Cyber espionage in Central and Eastern Europe. Cyber deterrence. Notes from Matrosskaya Tishina. Exabeam describes what crooks can get from your browser.
Dave Bittner: [00:00:00:21] This is the part of the show where I usually ask you to go support us on Patreon but today I'm not going to do that. Instead I'm just going to ask you to share the show with a friend, a colleague, if there's someone you think could benefit from learning about the CyberWire and subscribing to our show, we hope you'll help spread the word. Thanks.
Dave Bittner: [00:00:19:22] Fancy Bear sightings continue, Fancy seems to have settled down in Montenegro. Cyber deterrence is much desired but difficult to achieve. Notes from a Russian jail. Reddit purges influence ops trolls. We'll find out what criminals can learn from your browser and the US FDA wants to block its people from looking at adult content at work.
Dave Bittner: [00:00:46:14] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it any more. They're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach.
Dave Bittner: [00:01:05:00] With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent, and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass.
Dave Bittner: [00:01:31:22] Bring your data loss prevention strategy into the modern era, with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:55:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, March 6th, 2018.
Dave Bittner: [00:02:05:13] Fancy Bear isn't just bothering Germany. Montenegro complains that it's been receiving a lot of unwanted attention from Russia's GRU over the past year. The long-standing beef seems to be over Montenegrin membership in NATO, never a way of getting of the good side of the Bears. Much of the campaign is said to have been waged, since January 2017, with phishing emails baited with NATO-related subjects.
Dave Bittner: [00:02:31:11] Der Spiegel, in its follow-up to reports on Russian intrusion into German government networks, notes that Snake, the threat actor local unofficial experts believe responsible, has been known to be active since at least 2016, yet was still able to penetrate German defenses. Snake is also known as "Turla" or "Uroburos," but the German press seems to prefer "Schlange." It's generally held to be an operation of Russia's GRU. German authorities decline to make an official attribution, but they face calls to do something about this business, better defenses at least, or perhaps even some form of retaliation.
Dave Bittner: [00:03:10:21] The damage to the German government is thought to be limited. The target was, Spiegel says, Department 2 of the Foreign Office, "responsible for German foreign policy within the European Union and for Germany's relations with the countries of Europe, North America and Central Asia, including Russia."
Dave Bittner: [00:03:28:20] Also facing calls to "do something" about Russian cyber operations in particular is the US NSA and Cyber Command. There are calls in the US Senate for development of a deterrent strategy in cyberspace, especially after NSA Director nominee General Nakasone testified last week that the US adversaries don't appear to fear American retaliation for cyberattacks. The current going option remains sanctions, which at least have some potential to impose costs short of a nuclear exchange, and beyond the kind of naming and shaming that results from Federal indictments. Observers think that a fresh round of punitive measures against Russia for last year's NotPetya attacks is likely. One of that campaign's victims, Nuance Communication, estimates that NotPetya will cost it more than $90 million.
Dave Bittner: [00:04:18:20] A nation-state might or might not be embarrassed by a US indictment. Probably not. The US, for example, generally shrugs such things off, and there's little reason to think most other states are generally more sensitive. But one consequence of a US indictment of a foreign state-sponsored hacker on the individual hacker is restriction on travel. You're not going to be extradited if you stay home in Russia, and some of the indicted trolls from the Internet Research Agency have bravely said they're happy to spend the rest of their days there. But not everyone likes that idea. Suppose you wanted to honeymoon on, say, the Costa Brava? Sure, the sand and sun and food are nice, but, well, you do so at the risk of the Spanish police snaffling you up and turning you over to US Marshalls for an alternative holiday at Club Fed.
Dave Bittner: [00:05:06:18] Jeremy Wittkop is the CTO at InteliSecure. They recently launched their critical data protection benchmark survey and they're looking for participants. Jeremy Wittkop shares the story.
Jeremy Wittkop: [00:05:19:06] We've been doing data protection programs since 2002 and we've noticed an increase in adoption of such programs as well as the requirements of such programs as of late, and then we started to look at the regulatory environment and with GDPR that everyone's talking about. But it's not just GDPR, you have Brazil's civil rights framework for the internet, passed in 2014. The cybersecurity law of China passed in November 2016, the act on the protection of personal information in Japan in 2017. Canada passed PIPEDA in the early 2000s.
