The CyberWire Daily Podcast 2.8.21
Ep 1265 | 2.8.21

A junta shuts down a nation’s data networks. Lessons from multi-domain ops against ISIS? SilentFade returns. Iran’s surveillance actors. Data breaches large and small. Company towns returning?

Transcript

Dave Bittner: Myanmar blocks data networks. Notes on offensive cyber operations from present and former Five Eyes officials. SilentFade seems to be back with more ad fraud. Iranian cyber operators up their surveillance game. Brazil's big data breach remains under investigation. Company towns may make a return to Nevada. Rick Howard casts his gaze on the AWS cloud. We welcome Dinah Davis from Arctic Wolf as our newest industry partner. And why in the world are hackers interested in other people's colonoscopies?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 8, 2021. 

Dave Bittner: On Saturday, Myanmar's Ministry of Transport and Communications directed that all mobile operators serving the country block the nation's data network. Voice and SMS services will remain available, TechCrunch reports. The general interdiction of data services follows earlier decisions by the country's new military government to block first Facebook and then Instagram and Twitter. The ruling junta has sought to tamp down opportunities for mobilization of dissent and opposition since it took power in a coup last month. 

Dave Bittner: "The Grey Zone" podcast yesterday featured an interview with GCHQ director Jeremy Fleming and General Sir Patrick Sanders, head of the U.K.'s Strategic Command also responsible for military cyber operations, in which they described Britain's cyber operations against ISIS. British cyber forces disrupted the terrorist group's drone operations, denied their operators mobile service and interfered with online propaganda. 

Dave Bittner: The campaign by Britain's National Cyber Force, most active in 2016 and 2017, is, Sky News says, the U.K.'s only publicly avowed offensive cyber operation to date. The counterpropaganda influence operation is, in some ways, the most interesting and intrusive of the efforts. Fleming is quoted as saying, "we prevented their propaganda, both through physical actions on the battlefield, but also remotely getting to their servers, getting to the places they stored their material," end quote. The intrusion into ISIS networks extended to locking ISIS members out of accounts, deleting or altering the group's information and taking down online posts and videos. 

Dave Bittner: General Sanders said, quote, "we wanted to ensure that when they tried to coordinate attacks on our forces, their devices didn't work, that they couldn't trust the orders that were coming to them from their seniors," end quote. He added that deception and misdirection were important ways of degrading ISIS combat power. 

Dave Bittner: Tactically, British cyber operators said to have been working closely with allies, including the U.S., were able to block ISIS commanders' orders from reaching subordinates and were also able to misdirect ISIS forces on the ground, in some cases sending their units into kill zones. 

Dave Bittner: It was, General Sanders explained, a combined arms, multidomain effort. The cyber operations didn't stand on their own. He said, quote, "we wanted to deceive them and to misdirect them to make them less effective, less cohesive and sap their morale. But you can't just do that in cyberspace. You have to coordinate and integrate that with activities that are going on on the ground, whether it's from our own forces, special forces and others," end quote. 

Dave Bittner: Former director of the US Cybersecurity and Infrastructure Security Agency Chris Krebs drew some press attention over the weekend with an interview he gave the Financial Times. The headline in the media outlet Silicon is representative. Quote, "Ex-US Cyber Boss Calls for Military Strikes on Ransomware Hackers," it says, which suggests a brace of tomahawks prancing downtown to hit Egregor extortionists in their parents' basements or maybe the predawn vertical insertion of a Ranger battalion to put paid to the Ragnar Locker gang in whatever tacky cyber cafe they're using. 

Dave Bittner: But a close reading - or actually a pretty casual reading - of Krebs' remarks indicates that he's pretty much closer in his thinking to GCHQ's Fleming than he is to, say, Curtis LeMay or George Patton. His point is that ransomware is sufficiently destructive and costly to make it worth a government's while to actively disrupt the gang's operations. Military cyber units like US Cyber Command and the UK's National Cyber Force have disruptive capabilities law enforcement organizations don't, and it might be useful to think about how they might be used, if at all. There may be decisive legal objections to doing so. On the other hand, there might be some legal models under which that kind of action might be legitimately organized. What if ransomware actors could be treated like pirates, for example? 

Dave Bittner: New Post reports that Kaspersky has discerned new activity by the crew using the SilentFade malware. SilentFade is an online ad-fraud operation that Kaspersky has observed resurgent against victims in Asia and Europe. They'll be worth watching. The SilentFade gang is thought to have been responsible for some $4 million in fraud against Facebook users in 2019. 

Dave Bittner: Security firm Check Point's updates on Iranian cyber threat actors Domestic Kitten and Infy warns that both groups remain active, mostly against dissident targets. Check Point calls them advanced and writes that they have a lot in common. Quote, "both groups have conducted long-running cyberattacks and intrusive surveillance campaigns, which target both individuals' mobile devices and personal computers. The operators of these campaigns are clearly active, responsive and constantly seeking new attack vectors and techniques to ensure the longevity of their operations," end quote. Iranian dissidents both at home and in the Iranian diaspora are prime targets of surveillance, as are ethnic Kurds, which Tehran regards with suspicion as an unreliable, probably separatist element. 

