The CyberWire Daily Podcast 11.1.16
Ep 217 | 11.1.16

The Shadow Brokers say trick or treat to the Amerikanski. Are free elections like free beer? Google wants faster patching. The state of Mirai.

Transcript

Dave Bittner: [00:00:03:14] The Shadow Brokers are back and again mangling English like a bad scriptwriter doing Ensign Chekhov fan-fiction. Russian leaders continue to scoff at American Elections and WikiLeaks continues to leak. Microsoft doesn't patch fast enough to suit Google. Researchers consider the scope, threat, and mitigation of the Mirai IoT botnet. And Furby's back but this time, it's connected.

Dave Bittner: [00:00:31:03] Time for a message from our sponsor, E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. It's self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the rear risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free white paper to learn more. E8, transforming security operations. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:27:15] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 1st, 2016.

Dave Bittner: [00:01:33:07] The Shadow Brokers came back for Halloween. You will remember them as the group responsible for their successful late summer doxing of the Equation Group and their unsuccessful attempt to auction off lots of what they said was NSA attack code. The auction was so ill-conducted that it's difficult to read it as a serious criminal attempt. In any case the Shadow Brokers dumped an archive they called "trick or treat" online. The dump is represented as, and may well be, a revelation of server stage infrastructure used by the Equation Group. That is, it shows servers that may have been compromised in order to accomplish various cyber campaigns. The Equation Group is thought by most observers to be, roughly speaking, an NSA contractor.

Dave Bittner: [00:02:15:04] The Shadow Brokers are still writing their communiques in completely implausible broken English. A sample, quote, "The Shadow Brokers is having special trick or treat for Amerikanskis tonight," end quote. No one actually writes or speaks like that, except in fiction, where either complete ineptitude of broad comedy would be on display. Flashpoint who suffered through the present participles, absence of articles and matey malapropisms so the rest of us don't have to, thinks the goody writing reveals a false flag. Which false flag is unclear, presumably some guys in Eastern Europe who are hacktivist Robin Hoods, but Flashpoint also notes the Shadow Brokers tend to mirror Russian President Putin's jibes at the American political system. In the “Trick or Treat” dump, for example, the Brokers deride American elections as "free, as in free beer," a one-liner that aspiring stand-up Mr. Putin delivered recently at the St. Petersburg Economic Forum, either there or at open-mic night at the Chuckle Hut. We don't exactly get it since free beer seems no joking matter, but perhaps it plays better in the original.

Dave Bittner: [00:03:19:18] The Shadow Brokers, by the way, say they've still got lots of Equation Group stuff to sell if you act now.

Dave Bittner: [00:03:26:04] The evident connection between the Shadow Brokers and Russian Security Services feeds ongoing concerns about US elections. Russia is generally believed, especially by the US intelligence community, to be actively engaged in attempting to influence the vote. 46 States have now asked for Federal help securing the elections they're constitutionally responsible for conducting. Officials are more worried about interference with voting than with direction manipulation of the tally.

Dave Bittner: [00:03:53:11] WikiLeaks has continued to release discreditable emails with presidential candidate Clinton's manager John Podesta remaining the big catch, in what appears to have been a successful phishing expedition. More doxing is expected before next Tuesday's voting. The FBI's newly resumed investigation into candidate Clinton's State Department era email practices also continues.

Dave Bittner: [00:04:16:14] Google has publicly disclosed flaws its researchers discovered in Microsoft Windows and Adobe Flash. The Windows zero-day, Google disclosed, is both unpatched and being actively exploited in the wild. It's a kernel vulnerability that allows an attacker to escape from sandboxing and execute remote code on the affected system. Google found the problem on October 21st and in accordance with Google policy made its discovery public after seven days. That policy, in place since 2013, gives vendors 60 days to patch a privately disclosed flaw if there's no active exploitation but only a week if an exploit is out in the wild. There's no patch yet from Microsoft and Redmond isn't happy with Mountain View. But Google is sticking to its commitment to go public within a week of discovery when there's active exploitation in the wild, whether or not the vendor has a patch ready.

