The CyberWire Daily Podcast 3.9.17
Ep 302 | 3.9.17

Vault 7 doesn't show much evidence of false flag operations. The most interesting question the WikiLeaks dump raises is, where did the material come from? RAND studies the zero-day market. The Near Abroad wishes for more US soft power.

Transcript

Dave Bittner: [00:00:03:12] Vault 7 and the false flags that really aren't there. A call for more stress-testing of software. RAND reports on the market for zero-days. The Near Abroad warns the US that it would like to see more American soft power deployed in their part of the world.

Dave Bittner: [00:00:24:11] Time to take a moment to tell you about our sponsor, the good folks over at CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out cybersecjobs.com and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume, and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. You'll find this and other great opportunities at cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:20:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore, with your CyberWire summary for Thursday, March 9th, 2017.

Dave Bittner: [00:01:30:05] As people have continued to sift through WikiLeaks' Vault 7, the consensus is emerging that there's not much that's surprising there, beyond the obvious fact that so much stuff leaked at all. (Assuming, we hasten to add, the material is as genuine as it appears to be.)

Dave Bittner: [00:01:46:19] One early reaction clearly doesn't have traction. Informed observers seem to be in agreement that the signs people thought they saw in Vault 7 of CIA false flag operations aren't in fact there. What is found in Vault 7 are copious signs of code reuse, and that's not surprising at all. It's economical and makes sense. Any intelligence service in just about any country would re-purpose code it pulled from the wild and use it, providing that code could be adapted to meet mission needs. So seeing evidence that Cozy Bear and Fancy Bear were really CIA provocations designed to cast blame on the Russians for election hacking is regarded by most observers as being on the fanciful side. The smart money remains on Cozy and Fancy being the FSB and the GRU.

Dave Bittner: [00:02:34:07] There also seems to be little in the dump to suggest that the CIA is engaging in widespread domestic surveillance. In this respect as in others, Vault 7 resembles the leaks concerning the Equation Group that appeared last summer.

Dave Bittner: [00:02:47:12] Emerging security industry consensus holds the interesting question about the Vault 7 dumps to be just how the material leaked, and that, of course, will take some investigation.

Dave Bittner: [00:02:58:00] The leaks do include some commentary on the relative difficulty of bypassing various security products. Some of those products fare better than others, if the leaks are to be believed. KrebsOnSecurity thinks one lesson industry should draw from Vault 7 is that money spent on marketing might be better applied toward "stress-testing" products. Another lesson may be this: if a sophisticated intelligence service with the resources of a developed nation-state is interested in your networks, consumer antivirus products, no matter how good they may be at frustrating crooks and busybodies, are unlikely to keep that nation-state's cyber operators out.

Dave Bittner: [00:03:36:02] The Vault 7 leaks have drawn attention to how governments handle zero-days - vulnerabilities which are not publicly disclosed and for which no fixes have been made available. Coincidentally, the RAND Corporation has just released an interesting study on the zero-day market. Their study looked at this market mostly from the point of view of a participant in that market, but the study has some implications for defense and security.

Dave Bittner: [00:04:00:06] The report reached five conclusions: first, "declaring a vulnerability as active" (that is, publicly unknown) "or dead" (that is, publicly known) "may be misleading and too simplistic." Some vulnerabilities, particularly those in legacy products that have reached the end of their life, may be, as RAND puts it, "immortal."

Dave Bittner: [00:04:19:12] Second, "exploits have an average life expectancy of 6.9 years after initial discovery, but roughly 25% of exploits will not survive for more than a year and a half, and another 25% will survive for more than 9.5 years." This means, among other things, that "software rot" - what happens when code isn't maintained and regularly updated - can bring dormant vulnerabilities to the surface.

Dave Bittner: [00:04:44:22] Third, "no characteristics of a vulnerability indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and various groupings of exploit class type." Essentially, don't get cocky, kid - there's no one kind of vulnerability that can be safely assigned a low priority for checking and fixing.

Dave Bittner: [00:05:09:14] Fourth, "for a given stockpile of zero-day vulnerabilities, after a year approximately 5.7% have been discovered and disclosed by others." And fifth, "once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days." Since exploits are often reverse engineered from patches, one moral is, don't delay patching.

Dave Bittner: [00:05:36:07] Much of the commentary on the report takes it as a given that purchasing and "stockpiling" zero-days is a bad practice. That may be true, but the issue's not entirely clear. In the event coverage section of the CyberWire's website you can read an account of a lively debate about the Vulnerabilities Equities Process we heard at CyCon last October - there was intelligent advocacy on both sides of the question.

Dave Bittner: [00:06:00:00] Many organizations have come to rely on virtualization and the cloud as part of their IT infrastructure plans, taking advantage of the flexibility and scalability the cloud environment can provide. But what about security? Tom Corn is Senior Vice President of Security Products for VMware.

Tom Corn: [00:06:17:19] What we're ultimately trying to protect is not servers or networks, what we're trying to protect are applications and data. The challenge is where we're trying to protect it. We're trying to protect it from servers and networks and those are orthogonal planes. When applications were monolithic facts the whole application ran on one physical machine, the server was a pretty good proxy for the application. That's not what an application looks like today. An application is in a distributed system of components networked together. It's web servers, talking to app servers, database servers, it's all kinds of containers connected together.

