Dogs that haven't barked. Surveillance authority reauthorization advances in the US Senate. Notes on ICS cybersecurity.

Dave Bittner: [00:00:01:01] Thanks again to all of our Patreon subscribers. If the CyberWire if something that makes you feel more informed and safer every day we hope you'll check out our Patreon page. It's at patreon.com/thecyberwire.

Dave Bittner: [00:00:15:10] Several dogs aren't barking today. Still no sign of the Reaper botnet doing anything. An update on BadRabbit, which, for some reason seems to have hop, hop, hopped quietly away from its infrastructure. Other forms of more conventional ransomware, however, remain in circulation in the wild. It looks as if Kaspersky software might have stumbled across NSA files after all. The US Senate Intelligence Committee has voted to reauthorize Section 702 surveillance authorities through the end of 2025 and we have notes on ICS from Atlanta.

Dave Bittner: [00:00:54:00] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you. Go to E8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability AI and machine learning are the technologies that can help you do it. So visit E8security.com/cyberwire and see how they can help address your security challenges today. That's E8security.com/cyberwire, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:55:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 26, 2017.

Dave Bittner: [00:02:07:01] Most attention today has been given to BadRabbit. Experts are increasingly convinced that it’s the work of the same threat actors responsible for NotPetya. The consequences of NotPetya were so heavy that BadRabbit is being watched with considerable concern. FireEye, ESET, Avira, McAfee and others have noticed something curious and interesting about BadRabbit, however. The servers and sites BadRabbit's controllers used seem to have shut down after just a few hours of activity. The controllers appear to have taken down their own infrastructure. Why they might have done so is a matter of conjecture. Some observers have speculated that they feared detection, got spooked and tried for a quick getaway. That's one possibility, likeliest if BadRabbit is a pure criminal caper. There are of course other possible explanation; the incident was misdirection, the incident accomplished whatever it was intended to accomplish, the controllers found they were wreaking unintended and undesirable consequences, and so on. It's very early in the incident and, as usual, one expects that it will take the experts some time to sort things out.

Dave Bittner: [00:03:12:14] Other ransomware remains active. Iran's Computer Emergency Response Team's Coordination Center reports that variants of Tyrant ransomware are circulating in that country. Comodo has been tracking what it characterizes as a fourth wave of IKARUS ransomware using the .Asasin file extension and PhishMe notes that Sage ransomware has assumed a more convincing form, with a more engaging user interface and easier payment options. The US Senate has moved closer to enacting a version of Section 702 surveillance authority for NSA. There are competing versions circulating in Congress, but on Tuesday the Senate Intelligence Committee voted 12-3 in closed session to send legislation to the floor that would renew Section 702 through the end of 2025. Kaspersky Lab's transparency and charm counteroffensive may have hit a bump. The company acknowledged that its security software did indeed scoop up some NSA tools, from a machine that should never have had them in the first place. They say they promptly deleted the sensitive files, but some of the material they say they inadvertently pulled in turned up in the hands of the ShadowBrokers. It's not known, of course, that the Brokers got their goods via Kaspersky tools, but, as they say inside the Beltway, the optics aren't good.

Dave Bittner: [00:04:34:06] In industry news, cyber security investment capital firm Allegis Capital announced a name change to AllegisCyber as well as the appointment of Dave DeWalt as a managing director. Mr DeWalt is well known in the cyber security industry, having previously been the CEO of both FireEye and McAfee. We spoke with Mr DeWalt, along with AllegisCyber founder, Bob Ackerman, on the occasion of the announcement at their DataTribe startup incubator. We begin with Mr Ackerman.

Bob Ackerman: [00:05:03:11] For us, Allegis Capital was the, was the first dedicated cyber venture fund in the world and, building on that success, we're always looking for ways to where do we go next. And so DataTribe is a startup studio to begin creating companies here in Maryland, was part of that initiative. We're also announcing that, that, you know, my good friend Dave DeWalt, sort of one of the legends of the cyber industry is joining Allegis as a managing director and, you know, for us what that really brings is, you know, a lot of these young cyber companies they're, they're phenomenal solution innovators but they struggle on the commercial side and so bringing Dave into the team does a couple of things for us. It, you know, it brings his network, his operating experience, you know, to bear and supporting our young companies. We're also gonna extend our investment focus a bit to early growth. So historically, Allegis has been an early stage venture firm focused on cyber. With DataTribe we're now incubating companies. With Dave joining we're also extending the platform to include early growth and the idea is that we want to be able to engage with the best entrepreneurs regardless of their stage of development and really create in Allegis, now being rebranded AllegisCyber, kind of the go to, one stop shop for entrepreneurs who are doing meaningful things in cyber.

