Dave Bittner: [00:00:03:18] Olympic Destroyer's relationship status with known threat actors is complicated. The US joins the UK in blaming Russia for NotPetya and seems to be considering sanctions. The US Congress considers election security and considers a state-level option: let governors call in the National Guard. New York cyber law reaches its second milestone. And, no, Edward Snowden has not moved in down the block and bought a two-terabyte iCloud storage plan.
Dave Bittner: [00:00:36:12] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:43:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, February 16th, 2018.
Dave Bittner: [00:01:53:11] Breaking news as we publish today. The Justice Department has announced that Special Counsel Robert Mueller has indicted 13 Russian nationals and three Russian entities. According to the court documents provided by the Special Counsel’s office, “The indictment charges all of the defendants with conspiracy to defraud the United States. Three defendants with conspiracy to commit wire fraud and bank fraud, and five defendants with aggravated identity theft.”
Dave Bittner: [00:02:21:11] The indictment outlines attempts by the Internet Research Agency and the other defendants as far back as 2014, to conspire with each other to, “defraud the United States by impairing, obstructing and defeating the lawful functions of the government, through fraud and deceit for the purpose of interfering with the US political and electoral process, including the presidential election of 2016.” We'll be following this story as it develops.
Dave Bittner: [00:02:49:15] Recorded Future has taken a good look at the Olympic Destroyer malware and concluded that any attribution to a particular threat actor would be premature. They offer some notes on their code similarity analysis. Researchers at security firm Intezer point out that fragments of code bore some similarity to that used by, "diverse threat actors in the general Chinese cluster."
Dave Bittner: [00:03:13:17] Recorded Future itself found what they call trivial but consistent similarities to malware used by North Korea's Lazarus Group, but this is very far from dispositive proof. As Recorded Future puts it, "Before one concludes that these widely diverse threat actors have formed an axis of evil intent on disrupting the Olympics, we need to take a step back and look at our research techniques." Such similarities are at least as consistent with false-flag operations, or simple opportunistic code re-use, as they are with conspiracy.
Dave Bittner: [00:03:48:05] The US Government, specifically the White House, yesterday joined the British Foreign Office in attributing last year's NotPetya pseudo-ransomware campaign to Russia. This was an unsurprising statement, as US officials have long regarded Russia as the prime suspect. NotPetya began with attacks in Ukraine and spread to other countries. The UK was particularly affected. Exploits leaked by the Shadow Brokers, who attributed them to NSA, were instrumental in the NotPetya attacks.
Dave Bittner: [00:04:18:24] White House Press Secretary Sarah Sanders said Thursday, "It was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber attack that will be met with international consequences." Thus, the US seems to have promised some form of sanctioning, probably in concert with the United Kingdom.
Dave Bittner: [00:04:45:15] The US Congress continues to noodle the problem of election interference, in which two different kinds of problems tend to be conflated. One of those problems would be the issue of hacking proper, in which vote tallies were manipulated or people excluded from or added to voter registration databases. That would be essentially a cyber version of old-fashioned voter fraud, the sort that people suspected, for example, when Chicago's Mayor Daley said during the 1960 election that he wouldn't know how the vote went in machine-Democratic Chicago until the returns from machine-Republican Downstate Illinois came in. The other problem is that of influence operations, the sort of disinformation and propaganda - lies surrounded with a bodyguard of truth - that Russian troll farms have busied themselves with.
Dave Bittner: [00:05:32:23] A number of Senators and people testifying before them have one proposed solution: bring in the cyber elements of the National Guard. How that might help with influence operations is more difficult to see, but Guard cyber units could presumably help governors secure their state's voting IT, subject, of course, to the sorts of personnel shortages and so on the security sector is notorious for.
Dave Bittner: [00:05:57:08] Some notes from the one of the United States, specifically New York, that will have implications beyond the borders of the Empire State.
Dave Bittner: [00:06:04:18] The state's Department of Financial Services' cybersecurity regulation, 23 NYCRR 500, was enacted in March of 2017. Yesterday marked a milestone, banks, insurers, and other financial services companies doing business in New York, and that's a lot of them, had to certify their compliance with the rules. The requirements of the regulation mandate, "risk assessments, vulnerability assessments, penetration testing, multi-factor authentication and end-user awareness training." This represents the second tranche of compliance.
Dave Bittner: [00:06:38:09] The first has been in effect since last August. It gives companies 72 hours to report a security incident that has a 'reasonable likelihood' of producing material harm to operations. As Dark Reading points out, "That goes beyond PII breaches to cover anything from intellectual property leaks to DDoS."
