The CyberWire Daily Podcast 10.27.17
Ep 464 | 10.27.17

BadRabbit ransomware and Reaper botnet updates. SATCOM bugs. ICS cybersecurity notes. Moscow's free commercial speech piety. Anonymous is back.

Transcript

Dave Bittner: [00:00:01:08] The CyberWire podcast is made possible, in part, by listeners like you, who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:20] BadRabbit, be a good rabbit and stay in your hutch. Don't listen to Sandworm. Reaper is still locked and loaded, but quiet. Maritime SATCOM system is found to be buggy, and the worse news is that it's beyond its end-of-life. A look back at the annual ICS Cybersecurity Summit that wrapped yesterday in Atlanta. Moscow says buying ads is a free speech issue. And who knew the Kremlin was such a nest of civil libertarians? Anonymous is back and poking at the Spanish government.

Dave Bittner: [00:00:47:07] A brief note about our sponsor E8 Security. We've all heard a lot about Artificial Intelligence and Machine Learning. Hey, who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business? But that's science fiction, and not even very plausible science fiction. But the Artificial Intelligence and Machine Learning E8 is talking about, aren't science fiction at all, and they're here today. E8's white paper, available at e8security.com/cyberwire can guide you through the big picture of these still emerging, but already proven, technologies. We all need to turn data into understanding and information into meaning. AI and Machine Learning can help you do that. See what they can do for you at e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:43:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore, with your CyberWire summary for Friday, October 27th, 2017.

Dave Bittner: [00:01:53:20] BadRabbit seems, for now, quiet as a bunny, but it wouldn't do at all to expect that to continue. Cisco researchers found a variant of the (alleged) NSA Equation Group EternalRomance tool in BadRabbit's code. And consensus among security researchers in other companies is that BadRabbit is the work of the threat actors behind NotPetya. That would be the TeleBots APT, also known as Sandworm, which has in the past been associated with Russian security services, especially in operations directed against Ukraine. The damage done in BadRabbit's brief period of activity doesn't remotely approach that achieved by NotPetya, but, of course, BadRabbit could well return. A majority of the targets BadRabbit hit were Russian (around 65%), but observers note that the high-value targets it clobbered were Ukrainian. Much reporting continues to treat BadRabbit as conventional criminal ransomware, but it's too early to tell, and TeleBots alleged involvement may point in a different direction. What's not dis-positive in the still-tenuous attribution is the high rate of attack against Russian targets. It might be ordinary crime, it might be misdirection on the backs of the little people, or it might be a mistake, which could explain why the attack infrastructure came down so quickly.

Dave Bittner: [00:03:11:13] The Reaper IoT botnet, also known as IoTroop, is still assembled and poised, but has yet to unleash the expected distributed denial-of-service attack. Researchers at NewSky Security, however, have observed disturbing signs in the cybercriminal underground that hackers are sharing malicious code suitable for integration with the botnet.

Dave Bittner: [00:03:32:17] IOActive reports vulnerabilities in Inmarsat’s widely used maritime SATCOM system. Users of communication systems running the AmosConnect 8 platform could be susceptible to a blind SQL injection flaw or access to full administrative privileges. The former bug would permit an attacker to gain access to other users credentials. The second flaw would give an attacker the ability to execute commands on the system. There is no patch for the issues, and none is planned. AmosConnect 8 reached its end-of-life and Inmarsat's retired the platform from its product line. If you're still using it, Masters and Commanders, maybe it's time to upgrade.

Dave Bittner: [00:04:14:10] Security Week's ICS Cybersecurity Conference closed yesterday. We'll be publishing more of our own accounts of the proceedings on thecyberwire.com over the course of next week. In the meantime, a few quick reflections on the conference are in order. The operators of industrial control systems continue to believe that cybersecurity remains too IT-centric. This is natural: the cybersecurity sector emerged largely from the larger IT sector, and it brought with it concerns about privacy and information assurance. But the problem the plant operators see is that a fixation on information tends to lead to a disregard of physics, and here they mean the actual physical operation of industrial systems, and the actual physical consequences of system failure, "kinetic consequences," if you wish to borrow common military language. As one of the speakers put it in a bit of quick advice to the security community, "Please forget fail fast. There is no agile. Failure is not an option." Plant operations have to be highly available, they have to be reliable, and above all, they have to be safe.

Dave Bittner: [00:05:20:02] But perhaps some of the usual tropes about mutual misunderstanding between those concerned with IT and those concerned with OT are simply misguided. By yesterday afternoon, as the event wrapped up, there was an emerging consensus that the way to understand the issue is in terms of a before-and-after: "Before the packet" and "after the packet," as industrial control system maven Joe Weiss put it at the open-mic session the conference closed with. What goes on physically before the packet is where the systems ground truth is to be found, and it's there that one finds the unaddressed security and safety issues.

