When 95% of breaches are human error, why is it on the last line of our security budget?
The week that was.
Mole hunt updates.
It's still unclear who the Shadow Brokers' source was, but a third NSA employee entered a guilty plea Friday to willful retention of classified information. Nghia Hoang Pho removed classified material from NSA between 2010 and March 2015. Pho's computer is the much-discussed one whose Kaspersky software pulled highly classified files. Sources say Pho took the classified material home so he could use it to help rewrite his resume (New York Times).
Another alleged mole in custody, Reality Winner, was this week denied pre-trial release. Ms Winner, former Air Force, former NSA, and former NSA contractor, faces Federal charges related to her alleged attempt to pass highly classified material to the Intercept (Military Times).
An inspector general's report this week found that US Defense Department programs for monitoring and controlling privileged access to sensitive information are still wanting, even post-Snowden (Fifth Domain). The report may be read in its entirety here. Challenge 4, "Increasing Cybersecurity and Cyber Capabilities," and Challenge 8, "Ensuring Ethical Conduct," are particularly interesting.
Your cyber security posture is right of boom.
Unsecured AWS S3 bucket contained sensitive US Army INSCOM data.
Researchers at UpGuard found the insecurely configured database contained Red Disk material. Red Disk, an adjunct to the US Army's Distributed Common Ground System (DCGS) was intended to provide multi-level security, centralized data ingestion and handling, and readily sharable information for tactical operations. It's generally regarded as an unsuccessful program, unpopular with its intended users. Failed or not, Red Disk information still shouldn't have leaked. The US Army's Intelligence and Security Command (INSCOM) is a component of NSA's Central Security Service.
Another major exposure hit the private sector, too: 111GB of sensitive information, including credit histories, were in a misconfigured National Credit Federation bucket (Infosecurity Magazine).
What is the state of WPA2, are public WiFis safe now?
Former US National Security Advisor pleads guilty.
Michael Flynn, who also said he's cooperating with Special Counsel Robert Mueller's investigation, on Friday entered a guilty plea to charges he lied to the FBI about his conversations with the Russian ambassador (New York Times).
DevSecOps experts from Visa and CYBRIC talk cyber threat survival.
Carelessness or misdirection?
The Cobalt Group, thieves who specialize in financial institutions, have been exploiting Windows systems that remain unpatched for an old Office vulnerability. They've also apparently leaked a list of their targets by making the rookie mistake of putting the marks' email addresses in the open "To" field of their spam, as opposed to the more customary "BCC" field, which would have obscured the addressees. But there's some speculation that the apparent lapse may be deliberate, wolf-meat tossed to security researchers as misdirection to cover the real targets, which Cobalt is quietly working elsewhere (Bleeping Computer).
The team matters in the world of industrial security.
The Uber hack.
Nobody really believes the hackers who told Uber that if paid, they'd delete the data they stole, actually deleted what they took (Ars Technica). We also now know roughly what the hacking discount is for a stake in Uber. Judging from SoftBank's offer, it looks like a 30% markdown (TechCrunch). The ride-share company has posted another large quarterly loss: $1.5 billion for the third quarter of 2017 (Ars Technica). The company also faces a growing number of lawsuits (Dark Reading).
Among the new security measures Uber's CEO Dara Khosrowshahi has instituted is a crackdown on employee use of secure messaging apps like Wickr and Telegram (Mashable). His intent is to keep discussion of business matters out of difficult-to-monitor side channels. The policy has been in place since soon after Khosrowshahi took the CEO's job, but he tweeted about it Wednesday. The policy is relevant because of criticism of Uber's security practices that's surfaced in current litigation over self-driving-car intellectual property that involves Uber, Google's parent Alphabet, and Waymo (Recode). A memo came to light that may indicate it was Uber's practice to conceal discussion and (allegedly) poaching of intellectual property over "ephemeral communications, non-attributable devices, and false attorney-client privilege designations with the specific intent of preventing the discovery of devices, documents, and communications in anticipated litigation" (Roadshow).
The tally of people in the UK affected by the Uber breach is now placed at 2.7 million (TechCrunch). Internationally, the incident continues to prompt calls for more stringent regulation of data handling and breach disclosure (Daily Star). There's also speculation that the ride-sharing firm's departed security chief might not be out of work for much longer (Outline).
Equifax breach update.
Equifax Canada has more than doubled its estimate of the number of Canadian citizens' whose data were caught up in the credit bureau's breach: the firm now places its estimate at 19,000, up from 8,000 (CTV News).
Shipbroker declines to pay ransom.
