Election hacking, OS X patched, cyber saber-rattling, finding security talent, and more.
Dave Bittner: [00:00:00:00] Apple patches Safari and OS X against Trident zero-days. The press takes a look at the cyber arms market. Policy wonks and politicians speak in favor of cyber offense, and militaries speak up for nuance. How companies and governments adjust to a difficult cyber labor market. The contribution of interface design to security. Responsible disclosure, stock shorting, and the importance of cooperation between vendors and researchers. And Guccifer gets four years.
Dave Bittner: [00:00:31:07] Time to take a moment to thank some sponsors. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security are hosting the third annual Senior Executives Cybersecurity conference on Wednesday, September 21st, from 8.30am to 4pm. That's going to be at the Homewood Campus of Johns Hopkins University right here in Baltimore.
Dave Bittner: [00:00:50:12] Hear from industry leaders on cybersecurity best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cybersecurity landscape, threats and challenges ahead for organizations and how senior leaders can work towards shifting their data to being safe and secure.
Dave Bittner: [00:01:08:03] You can find out more online at secsc.compasscyber.com or on the Johns Hopkins University Information Security Institute website at isi.jhu.edu. Do check it out and we thank the Johns Hopkins University Information Security Institute and COMPASS Cyber Security for sponsoring our show.
Dave Bittner: [00:01:37:12] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday, September 2nd, 2016.
Dave Bittner: [00:01:44:24] In response to discovery of the Trident zero-days and their exploitation by spyware kits, Apple last week patched iOS. Yesterday Cupertino pushed out patches to OS X, both Mavericks and Yosemite versions, and to its Safari browser. Users are advised to update their systems. The threat of exploitation is both clear and present.
Dave Bittner: [00:02:05:04] Lookout and Citizen Lab exposed the Trident zero-days early in August when their investigation of an Emirati activist's iPhone revealed a Pegasus infestation. They disclosed the bugs quietly to Apple, then to the world when Apple patched iOS. Companies who develop and sell lawful intercept products continue to receive the attention of the industry press. Motherboard has reported obtaining what it regards as a window into the government market for hacking tools.
Dave Bittner: [00:02:31:02] Motherboard is running a story on a catalog from an Indian firm, Aglaya, the magazine obtained. The brochure offers "weaponized information." Some of the products and services on offer involve surveillance, others security, still others, manipulation of search results, for example, tools for information operations. Aglaya says the brochure was an offer to one specific customer. Motherboard notes that the company isn't a large one but it believes the prospectus isn't atypical of the wares being sold in that government marketplace. That's "government" with a small g. Many countries' security services at least browse the stalls in this particular market.
Dave Bittner: [00:03:08:20] Some surprisingly bellicose talk about cyber warfare came from North America this week. Canadian media are discussing a call for offensive cyber capabilities issued by John Adams, the former head of that country's Communications Security Establishment. Adams argued in a July paper that Ottawa would be "negligent" were it to forgo development of cyber weapons. In his view Canada should expect to be attacked in cyberspace and it will need a retaliatory capability.
Dave Bittner: [00:03:37:07] In the US, Presidential candidate Clinton promised that, if elected, she would respond militarily to cyber attacks. Speaking Wednesday to the American Legion, the largest US veterans' association, candidate Clinton specifically put Russia, China, North Korea, and Iran on notice. The promise was, we note, of a military response, not necessarily a lethal or kinetic military response.
Dave Bittner: [00:03:59:24] And we also note that the US Department of Defense and Intelligence Community have been offering a more nuanced take on cyber conflict, observing that there are distinctions to be drawn among crimes, espionage and acts of war. Such distinctions tend to blur in the heat of political discourse.
Dave Bittner: [00:04:16:13] The US Army's Cyber Command earlier this week offered an interesting perspective on cyber conflict. Unlike intelligence collection, which should be quiet, the soldiers say, offensive cyber operations ought to be loud, unambiguous and unmistakable.
