The CyberWire Daily Podcast 10.12.17
Ep 453 | 10.12.17

Panama Papers pinch. North Korean spearphishing against ICS. CyberMaryland notes. Google Home Mini was tale-bearing (but now it's better).

Transcript

Dave Bittner's son: [00:00:01:04] Dad, why are you telling these crazy stories about my teeth? I have all my teeth. The tooth fairy never visits me anymore. She's always at Bobby's house.

Dave Bittner: [00:00:11:13] Patreon.com

Dave Bittner's son: [00:00:11:24] Patreon.com

Dave Bittner: [00:00:14:01] Slash the CyberWire.

Dave Bittner's son: [00:00:15:03] Slash the CyberWire.

Dave Bittner: [00:00:16:09] Alright, here's your money.

Dave Bittner's son: [00:00:17:21] Okay.

Dave Bittner: [00:00:21:12] German police raid a Panama paper's connected slush fund. North Korea spear fishes in the North American power grid. Security tools can be dual use too. Notes on CyberMaryland where we heard about business climates, the Baltimore to Birmingham cyber connection, the Red Queen's race and the curmudgeonly demeanor too many security types cop. And Google Home's mini speakers were apparently listening and tattling as well as just speaking.

Dave Bittner: [00:00:52:24] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than Artificial Intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you. Go to e8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So, visit e8security.com/cyberwire and see how they can help address your security challenges today. That's e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:54:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 12th, 2017.

Dave Bittner: [00:02:03:07] Remember the Panama Papers, the doxed law firm's files that contained apparent signs of illicit or at least questionable money laundering? The anonymous hack of Panamanian law firm Mossack Fonseca in 2015 has had some legal fallout in Europe. German Federal Criminal Police raided what Deutsche Welle characterizes as a 2 million Euro slush fund embezzled by a former Siemens manager. The Panama Papers were particularly interesting because the materials released by the unidentified whistle-blower, or hacktivist or organization or agency, known only as John Doe, included a fair bit of discreditable information about Russian oligarchs close to President Putin.

Dave Bittner: [00:02:46:21] North Korean cyber operators are reported to be probing various US companies for vulnerability to attack. FireEye reports that it detected and stopped spearphishing attempts against utility company officers in late September. An attack of the North American power grid would of course be attractive to DPRK war planners, but doing so isn't as simple as zombie apocalypse tales might lead one to believe. ICS security firm Dragos, for one, regards the likelihood of a grid take-down as fairly remote. Most of the press attention has understandably focused on targeting of electrical utilities, but the campaign is broader than that: Pyongyang appears interested in industrial control systems generally.

Dave Bittner: [00:03:29:23] South Korean sources are reporting an interesting twist on the North's approach to cyber operations. They think they're seeing hacktivism, which would seem difficult to foster in a country as closed and tightly controlled as the DPRK. We heard from Phil Neray of industrial cyber security firm CyberX, who offered the following comment, "Targeting US energy companies with phishing emails isn't new but it's the first time we've seen it tied to North Korean actors, rather than Russian or Iranian hackers. And don't be fooled by people saying we shouldn't worry because the hackers haven't compromised any of our industrial control systems. The easiest way for adversaries to get into our control networks is to deploy password stealing malware onto the computer of a control systems engineer, and then use their legitimate credentials to directly access the control systems they're after. This immediately bypasses any perimeter protections you might have on the network, such as firewalls."

Dave Bittner: [00:04:26:17] We also heard from AlienVault's Chris Doman, who thinks, "The recent North Korea cyber hack may relate to the reported August 2016 compromise of the South Korean ministry of defense. The group behind those attacks is Andariel and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active and I continue to see new malware samples from them every week."

Dave Bittner: [00:04:52:19] Revelations that Kaspersky security software appear to have been subverted into espionage tools prompt reflection on the risks antivirus products present, given the access they typically require. This would seem an instance of the familiar dual-use problem. Another instance would be the ease with which benign scanners could be converted into denial-of-service tools.

Dave Bittner: [00:05:14:24] Many software developers are using containers in their development pipelines, wrapping up their work in lightweight, standalone, executable packages. John Morello is Chief Technology Officers at Twistlock, a company that specializes in container security. He gives us an overview on containers, and how to keep them safe.

