Skepticism concerning Guccifer 2.0's claimed hack of the Clinton Foundation. NSA contractor arrest. Mirai botnet exploits. Security fatigue.

Dave Bittner: [00:00:03:19] Guccifer 2.0 seems not to have actually hacked the Clinton Foundation. How information operations can work against an election. The arrested NSA contractor's alleged motives remain unclear. How the Mirai botnet got its exploitable vulnerabilities. The US Surgeon General discloses a breach. And if you have a hard time listening to all of this, you may be suffering from "security fatigue." Don't believe us—take it from NIST.

Dave Bittner: [00:00:35:07] Time for a quick message from our sponsor ClearedJobs.Net. If you're a cybersecurity professional and you're looking for a career opportunity, check out the free Cyber Job Fair on the first day of CyberMaryland, Thursday, October 20th, at the Baltimore Hilton, hosted by ClearedJobs.Net. A veteran owned specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cybersecurity professionals, both cleared and non-cleared. It's open to college students and cybersecurity programs too. You'll connect face-to-face with other 30 employers, like SWIFT, DISA, and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching (all of it free) from career expert and Air Force veteran. Patra Frame. To learn more visit clearedjobs.net and click job fairs in the main menu. That's clearedjobs.net. We'll see you in downtown Baltimore, and we thank ClearedJobs.Net for sponsoring our show.

Dave Bittner: [00:01:38:22] I'm Dave Bittner, in Baltimore, with your CyberWire summary and weekend review for Friday, October 7th, 2016.

Dave Bittner: [00:01:46:05] Guccifer 2.0's claim to have hacked the Clinton Foundation now appears spurious to most observers, in fact quite exploded. Researcher Scott Turban, better known by his Dr. Krypt3ia handle, looked at the files' metadata and concluded, as he told CSO, that Guccifer 2.0's dox in fact came from the Democratic Congressional Campaign Committee. Ars Technica and the Hill independently reached the same conclusion on the basis of the same evidence. This is no new hack—the DCCC and the Democratic National Committee are known to have been compromised some time ago. The timeline for the DNC hack is clear. Cozy Bear penetrated the DNC's network in the summer of 2015 and was joined by the noisier Fancy Bear in April of this year. Cozy and Fancy Bear are generally believed to be groups belonging to Russian intelligence services, largely on the strength of research by cybersecurity firms CrowdStrike, Fidelis, and FireEye.

Dave Bittner: [00:02:43:22] Guccifer 2.0, who claims to be a non-Russian hacktivist, is widely regarded as a sockpuppet for Russian intelligence. But, whatever paw may be inside this particular sockpuppet, observers note that doxing need not be authentic to be an effective tool of information warfare. We heard New America's Peter Singer speak about information operations, specifically Russian information operations, this week at the Association of the United States Army's annual meeting. Russia invented information warfare, Singer said. "They don't conceive of it, as we do, in narrowly military terms." The goal of Russian information operations is not to make people love Russia, but rather to disrupt, and create distrust. This may feel new to us, but it goes back at least as far as Stalin's day. Thus, US elections need not be disrupted through hacked voting machines: cultivation of mistrust and consequent questioning of their legitimacy may be enough to achieve an adversary's goal.

Dave Bittner: [00:03:43:08] The case of the former NSA contractor arrested for improper possession of classified material and Government property, is being characterized by observers as not an obvious case of either a whistleblower or a spy. Why he took the material he's alleged to have taken remains obscure, but in this case intent may wind up having little relevance. It appears increasingly unlikely to most that the contractor arrested had any connection with the Shadow Brokers' leaks. Observers also think it unlikely that the arrest will have any noticeable effect on how the US Intelligence Community uses contractors. Both contract and Government personnel are cleared by the same authorities. Both contractors and agencies face similar insider threats.

Dave Bittner: [00:04:27:02] Booz Allen Hamilton has made it clear that they reached out to the FBI as soon as they learned that one of their employees had been arrested, and that from the outset they’ve fully cooperated with the FBI in its investigation. And, as noted in yesterday’s CyberWire, Booz Allen also immediately terminated the employee in question.

Dave Bittner: [00:04:46:01] Looking back at the week just ending, security researchers at Flashpoint have been following what they call the "downstream trail" of vulnerabilities exploited by the Mirai botnet responsible for the large distributed denial-of-service attack against KrebsOnSecurity. They've identified the primary supplier of products whose default credentials are "root" and "xc3511." It's XiongMai Technologies, which sells DVR, NVR, and IP camera boards and software to manufacturers of such devices. Flashpoint thinks more than half a million devices are susceptible to exploitation of this vulnerability.

