Payment processors probed with BGP exploits for redirection attacks. WhatsApp vulnerable to manipulation? Deterrence and retaliation. Anonymous vs. QAnon. Notes from Black Hat.
Dave Bittner: [00:00:03] Oracle warns of BGP exploits against payment processors. Check Point says it's found vulnerabilities in WhatsApp that could enable chat sessions to be intercepted and manipulated. Germany, Ukraine and the U.S. independently mull responses to hacking and influence operations. Anonymous announces it wants to take its shots at QAnon. Notes from Black Hat, including observations on grid hacks, AI and the gray hat phenomenon.
Dave Bittner: [00:00:36] Time for a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you will save your team time, while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyberthreat defense and the confidence to make strategic business decisions. And if you're in Vegas for Black Hat this week, stop by ThreatConnect's booth - No. 1414 - to get a demo and see the platform in action. And you can always learn more and get a free ThreatConnect account at threatconnect.com. And we thank ThreatConnect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:50] From the Black Hat conference in Las Vegas, where it's a dry heat, I'm Dave Bittner with your CyberWire summary for Wednesday, August 8, 2018.
Dave Bittner: [00:02:00] Oracle warns that attacks in July sought to exploit the Border Gateway Protocol in an attempted DNS redirection attack against U.S. payment processors Datawire, Vantiv and Mercury Payment Systems. There had been an earlier series of attacks in April that worked the same exploit against cryptocurrency wallets.
Dave Bittner: [00:02:20] Security firm Check Point says it's found vulnerabilities in WhatsApp's cross-platform messaging app. The issues, which Check Point disclosed to WhatsApp, could, the researchers say, be used by an attacker to intercept and manipulate group chat sessions. WhatsApp told The New York Times that Check Point's discoveries amount to seeing its app function as designed, so the company's response to the disclosure remains unclear. Such an attack could have various purposes, but the one most commented on is the possibility of exploiting WhatsApp to spread disinformation. The app has come under criticism in India because users abused the service to foment unfounded outrage that resulted in lynchings.
Dave Bittner: [00:03:04] German security services have been thinking through the problem of deterrence and retaliation. They believe they now, in fact, have the legal authorities necessary to conduct retaliatory cyber operations in response to an attack. Whether they would do so remains a policy decision.
Dave Bittner: [00:03:22] Ukraine's President Poroshenko has directed the country's security services to undertake a serious push to deflect attempts at election influence operations.
Dave Bittner: [00:03:33] U.S. Defense Secretary Mattis, pointing out that the military is there to defend the Constitution, says that the Department of Defense certainly has a role to play in defending off attempts to subvert, influence or otherwise compromise elections. The principal threat is perceived as Russia, also said to be after the power grid.
Dave Bittner: [00:03:54] TechCongress is an organization that aims to bridge the gap between the tech community and policymakers in Washington, D.C. They offer congressional innovation fellowships for tech-savvy individuals to work directly with members of Congress. Travis Moore is founder and director of TechCongress.
Travis Moore: [00:04:11] We place technologists to work with members of Congress through this one-year fellowship. This is a residential fellowship. You have to relocate to Washington, D.C., and show up in a congressional office for a year. Our goal is to really infuse technical expertise into the policymaking process. And, you know, you go to work directly for a member of Congress and work on a whole range of issues we could talk more about, but anything from encryption and investigating the OPM breach and the Equifax breach and every other breach to government surveillance and a whole range of other stuff.
Travis Moore: [00:04:50] For the TechCongress Congressional Innovation Fellowship, you know, we're looking for, essentially, three things. One is someone with the technical ability. So we do look for people that either formally or informally have technical skills - you're an engineer or a developer or studied computer science - so someone with technical ability, someone that can translate difficult technical concepts for a very layman's audience. Many members of the United States Senate don't even use email, so it's that - it's kind of that level of dumbing it down, but ability to translate, too. And then three, we're looking for people that are really entrepreneurial problem solvers and work well in teams because Congress is a collaborative place.
