The CyberWire Daily Podcast 11.29.17
Ep 484 | 11.29.17

Another misconfigured AWS S3 bucket, this one with US Army INSCOM files. Apple fixes a major issue in MacOS. Influence ops and autarky. Boyusec disbanded.

Transcript

Dave Bittner: [00:00:01:04] As always, a big thank you to all of our supporters on Patreon. It's at patreon.com/thecyberwire. Maybe today is the day that you will become a supporter of the CyberWire. We do appreciate it.

Dave Bittner: [00:00:14:14] Another misconfigured AWS S3 bucket holds sensitive US Army files. Cloud security remains a user responsibility. Apple fixes a big, big flaw in the latest MacOS High Sierra version, the password is root. Russia says American aggression in cyberspace is moving it to create its own DNS. Russia and Venezuela seem to be exploiting the Catalan independence movement for disruptive information operations. And the Chinese firm mentioned in the recent US industrial espionage indictment has been disbanded.

Dave Bittner: [00:00:52:00] A quick note about our sponsors at E8 Security. They understand the difference between a buzz word and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free White Paper that explains these new but proven technologies at e8security.com/cyberwire. We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact, unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:59:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, November 29th, 2017.

Dave Bittner: [00:02:08:15] More sensitive information has sloshed from another unsecured Amazon Web Services S3 bucket. This time the exposed data belonged to the US Army's Intelligence and Security Command, INSCOM, that Service's component of the National Security Agency's Central Security Service. The exposed database was found, again, by researchers from security firm UpGuard, which says this is the first time it's found classified information exposed by such an easily avoided configuration error. ZDNet says this latest exposure is by its reckoning the fifth case of NSA data loss in the past five years.

Dave Bittner: [00:02:47:08] The files exposed were associated with the US Army's Red Disk program, a project that has for some time carried the reputation of being a failure. Red Disk was intended to be a customizable cloud system that could bring a common operating picture to large, complex operations, but it proved difficult to use.

Dave Bittner: [00:03:06:13] It was to have been an adjunct to the Army's controversial Distributed Common Ground System, DCGS, which fans of Pentagon acquisition squabbles will recognize as one of the principal antagonists in the Palantir war waged between operators and the Service's procurement arm through much of the past decade. In brief, the field operators liked Palantir a lot as a platform for handling complicated combat information, whereas DCGS, the big program, never found a lot of love on the dirty-boots side of the Army.

Dave Bittner: [00:03:39:07] Red Disk was supposed to have been a powerful, centralized repository of data, readily sharable and readily enriched, able to handle multiple layers of security with access selectively granted.

Dave Bittner: [00:03:50:16] UpGuard is one of two security companies, Kromtech is the other, who've been dining out for most of 2017 on their ability to find misconfigured S3 buckets.

Dave Bittner: [00:04:01:06] No one seems entirely sure who owned the exposed database, but UpGuard says they found keys in the bucket belonging to a firm called Invertix, which had worked on Red Disk development.

Dave Bittner: [00:04:12:21] So while it's unclear who was responsible for leaving the data out there, it seems unlikely that this is a case of deliberate leaking as opposed to simple carelessness, but the story is likely to bring Congressional and even public pressure for intensified mole-hunting in the Intelligence Community. The biggest mole of them all, if in fact one exists, would seem to be whoever's giving the Shadow Brokers their stuff. We note in passing that it's been a while since anyone has heard much from the Brokers, which suggests that they've either exhausted their stash and retired to a Black Sea beach house, or that they're husbanding their material to release when it would have its greatest effect. An op-ed on the subject in The Hill by Carbon Black's Eric O'Neill, a former FBI counterintelligence specialist, thinks it probable that the big mole has yet to be discovered. O'Neill notes that it took the FBI almost 22 years before it caught Robert Hanssen, the most notorious Russian agent known to have burrowed into the Bureau.

Dave Bittner: [00:05:11:15] Misconfigurations haven't yet slowed the apparently inexorable move of sensitive information into cloud services. CIA continues to believe the cloud represents both cost savings and better security, and they're not crazy to think so, but do remember that properly configuring a cloud bucket is a user's responsibility. Amazon and others will try to nudge you in the right direction, but haste and inattention can still ruin it all.

Dave Bittner: [00:05:38:12] Apple is fixing a major problem with MacOS High Sierra. The recently upgraded operating system allows root access by typing "root." Mac users shouldn't delay fixing their systems. Apple made a patch available this morning, and it will be automatically installing in High Sierra throughout the day.

Dave Bittner: [00:05:58:04] Software containers are a handy way to package and, well, contain your code, and they're growing in popularity. Jason McGee is an IBM fellow, VP and CTO for IBM's Cloud Platform. And he runs down some of the advantages of using containers.

