The CyberWire Daily Podcast 7.14.17
Ep 391 | 7.14.17

More from WikiLeaks' Vault7. Cyber ops and national policy. NotPetya's costs. Clouds of misconfiguration. Chasing innovation. AlphaBay takedown. Phishbait.

Transcript

Dave Bittner: [00:00:00:00] You know, when fans of our show meet me for the first time in person, they usually say, "Oh, I thought you'd be taller." Well, if you want to see what I look like in real life, there's a video of me over on our Patreon page, patreon.com/thecyberwire. While you're there, check out all of our benefits for supporters of our show, patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:25:03] WikiLeaks dumps another alleged CIA cyber manual from Vault7. Cyberwar is the continuation of war and therefore policy by other means. Counting the cost of NotPetya. AWS S3 misconfigurations could happen to the best of us, but need not. Chasing innovation in the UK and the US. AlphaBay is taken down in an international police operation. And what kind of bait is best for phishing?

Dave Bittner: [00:00:56:06] Time to take a moment to tell you about our sponsor Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire, and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and more. Subscribe today and stay ahead of the cyber attacks.

Dave Bittner: [00:01:29:03] They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:58:12] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 14th, 2017.

Dave Bittner: [00:02:08:10] WikiLeaks yesterday released a manual for HighRise, also known as TideCheck, allegedly a CIA app that enabled the interception of SMS text messages in earlier versions of Android. The Vault7 leak is dated December 2013. It purports to describe a tool effective against Android versions 4.0 through 4.3. That's Ice Cream Sandwich and Jelly Bean.

Dave Bittner: [00:02:33:10] It's worth noting that HighRise wasn't designed to be installed remotely, but required physical interaction with the device on which it was to be placed. This suggests, as Bleeping Computer observes in their coverage of the Vault7 dump, that HighRise may have been more of a tool for providing a secure back channel of communication for CIA officers or agents in the field. It's also worth noting again that there's still no publicly available explanation of how WikiLeaks is getting the contents of Vault7.

Dave Bittner: [00:03:03:12] The one thing that everyone remembers about Karl von Clausewitz is that the Prussian staff officer and philosopher of war famously said that war is the continuation of politics by other means. Now that consensus has come to regard NotPetya as almost surely a Russian operation, observers repeat the conventional Clausewitzian wisdom, and discover that cyberattacks track geopolitical interests. In the case of Russia those interests often involve fostering chaos and degrading trust, from which one may infer that Russian cyber operations will cast a wide net, just the way NotPetya did.

Dave Bittner: [00:03:40:03] Companies affected by the destructive bogus-ransomware campaign are still digging out and assessing the financial damage. They also have financial consequences. Paris-based multi-national building materials manufacturer Saint-Gobain, one of NotPetya's prominent victims, probably lost $230 million in sales due to the attack. That comes to about one percent of the company's first half sales. Saint-Gobain said Monday that it had restored all systems to normal operation before the work week began Monday.

Dave Bittner: [00:04:13:22] After the Verizon-Nice Systems breach, experts advise Verizon customers to change PINs. And of course, enterprises need to consider their exposure to third-party risks, as it seems the cause of the data exposure lay in Verizon's vendor, Nice Systems. Experts also advise everyone to pay more attention to how their AWS S3 buckets are configured. This represents the third significant data breach this year traceable to AWS S3 misconfigurations by vendors. The earlier incidents were the exposure of Republican National Committee information by Deep Root Analytics and the exposure of sensitive but unclassified information from the National Geospatial Agency by Booz Allen contractors. All inadvertent misconfigurations, all affecting organizations that weren't noticeably slipshod, and all, apparently, too easy to commit.

Dave Bittner: [00:05:08:01] London-based Bupa, the healthcare firm that disclosed a data breach Wednesday, says it wasn't hacked. A rogue insider, now fired, exposed the information. That insider was at the time employed by Bupa, but companies are advised to keep an eye on departing employees too. A study sponsored by OneLogin and released yesterday found that about half of all former employees retained access to corporate applications for some time after their departure. And the password management company notes that "failure to deprovision employees has caused a data breach at 20 percent of the companies represented in the survey."