Clarksons, a major shipping firm based in London, disclosed Wednesday that it was hit by cybercriminals who accessed its networks, apparently through one authorized user's stolen credentials. The attackers obtained sensitive company data which they threatened to release if they weren't paid ransom (Reuters). This wasn't a ransomware attack, but rather more conventional blackmail. Clarksons declined to pay, disabled the affected account, and is working closely with law enforcement (Logistics Management).
Relationship building vs. relationship breaking as an influence strategy.
Venezuela's government, evidently having no domestic challenges left to engage its energies, has been assisting the Russian organs with information operations aimed at keeping Catalan independence controversy in Spain on the boil (Daily Beast).
Trolling from Moscow (or St. Petersburg) has been less than edifying. While there may be a high-minded pose of self-determination and national aspiration long-deferred in Catalan-themed engagements, this was not the case with the activity reported during the last US election cycle. In that campaign the content was scurrilous: violent, racist, and cunningly depraved, as befits an operation devoted to fomenting resentment, mistrust, and chaos (NBC). For their part, Russian leaders see the US Government as engaged in driving a wedge between the Kremlin and Russian oligarchs (Washington Examiner)
The head of the UK's MI6 is said to have identified Russia as the principal threat to British security (Times) and US Secretary of State Tillerson denounced Russia's "malicious tactics" (Washington Post).
By way of contrast, Chinese influence operations in the US appear to be more honey than vinegar, seeking to build relationships through grants, partnerships, and so forth (Foreign Policy).
Social networking by other means.
NATO, tired of being slapped around in cyberspace, is in an increasingly hawkish mood with respect to its eastern neighbor, which has played a weak hand with considerable skill. Informed by the experience of its new members from the Near Abroad, the Atlantic Alliance is considering assuming an active defense to push back against Russian cyber offensives (Business Insider).
Autarchy as a defensive strategy.
Russia says it will build its own DNS, a response, Moscow says, to American cyber aggression (Defense One). The projected system represents an attempt to bring large sections of the Internet into Russia's virtual sphere of influence. The new DNS, which Russian planners hope to bring online by August of next year, is designed to attract the other BRICS countries (Brazil, Russia, India, China, and South Africa) into the system (Bleeping Computer).
AI isn't always quite as A as it seems.
Expensify uses a lot of human talent to sift through the receipts submitted to the corporate expense accounting service (WIRED).
Giving the Tin Man a heart.
Or, if you prefer, turning Pinocchio into a real, live boy. Facebook says it will soon deploy an artificial intelligence to determine, from near-realtime scanning of content, whether someone presents a suicide risk (TechCrunch).
Facebook also has said it's disabled targeting of ads to specific ethnic groups, which a trial by Pro Publica seemed to indicate amounted to a subtle form of redlining. Facebook cites a "technical failure" in its system for the problem. The social media platform had employed various algorithms to infer ethnicity and other characteristics of interest to advertisers (BBC).
But the Tin Man may be up against a Terminator.
McAfee warns of a coming machine-learning "arms race" between criminals and defenders (Datanami). Comodo, RiskIQ, and Malwarebytes see a rapidly expanding attack surface, inflated by cryptocurrency adoption, the rise of data lakes, and the quick growth of the Internet-of-things, as providing a strong incentive for criminals to become increasingly "strategic." That means attackers can be expected to take advantage of more sophisticated black markets and to bring artificially intelligent technologies into their operations (CSO). Forbes offers a survey of what AI can be realistically expected to accomplish in network defense.
Three Chinese nationals are indicted for hacking.
They're not in custody, nor are they likely to be taken into custody. The US Department of Justice returned indictments against three Chinese nationals employed by Boyusec, a cybersecurity company that was disestablished earlier in November. They're said to have hacked into Siemens, Moody's Analytics, and Trimble to steal intellectual property. As the US Attorney points out, individuals were charged, not the Chinese government, but it's not difficult to see the indictment as a shot at Beijing's state-directed industrial espionage program (Foreign Policy).
The US has indicted people for hacking who were out of reach before: Russians, Chinese, and Iranians in particular. It's been part of a "naming and shaming" approach to deterring crime. Eventually it's likely that some of those under indictment may travel to a place where they can be arrested and extradited. It happened, after all, to Roman Seleznev, son of a prominent member of Russia's Duma, who incautiously vacationed in the Maldives with his girlfriend in 2014. He'd been indicted in 2011, in April of this year received a twenty-seven year sentence from a US Federal District Court in Seattle (New York Times). Just this week a Federal Court in Georgia tacked on fourteen more years for racketeering and bank fraud (Infosecurity Magazine).
The approach has its fans, and we extend congratulations to the FBI's Pittsburgh Field Office for their solid investigatory work in the Boyusec case, but not everyone is convinced Department of Justice's indictments are necessarily a good idea. It's not only the US that can name and shame, and the Americans have their cyber operators, too, and it's not unreasonable that they might worry about international retaliation (WIRED).
