In today's podcast, we hear that Adobe has patched a Flash vulnerability. InvisiMole is a discrete, selective cyber espionage tool. A Facebook glitch inadvertently changed users' default privacy settings. Leidos exits the commercial cyber market. China is back at IP theft, and some conventional cyber espionage, too. Congress wants explanations of data-sharing with Huawei and ZTE, and it wants those companies investigated as security risks. Feds Facebook friend felons. Rick Howard from Palo Alto Networks with the winners from this year’s Cyber Security Canon gala. Guest is Corey Petty from BAH, host of the BitCoin podcast, discussing blockchain.
Dave Bittner: [00:00:03] Adobe patches a Flash vulnerability. Invisimole is a discrete, selective cyber espionage tool. A Facebook glitch inadvertently changed users' default privacy settings. Leidos exits the commercial cyber market. China is back at IP theft and some conventional cyber espionage too. Congress wants explanations of data-sharing with Huawei and ZTE, and it wants those companies investigated as security risks. And the feds Facebook friend felons.
Dave Bittner: [00:00:38] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99 percent, and neither should you. They put those 3,000 daily problems into a lightweight kernel-level container where the malware is rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero everytime, solving the malware problem. So with Comodo you can say with confidence, I got 99 problems, but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com. And we thank Comodo for sponsoring our show.
Dave Bittner: [00:01:54] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday June 8, 2018.
Dave Bittner: [00:02:06] Adobe issued an emergency patch yesterday of a Flash vulnerability that's being exploited in the wild. The company credits security firm ICEBRG with alerting them to the problem. The exploit CVE-2018-5002 is being used to backdoor a selected set of Windows machines. Most of the exploitation has been against targets in Qatar - still in bad odor with other regional Arab powers, including Bahrain, Egypt, Saudi Arabia and the UAE - all of whom participate in a trade embargo against Qatar. At issue are Qatar's alleged Iranian connections. Iran, of course, representing a regional and religious rival to the Sunni governments in the area. Whether you're in Qatar or Cucamonga, if you use Flash, you'd be wise to apply Adobe's patch.
Dave Bittner: [00:02:57] ESET is analyzing Invisimole, a cyber espionage tool that can backdoor targets, engage in remote code execution and steal audio from infected devices. It's uncommon, and ESET offers no attribution. But the malicious malware has been found in Ukrainian and Russian computers.
Dave Bittner: [00:03:16] A Facebook glitch inadvertently turned some 14 million users' private data public. It changed the default settings on those accounts from private to public at the end of May between the 18 and the 22 of the month. Facebook regrets the issue and advises users to take a look at whatever stuff they may have posted last month.
Dave Bittner: [00:03:37] Leidos becomes the latest U.S. federal contractor to exit the commercial cybersecurity market, selling its commercial unit to the Paris-headquartered multinational Capgemini, which hopes its acquisition will help it make further inroads into the North American market.
Dave Bittner: [00:03:53] CrowdStrike says that after more or less abiding by a 2015 mutual undertaking with the U.S. not to engage in the massive theft of intellectual property, China is back at it with a vengeance. CrowdStrike doesn't offer any particular reason for the upswing, merely making note of what it's seeing. But observers speculate that it's linked to recent trade tension between the U.S. and China. Recorded Future sees a different potential explanation - at least a partial one. They see this shift as the result of reshuffled agency equities after the consolidation of signals in intelligence organizations into China's large Strategic Support Force, a process that began in late 2015.
Dave Bittner: [00:04:35] The Strategic Support Force is intended to play a significant role in China's strategy for achieving technological and economic superiority sooner rather than later this century. And, of course, their royal road to such superiority is much eased if you can simply take the technology as it's developed. The U.S. is aware of this, having taken official note of the matter in a March 22 report by the Office of U.S. Trade Representative. Intellectual property isn't the only concern with respect to China's cyber operations. They're also engaging in more obvious forms of espionage.