Dave Bittner: [00:05:55:10] Twitter's newfound fastidiousness about accepting Russian ads has drawn protest from the Russian government, which feels this is unfair to Sputnik and RT. It's not clear how Twitter and other social media platforms will be able to police their users content; it's even less clear how they'll do in an acceptably neutral way. But those unlikely free-speech advocates in the Kremlin are going to be a tough crowd. Russian government spokesperson Maria Zakharova said that, because ad buys are a free speech issue, note that Twitter's not blocking RT or Sputnik, just declining to sell them ads, the Russian government will take unspecified measures. She wrote piously, “We see this as another aggressive step aimed at blocking the activities of Russian TV channel Russia Today, and it is the result of pressure from part of the American establishment and special services."

Dave Bittner: [00:06:48:08] And, finally, in an unrelated story, Anonymous has resurfaced, attacking Spanish government sites in apparent solidarity with the Catalan Independence Movement. Several hackerweight of Guy-Fawkes massed bravos are committing various nuisance attacks, but these don't appear to have risen to the level of a serious threat to public order or the physical integrity of the Kingdom of Spain.

Dave Bittner: [00:07:15:24] Time to share some information from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance protects, stops both file and fileless malware. It runs silently in the background. And best of all, it doesn't suffer from the blind spots in Legacy Defenses, that NotPetya exploited to such a devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at cylance.com and find out how their AI-driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:08:17:09] And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, good to have you back. You know, I still talk to people who say that, in response to moving things to the cloud, they say, I like to have my stuff in-house. I like to be able to go and hug my servers and know that they're right here where I can see them and I know what they're up to. And I think a lot of that comes down to their ability to monitor things. And you wanted to talk today about feeling comfortable with working with the cloud.

Justin Harvey: [00:08:47:17] Yes, I think that that is a great concern that is shared by many global organizations. What you'll find is a trend that more and more companies are moving to the cloud. And not just companies in general, but I never thought that I would live to see the day that more financial services institutions are moving their transactional and customer data to the cloud, given that financial services has been a lot more risk averse than other industries. And I think that a lot of that is due to, not only the cost efficiency, but when it comes down to it, there has been innovations and leaps and bounds around, not only the physical security, but the online security and monitoring telemetry around cloud data centers through Microsoft and Amazon. So we're seeing a lot more companies migrate to that. And the feedback I keep hearing is we don't feel, we companies don't feel that we can do it as effectively as Microsoft and Amazon and the other cloud providers. So that's really one of the big values there.

Justin Harvey: [00:10:00:23] As far as a monitoring perspective goes, there is this bumper sticker, and/or shirt, and/or laptop sticker I keep seeing that really bothers me, and the sticker reads "The cloud is just your data or your system in someone else's data center." And up till the last few years, that has been true. However, with Microsoft and Amazon making big strides in platforms as a service, and infrastructure as a service, and the ability to deploy whole systems, whole platforms into the cloud, without even using a container base service. I'm thinking of Amazon's Elastic Beanstalk and Lambda functions. There's really a huge knowledge gap there for companies and thinking through how do we monitor that? Both of the major cloud providers have issued new APIs and new cloud monitoring standards that, while yes, you can wire your entire cloud infrastructure for getting immediate feedback in telemetry, and you can load that into your log management solution. It becomes a lot more effective to essentially adopt the new cloud monitoring strategies that are out there, and not only store your data, your customer data, or your business data in the cloud, but to also store your logs up there, and essentially use the cloud on itself to do your threat hunting and your cloud monitoring.

Dave Bittner: [00:11:42:02] Alright, Justin Harvey, thanks for joining us.

Dave Bittner: [00:11:49:04] My guest today is Michael Sulmeyer. He's the Belfer Center's Cybersecurity Project Director at the Harvard Kennedy School. Before Harvard, he served in the office of the Secretary of Defense as the Director for Plans and Operations for Cyber Policy. I began our conversation by asking Michael Sulmeyer to describe the mission of the Belfer Center at Harvard.

Michael Sulmeyer: [00:12:09:20] Several decades ago, this place really became the home for thinking about new doctrine and strategic concepts at the dawn of the Cold War. The idea was that we could build something similar for cybersecurity and how states are behaving in cyberspace today. There's been a lot of work in academia and in Think Tanks about privacy and about surveillance, which is very important work to get done. But, much less about how states pursue their interests through cyberspace and use cyber operations as a tool of hard power. And that's very much in line with original founding concepts of the Belfer Center, and so that's what we're now trying to channel as we look at state behavior in this new domain of cyberspace.

Dave Bittner: [00:13:05:21] And why do you think that it's something that hasn't gotten the attention of some of the other areas of cybersecurity?

