The CyberWire Daily Podcast 9.12.17
Ep 432 | 9.12.17

Equifax breach news. Unsecured admin accounts. BlueBorne via Bluetooth. Hackable medical devices. Bots convince. A guilty plea draws a long sentence.

Transcript

Dave Bittner: [00:00:01:02] I know it's a popular thing for people to say: for just the price of a cup of coffee, you can support us on Patreon, and it's true! So do it! Patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:16:05] Equifax attracts more attention from plaintiffs, AGs and Congress. Everyone else is on heightened alert for fraud and identity theft. MongoDB says users of its database process were not assigning passwords to administrative accounts. A Bluetooth-based attack vector, BlueBorne, is described. Syringe pumps are found to be hackable. Bots serve more effective social media clickbait than human operators can, and Roman Seleznev gets 27 years after he cops a plea to hacking.

Dave Bittner: [00:00:50:07] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff - and we're betting that however many you have, you haven't got enough.

Dave Bittner: [00:01:14:18] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today to stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:01:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 12th, 2017.

Dave Bittner: [00:02:11:19] Early and ambiguous comments about the Equifax breach pointed to an Apache Struts vulnerability, with the suggestion that the vulnerability the attackers exploited was CVE-2017-9805, a bug Apache fixed on September 5th, 2017. But according to Contrast Security and other observers from the security industry, it now seems likelier that the hackers exploited CVE-2017-5638, a vulnerability that was patched in March of this year.

Dave Bittner: [00:02:42:13] The Equifax breach continues to draw litigation from the plaintiffs' bar, and regulatory inquests from state and Federal government bodies. Congress plans to hold hearings.

Dave Bittner: [00:02:53:12] The company's share price dropped another 8% yesterday. In a kind of sector-wide collateral damage, Equifax's competitors TransUnion and Experian also took smaller hits to their stock late last week, but both now seem to be recovering.

Dave Bittner: [00:03:09:10] The Equifax breach is providing some tailwinds for another sector. Unsurprisingly, that sector is cybersecurity. Exchange-traded funds covering cyber have risen steadily since the breach was disclosed last Thursday.

Dave Bittner: [00:03:23:21] The persons unknown who demanded ransom from Equifax with a September 15th deadline now appear to be grifters unconnected with the hack. There's been no further public word on attribution.

Dave Bittner: [00:03:36:14] Turning to another incident, databases held for ransom, MongoDB believes the recent wave of ransom attacks on users of its database products have a common cause: failure to set passwords for administrative accounts. The vendor says it hopes to improve its customers' security awareness.

Dave Bittner: [00:03:55:13] Armis Labs has announced its discovery of a Bluetooth-based attack vector affecting major operating systems. They call it BlueBorne. It's said to affect equally desktop, mobile, and IoT systems.

Dave Bittner: [00:04:10:01] In news of medical device vulnerabilities, ICS-CERT has warned that Medfusion syringe pumps could be vulnerable to remote manipulation. Mitigations are available.

Dave Bittner: [00:04:22:16] ZeroFOX research suggests that bots may be better than humans at getting their marks to swallow social media clickbait. In an experiment, the bots consistently achieved higher conversion rates than the human social engineers they were compared against. Their experiment has attracted renewed interest as experts mull the increased weaponization of artificial intelligence by various bad actors.

Dave Bittner: [00:04:46:06] In addition to the CyberWire podcast, I am also the host of the Recorded Future podcast, where I have the pleasure of speaking with smart, interesting people on topics centered around threat intelligence. Myke Cole is one of those interesting people. He's an intelligence analyst, a reality TV personality and an award-winning author of fantasy fiction. Here's a segment from our recent conversation.

Dave Bittner: [00:05:08:08] You are an award-winning and bestselling author, and in order to write compelling characters, you have to be able to put yourself in the mindset of the characters that you're writing about. I wonder how that informs your abilities as an analyst, to be able to put yourself in the mindset of your adversaries?

Myke Cole: [00:05:29:11] I'm really glad you asked that question, because it's an issue I campaign on, especially in law enforcement and intelligence in the military classed as cyber.

Myke Cole: [00:05:41:09] Cyber is an incredibly analytical field. We are constantly attempting to interpret, understand and think like machines which de facto takes us out of the human mindset. When that's married to the law enforcement and intelligence field, we call adversaries in every police department and in almost every intelligence agency. We call them bad guys, and that's an incredibly judgmental position to take. It's necessary, because you can't be worrying about your adversary's relationship with their mother if you're going to have to prosecute them or, in kinetic law enforcement terms, literally put cuffs on them and drag them off.

Myke Cole: [00:06:22:24] I'm not saying that this kind of snap judgment isn't necessary, but it is a roadblock and it does hold you back, because behind those computers are people, and people have human motivations. A corollary in fantasy fiction is George R. R. Martin's A Song of Ice and Fire, which has been reinterpreted by HBO into the hit television show, A Game of Thrones. I'm sure pretty much everybody listening to the podcast has seen the show, or they're living under a rock if they haven't.

Myke Cole: [00:06:59:14] George R. R. Martin is an older, overweight white guy who grew up in Bayonne, New Jersey. I think we can all safely say that he's not a dwarf like Tyrion Lannister, nor a haughty, noble queen like Cersei Lannister. Yet he evokes these characters so convincingly that they resonate so realistically with an audience. When people try to dissect how he is able to do that so well as a writer, I tell them he's empathetic and is able to step outside his own preconceived notions and judgments of the world, and sympathetically into the shoes of someone who is utterly unlike him. That enables him to understand their goals.

