Cyberspace and "Cold War Two." Who's leaking to WikiLeaks? Wishbone breached—warn the kids. Crimeware-as-a-service. The Active Cyber Defense Certainty Act.
Dave Bittner: [00:00:03:16] Observers look around and think they may be seeing Cold War Two in cyberspace, but this is no bipolar conflict. Investigations into Vault 7 continue as people wonder where Wikileaks gets its leaks. The quiz app, Wishbone, has been breached, take it as a teachable moment with the children. Fileless malware gets quieter as researchers get close to the cyber gang. A cloud based keylogger is getting ready to take black market share. The proposed Active Cyber Defense Certainty Act. And what we're seeing at a policy competition.
Dave Bittner: [00:00:41:15] Time for a few words about our sponsor, Dragos, and what they can tell us about securing industrial control systems. If you're operating in the electric, water, oil, gas, nuclear, or manufacturing sectors, you're operating an increasingly connected system of systems. You'll need a security operations center, a SOC, to help keep your operation running through outages, disasters and the increasingly common cyber attacks those sectors face. Dragos has a white paper at dragos.com that offers a framework to help you get the right people, processes and technologies in place to secure your piece of the nation's critical infrastructure. It will help you ask the right questions and come up with solutions that fit your needs. You'll find their guide at dragos.com. That's dragos.com. Check it out for insights into securing the new, connected world of industrial control systems. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:01:48:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 17th, 2017.
Dave Bittner: [00:01:59:01] An increasing operational tempo in international cyber conflict induces some observers to see the beginning of a new Cold War. Poland sees an uptake in attacks on sites in that country that have some connection with US-Polish combined operations. Many of those sites belong to towns and cities that have hosted US forces.
Dave Bittner: [00:02:18:14] Nor are smaller countries immune, Luxembourg's government reports to Parliament that it's seeing more attacks by state sponsored actors than it formerly did. It's worth mentioning that Luxembourg is a country that tends to punch above its 999 square mile size, with an active CERT and institutions that play an important role in the international economy.
Dave Bittner: [00:02:39:11] If this is indeed a new Cold War, cyber operations' low barriers to entry and the disparate national interests in play make Cold War Two much more multipolar than the original was. See the US indictment of FSB officers in the Yahoo! hack, but see also recent Turkish operations against sites in the Netherlands and Germany. One similarity a new Cold War seems to bear on the old one, much of the chill is manifest in propaganda, now called information operations. One difference may be the convergence of information operations with covert and clandestine work.
Dave Bittner: [00:03:14:17] A Washington Post op-ed looks at WikiLeaks' Vault 7 and believes it discerns the root cause of the US intelligence community security problems, too many contractors. But exactly how this amounts to a weakness in practice isn't really specified. The lead that there have been a number of leaks traced to government personnel is buried. Chelsea Manning, formerly of the United States Army, is mentioned in passing as one counter-example. One might also consider that leaks concerning Stuxnet emanated from some senior government officials.
Dave Bittner: [00:03:47:01] Turning to cyber crime, the popular quiz app, Wishbone, has sustained a breach. 2.2 million email addresses and 287,000 mobile numbers, many, if not most of them, belonging to teenagers. They've turned up for sale in dark web markets.
Dave Bittner: [00:04:02:13] Wishbone said that the information exposed includes user names, real names or nicknames provided during registration, email addresses and telephone numbers. Optional information that was also exposed includes dates of birth, but Wishbone says no passwords, user communications or financial account information were compromised in the incident. Third party researchers, however, say they've also seen gender among the lost data. The incident should provide parents with further incentive to warn their children of the dangers of online data aggregation and identity theft, children and teens are unlikely to readily appreciate the risk of someone, for example, opening accounts with their identity and they'll need coaching against the temptation to over-share online.
Dave Bittner: [00:04:46:06] Morphisec believes it's traced recent infestations of fileless malware to a common threat actor. The security company doesn't name names, presumably because it doesn't know them but it's confident there's a single actor or group working from a single platform. Kaspersky and Cisco's Talos Group have been tracking the PowerShell exploit closely. FireEye calls the criminals "FIN7" and reported that they were targeting individuals involved in filings with the US Securities and Exchange Commission. Morphisec engaged the criminals and sought to win their trust, but this seems to have spooked the hoods into at least temporary inactivity.
Dave Bittner: [00:05:24:02] Palo Alto researchers see NexusLogger, a cloud based criminal keylogger, taking growing black market share. That share is still low as NexusLogger has only been observed in a few incidents, about 400 attacks, but since it's a cloud crimeware-as-a-service offering, it can be expected to proliferate rapidly, especially among less skilled criminals.
Dave Bittner: [00:05:46:05] There's been some recent talk in the US about draft legislation being circulated in the House of Representatives that would authorize certain forms of hacking back mostly by companies working on attribution and cooperating with Law Enforcement.
