Operation Cloudhopper. Chrysaor spyware. Microsoft to upgrade Office security. Notes from SeaAirSpace. High school hacking.
Dave Bittner: [00:00:03:04] Operation Cloudhopper gets to its espionage targets via their cloud and managed service providers. Details are out on the Android version of the Pegasus spyware. Microsoft will upgrade Office security. Notes on the annual Sea-Air-Space expo. And what is going on in Bedford County, Pennsylvania? A place where the laws of physics may not apply.
Dave Bittner: [00:00:30:01] We'd like to take a moment to thank our sponsor Palo Alto Networks. You can find them at go.paloaltonetworks.com/secureclouds. The use of software as a service applications takes data security beyond traditional network perimeters. SaaS environments can create gaps in security visibility and pose new risks for threat propagation, data leakage and regulatory non-compliance. With Palo Alto Networks integrated platform, you get detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. So your organization can achieve complete SaaS protection. With Palo Alto Networks you get the broadest most comprehensive cybersecurity for all cloud and SaaS environments. Make sure your apps and data stay secure and protected. Remember, secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:01:40:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, April 5th, 2017.
Dave Bittner: [00:01:50:16] PricewaterhouseCoopers and BAE are reporting a surge in Chinese government cyber espionage. "Operation Cloudhopper" is said to be targeting cloud and managed service providers with the goal of gathering information on their customers, including not only companies but also diplomatic services. As has so often been the case with Chinese operations, the espionage extends beyond intelligence collection to theft of intellectual property. British targets are thought to be particularly affected, but the campaign is multinational in scope, and a comparable operation is being run simultaneously against Japanese targets. PWC and BAE have been tracking the operation since late last year and they identify the specific threat actor as APT10, also known as Red Apollo, CVNX and Stone Panda.
Dave Bittner: [00:02:44:19] Security firm Lookout's report on Chrysaor, the Android version of Pegasus, is out and worth a look. Pegasus is a spyware product for lawful intercept uses produced by NSO Group. Pegasus came under scrutiny during investigation of surveillance of journalists, activists and dissidents by various regimes, most famously in the United Arab Emirates. Lookout worked with Google on Chrysaor. It had earlier worked with the University of Toronto's Citizen Lab on Pegasus.
Dave Bittner: [00:03:15:19] Microsoft has announced that later this month it will add Advanced Threat Protection Safe Links to Word, Excel and PowerPoint and that Office 365 will receive an upgraded Advanced Data Governance and Threat Intelligence package.
Dave Bittner: [00:03:32:14] We were at the Navy League's annual Sea-Air-Space Exposition this week down in National Harbor, Maryland, where cybersecurity matters receive the increasing attention they now get from all the Services. As Palo Alto Networks put it in conversation with us, there's a perceived need to educate senior leadership to move the Sea Services beyond a patch-and-repair approach to cybersecurity that can still remain the easy default.
Dave Bittner: [00:03:58:11] Rear Admiral Timothy White, Commander, USCYBERCOM National Cyber Mission Force, Vice Admiral Jan Tighe, Deputy Chief of Naval Operations for Information Warfare and Naval Intelligence Chief and Vice Admiral Michael Gilday, head of the US Navy's Fleet Cyber Command, were among the senior leaders who spoke and they did exhibit the mature understanding of the issues Palo Alto hoped would become general.
Dave Bittner: [00:04:22:21] The US Marine Corps was, as it always is, a highly visible presence on the floor. The Corps offered some discussion of its new cyber military occupational specialties, typically called MOSes. These will be available for enlisted Marines as well as noncommissioned, warrant and commissioned officers. Thus experienced personnel won't have to rotate back to a primary specialty after a few years of service. The personnel system is self-consciously modeled on that used by Marine Corps Forces Special Operations Command. See thecyberwire.com for coverage of Sea-Air-Space.
Dave Bittner: [00:04:59:20] All week we're hearing from some of the people we met at the 2017 Women In Cybersecurity Conference. Michelle Dennedy is Chief Privacy Officer at Cisco and was a keynote speaker at the event.
Michelle Dennedy: [00:05:10:15] My role is really the strategic side of privacy to look at what I call turning values to value. So privacy in ethics and morality and these kinds of things sound like ishy-squishy words. What we do is we use a privacy engineering methodology and we're starting to change the culture at Cisco and our customers to be data-centric first, and then use privacy engineering techniques so that we'll have a high quality authenticatable system, that reflects not just the laws of the lands, plural, but really the ethics and the expectations of our customers.
Dave Bittner: [00:05:48:23] The issues that we have with women being underrepresented in the cyber security workforce, it's not getting better and one of the things that really strikes me is that retention is not getting better so even when we get women to join us, they're not staying.
Michelle Dennedy: [00:06:04:18] It's a very tough problem, and I'll tell you what's great about-- this is my first time at the, the WICS event, and I'm loving the energy from these young women, in particular. That they are so positive in their own ability to make change, of their flexibility to say, "Shall I start here, assuming that I'm going to go there and there and there?" So I think that is hopefully going to get better. It's a very hostile work environment still, and not always overt. And, in fact, I think the most pernicious problems are not overt. I think that what if every single person, men and women, picked one diverse candidate from whatever diversity you feel most passionate about, race, ethnicity, economic circumstances, geography, gender, and if every single one of us picked one person, not to mentor, but to sponsor, to push that person, to take those next risks or pull them up when you see them lagging. If every single person did that, it would only take half a generation to get to the place where we have enough competent people working in a respectful environment, where all we're doing is innovating and creating and sort of bringing our best selves to work.