Dave Bittner: [00:06:23:24] Dave DeWalt believes the mid Atlantic region has untapped potential.

Dave DeWalt: [00:06:27:19] Well one thing to understand is the amount of talent that sits in this Washington, Baltimore, Virginia area and so a guy who spent 30 years in Silicon Valley, building companies, 20 years in cyber security, you recognize how much talent is sitting in this region. But when you sort of look at the amount of engineering talent then you look at the access to capital, then you look at how many commercial companies are produced, those ratios are quite a bit off. So here, you know, this announcement of both AllegisCyber's fund as well as DataTribe and its incubation model and the combination of those two really create a platform for government and its ecosystem to roll out commercial products and roll 'em out successfully. So this has really not been done before, to really watch the capabilities of incubating a company, seating a company, launching a company, making it successful from, from cradle to grave, so to speak, and, it's about time because, from one man's view, the threat landscape is driving a necessity for this type of solution to be built.

Bob Ackerman: [00:07:34:22] When we think about investing in this space what we see is where, where the innovation, you know, is, is evolving. You know, we, we can look at things like threat intelligence, that's pretty well sorted out. End point, first generation, pretty well sorted out. So I think, in some of these legacy areas, where there's a lot of innovation, I think we've wrapped our arms around the problem and the solution. We're probably gonna see some consolidation. But what happens is we see new frontiers, new domains for innovation around cyber opening up. So, you know, we're real active, for example, in identity authentication. Now we think, in a digital economy, authentication and fact is one of the core pillars of cyber security. But you also think about social, you know, you think about consumer, you think about industrial, you think about satellite, you think about cloud. These are all emerging domains that, all of a sudden, are sort of on the front line of cyber threats and that's where we see a lot of the innovation shifting, going forward.

Dave Bittner: [00:08:31:13] That's Bob Ackerman along with Dave DeWalt from AllegisCyber.

Dave DeWalt: [00:08:37:05] Today is the final day of the ICS Cybersecurity Conference. Our staff down in Atlanta found two presentations this morning particularly interesting. Stephen Ridley, Senrio's CTO and Founder, spoke about the Devil's Ivy IoT vulnerability his company's researchers discovered earlier this year. But his main points were, "We hate to break it to you, but OT is IT, and ICS is 'IoT'," and "Code reuse is vulnerability reuse; hardware reuse is vulnerability reuse." Code and hardware reuse are pervasive across verticals, he argued. The other presentation that merits a brief mention was by Dr. Peter Vincent Pry, representing the EMP Task Force on National and Homeland Security. He made everyone's flesh creep with an account of the EMP threat, that's electromagnetic pulse, it's not just to the power grid, but to civilization itself. EMP occurs naturally in the form of solar geomagnetic storms. We've seen big ones in 1859 and 1921, before the dawn of the electrical civilization we now enjoy, and Pry says you ain't seen nothing yet, we're due for another big one and it needn’t be the sun behaving badly, either: Mr. Kim would do just fine. EMP can also be induced artificially, either by a nuclear weapon or, on a smaller scale, by a non-nuclear EMP kit. An EMP attack that's well within the demonstrated capabilities of a failed state like North Korea could, Pry argued, take down the US power grid for 18 months, with an attendant loss of life on a catastrophic scale.

Dave Bittner: [00:10:18:13] The Atlanta meetings have highlighted the challenges of securing industrial systems where environments and installations vary so widely that highly tailored security measures seem a practical inevitability. There's an interesting divide on evidence at the ICS Cyber Security Conference. The engineers who operate plants worry about doing so safely and reliably. They tend to fall into the more pessimistic camp. They're very much aware of the dependencies among systems, including surprising dependencies, to the possibilities of cascading failure, and to the difficulty of keeping complex systems in equilibrium. The cyber operators tend toward the optimistic. They're engaged, at least imaginatively, and sometimes actually, in thinking about attack and they perceive all of the attackers' difficulties that are so familiar to military operators. To be sure, the attacker has the initiative, and can choose the time and place of engagement. Beyond that, the defender has advantages too. It's not for nothing that conventional tactical wisdom looks for a three-to-one advantage before going on the attack.

