The CyberWire Daily Podcast 12.10.19
Ep 986 | 12.10.19

Pensacola under cyberattack. Notes on ransomware. The US Justice Department IG report on Crossfire Hurricane. Who let the bots out?

Transcript

Dave Bittner: [00:00:03] The city of Pensacola is hit hard by an unspecified cyberattack. Ryuk ransomware decryptors may cause data loss. A new variant of Snatch ransomware evades anti-virus protection. The U.S. Justice Department's inspector general has reported on the FBI's Crossfire Hurricane investigation. Another unsecured database exposes PII. Keep an eye out for Patch Tuesday updates. And it's prediction season, so CyberScoop lets the bots out. 

Dave Bittner: [00:01:46]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 11, 2019. The city of Pensacola, Fla., has disconnected most of its networks in response to a cyberattack that hit over the weekend. The attack began early Saturday, the Pensacola News Journal says, hours after a Saudi military pilot undergoing training at Pensacola Naval Air Station murdered three U.S. sailors and was subsequently shot by local police. The timing of the cyberattack raised speculation that it might be connected to the shooting, which, according to the New York Times, authorities are investigating as a possible terrorist incident. But so far, no such links have been found. The motivation behind the cyberattack remains unclear. The city hasn't said, for example, whether it's received ransom demands. The city has said that no personal information appears to have been compromised, but the investigation is still young and still ongoing. Pensacola is working with the FBI on the case. 

Dave Bittner: [00:02:49]  The decryption specialists at Emsisoft warn that the criminal-provided Ryuk ransomware decryptors may damage larger files. The decryptor truncates big files, and Emsisoft finds that this can result in unrecoverable data loss. Decrypt if you must, but better to restore from secure backups and, better yet, to avoid infection in the first place. While we're on the subject of ransomware, researchers at security firm SophosLabs report finding an evolved version of Snatch ransomware that avoids some anti-virus protections by causing Windows to reboot in safe mode. 

Dave Bittner: [00:03:26]  The U.S. Justice Department late yesterday released its inspector general's report on the FBI's 2016 Crossfire Hurricane investigation. Crossfire Hurricane was opened to look into allegations of Russian influence in President Trump's campaign. As The Washington Post summarizes the report, the IG found that the FBI had grounds to open an investigation but that the investigation itself was marred by serious failures. Those failures are particularly evident, NBC News says, in the way the FBI obtained and used FISA warrants and in its handling and assessment of confidential human sources. 

Dave Bittner: [00:04:02]  Reading through the report, we see that the most prominent confidential human source mentioned - or CHS, as the IG teaches us to call such persons - is Christopher Steele, the British national who provided the kompromat of the Steele dossier to various parties, including opposition research shop Fusion GPS. The FBI cited information from Steele in its application for a FISA warrant to surveil Carter Page, then a foreign policy adviser to the Trump campaign. 

Dave Bittner: [00:04:31]  The process of obtaining a FISA warrant requires that the request be based on verified information. That verification, according to the IG, was less than fully successful. In one instance, for example, the bureau submitted a Yahoo News article in verification of some of Steele's claims without noting that the article was based on information from Steele. With apologies to Ludwig Wittgenstein, this is a little like buying a second copy of a newspaper to confirm the stories you read in your first copy. 

Dave Bittner: [00:04:59]  The IG found that the process of securing the warrant was marred by serious performance failures by the supervisory and nonsupervisory agents with responsibility over the FISA applications. Page, the IG report says, did indeed have contact with Russian intelligence officers, but he did so with the knowledge of an unnamed U.S. agency he was providing information. That agency, Page has said, was the CIA. 

Dave Bittner: [00:05:25]  In general, the report suggests that the inquiry was handled carelessly and under the spell of the sort of targeted fixation investigative agencies frequently tempted. There's no finding of political bias in the bureau, but those disposed to look for it will find - indeed, have already found - plenty of circumstantial evidence of it, mostly surrounding eagerness to swallow the Steele dossier, hook, line and sinker. Those disposed to dismiss political bias are focusing on the IG's finding that the FBI had grounds to start an investigation. The FBI immediately accepted the report's recommendations and says it's moving to strengthen applicable procedures and oversight mechanisms. 

Dave Bittner: [00:06:05]  Application security firm Veracode recently published the latest update to their State of Software Security report. Chris Wysopal is CTO and co-founder at Veracode, and he takes us through their findings. 

Chris Wysopal: [00:06:17]  Customers that scan their software for vulnerabilities on a more frequent basis end up fixing vulnerabilities a lot faster. So it shows that just a process change can lead to more secure software. 

Dave Bittner: [00:06:34]  So based on what you gathered here in this report, what are your recommendations? 