Dave Bittner: [00:06:59:00] The third tranche comes on September 18th of this year, and will include rules on security personnel, data access and data use.
Dave Bittner: [00:07:07:12] And finally, hey everybody, did you hear that crazy Ed Snowden is back in the US of A? We did. There was this email from Apple, well it sort of looked like it was from Apple, that said $9.99 had been billed to the zany privacy advocate and retired NSA sys-admin for an iCloud two-terabyte storage plan. Why would we get that anyway? You've just got to click to see more! Maybe find out where he's living, right, and what he needs those two terabytes for. Our money was on his living at Mar-a-Lago, because, well, who wouldn't want to live there, and maybe using the storage for old episodes of Celebrity Apprentice, because, well, who wouldn't want to watch that!
Dave Bittner: [00:07:45:22] But, alas, it's turned out to be a scam discovered by Malwarebytes. Why it occurred to the phishers to use a Snowden receipt as phishbait is difficult to say. Would its very implausibility induce people to click, because how could anything so odd be bad, or are they trying to weed out the wary and concentrate their efforts on the gullible? If it’s the latter, then we have a pro-tip for them: put in the email that Mr Snowden had become a Nigerian prince! You're welcome.
Dave Bittner: [00:08:18:00] Time for a message from our sponsors at E8 Security. They understand the difference between a buzzword and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven, technologies at e8security.com/cyberwire.
Dave Bittner: [00:08:37:23] We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. Follow the behavior, find the threat. That's E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:09:26:08] And I'm pleased to be joined once again by Zulfikar Ramzan. He's the Chief Technology Officer at RSA, they're a Dell Technologies business.
Dave Bittner: [00:09:33:20] Zulfikar, welcome back. We wanted to touch on the blockchain today. Obviously, lots of hype about blockchain and bitcoin and all that sort of stuff. You wanted to make the point, though, be careful about hype versus reality.
Zulfikar Ramzan: [00:09:47:12] That's right. I think blockchain has become the new AI, if you will. In 2017, that was the buzzword du jour. It's continued in 2018, obviously driven by this erratic price fluctuation of bitcoin and people really trying to jump on the bitcoin bandwagon, if you will.
Zulfikar Ramzan: [00:10:02:18] But to me, I think the interesting point is when you look at blockchain in isolation of bitcoin there are some fundamental assumptions about what's required to make blockchain work correctly. So, for example, when you look at something like bitcoin, part of the security analysis of bitcoin involves the idea that if people were trying to gear the system people tried to do things that would somehow interfere with the way bitcoin operates, that same effort could then be used to legitimately mine bitcoin, so there was an incentive economically for people to essentially abide by the rules. When you start looking at applications of blockchain that are outside of bitcoin, some of those same financial incentives or economic incentives no longer start to apply.
Zulfikar Ramzan: [00:10:44:09] On top of that, I think there's also an element where people don't look at all the assumptions around which blockchain is successful. So, for example, you know, blockchain is designed for more decentralized and distributed environments where there's maybe no single point of trust. If you start to look at problems that involve maybe a single point of trust or that are centralized, there may be better solutions out there than using blockchain-based technologies. I think what is happening is when there's a new concept out there, a new buzzword in the IT lexicon, people rush to the shiny, new object without considering whether there are simpler ways to solve those same problems.
Dave Bittner: [00:11:17:02] Yes, absolutely. I mean, when we come to trade shows and so forth you can look around and see what is the flavor of the month this year. And I think you're right, a blockchain is certainly hot right now, and I think there's a lot of people sort of capitalizing over the fact that it can be complicated and hard to understand.
Zulfikar Ramzan: [00:11:34:14] Right, to me it reminds me of what happened a number of years ago when you looked at the whole financial meltdown on Wall Street, where people where essentially investing in these complicated, derivative instruments, things like mortgage-backed securities, without fully understanding the underlying mathematics and/or without fully understanding all the assumptions that were required to make those equations and those types of instruments reliable.
Zulfikar Ramzan: [00:11:55:14] I think everybody who knew the math understood that there were fundamental assumptions being made, in derivatives that were maybe not that valid in real-life. Around things like the independence of people's default rates happening at the same time, and so I think when you look at something like blockchain I think we're in a similar situation, where people have gotten so caught up in, in this whole bitcoin concept that very few people, I think, really understand how bitcoin works underneath.
Zulfikar Ramzan: [00:12:19:15] And I get worried that people are going to over-invest in these areas without a true understanding and we're going to see another bubble that's going to completely deflate and I think it could hurt a lot of people. I've been hearing stories about people who are literally taking out second mortgages on their homes or using, you know, instead of paying back their loans are, are taking out a credit card debt just to invest in bitcoin. And so there's a lot of people out there who I think could be negatively impacted by a bubble bursting in this area.
