Learn how to achieve one source of truth for risk, compliance & vulnerability management.
Today most organizations are developing applications, either for external customers or to run the business. Either way, you need to make sure secure software is shipped, especially as the cybersecurity landscape is constantly changing in tactics and intensity. Read how IT resilience platform provider Zerto is using the CYBRIC platform to achieve one source of truth for risk, compliance and vulnerability management across its dynamic SaaS environment and making sure it has the right security processes in place for future growth.
The Week that Was.
September 8, 2018.
By The CyberWire Staff
Britain has had it: let Russia look to its cyber defenses.
At least three of the Five Eyes (and probably the other two) are scowling hard at Moscow. We may be seeing something that amounts, almost, to declared cyberwar between the UK and Russia. British Prime Minister May told Commons Wednesday that the Government had identified the attackers responsible for the Salisbury nerve agent attacks. She named Alexander Petrov and Ruslan Boshirov, as GRU operatives. She said the attacks were "almost certainly" approved at a high level, and that "the full range of tools from across our national security apparatus" will be used against the GRU. That full range of tools is understood to encompass offensive cyber operations (Times). The Prime Minister briefed US President Trump, Canadian Prime Minister Trudeau, and other allies before the UK took its case the United Nations. The US, France, Canada, and Germany all expressed complete solidarity with Great Britain. "We, the leaders of France, Germany, the United States, Canada and the United Kingdom, reiterate our outrage at the use of a chemical nerve agent, known as Novichok, in Salisbury on March 4.... We have full confidence in the British assessment that the two suspects were officers from the Russian military intelligence service, also known as the GRU" (BBC).
Russian authorities responded by doubling down on increasingly implausible denial. It's all "lies," a "cheap soap opera" and so forth (BBC). Ambassador Vasily Nebenzya said of the Skripal incident that "We are taking it very seriously... we have been asking for cooperation from the U.K. authorities from day one." Russia, he said, has been investigating the incident "for a long time" but he declined to discuss any findings. He categorically denied that Russia has any chemical weapons program and said that Novichok was invented in the West (UN Web TV). No serious person believes the claims about Novichok or Russia's chemical weapons program. Mr. Nebenzya's position was that the aggrieved party here is Russia, and no one else.
The British position is quite unambiguous. GCHQ Director Jeremy Fleming, in Washington Thursday for the Billington Cybersecurity Summit, attributed the attempted assassination of the Skripals directly to Russia. He called the Russian threat in cyberspace "real and active," and added that a "team of allies" will deal strongly with that threat.
Some observers think the GRU is becoming an embarrassment for Russian President Putin (Bloomberg). Others think its brazen visibility is quite intentional: let them hate us as long as they fear us (Foreign Policy).
A year in, companies unsure of risk under China's Cyber Security Law, says Control Risks.
Over a year into China’s Cyber Security Law, Control Risks experts say its vague definition and application leaves multinational companies struggling to understand their risk. Further, how strictly the government will crack down and the extent of penalties for non-compliance remain open questions. Nonetheless, companies operating in China must understand their unique exposure and specific cyber, physical and procedural requirements. Let Control Risks help you make the critical decisions to seize your opportunities in China.
Stone Panda (a.k.a. APT10) identified with the Tianjin Bureau.
CrowdStrike has confirmed claims by Intrusion Truth that APT 10 (also known as Stone Panda) is operated by the Tianjin Bureau of China's Ministry of State Security. Intrusion Truth, described as "shadowy," represents itself as a hacktivist group dedicated to exposing Chinese intelligence (SC Media).
Traditional browsers betray you by revealing your identity. Security teams who use a cloud browser manage attribution and can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI, using Tor or connecting to a jumpbox, get online in seconds with Authentic8 Silo, a secure cloud browser and egress from hundreds of points of presence around the world.
"Up your cyber hygiene."
That's what the FBI is telling US political campaigns this year (ABC 11). As far as is known, no political campaigns replied, "no...up your [hygiene]."
