Dave Bittner: [00:00:03:24] The Shadow Brokers are fed up with all of the peoples. The Callisto Group spearphished the UK's Foreign Office last year. Lawful intercept shops alleged to be willing to deal with pariah regimes.The US Director of Central Intelligence calls out WikiLeaks as a hostile intelligence service and NATO insiders would like to see the Atlantic Alliance weaponized memes.
Dave Bittner: [00:00:31:08] Time for a message from our sponsor Palo Alto Networks. You can learn more about them at go.paloaltonetworks.com/secure clouds. With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organizations data protected in this new environment? Palo Alto Networks integrated platform provides detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention so organizations can achieve complete sas protection. Palo Alto Networks has the broadest most comprehensive cyber security for all cloud and SaaS environments because secure clouds are happy clouds. Get started at go.paloaltonetworks./secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:01:32:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, April 14th, 2017.
Dave Bittner: [00:01:42:05] Attention must be paid, right? I mean, Willie Loman said so in Death of a Salesman. Anyway, the attack code salesmen over at the Shadow Brokers seem to be in a Willie-Lomanish mood, and they're pretty sore at all of you peoples who haven’t been taking them seriously enough.
Dave Bittner: [00:01:58:02] Their latest dump is of Windows exploitation tools, mostly effective against older versions of the Microsoft operating system that continue to be in use. Some of the material released appears to indicate some interest in banking information. Researchers are generally impressed with what the latest batch contains, but the brokers themselves are feeling like a barker hustling in the wilderness as they hawk their purported NSA Equation Group wares. They say, and we quote from Motherboard, in a cleaned-up sort of way that nonetheless preserves the spirit of the Brokers' diction, "This week the shadowbrokers be thinking F peoples. Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension." In fairness to all of you peoples, the script writer who's preparing the Shadow Brokers communiques isn't exactly making reading comprehension easier, but give them props at least for fluency in demonic American cussing. One might say some of those peoples is needing remedial composition, but perhaps we shouldn't quibble. Maybe the Brokers are referring to the leaks, which we hear include some well-written PowerPoint presentations.
Dave Bittner: [00:03:08:03] Reports late yesterday from the BBC and the Times of London said the British Foreign Office was spearphished in 2016 by the Callisto Group. It's not believed the espionage campaign, for espionage it was, succeeded in discovering anything particularly sensitive. Reports on the incident are based on a study of the Callisto Group released yesterday by Helsinki-headquartered security firm F-Secure. As usual, F-Secure is coy about attribution, but they do tease with informed speculation that Callisto is connected to a nation-state. The espionage group has used infrastructure connected to actors in China, Ukraine, and Russia, but also to criminal organizations dealing drugs and other contraband. The Callisto Group seems most interested in the Near Abroad, especially Eastern Europe and the Caucasus, but the incursion into Foreign Office networks indicates that they have broader interests as well. F-Secure also notes similarities in technique to APT28, a.k.a. Fancy Bear, a.k.a. the GRU, so signs both criminal and technical tend, as the headlines have been saying, to point toward Russia.
Dave Bittner: [00:03:56:14] The payload Callisto's phishing emails delivered was, according to F-Secure, the Scout tool from the HackingTeam's RCS Galileo program. HackingTeam of course is the lawful intercept shop that's been involved in controversy over its alleged willingness to sell its tools to unsavory and often unsanctioned governments. Other such companies have also come under criticism for allegedly showing readiness to deal with sanctioned regimes. Al Jazeera late Monday broke an investigative story in which a reporter posed as a representative of Iran and South Sudan in the market for surveillance tools. The network claims that two Italian companies, IPS and AREA, signaled willingness to deal without appropriate measures taken to ensure that products didn't reach prohibited end-users through, for example, donation, resale, or transshipment. A third company, Chinese outfit, Semptian, was willing to sell surveillance products without any curiosity about who the end-user might prove to be. AREA subsequently told Al Jazeera that it, "Works with the relevant governments to ensure the proper export and legal use of our equipment."
