Executive Order mandates election interference sanctions. British Airways regulatory exposure. Patch Tuesday notes. EU passes copyright law. Russia says no to Novichok. WhatsApp scam.
Dave Bittner: [00:00:03] A U.S. executive order issued today will impose sanctions on foreign actors following a determination that there's been an attempt at election meddling. The executive order covers both hacking and propaganda. British Airways may receive a heavy fine under GDPR for its recent breach. The EU passes controversial copyright legislation. Russia says the accused Novichok hitmen didn't do nothin'. And watch out for Olivia on WhatsApp. She's not what she at first seems to be.
Dave Bittner: [00:00:39] Time to take a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper, entitled, "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact of businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out their research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 12, 2018. Ars Technica has just reported that U.S. President Donald Trump today signed an executive order that would automatically impose sanctions on any foreign entity found to be interfering in U.S. elections. The text of the order, which is called, "Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election," has not yet been released, but Director of National Intelligence Dan Coats and National Security Adviser John Bolton gave reporters an outline of the order in a conference call earlier today. The executive order declares a national emergency and requires the director of national intelligence to regularly assess activities directed at influencing or otherwise disrupting U.S. elections and to report findings to the Departments of Justice and Homeland Security. Those departments would determine within 45 days whether the interference had occurred.
Dave Bittner: [00:03:06] If the conclusion is that someone did interfere, then the Departments of State and Treasury would automatically impose a range of appropriate sanctions. Such sanctions could include, the executive order specifies, blocking of assets, blocking transfer of property, stopping U.S. investment in sanctioned companies and restriction of travel. National Security Adviser Bolton said that the order covered not only attacks on election infrastructure, which would presumably include voting machine hacks, data manipulation and so forth, but also distribution of propaganda intended to have an effect on an election. DNI Coats said, quote, "we've learned our lessons. Our focus is going forward that we have the integrity of the election in place and we have the measures in place to deter and retaliate if necessary," end quote.
Dave Bittner: [00:04:00] A determination of foreign influence could come at any point in an election cycle. One interesting point stressed by Bolton is that the first public notice of a finding of interference would usually be the imposition of sanctions themselves. The U.S. doesn't, Bolton explained, wish to risk exposing the intelligence sources and methods used to investigate such matters. The executive order comes as Congress is considering legislation to accomplish some of the same goals. The Deter Act, co-sponsored by Senators Van Hollen, a Democrat of Maryland, and Rubio, Republican of Florida, would impose economic sanctions against Russian companies and require the executive branch to identify other countries involved in election interference within a deadline of 90 days to propose sanctions. A similar bill is under consideration in the House of Representatives.
Dave Bittner: [00:04:54] The British Airways data breach remains under investigation. The general consensus is that RiskIQ got it more or less right in attributing the intrusion to the Magecart gang. The incident is expected to result in precedent-setting GDPR enforcement action. Bloomberg reports that authorities are considering a fine, and online magazine PYMNTS suggests the fine could be a looloo (ph) - as much as 500-million pound sterling. This is especially likely if enforcers conclude this is the time to draw a compliance line.
Dave Bittner: [00:05:28] In yesterday's Patch Tuesday, Microsoft addressed 61 vulnerabilities, at least three of which are under active exploitation in the wild. Security firm Ivanti emailed us to point out, among other things, that one of the fixes from Redmond addresses CVE-2018-8440, the privilege escalation vulnerability in Windows Advanced Local Procedure Call that the depressed and frustrated researcher SandboxEscaper dumped on Twitter recently. Ivanti suggests you not delay in applying this patch. It's out, about and being actively exploited. Adobe also patched, issuing a new version of its Flash Player, and SAP has fixed 14 bugs in its products, as well. Microsoft Office 365 is among the most widely used cloud services in the world, which, of course, makes it a prime target for attack. That makes securing Office 365 a priority for many organizations, but it can be complicated. Robert Block is senior vice president of product strategy at SecureAuth, a company focused on preventing the misuse of credentials.
Robert Block: [00:06:37] It depends on the license level and the strategic value that organizations have placed on Microsoft. If I looked at our prospect and customer base, it's probably in thirds. A third of them own the very basics of Microsoft. They still want to use O365. A third of them use the mid-tier, which provides them real rich business functionality and basic security. And a third of them live in the E5. E5 - that's Microsoft's licensing terms, the largest license you can have where you have the enterprise of business and enterprise of security. They treat Microsoft very strategically. So we still see our demographic as third, third, third.
