Apache Struts patched. Dragonfly is in the power grid. Ransomware notes. Taringa breached. Cryptocurrencies in China and Russia. Signal stealing that's not SIGINT.
Dave Bittner: [00:00:01:11] Remember, all of our Patreon supporters have access to exclusive content and extended interviews, and at the $10-per-month level you get access to an ad-free version of the CyberWire podcast. It's at patreon.com/thecyberwire.
Dave Bittner: [00:00:18:02] A critical vulnerability in Apache Struts has been patched. Dragonfly poses a clear and present danger to European and US power grids. Ransomware continues rampant. Latin American social media platform Taringa suffers a breach. Notes from the Intelligence and National Security Summit. Cryptocurrencies in China and Russia. And say it ain't so, Joe: are the Red Sox stealing signals with an Apple Watch?
Dave Bittner: [00:00:48:12] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzzwords. They're real technologies, and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. So go to e8security.com/cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz about artificial intelligence isn't about replacing humans. It's really about machine learning, a technology that's here today. So, see what E8 has to say about it. And they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:47:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 6th, 2017.
Dave Bittner: [00:01:57:16] Apache patched a major bug in its open-source Struts software yesterday. The vulnerability enables an attacker to execute remote code on affected servers running applications using the REST plugin. Apache Struts is very widely used, and the vulnerability, discovered by researchers at LGTM, is a serious one. It's been assigned the identifier CVE-2017-9805. A majority of Fortune 500 companies as well as many Government agencies are affected. Vulnerable applications run from online banking to airline booking systems, from the US Internal Revenue Service to any number of state departments of motor vehicles. It's a critical flaw, and organizations are being urged to patch immediately. LGTM has a proof-of-concept exploit which it hasn't released. So by all means, patch.
Dave Bittner: [00:02:51:10] There's a disturbing report out about a threat to the power grid. Symantec researchers warn that the "Dragonfly" threat group has been actively pursuing, and has to some measure achieved, access to US and European power grid operational networks. According to Symantec, this means that Dragonfly has no further hurdles to clear were it to decide to disrupt power distribution. The effects would be similar to those Sandworm had on Ukraine's power grid, but differences in approach suggest that Sandworm and Dragonfly are distinct actors.
Dave Bittner: [00:03:24:06] There's no attribution yet. Both Russian and French text appears in the code, but that's consistent with false-flagging.
Dave Bittner: [00:03:33:00] GlobeImposter, SynAck, Princess, and Locky ransomware continue to surge in the wild. The best first defense against ransomware remains the tried and true practice of regular, secure, offline backup of your files.
Dave Bittner: [00:03:46:22] Other DDoS-based extortion campaigns are hitting some online gambling sites, which of course are highly sensitive to service disruption.
Dave Bittner: [00:03:55:17] Latin America social media service Taringa (described as "Reddit-like") has sustained a major breach. 28 million accounts have been compromised.
Dave Bittner: [00:04:06:13] We have a stringer down at the Intelligence and National Security Summit in Washington, DC, today and tomorrow. Some interesting notes from the conference so far have touched on the US Intelligence Community's engagement with the private sector, and on emerging US cyber deterrence policy.
Dave Bittner: [00:04:22:04] The US IC wants people to understand that it gets one big fact about industry and innovation: it's not all in the US, and not even all in the other Four of the Five Eyes. Dawn Meyerriecks, Deputy Director of Central Intelligence for Science and Technology, cautioned that we've "encoded in our DNA" that the US is preeminent in technical innovation. We've also encoded this in our laws and regulations, she added. This post-World War Two assumption is no longer true, and the Government needs to rethink how it invests. Ann Winblad, Founding Partner of Hummer Winblad Venture Partners, offered an interesting fact. The quarter that just closed, she said, is the first quarter ever in which more venture capital flowed to China than to the United States.
Dave Bittner: [00:05:09:23] The Summit also heard from Tom Bossert, Assistant to the President for Homeland Security and Counterterrorism, National Security Council, Executive Office of the President. He talked about some of the essential elements of cyber deterrence. What's needed, he explained, is a well-thought out and generally accepted set of norms for conduct in cyberspace. We also need reliable, high confidence attribution of attacks. And we need retaliation that's sure, proportionate, and revocable. He said, significantly, that he thought such retaliation would probably not be cyber retaliation.
Dave Bittner: [00:05:46:06] KrebsOnSecurity has a long profile on Marcus Hutchins, the white hat hacker the FBI arrested in Las Vegas. Mr. Hutchins is, according to the profile, a complex man with a complicated history.
