Russia Spy Files from WikiLeaks. Disinformation and influence operations. Equifax sustained a breach in March. Software supply chain issues.
Dave Bittner: [00:00:00:22] It's no secret that people who support the CyberWire on Patreon are smart and attractive. Find out how you can join them at patreon.com/thecyberwire. Thanks.
Dave Bittner: [00:00:14:12] WikiLeaks is shocked, shocked, to learn that there's gambling… uh, um, actually Russian surveillance going on. Advice from Ukraine about influence operations. The Equifax story may have gotten worse: there may have been an earlier breach in March. Software supply chain issues come up in an Avast backdoor. Industry notes, and the "Unlucky 13," presented by Johns Hopkins.
Dave Bittner: [00:00:43:17] Time to take a moment to tell you about our sponsor, Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2017 in Washington, DC on October 4th and 5th, and say hello to us. The CyberWire will be there and podcasting from the floor on the 5th. This year's annual conference promises to be at least as good as the last five, after all, it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the Web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2017. Meet others like you. People who understand that cybersecurity depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence powered by machine learning. RFUN is the place to be. Register now at recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:53:00] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire Summary for Tuesday, September 19th, 2017.
Dave Bittner: [00:02:03:14] Here's something out of the ordinary. WikiLeaks has posted documents purporting to describe the Russian state surveillance apparatus and some of its operations. This dump, which they're calling "Spy Files Russia," has received a very mixed reception, which we'll discuss in a moment.
Dave Bittner: [00:02:20:06] Spy Files Russia's central revelation, if revelation it be, is that Russia conducts mass surveillance, and that a company in St. Petersburg, "Peter Service," is a contractor for Russian state security services.
Dave Bittner: [00:02:35:01] The former revelation should come as no surprise to anyone. What the documents purport to show about Peter Service are perhaps more interesting. The company was established in 1992, initially as a billing solution vendor. It evolved into a significant supplier of mobile telecoms software. The story Spy Files Russia tells about Peter Service and Russian intelligence has literary parallels with the things Edward Snowden leaked concerning US activities.
Dave Bittner: [00:03:04:06] Here's why Spy Files Russia has received a standoffishly skeptical reception. WikiLeaks has long looked to many observers like a Russian cat's paw, so why this dump, now? Some read it as a refutation of the Russian connection, which may be what Julian Assange's organization intends. Many others, however, see it as dragging a red herring across the path that leads back to Moscow. What better way to deflect such suspicions than by tossing out some anodyne wolf meat?
Dave Bittner: [00:03:35:09] Some lessons on how to wage information operations come from Ukraine, as Germany continues to look for the signs of Russian activity they've long expected as they prepare for Sunday's elections. The Ukrainian observations, reported in the Voice of America, come down to the conclusion that fighting propaganda with propaganda, disinformation with disinformation, is ultimately a mug's game. Students of Russian activity in its hybrid war against Ukraine and its influence operations against the West, say that the best answers to these increasingly sophisticated "active measures" that blend truth with fabrication, are fostering a more critical approach to media among the general public while simultaneously encouraging and enabling serious journalism. And, of course, they think blocking Russian television isn't a bad idea, either.
Dave Bittner: [00:04:25:15] In other news on state-sponsored cyber operations, North Korean cryptocurrency raids draw more attention as Pyongyang looks for fresh sources of revenue. Chinese intelligence services are now being considered possible suspects in the cyber attacks against Scotland's parliament. And from the company's perch in Mountain View, California, a senior Google executive says they think of the US NSA as a nation-state threat actor.
Dave Bittner: [00:04:53:03] You are likely familiar with the notion of adopting a DevOps software development process and the advantages it can provide when it comes to communication and collaboration. But what about security? Mike Kail is chief technology officer at Cybric and he makes the case that DevOps should transform into DevSecOps.
Mike Kail: [00:05:12:23] So if you look at the mega-trends of digital transformation, cloud migration, the move to containerization and this notion of the rise of the developer and that developers have more power within an organization, because the application economy is really what's driving revenue. So developers are incentivized to deliver features at a much higher velocity and that's powered by the adoption of DevOps culture and the core tenets of collaboration, automation, measurement and sharing. And meanwhile, security has been left behind, or off to the far right, so they're still ingrained in manual processes and disparate tools.
