The CyberWire Daily Podcast 3.29.18
Ep 566 | 3.29.18

Russia retaliates against the US with tit-for-tat PNGs, consular closure. Assange has no more Internet (until he behaves). Fauxpersky and WannaCry seen in the wild. Facebook works on privacy.

Transcript

Dave Bittner: [00:00:00:24] Hi, everybody, Dave here with a quick request to help us grow our audience for the CyberWire. If you can help spread the word about our show, to your colleagues and friends, around the office, on social media, or if you could leave us a review on iTunes, that'll help new people find the show. We do appreciate it. Thanks.

Dave Bittner: [00:00:19:21] Russia retaliates with diplomatic expulsions and at least one consulate closure. Potential cyber operations remain a matter of concern. WannaCry hits a Boeing plant, but Boeing is resilient enough to work through the infection. A new keylogger pretends to be Kaspersky AV, but not very convincingly. Facebook works to upgrade user privacy, and Apple says it doesn't need to do the same.

Dave Bittner: [00:00:49:02] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyses the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel, and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:56:07] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Thursday, March 29th, 2018.

Dave Bittner: [00:02:06:14] Russia has promised to retaliate in response to the more than 25 countries who have taken diplomatic measures to protest the Salisbury assassination attempts, and has just begun to do so. Sputnik News is reporting this afternoon that Foreign Minister Lavrov has summoned US Ambassador Jon Huntsman to inform him that Russia will match the US expulsion of 60 Russian diplomats by sending an equal number of Americans home. The Russian government will also match the US closure of the Seattle consulate by shuttering the American consulate in St. Petersburg. The Russian government had earlier expelled British diplomats and ordered the British Council to cease its activities in Russia. Other retaliation is expected. Kremlin representatives have been saying they reserve the right to respond at "some appropriate time". Lavrov did say this afternoon that Russian action would "mirror" those taken by Western countries, so further tit-for-tat declarations of diplomats from other nations persona non grata are probably coming.

Dave Bittner: [00:03:09:08] Russia has denied any involvement in the Salisbury nerve agent attack, calling the evidence the UK has "a hoax." Russian sources have also suggested the incident is either a British or an American provocation, aided and abetted by the Czech government, which Moscow hints could have provided stocks of Novichok nerve agent to the provocateurs. Essentially no one believes this, but Sputnik is reporting that Foreign Minister Lavrov also said that Russia intended to convene an emergency meeting of the Organization for the Prohibition of Chemical Weapons in what Russia calls "a bid to start a dialog and establish the truth". The Organization for the Prohibition of Chemical Weapons (OPCW) is an intergovernmental group composed of the 192 signatories to the Chemical Weapons Convention. It's headquartered in The Hague, and works to enforce chemical weapons control and non-proliferation measures.

Dave Bittner: [00:04:09:00] It's worth noting that, as nuanced and lawyerly as Russian language services such as Sputnik and RT have been, that country's domestic media have been a lot rowdier about the Salisbury incident as a cautionary tale of spies and turncoats getting their proper comeuppance. Why are we spending so much time on diplomacy? It's because of the degree to which cyber operations now interpenetrate international conflict and tension. The retaliation that most concerns Western countries, particularly the UK and the US, is the prospect of Russia executing a cyberattack against electrical power grids that's been long under preparation.

Dave Bittner: [00:04:47:16] There's other news related to tensions between Russia and the West, and it too occurred in England. Yesterday Ecuador cut off WikiLeaks' founder Julian Assange's internet access, saying he violated a written undertaking not to do things that would damage Ecuador's international relations. They yanked Assange's connection apparently for at least two reasons: he's been tweeting support for a Catalan separatist leader arrested in Germany to be handed over to Spanish authorities. And, more significantly, he's also been tweeting in Russia's interest and against Britain's in the ongoing matter of the Salisbury nerve agent attacks.

Dave Bittner: [00:05:22:02] The proliferation of IoT devices continues at an ever increasing rate and many of those devices fall into the category of smart sensors, designed to measure or take a reading on something and report back what they know. Deral Heiland is Research Lead for IoT technology at Rapid7 and he joins us to share his views on smart sensors.

Deral Heiland: [00:05:46:05] So, a smart sensor is nothing more than some kind of device, whether it is a device for measuring blood pressure, or blood sugar levels in somebody and being able to communicate that data somewhere else; or in the area of a smart city, it may be in a lighting system, within the city, that it can actually detect traffic movement, as an example, and be able to feed that information back into some kind of more higher level data analytics type system for making decisions within the environment. So, basically, it is a device that has an embedded type technology, that has the ability to detect, measure and gather pertinent pieces of information that can be used for further analysis somewhere else.

Dave Bittner: [00:06:35:02] And is the information flow from these devices generally in one direction?