Dave Bittner: [00:05:06:13] Adobe did patch the Flash problem Google found and they did so last Friday. Some sources say that the Windows flaw required the Flash exploit before it could itself be exploited. And so while Microsoft is still expected to fix the problem soon, the severity of the Window's bug is much reduced by the Adobe patch.

Dave Bittner: [00:05:25:08] Researchers continue to consider approaches to cleaning up Mirai and similar Internet-of-things threats. One proof of concept, a white hatted worm that crawls through IoT devices and changes their default passwords, is unlikely to pass legal muster but the demo shows the way some people in the security industry are thinking.

Dave Bittner: [00:05:44:04] Nominium released their Fall 2016 Data Science Security Report yesterday and among the issues they address is the October 21st distributed denial-of-service attack on Dyn. Nominium's Head of Data Science and Security, Yuriy Yuzofovich told the CyberWire that the attack was, quote, "a wake up call that put a spotlight on the importance of DNS, and the impact of IoT-based attacks on the Internet and on service providers and enterprise networks," end quote. He thinks enterprises should use this event as an opportunity to consider their readiness to weather a DNS attack and to think through the implications of other kinds of Internet-of-things based attacks on their networks.

Dave Bittner: [00:06:23:05] There are many bad actors out there trying to take advantage of vulnerabilities where they find them. We checked in with Ferruh Mavituna from Netsparker to learn about cross-site scripting, and how a feature called Content Security Policy helped sport the baddies.

Ferruh Mavituna: [00:06:37:17] Cross-site scripting is a vulnerability that allows an attacker to hijack a session. So for example, you are logged into an application and there's a cross-site scripting vulnerability in that application, an attacker can send you a link and when you click that link that attacker will steal your current session and they will be able to do, stop it so that you can't raise a log and use it. So if you are on an-- let's say if you using Gmail and if there's a cross-site scripting in Gmail, right after you click a link, attacker will be able to access your emails. So it's pretty dangerous and it's a huge problem, it's a massive problem. So Content Security Policies are protection against cross-site scripting. If your website is completely secure against cross-site scripting, in theory, you don't need content security policies because, you know, you're already safe. It won't add any value to you. But in reality we know it's very rare, the chances are, you are vulnerable. And also it's a best practice, we always say you need defense in that.

Ferruh Mavituna: [00:07:46:05] CSP is something applied on the browser levels. So it's something your browsers and the web server tells the visitor's browser, look, you can only log resources from these websites and WP lists. You can say, never load any Java script from any domains but from my own domain or but from these white-listed specified domain lists. And also CSP can say, and generally should say, don't execute Java scripts written directly on the page. They need to be referenced. So they need to be used script sourced element on the HTML instead of having in-line Java scripts, which are generally used in cross-site scripting attacks.

Ferruh Mavituna: [00:08:33:17] So effectively what CSP does it tells your browser, do not execute Java scripts from another domain and do not execute in-line scripts. And you've got very granular console on these domains, these rules and there are a bunch of other rules, it's very complex actually, CSP. But when you do it right, even if you have a cross-site scripting, you can survive. It can be because you have proper CSP destinations, your browser will not execute the Javascript, so attack will fail, despite of the fact you have a cross-site scripting on your website. So it's a very nice defense in that feature. It's highly recommended because of how common cross-site scripting is and how hard it is to protect your website against it.

Dave Bittner: [00:09:22:08] So explain to me how someone would implement Content Security Policy.

Ferruh Mavituna: [00:09:27:24] Implementation is generally through HTTP headers. You can also use meta tag but HTTP is the most common way and generally recommended.

Dave Bittner: [00:09:36:19] That's Furruh Mavituna from Netsparker. You can learn more about Content Security Policy at content-security-policy.com.

Dave Bittner: [00:09:47:10] Finally, listeners of a certain age will recall the Furby, a fuzzy, gremlin- or troll-like toy that gained notoriety around the turn of the millennium for its unprepossessing looks, its wide eyes, its fuzzy hair and its propensity to repeat things said in its presence. Well, the Furby is back in a new more connected form just in time for the holidays. We assume Furbys are still banned from Fort Meade and its environs? Check before you bring one to work, kids, loose chips sink ships.