Credit card fraud down over Black Friday.
As the holiday shopping season opens, there's some perhaps unexpected good news: credit card fraud has dropped. An Iovation quick study indicates that credit card fraud dropped 29% over 2016's Black Friday weekend. The reasons are not too complication: retailers have been able to do a better job of detecting fraud, with wider adoption of chip-and-pin technology credited with giving them a big assist (Help Net Security).
Apple fixed a bug that exposed MacOS High Sierra machines to rooting (TechCrunch). The patch is an important one; there's plenty of advice on how best to apply it (Naked Security). Cisco has patched six vulnerabilities in its widely used WebEx players (Threatpost).
Annals of creative slacking: Michael Faraday, call your office when you get to the 19th hole.
Were you aware that a (presumably mostly empty) snack-food bag could serve as an impromptu but effective Faraday cage? Mr. Tom Colella, a "Twisties" puffs fancier, was. He used an empty Twisties bag to enclose his PDA, thereby blocking the ability of his employer, the Western Australia water management outfit Aroona Alliance, to discern that he was not on the job, but rather on the links playing a few rounds of golf. Apparently 140 or so rounds of golf. Twisties come in an aluminized Mylar bag, which apparently did the trick as long as it was closed and grounded. Aroona managers were aware that Mr. Colella liked to keep his PDA wrapped in a Twisties bag, but seem to have regarded this as a harmless eccentricity until they twigged to the whole Faraday cage thing, and then all that time on the course. (Ars Technica). Would this work with an Utz potato chip bag? The Old Bay seasoned kind? We're asking for a friend.
Akamai completed its acquisition of Nominium this week (Multichannel News). Trend Micro announced that it was buying application security firm Immunio. The company intends to use the acquisition to move its hybrid cloud security into the devops market (Dark Reading). Qualys on Wednesday said it had agreed to acquire assets of Netwatcher in a cash transaction (Qualys).
Nokia was rumored to be in talks directed at an acquisition of Juniper Networks (CRN), but Nokia has said there's nothing to the scuttlebutt, and they're not talking about buying anything (CRN). BlackBerry's security expertise and strong intellectual property portfolio are said to be making it an attractive takeover target (Investor Place).
Proofpoint has offered investors $60 million in cash for Weblife (TechCrunch). The acquisition would represent a play for the market in personal email security for corporate networks (Silicon Valley Business Journal).
McAfee announced its acquisition of cloud security specialists Skyhigh Networks. Terms of the deal haven't been announced, but recent estimates of Skyhigh's valuation have run to about $400 million (TechCrunch).
Another major acquisition's terms are known. Private equity firm Thoma Bravo is taking Barracuda Networks private for $1.6 billion (TechCrunch). Observers think Barracuda had been undervalued by the market, and that being taken private will render it more agile (CRN). Observers see this and other recent M&A activity as evidence of a sector-wide trend toward consolidation (Silicon Angle).
Terbium Labs picked up $6 million in a new funding round led by Glasswing Ventures (Street Insider). Pwnie Express names a board member, Todd DeSisto, its new CEO as the company announces an $8 million investment (xConomy). Reversing Labs made the biggest investment score of the week, however, with a $25 million Series A funding round (Digital Journal).
While there are more privately-held unicorns than ever, observers see a curious contraction in early-stage venture capital (TechCrunch).
A retirement prompts an executive shuffle at Booz Allen Hamilton. Joseph Logue will retire from effective June 30th. Executive Vice President Karen Dahut will succeed him as head of the defense business. Executive Vice President Christopher Ling will lead the intelligence business, and Executive Vice President Kristin Martin Anderson will direct the civil business. The changes will take effect on April 1st, 2018, fiscal new year's day at Booz (Washington Business Journal).
ManTech also has some new leadership: Rick Wagner has been appointed to lead the company's Mission, Cyber, and Intelligence Solutions Group, replacing long-time head Bill Varner, who retires at the end of this year (Washington Technology).
Eugene Kaspersky doubles down on his insistence that Kaspersky Lab was emphatically not spying for the Kremlin. He said this week he and his firm would quit Moscow if the Russian government asked them to conduct cyber espionage on its behalf (ZDNet). The US accusations are, he said, a put-up job, deliberately orchestrated by the US Government (Guardian). All US Government agencies are now said to have completed scanning their enterprises for Kaspersky software. About 15% of the Federal agencies were using it; that percent should shortly drop to essentially zero (Axios).
This CyberWire look back at the Week that Was discusses events affecting Australia, Brazil, China, Denmark, Germany, India, Netherlands, Norway, Russia, Singapore, South Africa, Spain, United Kingdom, United States.
© 2018 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.