Dave Bittner: [00:00:03:16] LastPass is working on a patch for an undescribed bug. What IT staff actually work on. Eric Geller from POLITICO joins us to talk about emerging Trump administration cyber policy, and have you patched your macOS and iOS devices?
Dave Bittner: [00:00:23:09] Time for a message from our sponsor, Netsparker. Are you still scanning with labor-intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time, save money and improve security, with their automated solution. How many sites do you visit and therefore scan, that are password protected? With most other security products, you've got to record a login macro, but not with Netsparker. Just specify the user name, the password and the URL of the login page and the scanner will figure out everything else. Visit Netsparker.com to learn more. And if you'd like to try it for yourself, you can do that too, go to Netsparker.com/CyberWire, for a free 30-day fully functional trial of Netsparker Desktop. Scan your websites and let Netsparker show you how easy it can be. That's Netsparker.com/CyberWire. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:24:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, March 30th, 2017.
Dave Bittner: [00:01:34:15] Today we'll be talking about the new US Administration's emerging cyber security policy. But before we get to that, a few quick observations about developing news. LastPass, the widely used password manager, was praised last week for their swift response to a vulnerability disclosed to them by white hat researchers. Google's Project Zero has found and disclosed a second bug. This one is more complicated, and it's expected it will take LastPass some time to fix it. Exactly what that bug is isn't generally known, and Project Zero and LastPass, who do know, are sensibly not telling. So far, there's no exploit for the vulnerability in the wild.
Dave Bittner: [00:02:13:08] Gemalto's report on data breaches in 2016 claims that nearly a billion and a half data records were obtained by cyber criminals last year. We heard from Robert Capps, of NuData Security, who commented on the report. He sees criminals targeting large databases to get as much personal consumer information as possible. They then correlate data from multiple breaches to create detailed profiles of individuals. Those profiles can then be used for identity theft, banking fraud, account takeovers, and other crimes. And, as we heard yesterday at ITSEF, many of those criminals, particularly in Russia, work hand-in-glove with intelligence services, whose appetite for data has traditionally been insatiable.
Dave Bittner: [00:02:56:11] Here in the US, we're only a couple of months into the Trump presidential administration, and it's fair to say the transition has had its fits and starts. Eric Geller is cyber security reporter at POLITICO and he joined us from Washington, with his take on President Trump.
Eric Geller: [00:03:11:04] He takes a military centered approach to cyber security. Throughout all of his speeches, he has made sure to emphasize that he wants the Pentagon to be taking the lead. A number of his more concrete cyber policy promises involve a complete overview and an audit of the entire Federal Government computer system, looking for vulnerabilities, the development of new offensive capabilities, so you have the defensive and the offensive sides there. And with both of those, he originally said that he wanted the Joint Chiefs of Staff and his Secretary of Defense to present him with a way of going about that. Now, whether that actually ends up happening is unclear. Of course, we're waiting for the Executive Order on cyber security and that is not expected to be led by the Joint Chiefs, it's expected to be led by the Office of Management and Budget.
Eric Geller: [00:03:59:02] Already you can see that his initial way of thinking has been sort of moderated, if you will, by the bureaucracy. But that is certainly his philosophy: he sees cyber as a military domain, first and foremost. I don't know necessarily if he understands exactly what the Department of Homeland Security does in this space, I think he is much more familiar with Cyber Command and the National Security Agency. And that I think is going to color a lot of discussions that we have, or that the government has, with the public and amongst themselves about exactly how we want to pursue these different policy options. He's come at it from a perspective of, let's give the military more money and more power and more authority. Those are already things we can see happening in the non-cyber context.
Eric Geller: [00:04:43:01] And so my question will be, what happens to the development of international norms at the State Department? What happens to public-private partnerships with security researchers at the Commerce Department? What happens to DHS programs? These are all avenues that we, here at POLITICO, are tracking very closely to see if we can get a sense, an early sense, of what it means that his focus seems to be so much on the military.
