Dave Bittner: [00:00:00:22] A big thank you to everyone who stepped up and become a supporter of CyberWire on Patreon. You can find out how and all the benefits at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:04] Security firms warn of Iran's growing cyber capabilities and Tehran's disposition to use them. Gossips and activists far outdo bots in spreading disinformation. Memcached kill-switch should be approached with legal caution. Slingshot espionage tools have been active quietly in the Middle East and Africa for six years. Fancy Bear sniffs at Asia. And Australia is concerned about Chinese espionage and influence operations.
Dave Bittner: [00:00:45:05] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyses the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:52:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, March 12th, 2018.
Dave Bittner: [00:02:00:14] Iran may be showing greater cyber capabilities and a correspondingly larger disposition to use them for espionage and surveillance, the Hill reports. Researchers at security firm Symantec have seen an expansion of activity into Israel, Jordan, Turkey, Saudi Arabia and the United Arab Emirates. Security company FireEye is tracking two Iranian threat groups, APT33 and APT34. APT33 has been linked to destructive, wiper attacks. While APT34 has so far been busy with reconnaissance of critical infrastructure targets.
Dave Bittner: [00:02:38:10] The University of Toronto's Citizen Lab says that Egypt, Syria, and Turkey are adapting Sandvine products to install spyware and cryptojackers. Sandvine says it's got nothing to do with it.
Dave Bittner: [00:02:51:23] Bots have their uses in spreading disinformation over social media, but an MIT study suggests human gossips are overwhelmingly more active in doing so. Demonstrably false claims are jumped on re-tweeted with delight by the enthusiastic and the committed.
Dave Bittner: [00:03:09:12] Exploitation of memcached for DDoS attacks continues to worry security experts. There's also some concern over a kill-switch Corero found last week. As reported in several news outlets, Corero thinks the kill-switch - a "flush_all" command - could provide a counter to very high-volume attacks the exploit can generate. But the Register asks "is flush_all "the cavalry" or questionably legal interference in someone else's computer"? Cloudflare and Arbor Networks told eWEEK that flushing all would amount to changing the contents of a non-cooperating computer. And, of course, that's illegal in many places.
Dave Bittner: [00:03:49:12] The US Securities and Exchange Commission recently released revised cybersecurity guidance for publicly traded companies. The last time the SEC wade in with guidance on cybersecurity was in 2011, and of course a lot has changed since then, with larger and more frequent high profile breaches of public companies. Dr. Christopher Pearson is CEO of Binary Sun Cyber Risk Advisors, and a frequent contributor to the CyberWire, and he weighs in on what the new guidance means.
Dr. Christopher Pearson: [00:04:18:07] Really what this is, is it's supplemental guidance, it's meant to provide further interpretation on the original guidance. And what it really does is it kind of, if you wanted to you break down to three different areas. It talks about cybersecurity risks in terms of you publicly trade a company, must dimension the risks, understand them, have policies and procedures around it and update the public, the investor community, those people that you have a duty to, you must go ahead and update that continually as those things change.
Dr. Christopher Pearson: [00:04:47:12] Second, this whole area of insider trading. Insider trading programs, they're fairly common within publicly traded companies. What this guidance said, and makes abundantly clear is, any type of trading that happens around, surrounding, just before the announcement, just after the announcement, of a data breach, of a cybersecurity incident, needs to be looked over with a special scrutiny, and there needs to be policies and procedures around this. And new companies must own this.
Dr. Christopher Pearson: [00:05:17:03] And then third, the area of governance. The SEC, really they pretty much ask two questions here. They say, you, board, what is your role in cybersecurity and cybersecurity risks incidence issues? And how are you engaging with senior management, with leadership on cybersecurity? That's what the new interpretative guidance really focuses on, those three areas. This a wake up call for all public companies, the senior management, and the boards, specifically the chairperson of the board, the chairperson of the audit committee, if they have it, the chairperson of the risk committee, to actually ask themselves the fundamental questions. What role is the board playing in cybersecurity? And how is it engaging with senior management? That is something that I don't think that they're going to be able to escape, and they're actually going to have to work with in-house counsel, with outside experts, with CISOs that are at the company, and outside experts, to go ahead and formulate a plan and a strategy around this.
Dr. Christopher Pearson: [00:06:15:20] What we have seen as a result of, I mean if you think about Yahoo! They disclosed their breaches in September, 2016, and then later on in late October, early November 2016, but then upped the numbers to essentially in 2017, midway through, saying everyone had been breached. That's one example of a publicly traded company that's involved in an emerging acquisition transaction, making a dramatic change and dramatic announcement. And the SEC does say, "Hey look, if things change we understand that. We know that things are not going to be perfect. We know they're going to change. You have a duty to update it if there's a material change." And I would argue many there. And then separately with Equifax, we all know about the potential allegations around insider trading, or inappropriate trades, or trades that are circumspect. But I think the most recent items are serving as a great emphasis for the SEC, in this regard.
