BadRabbit hopping through Eastern and Central Europe, and Southwest Asia. DUHK risks. Kaspersky on how a laptop was backdoored. Notes from Atlanta's ICS Cybersecurity Conference.
Dave Bittner's son: [00:00:01:04] Dad, I already have two fishing rods, and besides we live right next to a lake where we catch fish all the time. We don't eat them. We throw them back, but if we did eat them, I would not share any with you because you're always using me for your show on the CyberWire, on the Patreon. So go to the CyberWire Patreon.
Dave Bittner: [00:00:26:05] Patreon.com.
Dave Bittner's son: [00:00:27:22] Okay. Now give me my money already.
Dave Bittner: [00:00:30:07] No, no, no, no. Patreon.com.
Dave Bittner's son: [00:00:32:04] Patreon.com.
Dave Bittner: [00:00:34:03] Slash the CyberWire.
Dave Bittner's son: [00:00:35:13] Slash the CyberWire.
Dave Bittner: [00:00:37:19] Alright, here's your fish.
Dave Bittner's son: [00:00:39:20] I don't want fish, dad!
Dave Bittner: [00:00:44:21] BadRabbit is a new strain of malware that's hopped out of Petya's hutch. The Lazarus Group is said to have taken control of some servers in India. DUHK warnings. Are industrial control system operators paying sufficient attention to Level 1 and Level 0 threats? Next May will see not only GDPR, but also NIS. And Kaspersky continues to protest its innocence of spying, and offers an explanation of what really happened with NSA leaks.
Dave Bittner: [00:01:17:22] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzzwords. They're real technologies and they can help you drive meaning from what an overwhelmed human analyst would see as an impossible floor of data. Go to E8Security.com/CyberWire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember the buzz around artificial intelligence isn't about replacing humans; it's really about machine learning, a technology that's here today. So see what E8 has to say about it, and they promise, you won't get a sales call from a robot. Learn more at E8Security.com/CyberWire, and we thank E8 for sponsoring our show.
Dave Bittner: [00:02:15:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, October 25th, 2017.
Dave Bittner: [00:02:26:11] A new strain of malware appears to have hopped out of Petya's warren, and this one may well propagate as rapidly as its extended family. Russia, Ukraine, Germany, Turkey, Japan, and Bulgaria report outbreaks of "BadRabbit," a malware strain that's acting like ransomware (or pseudoransomware). Group-IB thinks BadRabbit, which hit yesterday, looks like a Petya offspring. The largest single disruption so far appears to be in Ukraine, where Odessa's airport has had to curtail operations and increase security. The subway system in Kiev is also being affected. Russian news agencies Interfax and Fortanka were hit yesterday morning, as (reportedly) were two other media outlets so far unnamed. BadRabbit's victim landing page is demanding approximately $283 to recover files, but the situation is still developing and it remains to be seen whether this is a genuine extortion play, pseudoransomware aimed at disruption, or some mix of both. US-CERT advises against paying the ransom. If the perceived similarity to Petya and NotPetya holds, BadRabbit can be expected to continue its rapid spread. Attribution at this stage is mere speculation.
Dave Bittner: [00:03:42:03] Nozomi Networks reached out to us this morning with their take on BadRabbit. Moreno Carullo, Nozomi's Co-Founder and Chief Technical Officer, said, "Our research shows that the group behind BadRabbit have spent considerable time creating their ‘infection-network,’ going back to at least July, with the majority of sites relating to media and news." Carullo also offered insights on how an infection works: "When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer and update. Given that the attackers are targeting media and news sites that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion – but it should! If the user follows the redirection the attack begins and the ransomware dropper downloads." Once the mark has executed the dropper (and the victim needs admin privileges to do so), a malicious DLL is saved and run using a customary utility. Carullo explains that their experience is that the malicious file tries to brute force login credentials and download an executable that appears to be derived from the DiskCryptor utility. That begins the encryption phase of the attack, replacing the bootloader the way NotPetya did.
Dave Bittner: [00:04:59:09] So what should an enterprise do? Don't pay the ransom, consider investing in some realtime detection tools, and above all back up your files.
Dave Bittner: [00:05:10:03] The Lazarus Group North Korean threat actor is reported to have taken control of a number of servers in India. The servers aren't the ultimate target. Rather, they constitute a platform from which other cyber attacks can be launched.
Dave Bittner: [00:05:24:15] DUHK attacks against devices using the ANSI X9.31 random number generator are being reported. DUHK stands for Don't Use Hard-coded Keys.
Dave Bittner: [00:05:37:10] There's a bit of a transformation going on as companies are moving more of their IT infrastructure to the cloud. What's motivating those moves can have a serious impact on security. Scott Kaine is CEO at Delta Risk, and he offers his perspective.
Scott Kaine: [00:05:52:24] The biggest shift that we've seen is that the use of the cloud is being primarily driven by the mid market, so those companies that are ten employees all the way up to 5,000 employees are now the primary users of these cloud environments, because they do not have the staff to manage anything in house. And at the end of the day from a cost perspective, it makes a lot more sense for them to leverage most of their back office applications in the cloud. As this transformation is taking place, the business is moving out. So businesses are getting the efficiencies of the cloud. However the security groups are usually left behind and they're in the usual state of catchup, which is then obviously a problematic situation in today's cyber environment.
