What should a new CISO's priorities be at 30, 60, and 90 days?
A CISO’s first 90 days on the job are a window of opportunity to establish credibility, earn the support of other leaders, and make contributions with a positive impact. Coalfire has recommendations that will help newly-hired CISOs quickly add value and set the stage for a long-term success.
The Week that Was.
March 25, 2018.
By The CyberWire Staff
Guccifer 2.0 turns out to be GRU 2.0.
Guccifer 2.0, doxer of the Democratic National Committee during the 2016 US elections, is confirmed to be what he (actually they) was long suspected to be, a team of GRU operators, Russian military intelligence (Ars Technica). It was difficult to track Guccifer 2.0 because of their use of Elite VPN, an anonymizing service headquartered in Russia exiting through a server in France. At least once, however, Guccifer 2.0 forgot to activate the VPN client before logging in, revealing an IP address traced to a GRU facility on Moscow's Grizodubovoy Street.
Guccifer 2.0 posed as a disinterested Romanian hacktivist, but few took this claim at face value. Among those who did, more or less, were some political advisors to the Trump campaign. Special Counsel Mueller has brought FBI agents who worked on Guccifer 2.0 onto his team (Daily Beast).
Motherboard, which long ago offered strong evidence suggesting Guccifer 2.0 wasn't what he claimed to be, says the missteps that betrayed their identity were unsurprising: "Guccifer 2.0 was always sloppy" (Motherboard).
Friday morning the US Justice Department announced the indictment of nine Iranians for a multi-year cyberespionage campaign the Mabna Institute (also named as a defendant) conducted for Iran's Islamic Revolutionary Guard Corps. Charges include conspiracy to commit computer intrusions, wire fraud, unauthorized access of a computer and aggravated identity theft.
The campaign began in universities, where the defendants allegedly phished about 100,000 professors in some 300 universities worldwide. Roughly 8000 professors took the bait. The defendants prospected university data bases for technical information, and then moved to corporations and government offices using "low-and-slow" password spray attacks (CNN).
The Justice Department says 31 terabytes of data were stolen. The US Treasury Department has also imposed sanctions on the individuals and institutions named in the indictment. Extradition and trial of the defendants are unlikely (they're all in Iran) but the prospect of arrest will at least restrict their foreign travels to countries that don't have an extradition agreement with the US.
The Justice Department said the defendants also phished in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the UK (SecurityWeek). The UK joined the US attribution (Mehr). Iran has reacted with anger (BBC).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Cyber conflict may go kinetic.
The recent warning from US-CERT of ongoing Russian operations against US electrical power distribution has placed the industry on alert (Nozomi). US-CERT warned nine days ago, in conjunction with the FBI and the Department of Homeland Security, that Russian operators successfully intruded into electrical grid industrial control systems, albeit without working damage in this first stage of their campaign. Direct and official attribution of a cyber operation to a specific named nation-state is unusual in American practice. Cylance this week identified one of the attack vectors the Russian threat actors have been using: compromised Cisco routers.
Cyberattacks on power grids are particularly worrisome if they affect industrial control systems in ways that enable attackers to drive difficult-to-replace critical components to destruction like turbines. Such destruction was shown to be possible by demonstrations like the US Energy Department's Project Aurora. Such attacks could bring down grids for months, with great attendant suffering. Russian cyber operators have probably been in the US power grid since 2014 at least (Control Global).
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
Kinetic conflict goes diplomatic, and may go cyber.
At least ten and as many as twenty European countries are expelling Russian diplomats in response to the attempted murder by nerve agent of Sergei Skripal and his daughter Yulia. Bulgaria, the Czech Republic, Denmark. Estonia, France, Germany, Ireland, Latvia, Lithuania, the Netherlands, and Poland are committed to expelling Russian diplomats (Guardian). The United States is preparing to do likewise (Bloomberg), and Russia has promised to respond in kind (Sputnik).
Russian Foreign Minister Lavrov denounced these responses as the result of British determination to make relations with Russia as bad as possible. President Putin called accusations of Russian responsibility for the attack "delirium" (CNN). Other Russian officials say it's "highly likely" the UK had stocks of the Novichok agent used in Salisbury, and that the attack was a British provocation (CNN). They've also blamed the US for the attack (CNN). Essentially no one believes either story: attribution to Moscow seems as solid as the attack itself is unprecedented.
The Skripals are heavily sedated and in physically stable condition, but may have suffered severe and permanent neurological damage. The police officer who was hospitalized for exposure to the poison has recovered and been released after two weeks of treatment (Financial Times).
During this period of heightened tension, the UK has been bracing for cyberattacks against its critical infrastructure. The threat is real but so are false alarms: Wiltshire police denied this week that their networks came under Russian attack (Independent).
Do you rely on SAML-based SSO? Better listen to the latest Research Saturday.
On this week’s episode of Research Saturday, we talk about a recently unearthed a new vulnerability class that affects SAML-based single sign-on (SSO) systems. Kelby Ludwig, Senior Application Security Engineer at Duo security, takes us through their research.
Facebook, Cambridge Analytica, and data use.