Dave Bittner: [00:05:47:18] Governments on both sides of the Atlantic are looking for ways of fostering innovation and closing their security skills gap. In the UK, GCHQ has established a cybersecurity accelerator, the intelligence agency's second such center. And in the US, the Defense Department is seeking to streamline acquisition of cybersecurity products in ways that bypass the familiar cumbersome and long-lead-time procurement mechanisms. The US Army, for its part, has introduced an innovative recruiting gimmick, "solve a hacker's problem," to attract technical experts who may be eligible for a direct accession to Cyber Branch.

Dave Bittner: [00:06:27:10] AlphaBay, Silk Road's successor as market leader in the dark web contraband world, now really is gone. Its fundamentally criminal clientele feared last week that AlphaBay's operators were absconding with their money. Not so; it's worse than that. AlphaBay was taken down in a joint police operation by Canadian, US, and Thai authorities. Its alleged proprietor, Alexander Cazes, is dead, an apparent suicide in a Thai jail. A sad dead end to a young life; he was only 26.

Dave Bittner: [00:07:02:03] Finally, a study by social-engineering training and security firm KnowBe4 shows that the one weird trick to getting people to bite on your phishbait is to stay professional. Sound like you're from HR or IT, and the people who get your emails are less likely to spit the hook. KnowBe4's look at successful subject lines in phishing emails is a good news, bad news story. The good news is that people aren't swallowing traditional lurid clickbait or pleas from royal or ministerial Nigerian widows as much as they once may have. The bad news is that the phishbait is getting more plausible as it grows more prosaic.

Dave Bittner: [00:07:39:16] The leading lures in KnowBe4's study were security alerts, vacation and sick time policy announcements, and package delivery notifications. The one relatively old-school outlier came in tied at number four: "BREAKING: UNITED AIRLINES PASSENGER DIES FROM BRAIN HEMORRHAGE - VIDEO," which suggests some lingering morbid sensibilities in the workforce, although the two baits tied with it, "A DELIVERY ATTEMPT WAS MADE" and "ALL EMPLOYEES: UPDATE YOUR HEALTHCARE INFO," were consistent with the new, more businesslike phishing style. So be careful out there.

Dave Bittner: [00:08:20:11] Time to take a moment to tell you about our sponsor ThreatConnect. Are you going to Black Hat this year? Of course you are. And when you go, you will not want to miss talking to the experts at ThreatConnect. The team will be there at booth number 120 answering questions, sharing insights, and doing demos. Of course, they'll also be handing out some of their famous t-shirts and raffling off an incredible Sona surround system. And who would not want to get in on an opportunity to win an awesome surround sound system? In addition to all of the activities at the booth, executives will also be on hand and available to meet in the ThreatConnect media suite. Visit threatconnect.com/blackhat to learn more. That's threatconnect.com/blackhat. Surround sound, it sounds awesome.

Dave Bittner: [00:09:02:20] And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:11:23] Joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. You've got a great story to share with us today, and this involves the Girl Scouts of America.

Rick Howard: [00:09:25:07] Absolutely, thanks for having me on, David. You and I have talked in the past about majorities of cybersecurity professionals just in general. CSO Magazine said this year that worldwide, there are a million unfilled jobs. And when you consider women in the network defender community, Forbes said last year that they make up only 11% of the cybersecurity workforce. And if you add a minority to that checklist, say a black woman or a Hispanic woman, that number drops to under 1%.

Dave Bittner: [00:09:54:05] Oh.

Rick Howard: [00:09:54:18] Yeah, I know, it's just amazing, right? And in the network defender community, you know, we have been talking about this for a number of years, okay, and hope to fill the gap. But it's clear to all of us that in order to fix it, we're going to have to hire a bucket-load more women and minorities if we're going to have any chance of closing the gap.

Dave Bittner: [00:10:11:13] Right.

Rick Howard: [00:10:12:09] So the problem, though, is that many women and minorities lose interest in STEM stuff. You know, I always have to look up the acronym, but it's Science, Technology, Engineering, and Math. They seem to lose interest before they get to college, and there are lots of reasons for this, and they've been well documented. There's a male-dominated culture that turns women off. There's popular culture that pushes women into, I'm quoting here, "traditional women's roles."

Dave Bittner: [00:10:40:05] Right.

Rick Howard: [00:10:40:10] Minorities don't have access to strong STEM education. There's a bunch of others, okay. Well, we're tired of just, you know, listing what the problem is, and we at Palo Alto Networks decided to do something about it. So we've invested in partnering with the Girl Scouts to build a cybersecurity training program for the 1.8 million Girl Scouts in the world today. I think it's fabulous, right? We're going to build a curriculum for 18 cybersecurity badges intended for grades K through 12 in the Girl Scout program.

