More notes on the RCMP espionage scandal. The CSE’s preliminary assessment sounds serious indeed, and Canadian intelligence services are trying to identify and contain the damage Cameron Ortis is alleged to have done. And the other Four Eyes are doing so as well. Australia considered that a hacking incident early this spring may have been a Chinese effort to compromise election systems. ISIS is back online. And Mr. Snowden wouldn’t mind asylum in France. David Dufour from Webroot with thoughts on backups. Carole Theriault interviews ethical hacker Zoe Rose, who shares insights on entering the industry.
Dave Bittner: [00:00:03] More notes on the RCMP espionage scandal. The CSE's preliminary assessment sounds serious indeed, and Canadian intelligence services are trying to identify and contain the damage Cameron Ortis is alleged to have done; the other Four Eyes are doing so as well. Australia considered that a hacking incident early this spring may have been a Chinese effort to compromise election systems. ISIS is back online. And Mr. Snowden wouldn't mind asylum in France.
Dave Bittner: [00:00:37] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first; it's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 17, 2019. The presumably now former director general of the Royal Canadian Mounted Police National Intelligence Coordination Center, Cameron Ortis, had access to sensitive intelligence provided by Canada's Five Eyes partners, Canadian officials now say. Mr. Ortis was indicted last week on charges of violating the Information Security Act. The CBC reports that Canada's Communications Security Establishment's preliminary assessment holds that the damage done by the release of these reports and intelligence is high and potentially devastating, which sounds serious indeed. The word high in the CSE's assessment is in all capital letters for emphasis. Crown Counsel is understandably not saying too much, but prosecutors did say, without going into too much detail, it is alleged he obtained, stored and processed sensitive information, the Crown believes, with the intent to communicate that information with people he shouldn't be communicating to.
Dave Bittner: [00:03:13] The CSE is the rough equivalent of the Australian Signals Directorate, New Zealand's Government Communications Security Bureau, Britain's Government Communications Headquarters and the American National Security Agency. How much intelligence from the other Eyes - Australia, New Zealand, the United Kingdom and the United States - was compromised is unclear, but The Washington Post observes that Canada is reckoned a net consumer of information, receiving more than it gives. So Ottawa is concerned not only about its own counterintelligence problems, but about the possibility of fallout on its key allies.
Dave Bittner: [00:03:50] As his job title suggests, Mr. Ortis was no small fish. He held an important position in Canadian intelligence, and he had access to a great deal of sensitive information. Global News reported that, quote, "Ortis had access to the following information - identities of undercover Canadian police and undercover Canadian agents operating domestically and abroad," quote. Again, it's not known how much of this is blown, nor to whom it may have been blown, but the potential damage is indeed serious. At the time of his arrest, among other official duties, Mr. Ortis is said to have been overseeing an investigation of Russian money laundering, specifically a $230 million fraud scheme Sergei Magnitsky exposed in 2008. Magnitsky, a Russian tax adviser, blew the whistle on the fraud believed to have been run by senior Russian interior and tax officials.
Dave Bittner: [00:04:47] He was arrested by Russian police and murdered in jail in 2009. The U.S. Magnitsky Act, passed by Congress in 2012, is named in his honor and forbids those implicated in the murder from entering the U.S. or using the U.S. banking system. Mr. Ortis apparently approached Phantom Secure Communications, a Vancouver firm whose CEO is now in a U.S. prison, serving time for offenses related to provision of encryption services to the Sinaloa drug cartel. In June 2017, a joint investigation by the FBI, RCMP and Australian Federal Police resulted in the indictment of Phantom Secure executives in the U.S. District Court for the Southern District of California. The company's CEO, Vincent Ramos, was sentenced to nine years on May 28 of this year. He's a Canadian citizen. Four of his colleagues from Phantom Secure remain at large.
