The CyberWire Daily Podcast 9.21.18
Ep 689 | 9.21.18

US National Cyber Strategy. New sanctions. GCHQ beefs up Russia unit. Cryptocurrency heist. Hacking Senatorial Gmail. Crime and punishment.

Transcript

Dave Bittner: [00:00:03] The U.S. has released its National Cybersecurity Strategy and developing international norms, calling out bad actors, establishing a credible deterrent and imposing consequences are important parts of it. The State Department blacklists 33 Russian bad actors. GCHQ is standing up a 4,000-person cyber operations group to counter Russian activity. There's a cryptocurrency heist in Tokyo.

Dave Bittner: [00:00:28] Our guest today is Tanya Janca from Microsoft. She shares her OWASP DevSlop project. Some senators have seen their Gmail hacked. And we've got some notes on crime and punishment.

Dave Bittner: [00:00:46] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:48] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 21, 2018.

Dave Bittner: [00:02:01] The U.S. has released its National Cyber Strategy. It puts an emphasis on deterrence, as described by National Security Adviser John Bolton. The strategy has four pillars - protect the American people, the homeland and the American way of life, promote American prosperity, preserve peace through strength and advance American influence. Each pillar is explained in terms of specific measures.

Dave Bittner: [00:02:27] These pillars are those that appear in the larger national strategy. The Cyber Strategy outlines how cybersecurity policy and operations will serve the four pillars. Thus, the strategy is committed to, first, defend the homeland by protecting networks, systems, functions and data; second, promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation; third, preserve peace and security by strengthening the United States' ability, in concert with allies and partners, to deter and, if necessary, punish those who use cybertools for malicious purposes; and fourth, expand American influence abroad to extend the key tenets of an open, interoperable, reliable and secure internet.

Dave Bittner: [00:03:15] The pillars are preceded by an introduction offering an answer to the question, how did we get here? That answer calls out by name Russia, Iran, North Korea and China, describing them as repressive regimes that exploit open societies and systems while remaining themselves largely and self-consciously closed. Terrorists and criminals are named along with these four adversaries as representing threats to American interests in cyberspace. The introduction says in its discussion of the way forward that responding to these threats will be consistent with commitment to an open internet, and more importantly, to such enduring values as belief in the power of individual liberty, free expression, free markets and privacy.

Dave Bittner: [00:04:01] The priority actions outlined in the third pillar, the peace through strength section of the strategy, are, first, lead with objective collaborative intelligence - that is objective actionable intelligence that will lead to clear and credible attribution. Second, the strategy promises to impose consequences that will be swift and transparent and imposed in collaboration with allies. Third, the strategy declares its intention to build a cyber deterrence initiative, also in cooperation with like-minded states committed to emerging international norms. And fourth, the United States will be committed to countering malign cyber influence and information operations, including propaganda and disinformation from both state and nonstate actors.

Dave Bittner: [00:04:48] Domestically, the strategy has been generally well-received by those who've commented on it, notably including experts who worked in the previous administration. They and others see both continuity and evolution toward a clearer, more active policy in cyberspace. The strategy has been linked with other official declarations of policy that have been generally regarded as taking the gloves off U.S. Cyber Command and other Department of Defense organizations with respect to offensive cyber operations.

Dave Bittner: [00:05:18] In one early example of the sorts of consequences that will be imposed, the U.S. State Department announced that 33 Russian individuals and companies would be blacklisted for what Foggy Bottom characterizes as malign activities. Most are connected with Russian security and intelligence organs. These consequences are, to some extent, an exercise in making the rubble bounce, since a lot of those sanctioned are already under sanction. But in such matters, there is a serious sense in which it's the thought that counts - seriously.

Dave Bittner: [00:05:51] Over in the United Kingdom, the Ministry of Defense and GCHQ are establishing a 4,000-person unit to protect Great Britain against Russian cyber operations. This can be expected to be one of the partners with whom the U.S. will seek to coordinate deterrence.

Dave Bittner: [00:06:09] Tech Bureau Corporation disclosed that roughly $60 million in cryptocurrency had been looted from its Tokyo exchange. The hack occurred over two hours on September 14, was detected on September 17 and was confirmed and reported to authorities on the 18th. The company had been under some regulatory pressure to improve security. A new investment round, it says, will help it reimburse those who lost altcoin and help tighten safeguards against theft.

Dave Bittner: [00:06:40] Google confirmed yesterday that it had notified some senators that their Gmail accounts, and those belonging to their staffers, had been targeted by foreign intelligence services. There's been no public attribution of which intelligence services were involved, but the warning has prompted several senators to complain that the office of the sergeant-at-arms has said helping secure personal email accounts, like Gmail accounts, isn't within the scope of its responsibilities. Government accounts, sure; Gmail, no.