Jason McGee: [00:06:13:10] The first benefit that everyone sees is that kind of packaging benefit, in other words, one of the real challenges in software over the years has been when I build an application, how do I take that application and all of its dependencies and deliver that into another computing environment. And whole operations teams would spend their life in setting up dependencies and versions of software and other things. And just like in the shipping industry when we went from loading ships package by package to loading with standardized modules, software containers allow us a reliable way to package up that app and dependencies and deliver it anywhere I need. So that's the first benefit, that speeds development, it makes it easier for developers to iterate on their code and to move through the development life-cycle.

Jason McGee: [00:06:58:19] But the secondary benefit, which is I think even more powerful in the long run, is it standardizes how we operate software, so I can have a common solution to scaling, to recovery from failures, to security and network configuration, to storage, and I can apply that kind of standardized operational model across a variety of systems. So one of the reasons I think containers have become such a rapidly growing technology is that they are good for developers and they are good for operations at the same time.

Dave Bittner: [00:07:29:08] And so how do they strengthen your security?

Jason McGee: [00:07:31:21] They strengthen security in a whole variety of ways. You know, one obvious way is by running a standard operational environment, by allowing the operations team to build a container infrastructure in a standardized way, you can apply security practices kind of outside the application, so you can configure the network that the container runs in, you know, the right firewall rules with the right packet inspection and intrusion prevention mechanisms in place and apply that standardized network configuration to any application that you deploy into that environment, instead of having to do it system by system and application by application. So I think network security can become stronger because you can run it in a standardized environment.

Jason McGee: [00:08:15:03] Another example would be you can standardize the software itself, so, because containers have a standard package I can start to do things like scan those packages for known software vulnerabilities and automatically, as part of my devops pipeline, detect whether I'm about to deploy a piece of software into production that has a vulnerability in it, and I can do that in a standardized way. I can sign container images in a standard way and set up policies that say I'm not allowed to run any software in this production system that isn't signed by this certificate authority that I trust for running my system. So by creating this standard package we can wrap around it, you know, software security, network security, permissions, standard configurations, kind of take the security best practices out of the realm of being a document and actually implement them in software and policy within that operational system.

Dave Bittner: [00:09:13:01] So if someone's looking to explore containers, they want to get into it, what's your advice for the best way to get started?

Jason McGee: [00:09:19:17] I mean, as always I think there's lots of materials online to help people start to get their head around the technologies. I think what most people do is actually do it for real, pick a project, you know, pick an actual application that you're going to use as your first foray into container technologies, and start the process of containerizing that as images with Docker and then deploying that into an orchestration system like Kubernetes. I think doing that on cloud actually makes a lot of sense because it means that as a developer, you don't have to start your journey with, well, how do I install and configure and run container software. I can just worry about my application and let the cloud services take care of providing me the environment to do that.

Dave Bittner: [00:10:03:03] That's Jason McGee from IBM Cloud Services.

Dave Bittner: [00:10:08:07] Alleging information aggression from Washington, Moscow says it's going to build its own DNS. US Secretary of State Rex Tillerson this week criticized Russia for its information operations against western targets. These continue. There are reports that Russia is partnering with Venezuela to keep the Catalan independence controversy roiling in Spain. While the ops are objectively pro-independence, it's unlikely that the Catalan cause is close to the Kremlin's heart. That cause is, however, an embarrassment to NATO member Spain.

Dave Bittner: [00:10:42:18] Karim Baratov, a Canadian man charged in connection with the 2014 Yahoo hack, pleaded guilty yesterday in a San Francisco Federal court. In his allocution Baratov admitted that his role in the crime was to "hack webmail accounts of individuals of interest to the FSB." That's Russia's foreign intelligence service and institutional heir to the KGB. Three of Baratov's co-defendants are at large in Russia. They're unlikely to join Baratov in a US courtroom.

Dave Bittner: [00:11:12:15] The US indictment of three Chinese for hacking Moody's, Siemens, and Trimble, presumably for their intellectual property, is directed, the US Attorney says, against individuals, and that there's no allegation that the spying was state-sponsored in the indictment itself. That said, practically everyone reads this as a case of a front company, Guangdong Bo Yu Information Technology Co., also known as Boyusec, working for Chinese intelligence. Boyusec was, as it happens, disbanded earlier this month. The investigation that led to the indictment was conducted by the FBI's Pittsburgh Field Office, and we'd like to say, we've always liked yinz guys. The Chinese government says it knows nothing about the affair, and wouldn't approve it even if it did.

Dave Bittner: [00:11:59:08] And, finally, a survey of US Federal hiring managers released this week says they value four traits in prospective cybersecurity workers, courage, creativity, agility, and resilience. Those are good, sure, we agree, but maybe they're a little general to provide useful guidance. We mean, who's going to say, hey, we'd really like to find an unimaginative crowd, slow-footed and brittle, because we think that's the perfect fit for us here? But anyway, polish up your description on LinkedIn, courageous, creative cyber professional seeks challenging position where agility and resilience can thrive and prosper. Sounds good. One of our stringers reminded us of counterintelligence training he once had to sit through. The instructor hipped them all to the acronym MICE, for Money, Ideology, Compromise and Ego, and said that it summarized all the reasons someone would turn traitor. An old major in the audience, who'd clearly been around the block a few times and had reached his limit, stood up and hollered, "Hey genius! Why does anybody do anything?!!"