Dave Bittner: [00:05:44] Evidence of Mr. Ortis' contact with the company was discovered, the Globe and Mail reports, on a laptop the FBI seized during its investigation of Phantom Secure. The content of some emails, among other evidence, prompted the investigation that resulted in his arrest. Canadian police completed their investigation, according to reports, with a quiet search of Mr. Ortis' condo last month. A conviction on all counts could earn Mr. Ortis a sentence of 37 years.
Dave Bittner: [00:06:16] We should note that Phantom Secure Communications, the company implicated in the FBI's case against those who helped the Sinaloa Cartel's drug traffickers evade surveillance and wiretapping, has no connection to the 2016 RSAC Innovation Sandbox winner, Phantom, a cybersecurity company that's now owned by Splunk.
Dave Bittner: [00:06:37] Many of us consider it important to provide mentorship, guidance and inspiration for the next generation of cybersecurity professionals. How do we make sure the messages we're putting out there are the types of things they really need to hear? Carole Theriault files this report.
Carole Theriault: [00:06:53] So I dedicate a lot of time to educating people on how to be safer online through podcasts like this one, speaking at schools and events and so on. Zoe Rose is an ethical hacker based in the U.K., and she too is very involved in helping people be safer online. I asked her about her experiences and what advice she had for young people, especially women who might want to get into the industry. Here's Zoe Rose.
Zoe Rose: [00:07:18] Reality is - I mean, if you look back before there was all this technology in our lives and we were coding through, you know, sheets of paper that have holes punched in it - but if you looked at it, these people, the majority of them, were women. If you watch the "Hidden Figures" movie, they were - those women were the computers, you know. They were the ones doing all the technical. So it's not really unique to women, but I think it's more the cultural change of where we've made that assumption that it makes us unique. And so I think identifying to young people that, actually, it does come naturally, and you're not - it's not going to be ridiculously challenging for you to get into it because you probably have a good understanding.
Carole Theriault: [00:08:05] Do you feel that women are treated differently in the industry?
Zoe Rose: [00:08:11] What I've noticed is - in the beginning, I found it very challenging. This is more than 10 years ago, mind you, but I was told by one organization they don't hire women because they're too distracting to men.
Carole Theriault: [00:08:24] (Laughter).
Zoe Rose: [00:08:25] I've had - yeah, I know. I told them to stop hiring children.
Zoe Rose: [00:08:33] I've also had situations where I've had to block colleagues and, you know, remove them from my life because they've become very uncomfortable and I've felt unsafe. But what I've noticed was, in those situations, it was the top down that was allowing that culture to exist.
Carole Theriault: [00:08:53] Right.
Zoe Rose: [00:08:53] It wasn't, everybody thought that; it was that senior leadership didn't say anything or actively participated in that belief. And actually, finding organizations that aren't like that, I mean, back then I found it very challenging, but now I find it actually quite a bit easier. And when I find an organization I potentially want to work for, I look at how senior leadership, you know, approaches this.
Carole Theriault: [00:09:24] So I don't know if it's easier now because I am much more knowledgeable in security and, you know, know a lot more than I did 15, 20 years ago. My instincts say to me that the environment is changing for the good, and it is - I think it's easier for women to get into the industry now than it may have been. But at the same time, there's probably going to be new challenges now.
Zoe Rose: [00:09:45] Definitely. So last year I spoke in Sri Lanka, and then what really stood out to me and the reason I bring this up is I presented - I think I called it In The Life Of An Ethical Hacker, and afterwards I got a lot of young men, school-aged to just about to graduate, and the young men came up and they were like, oh, I'm going to be the most elite pen tester, or I'm going to be the coolest hacker. And none of them talked about their skills or anything; they just talked about how they're going to be super elite.
Zoe Rose: [00:10:17] And then these two young women came up to me, and they were like, you know what? Actually, it was really cool hearing your talk because I never thought I'd be good enough to be a hacker or I'd be good enough to be a programmer; I really thought that I just don't have the skill. So I was talking to them about their experience, and my goodness, Carole, these two young ladies are more advanced, more intelligent than I could ever dream to be. They were so skilled. It was bloody impressive.