Dave Bittner: [00:05:28:03] US Director of Central Intelligence Pompeo had some harsh words for WikiLeaks yesterday, calling Mr. Assange's organization a "non-state hostile intelligence service" and Mr. Assange himself "a narcissist who has created nothing of value." The operation, Pompeo argued before the Center for Strategic and International Studies, provides an implausibly deniable figleaf for the Russian intelligence services, at best a fellow-traveling useful idiot if not an active agent-of-influence. WikiLeaks, of course, has recently been dumping CIA-focused documents from its Vault 7, with more expected. The reaction to the Vault 7 dumps has been not as strong as many would have expected, since the documents for the most part reveal what everyone knew already; the CIA's mission is foreign intelligence.
Dave Bittner: [00:06:17:08] Much of this conflict lies in the realm of influence operations as opposed to hacking proper, and some within NATO would like to weaponized memes, trolling both ISIS and the Russian government. Doing so is easier said than done, and some recent NATO and US State Department attempts along these lines have fallen flat with reviewers, particularly when they attempted humor, sarcasm, or snark. So there's work to be done on the boffo marketing of ideas. Several suggest the US President's tweets might contain some useful how-to examples; he seems to be trolling North Korea's Supreme Leader Kim Jong-un, anyway.
Dave Bittner: [00:06:59:05] Time to take a moment to tell you about our sponsor Control Risks. For 41 years across over 130 countries Control Risks has partnered with the world's leading companies to help them succeed in complex physical, political and virtual risk environments. They've been with their clients as risks have evolved from kidnapping in the jungles of Colombia to extortion by cyber attack. In an increasingly interconnected world cyber risks are everywhere you operate. Control Risks has a comprehensive view of cyber security as a business risk within a context of geopolitical, reputational regulatory and competitive complexity. And thanks to their unique heritage they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings order to chaos. Let them show you what over 40 years in the risk business has taught them. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank ControlRisks for sponsoring our show.
Dave Bittner: [00:08:06:20] Joining me once again is Jonathan Katz, he's a Professor Computer Science at the University of Maryland and he's also Director of the Maryland Cyber Security Center. Jonathan this whole story come by on wired recently. The headline was, After three years why Gmail's end to end encryption is still vapor. Take us through this story.
Jonathan Katz: [00:08:23:24] Well basically Gmail had announced several years back that they were working on getting end to end encryption working for their Gmail and basically what end to end encryption means is that it's encrypted from the sender of the email to the recipient so that even Google itself would not be able to read the contents of the email. And so people had gotten really excited about this and were looking forward to seeing that come out and I guess just recently they came out with an announcement saying that they were essentially going to be giving up the project internally but instead making it open source and leaving it for the open source community to go ahead and further develop that code.
Dave Bittner: [00:08:58:14] There are certainly, you know, many products out there that tout the fact that they have end to end encryption. Why do you think that it's particularly challenging for someone like Google to implement it?
Jonathan Katz: [00:09:07:10] Right I guess you're speaking in particular about apps like Signal that can do end to end encrypted text for example and I think, you know the issue is that email is a little bit more complicated, in part because of the fact that it's a legacy protocol that's been around for a long time. But also as a consequence of that, Gmail needs to be able to interoperate with people who might not be using Gmail to read their mail right. So if a Gmail user is sending a mail to I don't know, a Yahoo email address, then somehow, you know, Google has to be able to interoperate with them and make sure that their protocol still works. And that introduces some complexities that maybe aren't there in a more closed system where you have, you know, the signal app for example only communicating with other users of that app.
Dave Bittner: [00:09:49:16] With this project going open source now what are the odds that it will actually be turned into some sort of workable solution?
Jonathan Katz: [00:09:56:06] It's hard to say of course. I think certainly this is a little bit disappointing right. If Google puts their mind to it they can and if they're willing to put their resources behind it, then this is something that I think certainly they would be able to do. Throwing it out there for people to work on who are not going to be paid for what they're doing, it's just unclear right, it's just unclear who is going to pick it up and who is going to use it and even if, and who is going to work on it rather. And then it's unclear also right if somebody does develop it, there has to be some measure of trust involved because if people don't know who that developer is and they don't trust the quality of their code, then other people just may simply not use it. So it's really unclear at this point what's going to happen but it is disappointing and it does seem to make it less likely that this will come to fruition.
