Controlled unclassified information requirements affect federal contractors.
Cleared Defense Contractors will see DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, compliance requirements appear in DoD contracts. These requirements must be implemented within 30 days of contract award. The Information Security Oversight Office (ISOO) is responsible for one of those requirements, implementing the NIST SP 800-171. Learn more about CUI compliance in this joint webinar presented by ISOO and SecureStrux.
The Week that Was.
October 27, 2018.
By The CyberWire Staff
US Cyber Command lets individual Russian operators know that Uncle Sam cares.
The US is reaching out directly to individuals involved in Russian influence operations. US Cyber Command is reported to be direct-messaging election-meddling trolls (New York Times). The message is as simple as it is direct: we know who you are and what you're doing, and you'd be well-advised to stop (Ars Technica). Observers differ as to how effective this will be as a deterrent (Slate), but recent US indictments of individual Russian nationals for their role in influence operations give the warnings some point (Slate). And it's unknown what other retaliatory operations Cyber Command may have under preparation or in progress.
Become a Cyber Spartan and Defend the Gates of America. At Invictus International Consulting we are hiring DevOps, Cloud, Security Engineers, and Cyber Weapons Developers to serve our government and commercial clients. Join us.
A look back at TRITON/TRISIS.
FireEye attributed the TRITON/TRISIS attack against safety systems in a Saudi petrochemical facility to Russia with "high confidence." FireEye concluded that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow wrote some of the code. It's possible but uncertain that it was entirely a Russian operation. The question is complex: several actors had motive to hit the facility. FireEye's evidence is compelling but circumstantial (Forbes).
Dragos, presenting at the ICS Security Conference, described Xenotime, the threat actor behind TRISIS/TRITON. Cyberattacks like this are designed to kill. Dragos CEO Lee offered some encouragement when he cautioned people against forming a picture of the attacker as hyper-competent and effectively invincible. Instead, remember that attackers make mistakes, too. With TRISIS they shut the facility down, twice, which wasn't their intention. They wanted it to operate in an unsafe mode. Lee suggested an alternative picture of industrial control system hackers: they're 18 to 30 years old, in their first government job, dealing with management and PowerPoint, "just like you" (The CyberWire).
Edgewise recently published Zero Trust Security for Dummies. We've got answers to questions like: What is zero trust? How do I get started with zero trust? Why is a data-centric model of zero trust the best approach? Download Zero Trust Security for Dummies today.
Indictments and information operations.
The US Department of Justice has indicted a Russian national, Elena Alekseevna Khusyaynova, for conspiracy to influence US 2018 elections. Her indictment marks the first charges brought in connection with midterm voting. She's an accountant managing the finances for "Project Lakhta," an influence campaign intended as usual to inflame existing American political and cultural flash points. Ms Khusyaynova isn't in custody, but if she's ever tried, she could face five years' imprisonment.
Project Lakhta used the familiar trolls farmed along the Neva, but it also sought, with some success, to rope unwitting Americans into the op, often by forming and moderating social media groups. Moscow doesn't particularly care who gets elected as long as Americans grow to hate and mistrust one another. As the Justice Department points out in its comments on the Khusyaynova indictment, "The conspirators’ alleged activities did not exclusively adopt one ideological view; they wrote on topics from varied and sometimes opposing perspectives."
Observers are struck by the "weaponization" of Internet advertising technology (Data and Society). The means may be novel, the precepts less so. As the Grugq observes, "People keep rediscovering the basic principles of propaganda that were documented a century ago. It’s basically like every new technology demonstrates the old maxim: 6 months in the laboratory can save an afternoon in the library!"
Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
Apple calls for an American GDPR, and takes a whack at the "data-industrial complex."
Apple CEO Tim Cook has called for a comprehensive US privacy law. He said Wednesday the effects of the EU's GDPR had been positive, and he expressed the hope that the US would follow suit with comparable regulation. Apple of course has long differentiated itself from other Silicon Valley tech giants by its public commitment to privacy. Apple sells devices, not data, which would be the basic product of companies like Google and Facebook (Washington Post). Mr. Cook has famously pointed across Silicon Valley in the general direction of Google and said, "If you're not paying for the product, you are the product."
Cook also strongly reiterated the company's long-standing opposition to any weakening or subversion of device encryption. Giving governments easy access to people's devices is a threat, he maintains, to basic rights to privacy. Not everyone may feel that way, especially those in what Cook called the "data industrial complex" (Washington Post).
Former Facebook security chief Alex Stamos replied to Cook with a tu quoque: how about coming clean on how the iCloud works? And what about those VPN apps you took down at the request of the Chinese government (Naked Security)?
Create a culture of cybersecurity awareness with Coachable Moments.
According to The Ponemon Institute, two out of three insider threat incidents are caused by employee or contractor mistakes. The good news is, these mistakes can easily be avoided ... with the right coaching. Just in time for Cybersecurity Awareness Month, the Coachable Moments series from ObserveIT gives cybersecurity teams the tools they need to empower people to understand the policies and best-practices intended to keep them safe. Check out Coachable Moments today to learn more.
Supply-chain seeding attack recedes further into implausibility.
Amazon and Supermicro have joined Apple in demanding that Bloomberg retract its story about Chinese supply-chain poisoning of motherboards with spy chips. There's still neither confirmation nor retraction of the story, but at this point Bloomberg effectively stands alone (Serve the Home). Security Boulevard reflects on the story and offers some advice for journalists covering cyber stories.
Crime and punishment.
A collection of Hoosiers who play Call of Duty are accused (but not, apparently, charged, at least yet) of stealing some $3 million in cryptocurrency. They are thought to have used a swatting operation to coerce a co-conspirator into working with them (News BTC). There seems to be an odd and disturbing subculture of swatting among online gamers, many of whom see this as a legitimate way of disciplining other gamers whom they think are in one way or another out-of-line and recalcitrant (WIRED).
The Celebgate hacker, a former high school teacher, has copped a guilty plea to Federal charges of gaining access to a protected computer and aggravated identity theft. Christopher Brannan will face a minimum sentence of two years, but both sides in the trial have recommended thirty-two months to the judge (US Department of Justice).
Courts and torts.
Google and Facebook are being sued, separately, for violating users' privacy through unauthorized geotracking (Naked Security).
Fallout from the recent indictment of a Treasury Department official charged with leaking sensitive financial information includes fears that banks will be more reluctant to share information concerning potential financial crimes with the Government. They receive civil immunity when they make such disclosures, but they may grow mum if they're not confident that the information they provide the Government won't be leaked (Wall Street Journal). The leak itself looks like an inside-baseball affair, with roots in an intra-bureaucratic squabble that goes back to the previous Administration (Wall Street Journal).
The European Court of Justice has ruled that you can't get yourself off the hook in a lawsuit alleging piracy simply by pointing out that your family members could have done it when you weren't around. Publisher Bastei Lübbe sued one Michael Strotzer in a Munich court for pirating one of the firm's audiobooks. The pathetic Herr Strotzer offered in his defense that his parents had access to his Internet connection, and so they could've done it. Well, no. Upon appeal the European Court of Justice clarified the way in which German law should be interpreted, and that this defense is no defense (Naked Security). Pathetic. First Mutti, then Oma? Sad!
Policies, procurements, and agency equities.
In the US, NSA is working out three contracts collectively known as "Greenway," said to aim at enhancing agency communications. General Dynamics, AT&T, and ManTech are the three primes. Together the three vehicles are reported to have a total contract value of $6.7 billion (Nextgov).
In a vote expected shortly after the midterm elections, the US Congress is thought likely to approve legislation establishing a new civilian cybersecurity agency in the Department of Homeland Security (Washington Examiner).
That Department's National Risk Management Center continues to expand the industrial sectors with which it cooperates. It began with finance, telecommunications, and energy, and intends eventually to expand into a total of sixteen sectors (Federal News Network).
Fortunes of commerce.
ESET appears set for a major change of direction, transforming itself from a software company (its antivirus programs are well-known and widely used) into a cybersecurity consultancy (Tawahul Tech News).
Sputnik says that, despite mistrust and regulatory headwinds in the Five Eyes (the US in particular) Kaspersky Lab is doing quite well in other markets, thank you very much. Not so much in the UK, however, where Kaspersky's global transparency initiative has failed to gain much traction with HM Government (New Statesman).
Huawei remains under suspicion in all Five of the Eyes. In Canada a former defence minister and a former CSIS director urge the Government to keep the company out of the country's 5G network (CTV News), but Prime Minister Trudeau sees no particular reason to reverse a decision that would allow the company into Canada. In this respect the letter two US Senators sent the Prime Minister warning him against Huawei may well have backfired (Interpreter). The company is by no means giving up on the international 5G market. It will establish a lab in Germany that would enable the code reviews Huawei believes will facilitate its participation in 5G network build-outs. The lab is expected to open in Bonn on November 16th (CRN).
Following reports that President Trump's iPhone is not secure, denied by the President (TechCrunch), China's Foreign Ministry suggests the President would be much better off using a Huawei device, so give Beijing due credit for a cheeky sense of humor (Reuters).
Google has dropped plans for an incubator campus in Berlin. The proposed center had been protested by locals (Applesque criticism of data collection and use, etc.) who've claimed victory, but Google did not attribute its decision to the unwelcoming reception (BBC). More generally, the company's secrecy and pervasive reach is seen as a liability, and likely to prompt both litigation and legislation (Washington Post).
Facebook, stung by breaches and data handling scandals, is rumored to be in the market to buy a cybersecurity company (The Information). The Motley Fool speculates that FireEye would be a good acquisition for the House of Zuckerberg. Bloomberg Law argues that such an acquisition wouldn't prove a panacea, but then few things do, and that's not necessarily a reason to think a Facebook M&A move would be completely futile.
One of the factors that may have contributed to Big Tech's Gilded Age is the outsized concentration of shareholder power in founders' hands (WIRED).
SIGNAL offers some advice to small businesses working in the Defense contracting space, and how they could usefully approach cybersecurity.
Apart from familiar difficulties developing an adequate cybersecurity workforce, in the US Government contractors face additional problems with the lengthy clearance process. Some are turning to more easily cleared younger workers (Wall Street Journal).
Raytheon has partnered with universities in the UK and Kuwait in an effort to increase the numbers of qualified cybersecurity professionals. The company announced that it will work with the University of Gloucestershire, Lancaster University, and Kuwait University to attract students into cybersecurity careers (PRNewswire).
There are also, in the US, state-level efforts to redress shortfalls in the labor market. The Ohio National Guard, for one, is involved in one such statewide program (Columbus Dispatch).
Applied Insight has acquired Organizational Strategies. Both companies work in the US Federal contracting space. The acquisition is expected to deliver enhanced capabilities in mission support for the US Intelligence Community (AP).
Fortinet announced its acquisition of ZoneFox, the Scottish threat-analytics startup, for initial consideration of $18 million. It's an insider-threat security play for Fortinet, which sees ZoneFox's cloud-based threat-hunting technology as complementary to Fortinet's endpoint security and SIEM offerings (CRN).
Bitdefender is buying RedSocks Security, a network traffic and behavior analysis start-up whose security intelligence technology is expected to complement Bitdefender's endpoint protection expertise. Terms were not immediately disclosed (CRN).
Oracle is acquiring predictive-intelligence-as-a-service shop DataFox for an undisclosed amount. Oracle expects DataFox to enhance its cloud offerings (TechCrunch).
Check Point is buying Dome9 for $175 million. It expects to integrate Dome9's advanced active policy enforcement and multi-cloud protection capabilities into its offerings. Both companies are based in Israel (SecurityWeek). The transaction was handled by the O'Melveny law firm.
CrowdStrike moves closer to an IPO. Reuters reported at the end of last week that the company had retained Goldman Sachs to organize the offering. Plans for the IPO are still in their preliminary stages and could change, but the offering is expected to take place in 2019, and the company is thought to expect a valuation of approximately $3 billion (CRN).
Cloudflare is also said to be considering an IPO, and like CrowdStrike has retained Goldman Sachs to handle the offering. The company is looking for a $3.5 billion valuation (CRN).
Wallarm, an application security shop based in California's Silicon Valley, has received an $8 million Series A round led by Toba Capital (PRWeb).
Israeli cybersecurity investment firm Team8 has established an $85-million fund with the intention of investing in eight new cybersecurity start-ups over the next five years. It's being backed by a number of large international firms, including Walmart, Airbus, Softbank Group, Moody’s Corp., Dimension Data, Munich Re, Barclays Plc and Scotiabank (Times of Israel).
MIT spinoff and blockchain shop Algorand has raised $62 million and hired some former Logmein and Fuze executives. The round was led by an international consortium of thirty investors. Algorand intends to launch its blockchain platform next year, and says it's solved the problem of making the technology simultaneously scalable, secure, and decentralized (BostInno).
IBM mulls app stores and thinks they may offer a wisdom of crowds with respect to data security innovation (Security Intelligence).
London's start-up ecosystem remains dynamic. The UK as a whole now has fifteen unicorns in the tech sector (Telegraph). Paris is positioning itself as a competing center of innovation (Telegraph).
Check Point co-founder Marius Nacht sees digitized healthcare and life sciences as the next major opportunity for Israeli innovation (Times of Israel).
"The Chameleon and the Snake" exercise DreamPort conducted for US Cyber Command pitted attackers against defenders, with each side challenged to create and deploy a single tool for use against the other (Fifth Domain).
Today's issue includes events affecting Kuwait, Russia, United Kingdom, United States.
A note to our readers: Having trouble with the CyberWire hitting your junk folder? Consider adding our domain (thecyberwire.com) or email address (firstname.lastname@example.org) to your whitelist or address book.
ON THE PODCAST
Research Saturday is up. In this edition we hear about "faxploitation." Researchers at security firm Check Point Software Technologies explored the possibility of exploiting old, complex fax protocols to gain access to modern multifunction office printers, and then pivot to connected networks. Yaniv Balmas is head of security research at Check Point, and he joins us to share what he and his colleague Eyal Itkin discovered.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.