The CyberWire Daily Podcast 8.7.17
Ep 407 | 8.7.17

US Army bans DJI COTS drones. Amazon will scan AWS customers' S3 buckets for public accessibility. Recommendations for election security. Marcus Hutchins pleads not guilty to Kronos-related charges.

Transcript

Dave Bittner: [00:00:00:14] If you go to patreon.com/thecyberwire you can find out how to become a contributor and at the $10 per month level you gain access to the ad-free version of our show. It's the same CyberWire, just without the ads. So check it out, patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:20:15] The US Army bans all use of DJI commercial off-the-shelf drones. We discuss two known unknowns and offer some background on defense acquisition practices. Amazon will begin scanning AWS customers' buckets for publicly accessible data. White hat hackers offer recommendations for election security. And Marcus Hutchins, a.k.a. MalwareTech, pleads not guilty to Kronos-related charges and makes bail.

Dave Bittner: [00:00:51:01] And now something about our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics: you can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality and some insights into how these technologies can help you, go to e8security.com/ai-ml and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at e8security.com/ai-ml. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:57:19] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 7th, 2017.

Dave Bittner: [00:02:08:11] The US Army last Wednesday ordered all units to immediately stop using DJI drones. The order, which came to public attention over the weekend, derives from unspecified concerns over cybersecurity, with the directive citing but not quoting two classified studies of drone vulnerabilities.

Dave Bittner: [00:02:26:04] DJI, a Chinese firm, had been criticized in the past by consumers for collecting too much about users, including geolocation data. In particular it required users to report certain information, said to be necessary for safer drone flights, and better compliance with geofencing. Users who elected not to provide the information would find that their drones would be either severely limited in range and endurance or disabled entirely.

Dave Bittner: [00:02:53:01] Exactly what worries the US Army is unspecified but speculation centers on two possibilities, either the risk of collection against army operations by a Chinese company that could presumably share the information gathered with its government or the possibility of drones being disabled remotely by either the vendor or hackers. Such concerns are of course not mutually exclusive.

Dave Bittner: [00:03:16:02] The order to take the drones out of service came last week from the G3/5/7, the Deputy Chief of Staff, Operations, Plans and Training. It was explicit and peremptory. All DJI products are to be taken out of service from drones to software to controllers and down to the batteries that power them all.

Dave Bittner: [00:03:35:13] So what, you might ask, is the US Army doing buying drones from a Chinese manufacturer? This is perhaps worth a quick explanation in terms of the US Government's acquisition system. It's been pointed out in coverage of the incident that these are COTS purchases. They're purchases of commercial off-the-shelf systems. There is no program of record buying commercial drones from China or elsewhere. That is, there's no acquisition program that appears in the Future Years Defense Plan, the so-called "FYDP," through a Program Objective Memorandum, or "POM," that makes the program a "line item record" in the Defense Budget. Programs of record are the sorts of acquisition programs through which tanks, attack helicopters and the like are acquired.

Dave Bittner: [00:04:19:07] It's been recognized for some time that the Defense acquisition process, while admirably suited to buying big long-lead time items surrounded by plenty of watchdogs and litigation, think shipbuilding for example, is less suitable for buying things whose technology evolves rapidly, are relatively inexpensive and probably don't require extensive militarization. So notoriously IT purchases have tended to be encumbered rather than facilitated by the acquisition system.

Dave Bittner: [00:04:48:04] In areas where civilian technological development outpaces military development, it makes sense to authorize quick purchases of relatively low cost items. Drones are a good example. DJI drones, also called quadcopters, carry cameras, mostly for photographers and hobbyists, and they can be bought online for between $500 and $3,000. DJI drones were COTS purchases.

Dave Bittner: [00:05:11:24] Two interesting questions remain open. First, what vulnerabilities is the US Army worried about and second, why does the ban cover just DJI? Why would their products be particularly objectionable? There are lots of other photo drones out there of comparable performance and price and many of those are made in China too but the G3 singled out DJI for mention in dispatches. The story is developing.

Dave Bittner: [00:05:37:10] Turning to data breaches, it's been noted that many of this year's high profile incidents have so far been cases of inadvertent exposure of databases stored in clouds. In particular, customer misconfigurations of Amazon Web Services S3 buckets have embarrassed users across several sectors: political consulting, journalism, government contracting and so on. While properly configuring your data buckets is the data owner's responsibility, and not the cloud provider's, Amazon is working to lend a helping hand by scanning for publicly available S3 buckets and asking the buckets' owners if they really do want their data to be generally available.

Dave Bittner: [00:06:16:04] White hats who looked at voting machine vulnerabilities for the recent conferences in Las Vegas have recommended ways of making elections more secure. WIRED distilled their suggestions into a five step path to more secure elections. First, retire old, outdated and vulnerable machines. Second, secure registration systems and voter databases. Third, require security audits of any polling system that uses electronic voting machines. Fourth, make patching machines easier. Loosen up procurement rules and practices if that's necessary to get upgrades done. And fifth, improve poll workers' training to make them more alert for election hacking.