Chris Wysopal: [00:06:40]  Yeah, so the recommendation is to make a cultural change of not having a separate security team be the people that test software, decide what to fix and then essentially harangue the development team to fix issues not on the development team's, you know, schedule or when it's best for them. The recommendation is to get management in the development organization to take ownership for this and use as evidence things like the State Of Software Security report, which says you're going to have much more secure software actually with less effort - it's going to be easier for you to produce more secure software - and get that buy-in at the executive team, and then push it all the way down to the individual development teams where they will take ownership for securing the software. And the security team then becomes a consultant. They become someone that helps this process work, but they're not there in the daily meetings, saying, you know, should we fix this bug anymore? The security team takes ownership of that and gets trained to have some expertise so they actually know what they're doing. Then they build it into their process, and they think about getting it better and better over time. 

Dave Bittner: [00:07:57]  Was there anything in the report that was surprising to you? Any unexpected results that came through? 

Chris Wysopal: [00:08:03]  Well, we did something which was a little different this time, which was we didn't just look at how often scanning was done. We looked at the pattern of the scanning. So was it steady? Was it on a daily basis, a weekly basis? Was it irregular? Was it something where it would seem haphazard? Like, why are they scanning now, and why is there a lot of intense scanning over this period or what we called bursty, which was long periods of time where no scanning activity happens, then a month or two of intense scanning activity and then a long period of time with none? And that kind of showed us that they were scanning only as they got close to the release cycle. And we didn't know what to expect from breaking development teams into those three categories - steady, irregular and bursty. So the recommendation is scan on a steady basis or even an irregular basis, but don't go long periods of time without scanning. That almost guarantees your product is going to be less secure. 

Dave Bittner: [00:09:04]  And it kind of reminds me of, you know, the frantic cleaning of the house that takes place before, you know, Thanksgiving or when family's coming over and you haven't done it in a while. You start throwing things into closets, and you'll pay for it later. 

Chris Wysopal: [00:09:16]  Absolutely. I think that's a great analogy. 

Dave Bittner: [00:09:18]  (Laughter). 

Chris Wysopal: [00:09:20]  At the high level, when we say, like, you know, is software, you know, getting more secure or less secure, we just saw over the 10-year period that we've been doing it a lot of vulnerabilities that are well-known like SQL injection are sort of at the same percentage rate that they were 10 years ago. We had 23% of apps 10 years ago had one or more SQL injection vulnerabilities, and here in 2019, 24% of apps have one or more SQL injection vulnerabilities. So it's crazy to think that if you look - zoom out and look at the big picture, not much has changed as far as, you know, are people fixing these problems or not - or introducing these problems? So we still have a lot of work to do as an industry, and we hope that these recommendations that come out of the report where we see what - you know, particular development teams are doing really well, we can percolate that through the industry so that becomes the average way of doing things and, you know, everyone gets better, not just these teams that have a great process. 

Dave Bittner: [00:10:21]  That's Chris Wysopal from Veracode. 

Dave Bittner: [00:10:24]  The day now seems somehow incomplete without news that a misconfigured cloud database has exposed a great deal of personal information, and today, unfortunately, is complete. TechCrunch reports that the British penetration company Fidus has found another one. It's an AWS bucket belonging to a company that TechCrunch and Fidus declined to name. The company's business is the processing of applications for copies of U.S. birth certificates. The exposed database holds more than 750,000 applications. Such applications contain a considerable amount of personally identifiable information, including, according to TechCrunch's look at the material, the applicant's name, date of birth, current home address, email address, phone number and historical personal information, including past addresses, names of family members and the reason for the application, such as applying for a passport or researching family history. That's a lot. Amazon said it would notify the unnamed company whose bucket it is that needs to, well, do something about it. 

Dave Bittner: [00:11:24]  Today, of course, is Patch Tuesday. So be on the lookout for updates from Microsoft and Adobe expected sometime this afternoon. We'll have notes on the fixes tomorrow. 

Dave Bittner: [00:11:34]  And finally, it's also prediction season, and the cybersecurity industry has been busy making them. We do link to those in our daily news briefing, and we encourage those interested to look there for the sector's virtual crystal ball. But we'd be remiss if we didn't mention one outstanding and very funny aggregation of 2020 forecasts. It's in CyberScoop, and, by all means, give it a look. The publication decided to turn the AI loose on the predictions to glom them all together, and they didn't stop there either. They let the bots do the writing, too. As the editor says in her disclaimer, the article is all generated through Markov chains and is only super lightly edited for clarity. Those Markov chains are rattling better than the cash boxes that encumbered Jacob Marley when he visited Ebenezer Scrooge. Their most insightful prediction, we thought, was prediction No. 8 - more security officers will get worse. Tell it, brothers and sisters. We particularly like the way the bots attributed a quotation to Carl von Clausewitz at the end of every section, a riff on his famous dictum that war is the continuation of politics by other means. A few of our favorites were war is merely the continuation of the evolution in cloud security or war is merely the only way to monetizing IOT network attacks and war is merely the marketing deployed. So bravo, CyberScoop, and do go read the whole thing. 

Dave Bittner: [00:14:03]  And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: [00:14:14]  Good to be here with you, Dave. 

