The federal market is ripe with opportunity for SaaS, IaaS, and PaaS providers. More federal agencies are tapping into the cloud, and it’s getting faster and cheaper to achieve FedRAMP authorization. Download Coalfire’s 2019 FedRAMP Securealities report to learn how to take advantage of the rapidly expanding federal market.
Exporting repression? UN Security Council looks at DPRK hacking. Checking AI. Capital One hack. Permanent record? Industry notes.
Huawei said to be involved with domestic surveillance in Uganda and Zambia.
The Wall Street Journal reports that Huawei has embedded technicians in the governments of Zambia and Uganda to help those governments organize and operate extensive domestic surveillance programs. The company has been working to gain a commanding presence in African markets.
Huawei denies any wrongdoing. The company has “never been engaged in ‘hacking’ activities,” a Huawei spokesman told the Journal in a written statement. The statement goes on to say that “Huawei rejects completely these unfounded and inaccurate allegations against our business operations. Our internal investigation shows clearly that Huawei and its employees have not been engaged in any of the activities alleged. We have neither the contracts, nor the capabilities, to do so.”
The Journal doesn’t say that the operations in Zambia and Uganda were directed by Chinese intelligence, nor does it argue that there’s anything about Huawei’s technology peculiarly adaptable to surveillance. But the Washington Post notes that the lesson seems to be that Huawei is willing and able to abet repression. Chinese security services have established a template for repressive surveillance against China's own Tibetan and Uighur minorities. That template may have been exported.
Today’s threat environment is complex and dynamic. Traditional response methodologies by themselves are no longer sufficient. To find out how your team can be more responsive and act faster on threat intelligence, download the ebook, Threat Intelligence Platforms: Everything you’ve ever wanted to know but didn’t know to ask. Read to the very end for a TIP checklist!
More on North Korea's financially motivated hacking.
The UN Security Council panel studying North Korean hacking concluded, according to the AP, that Pyongyang has made at least thirty-five financially motivated cyberattacks against seventeen countries as it works to fund its weapons-of-mass-destruction programs. This is the report which the Associated Press saw a fragment of last week. They’ve now seen the whole thing.
The most common operations have been attacks against the SWIFT international banking funds-transfer system, then attacks against cryptocurrency exchanges, most of these in South Korea, and finally cryptojacking to mine alt-coin directly. Monero was Pyongyang’s preferred alt-coin. Their take went to servers at Kim Il Sung University. These three families of attack share the common feature of being well adapted to moving and laundering money quickly in ways that are difficult to trace or interdict. The report also emphasized that the attacks were “low-risk and high-yield” efforts.
US Cyber Command has posted Electric Fish malware from North Korea's APT38 threat group to VirusTotal. FireEye has reported that APT38 is heavily involved in state-directed financial crime. Its activities overlap those of the Lazarus Group.
Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level cyber initiative buy in, supports traction across business units, establishes management alignment for key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program – making it a business asset for continued success.
More human review of AI.
Facebook has been paying contractors to review user interactions with its products, Bloomberg reports. The social network is the latest to receive scrutiny over the practice. Google, Apple, Amazon, and Microsoft have all been found doing this, most commonly in human-AI interactions with such digital assistants as Siri, Alexa, and Cortana. Of all of these, Microsoft appears to have had the clearest user opt-in for the practice. Redmond is also holding to the practice more firmly: unlike some of its peers, Microsoft will continue the practice. It simply intends, Naked Security reports, to be more transparent about it.
Facebook had offered users of its Messenger the option of having their voice chats transcribed. It hadn't made it clear, however, that human operators would check the quality of the automated transcription. The social network says it stopped this practice about two weeks ago after seeing the reputational hot water in which similar reviews landed Amazon and Apple.
In fairness to Facebook and the other companies that have had humans review user interactions with AI, none of them appear to have done so with any nefarious intent. They do seem to have been working to improve the user experience. If anything, the incidents serve as a reminder that artificial intelligence, for all its power and commercial promise, remains an immature technology deeply dependent upon human trainers.
The CyberWire’s 6th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.
British Airways sustains another privacy incident.
Wandera published research detailing their discovery of a vulnerability in British Airways' e-ticketing system that exposed passengers' personal information and flight details. When a passenger clicked on a check-in link in an email from British Airways, they would be taken to the airline's website and logged in automatically. In order to log them in, however, the system included the passenger's last name and booking reference code in unencrypted URL parameters. As a result, someone sniffing WiFi traffic—on an airport's public network, for example—could intercept this request and use it to access the passenger's flight itinerary. The itinerary contains detailed flight information, as well as the passenger's full name, email address, phone number, and British Airways membership number. An attacker could also change the booking information.
Michael Covington, vice president at Wandera, told Fortune that the security firm believes around 2.5 million unencrypted connections have been made to British Airways domains in the last six months. Covington expressed surprise that such an obvious and easy-to-fix vulnerability went unnoticed, particularly in light of the fact that British Airways was fined $221 million last month for GDPR violations involving a large breach of customer information.
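The exposure described above is a detectable pattern: personal data carried in the query string of a plaintext HTTP request. The following scanner is an added example, not code from Wandera or British Airways; it runs over constructed proxy log lines and flags requests whose URL sends a surname or booking reference over unencrypted HTTP. The parameter names and log format are assumptions for the example.

```python
"""Detect personal data exposed in plaintext-HTTP query strings.

Added example (not from the Wandera report or British Airways): scans
constructed proxy log lines for requests that, like the check-in links
described in the article, carry a surname and booking reference in the
URL over plain HTTP, where a WiFi eavesdropper could read them.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that typically carry personal data in booking links.
# This list is an assumption for the example, not any airline's real names.
SENSITIVE_PARAMS = {"lastname", "surname", "bookingref", "pnr", "bookingreference"}

# Constructed sample log lines in the form "<timestamp> <method> <url>".
SAMPLE_LOG = """\
2019-08-12T09:01:10Z GET http://example-airline.test/checkin?bookingref=ABC123&lastname=Smith
2019-08-12T09:02:44Z GET https://example-airline.test/checkin?bookingref=DEF456&lastname=Jones
2019-08-12T09:03:01Z GET http://example-airline.test/static/logo.png
2019-08-12T09:04:30Z POST http://example-airline.test/checkin?token=opaque-one-time-value
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def exposed_params(url: str) -> list[str]:
    """Return the sensitive parameter names sent in the clear for this URL.

    Only plaintext http:// URLs count: over https the query string is
    encrypted in transit (it may still leak via server logs or Referer,
    which is a separate concern this check does not cover).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one finding per offending request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        leaked = exposed_params(m["url"])
        if leaked:
            findings.append(
                {"ts": m["ts"], "host": urlsplit(m["url"]).hostname, "params": leaked}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} exposed {', '.join(f['params'])} over plaintext HTTP")
```

Only the first sample line is flagged: the second is the same request over HTTPS, and the fourth carries an opaque one-time token rather than personal data.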
Signs of incipient compromise? The high cost of high turnover.
The Wall Street Journal reports that employees at Capital One expressed concern over what they saw as high turnover among the bank's cybersecurity unit. There are reports that a third of the cybersecurity staff left in 2018. The unit was responsible for threat hunting, firewall configuration, and similar security tasks. Even given the turnover, Capital One points out that total cybersecurity headcount actually increased over that period.
Capital One has long enjoyed a reputation as a technologically savvy organization, sometimes described as a tech company with a bank as opposed to a bank with a serious commitment to technology. Approximately five years ago the bank began its migration to the cloud. Some observers think that the tech-friendly culture paradoxically made the enterprise more difficult to secure. Many of the bank's personnel were empowered to make tech decisions, and that decentralization may have left the bank open to the sort of misconfiguration allegedly exploited by the accused hacker "erratic" to compromise its data.
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Your permanent record from elementary school may be out there...
...or not, because the vulnerability has been addressed.
At Def Con last week Bill Demirkapi, eighteen years old and a recent high school graduate, demonstrated a vulnerability in the widely used student record system Blackboard and its associated Aspen data management system. TechCrunch says that some three thousand school systems and over five million students could in principle be affected by the vulnerability. As Demirkapi explained it, his disclosure to Blackboard and Follett, the vendors whose products were affected, wasn't entirely smooth, particularly given the eleventh-grade style he brought to the process. That included a message to every user, displaying their login cookies on their screen along with a reassuring coda, "Don't worry, I didn't steal them." He understands with the maturity of a recent high school graduate that he could have handled it better. "The school wasn't thrilled with it. Fortunately, I got off with a two-day suspension."
Both Blackboard and Follett have patched the vulnerability Demirkapi found, but he thinks the bug disclosure process in the educational software sector could be smoother, as it took him some months to get his point across. Blackboard agreed that there was room for improvement. In an email to TechCrunch, the company said, "One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention."
WIRED, which describes Demirkapi as an APT, "advanced persistent teen," contacted Blackboard and Follett for their reactions. Both companies said they were pleased to have worked with Demirkapi, glad he told them what he found, that they've fixed the problems, and that they've found no evidence that anyone had exploited the vulnerabilities. The data that could have been exposed were serious by any measure, including such items as grades, phone numbers, disciplinary notes, attendance, bus routes, and vaccinations: the whole proverbial permanent record. Principal Skinner, call your office.
Microsoft this week released patches for "DéjaBlue," a family of vulnerabilities affecting the remote desktop protocol. Unlike BlueKeep, which represented a risk to older unpatched Windows 7 and earlier instances, DéjaBlue affects current versions. Redmond warns that there are seven vulnerabilities in the new family. Two of those are regarded as particularly serious in that they could be wormable, that is, exploitable to deploy a worm that propagates from one infected system to others on its own. Microsoft advises patching immediately. “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.”
Crime and punishment.
In court filings, US prosecutors signaled their intention to file more charges against accused Capital One hacker "erratic." Paige Thompson is now thought to have worked against a number of other organizations.
PC Magazine comments on some forthcoming research by IntSights that explores the connections between Russia's cyber criminal gangs and the country's intelligence services. The gangs operate at the sufferance of the security organs, on the condition that they leave certain targets alone and from time to time accept taskings. The intelligence and security services themselves find the relationship useful.
Police in South Wales are proceeding with a trial of a facial recognition system that uses NEC hardware and software developed in-house, Infosecurity Magazine reports. The system is controversial for the privacy issues and error rates that usually accompany such police technology. The trial faces a court challenge on the grounds that it invades privacy, discourages peaceful protest, and is prone to various forms of invidious discrimination.
Courts and torts.
Deutsche Welle reports that Russia's Internet regulatory body, Roskomnadzor, warned Google not to permit YouTube to incite opposition protests. On Saturday between twenty-thousand and nearly fifty-thousand demonstrators took to the streets in Moscow over allegations of municipal election fraud, according to the Guardian. The lower figure comes from police, the higher from independent estimates.
Policies, procurements, and agency equities.
Defense Department officials discussed supply chain risk management and workforce issues at FCW's Cybersecurity Summit, Meritalk reports. The DoD's cyber director John Garstka said the Defense Department is building a five-level model to help contract managers specify what they need in acquisitions. Jason Martin, Vice Director of the Development and Business Center and Acting Director of the Cyber Development Directorate at DISA, added that workforce culture at the DoD is another challenge that needs to be addressed, explaining that the cybersecurity workforce operates differently. He said that cross training between multiple teams is one way to help bring new people into the industry.
Fortunes of commerce.
Cyber insurance policies currently fetch a surprisingly low premium, but that's not entirely a good thing. As TechTarget summarizes from discussions it heard at Black Hat, the low cost is a supply-side phenomenon: a lot of insurers are working to get into the market, and they're competing on price. But the low premiums being charged probably mean that the underwriters are still working without the actuarial data and models they need to be fully comfortable with the risk they're accepting in transfer from their customers. Expect prices to change as the actuaries catch up with the consequences of cyber incidents.
TechRoots offers advice for those looking to pursue a career in cybersecurity. Most jobs in the field can be categorized as technical or managerial, although there's usually some degree of overlap between the two. Managerial roles focus more on policy, risk management, and business functions, while technical jobs require more in-depth knowledge of computer science. It's best to learn a broad set of skills before deciding to specialize in a specific area.
Mergers and acquisitions.
CyberScoop notes that there have been more than eighty cybersecurity industry mergers or acquisitions in the first half of 2019, compared to fifty-eight in the first half of 2018. Experts told CyberScoop that security vendors are buying tools and startups with the hope of becoming the first dominant player in the cybersecurity market.
Observers continue to offer their opinion of Broadcom's acquisition of Symantec's brand and enterprise business. Robert Herjavec, CEO of cybersecurity firm Herjavec Group and a star on Shark Tank, called the Broadcom-Symantec deal a "[dinosaur] buying another dinosaur before both dinosaurs go out of business," according to CRN. Herjavec said Symantec has fallen behind when it comes to endpoint security, and he's not optimistic about the firm's ability to compete with newer companies like CrowdStrike, SentinelOne, and Carbon Black. Writing in Forbes, Jeb Su from Atherton Research said it's not clear yet how Broadcom will benefit from the deal. Broadcom's CEO Hock Tan told analysts that "by acquiring this number one cybersecurity franchise, we will gain a portfolio of mission-critical security solutions, which are deeply embedded among our global 2000 customers," but Su has difficulties perceiving the synergies. CRN reports that Hock plans to nearly quadruple earnings from Symantec's enterprise security business.
ChannelWeb reports that Computacenter has bought back the RDC IT asset disposition unit from Arrow for an undisclosed amount. Computacenter had sold the business to Arrow for £56 million in 2015, but Arrow announced last month that it would have to shut the unit down. Computacenter had maintained a partnership with RDC, and purchased the unit in order to continue providing the service for its customers.
McAfee announced that it's acquiring application security provider NanoSec for an undisclosed amount, ZDNet reports. It plans to use NanoSec's technology to augment its cloud-based MVISION products. This is McAfee's third acquisition since splitting from Intel in 2017.
British private security contractor G4S is looking at offers for its cash transport unit. MarketWatch says the company plans to sell the unit in the first half of 2020. Reuters Breakingviews calls the move "a no-brainer given the shift to digital money."
Investments and exits.
TechCrunch reports that memory augmentation platform provider Polarity has raised $8.1 million in a Series AA funding round led by TechOperators, with participation from Shasta Ventures, Strategic Cyber Ventures, Kaiser Permanente Ventures, and Gula Tech Adventures. Yahoo Finance says that Polarity offers "on-screen overlays [that] reduce cognitive load by helping knowledge workers keep track of data beyond the capacity of human memory."
And security innovation.
Lockheed Martin has released a new, trademarked model for assessing the cyber resiliency of weapon, mission, and training systems, Fifth Domain reports. The Cyber Resilience Level (CRL) framework has four levels, with CRL 4 being the most resilient. The rankings are based on six categories: visibility, cyber hygiene, requirements, test and evaluation, architecture, and information sharing. The model was tested internally on ten pilot programs, including combat aircraft and satellites.
The World Economic Forum has announced its roster of Technology Pioneers for 2019, Silicon Republic notes. The list includes six cybersecurity startups: New York-based data governance and protection company BigID, London-based AI-driven authentication provider Callsign, San Francisco-based cyber risk analysis firm CyberCube, London-based browser isolation company Garrison, Tel Aviv-based secure collaboration platform provider Qedit, and Mountain View, California-based fraud and bot prevention company Shape Security.
Today's issue includes events affecting China, Iran, the Democratic People's Republic of Korea, Russia, Uganda, the United Kingdom, the United States, and Zambia.
Research Saturday is up. This episode is "Detecting dating profile fraud." Researchers at King’s College London, the University of Bristol, Boston University, and the University of Melbourne have recently collaborated to publish a report, “Automatically Dismantling Online Dating Fraud.” Their research outlines techniques to analyze and identify fraudulent online dating profiles with a high degree of accuracy. Professor Awais Rashid is one of the report’s authors, and he joins us to share their findings.