US Director of National Intelligence Coats yesterday said that the prospect of foreign interference with US elections remained real and troubling (Reuters). Facebook's recently departed security chief Alex Stamos was more direct: the US elections risk becoming "the World Cup of information warfare" (CNN). The Department of Homeland Security has been describing its commitment to election security (Federal Times)
At the Billington Cybersecurity Summit this week concerns about election interference and a determination to do something about it were very much in evidence. General Nakasone was particularly direct. He closed his Summit keynote with a statement that there is no higher priority for US Cyber Command and NSA than the security of the midterm elections (The CyberWire).
The force is stronger when MSPs and MSSPs come together.
The managed service market has grown tremendously, with the demand for managed security being unprecedented. For managed service providers (MSPs) looking to answer those demands, partnering with a managed security services provider (MSSP) expands access to highly-skilled cyber security analysts and a full suite of security solutions. Join Delta Risk’s webinar, September 19 at 1 PM ET, to learn how the two sides can join forces.
Tools and policies for content moderation.
Google has introduced an image-recognition tool designed to scrape the internet for child abuse content (Telegraph). Fairly or not, tech companies, Google among them, face increasing pressure from authorities to do something about the content that passes across their services (Telegraph).
Google has committed to clearing malicious apps from its Play Store, and to keeping trolls from buying ads, but reports suggest it's met with indifferent success. Researchers recently succeeded in buying ads while posing as a famous St. Petersburg troll farm, even copying some of that farm's notorious content (Register).
Among those most interested in content moderation are enforcers of copyright, but the bots being deployed seem not to be helping them much, either (Naked Security).
Get security training from FireEye experts at Cyber Defense Summit.
Training opportunities at CDS offer attendees hands-on, small-group, interactive sessions with some of the world’s foremost experts in cyber security. Whether you’re an expert or just starting out in security, there’s a course designed for you. Register now.
Countering influence operations.
Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg testified Wednesday before the Senate Select Committee on Intelligence (Real Clear Politics). Facebook's Sandberg offered an example of what companies like hers might be expected to do against foreign influence operations: suspend inauthentic accounts, the way Facebook, Google, and Twitter did when FireEye tipped them to such accounts' links to Iran's government. "In our mind that’s the system working," she said. Her testimony praised the kind of collaboration she'd called for in advance of the hearing (CNBC). Twitter's Dorsey thought research into identifying bots might prove fruitful. But larger questions about disinfecting online nastiness remained unanswered, quite possibly because they're unanswerable.
Snakes in the walled gardens.
Google's Play Store, by design relatively open and accessible, has long found it necessary to sweep the snakes out as malicious apps find their way in. Apple's store, in contrast, has been relatively speaking less prone to admitting malicious apps. But infested it can be. Malwarebytes Friday summed up work that several researchers have done in tracking "misbehaving" apps. The bad behavior has generally been data exfiltration. "Adware Doctor," "Open Any Files," "Dr. Antivirus," and "Dr. Cleaner" all represent themselves as security applications, and they all report back to Chinese servers. They also engage in some mutual cross-promotion. Malwarebytes says that "the Mac App Store is not the safe haven of reputable software that Apple wants it to be," and they strongly encourage users to report problematic apps to Apple.
Implausible advance-fee fraud, and even more implausible ransomware, still find takers.
Two implausible scams are circulating. One, a celebrity advance-fee come-on, tells the gullible that Pope Francis wants to give away a small fortune in Bitcoin (Bitcoin Exchange Guide). The other, crude ransomware, displays the face of former President Obama and represents him as declaring that he's encrypted your files, but that he'll recover them for you in exchange for "a tip" (ZDNet). It should be, but isn't, needless to say that neither the current Pope nor the former President are involved in any of this.
Cisco fixed issues with several products, including RV series, SD-WAN, and Umbrella (SecurityWeek).
Mark your calendars: Microsoft is really ending support for Windows 7 in "about 500 days" (Windows Latest).
Crime and punishment.
