The CyberWire Daily Podcast 11.5.18
Ep 719 | 11.5.18

US midterm election cybersecurity updates. PortSmash side-channel proof-of-concept. Botnets compete to cryptojack Android devices. And will the GRU get its "R" back?

Transcript

Dave Bittner: [00:00:00:23] US midterm elections end tomorrow evening, with officials on high alert for election hacking. Russia sends a poll watcher to the US to make sure democratic norms are observed. Side-channel attack proof-of-concept has been announced for CPUs, but the risk seems relatively low. Botnets are fighting over Android devices for cryptojacking power. And Russia's GU, or GRU? It looks like it's going to get its R back.

Dave Bittner: [00:00:34:11] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time, while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Wanna learn more? Check out their newest white paper titled "Threat Intelligence Platforms: Open Source Versus Commercial."

Dave Bittner: [00:01:20:16] As a member of a maturing security team evaluating threat intelligence platforms, or TIP, you may be asking yourself whether you should use an open source solution, like a malware information sharing platform, or MISP, or buy a TIP from one of many vendors offering solutions. In this white paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:05:00] Major funding for the CyberWire Podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 5th, 2018.

Dave Bittner: [00:02:16:06] US midterm elections will be held tomorrow. With early voting having been in progress for some weeks, it may be more accurate to say that they will end tomorrow, with polls closing around eight o'clock p.m. local time. There's been much concern about election security, but at the eleventh hour most of that concern has shifted from fear of direct manipulation of voting, or disruption of polling, toward worries about voter suppression efforts or other last-minute influence operations.

Dave Bittner: [00:02:45:21] A flurry of reports suggest efforts to penetrate election-related databases, but most of these have been in the context of state officials announcing their successful defense against such penetration. And it's not clear that this isn't largely a matter of the officials attending to the regular background of attempts to steal personal data. The main adversary, of course, is Russia, and state and Federal officials in general say they're seeing lower levels of activity than they did in 2016.

Dave Bittner: [00:03:15:07] The Department of Homeland Security is getting nice marks on its election security work from a normally tough Senatorial audience. Senator Warner, Democrat from Virginia and ranking member of the Senate Intelligence Committee, told Face the Nation this weekend that "I think we’ve made great progress, particularly at the individual polling stations and with the tabulations of votes. So I think people should vote with confidence." He credits the Department of Homeland Security with a sound effort to coordinate cyber defenses with state and local election authorities.

Dave Bittner: [00:03:48:19] The other aspect of election defense, of course, is deterrence. US Cyber Command, with unusual blood in its eye, is apparently ready to hit back hard at Russia if anything develops. How it might do so is left unspecified, beyond Administration suggestions that it will be retaliation short of war, but that, of course, leaves a lot of room for retaliation. We hope you don't have to do anything, Cyber Com, but if you do, well, from all of us, good hunting.

Dave Bittner: [00:04:19:11] The media and Government chatter around the elections is interesting. The Washington Post, for example, quotes Homeland Security's Christopher Krebs as saying that the midterms are "just the warm-up, or the exhibition game". It's like the undercard for the main event, which he thinks will be the 2020 election cycle. In the general chatter, those who wish to expect the worst are watching for distributed denial-of-service attacks or, if they're really expecting the worst, perhaps local power grid hacks. Both could indeed disrupt polling, but it's worth noting that concerns about DDoS or grid hacking tomorrow are mostly founded on a priori possibility.

Dave Bittner: [00:05:00:10] One sidelight: there will be Russian election observers in the US so they can report back to the international community on whether the Americans are holding free and open elections. Members of the Russian Duma are in the country to report back to the Parliamentary Assembly of the Organization for Security and Co-operation in Europe, because who's better equipped, after all, to recognize whether voting lives up to international democratic norms than officials of the United Russian Party, or the Communist Party of Russia, both of which are represented in the delegation. It's a nice gesture, as if Mr. Putin were President Wilson out to teach his sister republics to elect good men. If you run across any Russian poll watchers tomorrow, give them a hearty "Dobroe utro" (доброе утро), good morning, and say "Welcome to America." Adding "nashe luchshe" (наш лучше), ours is better, would be cheeky so try to restrain yourself.

Dave Bittner: [00:05:58:11] A team of academic researchers, at Finland's Tampere University of Technology and the Technical University of Havana, have reported a side-channel vulnerability, PortSmash, in Intel CPUs that employ a simultaneous multithreading architecture. It doesn't appear that the risk is high. The Register reports that Intel doesn't think it's worth patching, but does note that it's unrelated to Meltdown or Spectre, which were related to speculative execution. They think it's not unique to Intel chips (and AMD is looking into whether its own devices might be affected) and they think it's not so much a vulnerability as it is an "expected by-design property." So, according to Intel, the researchers' proof-of-concept exploit could be avoided by following sound side-channel safe development practices.

Dave Bittner: [00:06:49:01] Kevin Bocek, Chief Cybersecurity Officer at Venafi, commented to us that processor vulnerabilities like PortSmash are a good reason to think harder about managing machine identities. He thinks it wise to rotate the keys and certificates that identify machines. He sees it as a hygienic measure, like changing passwords from time-to-time. He said, "The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed. These are the machine identities that are most at risk from PortSmash."