Dave Bittner: Reuters reported this morning that Experian is investigating the large quantity of personal information found in January, apparently for sale on the internet. The data's provenance was and remains unclear, and Experian has been looking into whether the information might have come from its Brazilian subsidiary Serasa. The data include photographs, Social Security details, vehicle registrations and social media login details, none of which its subsidiary collects. Experian says it's been unable to find evidence that its systems had been compromised and that the data breach doesn't appear to have originated with Serasa. 

Dave Bittner: Threat actors obtained and posted patient information from two medical centers, one in Florida, the other in Texas. Patient names, dates of birth, letters to insurers and colonoscopy results were posted, but to what end is unclear. Leon Medical Centers in Miami and Nocona General Hospital in Texas were affected by the incident. 

Dave Bittner: According to NBC News, the hospitals' data weren't locked up, and the medical centers haven't received the extortion demands one would expect in a ransomware attack. It's difficult to imagine that this is simply a case of art for art's sake, but what's in it for the attackers? Surely not the lulz, one would think, but what else it might have been remains obscure. 

Dave Bittner: Always wanted to be a local politician, but you've always thought you'd like it better if local government were run more like a business and so forth? Hey, move to Nevada. 

Dave Bittner: The U.S. state of Nevada, in a bid to foster economic development, is considering the creation of Innovation Zones, effectively alternative forms of local government. Companies with large tracts of undeveloped land - there's no shortage of undeveloped land in Nevada - would be able to organize local governments with authority to impose taxes, form school districts and courts and provide government services. Effectively, they would be able to do the sorts of things a county government is able to do. 

Dave Bittner: So if you've got the right business, and the right business would be one of those sexy, high-tech kinds - IT, cyber, biotech, sustainable energy and so on - and if you're the happy owner of a lot of empty desert, then, hey, "Bonanza." It would be like being a Pennsylvania coal town in the 19th Century, a Disney town in Florida in the late 1960s or, in some ways, a university today. 

Dave Bittner: A question for businesses - how attractive would providing basic services actually be? Would it be worth the taxation and regulatory freedoms the arrangement might bring? A word to the wise - check your water rights before you buy. It can get pretty dry out there. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and chief analyst. Rick, it's great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So last week, you wrapped up a two-part miniseries that you did on Microsoft Azure and how to deploy first principle strategies in that virtual environment. This week you are tackling Amazon AWS. Now that you have looked into two of these massive cloud servers, cloud providers, were there any aha moments, anything that popped out to you? 

Rick Howard: Well, that's a great question. You know, before I started this project, if I would've thought about it for more than two seconds, I would've anticipated that all cloud providers have a shared vocabulary to describe, you know, the concepts of how these cloud services work. But here's the but - and this is a big but (laughter), right? The ideas are similar - OK? - but many of them have slightly different names and offer little, subtle differences in capability. 

Dave Bittner: For instance? 

Rick Howard: Well, my favorite one - OK? - it's the first one that always comes to mind - is this basic networking concept that facilitates access to and from the internet. Both Microsoft and Amazon use an old legacy networking trick called network address translation, or NAT, to pull it off. You're familiar, right? 

Dave Bittner: Yeah, yeah. 

Rick Howard: So Amazon calls its cloud version a NAT gateway, but Microsoft calls its version a source network address translation, or - wait for it - SNAT for short, which I love, OK? And... 

(LAUGHTER) 

Rick Howard: And just for the record... 

Dave Bittner: Because of course they do (laughter). 

Rick Howard: I know. SNAT. 

Dave Bittner: Yeah, OK. 

Rick Howard: So SNAT's become my favorite acronym of 2021, narrowly outpacing, by the way, my other favorites this year, taint analysis and APT side hustle. And... 

(LAUGHTER) 

Rick Howard: And if you're trying to understand what those words mean, you should absolutely be subscribing to another one of our CyberWire podcasts called "Word Notes," where we take five minutes, define the word, describe where it comes from and - my favorite part - we try to link it back to hacker culture. 

Dave Bittner: Yeah. Well, my favorite word from "Word Notes" so far is Daemon, which is the Unix name for those little programs that pop up, perform a little task and then, poof, they disappear again. 

Rick Howard: Yeah, we published that one over the Christmas break. And there is a fantastic hacker novel called "Daemon" written by Daniel Suarez that takes that idea to the extreme, and I highly recommend it. I can't wait for the movie to come out, right? 

Rick Howard: But for this week's "CSO Perspectives" podcast, though, we're going to cover some basic cloud networking 101 for both Azure and AWS and then double down on how to implement first principle strategies in AWS. 