Dave Bittner: [00:06:37:04] Yes, let's dig into that a little bit. When you say they're playing catch up, what prompts that?
Scott Kaine: [00:06:42:06] Most of what I've seen has been a situation where the business and the ops and the IT teams have had a directive internally to either increase the efficiencies of their back office applications, or increase the capabilities of their back office applications, and so they're left with no choice but to move out to the cloud relatively quickly. In most cases, the security teams are an afterthought, from what I've seen, and what ends up happening is the folks that are driving the business needs don't want any barriers, and therefore, to some extent, are leaving the security teams out of the mix. So, in many cases, what we find out is the security teams don't even realize that the company is hosting some of these applications out there, and only find out after the fact, and then get asked to go ahead and try to fix it. And I'd say, as it relates to the larger firms, that is clearly an issue when you're dealing with the DevOps side of the house. So you've got developers within an organization that are pushing out code, and production code, which are vital interests to any firm, out to environments like AWS and GitHub. When you speak to the security staff and ask them whether or not they feel as if they've got visibility into these environments, the answer is normally no, or I'm not sure.
Scott Kaine: [00:07:57:23] From my experience, and what we've seen as a growing trend, is that the developers are basically creating the next generation on the Wild Wild West, pushing their code out, using these environments. The security staff is unaware that the development staff are doing these things, and then it's not until something shows up in the press, or someone is proactively searching to see actually what's going on, that they find out after the fact that they've got environments as well as individuals working, whether it be in Azure, or whether it be AWS, or GitHub, as I mentioned earlier. They then have to go back and figure out how to strap things down and retroactively put in the policy and governance, as well as the monitoring, in place to keep tabs on these individuals that are doing things that are putting the company at risk.
Dave Bittner: [00:08:43:03] So where's the communication gap here? I mean, surely security is not a mystery in terms of that it needs to be handled these days, and I would say one of the things we've seen in the past couple of years is that that message has reached the board. So how can they be being left out of these conversations and these, you know, setting of rules and policies?
Scott Kaine: [00:09:03:23] Well, it's definitely a cultural thing. I mean, the textbook answer here is that the software development lifecycle, and especially for the development teams, should include security staff from the onset. We've been professing that for decades, and frankly, it's been a challenge to get people to adhere to that for a variety of reasons: there might be personality conflicts; the security staff might impact the pace at which the teams have been asked to get things out. So picture this: you've got a requirement to have something done by a particular time frame. The security staff shows up and indicates that in order for the company to do everything that they want to do, it's going to require additional funding. It's going to require more time to make sure that most of the structural pieces are in place, to make sure that this environment is secure. And frankly, people tend to avoid wanting to have those conversations, because they just have a directive to get things done.
Scott Kaine: [00:09:53:07] The answer is simple, which is the teams from the security staff should be involved, as I've said, at the beginning. Unfortunately, if they are in a state of catch-up, it's driving a good part of our business model to help security teams catch up to the speed of the business. You know, over time I think culturally people will get ahead of it. It's just not there yet.
Dave Bittner: [00:10:11:04] That's Scott Kaine from Delta Risk.
Dave Bittner: [00:10:14:14] In industry news, security company SecureBox has announced closing a $150 million funding round.
Dave Bittner: [00:10:22:03] We're represented down in Atlanta this week at Security Week's 2017 Industrial Control System Cybersecurity Conference. A few notes from the event. The conference always features the annual "State of the State" address by ICS thought leader Joe Weiss of Applied Control Solutions. In yesterday's address he described widespread challenges in the industrial control system security field as a whole. In particular, he deplored the way in which IT security has taught the ICS community lessons he believes can be more misleading than helpful. "Our challenge isn't information assurance; it's mission assurance," he said. The engineer's job is safety and availability. Fundamentally the engineer doesn't care whether a disruption arises from malice, error, or act of God: as long as it disrupts operations or affects safety, it must be dealt with. The consequences of failing to do so can be not only expensive, but in the worst cases lethal.
Dave Bittner: [00:11:18:24] Purdue University's ICS reference architecture describes several levels. Level 4 comprises business logistics systems, things like ERP. Level 3 includes manufacturing operations. Level 2 control systems—SCADA. Level 1 comprises intelligent devices that sense and manipulate processes. And Level 0 defines the actual physical processes themselves. Weiss argued that insufficient attention has been paid to Levels 1 and (especially) 0. He shared a "like" he'd received on LinkedIn for a DefCon presentation on this very point. It came from an Iranian water supply system manager. What does this mean? (Apart from telling us that Joe is huge in Tehran, which anyone might have guessed.) Iranian water utilities certainly have as legitimate an interest in protecting their operation as anyone else, but it also suggests that unaddressed ICS vulnerabilities haven't escaped the attention of nation-state adversaries.