Travis Moore: [00:05:30] One of the things that we're trying to accomplish is to think differently than traditional D.C. institutions. New America's very much a do tank, not just a think tank. We want people that have been in the trenches working on the latest cybersecurity challenges. And our goal is really to elevate people and to give them access to not only a broader community of practitioners, but also the leading policymakers in Congress, in federal agencies, at think tanks.
Travis Moore: [00:06:00] Our goal is to bring doers into the policymaking process, not just write policy papers. We really want people that are executing in the field. We see connecting practitioners to the people that are making policy as really, really, really, really a central part, if not the core part of our mission. So if you're in the trenches, we want you, so come. And we hope you'll apply.
Dave Bittner: [00:06:26] That's Travis Moore from TechCongress. You can find out more about their fellowship programs on their website. That's techcongress.io.
Dave Bittner: [00:06:36] The U.S. government is working with Facebook to devise ways of countering foreign black propaganda online. The challenge is difficult, but Facebook's ongoing work on content moderation, painful and expensive as it's been, may hold long-term benefits. The more lawyers and money it throws at content moderation, the wider Facebook's moat becomes against upstart disruptors.
Dave Bittner: [00:07:02] Some recent studies in the U.S. suggest that viral political messages may be less effective than political campaigns think, hope or fear. Whether national espionage services will reach the same conclusion is an open question.
Dave Bittner: [00:07:15] The online operation that Anonymous has just announced against QAnon may provide an interesting case study, although Anonymous ops have tended to fizzle over the last several years.
Dave Bittner: [00:07:27] Black Hat's preliminary meetings and social events have run through last night. The conference opened its exhibit floor at 10 a.m. Pacific time today. The presentations in the Arsenal began at about the same time. We're making the rounds through the briefings and the booths, and we'll have notes and observations over the course of the week.
Dave Bittner: [00:07:47] There are a great many products and solutions being announced and pitched at the event, as is always the case. Among the discussions gaining early attention surround industrial control system security, that is ICS security, especially with respect to power grids, the prospects of artificial intelligence for cybersecurity, with some skeptical observations on their limitations, and trends in cybercrime, with a newly-released study on gray hats attracting attention.
Dave Bittner: [00:08:16] One starting point for power grid security discussions is Cybereason's honeypot experiment in which the company established a dummy power utility presence online and then observed the focused attention it received from attackers. These attacks ranged from the usual low-level probes to a focused and patient campaign that apparently came from a nation state. That this unnamed and probably unknown nation state showed a lower than expected level of sophistication suggests that it's not the usual Russian suspect so often mentioned in dispatches. This actor worked hard to get in, established itself in the honeypot and then went quiet, presumably biding its time until the right moment came to attack.
Dave Bittner: [00:08:59] And security firm Comodo has issued a challenge to the antivirus community. They call it the Zero-day challenge, and they intend to use it to expose what they regard as overhyped claims for the efficacy of artificial intelligence in threat detection. That AI has value in detection would appear to be beyond serious dispute, but Comodo seems interested in debunking some of the larger silver bullet claims that would anthropomorphize the popular family of technologies. In earlier conversations with us, Comodo has said that certain problems of malware detection are formerly undecidable, and it's this problem they think has been overlooked by some of the less critical and serious proponents of AI as a panacea. We'll take a look this week and see how the challenge progresses.
Dave Bittner: [00:09:48] A study commissioned by Malwarebytes on the true cost of cybercrime reports a disturbing trend - the rise of the gray hats, those security professionals who keep their legitimate day jobs but moonlight in cybercrime, or at least in questionable and dodgy activities. The study concludes that 1 in 20 security professionals in the U.S. are perceived as gray hats, and the fraction is much higher in some other parts of the world. How close the perception is to reality may be open to debate. The prevalence of hacker chic style in the security community may inflate it.
Dave Bittner: [00:10:22] We've lost track of the number of T-shirts we've seen wandering around here that sport skulls, the Punisher's logo and so on, not to mention pirate beards and legible apparel reading, I don't date white hats. But it's an unpleasant conclusion to contemplate. And here's a pro tip - those who wish not to be mistaken for gray hats would do well not to wear a gray hat or a black hat, for that matter. We speak metaphorically. Perception isn't reality. But on the other hand, it is one of several aspects of reality.