Michael Sulmeyer: [00:13:12:22] In part, it's because this component of the field, about operations and the exercise of power, has been more classified and more sensitive than a lot of other areas. And only in the last five or six years, I think, has the US government been willing to talk more publicly about its activities in cyberspace. And you're also seeing a number of people who have had experience with these kinds of operations and their oversight from government, leave government, and come out to academia and to centers of excellence for research, and be able to write about it, and be able to talk about it. That is a relatively new development. But, the idea of computer security, obviously, is not very new. A great book called The Cuckoo's Egg, by Clifford Stoll, that came out in, I think, 1989, talks all about this kind of stuff. But what's more new is how governments are finally beginning to talk about it.

Dave Bittner: [00:14:26:20] What's your estimation of where things stand right now? In terms of cyber policy, what is the current state?

Michael Sulmeyer: [00:14:35:13] It's a good question. It's a broad question. But, I think largely what we see today is a reflection more of not so great defense, as opposed to brilliant offense. We face a lot of challenges, especially in the United States, but not exclusively here, but especially here, about systematically improving our defenses, and that's really hard, because we were first. Internet was created here, so many of the companies that now dominate the space, were created here. So, in some sense, we have some of the oldest infrastructure and are more dependent on it. That leads to real challenges when you're trying to systematically improve defenses, not just across the government, but across businesses and operators of critical infrastructure. Very hard.

Dave Bittner: [00:15:33:12] How do you see the research that you do, making its way out into the world?

Michael Sulmeyer: [00:15:40:06] It's almost easier for academics to think about researching and writing and publishing, because that's so much of the game to be successful in academia. What often is not thought so much about is marketing. How do you take this important piece of research that you've done and actually get it into the hands of people that could do something with it? So, the first step is, you know, we always try to make sure that there are actionable recommendations in the papers that we write. You can't just be admiring a problem. You have to make concrete recommendations to make a difference and improve things. And what I've found then is through different travels and meetings, especially on Capitol Hill, with legislative staff, it's a great opportunity to share some of the work that we've done and it's always a good open reception to new ideas and suggestions for legislation. And so I find that Capitol Hill is a great place to take our products and have conversations with staffers about what's on their mind, what can we do, what can we write about next that would be interesting and policy relevant, and, oh by the way, here's something that we answered for a colleague of yours, you know, what do you think?

Dave Bittner: [00:17:07:20] That's interesting to me, because one thing we've talked about several times here on the CyberWire is how many of our legislators, and even looking at the Supreme Court and certainly also in the executive branch, you know, just by the virtue of these people being older, many of them are not digital natives, and so a lot of this sort of thing isn't reflexive to them. So it's interesting to me to hear you talk about interactions, particularly with their staff, and how receptive they are to the types of things that you're sharing.

Michael Sulmeyer: [00:17:41:15] Yes, absolutely. And the staff often are quite young, you know. And I think what you do see on the part of legislators, across the age range and experience range, is a frustration with the current state of affairs. I mean, they're appropriated so much money into different cybersecurity initiatives, and yet the breaches keep happening. Senator McCain, I don't think gets enough credit for being one of the most outspoken legislators about his frustrations that we're not, as a country, deterring this kind of bad behavior, and why is that? So, questions he's been asking at recent hearings are the right questions to be asking and they're coming from one of the most experienced Members in the Senate.

Dave Bittner: [00:18:36:09] Where do you see the United States being in terms of our leadership position? Are we still leading the way in the cyber domain?

Michael Sulmeyer: [00:18:46:05] I do think the very fact that the United States has been in the business for so long, both with trying to protect our own infrastructure, but also understanding how to pursue US national interests through cyberspace as well, it still gives us a lot of capability in that space. So, I'd still say that, while we may not have the great position of dominance that we had ten or 15 years ago, a lot of others have caught up, we still have some pretty amazing reach and some pretty amazing capabilities. I think what you, to be looking forward a little bit, one thing that we're still waiting on is how our government is going to adjudicate really who's accountable when things go wrong and a cybersecurity incident happens? There really hasn't been any accountability. Right now, when there's a breach, like Equifax that we read about from the last couple of weeks, or other things, who gets left holding the bag, but the victim, right?

Michael Sulmeyer: [00:19:58:06] And at some point, government has generally come in in new areas of technology, think the automobile and other areas, and in the name of safety or other reasons, fundamental fairness sometimes, has adjudicated really who's going to be accountable, and shaped economic incentives accordingly to sometimes promote a little greater attention on safety. And I think, right now, we're waiting to see if the United States government and the Congress is going to play that kind of a roll when it comes to cybersecurity.

Dave Bittner: [00:20:40:22] That's Michael Sulmeyer from the Belfer Center's Cybersecurity Project at the Harvard Kennedy School.

Dave Bittner: [00:20:51:23] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of Artificial Intelligence, check out cylance.com.

Dave Bittner: [00:21:04:12] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend. Thanks for listening.