Mike Kail: [00:05:58:11] What really needs to happen in this cultural transformation, is what we're calling shifting left. So how do we bring security into that collaborative DevOps, DevSecOps pipeline and conversation? We can't keep trying to scale out cybersecurity engineering talent and human capital. There's the well-publicized shortage of engineers that's just growing. So then it's taking an automated, orchestrated platform approach to this. So now, taking all these disparate tools and powering them with a true automation platform, to then free up the security engineers to do higher order work and be much more close to the development life-cycle and the developers themselves.
Dave Bittner: [00:06:40:00] What do you suppose is the driving force behind the need for this shift?
Mike Kail: [00:06:45:09] CIOs and CISOs have lost visibility, so as the security perimeter has dissipated and applications have migrated or been greenfielded in the cloud, they've lost visibility around the security controls of that. There's no hardware device that can now protect a cloud application. And so you have to have different, newer software constructs to provide that visibility. In conjunction with that, you have hackers attacking your application infrastructure continuously and the current way of security is doing periodic tests, instead of continuous. So we have to level the playing field against the hackers and hackers only have to get it right once. You know, we, as defenders, have to be right and secure all of the time. The only way to really give that assurance is take a continuous approach and try to find vulnerabilities and software defects earlier and earlier in the development life-cycle.
Dave Bittner: [00:07:44:12] And so, looking forward in an ideal world, how would you see this playing out?
Mike Kail: [00:07:51:12] So in an ideal world, there's the cultural transformation like I talked about, that the security team is collaborating with the development and DevOps teams and trying to work towards this common framework of continuous security assurance. To do that, you have to do this testing continuously, as well as correlation and looking at the global threat feeds and in different stages of the vulnerability. If you look at the classic stance of defense in depth, apply that to the SDLC. So looking for defects at the code commit level, at the CI build and then at the delivery and correlating all those results and having this measurement of continuous assurance.
Mike Kail: [00:08:35:23] This is a cultural change and that's harder than technology. Technology is much easier to be adopted and it's about changing hearts and minds, versus, here's this new, cool technology.
Dave Bittner: [00:08:48:19] That's Mike Kail from Cybric.
Dave Bittner: [00:08:52:24] We're at the fourth annual Cyber Security Conference for Executives on the Johns Hopkins campus today. We'll have full coverage later this week, but Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University's Whiting School of Engineering, set the day's agenda by reviewing what he calls his "Unlucky Top 13" list. These are, in reverse order, with a hat tip to David Letterman:
13. The announcement in March of the Apache Struts bug's discovery.
12. Scams and thefts plague new cryptocurrencies.
11. Kaspersky security software is booted from US Government systems.
10. Discovery of Apple's questionable use of "differential privacy."
9. Apple's iPhone X with FaceID.
8. The US Navy investigated possible cyber causes of the USS McCain collision. Nothing found, but it's interesting to see that cyber forensics are now a routine part of major accident investigations.
7. Ultrasonic hijacking of Siri and Alexa devices was demonstrated.
6. BlueBorne, a Bluetooth vulnerability, is discovered.
5. New flaws were found in D-Link routers.
4. ExpensiveWall Android malware charges users for fake in-app purchases (without their knowledge).
3. Bugs are found in German voting software.
2. Symantec finds that hackers have gained direct access to at least 20 power companies.
And the number one item in the Johns Hopkins University Unlucky Top 13 list, of course, Equifax was breached.
Dave Bittner: [00:10:35:14] The central lesson he draws from these, and which he commends to his conference, is that we need a serious national conversation about a national identity system.
Dave Bittner: [00:10:44:20] Speaking of Tony's number one Unlucky 13, the Equifax breach, there are developing reports that Equifax learned of a major breach back in March. The company has said that breach is unrelated to the Apache Struts exploit the company disclosed the week before last. As Bloomberg primly put it, "The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives." The US Department of Justice is said to have opened a criminal investigation into the stock sales.