Dave Bittner: [00:06:55:01] Marcus Hutchins, a.k.a. MalwareTech, the researcher credited with, inadvertently, flipping WannaCry's kill switch, is out on bail after pleading not guilty in a US court. He was arrested by the FBI in Nevada last week after attending DEF CON and Black Hat. He's facing charges related to creation and distribution of the Kronos banking Trojan. Prosecutors say that Hutchins admitted developing Kronos, but that was before he lawyered up and pled not guilty. They also allege that he was involved in offering Kronos for sale in various dark web markets.

Dave Bittner: [00:07:28:24] The case is likely to set important precedents for vulnerability research. Lawyers who've written about the case comment that the prosecution has what they characterize as an "aggressive" theory of the crime. Security researchers think that theory sufficiently aggressive to chill legitimate vulnerability research, including developing proof of concept exploits, writing innocent code that criminals could obtain and repurpose, engaging with black and gray hats in various online venues and so on.

Dave Bittner: [00:08:02:14] Now a word about our sponsor, the upcoming Cyber Security Conference for Executives. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security will host the event on Tuesday, September 19th in Baltimore, Maryland, on the Johns Hopkins Homewood Campus. The theme this year is Emerging Global Cyber Threats and the Conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at thecyberwire.com/jhucompass. Learn more about the current and emerging cybersecurity threats to organizations and how executives can better protect their enterprise's data. Speakers include Cyber Lawyer, Howard Feldman, IoT Engineering Expert, Dr. Kevin Kornegay, and Healthcare Data Security Thought Leader, Robert Wood. You can find out more at thecyberwire.com/jhucompass. And we thank the Cyber Security Conference for Executives for sponsoring our show.

Dave Bittner: [00:09:05:04] And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, great to have you back. You know, we see from time to time people have this notion that organizations should be allowed to hack back. When someone comes at them they should be able not only to defend but to strike back. What's your take on this?

Dale Drew: [00:09:25:06] I, you know, I think, I think hacking, I think the idea of hack back is a signal of the frustration that we cannot solve this bad guy problem as quickly as, as we need to, and so, you know, it's, it's intended to put the tools in the hands of the victim, so that they can go back to the, the system that is breaking into them, get access to that system, remove the application that's attacking them and potentially either delete or recover data that's been stolen from them. You know, so for example there's a, there's a Tom Graves who is a, a Republican out of Georgia, has introduced a bill to Congress called The Active Cyber Defense Certainty. And this isn't the first hack back legislation that's been proposed, but it was one that was sort of released as the result of the impact of WannaCry.

Dale Drew: [00:10:15:23] My, my biggest concern about things like, you know, hack back legislation, is just the law of, of unintended consequences. As an example, when you're getting attacked by a system and you now have the cover, the legal cover, to be able to break into that system, the same way the bad guy did and be able to stop the attack, you don't know the system you're breaking into, you don't know the purpose that their system is doing. So you don't know if it's a medical device, you don't know if it's a mission critical system, and then you're relying on the forensic capability of the victim to be able to figure out which application and which user is causing the damage and you're giving them the authority to alter that system, you're giving the authority to, to kill the application or delete the user or alter the system state so no-one else can break in, as well as deleting data that you believe might be your data. But who knows what you're actually potentially deleting on the system. And so one is, you know, what happens when you put that sort of power and authority into someone else's hands and they cause unintended consequences. Because the bad guy's breaking into somebody else's computer to break into yours and so you're going to break in to that other company's computer to, to try to stop it, but you could be causing damage.

Dale Drew: [00:11:28:11] The other one is while that might be eventually illegal in the US, you might be accessing systems outside the US, and so you don't know where your legal authority begins and ends, because the Internet is a global apparatus. It's not a US based apparatus. You might be legal in the US but breaking the law internationally. And if you cause damage on that computer internationally, you're liable for it, where the bad guy is liable for it only if they can get caught. You're liable for it because you're doing it under the color of law, apparently the color of law.

Dale Drew: [00:11:59:22] And then the last one that I'm worried about is just this sort of ambiguous definition of an attack. How do you distinguish the notion of you defending your infrastructure from being attacked by doing a ha-- you know, a hack back versus a cyberattack against your competitors, claiming that they attempted to break in to you? So this, this could give people a license to be able to justify breaking into other people's computer systems and claiming that, you know, I got port scanned by somebody or somebody went to my web page and it was really suspicious and so I'm hacking back and it turns out that it was a competitor. So I think this really opens the door to a significant amount of unintended consequences that will not really move us forward in evolving our security capability of stopping the bad guys.

Dave Bittner: [00:12:49:18] Dale Drew, thanks for joining us.

Dave Bittner: [00:12:53:08] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. A reminder that if you're interested in threat intelligence, you should check out the Recorded Future podcast where I am also the host. You can find out more about that at recordedfuture.com/podcast. And while you're checking out podcasts, check out the Grumpy Old Geeks Podcast. I join Jason and Brian for a weekly segment there called "Security Hah!" It's a good time, the language is a little bit salty so consider yourself warned. You can find the Grumpy Old Geeks podcast wherever all the fine podcasts are sold. And while we're asking you to do things, check out patreon.com/thecyberwire to find out how you can become a supporter of our show. And speaking of supporting our show, one of the best ways you can support our show is by leaving a review for us on iTunes.

Dave Bittner: [00:13:53:04] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.