On Thursday the US indicted a North Korean hacker for complicity in Lazarus Group attacks on Sony and the Bangladesh Bank, and also in connection with WannaCry and other cyber operations. Park Jin Hyok worked for Chosun Expo Joint Venture, a Reconnaissance General Bureau front with offices in both North Korea and China.
Ameer Deeba, a Qualys executive who'd been with the company since 2001, two years after it was founded, has resigned his position as Chief Commercial Officer after agreeing to paying $581 thousand to settle a US Securities and Exchange Commission insider-trading investigation (Silicon Valley Business Journal).
Courts and torts.
Bitcoin Gold was delisted from the Bittrex exchange after the Bitcoin Gold team declined to pay half the damages Bittrex sustained in a multi-stage cyber attack between May 18th and 22nd of this year. Bitcoin Gold refused because in its view the hack took advantage of loose security at Bittrex; Bittrex responded by delisting Bitcoin Gold (ZDNet).
Policies, procurements, and agency equities.
Germany has moved forward with plans to create a new agency under the Ministry of Defense that would invest in and direct cybersecurity research. The Agency for Innovation in Cybersecurity (Agentur für Innovation in der Cybersicherheit, informally being called "Deutsche DARPA") will receive €200 million in funding over the next three years, and will eventually have a staff of one hundred (Fifth Domain).
As Germany develops an offensive cyber capability, observers suggest it's time Berlin also developed its own version of a Vulnerability Equities Process (Council on Foreign Relations).
Information security requirements, particularly in the form of NIST 800-171, occupy an increasingly prominent place in US Federal contracting (Forbes). NIST is currently at work on another framework, this one intended to serve consumer privacy. It will begin gathering information next month to help it formulate the guidelines (Nextgov).
The US House of Representatives passed three measures intended to toughen US cybersecurity policy. One advanced the Department of Homeland Security's Continuous Diagnostics Mitigation (CDM) program (The Hill). A second would allow the Department of Homeland Security to bar foreign firms from participating in Federal contracts should the Department have grounds to believe such companies posed a supply chain threat (The Hill). The third would direct the President to name and sanction foreign individuals and entities identified as engaging in cyberattacks against the US (The Hill).
US Cyber Command would like to see its contracting cap raised to $250 million (Defense Daily).
Fortunes of commerce.
Even as it acknowledges its banning from Australia's 5G network (Fibre Systems), Huawei has asked the US Federal Trade Commission for an explanation of the restrictions the US Government placed on the company (Caixin). Suspicion of the Chinese device maker spreads: the Republic of Korea is considering restricting the company's operations over security concerns (Korea Times).
Google is purchasing access to transaction records from Mastercard, a deal that's apparently been some four years in the making. That the data will be monetized is obvious. How that monetization will be accomplished is unclear. Both Google and Mastercard say that individual purchases won't be linked to individual accounts, still less specifically tracked, but details are sparse, emerging mostly through leaks, and suspicions of privacy and consumer advocates have been foreseeably aroused. Mastercard told Bloomberg that the data are anonymized, and intended to give advertisers a more precise assessment of their marketing return on investment (Naked Security).
Google's decision not to send a senior executive to testify before the Senate Select Committee on Intelligence left Mountain View represented by a conspicuously empty chair. Most observers think this a bad look, especially since Congressional moods are swinging in a regulatory direction, pushed by public moods (WIRED).
A Pew Center study concludes that 44% of Americans in the important 18-to-27-year-old demographic have deleted their Facebook app. This is apparently linked to concerns about Facebook's issues with data handling, and these appear across all demographics. Many users who haven't gone that far have still significantly reduced their usage, and many more have tightened their privacy settings (Motherboard).
Amazon joins Apple as the second company to achieve $1 trillion market capitalization (Telegraph). Some dismiss the milestone as purely psychological (Quartz) but so too are the markets themselves.