Dave Bittner: [00:10:35:12] Alright Jonathan Katz thanks for joining us.
Dave Bittner: [00:10:43:07] Time for a message to share some research from our sponsor Cylance. Satan is as bad as it sounds. This particular Prince of Darkness is a ransomware as a service offering, that's an RAAS. It's a fairly sophisticated crypto ransomware variant. The criminals who wrote it seek riches in the crook to crook market. Selling Satan to skids who would otherwise be unable to code it themselves. If you're hit by Satan don't pay the ransom, there's no guarantee you'll get your promised encryption key. You're dealing after all with the father of lies. Better to get the protection up front. For information on Satan and those who followed all its empty promises, reject the glamor of evil and go to Cylance.com/blog and check out the threat spotlight paper on Satan RAAS and while you're there, take a look at the protection Cylance offers. That's cylance.com/blog. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:11:46:20] My guest today is Ajit Sancheti. He is the CEO and co-founder of Preempt Security where they say they deliver the industry's first behavioral firewall to protect enterprises from security breaches and malicious insiders. He maintains that one of the fundamental issues cyber security professionals need to face is the inherent tension between security and human nature.
Ajit Sancheti: [00:12:09:04] Cyber security for most people is not a productive task. It's something that inhibits business and most of the time humans by nature are trying to do their job. They don't always think about whether it's, you know, it's going to be secure or insecure. We have an innate notion of what's ethical and what's not ethical but generally when it comes to security issues we're not that trained to do it. And so we're usually trying to get our job done and sometimes we find out we did it in a manner that was insecure.
Ajit Sancheti: [00:12:37:06] It's, you know, if you think about the analogy it's not a direct analogy but when you're sitting and watching a TV show about being healthy and eating healthy foods, suddenly some ad comes on and says you can sit here on your couch and we have this little band that goes around your waist and you lose all the belly fat. Now what do we do, we remember that because that's an easy way to get where we wanna get to, not through the diet, the exercise that we want to. And even within the enterprise we're looking for easy ways to get our job done because we think it will be quicker, it will be more efficient, we can get onto the next task. So humans by nature have always evolved to do thinks quickly and the problem is nowadays it has impacts on the security posture of an enterprise.
Dave Bittner: [00:13:14:24] I've heard people sometimes refer to IT as the Department of No. People will say that, you know, it's easier for me to do the thing that I, even if I'm unsure that that thing might not be the right thing to do from a security point of view I'm going to get my work done faster if I go ahead and do it. Maybe get my hand slapped later rather than having to go check with IT and probably be told no.
Ajit Sancheti: [00:13:36:15] It's because of the posture that the two sides have taken. I think that's the challenge is we think that IT, the Department of No and IT thinks that people are always going to do the wrong thing. We actually have to change that behavior. You have to consider that these employees and these people are not the weakest link. You have to enable them, make them part of the security posture and then you will have fewer incidents because when people are aware they tend to make better choices.
Dave Bittner: [00:14:02:14] How do you promote a collaborative culture between the systems users and the IT folks?
Ajit Sancheti: [00:14:08:06] Yes so that's a very good question. One of the things we set out to do which is as you're doing your job, for example you are working and one day you suddenly access three new servers. You access them with the credentials of the person sitting next to you because you didn't want to go to IT to get permission to access those servers. Somebody give you their credentials, you log in from your end point and you get the job done. But what you've just done is now that person's credentials show up on your end point and if you're compromised, two peoples credentials are exposure to some hacker.
Ajit Sancheti: [00:14:39:13] So what if, when you were trying to access these servers somebody bumps you and says, "Well you're trying to access this server from an endpoint that we haven't seen before, are you sure this is what you wanted to do?" As soon as you see something like that well you can verify your identity or you can say, okay this is not what I wanted to do. But what happens is now you're aware that whenever you do something that's unexpected, whether you do something that's insecure, if somebody is looking at and somebody is prompting you to and asking you to verify what you're doing, you will do less of it.
