The CyberWire Daily Podcast 2.21.20
Ep 1029 | 2.21.20

DISA data breach. More complaints against alleged GRU operations in Georgia. Trolls move from creation to curation. The UK deals with high-risk 5G vendors.

Transcript

Dave Bittner: [00:00:03] The U.S. Defense Information Agency discloses a data breach affecting personal information of up to 200,000 individuals. More international reprobation of the alleged GRU hack of Georgian websites. Trolls move from creation to curation. Stalkerware data exposure. And a look at how the U.K. might actually implement its compromised position on high-risk 5G vendors.

Dave Bittner: [00:00:34]  And now a word from our sponsor, ExtraHop - securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption just like they want to support enterprises' IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multi-cloud and hybrid enterprises. Or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:29]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:55]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 21, 2020. 

Dave Bittner: [00:02:03]  The U.S. Defense Information Systems Agency, DISA, disclosed that between May and July of 2019, one of its systems sustained a data breach that may have compromised personal data. According to Fifth Domain, DISA wrote affected personnel, who may number up to 200,000, that their names and Social Security numbers may have been compromised. Which systems were breached is unclear, as is whether the incident was an attack or a data exposure. Reuters emphasizes that DISA provides telecommunication services to the White House and other high-level U.S. government organizations. That's true but possibly misleading, as DISA does far more than that. It's a combat support agency whose mission is to "conduct Department of Defense Information Network Operations for the joint warfighter." Most Service Members, Defense employees, and contractors touch DISA networks, so this would appear to be a case of a breach of PII as opposed to the penetration of sensitive executive branch networks. 

Dave Bittner: [00:03:06]  Other countries have joined the U.S., the U.K. and Georgia in condemning what they call a large-scale GRU defacement attack against Georgian websites last October, Fifth Domain and others report. Naming and shaming are thought part of a broader effort to reinforce international norms of conduct in cyberspace. Other allied governments, including governments with strong institutional memories of Russian hybrid operations, like those of Estonia and the Czech Republic, have also joined in the criticism of Moscow's operations against Georgia. The Georgian operations were almost purely disruptive, figurative sand in the metaphorical gears of civil society. With that in mind, it's worth reviewing. The Atlantic looks at Russian influence operations directed against the 2020 U.S. elections and concludes that the Americans themselves are doing a good job of creating divisive content all on their own and that the Russians seem to have moved from creation to curation. 

Dave Bittner: [00:04:04]  It's impossible to resist the temptation to quote Pogo Possum on this. We have met the enemy, and he is us, as he famously said more than half a century ago. There is enough ill will and paranoia in domestic production to leave the troll farms of St. Petersburg with little to do beyond retweeting it. As the Atlantic observes, quote, "the U.S. doesn't need Russians to erode faith in its elections. One buggy app at the Iowa caucus did that just fine," end quote. 

Dave Bittner: [00:04:33]  Moscow remains interested in weakening American civil society and can be expected to continue its efforts along those lines. But we may not see a revival of 2016-style hacking and creative disinformation. Amplification and curation may well do it. The Atlantic talked to Graham Brookie, director of the Digital Forensic Research Lab at the Atlantic Council - no relation to the Atlantic magazine, by the way. They quote Brookie as saying of Russia's Internet Research Agency, the highest-profile troll farm of them all, that at this point, quote, "they could spike the football and say mission accomplished," end quote. Maybe they will. 

Dave Bittner: [00:05:12]  TechCrunch reports that KidsGuard, an app designed to monitor what children do with their phones - also spouses, employees and so on - exfiltrates data to a leaky Alibaba bucket. KidsGuard is a legal tool that, as its name implies, is marketed to parents interested in keeping a handle on their wards' and offspring's online shenanigans. Its manufacturer, ClevGuard, says KidsGuard can access all the information on a targeted device, and that includes real-time location, text messages, browser history, photos, videos, app activities and recordings of phone calls. The exposure of exfiltrated data seems to be the result of a misconfiguration and not a deliberate choice on the vendor's part. Apps like KidsGuard have come to be known as stalkerware for the relative ease with which they're repurposed to snoop on people who decidedly aren't underage children.

Dave Bittner: [00:06:07]  And finally, as the U.S. continues to try to persuade its allies that they should keep Huawei out of their 5G infrastructure, the chief technology officer of Huawei's networking unit, Paul Scanlan, told CNBC that the U.S. government would find it difficult to come up with companies that would be credible 5G alternatives to Huawei. The U.S. has urged the U.K. and others to recognize and resist Huawei propaganda to the effect that the hardware giant is 5G deployment's indispensable company. 