Myke Cole: [00:07:54:04] Obviously that's useful in fiction terms, enabling realistic characters to be made, but it also has utility in law enforcement and intelligence, because when you can step into the mindset of an adversary and understand their goals intimately, you'll be able to move one step ahead of them. If you understand that the motivation of a hacker is to do something for the lulz, or to do something because they're ideologically sympathetic to ISIS but not the same as ISIS, that's a very different set of actions.

Myke Cole: [00:08:28:05] This is one of the things that I found extremely frustrating when I was working CT. I can't remember the name of the head of FBI CT who famously said to Congress that he looked for leadership skills in his counter-terrorism agents, because a bombing was a bombing, a murder was a murder. He didn't think anybody needed to know Arabic or anything about Islam, and I wanted to choke the guy because it's exactly the opposite of what's correct. The bad guys we're judging have motivations and they can serve as predictors for their actions. If you marry a real knowledge of the technology that they use with an empathetic and sympathetic understanding of their motivations, this will help you understand what makes them tick, and help you stay one step ahead of them. In fiction, it's a known watchword that everyone is the hero of their own story.

Dave Bittner: [00:09:37:12] That's Myke Cole. You can hear the rest of my interview with him on the Recorded Future podcast at recordedfuture.com/podcast.

Dave Bittner: [00:09:46:19] And finally, Roman Seleznev has been sentenced after copping a guilty plea to US Federal charges of wire fraud, aggravated identity theft, and causing intentional damage to a protected computer. He'll get twenty-seven years in Club Fed, and he's also been ordered to pay $170 million in restitution. This is believed to be the stiffest sentence a US judge has handed down for a cybercrime. Mr Seleznev admitted being part of a carding ring, and also to serving as a cashier, the guy who hoodwinked paycard transaction processors into disgorging a cool $9.4 million from what must have been a large number of ATMs.

Dave Bittner: [00:10:28:10] Mr Seleznev was nabbed in the Maldives as he was headed for the airport about to return from a vacation with his girlfriend. The US Secret Service agents who made the collar delivered him to the continental US, stopping only for a quick appearance before a US Magistrate in the territory of Guam. The case has had an unusually high profile: not only is it international, but Mr Seleznev, a Russian citizen, is the son of Valery Seleznev, a big numero in the Russian Duma, Moscow's parliament.

Dave Bittner: [00:10:59:12] The Justice Department is pleased with its win; the Russians are not. They particularly object to the manner of Seleznev's apprehension. The Russian embassy in Washington had this to say on the matter: "We continue to believe that the arrest of the Russian citizen Roman Seleznev, who de facto was kidnapped on the territory of a third country, is unlawful." According to available information, Roman Seleznev's lawyer is planning to appeal against the sentence.

Dave Bittner: [00:11:27:09] Another lesson to be learned here: if you're wanted by the law, don't vacation in places that have serviceable relations and extradition agreements with the particular long-arm you're on the lam from.

Dave Bittner: [00:11:43:12] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent CylancePROTECT engine into VirusTotal. You'll know VirusTotal as the free, online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down.

Dave Bittner: [00:12:17:10] Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system.

Dave Bittner: [00:12:43:00] I'm joined by Robert M. Lee, the CEO of Dragos, to talk about industrial control systems where I'm curious about the notion of deterrents. We hear of suspicions that the Russians have been inside Ukraine's power grid system, how much of this is actually wanting to do damage, and how much is saber rattling to show what they're capable of?

Robert M Lee: [00:13:17:02] When we look at these types of events from an international relations perspective, there are usually multiple reasons to do things. Understanding exactly what an adversary's intent is, is one of the most difficult things in intelligence. However, we can see that an adversary - in this case, highly likely Russia - is disrupting a large portion of Ukraine, not only the power grid, but other sites. A by-product of that, whether intentional or not, is the demonstration that they can and are willing to take such action. Sometimes the willingness factor is more important than the ability.

Robert M Lee: [00:14:11:06] Can the United States take down infrastructure? Sure, but if there was never a will to do so, it may not pose a threat to other nations. These actions have to be met with some sort of response. Regardless of who is responsible, the fact that we have seen indiscriminate malware like WannaCry and NotPetya that impacted Ukraine, taking down part of a power grid through cyber attack for the first time in history, both in 2015 and 2016, and that those things have been met with silence from two different administrations, is concerning. It emboldens the attacker while eroding the setting of norms necessary in this space.

Robert M Lee: [00:15:11:03] While I agree we need to look at deterrents, I believe we must write rules of engagement for what is permissible in the future, taking a stand against indiscriminate attacks and attacks on civilian infrastructure. There is just too much potential harm to the global community in doing those.

Dave Bittner: [00:15:34:18] Robert M. Lee, thanks for joining us.

Dave Bittner: [00:15:38:20] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:15:50:15] Remember not long ago we discussed with Joe Carrigan from Johns Hopkins University the notion that your cell phone was listening in on you to help deliver ads? There's an extensive, spirited and fun discussion on that over on the Grumpy Old Geeks podcast this week.

Dave Bittner: [00:16:08:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.