Dave Bittner: [00:10:21:15] Time for a message from our sponsor, Delta Risk, a Chertoff Group group company. Since 2007, Delta Risk has been helping organizations manage cyber risk to protect their business operations. Today they're offering a distillation of some of their expertise in technical security, policy, governance and infrastructure protection in the form of a white paper, Top Ten Cyber Incident Pain Points. Are you prepared? Download it today at delta-risk.net/topten. The conventional wisdom is that every organization will eventually have to deal with a cyber incident and in this case the conventional wisdom is right. Delta Risk can help you prepare for that incident with some sound planning. So thanks, Delta Risk, for explaining those incident response pain points. Once again, visit delta-risk.net/topten and start planning. That's delta-risk.net/topten. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:11:22:13] And I'm pleased to welcome to the show, Rick Howard. He's the CSO at Palo Alto Networks. Rick, welcome to the show. By way of introduction, why don't you tell us a little bit about yourself?

Rick Howard: [00:11:32:00] Thank you for having me. It's a great joy to be on here, I'm a big fan of this podcast and so I'm glad to be here. I've been doing cyber security for a long time. I'm an old army retiree guy, did IT and cyber security for the army. My last tour, I ran the Army CERT for a couple of years where I coordinated offensive and defensive operations for the US Army which is a lot of fun. I went to the commercial sector and did a bunch of things and now I've ended up here being the Chief Security Officer for Palo Alto Networks.

Dave Bittner: [00:12:01:22] And you all have a fun name for your Threat Intel Team, you call it, Unit 42. Tell us how-- first of all how you came up with that name and then what kind of stuff does Unit 42 work on?

Rick Howard: [00:12:12:17] I love that I work at a place like Palo Alto Networks and we can do stuff like this. I got hired to form their first public facing cyber threat intelligence team. And so when I got on board and I had to write all the documents about what the team was going to do and, you know, what kind of skill sets we were going to need and what kind of equipment we were going to need and I was typing in Word documents, right, and so if you type Palo Alto Network Threat Intelligence Team, that takes up an entire line on a Word document. I don't know if you know that, but it is true.

Rick Howard: [00:12:42:22] So I got tired of doing that and I'm kind of a sci-fi geek, kind of a fantasy geek and as a joke to myself I started calling it Unit 42, in reference to the old Hitchhiker's Guide to the Galaxy book, where they have a running gag about what the meaning of number 42 is. And if you've read the book or if you're a fan, then you know that it's the answer to life, the universe and everything. So I amused myself and put it into the documents. Well, our Chief Marketing Officer is a bigger sci-fi geek than I am and when he saw it in the draft documents he said, "Oh, no, that's what we're calling it." So there you go, Unit 42.

Dave Bittner: [00:13:17:15] Well, what kind of stuff does Unit 42 do?

Rick Howard: [00:13:19:20] Well, I mean, the, the reason we decided to make a public facing threat intelligence team is that we have all these high-end cyber security researchers at the company but they were mostly focused on making the product better and understanding, you know, new threats coming down the road. We weren't really telling anybody about what we knew and so as a community project, my boss, the Chief Executive Officer, Mark McLaughlin, wanted a way for us to tell the world about what we knew about the threat. And it kind of goes with our philosophy and the company that we want to give intelligence to anybody who can consume it. The idea was to take a bunch of high-end researchers and put them on to the data that we collect through our platform collection grid and then make something useful out of it and tell our, our customers and anybody else in the world what we think about the threat and how they can prevent those threats from attacking their networks.

Dave Bittner: [00:14:12:14] Alright, well, Rick, welcome to the show and we look forward to hearing from you again soon.

Rick Howard: [00:14:16:16] Thank you very much, sir, I'm looking forward to it.

Dave Bittner: [00:14:21:00] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:14:30:13] Did you know you can reach our audience of engaged, informed, business government and academic leaders by sponsoring the CyberWire? Visit thecyberwire.com/sponsors and find out how.

Dave Bittner: [00:14:40:14] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.