Dave Bittner: [00:06:00:02] China has banned VPNs, and a man already convicted under the ban faces nine months in prison. China has also banned initial coin offerings.
Dave Bittner: [00:06:11:06] Russian Communications Minister Nikiforov has called for an indigenous cryptocurrency. Bitcoin and Ethereum are based on, in his words, "foreign cryptography," and thus undesirable. He says the government is working with Ethereum to develop a homegrown cryptocurrency. Here's a tip for Mr. Nikiforov: Russia's already got its own cryptocurrency, Voppercoin. We talked about it on Friday. If he'd care to do so, Mr. Nikoforov can stroll on over to the Burger King in the Arbat and supersize himself to financial security. He'll also be able to enjoy some of that flame-broiled goodness. Is that Vopper indigenous or foreign? Who cares, it's delicious.
Dave Bittner: [00:06:56:14] Taking a quick look at our CyberWire event tracker at thecyberwire.com/events, the CyberSecurity Summit is coming up in New York on September 15th. You can use code CYBERWIRE50 for 50% off admission. There will also be a CyberSecurity Summit in Boston on November 8th.
Dave Bittner: [00:07:13:03] The Economic Alliance of Greater Baltimore is having a breakfast event called Leading the Cyber Transformation. That's September 9th, 2017, starting at 7:30 AM.
Dave Bittner: [00:07:23:03] Maryland Cyber Day is coming up, October 10th, in Baltimore, Maryland. You can learn more about that at mdcyber.com.
Dave Bittner: [00:07:30:06] There's an event coming up in October called Networking the Future, from the Florida Center for Cyber Security. That's their annual conference.
Dave Bittner: [00:07:37:16] You can find out more about these events at thecyberwire.com/events. And speaking of events, the CyberWire is proud to be a media partner of the 8th Annual Billington CyberSecurity Summit, coming up in Washington, DC on September 13th. Tom Billington heads up Billington Cyber Security, and he's here to tell us about the summit.
Tom Billington: [00:07:56:04] The attacks are growing, whether they be WannaCry or Petya. And the nation states across the globe are becoming more active. We thought it was important to address both the proactive approach and the unprecedented times that we're living in to be an overall focus. And obviously, we dive deeper throughout the full day.
Dave Bittner: [00:08:18:12] We had the Cybersecurity Executive Order from the president. That's one of the topics you're going to be talking about?
Tom Billington: [00:08:25:04] It certainly will. We will be kicking off the conference with the DNI director Daniel Coats. Then we will be focusing on the implementing Executive Order from the perspective of five CISSOs. That'll be a in-the-trenches view of the Executive Order for CISSOs at DHS, HHS, Treasury and Defense, who were responsible for the implementation of that Executive Order in their agencies.
Dave Bittner: [00:08:55:20] And this year, even more than ever, you have an international focus. Take us through what's the international angle here?
Tom Billington: [00:09:04:07] I'm very excited that this year we will have the UK CyberSecurity ambassador, Conrad Prince, and also the Australian ambassador for Cyber Affairs, Dr. Toby Feakin. Those are obviously two of the five Five Eye partners. Their perspectives are really critical. Because as we know, cyber security is a global issue, and our Five Eye partners in particular are crucial to our country's ability to enhance our cyber security in our own country, and for our Five Eye partners.
Dave Bittner: [00:09:41:21] So, what about operationalizing cyber for the warfighter?
Tom Billington: [00:09:45:16] General Votel is a four-star commander for United States Central Command. He oversees military operations in a variety of countries, including in Iraq and Afghanistan. He will be attending to give the closing keynote, and discussing cyber in the context of the war-fighting domain. And General Votel doesn't speak publicly often, so we're very honored to have him speak at this conference in our nation's capital.
Dave Bittner: [00:10:21:11] What's your hope? When someone attends this conference what kinds of things do you want them to walk away with?
Tom Billington: [00:10:27:22] Three things. One is a much better understanding of the Cybersecurity Executive Order. Second is terrific networking, and third is I think understanding of what's around the block in trends. What will the next threats be that might arise and how can all of us best address them?
Dave Bittner: [00:10:52:06] That's Tom Billington. The 8th Annual Billington CyberSecurity Summit is coming up in Washington DC on September 13th. You can find out more about this event and learn how to list your event on our CyberWire event tracker at thecyberwire.com/events.