Dave Bittner: [00:07:23:17] There's competition out there in bot-land. Cyware warns that two botnets, "Fbot" and "Trinity", are competing to rope in Android devices. Fbot is a Satori variant. Trinity is a version of ABD.Miner. The goal of both botnets is cryptojacking, still a popular criminal ploy.

Dave Bittner: [00:07:44:21] Finally, back on September 7 we said, on the advice of our Foreign Intelligence Service Desk, that we didn't buy Russia's rebranding of the GRU as the GU, since that involved taking the "intelligence" out of "intelligence service." And our staff ventured to state that they were confident President Putin himself probably called the military intelligence service "GRU," at least privately, and among friends and family. So what do we see over the weekend? Late Friday, Bloomberg reported that Mr. Putin called for the restoration of the missing "R" during a celebration of the GRU's hundredth birthday. So, there you go. G, R, U. 'Cause there just ain't no disputin' that ol' Vlad Putin. And we told you so. If you cross paths with our Foreign Intelligence Service Desk, by the way, please don't congratulate them. They tend to get above themselves when they've called a shot. Don't encourage them, they can be pretty insufferable.

Dave Bittner: [00:08:52:07] And now a bit about our sponsors at VMWare. Their Trust Network for Workspace ONE, can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single, open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMWare's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware, and we thank VMWare for sponsoring our show.

Dave Bittner: [00:09:52:22] And I'm pleased to be joined, once again, by Rick Howard. He is the Chief Security Officer at Palo Alto Networks and he also leads Unit 42, that's their threat intel team. Rick, it's great to have you back. You and I have talked about DevOps and DevSecOps before, but today we want to touch on DevOps and the future of orchestration. What have you got for us?

Rick Howard: [00:10:12:17] We have talked about this in the past, Dave, but for some of your listeners who are not familiar, I always recommend two books from the Cybersecurity Canon Project to get you started. The first one is The Phoenix Project, by Gene Kim, Kevin Behr and George Spafford. It's a novel that is easy to read and will ease you into the philosophy of DevOps, so I recommend that one highly. And the second book is called Site Reliability Engineering from the Google team: Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy. This is a technical how-to manual from the Google team, that explains how they implemented DevOps in site reliability engineering, some six years before we even had a name for DevOps.

Rick Howard: [00:10:54:10] That said, I was talking with my CIO, Naveen Zutshi, a couple of weeks ago about how Palo Alto Networks is pursuing the DevOps philosophy internally and I had an epiphany, and I love when I get those things. For security professionals, there are two distinct and parallel efforts going on in the community around the DevOps idea. The first is the traditional DevOps movement of automating, not just the applications that the organization uses to run the business, but also automating the infrastructure, everything from quality control, to regression testing, to deployment, to health monitoring while in production and to automatically fixing ailing applications, all in real time. That is the traditional DevOps mandate.

Rick Howard: [00:11:38:17] For cybersecurity professionals, DevSecOps is the process of automating and deployment, monitoring and maintenance of all the security tools that your organization deploys down the intrusion kill chain, in the five big islands of data that we all have. And they are, behind the perimeter, in the data center, on our mobile devices, in our SAS applications and in our IAS services. We have known about this first effort, this first traditional DevOps movement, for a number of years now, and it is why the move to the cloud is so tantalizingly attractive.

Rick Howard: [00:12:12:02] If we do this right, we can get out of our way in relation to all those old and inefficient, lengthy processes and procedures we currently have in place. The movement to the cloud is our get-out-of-jail-free card and we're using DevOps to get it done.

Rick Howard: [00:12:26:08] But the second parallel effort is where my epiphany came out. We are not only automating the traditional DevOps and DevSecOps stuff, we are also automating the manual procedures that we have all been using in the SOC for the past decade. Out of all the innovation that has come out of the cybersecurity industry in the last decade, the idea that we need butts on seats, watching alerts on a screen, has remained stubbornly entrenched. That is beginning to change. Most of the network defenders that I talk to have some project on the board where the goal is to eliminate all of the traditional SOC tier one and tier two tasks through automation, so they can use their people to track down the tier three, my hair is on fire, incident response tasks.

Rick Howard: [00:13:07:21] We are making progress. With that in mind, I have two recommendations. First, if you are just beginning your career in the cybersecurity field, or you are somewhere in the middle, you might take on a personal improvement project to learn how to code. When I started in the industry, back when General Washington was just taking command of our little army, coding was not a required skill. It was not necessary. But I predict, in ten years, network defenders will be coders first and security professionals second. You can make yourself invaluable, right now, today, if you know how to code. So that's the first recommendation.

Rick Howard: [00:13:44:01] Second is, while you're taking this journey to the cloud and learning how to be a DevSecOps practitioner, make it easy on yourself. Use the same security tools down the intrusion kill chain on each of the big five data islands. With DevSecOps, you are writing code that will communicate to your deployed vendors' APIs. Your journey will be a lot shorter if you standardize on the same set of APIs on each data island, as opposed to a different set of APIs for each. That way lies madness, there be dragons down that path, alright, so that's my recommendation.

Dave Bittner: [00:14:17:08] All right, so just keeping it simple, taking out some of the complexity there.

Rick Howard: [00:14:22:16] Exactly.

Dave Bittner: [00:14:23:20] Rick Howard, thanks for joining us.

Dave Bittner: [00:14:31:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:14:50:04] And thanks to our supporting sponsor, VMWare, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:14:59:01] Don't forget to check out the Grumpy Old Geeks Podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future Podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:15:27:03] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.