Jeremy Wittkop: [00:05:55:11] All these regulations hinged on the point that organizations have a responsibility to the general public in each of these countries to protect information that that information is holding for those people, and they all have very specific protections that organizations have a requirement that they need to uphold as well as rights that they need to confer to those data subjects.
Jeremy Wittkop: [00:06:17:20] Well the only way to really do that well is to understand the data in your environment, where it resides, how it transitions in your environment and that's all about building a program. So we thought as we go through, we don't work with every company in the world, how can we take some of the things we've learned, allow organizations to see how we're doing with respect to critical data protection and building a program, with governance structures and all the things we would need in place to build any kind of program focused on any specific type of information whether it be compliance data or intellectual property or other.
Jeremy Wittkop: [00:06:50:21] So what we did was we put together this survey. It's really short, you can take it in five to ten minutes. It's got some general questions, and what it's designed to do is benchmark against other companies and assess readiness to undertake a program. One of the things that we've seen be really helpful for our champions inside of an organization in these types of surveys when we used them for consulting engagements, is that a lot of times security or compliance or privacy is trying to drive this in a vacuum and the result is a survey that can go back to the business units and the governance stakeholders that they're trying to get their attention and they can say, "If we want to be successful here are the things we need to put in place, and I need your commitment and your buy in and help to do that as well."
Dave Bittner: [00:07:35:16] We certainly have no shortage of surveys in the industry and I think a lot of companies use them as much for gathering information as they do for marketing purposes. But you are making the point that this survey has some usefulness beyond that?
Jeremy Wittkop: [00:07:50:13] Yes absolutely. For us, it's really more about building awareness of what it takes to build a successful data protection program than it is necessarily a direct marketing exercise. We're not using these lists to call into people or anything like that. But for us what we believe in, is these types of programs work, they're necessary, they're in the interest of national security for all the different countries that we operate in. They're also in the interest of our way of life as free people, and we've seen that reflected in legislation around the world.
Jeremy Wittkop: [00:08:25:20] And to that end, in order for people to continue to undertake these programs and build on this effort, they have to experience some success because as people struggle to build these programs which a lot of people are, the reputation in the industry of the program itself starts to be damaged, and we start to see less people embracing this and we start to see more large scale data breaches which hurt everyone.
Dave Bittner: [00:08:46:05] One of the things that caught my eye is that if you participate in this survey you'll get a follow up report that'll let you know how your answers compare to your peers. Then ultimately you'll be able to see the complete results of the report when that's published sometime later this spring.
Jeremy Wittkop: [00:09:01:00] Yes, absolutely and that's one of the things that our clients have been asking us for a number of years. Anything that we collect in an engagement is covered under NDA, so we wanted to put something into a survey format where the people who chose to participate, we could benchmark them against their peers. It's frustrating I think for my clients when they ask me over and over again to compare them against their peers, and I can't do it because of contractual limitations to what I can disclose.
Dave Bittner: [00:09:28:05] So if people want to find out more, if they want to take a look and see if they want to participate in the survey, what's the best way for them to do that?
Jeremy Wittkop: [00:09:33:24] They can either go to our website at intelisecure.com and they'll find it. There's also a website for the survey itself, criticaldataprotection.com.
Dave Bittner: [00:09:42:18] That's Jeremy Witkopp from InteliSecure.
Dave Bittner: [00:09:47:04] A January study of Iranian state-sponsored hacking by the Carnegie Endowment receives fresh attention as Iran's non-proliferation agreements come under closer, more hostile scrutiny. Experts are considering ways in which Iranian hackers might also be deterred. The country's Revolutionary Guard has also recently been fingered by ClearSky as being involved in establishing bogus BBC and Radio Farda sites to spread disinformation. Radio Farda is the Farsi language service of Radio Free Europe / Radio Liberty.
Dave Bittner: [00:10:20:23] More charges against Russian hacking and influence operations during US elections are still expected to emerge from Special Counsel Mueller's investigation. One guy is ahead of the game, Konstantin Kozlovsky is singing like a canary to Fast Company and anyone else who cares to listen about how he says he hacked the Democratic National Committee and the Clinton campaign. Mr. Kozlovsky is a guest of the Russian state, currently resident in prison, what's described as a high-security facility, but security there isn't too high to keep him from chattering. He says he developed software tools, which he calls "LDCS," that enabled him to "replace information on Twitter, Facebook, Google and leading U.S. media outlets." And he's ready to cooperate with US authorities to show them how he did it.
Dave Bittner: [00:11:09:14] How he might do so from the confines of a Russian prison is unclear. Perhaps via his Facebook account, where he manages to be quite active in between court appearances.
