Facebook breach details. Privacy issues and an image problem for advocates. Supply-chain-attack skepticism. Info ops, bikers, and deniable paramilitaries.
Dave Bittner: [00:00:03] Facebook finds that fewer users than feared were affected by its breach but that, in this case, fewer still means a lot. Do privacy advocates have an image problem? The supply chain seeding attack story draws more skeptical comment. A pipeline accident turns out not to have been a cyberattack. Estonia joins the U.K. and the Netherlands in an effort to clarify EU cyber sanctions, but Italy pumps the brakes. Do Putin's angels rejoice?
Dave Bittner: [00:00:38] Time to take a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact of businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:01:59] Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:03] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 15, 2018. Today's news is highlighted by some follow-up stories that have been developing over the past few weeks. Late Friday, Facebook released more information on the cyberattack that led it to log some 90 million users out at the end of September. In brief, it seems that fewer users were affected than feared but that the information exposed was more sensitive than hoped. Approximately 30 million people were affected. Here's roughly how they broke down. One million lost nothing. Fifteen million lost name and contact details. Fourteen million lost name, contact information and other data they had in their profiles. Such other information included username, gender, locale or language, relationship status, religion, hometown, date of birth, education and work. Various aspects of their online activity were also revealed - the last 10 places they checked into or were tagged in, website, people or pages they follow and the 15 most recent searches. That's according to Facebook's update.
Dave Bittner: [00:03:12] Facebook points out that people's accounts have been secured since the social network reset access tokens about two weeks ago. The incident has pushed opinion in the U.S. a bit in the direction working to develop a set of national data protection regulations along the lines of Europe's GDPR. Although there's skepticism among observers about how easy it would be for legislators to get the complex issues right. In the meantime, everyone, but especially the 30 million affected Facebook users, should be alert to the possibility of more plausible social engineering.
Dave Bittner: [00:03:46] For all that, a survey shows that online privacy advocates suffer from an image problem. Research sponsored by security software firm HideMyAss! and conducted in concern with Censuswide surveyed over 8,000 people in France, Germany, the U.K. and the U.S. Their conclusion is that people, quote, "perceive privacy advocates as untrustworthy, paranoid, male loners with something to hide" - end quote, as if they're outlaw preppers trying to get off the grid. It's worth thinking about - and leave aside your reasonable suspicion that a company's calling itself HideMyAss! - exclamation point - may not be doing its customer's image any favors.
Dave Bittner: [00:04:28] There are plenty of reasons to value data privacy, even if, in fact, you really don't have anything in particular to hide. You don't have to be the Dread Pirate Roberts to see, to take an obvious example, a social engineer who knew personal facts like your age, work history, religion and hometown would be able to craft more convincing spear-phishing messages. And in fact, about 14 million Facebook users now have that to worry about. And surely, no more than, say, 5 million of them are probably untrustworthy, paranoid, male loners with something to hide, right?
Dave Bittner: [00:05:03] Bloomberg's story of a Chinese seeding attack on the IT supply chain remains controversial. But at this point, reactions are trending strongly toward skepticism. Bloomberg has been standing by its story. But one of those they interviewed in their follow-up piece, Sepio's Yossi Appleboum, told ServeTheHome that he's disappointed his words were used to reinforce Bloomberg's claims that Supermicro was compromised. He says, quote, "I think they are innocent" - end quote. He adds, instead, it's a general problem and not even necessarily a manufacturing one. Attacks can occur anywhere in the supply chain. It seems likely that the reporting will continue to unravel. Supply chain vulnerabilities and attacks on them are a real concern. But this particular story is not holding up well.
Dave Bittner: [00:05:52] The September 13 lethal explosion involving the Columbia Gas low-pressure natural gas distribution system in Massachusetts was greeted with much speculation that the tragedy was caused by a cyberattack. But a preliminary report by the U.S. National Transportation Safety Board concludes that it was indeed an accident. It occurred while an old section of cast-iron, low-pressure pipe was being replaced. The sensing lines still functioning in the section of pipe that was being abandoned interpreted the disconnection as a loss of pressure and reported this to the regulator devices, which increased the pressure in the system beyond safe limits. As Control Global's Unfettered Blog notes, not only was this not an attack, it wasn't even a network monitoring problem but rather an engineering and people problem.
Dave Bittner: [00:06:43] It's worth remembering, as we consider the pipeline explosion and the supply chain seeding attack stories, that caution in explanation and attribution are always important and that bad things happen through accident, oversight, inattention and negligence as well as through malign intent.