Rick Howard: [00:11:14:11] The instruction will be roughly divided into two categories, online safety and network defender education. And we plan to roll the first badges out sometime in the fall of 2018. And I can't tell you how proud I am that I work for a company that supports an idea like this. Almost two million Girl Scouts will receive cybersecurity training throughout their educational career. They'll be nurtured, and trained, and coached to not only be experts in the field, but also believe that they can make a difference in the field, and that they can be leaders in the field, and that cybersecurity is a fantastic place to change the world for the better.

Rick Howard: [00:11:50:20] This is Palo Alto Networks and the Girl Scout organization saying that we want women in the network defender community, we value what they bring to the table, and we are willing to help them get there.

Dave Bittner: [00:12:00:10] Yeah, it really is a great effort, and hats off to you for this. And it seems to me like one of the other things that it really does is that it gives them an opportunity to explore this in an environment that they're already comfortable in.

Rick Howard: [00:12:13:21] I agree with that totally. You know, the Girl Scouts are fabulous about it, their entire educational curriculum, not just cybersecurity. And the chance, the idea that we get a chance to kind of hook into their fantastic infrastructure and to kind of inject cybersecurity into their environment. I mean, that's just a win-win.

Dave Bittner: [00:12:31:07] All right, Rick Howard, it's good stuff. Thanks again for joining us.

Rick Howard: [00:12:34:08] Thank you sir.

Dave Bittner: [00:12:39:09] Now a few words about our sponsor DomainTools, the company that helps security analysts turn threat data into threat intelligence. They've got some new insights into DNS forensics, which, as they explain in a new white paper, is where intuition meets experience. Their integration of human and machine intelligence brings into high relief the footprints that intruders into your network leave behind.

Dave Bittner: [00:13:02:04] Go to domaintools.com/cyberwire to learn more. DomainTools takes indicators from your network and connects them with nearly every active domain on the Internet. Fortune 1000 companies, global government agencies, and leading security solutions vendors use the DomainTools platform to investigate and mitigate threats. Find out more by going to domaintools.com/cyberwire. To learn about the leverage the domain name system can bring to your investigations of virtually every cyber attack that's snuffling around in the wild today, check out domaintools.com/cyberwire. And we thank DomainTools for sponsoring our show.

Dave Bittner: [00:13:49:12] My guest today is Raj Samani. He's chief scientist and McAfee fellow at McAfee, and also special advisor to the European Cybercrime Centre. We begin our conversation with a look back at Petya, NotPetya.

Raj Samani: [00:14:03:05] I think the key thing to recognize is, you know, we've talked about Petya, NotPetya as being a ransomware attack. The reality is I think both this campaign and equally WannaCry, they don't actually follow the same modus operandi that we would expect normal ransomware to take. You can argue that WannaCry may have been a ransomware campaign and there are certain indications to suggest that they at least had some mechanism to communicate with victims.

Raj Samani: [00:14:32:01] But in Petya's example, it would appear that this was a campaign designed to cause destruction. And you know, looking at the number of files they encrypted, there were only 65 file types. And so it was designed to spread fast, quickly and as fast as possible. And so where are we with all of this? Well, we know obviously that attempts have been made with regard to attribution, but I don't think it was actually settled on a malicious act here. We haven't even settled on a name for Petya, actually. So I think we're a little way away, but you know, in terms of trying to determine, you know, why they did this, how they did this, and indeed who it was.

Raj Samani: [00:15:12:05] I think the lesson to learn from all of this is that there's a broader acceptance now amongst businesses that what we do is not an IT issue. You know, we've seen examples where nuclear plants have had to switch monitoring modes to manual. We've even seen examples where companies have had write-downs of quarterly revenue earnings. And so if anything comes out of this, it has to be recognition that this is not an IT problem; this is a business issue.

Dave Bittner: [00:15:41:08] What about the notion that perhaps Petya, NotPetya was a targeted attack that escaped and went a little farther in the wild than the people who sent it out there had planned for it to?