Dave Bittner: [00:05:09:24] Yeah, you know, we were all expecting the Executive Order not long after the inauguration. It was said that we actually had a date. We were expecting it and then it got put off. When it got put off, they said it wasn't going to be too long and here we are, still waiting on it.
Eric Geller: [00:05:22:17] My understanding is that they had a first draft written, essentially, by transition team people, which was leaked. That was widely questioned for some of the ways that it was written, and for some of the things that it contained. They overhauled that, they did a second draft, which was also leaked. They were getting ready to have the President sign that. We were briefed on where it was going to be going, on the morning of the signing day, and then he had a meeting in the Roosevelt Room with Mayor Giuliani and Jared Kushner and former NSA director, Keith Alexander, some of the outside people who have been advising him on cybersecurity. And he said, we're going to go and sign this thing later. And then we were told that it had been canceled. So I don't know that that has ever happened, where they've canceled a signing that close to the actual signing time.
Dave Bittner: [00:06:12:20] Is there a sense from insiders, in terms of, is cyber within the government something that maybe doesn't need to be the top priority, or are there other things that should take appropriately higher priority in the first 100 days of his administration?
Eric Geller: [00:06:27:19] I think if you talk to the career staffers who have been there, been working on this for quite a long time, they will tell you that they see cyber security as an incredibly important issue, particularly in the wake of some of these damaging hacks that we've seen over the past few years. And those were not, you know, necessarily super sophisticated. In a lot of cases, those were taking advantage of spear phishing, social engineering, things that involve training and protocols, perhaps more so than locking down the networks with super high grade firewalls and things like that. And so for the people who lived through that, they understand that this is an issue that you have to constantly train on, you have to constantly equip people with the right tools and the right knowledge. And so, you know, it remains to be seen whether the political appointees who have come in see that as a pressing issue.
Eric Geller: [00:07:15:17] I think you look at the first two months and they've been focused on a lot of other things. I don't see cyber as something that the President feels like he got elected on and he needs to deliver on right away. And he certainly didn't; he got elected on a number of other issues. And so I think this is an issue where people are working on it in the background, and they're trying to evaluate whether they want to keep a lot of these Obama-era directives. The Obama administration did a lot on information security and they started a number of progress reports and upgrades and overhauls. I would be surprised to see a lot of that end, just because it's not controversial. It's the kind of thing that if you have experienced cyber professionals – Chief Information Security Officer, that kind of thing – those people are not going to recommend that Trump's OMB start killing these programs left and right.
Eric Geller: [00:08:06:03] So I don't see a lot of change on that non-political side of things. I think what you will see is that this is a business-friendly administration. There are regulations that relate to data breaches, that relate to risk management and compliance, and so we could potentially see some changes there. But I think it's too early right now to say exactly what form that's going to take.
Dave Bittner: [00:08:28:24] Alright, Eric Geller, thanks for joining us.
Eric Geller: [00:08:30:07] Sure thing, thank you.
Dave Bittner: [00:08:33:17] The software life-cycle automation shop IE has released a study of how IT professionals actually spend their working lives. The key finding is that, as a group, IT pros are in a reactive profession. They asked more than 1,000 what they do at work, and found that, on average, IT workers spend 29% of every day reacting to "unplanned incidents and emergencies". More than half of them spend between 25% and 100% of their day on such emergencies. The most common incidents are outages and performance issues. About half of the incidents are discovered within an hour, but the mean time to fix them is more than five hours. And the bigger you are, the worse it seems to get. Companies with 50,000 or more seats are three times more likely than smaller enterprises to take more than a week to resolve a "business-critical request".
Dave Bittner: [00:09:22:19] And, finally, for all you Apple users, we hope you've applied the important patches Cupertino issued earlier this week. The patches fixed twenty-three kernel-level vulnerabilities. The affected products include not only macOS Sierra 10.12.4 and iOS 10.3, but also the iWork suite. Take a look at your systems, and update as required.