Dave Bittner: All right. Well, it is the "CSO Perspectives" podcast. It is part of CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And it is my pleasure to welcome to the show Dinah Davis. She is a VP of R&D at Arctic Wolf. Dinah, it is great to have you back and to welcome you to be one of our new corporate partners. Welcome back to the CyberWire. 

Dinah Davis: Thank you. I am so pumped to be here. This is going to be great fun. 

Dave Bittner: Yeah, yeah. Well, let's get started as we always do when someone joins us this way. Let's get to know you a little bit. Can you take us through your professional journey? Where'd you get your start, and what led you to where you are today? 

Dinah Davis: Yeah. So I actually started off thinking I was going to be a math teacher because, you know, the counselor in the high school said, you know, you're a woman, and you're good at math, so you should... 

Dave Bittner: (Laughter) We've noticed you're a woman. 

Dinah Davis: Yeah, we've noticed you're a woman, and you're good at math, so you should be a math teacher. And at 17, I was quite naive about that and thought, OK, I guess that's what I should do. But I quickly found when I went to university to do that that I enjoyed the mathematics far more than I enjoyed figuring out how to interact with children. 

(LAUGHTER) 

Dinah Davis: I do love children, but I think I loved math more. And so I ended up going into the more math side and in my third year finally took my first computing course 'cause I was putting it off. All my friends in humanities said it was really hard. And I realized - in the first day, I was like, oh, my God, this is the way I think. This is amazing. This is an actual, real, technical application, real-life application of how my brain thinks. This could be my job. This is amazing. And so that's how I got into computing. And I started to take as many computing courses as possible. 

Dinah Davis: And then looking for a summer co-op program, which is what we call internships in Canada, except you get paid, and we - I saw a job posting for the Canadian government, and it said, somebody who's good at math, like, and can code. And I was like, hey - oh, hey, that's me. That's me. Let's check this out. And so I ended up working for the federal government, and that was my first introduction to cybersecurity. 

Dinah Davis: And what I did was actually help them evaluate the Bluetooth algorithm for AES because the new AES contest was on. Of course, I believe they ended up choosing Blowfish - right? - where it had been Triple DES. And so it turns out Bluetooth - really not secure. We all know that now, but great pairing tool. So, you know, aged myself there (laughter). 

Dinah Davis: But that's where I really got into this world of, my goodness, you know, cryptography is this manifestation of mathematics combined with computer science. This is, like, just the perfect meeting of all my worlds. 

Dinah Davis: So I got a degree in - from University of Waterloo, a master's in cryptography, and ended up landing a job at BlackBerry when there was less than a thousand employees and less than a million people using BlackBerrys. 

Dave Bittner: Wow. 

Dinah Davis: And I was on the - we called it the CryptoDev team. It was about five people at the time. And that team grew huge as I was there. And we were the team that was responsible for security on BlackBerry. And so it was an extremely exciting job. It was the bleeding edge of mobile security. And it was an amazing ride to go on. Of course, we all know how that story ends, but, you know, the eight years I was there were pretty amazing. 

Dinah Davis: And after I left there, I was looking for that same experience again, looking to be part of something really big, something, you know, that would hockey stick, something that would be really cool like that. And I tried out a few places until 5 1/2 years ago, I met the co-founder of Arctic Wolf, was explaining her what - to her what I wanted to do for my career. And she was just like, oh, you should come work for me. And I was like, seriously? I thought she was joking. And then... 

(LAUGHTER) 

Dinah Davis: I soon found out she doesn't joke. And at the end of the conversation, she was like, oh, no, seriously, our CEO is in town from Silicon Valley. You need to come meet him. And, like, three weeks later, I was the director of R&D at Arctic Wolf Networks, running their R&D team. And I've been there ever since. And we have been on an amazing journey. And we have - I would say we are exceeding the BlackBerry, in my opinion, experience - for myself, anyway. 

Dave Bittner: Yeah. 

Dinah Davis: And I'm still in security, loving security and growing development teams, which is what I love to do. 

Dave Bittner: And as you mentioned, I mean, you know, watching the growth of Arctic Wolf and the rounds of investment that the company has received and the growth, I mean, it's not the small company you joined just five or so years ago. 

Dinah Davis: No. There was like 34 people in the company when I started, and now we're over 700. 

Dave Bittner: Wow. 

Dinah Davis: Yeah, it's super crazy. My development team was 15 people. We're closer to 150 devs now, yeah. 

Dinah Davis: You know, and there were some very tough years. It was not all roses. You know, like the first couple years, I think we were a bit early for the market. People didn't really realize how much they needed security monitoring. And then, basically, WannaCry and NotPetya hit, and everybody went, oh, yeah, we really do need that. 

(LAUGHTER) 

Dinah Davis: And it became a lot easier to sell (laughter). 

Dave Bittner: Right, right, right. All right, well, Dinah Davis, looking forward to what's to come and our ongoing discussions. So happy to have you aboard. Thanks for joining us. 

Dinah Davis: Absolutely. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Made in the USA. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.