Dave Bittner: [00:04:31:08] US elections aren't the only ones being targeted in advance of voting. FireEye says that APT3, the Chinese cyber espionage group, has spearphished its way into at least two Hong Kong agencies involved with Sunday's upcoming elections in the city.
Dave Bittner: [00:04:46:21] Looking back at the week's industry news and rumors, the labor market for pentesters is very hot. Companies continue to have difficulty finding security talent. So do governments. The US Department of Defense is said to be looking for recruits who look more DefCon than they do G.I. Joe or G.I. Jane. A bit later we'll hear from Level 3's Dale Drew about how his company has found some creative ways to approach staffing.
Dave Bittner: [00:05:10:16] Colorado-based LogRhythm picked up $50,000,000 in investment this week. Publicly traded security companies continue to jockey for position in the stock market as traders look for value in results, expectations, and new directions in corporate strategy. One hedge fund, Muddy Waters Capital, and one security company, MedSec, engaged in a controversial bit of disclosure, reporting vulnerabilities in St. Jude medical pacemakers, then shorting St. Jude stock. St. Jude says the research is shoddy and stands by both its products and the company's commitment to patient safety. Reaction to the Muddy Waters and MedSec move has been decidedly mixed.
Dave Bittner: [00:05:48:16] The big rumor at week's end is that Hewlett Packard Enterprises is said to be hawking its software business to Thoma Bravo, hoping to realize between eight and ten billion dollars from a sale. Reuters cites "people familiar with the matter" as its authority for the story.
Dave Bittner: [00:06:03:14] Concerns about cybercrime continue to focus on ransomware. Familiar variants and vectors continue to work damage and as always good backup is prudent.
Dave Bittner: [00:06:12:15] F-Secure reports finding a firmware vulnerability in Inteno EG500, FG101, and DG201 routers. The company says that other models may also be affected but that Inteno hasn't been willing to cooperate with F-Secure in checking for the bugs.
Dave Bittner: [00:06:28:13] We heard from Tripwire's Craig Young who commented on the benefits of vendor-researcher cooperation. Quote, "It's always difficult when vendors are not willing to work with researchers. Unfortunately this is the world we live in, and as a result, there are hundreds of thousands of easily exploited routers indexed on Shodan with publicly available exploits. Routers are in control of so much data and expose a great deal of attack surface, yet they are one of the most overlooked elements in home security," end quote.
Dave Bittner: [00:06:56:20] And, finally, Guccifer, that's the actual Guccifer, Marcel Lazar, of political pwning fame, and not the Guccifer 2.0 sockpuppet shilling for Cozy Bear and Fancy Bear, has received his day in court. He'll be serving four years in a US prison.
Dave Bittner: [00:07:15:21] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insight into emerging threats.
Dave Bittner: [00:07:29:07] We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security.
Dave Bittner: [00:07:53:05] Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:08:13:15] Joining me once again is Dale Drew. He's the chief security officer at Level 3 Communications. Dale, it's certainly no secret that there's major staffing shortages in the cybersecurity industry but you all have come up with some methodologies that are pretty clever to try to deal with some of these shortages.
Dale Drew: [00:08:29:19] You know, trying to identify qualified security personnel to place them within a security practice is becoming more and more challenging as that market becomes more and more demanding. And so, yeah, we've had to absolutely be creative and being able to find the right talent with the right culture and the right mindset to be able to provide continuing and evolving security capability to our company.
Dale Drew: [00:08:57:23] And so, you know, one of the things that we've learned over, over this is to, to identify the mindset that we're after. Not necessarily the security training, but, but the mindset that we're after, and how we can adapt that mindset to more of, of a security mindset. So we've had a tremendous amount of success in hiring musicians as an example.
Dale Drew: [00:09:20:24] And so, you know, we, we have found that musicians have a very unique capability of, of sort of identifying organization through chaos. They're able to see patterns. They're able to take a lot of sort of chaotic, you know, structure and, and create organization around it. Same thing with people who have a financial background. They're able to sort of dive into the minutiae and, and provide structure and organization to, to activities, whether it's an incident response issue, whether it's forensics or log analysis.