Wednesday Facebook founder and CEO Mark Zuckerberg broke his public silence on Cambridge Analytica's use of the company's data for psychographic political consultation. Most observers think his statement was too little and too late, and a good lesson in how not to respond to the public about a very public incident. Zuckerberg promised to do better with customer data. He framed the incident as being fundamentally about third-party apps, and it appears that Facebook's response will initially at least concentrate on reining in such apps (CNN Money). He indicated his readiness to testify before US Congressional panels (Politico).
Facebook's COO, Sheryl Sandberg, also appeared at midweek, saying the company's leadership should have spoken out sooner, and that she was "open to regulation" (TechCrunch), which it seems likely she'll get. A California bill under consideration, for example, would require that bots in social media be marked with disclaimers (Motherboard). UK Culture Minister Hancock has summoned Facebook, Twitter, and Google to an April meeting in the woodshed (Times).
A number of observers have commented that Facebook's business model is surrounded by a body guard of shifting EULAs too complicated and volatile to help users give informed consent. The company is under investigation by the US Federal Trade Commission, which wants to determine whether Facebook violated an earlier consent decree that required it to obtain users' permission before sharing their data. If Facebook is found to be in violation of that consent decree, it could face fines of $40,000 per violation (Infosecurity Magazine).
A Deloitte study found that 93% of consumers surveyed would cancel their accounts with services they found were abusing their data. (ZDNet). As with all polls this is a reflection of mood rather than determination or reasoned decision, but there are signs of a developing backlash against free service providers that make their money selling their users' data. It even has its own movement, complete with hashtag, for what that's worth: "#deleteFacebook." The co-founder of WhatsApp (now owned by Facebook) is all in on it (TechCrunch); a Times op-ed sees Facebook as Orwell's telescreen.
The odium surrounding the activities of Cambridge Analytica, the company that harvested and used Facebook data, seems to derive in large part from the nastiness of the self-image it's expressed: manipulation, entrapment, spy-fiction hijinks, etc. (Independent). Steve Bannon, former advisor to President Trump, said that Facebook data "is for sale all over the world" (Guardian).
Predictably, shareholders are filing lawsuits against Facebook. The data handling incident has severely hit the company's value in the markets (Times).
The British Parliament is holding its own inquiry into the Facebook data stewardship affair. A former Facebook platform operations manager has said that the company's handling of data was much larger than what's been revealed in the Cambridge Analytica affair, and that the company at best turned a blind eye to the practices now being condemned (Naked Security). Suspended Cambridge Analytica CEO Alexander Nix has also been recalled to testify before a panel in Westminster investigating fake news (TechCrunch).
German authorities have also opened an investigation of Facebook's data handling practices (Reuters).
Sanctions for IP theft.
Heavy US tariffs imposed on Chinese tech imports are seen as a form of reprisal for cyberattack, specifically for cyberattacks that steal intellectual property (CNBC). They also represent a move against what President Trump called an "out-of-control" trade imbalance (Wall Street Journal).
The US Treasury Department said this week that China had also not lived up to its end of the Sino-American agreement not to hack one another for profit that Presidents Obama and Xi concluded during the last US Administration (CyberScoop).
Much US concern about Chinese cyber operations has manifested itself in measures taken against Huawei. The Chinese company is widely regarded within the Federal Government as a security risk (Bloomberg). Those concerns have also hit Huawei in the US consumer market: Best Buy announced this week it will no longer sell Huawei devices (Tech Radar).
Marching virtually through Georgia.
Atlanta, Georgia, struggles to recover from a SamSam ransomware attack that has locked up a number of city services (KnowBe4). The mayor says they don't yet know whether employee data were breached, but online services have been disrupted and city workers have been told not to turn on their computers. The FBI is investigating (GCN). Travelers take note: wi-fi at busy Hartsfield-Jackson Airport has been affected, and other systems are under inspection (Atlanta Journal-Constitution).
Crime and punishment.
The Government will an easier burden of proof than it feared in the trial of accused NSA hoarder Hal Martin. Prosecutors will not have to show that Mr. Martin both knew the contents of twenty specific documents, and knew that they were classified. As Judge Garbis wrote, "Proof that the defendant knew he was wrongfully retaining the mass of stolen documents is sufficient to satisfy the Government’s willfulness mens rea obligation under [the Espionage Act], if the Government can prove that the specified Charged Documents were in the mass of documents taken and wrongfully retained" (Politico).
British hacker Laurie Love, famous for (allegedly) gaining illegal access to US Government sites to search for evidence that Washington was covering up dealings with extra-terrestrials, will not, ever, face extradition to the United States. British courts found that he'd be likely to commit suicide under the ungentle conditions of American justice, so Mr. Love is safe at home (Ars Technica).
Patching and disclosure.
The consensus on the AMD chip vulnerabilities CTS Labs publicly disclosed on March 13th is that, while real, the issues don't really represent the sort of serious risk CTS said they did. Check Point, among the third-parties who've verified the vulnerabilities, is also among those who disagree with CTS Labs' hair-trigger, detail-redacted disclosure, which Check Point characterized as "very irresponsible" (Check Point). AMD has announced a schedule for addressing the vulnerabilities (SecurityWeek).