Dave Bittner: [00:13:01:18] But anyway, we'd all like to say, for the record, that we're courageous, creative, agile and resilient. Not that we're looking, you understand. Stay passionate, all yinz professionals.

Dave Bittner: [00:13:17:04] Time to share some news from our sponsor, Cylance. Cylance has integrated its artificially intelligent Cylance Protect Engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:16:23] Joining me once again is Dale Drew. He's the Chief Security Strategist at CenturyLink and, Dale, you know, our regular listeners will know that that's a relatively new title for you. You were formerly with Level 3 Communications, and, of course, CenturyLink acquired Level 3, and we wanted to talk about market consolidation today, something you've just been through.

Dale Drew: [00:14:37:01] Yeah, I mean, ironically enough, marketing consolidation and integrations and acquisitions is very near and dear to my heart right now. And so, having been part of Level 3, that was also involved in market consolidation, from a buyer perspective, and now being part of a market consolidation as a buyee, you know, there's a ton of lessons learned with regards to making sure that you navigate both ends of that spectrum carefully.

Dave Bittner: [00:15:04:23] What kinds of things have you learned along the way?

Dale Drew: [00:15:06:23] Well, you know, I'd say that one of the advantages that you have when doing a consolidation, at least from a security vantage point, is, you know, the hard part is sort of evaluating the culture and the risk tolerance of the other company to make sure that the control framework they have that matches the risk tolerance, that you can sort of normalize that with your risk tolerance, to understand what controls you may want to change or what controls you may want to introduce. So, the first thing is just making sure that the culture of the risk tolerance is sort of matched up and then that gives you a good sort of independent view of the rest of the controls. The other thing is to realize that you're getting capability for free, you know, when you purchase a company, you're able to evaluate what they've deployed and have the advantage of comparing their capability against your capability and it might make a lot of sense to replace some of your capability with their capability because you're going to get to that capability for free.

Dale Drew: [00:16:08:21] I'd say over all, the sort of steps that I would sort of focus on is one is to understand, right? That's utilize questionnaires to understand the capabilities, policies and risk tolerance. Be objective. Carefully compare and contrast to find what needs to be improved, removed or replaced within your own program based on capabilities from what you're acquiring. Obtain measurements, you know, look for those metrics and KPIs and independent audits to validate the controls, not just based on what they're saying but based on what's been tested. And do that cost versus value. We've done a lot of these where there's two sets of controls and they're relatively the same but the cost of those controls is vastly different, either based on how the company's negotiated or the vendor they happen to be using and so doing that sort of value versus cost assessment plays a huge role there.

Dale Drew: [00:17:03:01] Carefully connect, when the companies want to start interconnection to be able to do all hands presentations or start sharing data or even employees getting access to basic services like email, you know, I'd recommend first doing sort of a data pilot of carefully connecting, deploy a small version of your security controls within that acquiring company, you know, your vulnerability scanners and your intrusion detection collectors that can sort of assess the network as if it was your own to look for security controls that sort of match up with your expectations before you completely open up the two.

Dale Drew: [00:17:39:14] And then the last, which is, you know, is not the least important, it's very important, is to focus on talent. You know, we have a pretty strong philosophy of focusing on heartbeats not headcount around here and, you know, making sure that your security talent is really, really hard to find and really, really hard to grow and evolve, and so when the company comes to you and says, hey, we're going to be combining two assets together and two companies together, and as a result we're expecting a degree of synergy to occur, not only in cost but in headcount, and we want you to sort of pony up from a synergy perspective, the security team has a little bit of an advantage in that same point of saying, do you expect the security function to grow over the next eight to ten months, and if the answer's yes, well, it takes about that long to find security resources. So in a number of cases, a company may give that security group a little bit of a reprieve on synergy because if you happen to let security resources go and then a few months later need to start growing your organization again, it's going to take you eight to ten months to be able to find the right resources and you're typically going to be looking for the people you just let go.

Dale Drew: [00:18:46:07] You know, so it's all about the right sort of risk evaluation, risk tolerance, normalization and talent. That's my very recent as well as, you know, long involved tips on mergers and acquisitions.

Dave Bittner: [00:19:02:03] Good advice as always. Dale Drew, thanks for joining us.

Dave Bittner: [00:19:07:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, they use artificial intelligence, check out cylance.com.

Dave Bittner: [00:19:20:06] The CyberWire podcast is produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:19:30:04] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.