Dave Bittner: [00:07:15:05] So, the SEC comes out with the guidance. I'm a member of a board, what kinds of questions should I be asking at my next board meeting?
Dr. Christopher Pearson: [00:07:22:02] Yeah Dave, that's a great question. So, realistically, they should be immediately determining who has governance over the cybersecurity risk programs. Where's that coming in from? It's coming in from audit, it's coming in through an enterprise risk management committee. Where's the CISO reporting? Where's the CIO reporting? How is that reporting relationship going? What times have cybersecurity incidents and risks been addressed by the board? How long have those people been in the board meetings? I mean, there's definitely some more statistical analysis that can be done here in terms of, is the board receiving and seeing the right people regarding several security risks?
Dr. Christopher Pearson: [00:08:02:13] Secondarily, are they actually, when they do see those people, when they do have that information come forward at a strategic level, are they receiving the right type of information? Are they taking action in the right manner? Do they have the right types of auditing and reporting and procedures there? How exactly is the board then interfacing back with management? It's not enough that this be a one way street, it has to be a bi-directional street. They have to be communicating with senior management about cybersecurity risks, about strategic things that they should be looking at, and also what things are coming over the horizon in terms of cybersecurity risks to the business, to the enterprise.
Dr. Christopher Pearson: [00:08:38:10] So really, it's analyze what is currently going on in terms of structure meetings, people that are reporting in on this topic and subject. Second, try to figure out from a governance or a boarding standpoint, is that working? Is it efficient? Also, from an education standpoint, is the board well educated on cybersecurity and how to actually govern it? And, finally, probably one of the biggest things and I think we're going to see this change just very much so in the way that Sarbanes-Oxley did, is who on the board, when they look to the left, when they look to the right, or look around that big circular table, who on the board is actually the cybersecurity expert?
Dr. Christopher Pearson: [00:09:16:07] I think that we know who the financial experts are, because we have to under Sarbanes-Oxley. But who is actually the member of the board that is leading the charge strategically, and governance wise, on cybersecurity? Those would be some of the basic questions to start out with.
Dave Bittner: [00:09:32:16] That's Dr. Christopher Pearson from Binary Sun Cyber Risk Advisors.
Dave Bittner: [00:09:39:01] Kaspersky Lab has described Slingshot, cyber-espionage malware, that for six years has quietly infested systems in the Middle East and Africa. The researchers call it sophisticated and stealthy, an elegant product, they think, of a nation-state. They don't say which nation-state, but they do note that the debug code is written in pretty good English.
Dave Bittner: [00:09:39:11] A Kaspersky study also sees a shift toward Asia in Sofacy's interests. Sofacy is also known as APT28, Tsar Team and Fancy Bear. Kaspersky describes the group as "pragmatic, measured and agile." Also, it's Russian-speaking. Those who think the Bears have gone into hibernation as far as Western targets are concerned, however, shouldn't get too cocky.
Dave Bittner: [00:10:25:22] The UK is considering sanctioning Russia for the attempted assassination, in England, of former GRU officer and MI6 spy, Sergei Skripal. Many think sanctions would prompt Russian retaliation by cyberattack. A number of British officials, including some senior military leaders, have been warning about the country's vulnerability to cyberattack, with particular concerns for critical infrastructure, and so considerations of how to handle possible retaliation aren't idle.
Dave Bittner: [00:10:56:02] Russia has denied involvement in the attempted poisoning. By nerve agent, of Skripal and his daughter while simultaneously suggesting that Skripal had it coming, and that other potential turncoats should take heed and take warning. Smert shpionam "death to spies" whence comes the acronym Smersh of Stalin's secret police and James Bond villain fame, apparently continues to animate Russian counterintelligence policy. It would seem difficult to have it both ways: there's at least some cognitive dissonance between "it's provocation - we didn't do nuthin'" and "See? That's what spies get."
Dave Bittner: [00:11:34:06] Australia's Ministry of Defense has banned use of the Chinese manufactured app WeChat on its personnel's official phones. There are two concerns here: first, what the MoD sees as careless data exposure through the app, and second, the strong suspicion that WeChat is firmly in the pocket of the Chinese government, and so in the pocket of Chinese intelligence services.
