The CyberWire Daily Podcast 10.31.17
Ep 466 | 10.31.17

A BadRabbit and Reaper update. EU and cyberwar. DPRK denies WannaCry responsibility. China's cyber espionage shifts. Oracle emergency patch. Buganizer wide open. Influence ops. Heathrow security.

Transcript

Dave Bittner: [00:00:00:21] If you're someone who usually skips ahead at the end of the show, maybe skips over the end credits, well today might be a day that you want to listen to the whole thing. Just a suggestion. Happy Halloween.

Dave Bittner: [00:00:14:22] The state of BadRabbit and Reaper. The EU drafts a diplomatic framework for self-defense in cyberspace. Pyongyang denies UK attribution of WannaCry to North Korea. Threat intelligence types suspect the Sino-US cyber modus vivendi might not be the unqualified success it's been taken to be. Oracle issues an emergency patch. Congress will hear testimony about influence operations in Twitter, Google, and Facebook. And USB sticks contain the darnedest things.

Dave Bittner: [00:00:48:08] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:53:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 31st, 2017.

Dave Bittner: [00:02:03:20] No fresh developments in either the BadRabbit ransomware or Reaper botnet stories. To recap, however, emerging consensus is that BadRabbit is a product of the same operators who were behind NotPetya this past Spring. The Ukrainian government says those operators were in the Russian security services, and while Kiev is certainly disposed to believe the worst of Moscow, most other observers think that attribution isn't unreasonable.

Dave Bittner: [00:02:30:01] Reaper, on the other hand, an IoT botnet comprised largely of security cameras and initially feared to be larger than Mirai in its denial-of-service potential, looks to many like a product of the criminal underground, specifically of the Chinese underworld, and probably intended for rental as a booter service in Chinese domestic black markets. It's also looking much smaller than initially feared, albeit with some potential for rapid expansion.

Dave Bittner: [00:02:57:24] Attribution is of course particularly important if you carry a gun or a badge, in matters of criminal investigation or warfare. The European Union has prepared a draft diplomatic document, "Framework on a joint EU diplomatic response to malicious cyber activities", that would recognize cyberattacks, under some conditions, as acts of war. This is less path-breaking than some reports would have it. The framework aligns basically with existing NATO recognition of cyberspace as a domain of conflict within which states can legitimately exercise their right to self-defense. Observers have pointed out, of course, that attribution remains difficult and problematic.

Dave Bittner: [00:03:39:08] While attribution may be hard, the UK's attribution to North Korea of the WannaCry infestation that troubled its National Health Service earlier this year is offered with high confidence. It drew a foreseeable response from Pyongyang: denial of involvement and righteous promises of retaliation against the slanderers. This puts the UK in the same boat as much of the rest of the civilized world. So when it comes to DPRK retaliation, take a number, Whitehall.

Dave Bittner: [00:04:09:07] China appears to be shifting rather than limiting its cyber espionage directed against American targets. WIRED reports signs that the Sino-American agreement to limit mutual hacking is being tested by Beijing's recent operations. FireEye told WIRED they'd seen a move toward more industrial espionage in East Asia, and more traditional espionage directed against Government targets in the US. That's not to say that industrial espionage has vanished from the American scene entirely. The CCleaner backdoor installed in some Avast security products without Avast's knowledge, for example, was used to put implants into machines in some US tech firms' networks.

Dave Bittner: [00:04:49:23] Oracle has an emergency patch out for its Identity Management product. Users are urged, by both Oracle and outside security experts, to patch as soon as practical.

Dave Bittner: [00:05:02:03] A security researcher has found a big bug in Google's bug tracker. Mountain View's Issue Tracker, the "Buganizer," as insiders call it, is the working repository of security and other issues reported to Google. The researcher found it was accessible by coming up with a bogus Google corporate email account and then simply requesting access. Google is policing up the problem.

Dave Bittner: [00:05:26:01] Social media executives from Facebook, Twitter, and Google will testify on Capitol Hill this week, answering questions about how Russian influence operations may have played out in last year's US elections. It appears the Russian efforts were cheap, with their effect magnified by intelligence sharing and liking.

Dave Bittner: [00:05:45:16] Bogus identities established by the now notorious St. Petersburg troll farm Internet Research Agency had particularly broad reach. In Facebook alone, 470 phony accounts purchased about 3000 ads, but that's the tip of the proverbial iceberg. Images, organic posts, events, and so on, extended the trolls' audience to 126 million people, viewing about 80,000 bits of content. The content was fundamentally disruptive in character, without any consistently discernible positive agenda, following traditional forms of influence-seeking: gaining trust, exploiting shared interests, surrounding disinformation with an effective bodyguard of fact, and so on.

Dave Bittner: [00:06:29:06] There are some reports out of the UK that such political influence operations in a number of cases have amounted to catphishing, and the Times of London suggests we ought to expect more of that in the future, "the Fifth Column in the Fifth Domain." So, Robin Sage, call your office.

Dave Bittner: [00:06:45:24] Another story out of London involves that perennial favorite of social engineers and those who lose sleep over what those crazy employees will do by accident: the USB drive. A guy found a USB stick on the street and was curious to see what it contained. So he stuck it into a library computer, and congratulations, sir, for not inserting it into your work computer, but shame on you, sir, for being a bad library patron. What did it contain? Well, its 2.5 gigabyte storage capacity held more than 170 documents relating to security at London's Heathrow Airport, some of which had security markings like "confidential" or "restricted." The content included stuff like lists of people exempt from security screening, hijacking duress codes, the Queen's route to the Royal Suite, in a hidden part of the airport, and such sensitive physical details as the locations of escape shafts and maintenance tunnels. It's unclear whether the material belonged to a careless insider or a potential terrorist. Investigation continues.