Dave Bittner: [00:05:10] This afternoon, U.S. officials, speaking under conditions of anonymity, told the Washington Post that Chinese intelligence services had hacked an unnamed contractor working at the Naval Undersea Warfare Center in Rhode Island and successfully exfiltrated sensitive data concerning submarine operations. There are also human intelligence concerns related to data-sharing and analysis. As the South China Morning Post sees it, cribbing from the late Baltimore novelist Tom Clancy, extensive data-sharing with Huawei in particular represents the sum of all fears for the U.S., as the paper puts it, quoting a tweet by Senator Marco Rubio, a Republican from Florida. Quote, "if Facebook granted Huawei special access to social data of Americans, it might as well have given it directly to the government of China," end quote.
Dave Bittner: [00:06:09] Here's an irony. Facebook is banned in China, where the regime isn't particularly open to platforms that facilitate social interaction. But the government there is thought to be interested, indeed, in the data Facebook holds on its users elsewhere. Facebook did acknowledge earlier this week that it had shared access to data with a number of Chinese companies that included Lenovo, Oppo, TCL and of course Huawei. They did so, said Facebook's vice president of mobile partnerships, in a controlled way. Controlled or not, Huawei denied collecting or analyzing Facebook user data. Few in Congress seem mollified. Indeed, the U.S. Congress appeared to be loaded for bear in its investigations of ZTE and Huawei and their alleged U.S. partners Facebook and Google.
Dave Bittner: [00:06:51] Senator Warner, a Democrat from Virginia, has promised to lead efforts to pull away the lifeline President Trump tossed ZTE. ZTE, you will recall, was in Commerce Department hot water for its evasion of U.S. sanctions against various pariah regimes, especially Iran and North Korea. It was also in hot water for lying about its dealings with those countries. ZTE agreed, in exchange for renewed access to American products it needs to stay in business, to pay a fine of more than a billion dollars, to overhaul its board of directors and to install a U.S.-designated compliance team that would look to its good behavior over the next 10 years. But Congress intends to continue its investigations. Security and not sanctions evasion is the issue with the Chinese companies.
Dave Bittner: [00:07:40] Google seems likely to be hit with a record EU antitrust fine over the way in which it manages apps in the Android ecosystem. The fines, which Reuters expects the European commissioners to announce in about a month, during the week of July 9, are thought likely to exceed the 2.4 billion euros Google endured last year. The 2017 fines were over the ways in which the search engine favored its own products over those of competitors. This time, they're mostly concerned with the ways in which Google's dominant position in Android enables it to bend app developers to its commercial will.
Dave Bittner: [00:08:16] The U.S. Federal Trade Commission wants to hear from cryptojacking victims. If you've been the victim of cryptomining software installed in your devices, you can let the FTC know online at ftc.gov/complaint. The commission's announcement is thought by observers to amount to the first notice by the U.S. government that cryptojacking is illegal.
Dave Bittner: [00:08:39] Finally, we found out - and we were asking for a friend - that law enforcement personnel often make it a practice of friending convicted felons on - where else? - Facebook once such felons have served their time and are out of the slammer. Why do they do it? To keep an eye on them. Felons, for example, aren't supposed to own guns, yet they persist in posing with them in front of their Facebook friends. A Delaware court ruled that the undercover practice is perfectly legal. So caveat shooter if, that is, you're a felon - not that any of you would be.
Dave Bittner: [00:09:20] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain. They're too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:10:26] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. You all recently had your Cybersecurity Canon Hall of Fame Gala - by all accounts, a successful, fun evening. And you wanted to bring us up to date and share with us who were the winners this year.
Rick Howard: [00:10:48] Yeah, this is the culmination of the 2018 season, where we actually gave the Hall of Fame awards to the winning authors. And you know what the Canon project is.
Dave Bittner: [00:10:58] Yeah.