John Morello: [00:05:33:16] Container is a technology that allows you to bundle up all the parts of your application into a file that's called an image. Imagine a zip file that includes all the things that are required to run your app. Not just binaries themselves, but also the libraries that they depend on; small pieces of other packages that they use, to bundle all that up together. A container is basically a way of organizing named spaces that allow you to taking a single operating system and to segment it into multiple zones. Similar to the way that a hypervisor like VMware or Hyper V will segment a single piece of hardware and expose it as individual virtual machines and each VM only knows about itself, it can only affect itself. Containers do a similar thing but they virtualize the operating system.

John Morello: [00:06:27:17] A container might run inside of a VM or even on another server but the container is trying to say this particular app, sharing the same operating system kernel with other applications that are also in containers, it only sees it's own file system, it's process activity, which enables you to have fewer problems with compatibility and one app requiring a version of something that another one doesn't, so they can't run at the same time or concurrency problems with an application that's not able to share resources with other applications. Those are all the things that containers enable you to do. But the broader value is when you combine containers as a technology with the notion of DevOps and continuous integration as an operational practice, those two things really go together well and enables you to build your application, to service it, deploy it much more efficiently and faster.

John Morello: [00:07:20:23] With containers, the artifact that you create, that image that you create during the build process is exactly the same thing that you deploy and run in production, which enables you to have a really smooth way of saying, I built this, tested this, deployed this. It's the same everywhere and I know that I can easily increment that because I don't have to worry about compatibility, installation and so forth. The inner-lying tooling makes me be able to focus on the application itself and not worry about how it inter-places with the rest of the stack.

Dave Bittner: [00:07:50:06] What are the security concerns when it comes to containers?

John Morello: [00:07:55:01] We think the containers are not so much a security concern as they are a different technology. Something that provides a lot of opportunity to do things from a security standpoint better than you could before because they're much more minimalistic. You understand what the container's going to do because it's only doing thing, as opposed to a VM which has all kinds of other stuff inside of it. A lot of people are focused on security for containers, first of all, around vulnerability management. You're building a lot more of these entities. They change more frequently. And the responsibility for securing them becomes more the onus of the developer and less about the operations team. Being able to understand what components you have in your images, whether they have vulnerabilities and to continuously understand your vulnerability posture both for what you're building and what's already running. That's an important thing that organizations need to deal with.

John Morello: [00:08:48:12] Secondly, I would say is around the compliance for that. Because containers as a different technology, a lot of the core best practices, running is the least privilege, having operational segmentation, making sure you've got a minimal attack surface. Those things are still just applicable for containers as they were for VMs and physical servers before that. Because containers are different, you need to have a different set of tooling to help you deal with that, something that checks the configuration and the settings and enforces those things in a way that makes sense for containers versus trying to retrofit that from virtual machines into this new space. Finally, the biggest part of it is, as you're running your applications in containers, how can you apply those capabilities that I talked about earlier? That fact that they're declared as minimal, predictable. How can you apply that to help you do security differently?

John Morello: [00:09:40:03] Because containers by their nature, you're dealing with a different problem space. Instead of a VM which you deploy in one time and run it for months or years without ever decommissioning it, you would just upgrade it in place. With containers, that's going to be much more short lived. Every time you update the app, you're going to destroy the containers and replace them with a new version of that app. But containers themselves, you're going to have a lot more of them because you're going to decompose that big monolith VM into a set of micro-services. So, your website which might have been a single virtual machine, now might be 10 or 20 different micro-services that you're running in individual containers.

John Morello: [00:10:16:14] You're dealing with an order of magnitude more end entities to manage. Those end entities change much more rapidly. As you reversion your application, they're changing on a more frequent basis. The tooling that you have historically to manage those virtual machines is largely irrelevant. It doesn't have the ability to see into containers and understand how they work and to give you the protection you need there. Those are the big challenges. I wouldn't say they were security problems with the containers, it's a different problem space, set of tools that you need to address it.

Dave Bittner: [00:10:49:19] That's John Morello from Twistlock.

Dave Bittner: [00:10:53:16] CyberMaryland opened yesterday in Baltimore, and continues today. The annual conference this year featured unusually heavy representation from the United Kingdom, as companies from the English Midlands continued the growing trend of transatlantic cooperation between two regions that have a great deal in common, an alpha cyber security customer and an ecosystem of start-ups and established companies around that customer. A few quick takes on yesterday's sessions, Maryland Governor Larry Hogan described what he characterized as the deliberately business-friendly environment the state has created and Senator Chris Van Hollen talked about the important role federal agencies had assumed in the state's economy.

