Dispatches from RSA 2018. Russia continues to test the Five Eyes' patience and resolve. Trustjacking, Stresspaint, and an exposed AWS bucket.
Dave Bittner: [00:00:00:17] Hey everybody, Dave here. As the RSA Conference wraps up today I just want to take a moment to thank our friends at Akamai for hosting us this week. I had a great time interviewing some of their experts on stage about some of the challenges their organization is facing and helping their customers address, and thanks to everyone who came to visit us at the Akamai booth. It was great meeting so many of you face to face. We hope you enjoy the stickers, pens and notebooks that we gave out. It really is nice to meet you all and to find out that what we're doing here is of value to you. So thanks. Hope to see you next year.
Dave Bittner: [00:00:33:15] We got RSA notes, an industry-led cyber Geneva Convention, threats and deterrence, and addressing a labor shortage. New Zealand joins Australia, the UK, and the US in warning that someone's exploiting vulnerable routers. Moscow demands to see the evidence that this someone is Russia. Trustjacking afflicts iOS users. Stresspaint Trojan is out in the wild, posing as an innocent app, and another exposed AWS bucket is found.
Dave Bittner: [00:01:07:23] Now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear phishing; those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phish-net could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. We thank Cylance for sponsoring our show.
Dave Bittner: [00:02:11:07] Major funding for the CyberWire podcast is provided by Cylance. Coming to you from San Francisco, I'm Dave Bittner with your CyberWire summary for Thursday, April 19th, 2018.
Dave Bittner: [00:02:22:06] We start off with some quick reflections on what we're hearing around RSA. The Microsoft-led initiative in which 34 companies signed an undertaking not to engage in offensive cyber operations hasn't, for all of its good intentions, received uniformly positive reviews. The agreement was featured on the Conference's opening day. Some observers think it resembles other large-scale resolutions and legislation in that it fails to make necessary distinctions, and fails to do justice to the complexity of computer network operations. So, an expression of good intentions and a desire to reduce tensions, but perhaps not ultimately something that will have much effect.
Dave Bittner: [00:03:03:09] One such complexity involves the familiar problem of dual use. Some security legislation and international cyber non-proliferation agreements, Wassenaar prominent among them, have come under criticism for the possibility that they might unintentionally criminalize legitimate vulnerability research, for example. Or, to take the obvious analogy with the Geneva Conventions seriously, who might count as protected persons? Are there any forbidden targets?
Dave Bittner: [00:03:32:02] Other issues raised concern the undertaking's lack of teeth (it is, after all, a voluntary avowal of intentions) and the signatories' lack of involvement in delivering offensive cyber capabilities to governments.
Dave Bittner: [00:03:45:18] Early in the conference US Secretary of Homeland Security Nielsen, while expressing hope that nations would evolve some sensible norms to restrain them in cyberspace, made it clear that the US had offensive cyber capabilities and would be willing to use them in response to an attack. In a conversation this morning the Chertoff Group's Adam Isles characterized Secretary Nielsen's speech as the Administration's way of laying down a marker that consequences would be imposed on nations who conduct cyber attacks against the US.
Dave Bittner: [00:04:17:10] Yesterday, European Commission Vice-President Andrus Ansip described the real and current threat of nation-state cyber attacks with the hard-won, disillusioned clarity an Estonian official usually brings to the matter. He called out numerous examples of Russian offensive operations in cyberspace, and it's noteworthy that he included descriptions of that country's recent information operations, especially the disinformation surrounding the Salisbury nerve agent attacks. He offered a warning near the end of his presentation concerning the necessity of preparing for a full spectrum of cyber conflict. He said, "If we fail to do so, if the West fails to unify, we risk being exploited by those who would use cyberspace as a weapon to harm our free and open societies and economies. By not acting, we make ourselves an easy target."
Dave Bittner: [00:05:10:10] The RSA Conference continues to grow, year after year, and on the show floor it does feel a good bit more crowded and, noticeably, louder as vendors do their best to draw you to their booths and show off their wares. Malcolm Harkins is Chief Security and Trust Officer at Cylance and I met up with him on the show floor for his take on the conference.
Malcolm Harkins: [00:05:31:19] There are so many vendors, again. It's getting more and more and more crowded, more and more people are showing up. At the same time, I think there's hope for what we're seeing in the industry. I think the innovators who've re-imagined and re-thought what is possible, like Cylance, have made a difference, and I think you're starting to see innovation in other areas in security, with security orchestration automation. Focusing on, again, using automation to enhance the capability of the security team.
Dave Bittner: [00:06:04:23] You were mentioning to me before we came on the air that you took part in a panel as part of the program here and you got your hackles raised a little bit. Why don't you share that story with us?