Dave Bittner: [00:12:17:24] And finally, Kaspersky Lab continues to maintain its innocence of spying, and it's offering an account of what they believe happened in the NSA leak incident they've been associated with in the press. The company says the NSA contractor (or employee—accounts now differ) mentioned as the source of sensitive leaked files backdoored his own machine by downloading and installing malicious pirated software. So, if Kaspersky's correct, the NSA type scored a trifecta in the what-you-shouldn't-do race: putting highly classified files on his own device, taking that device home, and then downloading pirated software. Bad, bad, and bad. Our advice, of course, is don't be bad.
Dave Bittner: [00:13:06:10] Now I'd like to tell you about some research from our sponsor, Cylance. Good policy is informed by sound technical understanding. The cryptowars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications, and develop nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques with a massive cloud of noise. Backdoors for the good guys means backdoors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to Cylance.com and take a look at their blog for reflections on surveillance, censorship and security. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:14:11:24] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. We got a list from our friends at IBM. You know, people send us things from time to time that they would like us to talk about, and I actually thought this was a good list for us to go through. They called this "not your father's cybersecurity tips," and our friend Bob from IBM sent this over. I thought it was a pretty good list. Why don't you start off and take us through the first one here?
Joe Carrigan: [00:14:38:17] The first one on this list is 'lie on your security questions.' And this is a great idea. I actually do this on a regular basis, so if you're on a website and they say we need to be able to recover your password, let's ask some security questions that only you know, like "what's your mom's maiden name" is a very common one, right. What's your dog's name? What's your oldest kid's name? Well, all of this information is now available on Facebook, and it's very easy to find it, so lie. So when they ask what your mom's maiden name is, tell them it's something completely ridiculous.
Dave Bittner: [00:15:11:01] Yeah, well, some people have even said just put random characters in there.
Joe Carrigan: [00:15:13:11] You could do that as well.
Dave Bittner: [00:15:15:01] You just have to remember what they are. You have to remember your lies.
Joe Carrigan: [00:15:18:10] Exactly. So if you use a password manager, the password manager I use, and I've talked about it here on this show many times, is Password Safe, and they have a space for notes, and the notes are also encrypted with the rest of your information about the website. So it's fine to store them in there.
Dave Bittner: [00:15:37:17] Going through the list, I mean some of these we've talked about before, so we don't need to spend a lot of time on it. An ideal password is a long nonsensical phrase. We've talked about that many times. You were just saying, their third one here is store passwords in a digital vault.
Joe Carrigan: [00:15:51:12] Right, the third one here, storing your passwords in a digital vault or a password manager, makes the second one possible, because it's very difficult to remember long nonsensical passwords for 300 websites that you might be a user of.
Dave Bittner: [00:16:05:06] That's for sure. Their fourth one here is double dip on security checkpoints.
Joe Carrigan: [00:16:08:11] Yes. Anytime you can enable a security checkpoint, that's an option on a website, you should, particularly with two factor authentication. This is so simple nowadays, because we have cellphones. Everybody has a cellphone, pretty much, and you can actually enable two different kinds of two factor authentication: one is where they send you a text message, which is the method I prefer; and another one is a time based temporary code.
Dave Bittner: [00:16:34:15] Google Authenticator is popular.
Joe Carrigan: [00:16:34:24] Google Authenticator is a prime example of that. That's actually based on a standard, the number escapes me right now, but you and the computer you're trying to authenticate to, share a seed and then that seed is applied to an algorithm, and as long as nobody else has the seed, it's very difficult to predict what the next number is going to be.
Dave Bittner: [00:16:56:02] And their last one here is 'get down with biometrics.'
Joe Carrigan: [00:16:59:04] Right. Biometrics to me, I'm not 100% convinced about biometrics. It's better than nothing.
Dave Bittner: [00:17:06:08] So this is things like fingerprints scanning and Apple has the new Face ID, things like that.
Joe Carrigan: [00:17:11:07] Right. Those are better than having an open phone, that's for sure, than not securing your phone, and they're very easy to implement. I don't know, I think there's not enough research done on the security of these things, and research I have seen suggests that these things are easily defeated, or at least can be defeated. I don't know; "can be defeated" and "easily defeated," I don't view them as the same things. A lot of people in security do. You know, cryptographers view things as either secure or not secure. There's a very binary view there. I like to view things more on a spectrum, from how secure to not secure.
Dave Bittner: [00:17:47:21] I don't have to outrun the bear. I just have to outrun you, right?
Joe Carrigan: [00:17:51:20] Exactly. Yeah, right. You don't need to be the fastest guy, you just shouldn't be the slowest guy.
Dave Bittner: [00:17:57:02] Right. Alright, well I mean it's a good list. Overall it's a good list. So thanks to my friends at IBM for sending it over. And thanks to you, Joe, for joining us.
Joe Carrigan: [00:18:06:01] Dave, it's my pleasure.
Dave Bittner: [00:18:09:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, using Artificial Intelligence, visit Cylance.com.
Dave Bittner: [00:18:21:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.