cylance for sponsoring our show.
Dave Bittner: [00:09:30:12] Joining me once again is Justin Harvey, he's the Global Incident Response Leader at Accenture. Justin, welcome back. We've had these recent WannaCry attacks and the Petya, NotPetya attack and one of the components of these is this notion of auto-propagating malware. Bring us up to date here. Is this something new or is this been around for a while?
Justin Harvey: [00:09:50:19] It's been around for a while. The auto-propagation aspects of these new versions of malware are really taking advantage of organizations because they're just simply not equipped to handle something that spreads like wildfire. For the last decade I feel like companies have been focusing on preventing intellectual property theft and preventing data leaving. And with targeted attacks and adversaries, they're going from machine to machine to machine in a straight line. These new versions of malware, both destructive and ransomware are taking advantage of some of the latest vulnerabilities that have been released through ShadowBrokers and, and shotgunning, or scanning multiple networks and then utilizing credentials and or these vulnerabilities to triout through organizations.
Justin Harvey: [00:10:51:20] I find that companies are really ill-equipped to prevent that because they have a soft inside. They build up these really high walls. They put in the necessary preventative controls to stop the majority of attacks. But, when these attacks are actually getting a foothold, they are causing a lot of damage because networks are not being segmented, there's not a lot of preventative controls that would normally be found in the perimeter, that are being used inside the enterprise.
Dave Bittner: [00:11:26:02] What kind of recommendations do you have for people to better protect themselves against it?
Justin Harvey: [00:11:33:00] I think it falls into a few areas. The first is to adopt proactive preventative controls within the enterprise. This could be a controversial statement, but I believe in more network segmentation, even across what we would call client networks. So you plug in your laptop into the company Wi-Fi, or you plug it into the wall through a Ethernet. To date, companies have said, "We need networks to talk to each other, to utilize file sharing and things like that inside the enterprise." But what we're also saying is that these latest versions of ransomware and destructive malware are taking advantage of that same sort of features and functionality for productivity. Unfortunately, I think that companies need to start adopting more firewalling and intrusion detection and prevention between these client networks.
Justin Harvey: [00:12:27:12] Another couple of areas that companies can do, keeping up with the latest threats as they're going across social media, so using what we in the industry call open-sourced threat intelligence. So, when these start to hit the wire, you know about it faster than everyone else. And those precious hours, could really catapult or help better prepare your enterprise. And the last thing that I would want to mention is, we are spending more time with our clients instead of doing Internet response planning, creating Internet Response Plans. We've pivoted to creating Crisis Management Plans. So in the event of a cyberattack, what can these organizations do quicker and more efficiently? Can they shut down their networks faster? Can they get the word out to their employees not to connect to the network? Do they have out-of-band communication, because Voice over IP is down? And so on.
Dave Bittner: [00:13:31:10] Good advice as always. Justin Harvey, thanks for joining us.
Dave Bittner: [00:13:39:24] Time for one more message from our sponsor, Cylance. You know good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications and develop nation-state dragnet surveillance programs, will do little to stymie the rise in terrorist attacks. These efforts will be detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques within a massive cloud of noise.
Dave Bittner: [00:14:21:18] Backdoors for the good guys mean backdoors for the bad guys. And it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to cylance.com and take a look at their blog for reflections on surveillance, censorship and security. We thank Cylance for sponsoring our show.
Dave Bittner: [00:14:49:24] My guest today is Edna Conway, she's the Chief Security Officer of the Global Value Chain at Cisco. She joins us to share her thoughts on third-party risk, effective ways to approach and handle it, and what the security community needs to do in the future to do a better job of protecting ourselves and our customers.
Edna Conway: [00:15:09:07] For me, I think what we focus on as the critical third-party security risks, are thinking comprehensively. So think about physical security, logical or operational security, and then security technology. If you start to think comprehensively, it gets you to a great place. That great place says, I need to worry about three or four fundamental risks or threats. We need to worry about tainted solutions, counterfeit solutions or services. The misuse of intellectual property could also cause harm. And then finally, we need to worry about the information security breach that may occur at that third-party's site, or technology that may have an impact on me. So all of a sudden you can start to pass it down, these four paths.
Dave Bittner: [00:16:05:13] Is it accurate to say that for a lot of people when it comes to third-party risk it's that a big part of is the fear of the unknown unknown? You know they don't have control necessarily of what's going on with those third-parties.
Edna Conway: [00:16:18:00] I think it's a great observation. I think the first step, to be honest with you is, the first unknown is figure out who the key players are in your third-party ecosystem, and understand what they deliver. Are you going to know to the ends degree? Probably not. But starting with an understanding of who the key players are, is the first step. So I think once you figure out who you're playing with in your sandbox and who that "we" is, then the next step really is to develop what I like to call a flexible security architecture. What you can do is really start to then identify what your key areas of concern are. We've identified what I call 11 domains of security, and not everything actually applies to everyone.
Edna Conway: [00:17:05:17] But as you begin to think about your domain areas and to get them with the third-party ecosystem and what they do for you, all of a sudden what becomes apparent is, certain things apply to certain third-parties, depending on the nature of the product or service, that they afford to you - how they interact with you. So that architecture really becomes the foundation of getting your arms around that ecosystem and understanding more deeply what's going on, but doing it in an operationally efficient way.
Dave Bittner: [00:17:38:13] As you look towards the future, or look towards the horizon, what kinds of things do you think have to change, in order for people to do a better job with this?
Edna Conway: [00:17:48:18] I think we need to converge on a couple of international standards, to be quite frank. We're still seeing a proliferation of standards that, in all honesty sometimes, are very thinly veiled trade barriers, cloaked under the title of security. The reality is, we are going to be, and we are well on our way to being one connected world. We've seen that recently with WannaCry and Petya. The reality of that means: how can we narrow down to a feasible set of items in a standard, that the world adheres to? And try and link off some of the geographic variation to the optimum extent possible, so that we can align in a better way? So that's a public private partnership challenge, number one.
Edna Conway: [00:18:41:20] Number two. Some of the things that we can do are just basic. I mean. The future is going to be that ransomware is going to continue to pull the thread. I think that's pretty clear to us. Remember, we have different types of threat actors, and those who are motivated economically are going to continue to target those from whom they can maximize their economic return. So understanding that you are under attack at all times, and making sure you don't have weak backup practices, that you are not updating readily and, more importantly, understanding that you need one unified, simplified architecture, so that you don't have some of the problems with what is often referred to as, "best of breed" in multiple vendors. Sometimes simplification actually equals a higher degree of fidelity. So those are the three areas that I would say I would look to for the future in terms of that question that you asked but mostly I think I want to finish with one last thought.
Edna Conway: [00:19:51:14] Automation. So where we can automate, and you and I were chatting before we began about the wonders of Artificial Intelligence and its ramifications on our security and mankind in general. The reality of automation is, it can catch certain things, to the extent we can begin to add the human factor into the way in which we approach security, which is new - add the human element, expand on that. All of this technology and all of our security efforts, exist to serve us because these devices and miscommunication is human communication. I think that will be a new way for us to embed the human factor into secure development life cycles. We have plenty of international standards and SDL models out there. I'm not sure we've really embraced the human element yet, sitting side by side with automation.
Dave Bittner: [00:20:47:13] Our thanks to Edna Conway for joining us. She's the Chief Security Officer of the Global Value Chain at Cisco.
Dave Bittner: [00:20:58:16] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.
Dave Bittner: [00:21:11:12] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody. Thanks for listening.