Trolling the trolls. Triton/Trisis attributed to Russia. Asset management in ICS. Threat intelligence drives threat evolution. Shadow web-apps. Apple likes GDPR, hates the Data-Industrial Complex.
Peter Kilpe: [00:00:04] U.S. Cyber Command reaches out to tell the trolls Uncle Sam cares. Industrial control system security suffers from poor asset management practices. FireEye looks at the TRITON malware and says the Russians did it. Of course, things are complicated. Are hostile intelligence service hackers superheroes, salarymen, nebbishes or something in between? How threat intelligence drives threat evolution. The risk of shadow web apps. And Apple speaks on privacy.
Dave Bittner: [00:00:39] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the cyber CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show.
Peter Kilpe: [00:01:44] Major funding for the CyberWire is provided by Cylance.
Peter Kilpe: [00:01:47] From the CyberWire studios at DataTribe with your CyberWire summary for Wednesday, October 24, 2018, I'm Peter Kilpe, executive editor, sitting in for Dave Bittner, who's taking a well-deserved vacation. Don't fret; he'll be back in the studio on Monday.
Peter Kilpe: [00:02:01] The U.S. has begun to reach out directly to individuals involved in Russian influence operations. U.S. Cyber Command is reported to be direct messaging trolls engaged in attempts to disrupt elections and otherwise make mischief. The message is simple and direct - we know who you are. We know what you're doing. And you'd be well advised to knock it off. Observers differ on how effective this will be as a deterrent, but the U.S. indictments of individual Russian nationals for their role in influence operations give the warning some point. And it's unknown what other retaliatory operations Cyber Command may have under preparation or underway.
Peter Kilpe: [00:02:36] We're hearing in Atlanta at the ICS security conference that there's a growing awareness among corporate board members of the cyber risks to industrial control systems. That's one of the relatively positive outcomes of the pain inflicted by last year's NotPetya infestations. Conference symposiasts expressed some gratification at the extent to which traditional risk management framework practices are increasingly being adopted. Some gratification at the extent to which traditional risk management framework practices are increasingly being adopted.
Peter Kilpe: [00:03:08] Unsurprisingly, they think there's more work to be done, especially with respect to asset management. Several panelists and speakers told of the many cases of incident response they've seen in which a company under attack tries to improvise asset management on the fly. The speaker stressed the importance of knowing what you have and what it's connected to. They also emphasized the importance of documentation and configuration management.
Peter Kilpe: [00:03:31] Yesterday, FireEye attributed with high confidence the TRITON/TRISIS attack against safety systems in a Saudi petrochemical facility to Russia. The attribution might strictly be one of association or involvement. FireEye concluded that some of the code was written by the Central Scientific Research Institute of Chemistry and Mechanics in Moscow, an organization, of course, operated by the Russian government.
Peter Kilpe: [00:03:54] Who else may have been involved in the attacks and how they came to be given the code remain complicated questions. The evidence FireEye cites is of the convincing circumstantial variety - code written using Cyrillic characters, its preparation coinciding with Moscow office hours, an apparent handle linked to a known Russian individual, IP addresses, et cetera. That the institute has the capability to prepare code like TRITON/TRISIS seems clear.
Peter Kilpe: [00:04:20] Industrial cyber security firm Dragos, in a presentation at the ICS security conference, described Xenotime, the threat actor behind TRITON/TRISIS. They emphasized the disturbing news that cyberattacks were now designed to kill. Dragos CEO Robert M. Lee offered some encouragement when he cautioned people against forming a picture of the attacker as hyper-confident, effectively invincible. Instead, he argued - remember that bad actors make mistakes too, quote, "just like you," unquote. They certainly did with Trisis. Their attack on safety systems shut the facility down twice, which wasn't their intention. They wanted to operate in an unsafe mode. Lee suggested an alternative picture of the industrial control system hacker. They're 18 to 30 years old. They're in their first government job. And they're dealing with management and PowerPoint, quote, "just like you," unquote.
Peter Kilpe: [00:05:11] A study by cybersecurity firm Cylance concludes that threat intelligence, while itself a good thing, also drives bad actors to improve. In a study they call Whack-A-Mole, released yesterday, they described the ways in which surveillance tools sold to repressive regimes are tweaked and reused after they're publicly burned. The stories they follow concern Prometheum spyware, also known as StrongPity, which was exposed in a Citizen Lab report. Prometheum has since returned. Its indicators of compromise may no longer appear, but rest assured, it's just a dodge. They're back and in an evolved form. As the report puts it, quote, "minimal effort and code changes were all that were required to stay out of the limelight. Cylance observed new domains, new IP addresses, filename changes and small code obfuscation changes," unquote.