Dale Drew: [00:09:54:23] So we've been able to take that sort of capability and sort of reorient them and retrain them on, on a security mindset and we've had a tremendous amount of success.
Dale Drew: [00:10:05:09] I'll, I'll also say as well, and this is more of a generic category, but millennials in general, they come to the table with sort of a passion and an eagerness to be able to take on chaotic situations and non sort of structured and, you know, well formulated processes and be able to create that structure and that organization themselves. So, you know, we, we've taken people who-- from, from a millennial mindset without any security training and had a tremendous amount of success in getting them adapted to the security structure.
Dave Bittner: [00:10:41:04] Dale Drew, thanks for joining us.
Dave Bittner: [00:10:45:12] I want to take a break and tell you about an exciting CyberWire event happening next month, the third annual Women in Cybersecurity Reception. Taking place September 27th at the Columbus Center on the beautiful Waterfront in downtown Baltimore, the Women in Cybersecurity Reception highlights and celebrates the value and successes of women in the cybersecurity industry.
Dave Bittner: [00:11:05:11] The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at varying points in the career spectrum. The reception also provides a forum for women seeking cybersecurity careers, to connect with the technical and business professionals who are shaping the future of our industry.
Dave Bittner: [00:11:23:21] It's not a marketing event, it's just about creating connection. This year we're pleased to be partnering with our friends over at the Cybersecurity Association of Maryland, CAMI. If your company is interested in supporting this important event, we have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them.
Dave Bittner: [00:11:45:19] As it's been in previous years, this is an invitation only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you.
Dave Bittner: [00:12:14:14] My guest today is Gene Stevens. He's the chief technology officer and co-founder of ProtectWise, a cybersecurity company out of Colorado. ProtectWise caught our eye at Black Hat earlier this year and I mean that literally. It was their unusual user interface that made one of our editors stop in his tracks to check them out. After the show I caught up with Gene Stevens to learn more about ProtectWise and why they think user interface design is an important component of cybersecurity.
Gene Stevens: [00:12:41:11] We focus heavily on the network, but we are building a large scale platform that is delivered from the cloud that allows us to absorb a lot of the signal more widely across the entire enterprise.
Dave Bittner: [00:12:52:13] One of the things that caught our eye when we saw your product at Black Hat this year, was the interface itself. You know, in a world of command line interfaces you all have taken the trouble to build something that is actually, I would say, quite beautiful.
Gene Stevens: [00:13:06:24] Absolutely. That was a top priority for us. Visualization is a core product, it's not an afterthought. We live in a market that is, you know, a lot of securities, pieces of software, a lot of point products are very much organized, and they look like a Linksys router, you know, and so we wanted to differentiate in that space and try to excite the imagination and a level of interest, that beauty, that sense of form and function being well unified. And we wanted to create something that generates also, like, a sense of identity and attachment to the system and a technology that you use on a daily basis, make that very pleasant for people.
Gene Stevens: [00:13:42:10] And so for us we went deep on this. Actually we went out to Hollywood and met a guy who was the lead designer for Digital Domain in Hollywood and did the creative direction for movies such as Tron Legacy, Terminator Salvation, that Oblivion movie with Tom Cruise, Morgan Freeman and look at all the sci fi interfaces. And from the audience perspective, and I know I have done this many times, look at that and say, "Wow, technology does not work that way, but can't you imagine, wouldn't it be neat to live in a place, you know, in a future state where that stuff was real?"
Gene Stevens: [00:14:14:17] And so we thought to ourselves, "Well, why can't it be?" Why can't we create something like this and use it to help reinvigorate enterprise security and help also shift that psychology, that's sending away from that cynical sense that our products are weak, they're modest, they're not very engaging, they miss a lot of stuff, and say, "I can imagine that future state for myself, my architect and my team." We wanted to do that in a beautiful, in a beautiful manner.