Dave Bittner: [00:09:49:09] Today our show is sponsored by Palo Alto Networks. You can learn more about them at Go.PaloAltoNetworks.com/secureclouds. Cloud security isn't your public cloud provider's sole responsibility; it's a shared responsibility. And while public clouds tend to do a good job of securing their cloud infrastructure, you still need to protect your apps and data, wherever they may be. Next generation cloud security gives you the complete visibility you need to control your apps and reduce your threat surface, from the network to the cloud. Palo Alto Networks has the broadest, most comprehensive cyber security for all clouds and software service environments, because secure clouds are happy clouds. Put their security to work for you. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:10:46:00] And I'm pleased to be joined once again by Emily Wilson. She's the director of analysis at Terbium Labs. Emily, there's this notion of, hope for the best and plan for the worst. And then when it comes to having your information exposed online, there are timeline issues that you have to deal with. Maybe when the information gets out there, that might not be the end of it.
Emily Wilson: [00:11:05:11] It's true, you know, in some cases, people are leaking information as soon as they gain access to it; it's a much shorter time frame. And even then, you're dealing with the fallout of, "great, all of my customers and all their information is now online, I'm going to have to deal with this for years to come." In other cases, though, and I think, you know, all of the "legacy breaches" we saw at the end of last year are a good example, just because your information was exposed, doesn't mean it's going to be leaked right away.
Dave Bittner: [00:11:34:15] What do you mean by a legacy breach?
Emily Wilson: [00:11:37:07] You think about things like LinkedIn, or Tumblr, these were older breaches, this is from years ago. Poor Yahoo wouldn't want to be in that position of, "we found a breach. We found another one a little bit older than that." These are things that happened years ago, that we're just hearing about now. And I think that there are a lot of instances where the headline is "company is breached; all of their customers were exposed". There's no evidence yet of information being leaked online. That doesn't mean it won't happen. In a lot of cases, there's a lot of benefit in waiting to show your hand at the right moment. I think we're going to see over the next couple of years, as this becomes increasingly commonplace, information from breaches that happened this year, that we haven't heard more about yet. A good parallel here is the RNC and the DNC were both hacked. We've heard quite a bit about the DNC. We haven't really seen a bunch of RNC data yet. Will we ever? I don't know.
Emily Wilson: [00:12:35:12] At the opposite end of the spectrum, the parent company for Hello Kitty had a bunch of their information exposed. And a lot of this is actually minors. Will we see this information end up online for sale? Will it end up leaked somewhere? I don't know yet. But just because you've been breached and it hasn't shown up online yet, doesn't mean it won't ever.
Dave Bittner: [00:12:56:02] And what a situation to be in, if you know they've gotten the goods, now what? The worst may be yet to come.
Emily Wilson: [00:13:01:16] Right. And it's the issue of the devil you know versus the devil you don't. If someone's leaking information, then you can at least get a sense of what they have. If you're not sure what they got away with, if they have access to everything, what were they going for? What's their plan? Were they looking at your customer records? Were they looking at your HR records? Were they looking at your donor list? What were they doing? And just because they release certain pieces of information, doesn't mean that's all they have. So you're stuck in the situation where you don't know what they got away with, you don't know what's gonna be exposed, if it's gonna be exposed. You can't be lulled into this false sense of security that "we had a breach last year, but we haven't heard anything yet, so I'm sure everything is fine." That's just not the case. It may just be that you need to wait a few more years.
Dave Bittner: [00:13:45:06] Someone's biding their time, waiting for the right opportunity to maximize their return on that information.
Emily Wilson: [00:13:51:00] It's true. And it may even be a situation where someone gets all of the benefit that they wanted to get out of whatever information they took. And now, they're going to just dump it for vandalism, because they can. That final blow of, maybe I'm done exploiting your customers, or maybe I got whatever kind of piece of sensitive information or intellectual property I needed, but as insult to injury, here are a bunch of your internal emails, you're welcome.
Dave Bittner: [00:14:16:06] Not fun to think about. All right, Emily Wilson, thanks for joining us.
Dave Bittner: [00:14:21:18] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber threats, visit Cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.