Dave Bittner: [00:07:52:23] A quick note from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to Machine Learning and Artificial Intelligence. You can get a free white paper that explains these new, but proven, technologies at e8security.com/cyberwire. We all know that human talent is as necessary to good security as it is scarce and expensive, but Machine Learning and Artificial Intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised Machine Learning, where the human teaches the machine, might seem to be the best approach, in fact, unsupervised Machine Learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:08:56:12] Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their Threat Intelligence Team. Rick, welcome back. Good leadership comes from the top, but when it comes to cybersecurity, those people at the top, the Board of Directors and folks up at that higher echelon of a company, it seems like they can be targets. They can have particular risks that are associated with them. How do we deal with that?

Rick Howard: [00:09:21:10] Well, you know, as network defenders, we kind of ignore those guys at the top, and it's probably a blindspot for us all. So, let me just kind of give the background here. So, we all know that stealing legitimate credentials from important people is a tried and true tactic that adversaries use to penetrate networks. You know, if I as an adversary, why would I spend hours developing a zero day exploit or, you know, spending hundreds of thousands of dollars just to buy a good one when you can legitimately log into the victim's network with real credentials. So this is not a new idea. This has been around forever. But the one thing that many of us have left unattended in this regard is the protection of our company's directors. These high up people in that rarefied atmosphere. Our board members. We may have even deployed some mature and capable two-factor authentication schemes and other credential protection technology from great companies like ours, Palo Alto Networks. I had to get the plug in. But we do this with an eye to protect our own employees.

Rick Howard: [00:10:18:08] Now, these board members, they are these rare animals where they have one foot planted in the company business, the company secrets, but they kind of exist outside the normal protection bubble we afford our regular employees. Many of them sit on several boards on very different companies and have access to really sensitive information. Now, if I was a cyber adversary, if I would consider the collection of board members to be a target rich environment, if you know what I mean, if you can grab their credentials, you might have access to many companies' material information. So, here we are and yet, as a community, a bunch of network defenders, we kind of allow the board members in many cases to exchange highly sensitive company information without encryption and through their private email accounts. Some of these folks are doing it with Gmail and stuff. So, here's the analogy that we should paint here. This is akin to spending thousands of dollars on high quality locks for your brand new house but leaving the garage door open all the time to make it easy for your spouse to get into her car. I mean, well at least in my house my spouse is the Chairman of the Board and I do pretty much whatever she says, so I understand why we're in this situation.

Rick Howard: [00:11:27:19] So, there are two things you should think about. There's network defenders. First, consider extending company security protection to your board members. They absolutely should not be using their own personal email accounts to exchange company information. It's pretty obvious when you say it out loud, but that's kind of the situation we're in. And the second thing you should consider is that for all the people in the company, the board will see some of the most highly sensitive information that exists, so consider implementing special handling of that kind of data for all board members that is over and above what your normal procedures are.

Dave Bittner: [00:11:59:20] What about the social factor in this? The human factor of this. When you get to a board member, you know, this is usually a very important person. This a muckety muck kind of person, and they may say, "Yeah, I don't want to do that." How do you deal with that?

Rick Howard: [00:12:12:19] That has been the bane of the network defender community for many years. The good news is board members are becoming more and more aware of the cybersecurity challenges that we all have, and I think now, even today, they are more amenable to these kinds of solutions. In fact, if you help them do it, I think they would be glad to take it on.

Dave Bittner: [00:12:30:09] Alright. Good information, as always. Rick Howard, thanks for joining us.

Dave Bittner: [00:12:35:12] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using Artificial Intelligence, check out cylance.com.

Dave Bittner: [00:12:48:04] If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to patreon.com/thecyberwire to find out how.

Dave Bittner: [00:12:56:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Song: [00:13:10:23] [SINGING DIALOGUE] I was coding in the lab late one night

When my eyes beheld an eerie sight 

For my malware threat score began to rise 

And suddenly, to my surprise 

It did the mash 

It did the malware mash 

The malware mash

It was a botnet smash

It did the mash

It caught on because of flash 

The malware mash. 

It did the malware mash 

From the Stuxnet worm squirming toward the near east

To the dark web souqs where the script kiddies feast 

The APTs left their humble abodes 

To get installed from the rootkit payloads 

They did the mash 

They did malware mash

The malware mash 

It was an adware smash 

They did the mash 

It caught on because of flash 

The malware mash 

They did the malware mash 

The botnets were having fun 

The DDoS had just begun 

The viruses hit the dark net 

With ransomware yet to come 

The keys were logging, phishing emails abound 

Snowden on chains, backed by his Russian hounds 

The Shadow Brokers were about to arrive 

With their vocal group The NotPetya Five

They did the mash 

They played the malware mash 

The malware mash 

It was a botnet smash 

They did the mash 

It caught on because of flash 

The malware mash 

They played the malware mash 

Somewhere in Moscow, Vlad's voice did ring 

It seems he was troubled by just one thing 

He opened the shell then shook his fist 

And said "Whatever happened to my Turla Trojan twist?"

It's now the mash 

It's now the malware mash 

The malware mash 

And it's a botnet smash 

It's now the mash 

It caught on because of flash 

The malware mash 

It's now the malware mash 

Now everything is cool, Vlad's a part of the band 

And the malware mash is the hit of the land 

For you defenders, this mash was meant to 

When you get to my door tell them Creeper sent you 

Then you can mash 

Then you can malware mash 

The malware mash 

And be a botnet smash 

He needs the mash 

Don't you dare download Flash 

The malware mash 

Just do the malware mash 

Man, cyber like a ghoul

Yes he goes. You fetch his young soul

Cyberware good