Rick Howard: [00:10:59] It's kind of a Rock & Roll Hall of Fame for cybersecurity books. It's been going on for five years. And so if you're going to better yourself this year and read some book on some new topic, how do you decide - OK - which book you want to read? And if you go to Amazon and look up cybersecurity books, you're going to have to choose between some 2,000 to 3,000 entries. So how do you decide? So here's this give-back-to-the-community service. The community reads the books, finds out which books you should read. And those are the ones you should start with.
Rick Howard: [00:11:29] You want to hear who won the Canon Gala Awards for this year?
Dave Bittner: [00:11:33] I'm on the edge of my seat.
Rick Howard: [00:11:34] I can tell. Right. So...
Rick Howard: [00:11:37] The first one, it's been on the candidate list for a couple of years. Right? But we're very happy to put it in the Hall of Fame, a book called "Metasploit: The Penetration Tester's Guide" by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni - I think that's how you say his name. Now, you've heard of "Metasploit" before, right?
Dave Bittner: [00:11:56] Sure.
Rick Howard: [00:11:57] Yeah, it's a tool that's been around for years. It's the default tool for penetration testers. But what's great about this book it's written for beginners. So if you're new to the craft, you can take it and learn how to become a penetration tester using this tool. There's also lots of information for the seasoned practitioner. So "Metasploit" has made it into the Hall of Fame.
Dave Bittner: [00:12:19] All right. Who else?
Rick Howard: [00:12:20] Second one - "Site Reliability Engineering: How Google Runs Production Systems" by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy. Now, I've been hawking this book for the last year or two. I love this book. OK? It is the follow-on reader if you've already read "The Phoenix Project" and you are interested in DevOps and the DevOps philosophy this particular book, "Site Reliability Engineering," now is the how-to manual. All right? It's how Google did it when they started their first search engine back in 2004. They were doing this DevOps kinds of thing, you know, six years before DevOps even had a name for itself. So you want to figure out how to do it, that's the one to do.
Rick Howard: [00:13:02] No. 3, for my social engineers in the crowd, "Unmasking the Social Engineer: The Human Element of Security" by Christopher Hadnagy. OK. Now, this book is for serious readers - OK? - who want to understand everything they can about the topic of social engineering. Hadnagy relies heavily on some research by Dr. Paul Ekman, the renowned psychologist. All right? This is a fantastic entry-level book for how do you do social engineering. So Mr. Hadnagy's is in the Hall of Fame.
Rick Howard: [00:13:32] The fourth entry is a book called "Worm" by Mark Bowden. Do you remember Mark Bowden? He's a famous author in other subjects. He is probably most famous for writing "Blackhawk Down." And...
Dave Bittner: [00:13:44] Oh, sure.
Rick Howard: [00:13:45] Yeah. And he wrote the screenplay to the movie. All right? And so he wrote this book about the Conficker Cabal, you know, and how a bunch of people in our - a bunch of network defenders in the industry got together and tried to take that thing down. It is a great slice of cybersecurity history. And Mr. Bowden came out to the gala. And we gave him his, you know, Academy Award-like trophy. And he was very eloquent as so. And I got to interview him on TV. All right? So...
Dave Bittner: [00:14:12] Yeah (laughter).
Rick Howard: [00:14:12] It was fantastic. Yeah, it was the highlight of my career.
Dave Bittner: [00:14:15] All right. So those four books - go to the Canon website, and start your education from there.
Dave Bittner: [00:14:21] All right. As always, Rick Howard, thanks for joining us.
Dave Bittner: [00:14:28] And now a few words from our sponsor CYBRIC. We all heard the important and welcome themes coming out of RSA this year on resiliency and collaboration. This is underscored, of course, by the steady stream of innovations we see coming out of the cybersecurity industry. But what does all this really mean for IT, security and development teams day to day? Join Mike Brown, retired rear admiral in the U.S. Navy and former director, cybersecurity coordination for DHS and DOD, for a lively discussion on the industry's current direction, that type of collaboration that yields immediate results to teams and the criticality of protecting application infrastructure. This insightful webinar is taking place on Wednesday, June 20, at 1 p.m. Eastern time. So be sure to register at cybric.io/cyberwire and tune in on the 20. That's cybric.io/cyberwire. And we thank CYBRIC for sponsoring our show.