Dave Bittner: [00:05:59:14] This proposed "Active Cyber Defense Certainty Act" would permit victims to access an attacker's computer without authorization, but only to gather information the victim would then share with law enforcement. It's an interesting proposal, but inevitably arrives with some controversy. We heard some comments from Plixer's CEO, Michael Patterson, who's particularly concerned that attribution is so complicated by spoofing that innocents could be targeted. On the other hand, for certain kinds of attacks, the packet is the punishment as we've been hearing today down at American University.
Dave Bittner: [00:06:32:16] That's right, we're down in Washington today at American University for the Atlantic Council's Cyber 9/12, a cybersecurity competition that focuses on policy as opposed to the more customary and technical capture the flag. The scenario, set in 2018, is built around a fictitious but interesting bill, the imagined "Cyber Marque and Reprisal Act of 2018." It's timely and interesting. We hope to be able to share the results with you early next week. In the meantime, stand by to repel boarders.
Dave Bittner: [00:07:08:14] Time for a message from our sponsor, Palo Alto Networks. You can learn more about them at go.paloaltonetworks.com/secureclouds. With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization’s data protected in this new environment? Palo Alto Network's integrated platform provides details, SaaS visibility and granular control, data governance, automated risk remediation and malware prevention, so organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and SaaS environments, because secure clouds are happy clouds. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:08:06:02] And joining me once again is Rick Howard, he's the chief security officer at Palo Alto Networks, and he also leads up their Unit 42 Threat Intel Group. Rick, welcome back. I wanted to touch base on a subject you're eager to talk about, the UABCTF Contest. Fill us in, what is this about?
Rick Howard: [00:08:25:03] Well at the end of February, Palo Alto Networks and the University of Alabama at Birmingham sponsored our first ever joint capture the flag contest, designed to inspire high school students to pursue a career in cyber security. So Palo Alto Networks put up a $20,000 of scholarship money, and the UAB students, under the watchful eye of Gary Warner and his excellent faculty and staff, organized the event. Now - you and I have talked about this before and I have heard this on the CyberWire many times - everybody knows there's a shortage of good cybersecurity talent. It is especially true when you consider that the minority populations, especially women, are almost non-existent in our field compared to males. According to Forbes Magazine, just 11% of the cybersecurity workforce are women compared to about 50% of the general professional workforce and 25% of the IT workforce, so that's not good.
Dave Bittner: [00:09:30:16] No, and it doesn't seem to be getting better. In fact, it seems some of the stats that I've seen are showing that we're actually losing women.
Rick Howard: [00:09:37:06] I know, and we're scratching our heads and trying to figure that out, and it's worse when you consider the minorities in women, when you're talking about Native Indians and Hispanics and Blacks. The American Association at the University of Women says that picture is stark. So that's the bad news. The good news though is that there is a giant opportunity for women in the cybersecurity field, but the question is how do we convince them to pursue it as a career? Now, I've talked to a lot of folks about this, and some of us have a pet theory that says that if we are approaching women as they enter college about these opportunities, that is way, way too late. What we think we should be able to do is reach further down in the education stack to capture their interest at an early stage, so, Saturday's capture the flag contest was the first experiment on the way that we might do it.
Rick Howard: [00:10:30:12] Now, this was just a first step. The winners of the competition as they matriculate up to UAB for college using the Palo Alto Network's scholarship money, we will engage with them each year; presentations and social events and industry activities, etc., and when they graduate we will pursue them by offering them jobs if they want to come work for us. So we're going to tweak the contest to try to expand it next year, but it was a good first start and I'm very happy about what we're trying to do there.
Dave Bittner: [00:11:00:16] All right, every little bit helps. Rick Howard, thank you for joining us.
Dave Bittner: [00:11:08:19] And now a few words about our sponsor, Control Risks. For 41 years, across over 130 countries, Control Risks has partnered with the world's leading companies to help them succeed in complex, physical, political and virtual risk environments. They've been with their clients as risks have evolved. From kidnapping in the jungles of Columbia, to extortion by cyber attack. In an increasingly interconnected world, cyber risks are everywhere you operate. Control Risks use cybersecurity comprehensively as a business risk with a context of geopolitical, reputational, regulatory and competitive complexity, and thanks to their unique heritage they provide clarity and actionable guidance that only decades of risk experience can bring. Start your journey to confident risk management with a visit to controlrisks.com/cyberwire. Control Risks brings order to chaos. Let them show you what over 40 years in the risk business has taught them. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:12:21:17] My guest today is Brian David Johnson. He's the futurist in residence at the Center for Science in the Imagination at Arizona State University. A Professor in Practice at the School For The Future on Innovation in Society, Director of the Threat Casting Lab, and a Futurist and Fellow at Frost and Sullivan, a strategic consulting company, as well as being an applied futurist. Our interest in him comes from his involvement in the Threat Casting Lab, a program from the Army's Cyber Institute in Arizona State University. They recently published a report called "A Widening Attack Plain," based on their most recent workshop last fall.
Brian David Johnson: [00:12:58:19] Threat Casting really started about ten years ago, as a futurist I work with organizations to look ten years out into the future, and, based on a number of different inputs modeled both positive and negative futures. As a part of this I started doing this thing called Threat Casting, and I was working, at that time, with the United States Air Force Academy, training their cadets to take this broad range of inputs and look at possible threats, but not only say these could be the threats in the future but to turn around and look backwards, and back cast, and say how do we disrupt, mitigate and recover from these threats?