Zoe Rose: [00:10:49] And I was thinking about that after, and I was, like, looking at the males and how, you know, confident they were that they were going to take over the world, whereas these two young women, they were highly technical but didn't think they were. They were very intelligent, very hardworking, and yet they still worried that they wouldn't be good enough.
Carole Theriault: [00:11:09] It is really refreshing to hear about young people that understand that, in order to become really good at something, it takes a lot of patience and work and skill. And that's how you develop the skill, by just dedicating yourself to it.
Zoe Rose: [00:11:19] Definitely. I mean, my background is networking, network architecture, and then I went into network security, and then I went into cybersecurity. So I admit that I've got gaps in my knowledge. I mean, I was never a programmer, and I would never say I am. And that, to me, is vital because people will come to me and be like, how can I be the best programmer? And I'll be like, honestly, I'm not going to be most effective person, but here's the people that you should speak to because they're brilliant.
Carole Theriault: [00:11:46] I like what she says about women and technology having always been intertwined and that women tend to really work on their skills before they get into the industry. This could just give them a bit of edge. This was Carole Theriault for the CyberWire.
Dave Bittner: [00:12:02] Australian officials were concerned that attacks on Parliament and three major political parties, now generally thought to have been conducted by China, also aimed at compromising state and territorial election systems, the Australian Broadcasting Corporation reports. The several electoral commissions were asked to investigate whether they'd been penetrated and to let Canberra know what they found. In all cases, the report says, the findings were negative - they had not been hacked.
Dave Bittner: [00:12:30] The Islamic State, ISIS, which has for some time been hidden from view, has resurfaced online with messages urging adherents to establish new bases of operation in Southeast Asia and howling for any lone wolves who might be listening to do whatever they can to free ISIS detainees from whatever jails, prisons or camps that are holding them. And finally, in the midst of other Edward Snowden news that's come out this week, as the bad boy of the sys-admin world talks to people about his forthcoming memoir, is this nugget. The AP says Ed Snowden would rather receive asylum in France than Russia. Well, we would, too, if it came down to it. But asylum in France? Pick a number, Ed.
Dave Bittner: [00:13:21] And now a word from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to electric infrastructure are progressing in both frequency and sophistication. In their latest whitepaper and webinar, Dragos re-analyzes the 2016 Ukraine cyberattack to reveal previously unknown information about the Crashoverride malware, its intentions and why it has far more serious and complex implications for the electric community than originally assessed. Learn more about Crashoverride and what defenses to take to combat future sophisticated cyberattacks by reading the whitepaper at dragos.com/white-papers or watching their webinar at dragos.com/webinars. To learn more about Dragos' intelligence-driven approach to industrial cybersecurity, register for a free 30-day trial of their ICS threat intelligence at dragos.com/worldview. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:14:32] And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. I wanted to touch today on file backups and some of the nuances in how people define backups and what's the difference between backups and syncing and things like that.
David Dufour: [00:14:51] Great to be back, David. And, you know, this was, literally, for the past three years, one of my hot-button topics. If any of your listeners ever find me at a conference and they want to watch me, you know, fall over...
Dave Bittner: [00:15:02] (Laughter).
David Dufour: [00:15:02] ...Just bring up this topic and it makes me pass out because we do it - I cannot talk about this enough; it's so important. Fundamentally, file syncing - this is when you're using your OneDrive or your iCloud, where - or Dropbox, and these are all amazing, wonderful products, and I use them heavily. And what they do is they keep my data synchronized across my machines. And one of the most beautiful things they do is, when one of my machines dies or I drop it, you know, in a lake and it's no longer usable, I know my data is in the cloud. I can go to the store, buy a new computer and bring my data down. Folks like you and me, David, we remember the good old days, back in the '90s, when you bought a new computer and it'd take you four days to get your data over, right?