Dave Bittner: [00:12:43:05] Yes, so buyer beware. Zulfikar Ramzan, thanks again for joining us.
Zulfikar Ramzan: [00:12:47:19] My pleasure.
Dave Bittner: [00:12:52:21] And now a few words about our sponsor DataTribe, the successful and growing cyber security start-up studio. They're doing something different to bring on-board some of the freshest talent to the sector. They're launching the DataTribe cyber competition: a competition to identify high-technology start-ups who've got a vision to disrupt cyber security and data science.
Dave Bittner: [00:13:13:02] The three finalists will split $20,000 in prize money. But that's just the beginning. Finalists will be considered by DataTribe for up to $2 million in seed funding. Start-ups with less than $1.2 million in seed financing are eligible to apply, and contestants have until March 23rd to apply at datatribe.com/go/cybercompetition.
Dave Bittner: [00:13:35:03] And if you've got questions, DataTribe has answers. Email inquiries to email@example.com.
Dave Bittner: [00:13:42:04] Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos, which recently made headlines over CRASHOVERRIDE and TRISIS, so check it out. It's datatribe.com/go/cybercompetition. And we thank DataTribe for sponsoring our show.
Dave Bittner: [00:14:08:03] My guest today is Jack Rhysider. He's been a Network Security Engineer for the past decade or so, doing blue team work securing firewalls and threat hunting in a SOC, but he came to our attention as the host of the Darknet Diaries podcast.
Jack Rhysider: [00:14:23:08] In this episode, we're going to hear a story from Jayson E Street.
Jayson E Street: [00:14:26:21] What's up?
Jack Rhysider: [00:14:27:09] Jayson is one of those guys that has endless stories of incredible things that have happened to him. He's also a Diet Pepsi addict. When you talk to him, you hear him say random things like...
Jayson E Street: [00:14:37:04] It's never drinking the Diet Pepsi that gets me, it's usually trying to get rid of the Diet Pepsi that gets me. I almost died peeing off a cliff in Bulgaria.
Jack Rhysider: [00:14:45:04] While I was talking to him, I was kind of curious to hear the back-story of all these little footnotes that he was throwing at me. But it didn't take long before I heard him say something that I just had to hear the whole story.
Jayson E Street: [00:14:56:12] I accidentally robbed the wrong bank the last time I was in Beirut.
Jack Rhysider: [00:15:02:13] Jayson started out in law enforcement, but for almost the last 20 years he's been working in infosec. He's done considerable work defending the network, but he's also done numerous penetration tests.
Jack Rhysider: [00:15:12:05] One of his favorite things to do is what he calls 'security awareness engagement.' He's hired by companies to test the physical security of a place. For instance, it shouldn't be possible for a guy to just walk off the street, walk right into an office, walk directly past reception, sit down at a random computer and do work and then walk out! He should be stopped, right? The door should be locked, reception should not let him pass, and the computer should be locked, and then someone should notice that he shouldn't be there. This is what should stop him, but companies hire Jayson to actually test if this kind of thing is possible.
Jayson E Street: [00:15:48:23] When I do these engagements, they're not red team engagements, they're not pen testing, they're literally security awareness engagements. I don't mind getting caught and if I don't get caught I try to get caught by the end of the engagement, because I'm trying to teach the employees how to be better.
Dave Bittner: [00:16:03:15] Makes you want to hear the rest, right? Yes, me too. Here's my conversation with Jack Rhysider.
Jack Rhysider: [00:16:10:00] I'm kind of scratching my own itch with this whole podcast. There was a talk I heard a few years ago about Heartbleed, the OpenSSL vulnerabilities, and they gave a lot of follow-up to that. Like they said there was a fork with LibreSSL and then there was some additional funding that added to OpenSSL and there were all these extra bits of details after the vulnerability was disclosed that we didn't hear, it didn't hit our news cycles. And I started to realize I'm missing like the whole aftermath of a lot of breaches in vulnerabilities and so I wanted to do kind of a deep-dive in a lot of big vulnerabilities and breaches that I've heard of in the past to hear what happened to the hackers, did they get arrested? Were they ever caught? And all these things, so I, I wanted to know more about some of these, some of these breaches. Instead of being at this breakneck speed of the latest greatest news, I kind of wanted a slow roll of give it to me in its entirety.
Jack Rhysider: [00:17:05:11] That was one of the things, but then also attending all these security conferences, and hearing all these amazing security stories from people, I feel like some of that stuff should also show up. So, it's not just like documentary style topics of a, of a breach, but sometimes it's just a single person's story of what they had, you know, an infosec story they have.