Dave Bittner: [00:07:12] And finally, two arrests have resulted in two guilty pleas. You may recall a ransomware attack staged through networked Washington, D.C., police traffic cameras shortly before President Trump's inauguration. Romanian national Eveline Cismaru admitted guilt to 2 of 11 charges she's faced - conspiracy to commit wire fraud and computer fraud. Ms. Cismaru may get a break on her sentence if she follows through on her promise to help investigators against her co-conspirators. And why not? It worked for the guys behind Mirai, after all.

Dave Bittner: [00:07:46] The motivation for the hacking was criminal and not, as was widely suspected at the time, political. And the timing of the attack to coincide with the inauguration seems to have been merely coincidental. The hackers may not have even been aware that the devices they compromised were connected to police networks.

Dave Bittner: [00:08:04] And in what we might as well call a case of super-duper privacy, since it involves "Deadpool," a gentleman took a guilty plea to charges involving his posting the entire "Deadpool" movie to his Facebook page. In what has become a leitmotif for online acting out, Mr. Trevon Franklin also unwisely tweet-taunted federal law enforcement, quote, "I see all these people talking the Feds gone get me. Well, where they at," quote. Well, right now, they at sentencing recommendation of six months.

Dave Bittner: [00:08:38] In plain sight, but not hiding, Mr. Franklin, who was also known in social media by his nom de hack Tre-Von M. King, also established a site he called Bootleg Movies. Do crooks today really need remedial instruction in such old-fashioned criminal skills as hiding out, going on the lam or being D and D (ph) instead of a canary?

Dave Bittner: [00:09:05] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:10:06] And joining me once again is Emily Wilson. She's the fraud intelligence manager at Terbium Labs. Emily, welcome back. We wanted to talk today about this notion of exit scamming. Some of the things that you all have been seeing when it comes to the dark web - what can you share with us?

Emily Wilson: [00:10:22] Sure. So glad to be back. Thank you for having me. Yes. You know, I've been out of the world for the last few weeks on this thing they call vacation, which I highly recommend. And I came back to find that one of the markets has recently exit scammed. I thought this was a good idea to talk to you and your listeners about how exit scamming works on the dark web, what it is and where we see it show up. So in this situation - I'll set the scene for you. This is a market that came into play kind of after the AlphaBay takedown, kind of in that vacuum that we saw form there.

Dave Bittner: [00:10:55] Right.

Emily Wilson: [00:10:55] They've always been a little sketchy. You know, they haven't played nicely with others. They actually took down somebody else's site in sort of a big display of power, only to realize that it was going to backfire.

Emily Wilson: [00:11:07] And a couple of weeks ago - this is my favorite piece here of a little dark web drama - they reached back out to that person they'd gone after and said, hey, are you interested in doing business together, in what the community now thinks is probably an attempt to, you know, censor some reporting around the inevitable exit scam. And then they disappeared.

Emily Wilson: [00:11:25] And that's what an exit scam is. An exit scam is when, you know, one of these dark web markets just disappears, just goes offline. And the reason you'd do that is because, you know, these are fairly sophisticated platforms. They hold money in escrow for buyers and sellers. And so if you're looking to make a purchase, you know, you pick your listing. You say, I'd like to buy this cocaine, please, or these credit cards. And, you know, you send your money. And while they're waiting for the transaction to process, the market holds that money in escrow until the seller actually releases the good, right? It's meant to be a safety mechanism.

Dave Bittner: [00:12:02] To have a sort of a trusted third party that handles the money, so you make sure you get your goods.

Emily Wilson: [00:12:08] Exactly. And that, you know, provides a dispute mechanism if something goes wrong, which, of course, it inevitably does, except when, of course, these markets that you, quote, unquote, "trust" decide to disappear. And so they run off and they take all of the money held in escrow, which can be quite a large amount of money, depending on the market. And they're gone. And you can't do anything about it. You know, they shut down the site. They disappear. And there goes all of your money and all of your friends' money. And that's what happened here.

Dave Bittner: [00:12:38] Is it reasonable to think that this may actually be some of these folks' business plan from the outset to kind of build up this forum and build trust, and the ultimate plan is to run off with the money?

Emily Wilson: [00:12:51] Absolutely. That's definitely - it's very lucrative if you do it right. And I'm sure you can imagine. You know, one of the biggest scams was a market called Evolution that exit scammed back in 2015. And at the time, they ran off with something like, you know, $10-to-$15 million dollars' worth of bitcoin. And that was before the bitcoin price spike. So you can imagine it was particularly attractive this past fall when we saw bitcoin, you know, spike up in the tens of thousands of dollars.

Dave Bittner: [00:13:20] So I guess this is one of those things where if you're doing business in unregulated, shady markets, this is something you might fall victim to.

Emily Wilson: [00:13:30] Absolutely. And it's the sort of thing that everyone knows can happen. You have to choose where you want to place your trust. And when markets go offline briefly, or if, you know, the connection is shoddy, or if something is not quite right, this is the first thing people think of. They think, oh, they're going to exit scam because everyone's fallen victim to it one or - you know, one or more times over the course of their dark web life.

Emily Wilson: [00:13:53] This was what people thought originally was happening with AlphaBay when AlphaBay, who had historically had incredible up-time - you know, this is the market - you know, disappeared last July. You know, everyone thought, oh, I'm sure it's fine because AlphaBay wouldn't do this. You know, they're making enough money. They wouldn't just exit scam. And then over the next couple of days, it - you know, people got increasingly angry thinking, like, we trusted you. We built this community together. Did you really just do what everyone else does? Emily Wilson: [00:14:22] And so it really - it is something people expect. But then, you know, it's very easy for these admins because all they have to do is just walk away. They have the money in their wallet - in their bitcoin wallet. They can just walk away. And, really, no one can stop them.

Dave Bittner: [00:14:36] All right. Well, I guess buyer beware, right? Emily Wilson, thanks for joining us.

Dave Bittner: [00:14:45] I'd like to take a minute to tell you about an exciting CyberWire event. It's the Fifth Annual Women in Cyber Security Reception. It's taking place October 18 at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at various points in their careers. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event; it's just about creating connections.

Dave Bittner: [00:15:30] We're grateful to our sponsors. Here are some of them. Our hosting sponsor is Northrop Grumman. Our presenting sponsors are CenturyLink and Cylance. Our platinum sponsor is Cooley. Gold sponsors include T. Rowe Price, VMware, Accenture Security, ObserveIT, Saul Ewing Arnstein & Lehr and Exelon. The art sponsor this year is ZeroFOX.

Dave Bittner: [00:15:51] And if your company is interested in supporting this important event, we still have a few sponsorship opportunities available. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs, that's thecyberwire.com/wcs. We look forward to hearing from you, and we hope to see you there.

Dave Bittner: [00:16:21] My guest today is Tanya Janca. She's a senior cloud advocate for Microsoft, specializing in application security. She's one of the project leaders of the OWASP DevSlop Tool Project, which they describe as a collection of DevOps-driven applications specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.

Tanya Janca: [00:16:48] So OWASP is the Open Web Application Security Project, which is a huge international non-profit. And our entire goal is to teach about application security. And we're expanding out to cloud security, Op security - all sorts of other things that surround that idea. Almost all of us are volunteers. And basically, we have the global foundation, which is not that visible to the public. And then we have chapters, and I run a chapter in Ottawa, where you hold meetings and stuff.

Tanya Janca: [00:17:17] And then we have projects. And projects include things like ZAP, which is a web proxy, and it's free, and DefectDojo, which will track all of your vulnerabilities. It's like vulnerability management. And then I met a woman named Nicole Becker from New York City, who's amazing. And she said, do you want to start a project with me? It's like, I can't think of anything more fun to do.

(LAUGHTER)

Tanya Janca: [00:17:41] And she's one of my professional mentors. She's incredible. And so she created this vulnerable app that had sort of new DevOps-y (ph) types of things. And both of us wanted to learn about DevSecOps. And so I went down to New York, and we spent a few days together hacking away at it. And then we presented it at Microsoft TechDays long before I actually worked for Microsoft. So it has, like, broken APIs - like, insecure APIs and we used the MEAN stack. And we just wanted to learn new ways to kind of, like, hack DevOps, if that makes sense. And then we did that workshop a whole bunch of times all over the world together.

Tanya Janca: [00:18:22] And then I decided to make my own DevOps pipeline to create our website. Like, well, why not, you know, eat my own dog food? And if I'm going to make a website or a web app or a project, I'm going to do it with the DevOps pipeline. Cool. So then I started adding security things to it, and I thought I wanted to open source it. But it turns out it's really hard to open source your actual pipeline. Mine is an Azure DevOps pipeline. And it turns out it's really hard to share. Like, you can export it in JSON, but because of all the different licenses and stuff, it's just, like, this huge mess.