Dave Bittner: [00:06:37]  A decision by what the Register calls the Ministry of Fun suggests that the actual implementation of Britain's compromise position on Chinese manufacturers may be more restrictive than many had believed. The Department for Digital, Culture, Media and Sport - to give the Ministry of Fun its proper name - has opened bidding on nine rural 5G pilots with a total value of 35 million pounds. In requesting proposals, the department said, however, that none of the winning projects or future projects from 5G Create will use equipment from high-risk vendors. 

0:07:13:(SOUNDBITE OF TRAILER) 

Unidentified Actor: [00:07:14]  (As narrator) England, in the gallant days when history hung on the point of an arrow or the slice of a sword, when feudal barons ravaged the countryside to live in pomp and splendor, when one man alone dared challenge the might of his country's oppressors - Robin Hood, outlaw of Sherwood Forest, and his stalwart men, robbing the rich to feed the poor, ready to fight for king, for country or for maiden fair. 

Errol Flynn: [00:07:36]  (As Robin Hood) Are you with me? 

0:07:36:(CHEERING) 

Dave Bittner: [00:07:38]  The specific nature of some of those products is suggestive of how expansive the notion of core infrastructure is becoming. They include water pollution control projects, woodland and livestock remote monitoring and even an interactive system designed for tourists visiting Sherwood Forest - specifically, a virtual-reality Robin Hood and his merry men. 

Dave Bittner: [00:08:00]  That a VR Robin Hood would be too sensitive to allow Huawei in - hence that the reality of the U.K.'s implementation of compromise restrictions on Huawei and other Chinese vendors won't be as far from the notoriously harder American line as Washington fears. Unless, of course, Sherwood Forest is a bigger national security deal than it appears to us over here - Sheriff of Nottingham, Prince John. What was that passage in the movie?

0:08:27:(SOUNDBITE OF FILM, "THE ADVENTURES OF ROBIN HOOD") 

Olivia De Havilland: [00:08:28]  (As Maid Marian) Why, you speak treason. 

Errol Flynn: [00:08:31]  (As Robin Hood) Fluently. 

Dave Bittner: [00:08:31]  Right. 

Dave Bittner: [00:08:37]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single sign-on password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization. Add an additional layer of security to every single login through multi-factor authentication. Securely authenticate into your work using biometrics like fingerprint or face. Deliver a passwordless login experience for employees while securing every password in use through Enterprise password management, and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, go to lastpass.com/enterprise. That's lastpass.com/enterprise. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:10:04]  And it is my pleasure to welcome back to the studio, in studio this time, is Rick Howard, who regular CyberWire listeners will recognize. Rick has joined us over the years. For many years, you were the chief security officer at Palo Alto Networks. 

Rick Howard: [00:10:20]  That's right. And so thanks for letting me into the inner sanctum of... 

0:10:24:(LAUGHTER) 

Rick Howard: [00:10:24]  ...The CyberWire. I've been listening to it for years, and now I get to see how it's really done. So I'd say it's pretty exciting for me. 

Dave Bittner: [00:10:30]  Yeah. Well, we're excited to have you here. And part of what we want to talk about today is a little bit of a career journey that you've been on for the past couple months. Bring us up to date. What's been going on? 

Rick Howard: [00:10:41]  Well, I was - as you said, I worked at Palo Alto Networks. I was their chief security officer, and I was there for a good six years. And I was talking to my wife about this earlier. I was 75% on the road. 

Dave Bittner: [00:10:53]  Wow. 

Rick Howard: [00:10:53]  I didn't realize how insane that was until I actually stopped. And it was, like, oh this is what normal people do. 

0:10:59:(LAUGHTER) 

Dave Bittner: [00:11:00]  You reintroduced yourself to your wife and family. 

Rick Howard: [00:11:02]  That's right. I had dinner with my wife and walked my dogs. Yeah, so it was enlightening that normal people have that kind of life. So I had the opportunity to just kind of think about what I wanted to be when I grow up. And I knew that I didn't just want to go and, you know, work for another corporation just to make money. I've been doing this job and similar jobs for - geez, 25 years. And you may notice I have some opinions about how to do stuff (laughter).

Dave Bittner: [00:11:27]  Yeah. Yeah. I noticed. 