Dave Bittner: [00:13:32:09] And so take me through the process? How does it work?
Brian David Johnson: [00:13:35:05] We begin by looking at a broad range of multidisciplinary inputs. It's the social science, the ethnographic and social science background of the actors who are involved; from a technical research standpoint, what will technically be possible ten years from now. We look at cultural history, cultural history is incredibly important, not only for the people and the cultures you're looking at but also for the organizations that you'll be working with. We look at economics, we look at a little bit of trend work, we also do global interviews where we go and talk to people who are actually making the future. And then we also use a little bit of science fiction, science fiction based on science fact, to model this out, and we take all of those and I get together in a room full of practitioners, we take all of these inputs and we model both positive and negative futures, so we look at the possible threats and say, well, what's the best way that threat could happen? What's the worst way that could happen? Then we turn around and look backwards and say, well, here's an event, an event is the physical or digital instantiation of the threat, and then we model how could we disrupt, mitigate or recover from that threat? And then we also think about who are the different people in the broader ecosystem, whether that be government, military, academia, private industry. What steps does each need to take to really secure from that threat?
Dave Bittner: [00:14:56:14] Can you take me through who the players are and what are the things that they all bring to the table?
Brian David Johnson: [00:15:00:19] For the Threat Casting that we did in August at West Point, we had a large component of the Army. Again, this was very specifically looking at what does the Army need to do. So we had a large representation from the Army, we also had a representation from private industry, we had people from places like City Bank, USAA, we had also folks from different parts of academia, so, for myself, from Arizona State University, but we also had people from California College of Art, we had people from Carnegie Mellon, and then we even had some science fiction authors. We had one of the creators of X-Men, and so we wanted to make sure that we filled the room with different perspectives, that's one of the most important parts of the Threat Casting.
Brian David Johnson: [00:15:42:02] Though, Dave, what I should say is, what we learned in August and what is in this final report is the requirement that we need to have a much broader participation of people. We began to see very quickly that we're seeing a widening of the attack plain, that's actually the name of the report is A Widening Attack Plain, that really there's a wide swath of threats that the DOD and the military really can't do anything about. There's certainly things that they can do, but we're beginning to see that we need a broader participation from private industry, from trade associations, from academia, and actually even from private citizens, that everybody has a role to play, and that's really why, as we start to move into the next phase of the project and start to do more of these based in the Threat Casting Lab, we're trying to bring in more and more people as a part, not only of the modeling process but also of then implementing that in the real world.
Dave Bittner: [00:16:38:01] So, what does this process provide in the end? What does it provide for the military? What does it provide for those of us, you know, living our day-to-day lives? And how does this inform what we can do going forward?
Brian David Johnson: [00:16:50:09] I think there's multiple ways, and specifically the work of the Threat Casting Lab is really kind of a think tank. What we do is we convene a broad group of people, bring them together, use the Threat Casting process to model these possible threats, to look backwards and say what action do we need to take, and then be able to give them to those organizations, so, to give them to the military so they can begin to take action, to give them to private industry so they can take them in and take action, to give them to academia so that they can create courses to prepare the next generation, or even to give them to industry trade groups so they can begin to create more training and certification. The whole point is to model the threats and create enough detail so that we can have people take action, and that's really one of the requirements, so that participation in the lab is you need to be able to take it back and take action to better secure your business, to better secure certainly the nation, to better secure states and ports and things like that, it's very ,very specific.
Brian David Johnson: [00:17:52:21] But another thing that we called out that was very important is to understand the average citizen. I think, for the average citizen, many folks in the press and many folks in industry and research have done a terrible job looking at the future and talking about cyber threats and digital threats, oftentimes for the average individual it is seen as scary and insurmountable. I think this is a disservice to the average people, to average folks who really want to take action. So one of the things that the Threat Casting process is really looking to do is to demystify it, to show that you can do this type of work, you can look out, and even as an individual you can take very specific actions, so that we are empowering both individual people in the public but we're empowering everybody else to actually go and really make themselves more safe and secure.
Dave Bittner: [00:18:43:16] That's Brian David Johnson, a Futurist from the Center for Science and the Imagination at Arizona State University. You can find the Threat Casting report, Widening The Attack Plain, by searching online for Army Cyber Institute Threat Casting.
Dave Bittner: [00:19:02:23] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the cyberwire possible, especially to our sustaining sponsor, Cylance. To find out how they can protect you from cyberattacks, visit cylance.com. Be sure to check us out on Twitter and Facebook and LinkedIn, and, if you have the inclination, we would really appreciate it if you would take the time to leave a review on iTunes. It really does help people find the show.
Dave Bittner: [00:19:30:01] A quick shout out to Matthew Reitman from the RealClearLife website for interviewing me on the subject of internet of things threats, you can check it out at realclearlife.com.
Dave Bittner: [00:19:40:21] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody, thank you for listening.