Dave Bittner: [00:07:01] Estonia joined the Netherlands and U.K.'s push to clarify sanctions for cyberattacks. Italy pushed back following its recent tendency to seek relaxation of tensions, particularly with Russia, as opposed to pursuing confrontation or sharper deterrence. Italy is likely to be an outlier here. There's widespread concern about Russian cyber operations in Europe and growing concern about the possibility of hybrid operations as well.
Dave Bittner: [00:07:29] Foreign Affairs notes the very odd presence of a paramilitary biker gang, the Night Wolves, that's established itself in eastern and central Europe. The Night Wolves seem to be or are feared to be more akin to the green men of Crimea, paramilitaries in eastern Ukraine or the PMC Wagner mercenaries in Syria; that is, they look like deniable proxies. The Slavic daily Pravda has been reporting since July on how the gang established a headquarters in a Slavic village, even borrowing surplus combat vehicles under the pretense of establishing a military museum. Those vehicles have since been repossessed. But as we say, it's a very odd story. The Night Wolves are also known informally as Putin's Angels. And whatever they're up to, they bear watching. This motorcycle club is not your father's crew of one-percenters well-known on the North American highways for weekend runs, opposition to helmet laws and, north of the 49th parallel, some cigarette trafficking in high tobacco tax Canada. Expect various information operations to emerge positioning the Night Wolves as patriotic hobbyists, just the way the GRU officers accused of nerve agent attacks in the U.K. and hacking in the Netherlands were tourists and tulip enthusiasts. That's continued to be Moscow's story, and they're sticking to it.
Dave Bittner: [00:08:57] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:09:58] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. And he also heads up Unit 42, which is their threat intel team. Rick, it's good to have you back. We've got an interesting topic to discuss today. We're going to talk about exponential growth and how it applies to cybersecurity. And along the way, you've got some book recommendations. But what are we talking about here today?
Rick Howard: [00:10:20] Yeah. Thanks, Dave, for having me back. I picked up a couple of books this year. And I have been fascinated by the idea about it. And the two books are called "Abundance." First one's "Abundance," and it's by Peter Diamandis and Steven Kotler, published back in 2012 and recommended by Bill Gates. And the second one is called "Exponential Organizations" by Salim Ismail, Mike Malone and Yuri van Geest. That was published back in 2014. Now, in both books, the authors discuss these things called exponential technologies. And this is how they define them - tools or systems where the power and/or speed doubles each year and/or the cost drops by half each year.
Rick Howard: [00:11:01] Now, abundance is this radical idea that exponential technologies - OK, this one's defined by that definition, I guess. OK, these are the ones that double each year and the cost goes down each year - will flip our common notion about scarcity. In the abundant future described in these two books, the cost of solar power, for example, and the exponential technologies that drive it might become so cheap and so powerful that energy becomes essentially free for every person on the planet, OK? That seems really hard to believe when you say it out loud like that. But in both books (laughter)...
Dave Bittner: [00:11:37] Yes, it does (laughter).
Rick Howard: [00:11:38] ...The authors - yes, it does. So I know, so stay with me, OK?
Dave Bittner: [00:11:41] I'm with you. I'm with you.
Rick Howard: [00:11:43] All right. The authors in both books - all right - they track the cost and power of those exponential technologies, not just the energy community but in all the exponential technologies they were looking at over the last 25 years. And the cost is indeed exponentially going down or the computing power is exponentially growing. The authors did not list cybersecurity as one of their things. But I believe that cybersecurity is right at the beginning of exponentiation, and nobody has noticed it yet. So let me show you what I mean.
Dave Bittner: [00:12:12] OK.
Rick Howard: [00:12:13] OK. Diamandis and Ismail talk about these things called the six D's of exponentiation. The first one is called digitization, OK? And that means once a technology becomes digitized, it is easy to access, share and distribute. Like, solar power went digital about 25 years ago, OK? This means that all the data collected from solar panels and all the devices it takes to manage them had been put online. Before the technology went digital, maintenance and repairs were all manual. But with the data online, solar farms can now remotely monitor and maintain their systems. And some are even using machine-learning algorithms to anticipate problems automatically.
Rick Howard: [00:12:50] So in the early days of the cybersecurity space, vendors sold network defenders hardware appliances to perform one or more blocking functions down the intrusion kill chain. Today, many vendors have already started to collect their customer data and process it in the cloud. So that's the change. They are starting to transform themselves from hardware manufacturers into software as a service companies where they deliver security service from the cloud. This is digitization. The next one's deception.