Dave Bittner: [00:11:57:11] Australian concerns over Chinese influence operations are at least as strong as American worry about Russian opinion-sharing. Foreign Affairs characterizes the influence as including "inducements, threats, and plausible deniability." The problematic behavior includes buying access and influence through political donations, such donations being routed through third-party cutouts, co-option of Australian universities as "propaganda vehicles," and diversion of Australian scientific research to the benefit of People's Liberation Army modernization. There's even been a full-blown political scandal in the Senate, as onetime up-and-coming Labour star Senator Dastyari resigned in January after getting support from a donor linked to the Chinese Communist Party and publicly retailing Beijing's South China Sea talking points.
Dave Bittner: [00:12:46:22] China's President Xi, by the way, has just been installed as, effectively, leader for life with the repeal of presidential term limits. But this grant of tenure came after a parliamentary vote of approval, so it's all good, right.
Dave Bittner: [00:13:07:07] And now a message from our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and Machine Learning are a lot more than just empty talk. Machine Learning for one thing is crucial to behavioral analytics, you can't recognize the anomalous until you know what the normal is, and machines are great at that kind of base lining. For a guide to the reality, and some insights into how these technologies can help you, go to e8security.com/cyberwire and download E8's free white paper on the topic. It's a nuanced look at technologies that are both future promise and present payoff in terms of security. When you need to scale scarce human talent AI and Machine Learning are your go-to technologies. Find out more at e8security.com/cyberwire. E8 Security, follow the behavior, find the threat. And we thank E8 for sponsoring our show.
Dave Bittner: [00:14:15:00] And joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland, and also Director of the Maryland Cybersecurity Center. Jonathan, welcome back. You know in the time since the Spectre and Meltdown vulnerabilities came to pass, we've discussed them, but I thought it might be interesting to dig into some of the technical details with you and get your perspective on it. What do you have to share?
Jonathan Katz: [00:14:37:01] Yeah, these are really fascinating vulnerabilities actually, or bugs that have been discovered. And what's really interesting about them is, number one, how deep they go, because they basically arise from ways that the processors on a lot of our computers have been made to work. And so from that point of view, they're really just about everywhere, and it's also very difficult to get rid of them, or to patch them. Another thing that's really interesting about it, is just the way that the vulnerabilities arose and the causes for those vulnerabilities.
Dave Bittner: [00:15:08:15] Let's dig into some of the details there. What do you mean by that specifically?
Jonathan Katz: [00:15:12:16] So, one of the ways that modern processors work, and they do this in order to optimize their performance, is they do something called branch prediction. So this, at a high level here, basically means that if you have like a IF statement, you know, if X equals one do one thing, and if X equals zero do another. What your processor might do is actually execute both of those instructions until it can figure out which one of those was the correct path that I should have taken. So, it will execute both of those in parallel, and that way immediately when you figure out what the value of X is, you can go ahead and take the right result. And then the processor is supposed to throw away the result taken on the other branch, which is no longer needed.
Jonathan Katz: [00:15:50:24] And the flaw basically, was that even though the processor would that correctly and would erase the data that it computed on the branch that wasn't taken, there would be a residue in memory based on that branch, based on the non-taken branch. And that residue and memory could, for example, involve cryptographic keys or other cryptographic material. And then researchers were able to show that they were in fact able to get access to that data through another complicated mechanism that's kind of a side point here almost. But they were able to show that they were able to get access to that data and thereby even though the data was computed on a branch that was never actually taken, the researchers were still able to get access to that. So, it's pretty incredible actually.
Dave Bittner: [00:16:31:13] Yeah it's fascinating to me that it was such a, sort of, a fundamental part of computer science. I mean people are saying that textbooks are being re-written based on these discoveries.
Jonathan Katz: [00:16:40:05] Yeah that's right. So, this idea of branch prediction is a relatively old idea, I guess around 20, or even maybe 30 years old, and it's fundamental in the way computer architectures are designed nowadays. And people just never thought about the security implications of that. So, certainly weren't thinking in that direction 30 years ago. And even until six months ago people just didn't think of the security implications of that. And so now people are going to have to go back to the drawing board and think about how they can square the processor optimizations with the need for security.
Dave Bittner: [00:17:13:21] And do you think this is going to trigger a whole new line of research of people going in and going back and looking at the fundamentals to see if there are security issues lurking within?
Jonathan Katz: [00:17:24:21] Yeah exactly. I think it's on both sides, actually. It'll involve researchers looking at the existing architectures and seeing whether or not they're vulnerable, and then it'll also involve architecture experts looking at the current designs and seeing how they can fix them to make sure that they're not actually vulnerable.
Dave Bittner: [00:17:39:08] Alright that's interesting stuff. Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:17:43:03] Thank you.
Dave Bittner: [00:17:45:23] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:18:07:20] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're code building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:18:17:16] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.