Ajit Sancheti: [00:15:07:03] I'll give you another example. You have privileged users which are the users that most hackers are trying to get to, the credentials. You have a privileged user who has gone out for a party, you know, a friends place and suddenly there is an issue to be handled and he needs to log in to resolve it. What does he do, he usually takes his privilege credentials and he logs into a laptop that he finds and tries to get the job done. Well one of the systems suddenly tells him well you use dubious credentials, you're coming in remotely, you're coming from an end point that's not managed by us, our business, were not going to let you do it. Now suddenly he becomes aware that this was being tracked in real time and preventing him from doing it. So the more we start to engage the users and say this is what you're doing, this is why it's different, the less they're going to do of it.
Dave Bittner: [00:15:47:18] What about the notion of the carrot versus the stick? You know, I think to a lot of people they think the only time IT comes knocking on my door is when I've done something wrong.
Ajit Sancheti: [00:15:57:07] Ah, uh, [LAUGHS] that's a really, really good question. We see that quite often almost like should I be put in a penalty box because I did these things that were insecure and there are enterprises starting to talk about that. When you see for example a phishing email came in, you clicked on that phishing email, your risk level is high, we don't know if you've been compromised but for the next three days you don't get access to these sensitive servers. That's, that is happening today in enterprises where they want to penalize people for doing things like that. You know it can get really, really bad, the extreme financial services organizations can even say it'll impact your bonus because you're compromising the integrity of our business. But that's really on the other extreme.
Ajit Sancheti: [00:16:42:04] But we are seeing people say that there is an impact on what your risk does to what you can assess and how quickly you can access it. Now that's, you can call it a carrot and stick policy but the stick there also can be of different kinds, you can grade it, you can say well we think, we're not sure you've been compromised so we may block you from accessing this resource or we may force you to do verification of your identification multiple times during the day just so that we know you are who you say you are and you're going to have to do it on your phone for example. It doesn't all have to be, you know, it's an extreme situation where if you do something wrong we're going to force you, you're going to be restricted in many different ways and you can actually have many different kinds of responses. You can also take away somebody's remote access privileges if they do things that are insecure outside of the business of the enterprise network. So it is a carrot and stick policy and mostly stick, less carrot. You can make it more or less severe depending on the kind of infraction.
Dave Bittner: [00:17:41:08] If you come at it from the other direction, how can you reward people for doing the right thing?
Ajit Sancheti: [00:17:45:20] What we're saying, in fact gamification is driving some of this so I've seen a bank, actually a bank that has, I think even the users or customers, it's a private bank. And what they've done for their internal employees, they're using scores and if you hit a certain score in your department or if you hit a certain score in your organization they get things like Starbucks cards or reward cards, twenty dollars, fifty dollars and they're making it very public that somebody got this bonus for what they did from a security standpoint.
Ajit Sancheti: [00:18:18:06] So these are little little things, but they found that the impact was much higher than they expected in a positive direction. Because people really want to be recognized, especially for something as nebulous and as hard as security. It doesn't take much of the organization. I think the biggest challenge there is mostly cultural because some organizations don't want to do something like that. They don't want to reward the behavior that they think has to be part of your job. I don't believe that that's the right way to look at it. We have to get them to be part of the security program and when you do that you're going to find benefits that you didn't expect and they're going to be known in your benefits for enterprise if they did that.
Dave Bittner: [00:18:56:14] That's Ajit Sancheti from Preempt Security.
Dave Bittner: [00:19:05:05] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you through their use of artificial intelligence check our cylance.com.
Dave Bittner: [00:19:19:01] A quick reminder there's a new podcast we're producing in partnership with our friends at Recorded Future. It's focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future or visit recordedfuture.com/podcast.
Dave Bittner: [00:19:34:17] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody, see you back here on Monday. Thanks for listening.