Dave Bittner: [00:11:29:12] Time to share some news from our sponsor, Cylance. Cylance has integrated its artificial intelligent Cylance protect engine into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:28:19] And I'm pleased to joined, once again, by Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, we have an article here from Politico. The title is cash strapped states brace for Russian hacking fight. Certainly, we've been seeing more and more information coming out about voting systems, not just influence operations but perhaps, more than we thought, voting systems themselves may have been accessed, explored, probed, if you will. This article digs into the fact that some States are having some trouble coming up with money to properly defend themselves.

Ben Yelin: [00:13:06:06] Yeah, so we know the threat is there, obviously, the Administration has denied Russia's involvement to a certain extent in the 2016 Presidential election but the intelligence community has largely accepted their conclusions and we know that efforts will be made to affect the integrity of our voting systems, including our voter databases, which contain personal information on American voters. The problem is that States are indeed cash strapped. There was a Federal statute that passed in the wake of the contested 2000 election called the Help America Vote act in which Federal money was appropriated to update electoral systems. For the most part States have run through that money. They no longer have access to those funds. In addition, majority of States, I think almost all 50 of them require, by their State Constitutions, a balanced budget. So they're far less flexible to address growing threats, whatever they may be than the Federal government, which can operate at a deficit. So many States, of all political persuasions, have been pleading with the Federal government to offer some sort of assistance to protect the integrity of voting systems. So far, Congress has been resistant, to say the least. I think one of the committee chairmen of jurisdiction, Senator Richard Shelby of Alabama basically said that this was a State problem, elections are, are a State domain and they need to figure it out themselves, which I think is technically true but this is, even though elections are, traditionally, administered at the State level we're beginning to recognize that this is a national problem that might require a national solution and it's not just the potential that our systems are going to be hacked, it's about the confidence and the integrity of our electoral system and losing that confidence, even in the absence of some sort of attack, is bad enough in and of itself. So I think it's, I think it's very concerning.

Dave Bittner: [00:15:07:15] Yeah, e... explain the, the politics behind this for us. I mean it seems to me that, assuring the integrity, as you say, of our, our electoral system would be a an issue without much controversy coming from either side, but not necessarily so?

Ben Yelin: [00:15:24:15] Yeah, so I think part of it is President Trump's insistence that the Russian hacking did not having tangible impact, if it did exist on the 2016 Presidential election, and frankly, some of his self consciousness about the fact that people think his victory is partially due to that election hacking. And I think that's a large part of the partisan response and then there's also a more legitimate ideological opposition among Republicans to appropriate Federal money for an area that's traditionally been in the State domain. According to our Constitution, States administer their own elections and so I can understand, philosophically, why some political conservatives would want to keep it that way. The problem is you can have that ideology but you still have to put up with the impacts. Whether the States are able to come up with funds to address the problems themselves is a extremely open question and you can have an ideological opposition but that's not gonna solve a, a very pressing problem. So you have to decide whether you want that ideological opposition to supersede your ability to address a national problem. You know, Russia's not only gonna be attacking a limited number of blue States, they have broad, wide reaching capabilities. So I think it's a national problem that needs addressing, even though I understand the reluctance to devote Federal tax dollars to an area that has traditionally been under State control.

Ben Yelin: [00:16:54:05] There's also, this article mentions an election assistance commission, which already exists and one of the leading Democrats to address this issue, Senator Klobuchar of Minnesota who over, whose committee overseas elections, is pushing a Bill that would put the commission in charge of creating digital defense standards and would authorize grants to help implement those standards. That is a Bill that's widely supported among Democrats but, again, you see this resistance on a Republican side, largely due to the appropriation of Federal money and, frankly, this, this idea that a lot of this is sour grapes among Democrats for having lost the 2016 presidential election.

Dave Bittner: [00:17:38:20] Alright, Ben Yelin, thanks again for joining us.

Dave DeWalt: [00:17:44:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit cylance.com. A quick reminder that if you have the inclination if would be great if you could go to iTunes and leave a review for our show and also subscribe there. It is really one of the best ways you can help people find our show.

Dave DeWalt: [00:18:07:07] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.