Dave Bittner: [00:11:19:20] It's also possible that the Mr Kozlovsky's talk isn't exactly what the lawyers call an admission against interest. He is in the slammer not for hacking the DNC, but for cyber-robbing Russian banks, and maybe Allentown or Leavenworth sound nicer to him than northeast Moscow.
Dave Bittner: [00:11:37:23] In other influence operations fallout, Reddit, which has concluded its platform was used for influence operations during the 2016 US elections, has taken down a large number of "Russia-linked" accounts.
Dave Bittner: [00:11:51:24] Exabeam has released a study of what attackers can learn about you and your habits from your browser. From visited sites, cookies, HTML5 LocalStorage, saved login information, and autofill, they were able to discover accounts and devices, extract location history, and derive a picture of user interests.
Dave Bittner: [00:12:11:20] In industry news, citing potential security issues, the Committee on Foreign Investment in the United States has put a thirty-day hold on Broadcom's attempt to takeover Qualcomm.
Dave Bittner: [00:12:23:20] And finally, attention all civil servants working at the US Food and Drug Administration. Your bosses would like you to stop watching adult content on Uncle Sam's dime. It's just unseemly and probably unsanitary. After all, who knows where that content's been?
Dave Bittner: [00:12:46:14] Now a word about our sponsor the Johns Hopkins University Information Security Institute. Providing the technical foundations and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security, assurance and privacy. We value their expertise and insights as one of the CyberWire's academic partners and of course they're one of the world's great research universities.
Dave Bittner: [00:13:10:06] The Institute is also an NSA and DHS designed center of academic excellence in information assurance and cyber defense and research. Visit isi.jhu.edu to learn more, and there are scholarships available. That's isi.jhu.edu and we thank The Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:13:41:10] And it's my pleasure to welcome to the show Daniel Prince, he's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome to the CyberWire.
Daniel Prince: [00:13:49:04] Thanks a lot for having me on.
Dave Bittner: [00:13:51:11] As we always do, we want to introduce you to our audience so can we start off, just tell us a little bit about yourself, how you got started in the business and the type of work you do at Lancaster?
Daniel Prince: [00:14:02:04] So I've been associated with security research for probably over 15, 16 years now. When I started I primarily was delivering education, training courses in terms of professional training courses here at Lancaster University, but I have an academic background in computer networks, so I did my PhD on mobile wireless networks, particularly programmable networks, so networks that you could really change their configuration on the fly and I did a lot of work with IPv6. I did a lot of work with CISCO and Microsoft developing protocol implementations for them while I was doing my PhD.
Daniel Prince: [00:14:46:19] Then I started doing these training courses and developing new academic programs for Lancaster University and that led me to set up and run the Masters Degree in Cybersecurity that we have here which at the time was really one of the only multidisciplinary cybersecurity programs that you could do at the Masters Degree level because it blended technical programs such as penetration testing, forensics and systems design with management, risk management specifically, politics, criminology, psychology and law. So a really broad church here.
Daniel Prince: [00:15:23:07] On that program, I was teaching the network elements of the penetration testing and their forensics components, and then also teaching the risk management course. Sitting alongside that I was developing a lot of research interests in risk management and really the sort of technical side of computer networks and particularly computer security and the new sets of protocols that were coming along and at that time that was IPv6. Also the new types of support protocols such as routing protocols and naming protocols and all the things that sit around network communication, and trying to understand where the security vulnerabilities but also new security opportunities might sit.
Daniel Prince: [00:16:11:08] Then about five years ago, it really started to consolidate looking at multidisciplinary aspects of cybersecurity and that's where a lot of my interest in the human side of cybersecurity really took off. Real in depth looking at the risk management aspects and the risk perception in particular and really starting to question are we having strong and good robust security conversations with individuals, and if we're not, why aren't we and what is it about organizations that are preventing those types of conversations?
Daniel Prince: [00:16:49:20] So I've got quite a broad and varied background, and along the way I picked up a number of interesting activities with various organizations in the UK and internationally which again afforded me an opportunity to explore some very exciting areas in cybersecurity.
Dave Bittner: [00:17:08:08] Well welcome to the show. We're looking forward to having you contribute. Daniel Prince from Lancaster University, thanks for joining us.
Dave Bittner: [00:17:18:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit E8security.com to learn more.
Dave Bittner: [00:17:40:00] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams, and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.