Dave Bittner: [00:15:35] My guest today is Corey Petty. He's a blockchain scientist at Booz Allen Hamilton and host of "The Bitcoin Podcast" and "Hashing it Out."
Corey Petty: [00:15:44] When I got into this, we always wondered when people would understand or know about blockchain or bitcoin or cryptocurrencies. And now, based on the plethora of ICOs and the public interest they've received, most people have heard the words but don't quite understand what it means or what they do or the implications of what they can do. And right now, we're in a state of building the basic infrastructure that's required for people to interface with these technologies without really knowing it, like how we use the internet today.
Dave Bittner: [00:16:16] Now, with all of the enthusiasm, particularly with bitcoin and sort of the - I don't know - the gold rush, if you will, do you suppose that blockchain has suffered for that? It seems like, in some areas, it's become a bit of a punchline.
Corey Petty: [00:16:31] That's kind of a sign of the times for me. What had happened, we created something called the ERC20 token and made it simple enough for people to use and interact with without them really knowing what they're doing. And so I liken it to us finding out how to use fire and burning ourselves a little bit during the process of figuring out how to use it. And we're going to see this happen multiple times as we keep creating new standards and new tools people can use that's based on blockchain and then watch as people play around with it to see where it's useful.
Dave Bittner: [00:17:04] What do you have your eye on? What are some of the areas of focus for you in terms of the usefulness of blockchain?
Corey Petty: [00:17:10] I have a hard time not spreading myself too thin, to be honest. It's such a infrastructure level - like, the ground zero of how computers operate and transact digital assets that it has a finger in almost all parts of human existence, whether it be how we come together on large decisions in a decentralized manner across the globe, how we transact value, how we send money. I try and figure out how this is impacting things, but I really want to do it in a way that takes trust away from an individual and puts it into a system so that greed can't be a part of it, if that makes any sense.
Dave Bittner: [00:17:48] Yeah, it does. Where do you think we are most likely - a typical consumer, where do you think they're most likely to see an effect in their daily lives based on some sort of underlying blockchain technology?
Corey Petty: [00:18:00] Initially, you'll start to see two main things come into play where people will start to actually use them and know that they're using them. And that's going to be with games because games are always the first way to play around with a new technology, that enables things in a setting that isn't too daunting or scary in terms of money or problems or trust of information. And you'll also see it in things like social networks, especially with the modern cry of how people use the data you give them when interacting with the centralized social networks that we have today. Blockchain-based social networks don't have that problem because in a quality blockchain network, the user still controls that data.
Dave Bittner: [00:18:41] Now, let's dig into that a little bit. When you say a quality blockchain social network, what do you mean by that?
Corey Petty: [00:18:48] One that's run in a trustless manner. The word blockchain is a very general term. And what people typically associate with it is either bitcoin or Ethereum or maybe one of the few other open trustless networks which have to operate in a manner that you basically don't trust anybody you're interacting with. And the system runs OK, but there's also a long string of experiments and attempts for people to write permissions and trusted networks that don't offer the same types of guarantees. But they're all under the same moniker blockchain, so it's really hard to kind of digest and grok the difference between these things if you don't understand that type of concept.
Dave Bittner: [00:19:27] What would the most obvious benefits be for a user of that sort of network?
Corey Petty: [00:19:32] Not having their data mined or not having to care about who can make decisions on the types of transactions you'd like to do or who you'd like to interact with. Right now, in a lot of these centralized services that we use, they're free because you're the product. It's not one of those things where the person who uses it gets to control the information they put into that network. It ends up putting a lot of power and a lot of profit into the hands of the people who own the network as opposed to a decentralized network, where that value is usually spread across the people who actually use it and not the people who administer it.