Rick Howard: [00:13:21] So after digitization, growth is deceptively small until the numbers break the whole number barrier. So if the speed of your exponential technology grows from, like, .34 to .68, nobody will notice that. But once it grows to, like, 1.088 or something like that, that's crossing the whole number barrier. And when it doubles 10 times more, it starts to become a very big number. The point to note is that the growth is not linear. It is exponential. And this is exactly what's happening to solar energy and the exponential technologies that drive it, and it is the phase that the cybersecurity industry is in right now. We're in the deception phase. All right?
Rick Howard: [00:14:00] So the third D is disruption. So this is - after the whole number barrier's broken, the existing market is disrupted by the new market's effectiveness and cost. And here's where it gets interesting. The next D is the demonetization, OK? Exponential technologies increasingly become cheaper. In 1998, residential solar power installation cost was about $12 per watt. Seventeen years later, the cost has been reduced by two-thirds.
Rick Howard: [00:14:27] In the cybersecurity space, once venders can deliver point products solutions as SaaS services from the cloud, the cost of hardware, maintenance and training for each product practically goes to zero. All the security apps run over existing infrastructure. Yes, you pay for maintenance and training of the initial infrastructure, but you don't have to pay for it for each point product deployed. So the price of everything starts to get reduced, which leads us to the next phase, dematerialization.
Rick Howard: [00:14:54] Physical products get removed. In energy, more people move to solar power. Oil company refineries will start to vanish. The reliance on utility companies to distribute power start to disappear, too, replaced by the individual homeowners' ability to generate and store their own power. In the cybersecurity space, hardware point products start to disappear. All right? And so that's the first five.
Rick Howard: [00:15:17] And the last one is the one that's kind of, you know, pie in the sky. It's called democratization. And once the first five D happen, the technology price becomes so cheap that anybody can have it. Solar power and the technology that supports it becomes essentially free. All right. So Diamandis and Ismail predicted this can happen in the next 10 years in the energy sector. The trick for the energy sector then is, how does your business receive revenue from a formerly scarce resource when it flips to being abundant everywhere?
Rick Howard: [00:15:46] In the cybersecurity space, open source, cloud delivered security applications will emerge in much the same way as point product, open source products happen today, tools like Bro intrusion detection systems and NMap and Metasploit, just to name three. The tools will become free, the data will become what is valuable and everything will run on the underlying platform. So those are the six D's. How does that sound? Does that make sense to anybody?
Dave Bittner: [00:16:13] It's a lot to take in, but I certainly think - I mean, the thing in solar is interesting. I also think about things like the music industry, where, you know, the scarcity of having to go to the record store to buy your favorite album for, you know, an $18 CD, and now you have all the world's music available to you for 10 bucks a month on your mobile device. So certainly we've seen this sort of disruption before as data becomes available and, to your point, essentially free.
Rick Howard: [00:16:41] Diamandis and Ismail make a strong case that exponential technology will help solve some of the world's grandest challenges. But, you know, they didn't include cybersecurity in their set, but it's clear to me that cybersecurity's just beginning down the six D's of exponentiation, right? And like Diamandis and Ismail's grand challenges, I expect cybersecurity to move through these six D's fairly quickly, most likely in the same timeframe as solar power, most likely in the next 10 years. The future is exciting.
Dave Bittner: [00:17:12] Yeah. Well, (laughter), it certainly is. And I'll tell you - you know, Rick, as we both know, everything on the internet is forever. So I'm looking forward to 10 years from now...
Rick Howard: [00:17:21] (Laughter).
Dave Bittner: [00:17:22] ...One of our listeners reaching out and sending an email to you and me with a recording of this and giving us a score on how it turned out. But it certainly could be interesting to watch, right? Interesting time, as always.
Rick Howard: [00:17:35] (Laughter). That's great. It's always great to be a futurist predictor 'cause, you know, it doesn't matter. You can make up anything you want 'cause no one will remember it.
Dave Bittner: [00:17:40] Yeah. That's right. That's right. All right. Well, as always, Rick Howard, thanks for joining us.
Rick Howard: [00:17:44] Thank you, sir.
Dave Bittner: [00:17:48] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:17:56] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:18:14] And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:23] We hope you'll check out the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute.
Dave Bittner: [00:18:42] Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment, called, "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:11] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.