Dave Bittner: [00:17:25:07] And your storytelling style is, is noteworthy. I, I, I personally enjoy it. You have a mix of music and sound effects and so forth. Did you have any particular inspirations there?
Jack Rhysider: [00:17:37:24] So after getting the idea, it took me a couple of years before actually making the first episode and it was because I really wanted to have that, that great storytelling feeling. So I spent a lot of time researching things like how does Pixar tell a good story? And how does NPR tell great stories? And I, and I, I did a lot of research on, on storytelling, just to really try to get that feeling out of, of, of suspense and high-stakes and, and resolution and all these things that go into a great story. So it, it was a lot of work, but I'm still learning.
Dave Bittner: [00:18:08:09] You're a dozen shows into it as we record here and you publish every other week or so. What have you learned along the way, in terms of sticking to a schedule and the challenges of making these sorts of stories?
Jack Rhysider: [00:18:21:10] Yes, it's really hard. I'm, I'm the only person who makes it, so I've got to do all the research, find the guests, do the writing and I, I, I script out the entire thing. Then, of course, I add some music and get it all edited and, and that's a big challenge and I barely make it under the wire every two weeks. I, I really wanted to get ahead over the holiday break, but I didn't get a chance so it's, it's, it's just going at breakneck speed here. And I've got a full-time job so it's really hard to, to keep up, but somehow by miracles I keep making one every two weeks!
Dave Bittner: [00:18:52:08] Yes, let's talk a little bit about your background. You work in security.
Jack Rhysider: [00:18:56:17] Yes, so I've been, I would say, a firewall administrator for the last ten years, you know, writing the rules for the IPS units and firewalls, and I, I do that for an MSSP. But recently we've been trying to get a, a SOC together at this MSSP and so that's something I've been working on too. Is designing the SOC and building it out and training the SOC analysts and building an SIEM and all that kind of thing. And so once I started doing the SOC stuff is when I really started digging into threat intelligence and, and red teaming and blue team and I got really, really deep into security once I started working on the SOC.
Dave Bittner: [00:19:33:06] And, and so why do you think it's important to be sharing these stories with the rest of the community?
Jack Rhysider: [00:19:38:08] I feel like when we meet other infosec people we probably have the same question, but we just don't talk about it. And it's because we're under an NDA or we work for the government or something so we really can't share our problems, it's just too highly classified and secret, and so I really think that that's a problem. I think we should be sharing our problems, so that I can hear what it is that you faced and how you solved that so that I can try solving it in a similar manner, so I think it's really good to share it.
Jack Rhysider: [00:20:07:20] And another thing about my podcast is I try to make it reachable to more of a general audience and not just people who are super-deep into infosec. And so when they hear about how easy it is to social engineer something or how dangerous it is to leave your bitcoins on an exchange, that reaches a whole new audience that sometimes doesn't go outside of our bubble.
Jack Rhysider: [00:20:29:24] The other thing is that this seems to be the topic wherever I go. I go to a family meeting, I meet my neighbors, they're always talking about infosec and the latest breaches and Equifax hack, whatever it is. And I'm like, even, even the most common people are talking about security today. So I think they're also interested and to hear how these hacks take place and, and is it hard or easy to, to defend? Or what are all the nuances behind it?
Dave Bittner: [00:20:54:17] And how do you categorize yourself? Do you consider yourself a journalist or a storyteller?
Jack Rhysider: [00:21:00:14] I don't know, I struggle with that. I think I'm just a presenter, maybe a speaker. Just the same way you would, you would hear somebody talk at a conference. They, they prepare their slides, they do some research and they show you what it is that they've been working on, and I feel like I'm the same kind of way. But, you're right, it does lend into the, to the journalist world, because I am digging deep into maybe 20-year-old stories, that I have to dig out of archive.org because they all have completely gone. To find the, the, the information that I want to share. So there is a lot of journalistic work that I have to do. Yes, it's hard. I don't, I don't really, I don't really describe myself in any one of those roles, I think it's a little bit of all of them.
Dave Bittner: [00:21:39:20] Yeah, well it's good stuff. I, I recommend everybody check out Darknet Diaries. Jack, thanks for joining us.
Jack Rhysider: [00:21:46:19] Thank you so much. It's been a real pleasure and I really appreciate your show.
Dave Bittner: [00:21:52:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.
Dave Bittner: [00:22:05:10] And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:22:14:09] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:22:24:09] Our show is produced by Pratt Street Media with Editor John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.