Michelle Dennedy: [00:07:23:01] Tell you what, a couple of the young gals came up to me this morning and were so cute, because they were, you know, "Oh, I'm getting my second PhD and I have two Masters and, you know, would I need to learn anymore?" And I think for both genders, I would just say, "Nothing." It's not so much stuff you can stuff in your head, just go out there and fail, you know. Try so hard and dream so big that you don't reach it. Because if all you're doing is planning, planning, planning, planning to get there and doing everything you need to do to get there, and then executing on that plan, then you're going to look back and realize I probably could have done more. If you've failed a few times and you've reached and reached and your fingers slipped off at the very last second, that's your edge. So find your edge.
Dave Bittner: [00:08:13:02] That's Michelle Dennedy from Cisco. You can hear more from her in our upcoming CyberWire special edition on the 2017 Women in Cybersecurity Conference.
Dave Bittner: [00:08:23:10] And finally, there's some news out of Bedford County, Pennsylvania. Last week, around 6:30 on the morning of March 28, the network of Chestnut Ridge High School in New Paris was knocked offline. Pennsylvania State Police are investigating, but they say that the outage was induced by a juvenile male student, that is a local high school boy, who was hacking from home. As far as we've heard, no-one's saying anything about charges, but the Chestnut Ridge School District Superintendent said the outage was a significant inconvenience to the school's staff. So please, kids, don't do this kind of thing from home.
Dave Bittner: [00:08:59:12] But there may be another angle to the story. In a CyberWire exclusive brought to us by a stringer who vacations in New Paris, Bedford County is one of those places where the laws of physics may not apply. We're referring of course to Gravity Hill on Bethel Hollow Road. Put your car in neutral, make sure it's safe, take your foot off the brake and your car rolls uphill. Our stringer swears he's done it more than once and he's seen it with his own eyes. So that's that.
Dave Bittner: [00:09:32:12] So have the State Police considered a possible trans-gravitational effect as the cause of the network outage? If New Paris is the site of such kinetic effects, who's to say it couldn't have informational weirdness as well?
Dave Bittner: [00:09:44:22] If anyone's interested, by the way, there's a US Marine Corps recruiter just down the Lincoln Highway in Bedford. Just saying. So semper fi. And go, Lions.
Dave Bittner: [00:10:01:05] Time to take a moment to tell you about our sponsor, Control Risks. If you own cybersecurity in your organization, let's be honest, you might not sleep easily. If you lie awake thinking about new threats over the horizon or how to allocate your limited resources, Control Risks can help. It's often impossible to separate threats to your data from geopolitical swings, local regulatory shifts and competitors' maneuvering. Without a risk-led approach, how can you be sure all your shiny tools are working? Talk to Control Risks. They treat information security as a business risk, not just a technical problem. For over 40 years, they've helped clients proactively identify and mitigate risk, respond to and recover from disruption and capitalize on opportunities. In short, they bring order to chaos, and reassurance to anxiety. Let Control Risks help you spend money where it really counts, protecting what really matters. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks from sponsoring our show.
Dave Bittner: [00:11:13:17] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, today you wanted to talk about security ecosystems and the way that they handle the disruption cycle.
Dale Drew: [00:11:25:01] Yeah. So, our view might be a little biased as a network provider, but with that sort of lens we have been sort of watching this exploit ecosystem over the past handful of years and made an observation that a lot of the sort of approach to security ecosystems is based on how fast the security research community can get mitigation, or corrective action in the hands of the end system. Whether it's the consumer's desktop or whether it's the computing device in the data center, you know, a company's end system. But it's largely based on the actual computer itself. And so, we've seen on average about a four month life cycle from the time that it takes to detect a piece of malware in the wild, to capture it, to analyze it, to test it, to build a corrective action like a signature and then push it out to all the clients.
Dale Drew: [00:12:24:17] So, we've really been trying to do like a bit of a call of arms to the network community, other ISPs, as an example, other application hosting providers, and saying that if we can get other ISPs in this fray, to be able to actively shut down the command and control piece of this, while the rest of the security research community focuses on the clients, I think we're going to have a significant disruption capability in the bad guys to be able to operate this sort of large extortionist related botnet infrastructure.
Dale Drew: [00:13:01:13] There is a new protocol being proposed to that community called DOTS. It's the DDoS Open Threat Signaling protocol. I don't know if that's the right answer, but it's definitely in the direction of the right answer. Because, that is moving us toward a reputation based routing environment. So imagine an environment, let's say it's two years from now, let's say it's three years from now, but imagine an environment where ISPs, the security research community and large enterprises are all sharing threat data real time and live, and agreeing on how to assign reputation scores to compromised IP addresses. And agreeing to automatically take action, whether it's no-routing, whether it's blackholing, whether it's firewalling, compromised IPs on the global Internet while they work with the victim to get that machine corrected.
Dale Drew: [00:13:56:14] If the entire network environment, the global Internet environment was oriented toward a reputation based routing environment, it would be nearly impossible for a bad guy to operate on the global Internet. We believe that's the direction that we need to get the overall research community headed toward. And we think it's going to have a very significant impact on being able to stop bad guys from operating.
Dave Bittner: [00:14:22:10] Dale Drew, thanks for joining us.
Dave Bittner: [00:14:26:05] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyberattacks, head on over to cylance.com.
Dave Bittner: [00:14:38:03] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Our technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.