Dave Bittner: [00:11:33:19] A panel discussion on "the new CISO: from tech guru to corporate leader" highlighted the importance of communication between security leaders and boards of directors. A well known point, but illustrated with examples of how what one panelist called the "curmudgeonly" default personality security and IT people tend to assume can interfere with such communication. It also brought into relief a less commonly appreciated fact about the security sector: the relative unimportance of formal credentials as opposed to experience and demonstrated ability. So, those who thought they saw a smoking gun in music and language degrees held by Equifax security leaders were, if you'll forgive the mixed metaphor, barking up the wrong tree.

Dave Bittner: [00:12:16:20] And a plenary session on the Red Queen's race, the race in Alice in Wonderland that requires you to run as fast as you can just to keep up, concluded with an argument that platforms, not point solutions, were the way to break free of the Red Queen. McAfee's Brett Kelsy said, I don't want a bodyguard for this, and for this, and for this. I want a police force. We'll have more on these and other sessions in upcoming issues of the CyberWire.

Dave Bittner: [00:12:42:08] Finally, Google Home's Mini smart speakers appear to have been listening as well as speaking and, worse yet, it was reporting conversations back to Mountain View. Google has patched to fix the privacy bug, but consumers find it unnerving. Mountain View, don't be evil, and everyone's glad you've patched.

Dave Bittner: [00:13:05:06] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent Cylance Protect Engine into VirusTotal. You'll know VirusTotal as the free online service that analyses files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Cylance has pledged to help Virus Total in its mission of making the security industry more perceptive and the internet a safer place. It's like public help for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look and their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:04:22] And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42, the threat intelligence team. Rick, welcome back, you and I have talked about the Cybersecurity Canon before and this hall of fame of books for cyber security pros is coming up with a round of votes for the People's Choice Awards. Bring us up to date here.

Rick Howard: [00:14:27:21] We are talking about the canon of literature of here, not the cannon where you blow stuff up, but books that you read.

Dave Bittner: [00:14:35:10] It's an important distinction with you being former army, right?

Rick Howard: [00:14:41:10] Yeah, my three fans that follow me from the Army, okay, I need to make that very clear. It's a rock and roll hall of fame for cyber security books. One of the reasons we started it was the fact that we are all busy people. And if you were to decide this year to read a book or two to get smart on some new cyber security, you could go to amazon.com and look up cyber security books. Amazon will return you a list of some 1500. How do you choose? The Canon project consists of 15 committee members, who are network defenders and CSOs, CIOs, CPOs, journalists, consultants, lawyers and general practitioners. They read the books and write reviews that make the case that a particular book is one we all should have read by now, or one that doesn't quite meet that criteria.

Rick Howard: [00:15:30:07] We've been running that project for about four years. Like the baseball Hall of Fame, we have about 35 books in the candidate list. These are books that the committee has recommended to be considered for the Hall of Fame. We've got about 15 books we've already put into the Hall of Fame from the original candidate list.

Dave Bittner: [00:15:50:15] If a book is on the list, it has been vetted and it is going to be worth your time?

Rick Howard: [00:15:55:20] Yes. We think that any book that makes the candidate list would make a good addition to the Hall of Fame, it just hasn't made it there yet. This month to coincide with the US Cybersecurity Awareness Month, we're running the People's Choice Award contest. It started with all the books on the current candidate list. Each week we open the voting to the public. The books that got the most votes made it to the next round and we are currently on round three with eight books still in the competition. As of right now, Dr Mansur Hasib's book called Cybersecurity Leadership is out in front but the others are close behind. I'm hoping that my two favorites from this year will make it to the next round. That is the Code Book by Simon Singh. It's about the science and history of keeping secrets. And Metasploit, the Penetration Tester's Guide. Those are my dark favorites, I hope they make it to the next round.

Dave Bittner: [00:16:48:23] If people want to check this out and cast their own votes for the People's Choice Awards, how do they do that?

Rick Howard: [00:16:55:00] Just look up "canon", that's with one N, and Palo Alto Networks because we're sponsoring the project. You'll get to the Canon web page, at the very top, you'll see a box that says "cast your vote", that's where you can vote for your favorites.

Dave Bittner: [00:17:08:23] We'll have people check it out. It's definitely worth your time. Check out the Cybersecurity Canon. Rick Howard, thanks for joining us.

Rick Howard: [00:17:16:04] Thank you, sir.

Dave Bittner: [00:17:19:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.

Dave Bittner: [00:17:31:16] A quick reminder that if you have the inclination if would be great if you could go to iTunes and leave a review for our show and also subscribe there. It is really one of the best ways you can help people find our show. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.