Raj Samani: [00:15:54:19] That may well have been the case, and you know, I think if we look at the facts that are presented to us, you know, it would suggest and it would appear, in terms of the way that the infections occurred, that the initial target was the Ukraine. Now that's based upon, you know, the evidence that we have before us, in terms of the fact that the majority of infections came from there. But it's not as simple as that. You know, I remember the good old days, and by the good old days I mean like February or March, when, you know, we had the Shamoon attacks and, you know, we did a significant amount of analysis on the latest situation with Shamoon. And that was great because, you know, it waved its hand and it said, "Hey, we are a targeted campaign, most likely nation-state directed, or you know, our single purpose is there to destruct and wipe the computers that are owned within Saudi Arabia."

Raj Samani: [00:16:50:10] With Petya, NotPetya, it kind of appears to be, you know, I'm kind of using terms like maybe and probably and we think. And certainly we think it was a campaign meant to disrupt the Ukraine. Of course, the customers of MeDoc were more than just Ukrainian companies, and that's part of the reason why we saw this. But also, you know, we have to remember that the propagation method was pretty effective. I mean, there were multiple propagation methods associated with this. So I suspect that it was, you know, it may well have been. But again, you know, every answer in our industry is a maybe, or a probably, or yeah, it could be, or it depends.

Dave Bittner: [00:17:29:08] It seems as though with Petya, NotPetya, that this is another example of people sort of bracing themselves, wondering if this is the big one. Like it's inevitable that one of these is going to hit that's going to be a global pandemic, and, you know, it's going to cause huge damage, and then we sort of whistle past the graveyard that, well, we dodged this bullet.

Raj Samani: [00:17:51:10] I don't think we did. I mean, you know, you ask the individuals that were impacted, you ask the shipping companies, you ask the legal firms, you ask the major PR and advertising firms, did they dodge the bullet? No. But, you know, and I think, Dave, this is probably something that we all kind of feel in this industry, and certainly I feel it anyway. These last couple of months have just been insane. I mean, you know, we had WannaCry, we had the Cybellum work, we had Vault 7 disclosures. You know, it appears that we veer from crisis to crisis to crisis. One of the reasons why it's becoming such a big issue is because our dependency on technology is almost ubiquitous, you know, and you saw this when, you know, hospitals were hit by ransomware. Whereby the ability to be able to revert back to manual systems, to be able to continue to provide patient care, you know, we've almost moved on from that. You know, the ability to be able to revert back to manual systems, or to be able to not leverage technology.

Raj Samani: [00:18:45:22] I think it's lost to products. And so our dependency on technology is almost ubiquitous now. And it's going to continue as well.

Dave Bittner: [00:18:53:23] So if I am a board member and I'm looking at my company, and I'm looking across at companies like Maersk who've got, you know, their shipping capabilities affected by Petya, what should my approach be? How do I respond to these sorts of things and protect myself?

Raj Samani: [00:19:08:14] I guess I could give the usual answer, which is security and privacy by design, and so on and so forth. But I think it's deeper than that. Look, I used to be a CSO. My boss, I think I was there for four years, I probably met them three times. The reality is that there's this perception that security is an IT issue, and so do we have the security team, the security department, engaged at board level? The answer is no. I mean, I spoke at the CSA Summit in London just recently, and I asked, and there were quite a lot of senior people there, and I said, "How many of you have spent any time with the CEO?" and less than 5% put their hands up. And the reason is because there's still this perception that what we do is an IT issue. And yet it's not, because for any firm, if you lose access to your systems, if you lose the shop window to what you do, not only do you lose the day-to-day business, but also, and there's this great term that the Ponemon Institute talk about, which is this thing of the abnormal churn rate.

Raj Samani: [00:20:08:13] You know, customers will end up leaving you, and actually that's going to be between two to five percent. And in fact, that could be higher. I mean, when TalkTalk were hit, the reports were they lost 90-plus thousand customers. So it's a significant issue, and I think the board need to recognize that this is not an IT problem. It's actually part of business risks, and true business risk. And actually, most firms today are IT companies, whether they like it or not. And so there has to be that acceptance and recognition, and then hiring the right people, and then enabling them and empowering them to be able to be senior, to be able to make those decisions.

Dave Bittner: [00:20:46:09] That's Raj Samani, from McAfee. One of the initiatives he's particularly proud of is the No More Ransom Project, which combines the efforts of companies like McAfee, Intel, Amazon, and others, along with international law enforcement, to help ransomware victims and to bring the bad guys to justice. You can check that out at nomoreransom.org.

Dave Bittner: [00:21:12:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:21:24:21] The CyberWire Podcast is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.