Deral Heiland: [00:06:38:21] It varies. It really comes down to the type of sensor. In most cases, that happens to be the case, it is purely an informational gathering type device, but not always. There can be sensors that can take, obviously, various configuration changes or alterations in that direction also, giving them the ability to be reconfigured or modified or, at a bare minimum, possibly firmware upgrades, things like that, done to them.

Dave Bittner: [00:07:10:07] So, obviously, there are many benefits to having these devices, but your research shows that there can be some vulnerabilities as well.

Deral Heiland: [00:07:18:00] Yes. You know, as we start thinking about what these devices are used for, it makes us want to stop and step back and think about it. You know, what is the impact if issues or vulnerabilities arise in these devices? When we're trying to deal with information that's gathered, that could be confidential, or information that's gathered, that's used to make critical decisions, what is the impact on confidentiality, integrity, or even availability? If somebody can take these devices offline, with some kind of denial of service type attack, how does that impact us, based on how we're actually utilizing the technology?

Dave Bittner: [00:07:58:00] Can you give us some specific examples of cases where this could be problematic?

Deral Heiland: [00:08:01:20] Yes. I guess an example would be, what if a smart city is using sensor based technology for monitoring traffic flow within a city and making decisions on that type of information. It could easily lead to major traffic jams, very difficult to get out of the city at the end of the day. Things are not working right, the traffic flow isn't being able to be monitored, detected, altered, those type of things. Other examples could be within the industrial environment, where sensor based technology is potentially used for measuring and monitoring equipment performance or tank pressures, or boiler pressures. What if that information is altered, messed up or not available? What's the potential hazard there? I mean, it could lead to catastrophic failure of equipment, potentially risk to life and limb.

Dave Bittner: [00:08:59:03] And, of course, obviously, I guess in the medical community, there'd be a real risk as well.

Deral Heiland: [00:09:04:18] I think what we're seeing with some of the medical stuff is kind of fascinating. Right now, obviously, you can get kind of technologies to measure like blood pressures and blood sugar monitors. I have a device that I can attach to me, that I can use for monitoring blood sugar type levels in my body. So, if those things aren't accurate when it comes to a blood sugar example, it may lead to somebody who's a diabetic increasing their dosage of insulin, when they didn't need to and potentially harm them.

Dave Bittner: [00:09:35:10] So have you seen examples of people trying to exploit these sorts of things, or is it mostly theoretical at this point?

Deral Heiland: [00:09:41:11] I think there's been very little done out there. I remember some discussions on some lighting systems, some research, or some hacks that were done out there here a couple of years ago, in reference to those type of things. But right now, I think we're fairly early in the stage. The actual massive growth in this area around smart cities and smart grids and industrial is just starting to explode now. So my train of thought is, let's get our arms around how we're going to approach the security, how we're going to think about the security, how we're going to monitor, maintain and patch, repair these type of vulnerabilities, issues, as they arise, or how we're going to actually deploy the technology effectively, now, before it becomes so ingrained into everything we do and we don't have the ability to make these quick changes or fixes.

Dave Bittner: [00:10:35:03] That's Deral Heiland, he's from Rapid7.

Dave Bittner: [00:10:38:05] In other cyber news, WannaCry has resurfaced, infecting a Boeing 777 assembly line in South Carolina yesterday. Boeing says the infection has been contained, was minor, and didn't interrupt production.

Dave Bittner: [00:10:38:05] A new keylogger is circulating in the wild. Its discoverers, researchers at Cybereason, call it "Fauxpersky" because of the malware's rather lame attempt to impersonate a legitimate Kaspersky anti-virus splash screen. Built on AutoHotKey, a legitimate tool, the malware is, according to Cybereason researchers, unsophisticated but efficient, with a large appetite for data and not much stealth.

Dave Bittner: [00:11:19:12] Drupal has issued a patch for a severe remote code execution vulnerability. Users are being urged to apply it as soon as possible. Observers think the bug is likely to be exploited in the wild within a matter of days if not hours.

Dave Bittner: [00:11:34:00] Facebook has pushed some new privacy tools, policies, and settings. Users will now be able to see their privacy settings, formerly spread over about twenty pages, on a single page. Facebook has also added an "Access Your Information" feature that displays all the information you've made accessible, and to whom. The upgrades have received mixed reviews, with most observers taking the understanding view that, well, Facebook has to do something to restore the trust the Cambridge Analytica data scandal damaged.

Dave Bittner: [00:12:05:08] For its part Apple has done some pardonable gloating, reminding everyone that if you're not paying for the product, you are the product. CEO Tim Cook told MSNBC that, "The truth is, we could make a ton of money if we monetized our customer," but, unlike some others, they don't. When asked what he would do if he were Facebook's CEO Mark Zuckerberg, Cook simply replied, "I wouldn't be in this situation."

