In today's podcast, we look at ways in which terrorist incidents have motivated France and Germany to seek ways of compelling encrypted messaging apps to open traffic to inspection. In the UK such incidents have also prompted a harsh Parliamentary report on social media companies' efforts to combat radicalization. The Shadow Brokers' leaked exploits continue to appear in the wild. Investigation continues, but observers begin to see the incident as part of a general attack on US official credibility. Assange promises more leaks of Clinton material. Ransomware appears in India and Vietnam. A new Android banking Trojan uses Twitter for command-and-control. Dale Drew from Level 3 Communications shares tips on setting up a SOC, and Ralph Cita explains how Cybrary makes its training available for free. And Ashley Madison gets bad reports in three of the Five Eyes.
Dave Bittner: [00:00:03:01] France and Germany look for authority to compel encrypted messaging apps to open their traffic to inspection. The Shadow Brokers' leaked exploits continue to appear in the wild. Assange promises more leaks of Clinton material. Ransomware appears in India and Vietnam. And Ashley Madison gets bad reports in three of the Five Eyes.
Dave Bittner: [00:00:28:00] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire Web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the Web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:40:22] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 25th, 2016. A transatlantic version of the crypto-wars is flaring up in the European Union. Terrorist attacks have led German and French policy makers to rethink their national commitment to privacy and to look for ways of requiring makers of messaging applications, like Telegram and WhatsApp, to give security services access to encrypted traffic. The proposed measures would be used pursuant to investigation of terrorist activity.
Dave Bittner: [00:02:10:01] Public sentiment in Germany continues in general to oppose widespread Internet surveillance, but increasingly that opposition is tempered by a willingness to accept significant exceptions in cases of terrorism investigation and prevention. Reports suggest that distaste for dark web traffic in lethal contraband runs particularly high.
Dave Bittner: [00:02:29:21] French policy makers have similar concerns. Jihadists' use of Telegram to promote their imminent murder of a priest during Mass in a church prompted the Interior Ministry to call for some way of eavesdropping on Telegram conversations. Many vendors cooperate like this already with French authorities, but Telegram is not among them. Several observers have noted that Telegram is a favorite messaging application of French legislators and executives.
Dave Bittner: [00:02:55:15] And it's not just encryption. Media that enable radicalization and terrorist inspiration are also receiving legislative scrutiny. In the UK, Members of Parliament this week took social media companies to task for enabling extremism. The House of Commons Home Affairs Committee reported on the matter and specifically called it "alarming" that companies like Google, Facebook, and Twitter devote such slim resources to monitoring their customers' accounts for "extremist content." Tech companies, for their part, point out both their unilateral actions, notably Twitter's claim to have shuttered 360,000 extremist accounts over the past year, and the assistance they routinely provide in security investigations.
Dave Bittner: [00:03:36:14] Turning to international cyber conflict and its consequences, there are some developments in the Shadow Brokers incident. Researchers at Silent Signal report that a relatively easy upgrade of the Shadow Brokers' leaked Extrabacon exploit renders it effective against newer versions of Cisco's ASA. Others, not just researchers but black hats, have found the exploits relatively easy to use. A honeypot set up by a researcher at New York University noticed the same sorts of probes Cisco honeypots have seen this week, so the leaked attack code is clearly circulating in the wild.
Dave Bittner: [00:04:11:04] Security expert Bruce Schneier cites the incident as further evidence of poor US Government disclosure policy, and that NSA is hoarding zero-days when it thinks it's the only outfit that has them. Schneier also thinks this is "not Snowden stuff," that is, not the work of an arguably misguided whistleblower, but rather the work of an outsider. That outsider is widely believed, of course, to be the Russian intelligence services, and observers think the leaking reflects a "new normal" in which cyberattacks directly serve the goals of information operations. In recent cases those goals apparently center on discrediting the US political system as irredeemably corrupt. Wikileaks' Assange promises to release, soon, more discreditable information about Democratic Presidential Candidate Clinton. Wikileaks isn't obviously connected with the Shadow Brokers, although Assange did say that some of the material wasn't news to him.
Dave Bittner: [00:05:04:22] More direct attacks on the US Election are also feared. Analysts predict direct vote hacking come November.
Dave Bittner: [00:05:12:01] Ransomware has hitherto most affected European and North American enterprises but it's now being observed in both India, where a pharmaceutical concern has sustained an attack, and in Vietnam, where email vectors are carrying ransomware to potential victims.
Dave Bittner: [00:05:27:00] A new variety of backdoor banking Trojan - called "Twitoor" - has been discovered in the Android ecosystem. It's noteworthy in that its command-and-control is accomplished over Twitter.
Dave Bittner: [00:05:38:06] It's no secret that there's a shortage of qualified workers in cybersecurity, with thousands of jobs going unfilled. Education and training for those jobs can be expensive and one company, Cybrary, has taken a different approach. It's made all of its online training free. We spoke with Ralph Cita, CEO of Cybrary.
Ralph Cita: [00:05:57:18] Seeing the maturation and the development of the physical brick and mortar training in classrooms being held, we kind of came to the realization that this industry is very difficult on so many ends because you have students trying to come up with money to pay for expensive classes, and you have these certifications that somebody can invest three, four or $5,000 for a week long class and they become obsolete. So we saw that the industry was getting very commoditized and a lot of competition and price was a real pain point for students, so we came up with the idea of let's make education free, and we'll hopefully get to a point where we're monetizing it on the corporate side of it with companies to help fund our operations. And we're going to keep making education free, keep developing classes for free and we will never charge for the education component of Cybrary.