Security executives at three of the most influential tech companies are leaving their companies, or at least their jobs (Bleeping Computer). Michal Zalewski, Director of Security Engineering at Google, tweeted Tuesday that he would be leaving the company at the end of this month. He's been with Google for eleven years. No reasons for his departure have been offered (CyberScoop). He's said to be joining Snap, Inc. (Reuters). Twitter's CISO, Michael Coates, is also leaving his company. He'd made his intentions known internally over a month ago. He intends to found a security start-up (Business Insider).
The New York Times reported Monday and Tuesday that Alex Stamos, Facebook's CISO, was leaving that company over disagreements concerning the way Facebook had handled Russian trolling during the 2016 election cycle. Stamos himself tweeted denials that he's leaving (and also denials that any Facebook executives interfered with his team's investigations into Russian ops), saying that he remained fully engaged with the company as he moved to a new role within it. A Forbes opinion piece on Thursday, in the course of praising Facebook leadership for holding one another "accountable to support corporate decisions, even if they disagree," followed the Times in saying that Stamos would leave the company late this summer, which could be consistent with Stamos's denials.
RSA announced the ten finalists for its annual Innovation Sandbox. The companies will compete for top honors on April 16th in San Francisco. The finalists are, in reverse alphabetical order: StackRox (security for containerized and cloud-native applications), ShieldX (multi-cloud security platform), ReFirm Labs (enterprise IoT firmware verification and validation), Hysolate (user freedom within air-gap security), Fortanix (self-defending key management service), cyberGRX (third-party cyber risk management), BlueVector (machine learning and speculative code execution engines), BigID (advanced personal data discovery), Awake (security investigation platform that scales high-level expertise), and Alcavio (deception technology).
Kaspersky will establish a data center in Switzerland to store and analyze suspicious traffic from the company's US and EU clients. The Swiss Transparency Centre is intended to be outside the reach of Russian security and law enforcement authorities; it represents a bid to restore the shaky confidence of Western customers and reassure the that Kaspersky isn't working for Moscow's organs (Data Center Knowledge).
Lloyd's Register has acquired New York-based Nettitude, specialists in risk management, managed detection, incident response (Seatrade Maritime News).
Detectify raised $6.15 million to advance its automated website vulnerability scanning (ReadItQuik). Application security company Virsec has closed $24 million in Series B funding (Globe Newswire). Mobile identity shop Averon has closed a $13.3 million funding round (PRNewswire).
Zscaler, 2018's first cybersecurity IPO, is now nine days into its life as a publicly traded company (Nasdaq). Tenable Network Security is preparing its own IPO, and is said to have hired Morgan Stanley to conduct it (Reuters). DocuSign is also rumored to be preparing an IPO (TechCrunch).
There's a movement among Verizon shareholders to tie executive pay to improvements in cybersecurity (Fast Company).
Congratulations to Akamai co-founder and MIT Professor Tom Leighton. He's won the 2018 Marconi Prize "for his fundamental contributions to technology and the establishment of the content delivery network (CDN) industry" (MIT News). Bravo, Professor Leighton.
Memento, homo, quia pulvis es, et in pulverem reverteris.
Here's an intriguing finding from Enigma Software: malware infections in the US are down about 17% over the past month. That's to say, they're down during Lent, the Christian season of repentance and preparation for Easter. Enigma finds this an interesting seasonal trend, strongly correlated with infection drop-offs in cities with higher than average Catholic populations, like Pittsburgh (a 38% fall-off since Ash Wednesday), Boston (down 36%), New York (a 31% drop), and Chicago (down 23%). Philadelphia, Los Angeles, Las Vegas, and Milwaukee also showed significant declines.
Enigma saw a similar, but smaller drop last year: 14%. "It's very common for people who participate in Lenten activities to curtail usage of things like social media and technology in general in the weeks leading up to Easter," Enigma said. It's the inverse of the higher infection rates typically observed between Thanksgiving and Christmas, when people increase their online activity as they shop and plan holiday events. The researchers don't expect the lower infection rate to last. Things usually return to normal within the octave of Easter.
Today's issue includes events affecting Bulgaria, China, Czech Republic, Denmark, Estonia, European Union, France, Germany, Ireland, Latvia, Lithuania, Netherlands, Poland, Russia, United Kingdom, United States.
A note to our readers: the CyberWire is happy to have been chosen as a finalist for the Maryland Cybersecurity Diversity Award (and the Cybersecurity Association of Maryland's People's Choice Award). You can find out more about the awards (and how to vote for us, if you'd like) here.
ON THE PODCAST
Research Saturday went up yesterday, as usual. This week we spend some time with Duo Security, which recently unearthed a new class of vulnerability that affects SAML-based single sign-on (SSO) systems. An attackers with authenticated access could trick SAML systems into authenticating them as a different user without any need to know that user’s password. Kelby Ludwig, Senior Application Security Engineer at Duo Security, takes us through their discoveries.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.