Dave Bittner: [00:10:59] And now, an open letter from your dedicated SOC analyst. Our team works around the clock, yet we're being flanked on all sides and can't get in front of threats fast enough. If we had a theme song, it would be "The Roof is on Fire." Speaking of fire, each attack is more sophisticated than the last, and our current operations aren't advanced enough to keep up. Our team is already stretched thin, and companies keep poaching our talent pool, affecting our level of tradecraft. We need help and fast. On the metro, I heard an ad from a company called LookingGlass Cyber Solutions. They have, as a service, security solutions built upon 20 years of experience, proper security chops and the infrastructure to support security teams like ours. It's time the good guys scored a point. Learn more at lookingglasscyber.com.
Dave Bittner: [00:11:59] Joining me once again is David Dufour. He's the senior director of cybersecurity and engineering at Webroot. David, welcome back. We are just about halfway through 2018. Where did the time go? (Laughter) We thought it would be a good opportunity to kind of take stock, look back at some of the predictions we made at the beginning of the year, see how they played out, what lived up to the hype, what fell flat. What are you all seeing there?
David Dufour: [00:12:24] Hi, David. Great to be back again, as always. You know, 2018, from a purely security perspective, is turning out to be kind of a boring year. We're seeing the same problems we were seeing last year in terms of phishing, ransomware really being the key drivers right now in security. The ransomware providers, as we say, are really honing their game and getting good at delivering ransomware. Phishing is still, as always, top of mind in terms of ways (inaudible) into systems. So it's kind of a little bit of a replay of 2017 at the moment.
Dave Bittner: [00:13:05] Still not seeing any huge, major global attacks or anything like that?
David Dufour: [00:13:10] Nothing major at the moment. I guess we had the router problem here recently. That's probably the biggest issue we've seen this year. Usually we see some before summer, then I think the cybercriminals take the summer off, and then we'll start seeing some things pop up in September, October time frame. So I think it'll be kind of a gentle summer. But other than the router issue right now, that's really been the big problem.
Dave Bittner: [00:13:36] Now, based on what we've seen so far, what's your advice to people heading into the second half of the year?
David Dufour: [00:13:41] Great question. And it's going to be, as I've said to you before, David, the more mundane, the more applicable it'll be. I think, you know, as people go on vacation, as they're traveling or, you know, through the summer and the rest of the year, let's make sure we're really paying attention to our wireless security when we're in public places. You know, maybe get a good VPN to ensure you're having good point-to-point security. As always, patches and backups and things like that, just practice your basic cyber hygiene because right now, there's nothing super critical that we haven't seen before that would tell me to do something more than the standard cybersecurity hygiene packages that are out there.
Dave Bittner: [00:14:26] Now, what about cryptojacking and cryptocurrency? I mean, we really thought, you know, we were going to run out of electricity for a while, right?
David Dufour: [00:14:33] That's right, David. We were - all the power plants were firing up and everything to handle all the cryptojacking power requirements. You know, first of all, cryptocurrency, the biggest problem there has been the hacking of crypto wallets and things like that. So just real quick to reiterate with the cryptocurrency, be sure if you're investing in that you have a really reputable site that you're investing with and they have good security because the biggest problem with cryptocurrency is having your wallet attacked.
David Dufour: [00:15:04] But as for cryptojacking, that's one of my favorite topics because all year people have been talking about that. You know, it's the big thing. It's a big problem. I'm going to kind of go back to I was saying, I couldn't figure out how a cybercriminal would make money off a cryptojacking because most cybercriminals, they're not multi vertical. They're focusing on ransomware. Or they're focusing on delivering malicious software. Where cryptojacking was people just kind of mining cryptocurrency while they were on your machine.
David Dufour: [00:15:32] So I thought it might be a problem in terms of using resources on your machine, but I didn't believe people would be distributing malicious software through cryptojacking. So I do think it's going to be something we need to pay attention to, but I'm not sure that it's going to be this big, horrible thing we all thought it would be.
Dave Bittner: [00:15:51] David Dufour, thanks for joining us.
David Dufour: [00:15:53] Thanks for having me, David.
Dave Bittner: [00:15:58] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:16:07] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:16:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.