Dave Bittner: [00:11:16:22] It seems clearer that Equifax was aware of the Apache Struts vulnerability and the patch was available for the bug. The credit bureau is seen by some as finally getting a handle on its messaging, but the breach is drawing more lawsuits. And, of course, the acknowledgment that there was another, earlier breach, has caused them further problems. Mandiant, the FireEye unit, is said to have been brought in at the time of the first breach. It's also been engaged to help mop up the second, more recent incident.
Dave Bittner: [00:11:47:20] The compromise of Avast's CCleaner with a backdoor prompts discussion and concerns about software supply chains.
Dave Bittner: [00:11:55:15] In industry news, ManTech has bought InfoZen for $180 million. Threat Stack has raised a $45 million investment. And the US Senate attached an amendment to the Defense Authorization bill banning Kaspersky products.
Dave Bittner: [00:12:15:20] A quick note about our sponsors at E8 Security. They understand the difference between a buzz-word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven, technologies at e8security.com/cyberwire.
Dave Bittner: [00:12:34:20] We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.
Dave Bittner: [00:13:19:24] And I'm pleased to be joined, once again, by Professor Awais Rashid. He heads up the Academic Center of Excellence in Cyber Security Research at Lancaster University. Professor, welcome back. I think, particularly with larger organizations, sometimes there is a tendency for people to think that the job of cyber security belongs to the folks in IT. But you want to make the point that it's really more complex than that.
Professor Awais Rashid: [00:13:44:06] Indeed. I think, particularly in large organizations, there are cyber security teams, or IT security or information security teams, and they do a great job at protecting the infrastructure and information in the organization. But equally often, other employees in an organization think that it is really their responsibility to deal with security. However, it is in fact everyone's responsibility. When I sit on my computer and an email comes through and I click on an embedded link, I am implicitly making a security decision. I am making a judgment, knowingly or unknowingly, that it's safe for me to click on that link. And someone else, sitting in procurement, procures some third party service or some hardware, they are implicit in making a judgment. And you can see this in all our work practices.
Professor Awais Rashid: [00:14:34:15] The key thing is, the world is very highly digitally connected. We bring our devices into our workplaces, we interact with others outside our organizations using computers and other electronic devices and every time you do something, we are implicitly making, at least, security risk decisions, if not concrete security choices. And as a result, the only way, in a modern organization, which doesn't want to use the model of battening down the hatches, so to speak, and keeping everybody out, because that way you would do no business with anyone elsewhere in the world, then there really is an important need to have cyber security culture. It has to be an ingrained practice.
Professor Awais Rashid: [00:15:18:03] Of course, the key challenge is, how do you actually raise awareness amongst various employees of the organization and bring it to the fore that security is everyone's responsibility?
Dave Bittner: [00:15:28:21] Do you think there is perhaps a false sense of security, where people think, "Well, if I click on this link, surely the folks at IT have tools that will protect me from anything bad happening."
Professor Awais Rashid: [00:15:39:02] Yes. I think it's quite interesting to understand and I think it's a big research question and some people have explored these kind of issues as to what are the users' mental models of security, and how do they perceive particular activities in their day to day work? Whether those mental models of security represent the reality. And you're right, people might think that somebody else has thought of that and hence, there is some protection in place. It could also be that they think, "No harm can come from it because what value might I have on my computer?" But the point is, many times the mental models do not fully relate to the networked setting in the organization and as a result, there is often not a clear understanding on the part of users, that their actions actually have a much wider impact.
Professor Awais Rashid: [00:16:33:14] And I think we can do a lot in communicating better to users, but also making things easier for them in that regard, so that they don't have to understand all these complexities when they make decisions, yet they have awareness of the impact of their decisions on the overall security of the organization.
Dave Bittner: [00:16:50:12] Alright. Awais Rashid, thanks for joining us.
Dave Bittner: [00:16:57:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit cylance.com.
Dave Bittner: [00:17:09:18] If you enjoy our show, we hope you'll consider leaving us a review on iTunes. It is one of the best ways you can help people find us. We do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.