Rick Howard: [00:11:29]  So - and, you know, I could either do what my traditional peers have done, which is, you know, consult or, you know, go work on boards. And - but I'm looking for scale, all right? How do I transmit some of these ideas to - you know, to a larger audience? That's kind of what I was thinking about. 

Dave Bittner: [00:11:46]  And so ultimately, the decision that you made - which, I have to admit, benefits me personally, everyone here at the CyberWire and all of our listeners - is - what is it, Rick? 

Rick Howard: [00:11:57]  I have taken a job - starting today, as a matter of fact - to be the chief security officer and senior fellow and chief analyst for the CyberWire. 

Dave Bittner: [00:12:07]  Yes. It's been so hard to hold back the news that - I knew the potential was that you'd be coming and joining our team. And we're just so excited, pleased as punch for you to join us. Of course, I looked it up. You know, you and I met probably five years ago... 

Rick Howard: [00:12:22]  Is that right? Has it been... 

Dave Bittner: [00:12:22]  Yeah. 

Rick Howard: [00:12:22]  ...Five years ago? 

Dave Bittner: [00:12:23]  Yeah. On the show floor at RSA, we came and did an interview together, of course, when you were at Palo Alto. And I feel like we just hit it off and have been doing these segments ever since. We've brought you on as a partner, and it's just been really great. So to have you join our team here at the CyberWire - it's just really exciting for all of us here. 

Rick Howard: [00:12:41]  Well, you know, it's amazing. I'm a big podcast guy. I was - I've been listening to podcasts before there were podcasts because I hate radio commercials. 

Dave Bittner: [00:12:49]  Uh-huh. 

Rick Howard: [00:12:50]  Right? And so - and, by the way, you may know this, but there are thousands of cybersecurity podcasts, and most of them are not very good. So over the years, I've picked two that I listen to all the time, and the No. 1 has been the CyberWire. So when I was looking around, as a lark, when I - over the Christmas break, I sent you a note and said, hey, how about bringing me on as a podcast host? And then it just kind of snowballed to this kind of opportunity, so... 

Dave Bittner: [00:13:17]  Right. 

Rick Howard: [00:13:17]  ...Very excited. 

Dave Bittner: [00:13:18]  Yeah, yeah - us too. Well, I mean, let's dig in a little bit for our audience. I mean, what kinds of things are you hoping to do here as you join our team? And we've got our sights set on having you have some shows of your own. What sort of things do you have in mind? 

Rick Howard: [00:13:30]  I'm very interested in how the cybersecurity industry - I call the people that work there our network defenders, right? - and how we think about cybersecurity. It feels like we haven't really innovated in a very long time. We have been incrementally improving cybersecurity but not really disrupting cybersecurity. So I like to think about those kinds of ideas - how to take a giant leap in how we do our job as opposed to just every day getting a little bit better. So those are the kinds of things that interest me a lot. 

Dave Bittner: [00:14:00]  Yeah. Well, I have to say, I'm sure everyone out there can hear my own excitement here. 

Rick Howard: [00:14:05]  (Laughter). 

Dave Bittner: [00:14:05]  It's great to have you aboard. I know you're excited, too. I guess for the first time, I will say it - the CyberWire's Rick Howard. 

Rick Howard: [00:14:12]  Excellent. 

0:14:13:(LAUGHTER) 

Dave Bittner: [00:14:14]  Thanks for joining us. 

Rick Howard: [00:14:15]  Thank you, sir. 

Dave Bittner: [00:14:21]  And now a word from our sponsor, Plextrac. Plextrac is the ultimate purple teaming platform, guiding the healthy collaboration of your red and blue teams through a single web-based interface. Plextrac does this by first elevating red teams, eliminating the struggle of reporting and allowing the team to focus on what's important - identifying security issues. Red teams are provided with an easy-to-use platform that allows reports to be created and then exported with a click of a button, saving the team valuable time. Plextrac also powers up blue teams by providing them with a platform to consolidate findings and then remediate them in an efficient and timely manner. Gone are the days of 500-page penetration test reports, as Plextrac streamlines the process with a status tracker, integrations with ticketing systems, dashboards and analytic capabilities and much more. We're also excited to announce that Plextrac will be at RSA 2020 in San Francisco, so make sure to stop by booth No. 16 at their early-stage expo hall to learn why Plextrac is the ultimate purple teaming platform. However, if you won't be at RSA, you can visit their website at plextrac.com/demo to learn more. That's plextrac.com/demo. And we thank Plextrac for sponsoring our show. 