Malcolm Harkins: [00:06:15:10] I think systems in many ways have gotten habitualized to being compromised. I see it in other organizations that are still focused on a reactive model. I think if you take a broader responsibility to say my job is to do my best to manage and mitigate that you will focus on a different business outcome, you'll look for different technologies and solutions and approaches to managing risk. That's what I try and do, that's what I encourage my peers to do. I see some changes in that, in the industry, which is great.
Dave Bittner: [00:06:52:00] That's Malcolm Harkins from Cylance. We spoke yesterday with Booz Allen Hamilton vice president, Chad Gray, about his company's just-released Cyber Talent Survey. That survey calls out the pressure businesses feel from investors and boards to take ownership of their cyber security, and it observes that this pressure has, in some cases, driven companies into short-term solutions that can have long-term deleterious effects. Gray cautioned against thinking that technical solutions would be able to do more than augment human talent. Some functions can be, and will be, de-skilled through automation, but the net effect of such advances will be to increase the efficiency of an organization's human talent.
Dave Bittner: [00:07:35:18] That there is a talent shortage seems clear and, contrary to what you might have heard, it's not just a cynical gambit on the part of Silicon Valley captains of industry to import large numbers of lower-cost workers on H-1B visas. But the shortage isn't merely a special case of some more general shortage of technically skilled workers. The shortfall, Gray said, "is driven by more frequent, more sophisticated attacks, and especially by re-purposed nation-state tools being used by criminals." It's the protean, adaptable quality of the threat that makes it difficult for security practitioners to handle. They need to stay current and engaged, since the opposition's tactics shift and require new skill sets of defenders.
Dave Bittner: [00:08:21:14] "Top talent attracts other top talent," Gray observed. Experts in various domains cross-pollinate when they work together on teams. It's important to rotate experts to face different challenges, lest their skills grow stale. This isn't a matter of creating career paths, he noted. There's no reason a highly skilled analyst, for example, should have to become a manager. But there are many reasons to give that analyst fresh opportunities to work against new and emerging threats.
Dave Bittner: [00:08:51:10] New Zealand has joined the three Five Eyes sisters who have called out exploitation of Cisco Smart-Install-enabled devices. CERT-NZ doesn't specifically call out Russia as the author of the ongoing campaign against such devices, but it does reference with agreement the US-CERT report that does, so it's safe to conclude that the view from Wellington is much the same as that from Canberra, London and Washington.
Dave Bittner: [00:09:17:00] Russia, for its part, has denied doing anything of the kind. Government spokesman Dmitry Peskov said the accusations were unfounded. Echoing the sorts of demands for evidence Moscow issued after the nerve agent attack in Salisbury, Peskov called the accusations "feeble," and said Russia had no idea what the Five Eyes' assertions were based on. "Such accusations are typically thrown into the air and no one even bothers to offer any arguments anymore."
Dave Bittner: [00:09:47:04] Symantec researchers warn of a new problem, "trustjacking." It occurs when a user pairs an iPhone to a Mac laptop or workstation, at the point where users are asked if they trust this computer. A reminder that users should be more circumspect.
Dave Bittner: [00:10:04:16] Radware warns of "Stresspaint," a Chrome login information-stealing Trojan served by a Windows app that presents itself as a stress-relief tool. Trust the researchers; it will not relieve your stress. Unless you're an adrenaline junkie, steer clear.
Dave Bittner: [00:10:20:19] LocalBlox, a company that scrapes data from the various sources on the web and builds profiles of individuals for marketing purposes, has been found to have leaked data. It's apparently, according to researchers at UpGuard, another AWS misconfiguration issue. They say they found 48 million records exposed in an S3 bucket. So again, watch your buckets.
Dave Bittner: [00:10:51:17] Now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. See what Workspace ONE can do for your enterprise security; thecyberwire.com/vmware. We thank VMware for sponsoring the CyberWire.
Dave Bittner: [00:11:52:08] I'm pleased to be joined once again by Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42, which is their threat intelligence team. Rick, recently your CEO, Mark McLaughlin, traveled to Davos and he was part of a forum with some world leaders. The theme was creating a shared future in a fractured world. One of the things that Mark discussed was this notion of a cyber moonshot, and I think this is a pretty compelling metaphor here. Can you take us through what Mark was getting at with this?
Rick Howard: [00:12:27:04] Yeah, I love the idea of a cyber moonshot. Whenever somebody brings it up you can't help but be inspired by it. It stems from a speech by President Kennedy that he gave back at Rice University back in the early sixties and so let me read this snippet that really gets me every time I get it. Here it is. This is President Kennedy talking now. He says, "We choose to go to the moon in this decade and do the other things, not because they're easy but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we're willing to accept, one we are unwilling to postpone and one which we intend to win."