Dave Bittner: [00:05:22:16] On Monday, the US Surgeon General warned his organization's employees that their personal data may have been accessed in a breach achieved by unspecified hackers. This is the most recent in a series of breaches coming from targeted attacks on government agencies. The CyberWire heard from Michael Patterson, CEO of Plixer, who noted that, when medical professionals like those who work for the Surgeon General have their personal information compromised, there's a risk that the data could be subsequently used for prescription or insurance fraud.

Dave Bittner: [00:05:53:16] And finally, do you find yourself run down, feeling tired when confronted with security warnings? Do exhortations to change this, watch out for that, do this first, even, dare one say it, Stop, Think, Connect, leave you jaded? Well apparently you're not alone. A study released this week by the US National Institute of Standards and Technology, NIST, diagnosed "security fatigue" in the general population of computer users. The syndrome is defined as "weariness or reluctance to deal with computer security," and by all accounts it's pretty widespread. The NIST investigators responsible for the study are planning a follow-up inquiry to look for ways in which security might be made less fatiguing.

Dave Bittner: [00:06:35:10] A security industry executive offered us an introspective look at how the cyber sector might be contributing to the malaise. Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told the CyberWire that there are just too many security products being rolled out to capitalize on the fear we find so tiring. Kolochenko said, "Today, too many security vendors offer similar solutions without genuine technological differentiators." This adds to the troubles of those who are most likely to be exhausted by security, yet whose exhaustion can have some of the worst consequences—enterprise security teams. Kolochenko added, "In addition to their daily fight with cybercrime and human negligence, they've now also got to perform complicated due diligence on the cybersecurity vendors among whose products they must select."

Dave Bittner: [00:07:25:14] So, spare a thought for the hard-working CISOs out there, and spare them as much FUD as you decently can. And, if you find the CyberWire's contributing to your security fatigue? We're sorry. Please, take a break. Take a stroll. And remember, we all still live in physical space.

Dave Bittner: [00:07:48:02] Time for a message from our sponsor Netsparker. Are you still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money and improve security with their automated solution. How many sites do you visit, and therefore scan, that are password protected? With most other security products, you've got to record a login macro, but not with Netsparker. Just specify the username, the password, and the URL of the login page, and the scanner will figure out everything else. Visit netsparker.com to learn more. And if you'd like to try it for yourself, you can do that too. Go to netsparker.com/cyberwire for a free 30 day, fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:44:18] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, of course, we have an election coming up here in the United States and the candidates have started talking about cyber policy. What's your take on the kinds of things they've been saying?

Dr. Charles Clancy: [00:09:02:23] Indeed, there have been a number of policy positions put forward, particularly by the Clinton campaign, talking about what the future of cyber policy might look like here within the United States, if they're successful in winning the White House. And I think one of the areas that's really interesting in terms of attention is this notion of destructive cyber attacks. So these are attacks where they either exploit an information system and use it to transcend into a physical environment in order to cause a physical impact. You can think a Stuxnet-style attack. Or, a scenario where they are exploiting a system and then they are deleting data in a destructive way. And the campaigns have come out essentially saying that if you are having a destructive impact, some sort of cyberattack, then this is beyond the sort of traditional boundaries of cyber espionage, and now we're kind of starting to tread into the waters of cyber warfare.

Dr. Charles Clancy: [00:10:03:23] And here, if you look at the United States's doctrine in cyber warfare, basically the United States can engage in a destructive attack under sort of two scenarios. One is if we're at war with someone, and this falls under Title 10 of the General Legal Framework that the US Military operates under. If we're in a declared state of war with someone, we can do destructive cyberattacks. And if we seek to have a destructive cyberattack against a non wartime target, then this is possible as a covert action through espionage laws of Title 50. But, the line between those gets particularly blurred, particularly when you have a longstanding engagement such as the global war on terrorism. And I think it's important that policy makers really make sure that they understand the difference, because particularly as tensions escalate with Russia and China, some sort of destructive cyberattack that involves them, could actually lead to a declared state of war, which is a frightening outcome I think for all of us.

Dave Bittner: [00:11:06:01] And is it correct that the current administration, certainly, has been reticent to draw a line in the sand? To define where that line might be?

Dr. Charles Clancy: [00:11:16:12] Indeed, and I think many people are concerned about drawing a line, because of many of the US's activities abroad in cyberspace, and a concern that drawing such a line might indicate that some of our activity was over that line. So, it will be interesting to see, particularly as the new administration comes in, in the winter, to see how policy shifts, if it does at all.

Dave Bittner: [00:11:40:13] Alright. Dr. Clancy, thanks for joining us.

Dave Bittner: [00:11:44:21] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We, at the CyberWire, have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:12:38:07] My guest today is Joyce Brocaglia. She's the CEO of Alta Associates, an executive search firm specializing in cyber professionals. And she's founder of the Executive Women's Forum, a member organization that says its core mission is to attract, develop and sustain women in the information security, IT risk management and privacy industries, through education, leadership development and the creation of trusted relationships. I began our conversation by asking her to describe the origins of the Executive Women's Forum.