LinkedIn tells the IEEE that, in the US, data scientists are in short supply and that supply is rapidly getting shorter. The biggest shortfall is in New York, followed by San Francisco and then Los Angeles. Cleveland, Minneapolis, and Cincinnati all have surpluses, but these are one or two orders of magnitude smaller than the shortages in the other metropolitan areas, and those surpluses are fast evaporating. It's not just data scientists who are in demand. Two skill sets that are even rarer than data science, interestingly, are social media expertise and oral communication skills (Spectrum).
Mergers and acquisitions.
Atlassian has a definitive agreement to acquire OpsGenie for $295 million, with $259M in cash and the rest in Atlassian restricted shares. The transaction, expected to close next month, will enable Atlassian to integrate OpsGenie's detection and altering systems into its incident-response offerings (Help Net Security).
L3 Technologies has closed its acquisition of two companies for undisclosed terms: Australia-based security analysis and penetration testing firm Azimuth Security and UK-based software development shop Linchpin Labs (Jane's 360).
Investments and exits.
Austin, Texas, based Infinite IO closed a $10.3 million Series B round last week. The company offers data storage and migration solutions that feature deep packet inspection (CRN).
Cloud security start-up Avid has emerged from stealth. It's led by a number of security industry veterans, alumni of LinkedIn, Yahoo!, and Cisco who say the take DevSecOps seriously indeed (SDX Central).
Spectrum Equity, with participation from TenEleven Ventures, has made an investment of unspecified size in Offensive Security, specialists in delivering training for penetration testers (BusinessWire).
Arkose Labs has received $6 million in Series A funding from US Venture Partners. The company will use the investment to further develop its anti-fraud offerings (Bristol Herald Courier).
VPN company AnchorFree, makers of the Hotspot Shield virtual private network (VPN) software, has raised $295 million in new funding. One would expect a round of this size to have many partners, and it did: WndrCo led, with participation from Accel, 8VC, SignalFire, Green Bay Ventures, and others. WndrCo and Accel got seats on AnchorFree's board (SecurityWeek).
And security innovation.
Australia's Defence Ministry's Innovation Hub will maintain cyber as one of its highest priorities (ARN).
US Cyber Command has established a partnership with DreamPort, a new facility for technical innovation and rapid prototyping operated by the Maryland Innovation and Security Institute in Columbia, Maryland, close to Cyber Command's headquarters at Fort Meade. A particularly interesting feature of DreamPort is the way it's designed to bridge the classified and unclassified worlds: companies without cleared personnel can work there easily, without the necessary-but-often-tiresome security rigmarole such collaboration might otherwise be expected to entail. The atmosphere of experimentation is expected to be free, but clearly use-inspired (Fifth Domain).
StackRox announced a strategic partnership with, and an investment from In-Q-Tel, the US Intelligence Community's venture fund and technology accelerator. The company offers a Container Security Platform (Stackrox).
On Wednesday, Dreamit Ventures, the Philadelphia-based fund and accelerator, announced the first cohort of its SecureTech portfolio. Seven security start-ups were selected. All but one work in cyber. The outlier and alphabetically first company is ARMR, whose product is a combat lifesaver: a persistent, wearable, high junctional tourniquet system to stop hemorrhage. The other six are all cyber start-ups. Cyber Skyline has a cloud-based platform that evaluates cyber talent and matches it to job openings. Cybri also addresses the labor market, but from a different approach, offering vetted expertise-on-demand. CyR3con (cyber reconnaissance) specializes in forecasting cyber attacks before they happen, matching prioritized vulnerabilities with multi-sourced diligence and advanced dark web scanning. Graphus automates protection against social engineering with a "self-governing" detection, investigation, and active response to attacks. JustProtect offers cybersecurity management, identifying risks and suggesting mitigation decisions to enterprises threading their way through complex compliance assessments. And SignPass offers an innovative yet retro approach to authentication: handwritten passwords you only need "a finger and a smartphone" to use.
Mobile Pwn2Own has been renamed to the less restrictive Pwn2Own Tokyo. The event will now extend to the Internet-of-things (SecurityWeek).
Today's issue includes events affecting China, Germany, Russia, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.