Rick Howard: [00:13:05:07] I get goosebumps every time I hear that. I really wish we had more world leaders that talk like that. But if you substitute, "make the Internet safe" in place of, "go to the moon," in that speech we have a vision statement that I can get behind. We choose to make the Internet safe and do the other things, not because they are easy but because they are hard. So, a cyber moonshot is essentially this: In ten years, if we're going to make the Internet safe, not just safer, not incrementally safer, but safe, what would you have to do? The reason that a cyber moonshot is important to talk about is it gets us out of our heads about what we think is possible.
Rick Howard: [00:13:45:12] Like you said, when Kennedy made a speech NASA had no idea how to get a man to the moon and back safely. But by setting the aiming stick so far out in front of what we thought we could do he didn't let the naysayers backbite him by pointing out all the reasons this could not be done. He just said, this is what we're going to do, go figure it out. So the purpose of a cyber moonshot, at least the beginning, is to decide what we need to do in order to make the Internet safe. So this is an open question. We don't have a full list yet. My gut tells me there's probably seven to ten very large things that we will probably need to do in order to successfully navigate a cyber moonshot.
Dave Bittner: [00:14:26:02] What are some of the top things you think we can do?
Rick Howard: [00:14:30:00] I've been thinking about it, and there's probably way more, and I'd love to hear what the audience has to think about this. But here is my first one: International digital identity. This is the ability to uniquely identify a user, or a system, or an application, and it's non-repudiable. Kind of like a passport, only digital. This implies not only would governments have to deploy this technology, they would have to make it available to everybody in their country for free, and build services for making, maintaining and replacing them, essentially the administration of the program. The international digital ID would be used for all official transactions that government sanctions. Like voting and paying taxes and other things. Commercial organizations could opt in, but it would make sense for banking and legal services and other monitor services to use this ID for all transactions.
Rick Howard: [00:15:20:18] Before the privacy naysayers kick in to decry how this is not possible - or, as one of my heroes, Salim Ismail, would say, the immune system kicks in and says you can't do this because it might change the status quo - let me just say that you wouldn't have to use the digital ID for all transactions - just the official ones. You can still operate anonymously in your online butterfly quilting circle, as I know you do David, all right?
Dave Bittner: [00:15:45:13] You know me so well, Rick.
Rick Howard: [00:15:48:10] If you want to do that anonymously that is still fine to do. But if you want to make an official online transaction you're going to have to use your digital ID.
Dave Bittner: [00:15:56:18] What else? Give us another one.
Rick Howard: [00:15:58:04] Here's my number two: Anti-fake-news protocols. Now what I mean by that is the ability to provide online readers (news, social media, etc.) with some sort of a rating of source material. Influence operations by nation states and other activist organizations have been going on since the world was young. But before the Internet you needed a concentrated cache of resources to make a dent in the influence you were trying to peddle. With the Internet and social media today it is possible to conduct successful influence operations with very few resources and without fear of any consequence if you get discovered.
Rick Howard: [00:16:34:24] So in my cyber moonshot I would like to see everything I read online with a tag that says: who the author is, some kind of rating about how true the particular post is, and a rating of how true the source's other postings are; and a tag that says this is an opinion piece. Like, I think so and so, or a journalism piece, just the facts sir, or a combination; this thing happened and here's what I think about it. Now, some social media companies can choose to do this now voluntarily, but I'm talking about an international standard that is so ubiquitous. If an article shows up with an anti-fake-news tag, the general population will just dismiss it out of hand. That's where I'd like it to go. What do you think?
Dave Bittner: [00:17:18:18] I think it's a who-watches-the-watchman kind of thing because, you know, one person's straight-down-the-middle moderator is another person's extreme left or extreme right. I mean we're functioning in a world right now where we can't agree on whether the earth is spherical or not, right?
Rick Howard: [00:17:37:12] That's very true but, again, a cyber moonshot is not to worry about how we might do it yet - it's just to identify the things that we need.
Dave Bittner: [00:17:43:10] Fair enough. Rick, we don't have time for any more of them. I am behind this notion. I think to really move the needle these bold ideas are often what it takes. So I think you're onto something here. Like you, I'd love to hear what our listeners have to say about this. They can, of course, write us here at The CyberWire and, as always, Rick Howard, thanks for joining us.
Rick Howard: [00:18:08:17] Thank you sir, it was fun.
Dave Bittner: [00:18:12:04] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit Cylance.com, and thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:33:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.