Dave Bittner: [00:14:41:23] Well, you know, it kind of reminds me of the old days with the old Mac versus Windows debate where people would say that the, you know, the graphical user interface, there were people would turn their noses up and say "Well, then it must be a toy if it looks that good." Do you ever get that sort of response from people?
Gene Stevens: [00:14:57:00] Not very often, believe it or not. I am actually somewhat surprised on the warmth of the reception. I found-- we felt like we would have to fight more cynicism to say, "But trust us, it really works," you know, that kind of idea. And I want to be very careful and say that we do not disregard the command line. In fact, I have command line terminals on my desktop right now and if you're amongst our engineering team you'd see a lot of command line out there.
Gene Stevens: [00:15:22:12] And a lot of security happens at that level but what we wanted to do was put something on top of that that brought forward at a very straight manner, the power of that kind of functionality but in the workflow and team and collaboration opportunities that you can do in these graphical environments.
Gene Stevens: [00:15:40:06] And then to couple that with saying, "Hey, instead of showing me, like, the top five or top ten things in my very large surface area that I need to be focused on," don't-- which is all oriented around how much data can we hide from you? We decided to take on a visual metaphor that said, "Well, let's show everything and make it possible to zero in on the stuff that matters most," but against hiding data, let's promote it and use the human capability of reasoning spatially about even very sophisticated and challenging signal rich environments. Take that ability and make that an intermediate experience.
Dave Bittner: [00:16:14:21] And so obviously at no small expense to you to do this, but has it paid off? Has it been a worthwhile investment so far?
Gene Stevens: [00:16:23:01] Absolutely. So from a pure business strategy perspective, it has been really phenomenal. It was a good early decision that we made. It's paid very well, we get a lot of recognition for it, we get a lot of attention for it. And it allows people to have a conversation, like, so we now have the positive version of that cynical question which you asked a moment ago, do we get that cynical version?
Gene Stevens: [00:16:44:13] We don't, because we capture this-- at the end of the day we're technologists, we're nerds, we love the opportunity to do new and creative things with technology, right? And so we're capturing that little glimmer of hope that something out there is really pleasant and works really well. And so the pivot in the conversation normally goes in that direction where we're able to actually get people excited, which helps us tremendously from a business perspective but also helps our customers get comfortable with the breadth and reach of our technology which due to the nature of it, it gets pretty deep, gets pretty deep, far into the bits and the bytes and the esoteric matters of enterprise security. We can allow that sense of wonder and that sense of joy and a sense of accuracy to go all the way down.
Dave Bittner: [00:17:31:14] So take me behind the screen then. We've got this interface that's engaging. What's going on under the hood?
Gene Stevens: [00:18:08:11] And so with that in mind, it's sitting on top of this strong real time system, so under the covers there's a very different approach to how analytics and how analysis happens in security and we think it actually creates opportunity to stitch a lot of things together and allow them to have a conversation that promotes denoising the stack and allows you to actually have a wide view, concurrently over even very widely distributed architecture, DMZ, the enterprise, your corporate HQ, remote locations, the cloud, industrial control. It all works in all those assets at the same time. So that's very much under the covers, what you're seeing is that kind of living, breathing system, the inhale and exhale of the network.
Dave Bittner: [00:18:53:10] That's Gene Stevens. He's the chief technology officer and co-founder of ProtectWise.
Dave Bittner: [00:19:01:21] And that's the CyberWire.
Dave Bittner: [00:19:03:01] For our American listeners, we hope you enjoy the long Labor Day weekend. We're going to take Monday off but we'll be back as usual on Tuesday, September 6th.
Dave Bittner: [00:19:11:05] The break isn't coming a moment too soon for the productivity of our editorial staff. They've been too preoccupied streaming Youngstown State football and scrolling through the SMOD's Twitter feed to get anything useful done. Wish them well and let's all hope they get back in battery bright and early Tuesday.
Dave Bittner: [00:19:26:19] For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible.
Dave Bittner: [00:19:34:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody, we'll see you Tuesday.