Joyce Brocaglia: [00:13:08:05] Growing up in information security and being kind of a Jersey girl, so spending a lot of my time in Wall Street and being the only woman in the room, I started to be aware that there were more and more women holding positions of influence, inside corporations and as entrepreneurs of security related startups. And I really recognized that there was no place for these ladies to gather or share ideas. And, oddly enough, having drinks with the same gentleman Steve Katzen, he said, "You know, there's not a lot of women in security?" And I said, "No, really there is," and literally started writing women's names down on a drinks napkin and opened it up again and said, "Hey, what would you think if I put a cocktail party together for these remarkable women I know?" And what started in my mind as a cocktail party, ended up nine months later as a conference for 125 women in Sanibel Island, Florida.

Joyce Brocaglia: [00:14:01:21] So, I kind of tease Steve to this day and say, you know, "I had drinks with you on a cold winter's night, and nine months later the EWF was born." So, fast forward 14 years from there, today the Executive Women's Forum is the largest member organization that serves emerging leaders, as well as the most prominent and influential women in our field. Our real true mission, that I'm incredibly passionate about, is that we are continuing to engage, develop and advance women leaders in information security, IT risk management, privacy and the related industries.

Dave Bittner: [00:14:41:05] Looking at the industry, and certainly I think what is generally considered to be an underrepresentation by women in cybersecurity, what is your take on that situation?

Joyce Brocaglia: [00:14:50:20] Well, I think that there's a lot of questions asked about the number of women in security. As a matter of fact, the Executive Women's Forum this year has partnered with ISC². Every two years they produce something called the Global Workforce Study. And this year we worked very closely with ISC² in developing and refining their survey, to include questions very specific to women and minorities. The last survey that came out in 2015 had showed that the number of women in information security dropped from 12% in 2013 to 10% in 2015. And the EWF has made a huge commitment to really double the number of women in the field over the next ten years. So, we are doing everything possible. You know, I get questioned all the time about how come there's not a lot of women in security? And, you know, that's a problem that stems all the way back into grammar school and, you know, how young women are focused away from technology. It's not a problem just in security. It's a problem in STEM.

Joyce Brocaglia: [00:16:02:17] But, what I focus on as kind of the dirty little secret part, which is not just the problem of why isn't there enough women in security, it's that why are so many women that are in security, opting out? And I think that, you know, companies need to really take a look at what are they doing the better develop and retain those women that are on board of security organizations already? My solution to that is, A, providing them better leadership development opportunities earlier on in their careers. That's one of the reasons why we developed the leadership journey, was because so many women said that, you know, they were given opportunities to do, you know, seminars or, you know, Sheryl Sandberg came, everybody leaned in. But, there was no real practical application of what they had learned. You know, a lot of times companies reserve executive coaching opportunities and true leadership development for very senior level women. Well, what happens if you only give it to women at the top, then you're losing a lot of women in the middle that, for whatever reasons, kind of throw their hands up and decide to opt out.

Joyce Brocaglia: [00:17:15:10] One of the things we do at that program, and whether it's through a leadership development program, or just as a part of a corporate structure, is the concept of sponsorship. And that's something that both men and woman, you know, certainly should be doing for high potential and high performing women in their organizations, is become a sponsor. You know, and what I would say to men, is to sponsor these women in the same way that they would sponsor their male counterparts. A lot of times when women are given sponsorships by men, they are often, you know, schooled in areas of presentation skills or confidence or areas like that. But often are not schooled in terms of how to really talk in business terms or present to the board, or frame things in a way that will get the type of attention that they need. So, I think the concept of sponsoring high potential women, and when I say sponsoring instead of mentoring, I use the word sponsoring because that means they have some skin in the game. They actually are using their political capital within a corporation to help that woman. That might mean giving her stretch assignments, or introducing her to other opportunities, or putting her on a high track for promotion or rotations. So I think, you know, those are the kinds of things that companies could think about and start making a difference.

Joyce Brocaglia: [00:18:43:04] You know, if not us, then who? I think it is the responsibility of people that are currently in the field of information security, IT risk, cybersecurity, to lift as they rise. I mean, that's what we call our mentorship program, Lift. And, I think that everyone should take that responsibility very seriously. And, you know, the only way that we're going to really create the next generation of leaders, is if we take action ourselves. And if not us, then who?

Dave Bittner: [00:19:12:11] That's Joyce Brocaglia from Alta Associates and the Executive Women's Forum. They've got their big national conference coming up later this month in Scottsdale, Arizona and there's more information about that on their website.

Dave Bittner: [00:19:28:21] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody.