The CyberWire Daily Podcast 8.3.18
Ep 655 | 8.3.18

Russian threats and threats to Russia. Cryptojacking wave spreads out from Brazil. Recovering from malware in Alaska and Atlanta. Notes on automotive cybersecurity.

Transcript

Dave Bittner: [00:00:00] You may have heard yesterday that Apple became the first U.S. company to reach a $1 trillion market cap. Here at The CyberWire, we're not quite there yet, but you can help us by going to patreon.com/thecyberwire and becoming a CyberWire supporter. At the $10-per-month level, you get access to an ad-free version of our show, so check it out - patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:28] The U.S. intelligence community warns of Russian threats again. A criminal spear-phishing campaign hits Russian industrial companies. A cryptojacking wave is installing CoinHive in MikroTik routers. Speakers at the Billington Automotive Cybersecurity Summit stress collaboration designed for security and the convergence of cyber and safety, and municipalities hit by malware feel the pain.

Dave Bittner: [00:00:59] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire, and we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:59] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, Aug. 3, 2018. The U.S. intelligence community has reiterated warnings about a clear and present threat of Russian cyberactivity directed against both elections and infrastructure. Those same agencies and the White House have pledged what they characterize as a vast government-wide effort to protect the coming midterm elections against foreign interference. General Nakasone, who leads both NSA and U.S. Cyber Command, indicated that both of his organizations will be involved in that effort.

Dave Bittner: [00:02:39] Kaspersky Lab reports a criminal campaign against roughly 400 Russian industrial companies. It begins with highly targeted spear-phishing designed to induce the victims to install remote administrative tools on their systems.

Dave Bittner: [00:02:53] A large cryptojacking effort is also underway. Trustwave and Censys.io report that more than 170,000 MikroTik routers are infected with the CoinHive cryptominer. Ground zero of the campaign appears to be in Brazil, but the infestations are thought to be spreading rapidly. Users of MikroTik routers should look through their systems.

Dave Bittner: [00:03:18] The second Billington Automotive Cybersecurity Summit is running today. The two morning keynotes were delivered by Michael Chertoff, CEO of The Chertoff Group and former secretary of homeland security, and GM President Daniel Ammann, who expressed optimism about the benefits of connected and autonomous vehicles. They argued that cybersecurity designed in from the beginning would be essential to securing those benefits, as would effective cooperation across the sector.

Dave Bittner: [00:03:48] Chertoff said we shouldn't overlook the implications of connectivity for data privacy. The data being requested of cars and drivers by insurers, for example, could amount to intrusive surveillance. One need look no farther than Facebook to see the possibilities of a serious consumer backlash. He also warned of the potential for terrorist exploitation of weaknesses in connected vehicles. He said, quote, "it's not too much of a leap to consider that some small terrorist will decide it's easier to hack a vehicle and control it as a weapon," end quote. He closed with remarks about regulation, which will, he says, be inevitable and will be better if industry anticipates it with voluntary standards. When it comes, he argued, it should be based on outcome and effects and should not involve micromanagement. The SAFETY Act, designed to encourage investment in competent and capable counterterror technologies, in his view represents a good legislative model. It might be worth extending this law to the auto industry.

Dave Bittner: [00:04:52] GM's direction for the future may be summed up as electrification, connectivity and autonomy. Ammann framed automotive cybersecurity as an issue that's converged with safety. It's also in his view a sector-wide issue. He said, quote, "failure by any one company will be regarded by the public as failure by all," end quote. Thus, cybersecurity must be a matter for cooperation across the industry. In this, he reiterated a long-standing GM theme. The company says it won't treat cybersecurity as an area in which it seeks competitive advantage. Autonomous vehicles are poised to bring huge positive benefits in terms of availability, affordability and safety. Cybersecurity incidents could halt progress toward those benefits, which means that customers are best served by industry-wide security collaboration.

Dave Bittner: [00:05:46] During a break, we were able to speak with Robert Anderson of The Chertoff Group. He said that in his view, most people remained unaware of the advantage attackers enjoy in cyberspace. This advantage isn't a matter of superior technical capability, he thinks. Rather, it has two principal sources. First, the criminals - hacktivists and intelligence services that constitute the threat groups - don't operate under the sorts of legal or even social restraints legitimate businesses in most parts of the world do. In this, we heard an echo of what we've heard during a morning panel session from Jake Belunski (ph), supervisory special agent in the FBI's Detroit field office. In the U.S., Belunski pointed out, you can't go to the FBI or the NSA and say, we need this widget; go steal it for us. In some other countries, notably China, you can.

Dave Bittner: [00:06:39] The other attackers' advantage, Anderson pointed out, was the efficiency of the black market and its success in commodifying attack tools. You don't have to have any particular technical expertise anymore, he said, to mount a damaging cyberattack. The means to do so are readily available on the dark web, and these reasons are why it's so hard to get ahead of the threat. We'll have more coverage of the Billington Automotive Cybersecurity Summit in upcoming issues of The CyberWire daily news brief.

Dave Bittner: [00:07:09] Two attacks on municipal systems are drawing attention. The smaller is the attack Matanuska-Susitna Borough sustained last week in Alaska. The town has declared that the incident amounts to an official emergency and is taking various measures to contain and remediate its problems, including reversion to typewriters for routine tasks like preparing receipts. The attack included installation of the Emotet Trojan and BitPaymer CryptoLocker ransomware.

Dave Bittner: [00:07:39] Matanuska-Susitna is calling it the biggest attack on a U.S. city or town, but Atlanta might dispute the claim. Atlanta's costs to remediate the SamSam ransomware attack it sustained in March are now estimated at $17 million according to a confidential document obtained by The Atlanta Journal-Constitution and WBDTV. The city document indicates that another $11 million will be needed on top of the $6 million already spent on recovery. The Journal-Constitution's lead is direct and damning - quote, "taxpayers foot bill for years of neglected network security," end quote.

Dave Bittner: [00:08:23] And now a word from our sponsor ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #throwbackthursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from "Ghostbusters," you're a pretty righteous dude. Visit observeit.com/cyberwire and take that quiz today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:43] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting story from The New York Times about the Justice Department seizing the records from a Times reporter, both telephone and email records. Give us the background here. What's going on?

Ben Yelin: [00:10:03] This is actually, you know, one of the instances where this is more of a continuation of an effort made during the Obama administration to really hold reporters accountable for information being leaked to them. And I think it's a major First Amendment concern. Certainly, the groups that are formed for the purpose of protecting media sources are very concerned about this like Reporters Committee for the Freedom of the Press - those types of groups.

Ben Yelin: [00:10:30] What happened here is this Senate intelligence aide, James Wolfe, has been charged in criminal court with lying to investigators about his contacts with certain reporters. And as part of that investigation, the Justice Department has been able to obtain records from the encrypted accounts of some of these reporters. One of them is actually a New York Times reporter named Ali Watkins. She previously worked for Buzzfeed and had broken some major stories based on information she got from Mr. Wolfe.

Ben Yelin: [00:11:02] Now, this is a perfectly legal process in a couple of respects. For one, the Justice Department, while it has guidelines to protect First Amendment rights, also allows for a procedure in which the communications of members of the press can be collected. And that's under what we call Section 2703(d) of the Stored Communications Act. Sometimes that's shorthanded to a D search. If you have reason to believe that somebody's electronic - stored electronic communications will aid in a criminal investigation, you can obtain those records via subpoena through the electronic communications company.

Ben Yelin: [00:11:43] And that's exactly what happened here. The Justice Department went to - I think it was Google and maybe one other electronic service provider or internet service provider and was able to obtain those records. Those will be used in the government's case against James Wolfe. It's obviously very problematic. Members of the press want to protect their sources, and they also don't want the government snooping in their information. You know, when the Obama administration took actions to prosecute leaks and obtained the private communications of journalists, they were opening a Pandora's box, especially given that the administration now is certainly more hostile to members of the mainstream media. It's problematic from a First Amendment perspective. It's problematic from a journalism perspective. If you fear that your communications are going to be submitted to the government as part of an ongoing criminal investigation, you might not chase that very important story angle. It's certainly a matter of great concern.

Dave Bittner: [00:12:48] Now, did the Justice Department have to get a warrant here? Did they have to convince a judge?

Ben Yelin: [00:12:53] They do not need a warrant in a traditional sense. You do not need probable cause to, you know, go in front of a court and say that a crime is being committed or has been committed. In order to simply obtain these electronic messages, the standard is much lower. You just have to prove that you have reasons to believe - so it doesn't have to be, you know, anything above a suspicion that these texts, that these emails are going to be relevant to an ongoing criminal investigation. That's a very low standard. It's not a high burden for the government to meet. And even outside of the context of journalism, I think that's problematic to people - that the government can obtain our stored communications without a traditional warrant.

Ben Yelin: [00:13:39] But this is the choice that Congress has made. It has allowed for the government to work directly with communications providers and compel those providers to turn over information based on simply what amounts to a reasonable suspicion. If a layperson asks me, what's the biggest concern about the government collecting my emails or my text messages, I would say that you're vulnerable to searches under Section 2703(d) of the Stored Communications Act. It's a very, very powerful government tool - a compliance nightmare for a lot of these tech companies because they get so many of these search requests. But that's what the law is. It's been upheld as reasonable by the Supreme Court. It's something that all of us, as consumers of electronic media sources, have to be concerned about.

Dave Bittner: [00:14:28] All right. Ben Yelin, as always, thanks for joining us.

Ben Yelin: [00:14:31] Thank you.

Dave Bittner: [00:14:36] Now a few words about our sponsor Invictus - we've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company, headquartered in Northern Virginia, boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled, veteran-owned small business, over 60 percent of Invictus's workforce is comprised of veterans. And it's not just in the government space. It delivers for commercial clients, too. An award-winning company, recently named to 2018's Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus has also won the most valuable industry partner award at the ISC2 15th annual Information Security Leadership Awards. So check them out at invictusic.com. That's invictusic.com. And we thank Invictus for sponsoring our show.

Dave Bittner: [00:15:52] My guest today is David Spark. He's the co-host of the "CISO-Security Vendor Relationship" podcast and owner of Spark Media Solutions, which does content marketing for the tech industry. He joins us to share some of the insights he's gained in the conversations he's had with CISOs, specifically when it comes to marketing.

David Spark: [00:16:11] This really comes from the work that I've been doing with security companies. You know, I own a content marketing agency. And we've been working with tech companies - security companies specifically - for nine years in particular. And inevitably, you know, when you're doing any kind of marketing effort, you ask, so, you know, what's the audience you want to reach? And everyone - and I don't mean, you know, a few exceptions. I mean everyone. Their answer to that question is CISOs, to which my reaction was, join the club. And then it dawned on me. If every single one of my clients wants to reach CISOs, then every one of their competitors wants to reach CISOs. And CISOs are probably getting hammered right now.

Dave Bittner: [00:16:53] And so what's the situation with the CISOs? I mean, is it a fire hose of requests and offers every day?

David Spark: [00:17:01] Yeah, I mean, they get sometimes 100 and 200 - like, just before an event especially, they could get 100 or 200 requests a day. And so they've gotten to the point where they go in shutdown mode. They can't handle it. And there is a mutual dependency between the two groups. They need each other - that's the vendors and the CISOs. But it's an asymmetrical relationship, meaning that there are thousands of vendors hammering a very small quantity of CISOs. And so they still need the help from the vendors. But the way the engagement is going is just - it's something they physically can't handle.

Dave Bittner: [00:17:35] And so what are some of the mistakes that you see people making when they're trying to engage with the CISOs?

David Spark: [00:17:40] Well, one of the most classic ones that got a lot of discussion was the 15-minutes-of-your-time request. And this one - oh, man, everyone sort of jumped on the bandwagon on this. And I'm sure you've heard this. I'm sure people have said this to you. And what this really preys on is the goodwill of the person who's receiving it. Please give me, this person you don't know, 15 minutes of your time. It's not, hey, I'm going to answer all your problems in 15 minutes. It's more, pay attention to me for 15 minutes. And there's just so much goodwill a CISO can spread around. And to every single vendor who requests that, it's not much. I mean, the irony is a friend of mine asked me to do that to a CISO - you know, give me an introduction to a CISO. And he goes, oh, I just want 15 minutes of his time. And every time I get that now, I just point them to the article that I wrote about that very subject. I go, I don't think you want to be making that request. And you'll see that the response to it is not positive.

Dave Bittner: [00:18:37] (Laughter) Now, one of the articles I saw that you wrote was about - it was called "Nine Reasons Why Selling Fear Does Not Work on a CISO." So let's dig into that. What was that about?

David Spark: [00:18:48] Selling fear has traditionally been a successful tactic to sell security products, period. It just is. And, you know, people could argue this all they want. But individual companies could probably come to you and to I and say, look at this; I have evidence that this technique works. So you can tell me to stop selling fear, but I sell more when I sell fear. But the problem is, as you go up the chain of command - to the people who are dealing with that fear on a daily basis - for a vendor to reintroduce that is, A, insulting and, B, realize they don't know who they're dealing with at that time. So it's a very - it's a high level of frustration. They just - they don't like it. And it's just really inappropriate. The one thing, though, that they should really watch out for - and this really gets every CISO annoyed - is when they use that fear tactic to sell over the CISO's head and go straight to CEO. Oh, that drives them crazy - really crazy.

Dave Bittner: [00:19:56] So they get it down from the top. If they are successful in rattling the CEO, the CISO has to mop up the mess.

David Spark: [00:20:05] Exactly. The idea being this is a person that I have formed a relationship with, and now you're screwing it up by selling them fear. Not only do I not want your product now, now I hate you, you know. It's like, don't do that because you're making my life miserable. I mean, my life is difficult enough as a CISO. Now you're really making it difficult.

Dave Bittner: [00:20:25] So let's come at it from the other direction. When you talk to CISOs, how do they want people to approach them?

David Spark: [00:20:31] So this is the one thing that we try to really sell on our podcast - is that it is not negativity. It is a lot - there's a lot of positivity. Yes, we may say, stop doing this. But - and we talked about this in the last episode - is we try to compliment every negative with a positive - like, this is what you should do. So the advice that we get a lot of is, just talk to us. And I go, well, we just want 15 minutes of your time. He goes, well, CISOs are in public spaces. Like, they're online. And every CISO has their space. Sometimes, it's not digitally. Sometimes, you've got to meet them in person. And, yeah, that takes more time. The one thing that we hear repeatedly is getting involved in local events. Getting involved in local ISSA chapters and local security events are truly the most popular ways to connect with CISOs.

Dave Bittner: [00:21:20] Are there any absolutely just toxic things that you absolutely should not do when you're trying to kick off this relationship?

David Spark: [00:21:28] Well, going back to the selling fear, like, the one that sort of set the ball in motion - there was some breach that had come out, and he was just waiting for the torrent of emails that would come in that said, hey, you know, had you had our product, this problem never would have happened. And you can't, A, make those claims a lot of times or protect against all breaches or detect all breaches. It's kind of an unrealistic claim. So be very, very wary of using the latest attack as a means to instill fear. But there are positive ways to use the latest attack as a - hey, by the way, I know you're aware of this attack, you should know that our product does this, and kind of leave it at that - kind of a thing, but not, you know, we are the solution, like, we would have stopped this kind of thing. Those claims really infuriate CISOs.

Dave Bittner: [00:22:23] Yeah, it's an interesting perspective. I mean, it seems like the CISO has so many balls in the air all the time. To even, you know, grab some of their attention, the thing you must not do is waste their time.

David Spark: [00:22:37] Don't waste their time. But don't create unnecessary stress. I think that's what it's all about. I mean, all this advice is that they don't need additional stress. They've got plenty as it is. Reduce their stress. And, you know, the classic thing is, understand my needs, understand that. And everyone's like, well, if you would just talk to me. And one of my articles actually goes into how to find out about a CISO's needs when they won't talk to you because there's actually a lot of public information that - you can do a little bit of investigative reporting to actually understand it. And this goes into account-based marketing. And, sure, it takes a lot more work, but, you know, a lot of these vendors are selling, you know, six-, seven-figure products, so it's worth it to do that work.

Dave Bittner: [00:23:21] Yeah, do your homework. All right. Well, David Spark, thanks for joining us. Tell us a little bit about the podcast. What's the best way to find it?

David Spark: [00:23:28] Well, the best way to find the podcast is you can either find it on Security Boulevard, or if you'd just like to listen to it on your phone or whatever podcasting device you use, you can search on the "CISO-Security Vendor Relationship" podcast. But you may not need to type all that in. I believe if you just type in CISO, it's the No. 1 result.

Dave Bittner: [00:23:46] All right, great. David Spark, thanks for joining us.

Dave Bittner: [00:23:53] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:24:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.