Tom Corn: [00:07:01:15] And the best metaphor I think I've come up with to describe the problem is if you think of a data center as a city where the buildings are servers and the roads are networks. When we had monolithic fact applications a long time ago, it was kind of like having a skyscraper with only one application in it and the whole application was in there. And when we had that, from a security perspective, we had a front door to place guards at. And the two things that really helped us were, firstly, the fact that those guards could be rest assured that there was no other way to touch any part of that application without going through that door. And secondly, they only had to worry about one application, about one tenant in that building. So the policies about who should get in or what looks weird about someone who was trying to get in were relatively straightforward.

Tom Corn: [00:07:53:08] Fast forward to what applications look like today. It's the parts of buildings in many different parts of the city. That is an application. And in any building there are many applications and in fact they move in and out all the time. All right, well that's a very complex model, because trying to determine who gets in or out or trying to determine what looks weird or being comfortable that from where I sit I can see anyone who's touching that is next to impossible. As a result, most of the security industry is still focused on trying to prevent infiltration into the data center or into a given machine. And we are very blind if someone does land somewhere. Can they move around the data center? That is an architectural gap. The real huge promise, I think, of virtualization in cloud is helping solve that problem, helping connect the dots, enabling security to be applied and aligned to what we're really protecting, the applications and data.

Tom Corn: [00:08:57:05] And that's where we're seeing a lot of the advances in security technology, not just from us, but from other companies, is really focusing on taking advantage of the cloud to do just that.

Dave Bittner: [00:09:07:03] That's Tom Corn, from VMware.

Dave Bittner: [00:09:10:23] Several Eastern European and Southwest Asian countries - the Baltic States, Poland, Ukraine, and Georgia - either members of or desiring closer association with NATO, warned the US about rising Russian assertiveness in Europe, and urged that the US begin to apply some soft power to counter it. By "soft power" was meant, principally, larger, more effective, more closely targeted information operations. A number of leak-sources, as many have noted, seem over the past couple of years to have been at least objectively aligned, as an Old Bolshevik might have put it, with Russian interests. And there has been no shortage of other, more obvious Russian information and influence campaigns, as the Baltic States are particularly keen to point out. European governments are growing particularly sensitive to the prospect of political influence operations - France, for example, has decided to eliminate overseas electronic voting in its own upcoming elections.

Dave Bittner: [00:10:08:18] And finally, a note to our listeners, if we may do some polite begging. The CyberWire is a finalist for a Maryland Cybersecurity People's Choice Award and so we're taking the liberty of asking you to consider voting for us. If you enjoy the CyberWire Daily News Briefing and the CyberWire Podcast, we'd appreciate your support. You can cast your vote at thecyberwire.com/vote through March 22 (and you don't need to be in Maryland, or even in the US, to do so, so Rangoon, come on in). Thanks as always for reading and listening. That's thecyberwire.com/vote.

Dave Bittner: [00:10:48:18] Time for a message from our sponsor, Netsparker. Are you still scanning with labor-intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time, save money and improve security with their automated solution. How many sites do you visit, and therefore scan, that are password protected? With most other security products you've got to record a log-in macro, but not with Netsparker. Just specify the username, the password and the URL of the login page and the scanner will figure out everything else. Visit netsparker.com to learn more. And if you'd like to try it for yourself, you can do that too. Go to netsparker.com/cyberwire for a free 30-day fully functional trial of Netsparker desktop. Scan your websites and let Netsparker show you how easy it can be. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:11:46:16] Joining me once again is Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and he's also Director of the Maryland Cyber Security Center. Jonathan saw this story come by on Google's security blog about Project Wycheproof. Give us some of the details. What do they have going on here?

Jonathan Katz: [00:12:03:03] So this is basically something that Google is putting out that will allow implementers who are developing their own crypto code to check for the most common vulnerabilities that come up in this code. This is really important actually, because what we've seen time and time again is that the underlying crypto, the algorithms themselves and the protocols based on them tend, for the most part, to be pretty secure and pretty resilient to attack, but nevertheless a lot of crypto code is vulnerable just because implementers make the common mistakes that occur over and over again. So the goal of this project is just to help people find those mistakes in their code and to prevent them from occurring.

Dave Bittner: [00:12:39:20] So what's the practical use of this? You feed your code into this project and it analyzes it?

Jonathan Katz: [00:12:46:00] Yes, exactly. So this would basically do exactly that. You feed your source code in and what it has is some tests for some ten or twenty or so of the most common mistakes that people tend to make in their code and it will let you know if it spots those errors. Now of course it's not foolproof, there can always be new mistakes that people make, but at least this will catch 95% of the most common errors that people tend to do.

Dave Bittner: [00:13:09:18] And when you're talking about errors, what are we talking about? Are these typos or different kinds of implementation errors?

Jonathan Katz: [00:13:16:18] So these are not quite typos, these are more subtle and more things that have to do with the way the underlying cryptographic algorithms are used. Just as one high level example, there are a lot of cryptographic algorithms that assume that you're using a nonce - which is supposed to be a number that's chosen at random and never repeats - and what this can do is it can check for biases in those nonces, that means that they're distributed non-uniformly, or even the potential that nonces might repeat over time which would destroy the underlying security of the algorithm.

Dave Bittner: [00:13:47:14] This is on Google's security blog. It's Project Wycheproof. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:13:55:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber threats, visit cylance.com.

Dave Bittner: [00:14:13:06] If you're looking to spread the word about your product or service and help support the CyberWire through sponsorship, a heads up, our sponsorship slots for 2017 are just about sold out. But don't fret, we've opened up a limited number of spaces for 2018 for pre-sale, but they won't last long. Head on over to thecyberwire.com/sponsors for more information.

Dave Bittner: [00:14:33:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, our technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.