Tanya Janca: [00:18:57] So I'm like, how can I share it? So I started a video show, and - I guess the "OWASP DevSlop" show - and I stream live on Twitch. I'm going to add Mixer and YouTube. Apparently, you can stream to all three at the same time. We've had five episodes so far. And basically, members of the public can watch myself and a guest - quite often it's someone else from the DevSlop Project - doing things on my DevOps pipeline as we turn it into a DevSecOps pipeline.

Tanya Janca: [00:19:27] So this Sunday, we added all sorts of security headers. We're going to add a bunch more till we have all those security headers (laughter). And we're adding a certificate together and then, like, talking about why you need a certificate, talking about what all the different headers do. And I'm going to have an episode where Simon Bennetts comes on. And he's the one that created OWASP and ZAP, and we're going to add it to my pipeline.

Tanya Janca: [00:19:52] And the idea is that slowly, we're just going to add things to the pipeline and make, like, little lessons and explain how to do it. And the audience can participate with us. Like, they'll say, hey, what about this? Or, have you done that? Or, this is broken. And whenever I screw something up, they're always helping me, which is really sweet. It's like having, like, several little helpers all the time. It's great. So that is my (inaudible) show. (Laughter).

Dave Bittner: [00:20:15] Yeah. No, but when you say the community, who are you attracting so far? Who are your - who are your viewers? Who's checking it out?

Tanya Janca: [00:20:24] So far on Twitch, it's a lot of people who are just interested about cool things on Twitch. My friend, Suz, or @noopkat, she does super-cool IoT types of things. So she'll LiveCode IoT things. So she'll, like, LiveCode a thing where people send her a cute picture of a cat, it'll turn on the light and stuff like that just to show people how to code IoT things. So she's been sending her followers to follow me, which is really great. And then members of the OWASP community. And I love the idea of people being able to ask questions and being able to answer them real-time.

Tanya Janca: [00:21:00] And sometimes on the show, we're going to start interviewing people about things I think are cool. Like, someone's going to come on and talk about smart contracts and then how to hack them, which I think is neat. And I'm going to have different OWASP project leaders come on and then actually implement their project as part of my project, which is, like, super, super cool. Yeah. So just any DevSecOps thing that I want to know, I'm just asking cool people to come on the show. And so far, a lot of them are saying yes, which is really neat.

Dave Bittner: [00:21:30] And I think that one of the things that I think is interesting and charming about this is that you're putting yourself out there for folks to watch you in the midst of your learning process. You're not putting yourself in front of them and saying, hey, I'm an expert, here is my knowledge that I will rain down upon you. Your mistakes are out there, the missteps along the way. And it's really a community, collaborative process.

Tanya Janca: [00:21:57] Yes. As a perfectionist, it's kind of hard to make mistakes in front of other humans. (Laughter). But I'm working on being cool about it. Franziska and I - Franziska Buhler - she's one of my project members. And she's also a super anal-retentive perfectionist like I am. And so both of us are, like, comforting each other. Like, we tried to implement a certificate on our site three times now. (Laughter). Failed three times.

Tanya Janca: [00:22:24] Nicole and I - Nicole Becker and I - we wanted to learn about DevSecOps. And she wants to learn about how to break it 'cause she is a Red Teamer. And I want to learn about the vulnerabilities and then how to defend against them because I am a Purple Teamer. And then Franziska is a WAF expert. She writes the core rule set for ModSecurity. She's on that open-source team. And so she's been, like, adding WAFs to pipelines - which is kind of bad ass - so you can test your WAF rules and to make sure it doesn't block, like, real business traffic, which is really neat. And so she's going to add a WAF to our pipeline. So it's pretty cool.

Dave Bittner: [00:23:05] Now, in terms of how this intersects with your work at Microsoft, are they supportive of your efforts here? Is this a side project you're doing off the clock? How much are they involved?

Tanya Janca: [00:23:18] So they've given me unlimited Azure resources, which is really amazing. And I don't only have to show Microsoft products, which is really cool. So basically, they've given us, like, free server space and basically, like, I have a security sensor and all this monitoring, and all of it's free 'cause I work for them, which is really, really cool. So they're being super, super, ridiculously supportive.

Dave Bittner: [00:23:41] Our thanks to Tanya Janca for joining us today. We only had time here for a small part of our conversation. We discussed her thoughts on being a woman in tech, the fearlessness she learned from a previous career as a professional musician, the importance of mentoring and much more. We posted the full, extended version of our conversation over on our CyberWire Patreon page. There's a link in today's show notes, and we hope you'll check it out. You don't need to be a Patreon contributor to listen, but while you're there, we hope you'll check out all the ways you can help support our show.

Dave Bittner: [00:24:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:24:34] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:24:42] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.