Dave Bittner: [00:07:04:03] So let's speak to that notion of skepticism. Certainly, everybody knows the saying "you get what you paid for" and you're providing this training for free. How do you put people's mind at ease that the training that they're getting is high quality?
Ralph Cita: [00:07:17:21] We get tremendous validation every day. The users are members - they are not only vetting our product, they are proclaiming it. And when they find a flaw, they're the first ones that say "Hey, you guys really messed this up," which is fine, we'll take the good with the bad.
Dave Bittner: [00:07:38:20] And how about the employers? When people are coming, résumés in hand and some of their training includes Cybrary, what are the responses that they're getting?
Ralph Cita: [00:07:48:01] We've had a lot of good feedback on that, and just from a little bit of a different angle, we also have a spot on our website called "Talent Services" where we are having these companies you are speaking of place jobs on our website, when they're using our site to recruit. There's over a million and a half worldwide jobs. There's almost 300,000 in the United States of cyber professional jobs that aren't filled. Absolutely jobs have to be nurtured, there has to be a better grassroots effort made in getting them there, start it much earlier.
Dave Bittner: [00:08:25:09] You are a business, you are a company, you have people, instructors and infrastructure to pay for, where's the money coming from?
Ralph Cita: [00:08:31:01] We are monetizing it on the corporate side of the house. So we have developed something called "Channels" which is a place where companies such as Cisco Talos or Tripwire, AlienVault or ObserveIT, can go ahead, put their content out there, put their upcoming events out there and once it's consumed and once these companies get all these eyeballs coming to their page on our Channels, they are realizing the benefit of "a rising tide raising all ships" kind of methodology.
Dave Bittner: [00:09:10:20] That's Ralph Cita, CEO of Cybrary.
Dave Bittner: [00:09:14:21] The US Department of Health and Human Services Office of Civil Rights, one of several agencies aspiring to extend its equities into cyber regulation, appears ready to undertake enforcement actions against small businesses that fail to properly protect data. Hitherto the OCR has tended to restrict enforcement actions to breaches affecting more than 500 people. We heard from Ebba Blitz, CEO of Alertsec, who said, "the news from the US Health and Human Services Office for Civil Rights should be a wake up call to small business. If the OCR uncovers widespread HIPAA compliance issues, that could mean small companies are at risk for new fines." And such fines, of course, could prove business killers.
Dave Bittner: [00:09:57:23] And finally Avid Media, the corporate parent of the adultery-facilitating service Ashley Madison, is in trouble in at least three countries, all of whom apparently have enough adulterers to make careless handling of personal information both a consumer protection and a privacy issue. The US Federal Trade Commission is conducting an inquiry into whether Ashley Madison misrepresented itself to its customers, and a joint report of Canadian and Australian privacy commissioners finds much to complain about in the way Ashley Madison did business. So we end with some advice on privacy in such matters - straighten up and fly right, girls and (mostly) boys.
Dave Bittner: [00:10:40:14] Time for another message from our sponsor Recorded Future. So attention threat intelligence enthusiasts, the first week in October, consider heading to Washington DC and joining Recorded Future and the rest of your community in DC for RFUN 2016, this October 5th and 6th. Share experiences, insights and best practices, learn from exclusive presentations by threat intelligence thought leaders and you can be the first to know, get a sneak peek of new Recorded Future product features and the company's development road map. Meet others like you, people who understand that cyber security depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun. That's recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:11:39:03] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, let's say I'm an organization and I'm ready to stand up my own security operation center. There's a lot that goes into that if I want to build my own SOC. You all have a lot of experience with that, what are some tips that you can provide for someone who's thinking about building their own SOC?
Dale Drew: [00:11:59:05] We've been on a sort of a marathon run in building security operation centers throughout the globe, and we have five operation centers up and running today. We built a sort of practice methodology on how to create and operate a security operation center. I'd say the major lessons learned for us are in the area of staffing and training and ownership. What I mean by that, from a staffing perspective, we've had a lot of success in hiring non-security experts. What we tend to do when we build a SOC is we hire some core baseline security expertise to the foundation of the SOC infrastructure, and then we hire a lot of SOC analysts who don't necessarily have to have SOC training or SOC expertise, because we provide them with training and certification on the job. We've had tremendous success in hiring SOC staff who have financial and musical backgrounds, because they're able to take chaotic environments and seek out organization of that chaos. And in an incident response sort of environment, that is fundamental and key. That becomes a much more important skill set baseline than the security baseline; it turns out to be much easier for us to train them on security than it is to train them on the fundamentals of how to have an incident response mindset.
Dale Drew: [00:13:39:07] The other one I'd say is keeping up to date on trends and keeping up to date on best practices. We do that by visiting other companies who operate security operation centers and not only imparting our wisdom on them, but also getting from them what works well for them and what does not work well for them, and incorporating some of those best practices into an ever evolving sort of SOC mentality. The key to managing your risk portfolio is not only just a good technology center, it's also having the staff that can identify and respond and mitigate quickly to those threats. So security operation centers are becoming a much larger component in the security arsenal for CSOs these days.
Dave Bittner: [00:14:29:09] Dale Drew, thanks for joining us.
Dave Bittner: [00:14:33:15] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. And our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.