Dave Bittner: [00:12:31:05] And finally, congratulations to the people and companies honored this week by the Cybersecurity Association of Maryland. Regional awards went to Anne Arundel County's Bridges, Baltimore County's Syncopated Engineering, Baltimore City's own Sally Kenyon Grant of Point 3 Security (and, we add, friend of the CyberWire), Frederick County's Patriot Technologies, Howard County's Enveil, and Montgomery County's KoolSpan. In the general awards, the People's Choice Award, sponsored by Gula Tech Adventures, went to Dr. Emma Garrison Alexander, of the University of Maryland University College. The Anne Arundel Economic Development Corporation won recognition with the Industry Resource Award, and the Cybersecurity Champion of the Year went to Ellen Hemmerly, of bwtech@UMBC, the incubator at Research and Technology Park.

Dave Bittner: [00:13:20:15] Cyber Crucible was named the Cybersecurity Company to Watch, and CSIOS Corporation took honors as Cybersecurity Defender of the Year. The Cybersecurity Innovator of the Year Award went to Howard County's pride, Enveil, specialists in protecting data at rest, and surely a company to watch closely. And we're pleased to say that the Cybersecurity Diversity Award went to us, The CyberWire, in recognition of our diversity efforts and our Women in Cyber program. Thanks very much to Maryland Cyber for the honor, and special congratulations to our Social Media Editor and Community Outreach Director, Jennifer Eiben, for her long and patient work.

Dave Bittner: [00:14:04:04] And now a word from our sponsor, LookingGlass Cyber Solutions, an open letter from the malicious botnet on your network.

Male voiceover: [00:14:14:10] So, here we are. It's just you and me at this Godforsaken hour. You're looking right at me too, I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week, I'll be in Kabul by then, working on my tan. I love getting to know your company, by the way: your financial data, personal records. I've got a piece of unsolicited advice for you. Check out what LookingGlass Cyber Solutions is doing. They've got some kickbutt technology that fends off cyber threats like me, data breaches, ransomware and stolen credentials, in real time. Be a hero, with the LookingGlass Scout Shield Threat Intelligence Gateway. See the video at lookingglasscyber.com.

Dave Bittner: [00:15:20:18] And joining me once again is David Dufour. He's the senior director of engineering and cyber security at Webroot. David, welcome back. We wanted to talk this week about security conferences, RSA's coming up, and you have some tips for folks who might be heading off to their first conference, little words of wisdom.

David Dufour: [00:15:38:17] Yes, hey! It's great to be back, David. Yes, RSA is coming up very soon here and you know, we have a lot of experience, having gone to many, many security conferences and especially coming from the engineering side, I have some recommendations for both the sales and marketing folks and the engineering folks. You know, the number one thing that the sales and marketing folks always tell me, David, is we've got to make sure we have all of our matching shirts and tennis shoes, because if we don't look the same, we're not going to be able to sell any products. So make sure you've got your wardrobe figured out and your sales and marketing team have told you what you're going to be wearing.

Dave Bittner: [00:16:16:14] Yeah, critical, critical. Freshly pressed and washed.

David Dufour: [00:16:19:12] That's exactly right. You know, but in all seriousness, a couple of quick technical things. When you're going to a security conference, it's not obvious, you want to be super aware of using WiFi, even having your Bluetooth on. You know, make sure you have your like, cyber hygiene on steroids going, whether you're maybe not bringing your smartphone to the conference, or you're leaving that laptop in the hotel room, because you don't want hackers who are, you know, running rampant around these security conferences, getting into your devices. That would be a little bit embarrassing I think. And you want to make sure you tell your sales and marketing folks the same thing. You know, some other things, just in general, what I find when I go to these large security conferences, the big booths with the big manufacturers, they're great. They've probably got the coolest swag, t-shirts and stuff like that, but from a purely technical side, the place to go is the back of the room, those little bitty booths, where the folks have literally spent their entire marketing budgets to make it there, is there are some super interesting products, super interesting ideas.

Dave Bittner: [00:17:27:17] How about in terms of just pacing yourself? I think, especially for first timers, you walk onto that show floor and it can be overwhelming. How do you even break down how to best spend your time?

David Dufour: [00:17:41:12] You know, that's a great question that I'd kind of looked past, because you're absolutely right, how do you break your time down? I always try to make two passes at whatever conference I go to. The first one just being a run down, up and down the aisles, taking a look at who's there, who's interesting, and then, you know, I kind of make a game plan from there. And then I'll try to find some time later on in the conference, once people are in their groove, once that first wave hits and it's broken, that's when I kind of go around that second time and I walk a little slower, I make sure I'm talking to people, because they're definitely looking to talk to you and they have more time, because there's not as many people around.

Dave Bittner: [00:18:26:01] Alright, good advice as always. David Dufour, thanks for joining us.

David Dufour: [00:18:28:03] Thanks for having me, David.

Dave Bittner: [00:18:34:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more. The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.