Dave Bittner: [00:14:15]  Interesting article - this is from The Verge - something you and I have touched on over on the "Caveat" podcast. But there's some specifics here I wanted to dig in for our audience, and this has to do with whether or not you have a right to sue Facebook and other online platforms and some legislation that's being cooked up to address this sort of thing. What's going on here? 

Ben Yelin: [00:14:36]  So there was some promise in the past several months so there could be bipartisan agreement on federal data privacy legislation. This has been a long-running problem. We have this patchwork of state laws and some federal regulations that apply to data privacy, but we don't have uniform federal legislation. So a couple of key senators in the United States Senate, a Democrat, Maria Cantwell of Washington, a Republican, Roger Wicker of Mississippi, have been trying to work on a bipartisan solution to this problem. And I think there's general bipartisan interest in the skeleton of such a bill... 

Dave Bittner: [00:15:11]  OK. 

Ben Yelin: [00:15:12]  ...In terms of, you know, some of the things we all agree on, like giving the FTC, Federal Trade Commission, enforcement authority on data privacy violations. But a big source of disagreement is giving consumers, users a private right of action against the big tech companies. 

Dave Bittner: [00:15:28]  What does that mean? 

Ben Yelin: [00:15:29]  So this would allow a legal cause of action for any user of any one of these sites or any one of these technological devices to directly sue that company for damages. So oftentimes, you'll see legislation that bans a private right of action where the legislation will explicitly say individual doesn't have standing to sue, you know, on the basis of a violation of the statute. And what Senator Cantwell's proposal would say is that users do have legal standing to sue if they are alleging that their data has been compromised by one of these companies. You know, so the positives would be having a private right of action gives these tech companies, the Twitters and Facebooks of the world, more of an incentive to protect user data. If they're fearful about getting sued, you know, they might hire more compliance officers to make sure that they're complying with this federal statute. The downside, which is something that Senator Wicker and other Republicans have talked about, is that this could lead to a flood of lawsuits. And when a similar standard - a similar private right of action was applied to the telecommunications companies back in the '90s, it did lead to a lot of lawsuits - hundreds of thousands of them. A corollary to that argument - Senator Wicker's argument, which I think has a lot of merit to it, is Facebook and Twitter, you know, they have the resources to respond to lawsuits. They're wealthy companies. Mark Zuckerberg can hire the best lawyers in the country. Jack Dorsey probably could, too. You know, resources are just not going to be a problem for them, even if they're sued by millions of users if there are a bunch of class-action lawsuits. That's not true for some of these smaller companies. Lawsuits could drive them out of business. And, you know, so this might be a regulation that - or a change in the law that actually would benefit big tech companies at the expense of the smaller guys out there. 

Dave Bittner: [00:17:29]  Could keep the smaller guys from establishing a foothold in the market, even. 

Ben Yelin: [00:17:33]  Exactly, because... 

Dave Bittner: [00:17:34]  You know, it's a big burden. 

Ben Yelin: [00:17:35]  Exactly because compliance would just be far more expensive... 

Dave Bittner: [00:17:38]  Right. 

Ben Yelin: [00:17:39]  ...And there would constantly be this threat of litigation. So that might impact somebody developing a new technology where - you know, or a new interface where they're not entirely clear if there are robust data protections. Maybe the company decides not to go through with that because it's too expensive to try to comply with these new federal regulations. So the upshot of this - you know, Senator Wicker claims as part of this article that he doesn't think this dispute on a private right of action is going to derail the entire effort to have a federal data privacy bill. I think Senator Cantwell has also signaled an openness to having legislation that does not have this private right of action. This is just going to be part of ongoing negotiations. There are certainly legitimate positives and negatives over that particular provision, but it's something that's going to have to be worked out in the United States Senate. 

Dave Bittner: [00:18:34]  All right, those gears keep turning, right? 

Ben Yelin: [00:18:36]  Absolutely. They always are, although we don't usually associate the United States Senate with gears turning. 

Dave Bittner: [00:18:42]  (Laughter) Gears grinding, right? 

Ben Yelin: [00:18:42]  Yeah, the gears are grinding... 

Dave Bittner: [00:18:43]  Sand and... 

Ben Yelin: [00:18:44]  ...Very slowly. 

Dave Bittner: [00:18:45]  ...Monkey wrenches and - yeah... 

Ben Yelin: [00:18:46]  Exactly. 

Dave Bittner: [00:18:46]  ...Rust on the gears. 

Ben Yelin: [00:18:48]  It is the... 

Dave Bittner: [00:18:48]  Yeah, yeah (laughter). 

Ben Yelin: [00:18:48]  It is the cooling saucer, as they say, of our democracy. 

Dave Bittner: [00:18:51]  Yes, yes. 

Ben Yelin: [00:18:52]  Yeah. 

Dave Bittner: [00:18:52]  All right, well, Ben Yelin, as always, thanks for joining us. 

Ben Yelin: [00:18:55]  Thank you. 

Dave Bittner: [00:19:00]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:13]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.