Dave Bittner: [00:07:22] And so what are the challenges to each of those groups? I mean, I suppose one thing must be perception. People feel like they have Office 365. But as you lay out here, that might not mean the same thing.
Robert Block: [00:07:36] Oh, it absolutely does not. In fact, Microsoft O365 by itself as a business optimization platform, while fantastic in certain rights, comes with little security on its own. So the first thing you have to do as a customer is break down, what do you own, what you want to own, and what is best practice or what fits your needs to own? The minimal adopters, they are still trying to figure out, OK, so, yes, I'm going to use O365 for email, and I'm going to use it maybe for SharePoint or other online services. But I did not buy any security, so how do I get now secure? Do I up-level in license with Microsoft, or do I seek best of breed third-party integrations? The mid-tier saying, hey, I bought some feature-rich business optimization and I bought some foundational security, but is that enough? And it's likely not. So now what do I do? Do I up-level again, or do I seek out third-party best of breed, best practice-based security scenarios? And the third is saying, hey, I've bought it all, but I had no idea I bought nine products just for security. And they intermingle each other in certain ways that is not great for my user experience. Now what should I do? Should I still seek a third party, or should I just live with what I have and deal with it on the pro-serve side and administratively?
Dave Bittner: [00:09:01] Now, what about the folks that entry level? It seems to me almost upside-down in a way that the people with the least amount of sophistication, I would suppose, are also the ones with the least amount of protection.
Robert Block: [00:09:13] One hundred percent. And I think that's an industry systemic issue. And I won't necessarily fault Microsoft for that. I think our SMB to low, mid-level space does have the least sophistication of resources, to your point. At the same time, they have the same issues. They're an attack surface. Their credentials are at risk. They still store PII. They still have sensitive information. They still have to produce a service that's consumed by someone, just at a smaller scale.
Dave Bittner: [00:09:43] So take us through - I mean, what is your advice for someone who's approaching this and trying to decide - they know that they want to use Office 365. There are some real benefits for them there. How should they approach it? How do they know how to begin?
Robert Block: [00:09:58] So I'm going to say something that might put people off. Stop listening to Microsoft. Listen to yourself. What does your business need? And write that down. Then go back again. What would make your business excel or accelerate? And write that down. And pay no mind to what you get in a license level or pay no mind to what you get from a third party or pay no mind to what you get for an up-level subscription by Microsoft and just look at you. What makes your business run and thrive? Once you've documented those business and security requirements, now backfill who can fill those needs the best.
Dave Bittner: [00:10:35] That's Robert Block from SecureAuth.
Dave Bittner: [00:10:39] The European Union passed its long-debated and widely feared copyright law which incorporates what's been called a link tax. There are some exemptions for smaller organizations and not-for-profits. But in general, the law is very good news for rent-seeking big media companies and moderately bad news for everyone else where the law is widely seen as opening up considerable possibilities for censorship. At a minimum, the measure seems likely to force YouTube-like content moderation on much of the Internet.
Dave Bittner: [00:11:10] Russia's President Putin says they now know who the two men are the British fingered for the Salisbury nerve agent attacks. He says they're just regular joes, civilians and neither criminals nor GRU hoods. Presumably they got their Novichok, which in the Russian view, they of course didn't actually have, off their spice rack in the kitchen. I know that's where I keep mine, and it's probably where you keep yours, too. Mr. Putin says he hopes the two will soon tell their story. There's a European arrest warrant out for both Petrov and Boshirov, the two alleged goons, but no one expects them to present themselves to British authorities soon or, indeed, ever.
Dave Bittner: [00:11:53] According to the BBC, Mr. Putin said, quote, "we know who they are. We have found them. I hope they will turn up themselves and tell everything. This would be best for everyone. There is nothing special there, nothing criminal, I assure you. We'll see in the near future," end quote. Russian state television reacted with all the full-throated approval one would expect from Russian state television, calling Mr. Putin's remarks simply sensational. Channel One speculated that British Prime Minister Theresa May would resign on the news that Petrov and Boshirov are just regular guys, or else that she'd double down on lies and propaganda.