Dave Bittner: [00:11:09:07] Finally, another Boston sports team seems to have been caught stealing signals. Major League Baseball is said to have determined that the Red Sox were using an Apple Watch to steal signals from the New York Yankees. Allegedly a guy out by the scoreboard was reading the catcher's signs, relaying them to a team staff member's Apple Watch, from where they were in turn relayed to the batter. The Red Sox say, well, you too, Yankees, they say the Bronx Bombers were doing roughly the same thing, as if that makes it okay. This "right back atcha" sounds fallacious to us. Not, you'd understand, that this Baltimore show is carrying water for the New York Yankees.
Dave Bittner: [00:11:49:17] During the New England Patriots' Deflategate scandal, scientifically literate Baltimore Ravens fans greeted the New England club with Tom Brady jerseys emblazoned not with Mr. Brady's name, but with the Universal Gas Law: PV=nRT. If you have suggestions for a similar greeting to the Red Sox the next time they visit Camden Yards, by all means let us know. Maybe DeMorgan's Theorem, or Bayes' Theorem? We welcome your suggestions. In any case, we hope the Orioles hit an Avagadro's Number of dingers against the BoSox the next time they meet.
Dave Bittner: [00:12:28:19] And now some thoughts and an offer from our sponsor, ThreatConnect. We all know that in cyberspace there are things that'll knock you down you don't even see coming. Unless, that is, you've set yourself up to slow the game down. An analyst without situation awareness is like an NFL rookie: wide-eyed, but always blind-sided. So, look to a combination of threat intelligence, analytics, and orchestration, to enable your security teams to make the right decisions fast enough to protect the enterprise. ThreatConnect can get you started with their free webinar at 1:00 PM Eastern Time, September 14th. You can reserve your place at threatconnect.com/webinar. Learn from the experts how you can make smarter decisions and put them in place faster. That's threatconnect.com/webinar. We'll see you there on September 14th, and we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:13:25:11] Joining me once again is Ben Yelin. He's a senior law and policy analyst from the University of Maryland Center for Health and Homeland Security. Ben, I had an article come by from the Independent, this news story about Donald Trump cybersecurity advisors resign, and they're warning of insufficient attention to the growing threats. There was a whole group of folks resigned from this committee. Bring us up to date, here.
Ben Yelin: [00:13:48:02] Yes. It was a large portion of this presidential task force on cyber security. They wrote an extensive letter outlining all of the reasons that they decided to leave the commission. Now, some of them are cyber related. They have problems with the speed and urgency of the president's efforts to combat cyber threats. But they also talked about seemingly unrelated ideological problems. I think since a lot of members of this council are prominent players in the private sector, they don't want to be associated with a president making comments like the one that he made after the Charlottesville attack. They also mentioned his inattention to climate change, citing the fact that he withdrew the United States from the Paris International Climate Agreement. So, there are specific cyber security reasons, but we also see broader, ideological reasons that some of these members don't want to be associated with this president.
Dave Bittner: [00:14:44:15] It's interesting, you know, from the cyber security point-of-view, because I think in general, President Trump's Cyber Security Executive Order received positive notes from both sides of the aisle?
Ben Yelin: [00:14:56:04] I think that's true to an extent. Obviously, some of these members objected to the fact that President Trump hasn't focused on issues of election systems integrity. He has denied Russian interference in our presidential election. But if this were solely about his attention to the narrowly-defined issues of cyber security, I don't think we would have seen these mass resignations. I think the resignations are the result of a broader critique of the president's policies. So, I think the members who have quit this council are not doing so primarily because of narrow issues related to cyber security. I think it's because a broader force is at play.
Dave Bittner: [00:15:38:21] And, and many of these folks were holdovers from the Obama administration, yes?
Ben Yelin: [00:15:43:07] Exactly. So, to be fair, I think this article mentions that three of the members were Obama administration holdovers, obviously those members are going to have major ideological differences with the president. And we've seen that in past administrations, where you have some holdovers on presidential commissions from previous administrations that were ideologically different, and we maybe haven't seen this kind of mass resignation as, as we've seen, especially in the wake of the, the Charlottesville incident. But we certainly see people leaving some of these boards when they are forced to work with a president that they don't agree with ideologically.
Ben Yelin: [00:16:18:05] I think the difference here is, is one of scale, and one of publicity. I mean, I think, not just this commission, but in a number of some of the business advisory commissions that the president has appointed, you've seen members of the commission offer public rebukes, and public critiques of the president's actions, not related to the narrow policy issues of those commissions, but related to his performance of his duties at large. Yes, some of it is normal, ideological differences, but I think the difference here is in the scale of resignations.
Dave Bittner: [00:16:57:09] Ben Yelin, thanks for joining us.
Dave Bittner: [00:17:01:07] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:17:12:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.