Dave Bittner: [00:20:09] You know, we had a listener write in with a question. And I think it may be a good one for you. They were asking, how do you deal with the tension between GDPR, which includes the right to be forgotten, and something like the blockchain, where information can't be easily deleted?
Corey Petty: [00:20:30] Or it can't be deleted whatsoever.
Dave Bittner: [00:20:32] Yeah.
Corey Petty: [00:20:32] That's going to be an interesting concept. And in the current state of blockchains, the thing that you use to interact with them is a pseudonymous address or just a string of numbers that ends up being your user ID, if you will. Your personal information attached to that address can be obfuscated or hidden so that people don't really need to know who you are when you interact with the blockchain and how you use it.
Corey Petty: [00:20:56] Further along the lines, we'll have things that require more information about the link between that user ID and the person who owns it, which could have pretty interesting consequences in terms of the right to be forgotten and such things because open and public blockchains get their trustlessness from the fact that they can't be changed.
Dave Bittner: [00:21:17] Right.
Corey Petty: [00:21:17] And I think it's more along the lines of, we need a change in these social interactions, and how we think about using applications needs to be changed. We can't assume that because we interact with something, it can be deleted later because that's the way it's always been.
Dave Bittner: [00:21:33] So take us through "The Bitcoin Podcast." What do you talk about there? And what do you hope your audience gets out of that one?
Corey Petty: [00:21:39] We started out creating that show because we felt that the majority of media surrounding bitcoin and blockchain - it was just bitcoin when we started, so it's called "The Bitcoin Podcast" - was overly technical and focused on a few projects that were the frontrunners of the entire ecosystem. We wanted to get a voice of everyone in the entire ecosystem.
Corey Petty: [00:22:00] So we've made it a point to interview everyone - the leaders, the creators, the people who trade things, the people who use it that's changed their lives in various ways. So we try and cast a very wide net in the types of information we put on that podcast. And I think we've been successful with it.
Dave Bittner: [00:22:18] Are there any particular insights that have struck you over the course of doing the show, things that you learned that you didn't expect when you were going into it?
Corey Petty: [00:22:28] I always heard the things that - or the ideologies that people pushed when this technology started becoming larger and larger and larger. As the different networks have been created, I've realized that they're all wrong. They're not necessarily wrong. They're just not complete.
Corey Petty: [00:22:44] There is - I think it's arrogant to say you know what blockchain will look like in the future because every time someone's said that, we've done something to make it look different. And it's so young, and there's so much to be learned and figured out that you have to take it at a grain of salt and roll with the punches.
Corey Petty: [00:23:05] And when we first started, bitcoin was the only thing that existed. And so people thought anything that tried to be like bitcoin would automatically fail or was an intruder. And over time, we've seen Ethereum grow and grow and grow and become something that is a very viable, useful network that is different than bitcoin.
Corey Petty: [00:23:22] And it's not one chain to rule them all. It's more along the lines of, many things to do, many types of applications and interaction. And so the future of what this whole thing is going to become is beyond my scope or understanding. And anyone who says they understand, I think, is naive.
Dave Bittner: [00:23:39] That's Corey Petty from Booz Allen Hamilton. Don't forget to check out his podcasts, "The Bitcoin Podcast" and "Hashing It Out."
Dave Bittner: [00:23:49] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:24:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik - social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Comodo Enterprise delivers a unified suite of next-generation cybersecurity solutions to protect 360 degrees of the enterprise attack surface. From stopping zero-days at the endpoint to providing rich threat intelligence across the globe, Comodo delivers strategic, multi-layer value to its' enterprise customers.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Test drive ObserveIT today – no installation required.
CYBRIC is the first to orchestrate and automate code and application security across the DevOps lifecycle. CYBRIC's Continuous Application Security Platform leverages patent-pending technology to seamlessly integrate security into the development process, delivering frictionless security assurance from code commit to application delivery. Learn more.