Dave Bittner: [00:15:46] (Laughter) Yeah, yeah. Yeah, I do.
David Dufour: [00:15:48] But that synchronization process and because you can buy a new computer and get your data onto that machine quickly, that process has people thinking, oh, my data is backed up. The problem with that is one instance of your data exists, and you're able to get to it from many devices. And my point in this, a proper backup is - whether it's online or offline - is something that is iterative. You can roll back to different versions. You are able to pull it down or pull it out of a drawer because you did it on a disk and put it in a machine and get your information back. Again, a lot of the services today are doing a really good job of protecting your information, etc. But what happens if you get corrupted data and that corrupted data then syncs to all your machines?
Dave Bittner: [00:16:38] Right.
David Dufour: [00:16:38] Guess what? You don't have a backup; you have a bunch of synced-up corrupted data.
Dave Bittner: [00:16:43] I think for a lot of people, probably myself included, at some point along the way, you learn that lesson the hard way.
David Dufour: [00:16:50] You do because all of a sudden - and this is a very extreme case. It's possible it doesn't happen that often. But it's possible your local folder gets hacked, ransomware encrypts all that data, that data syncs up to the cloud, and what you thought was a backup is no longer a backup; it's just a synchronized bunch of ransomware data. So that's an extreme case. But, David, that's not the only case. A more common case is, you know, you're a big photo-taker. I know you're taking those selfies all the time on your iPhone, David.
Dave Bittner: [00:17:20] That's true.
David Dufour: [00:17:20] Because the world would be a lesser place without them.
Dave Bittner: [00:17:24] (Laughter) I can't deny that.
David Dufour: [00:17:25] Yes. But what happens when you fill up that synchronization folder and that data is no longer synchronizing, but you're not paying attention to it - you're just clicking ignore, clicking ignore - your sync folder's full, and all of a sudden, the important information that's on one machine is lost; you don't have it anymore. This is again why - it's another example of why proper backups are so critical, especially for businesses, but individuals should think about it as well.
Dave Bittner: [00:17:51] Now, what about this notion that I hear from folks in the backup game that one is none, that one backup is not sufficient - if something's important to me, I need to have it in at least two places aside from the original?
David Dufour: [00:18:03] I could not agree more. I do believe in online backup technology. I think it's great. But you're absolutely right - one is none. I'm a huge proponent of backing up your data, having it in that synchronized place as well. But being in the industry I'm in, one of the biggest things I believe in is, if it's something you cannot lose - it is so important to you your life will be over if you lose it - put it on hard media, and put it in a drawer somewhere. That is the best way to have data backed up.
Dave Bittner: [00:18:31] So that external hard drive that external flash drive - whatever it is - just keep that copy disconnected from the main system.
David Dufour: [00:18:40] That's exactly right.
Dave Bittner: [00:18:41] Yeah.
David Dufour: [00:18:42] Because you don't want hackers getting to it.
Dave Bittner: [00:18:44] Right. Yeah. Have that high impedance air gap, right?
David Dufour: [00:18:47] Exactly.
Dave Bittner: [00:18:49] All right. Well, as always, David Dufour, thanks for joining us.
David Dufour: [00:18:52] Hey, great being here, David.
Dave Bittner: [00:18:58] And that's the CyberWire.
Dave Bittner: [00:19:00] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:11] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ExtraHop provides cyber analytics for the hybrid enterprise. Using wire data and machine learning for real-time threat detection and investigation from Core to Cloud, ExtraHop delivers unprecedented visibility, definitive insights, and immediate answers so security teams can act with confidence. Learn more at ExtraHop.
Dragos, Inc. is an industrial cybersecurity company focused on protecting infrastructure such as power grids, water sites, manufacturing networks, and oil and gas pipelines. Our Dragos Platform, Threat Operations Center, and Dragos Intelligence team provide the community with the technology, services, and intelligence it needs to safeguard civilization. Learn more at dragos.com.