Dave Bittner: [00:12:32] The case is an interesting study in Russian information operations - lots of confusing crosscurrents of misdirection most recently concerning timestamps on surveillance footage of Petrov and Boshirov, flat denials of involvement accompanied by sententious good-citizen offers of cooperation in the investigation, charges of foreign hostility to Russia and allegations that whatever happened was a provocation. It's a familiar playbook, and it will be seen again.
Dave Bittner: [00:13:03] And finally, in a particularly nasty scam being reported by WhatsApp users in the U.K., children are being targeted by someone or some people calling himself, herself or themselves Olivia and inviting the recipients to click a link. The link goes to nasty adult content. The motivation appears to be art for art's sake - simple disinterested nastiness. And sadly, there's more than enough of that gurgling around in cyberspace.
Dave Bittner: [00:13:33] There may be some attempt to disarm children in the choice of the name Olivia, which is the name of the piglet heroine of a popular series of children's books. Sorry to give you something else to think about, parents, but keep an eye out for Olivia on WhatsApp. She's not what your children might take her to be. If you see such a message, WhatsApp says you should block the sender, disregard and delete the message, and under no circumstances forward it.
Dave Bittner: [00:14:04] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's WHITE PAPER on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:15:04] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. You sent along an interesting write-up here from a gentleman from the MIT Media Lab. And this has to do with both responsible disclosure when it comes to cryptocurrency, but also a pretty serious bug that he found. Bring us up-to-date here. What's going on?
Jonathan Katz: [00:15:30] This was actually a pretty interesting story, like you said, and also kind of a scary one because what it showed is that even a very simple flaw in one of these cryptocurrency algorithms could have pretty devastating effects. What happened in this case is that the person at the MIT Media Lab found a relatively small but important bug in bitcoin cash. And like I said, it was a bug that was very small, and people hadn't noticed up to that point. But it could've had a devastating consequence because it would've had the effect of having some people in the network validate certain transactions, while other people in the network did not validate them. And, of course, for a blockchain, this is really problematic because that leads to a fork in the underlying blockchain where half the network has one view of the system and the other half has a completely different view of the system, and that's not supposed to happen.
Dave Bittner: [00:16:22] Yeah. So potentially a catastrophic bug. But then, he also had some second thoughts about reporting it.
Jonathan Katz: [00:16:31] Yeah. He was actually a little worried because he realized that somebody could take advantage of this bug to actually spend more money within the system than what they actually had. They could effectively do a double-spend attack. And he was worried that by publicly reporting the bug, if somebody then went ahead and actually exploited the bug and carried out the attack, then either he would be suspected as being the one carrying out the attack, or he would be blamed for disclosing the bug and then allowing people to take advantage of it. So he went through a number of steps, actually, to report the bug, but in an anonymous fashion so that he wouldn't be blamed afterward in case anything went wrong.
Dave Bittner: [00:17:07] Yeah. He was actually concerned for his safety, which is something I hadn't really considered, but I think it's probably good thinking.
Jonathan Katz: [00:17:14] Well, you know, with these cryptocurrencies, there's real money ultimately on the line. And so these bugs can really have significant financial consequences.
Dave Bittner: [00:17:23] And so how does it end? Is it all's well that ends well?
Jonathan Katz: [00:17:26] Well, you know, yes and no, right? So of course, he reported the bug, and the bug was promptly fixed. But what's worrisome here is the fact that even though all this code is open-source and anybody can go ahead and look at it, and even though you have really talented programmers working on this code, bugs still creep in. And it just shows how careful we all have to be about this - about the software that we're using, especially in the context of these cryptocurrencies, which are contributed to by lots of people around the world, you know, potentially in a more haphazard manner than code that's put out by a company.
Dave Bittner: [00:17:59] Yeah. So even though it's open-source, I guess that's - that has it's good and it's bad.
Jonathan Katz: [00:18:04] Yeah. There's sort of a running debate about whether open-source software is inherently more or less secure. And in principle, it should be more secure because you have, quote, unquote, "the eyes of the world" looking at it. And so if any bug is introduced, anybody should be able to find it. The flipside of that is that very few people actually have any incentive to look at it. So it's not like you're being paid to look at the code as part of your job, for example. And so maybe this is just a case in point that you really do need dedicated people whose job it is to look over code, and you can't just rely on volunteer effort to generate secure code.
Dave Bittner: [00:18:38] Yeah. All right. Well, it's an interesting story for sure. As always, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:18:46] And that's the CyberWire.
Dave Bittner: [00:18:47] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.