Dave Bittner: [00:15:50]  My guest today is Aisling MacRunnels. She is chief business officer at Synack. She's also among a team of organizers of the Courageous Women CISO Brunch as well as a women-only capture the flag at the upcoming RSA Conference in San Francisco. 

Aisling MacRunnels: [00:16:06]  At Synack, we are the trusted leader in crowdsourced security. That means we have a crowdsource security testing platform that is based on harnessing the best of artificial intelligence and human intelligence together to provide the best possible results. Now, when you do that, you have to be able to harness the best and most brilliant humans from a security perspective across the planet in order to be able to bring the diversity of plots to the table to be able to test thoroughly. What we found is - that was we were harnessing researchers across the world - and we do so from 80 different countries. We found that we were well represented culturally but that we were very underrepresented from a female perspective.

Aisling MacRunnels: [00:17:02]  And so, because of that, we've had for the last number of years a focus on being able to encourage more women to consider security as a career and encourage the women in security to continue to play an ongoing, vibrant role in participating very fully in the security ecosystem.

Dave Bittner: [00:17:26]  Well, let's talk about the brunch that you're going to be hosting at RSA. This is the Courageous Women CISO Brunch. What can attendees expect? 

Aisling MacRunnels: [00:17:35]  So this is, I think, the eighth one of these that we've actually done across the country. And we've always had rave reviews. It's actually a pretty lighthearted brunch where we have a group discussion about some of the challenges and opportunities that we see in security today. Some of them are technical issues. Some of them are more career-oriented.

Aisling MacRunnels: [00:18:00]  In general, what we have found is that women are dramatically underrepresented in security, as I mentioned. Today, we have only 1 in 5 women playing a C-level role in the security industry. And it's even worse at the practitioner level, believe it or not. And this is an industry that is right now struggling with a massive talent gap where we need to recruit just great people across the board, and so women are very, very underrepresented in that group. So what we have put together is a meeting that we hold regularly - this one is a brunch - where people can chat and encourage and empower each other to be part of this community.

Dave Bittner: [00:18:48]  You know, when I've had conversations with a variety of women in cybersecurity, something that I've heard many times is that there are conversations that can take place at events like this that just can't happen at mixed-sex events where they have men and women together - that by having women together, that opens up an avenue for conversations of frankness and candor that would be difficult to have in a mixed environment. Is that your experience as well? 

Aisling MacRunnels: [00:19:19]  It actually is. We've had amazing sessions where, you know, the feedback I've gotten before is tremendous. And I think it's exactly what you're saying - is that there's a lot of different networking sessions in the security industry. Very few of them are focused in on women, allowing women to speak in a way that's very comfortable, to open up and ask for advice from others in a comfortable, easy way.

Dave Bittner: [00:19:43]  Now, you're also organizing a women-only capture-the-flag event. Can you share some of the details on that one for us? 

Aisling MacRunnels: [00:19:49]  Yeah, absolutely. Similarly, we find that from a researcher perspective - again, we source researchers from 80 different countries across the world. And yet, the women only make up about 12% of that group - so, given that it should be closer to 50%, just massively underrepresented. Now, this one's really interesting for me because a lot of people may not understand the life of a, you know, great, ethical researcher. For us, we have a wonderful group of researchers, many of whom are dads who work from home and have a great lifestyle because they're able to participate in earning an income by working on the Synack platform and finding vulnerabilities for our clients. And our clients are the government and some of the largest enterprises out there.

Aisling MacRunnels: [00:20:48]  Now, these stay-at-home dads often can, like I said, work in a normal setting, and they can work from wherever they live. I think it's a shame that more women don't realize that this is a career that they can also participate in, and that being a great, ethical hacker gives you an enormous amount of freedom to be able to earn an income from wherever you live and to earn it on your own schedule and your own hours.

Aisling MacRunnels: [00:21:17]  So the women-only capture the flag, again, is an initiative to try and encourage women to be able to support each other in getting into this career and see each other - you know, see the great researchers that we have that are making a living here. And hopefully, that will motivate others. This forum is really about women advocating for women, supporting women in a really positive way.

Dave Bittner: [00:21:41]  That's Aisling MacRunnels from Synack. 

Dave Bittner: [00:21:49]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing too. 

Dave Bittner: [00:21:59]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:22:11]  Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:22:31]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Don't forget - tomorrow is Research Saturday. We'll see you back here next week.