Peter Kilpe: [00:05:59] CSO magazine, in their account of the Whack-A-Mole study, points out the complexity that the, quote, "mercenaries," unquote, introduced into the matter. Those mercenaries may not just be the Russian mob or a university-affiliated research institute in Moscow - could be a Western company that dabbles in the lawful intercept field and associated markets. Italy, Canada, Israel and Germany, says CSO, seem to be particularly tolerant of such activity.
Peter Kilpe: [00:06:25] Shadow IT has long been a matter of concern to enterprise security officers. High-tech Bridge, in a report released this morning, says there are other worrisome shadows out there. Abandoned shadow and legacy web applications remain a threat to both enterprise security and business compliance. Information sharing among public and private organizations is often praised as a way of enhancing security. But it also raises concerns about privacy.
Peter Kilpe: [00:06:49] Ben Yelin, from the University of Maryland's Center for Health and Homeland Security, talks about the issues the Electronic Frontier Foundation has with license plate sharing between retailers and law enforcement. We'll hear that interview from Dave after the break.
Dave Bittner: [00:07:06] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at the thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. That's thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:08:06] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. We saw some information come by from the EFF, the Electronic Frontier Foundation. And they were taking issue with some private companies - I believe some shopping malls that were sharing license plate information with law enforcement. What was getting their dander up here?
Ben Yelin: [00:08:33] So this is a company based in Irvine, Calif., a private real estate company, that was collecting people's license plate numbers - using what's called automated license plate readers, ALPR. And they claimed that they were only doing this at a limited number of their shopping centers. Now, the legal problem here is that they were submitting the data to Vigilant Solutions. They are a contractor who deals with state and local law enforcement agencies.
Ben Yelin: [00:09:02] And, of course, a main civil libertarian concern is that identifying information will be submitted to Immigration and Customs Enforcement. It could potentially be used in deportation proceedings. So if the government was trying to track a person down, they could search a large database which would contain a bunch of different license plates numbers. It would be able to at least identify whether that license plate had been at a given location. And that could help in their investigative process.
Ben Yelin: [00:09:31] So the company says that that data was only used for limited purposes. It wasn't being transmitted to a larger government database of license plate reading information. It was only being used to be sent to local law enforcement to enforce, you know, the rules and regulations of the three malls that were under surveillance. EFF went and actually looked at the terms and conditions and the usage of privacy policies of that company. And they affirmed that the company was not representing what they would do with that data.
Ben Yelin: [00:10:05] EFF is claiming the privacy policies are very, very broad - that they are allowed, according to their own policies, to send collected license plate data to a searchable database accessible by multiple law enforcement agencies. And by multiple law enforcement agencies, that can include everyone from local police, state police to federal organizations, like the DEA and Immigration and Customs Enforcement.
Ben Yelin: [00:10:32] So this is, you know, a major Fourth Amendment concern because even though people are exposing their license plate to the general public - and thus, according to our Fourth Amendment jurisprudence, they don't have a reasonable expectation of privacy to that information - I don't think most of us would expect a private contractor to store our license plate and send it into a giant database accessible by all different types of law enforcement agencies. So I think it's a big civil liberties concern.
Dave Bittner: [00:11:01] Now, what about, just from a practical point of view, the mall? You know, you go to your local mall. And a lot of times, you'll walk in, and you'll see they have rules of civility and things like that. You know, when you're a guest in our mall, this is private property, and here's what we expect of you. This seems to me to be a different thing of that. I guess I'm trying to wrap my head around the notion of a EULA with a mall. You know, would they have to post it at the entrance or everywhere where you might drive in that, hey, your license plate might be scanned here? How would that work?
Ben Yelin: [00:11:34] I mean, they already have - there are rules or regulations about, you know, telling people that they're being surveilled in other ways. So I'm not sure exactly what the California Civil Code is on this. But I think they're required to post signs on the premises of a piece of property that uses simple video surveillance. So I think the same logic would apply here. California code specifically relating to license plate identification says that there has to be a notice to the consumer.
Ben Yelin: [00:12:03] You know, what EFF is alleging is that the company has not given proper notice. You know, and once people are aware that that technology not only exists but potentially could be used in law enforcement investigations, then they would at least have some agency to decide whether to make themselves public. But I think the fact that most people don't really realize that that technology exists - that license plate readers can very quickly and efficiently collect license plate identifying information and put it in a giant database - I think that's really the nature of the concern.
Dave Bittner: [00:12:38] No, it's fascinating. Ben Yelin, thanks for joining us.
Ben Yelin: [00:12:41] Thank you.
Peter Kilpe: [00:12:45] Apple CEO Tim Cook has called for a comprehensive U.S. privacy law. Speaking in Brussels this morning, he said that the effects of the EU's GDPR have been positive. And he expressed the hope that the U.S. would follow suit with comparable regulation. Apple, of course, has long differentiated itself from other Silicon Valley tech giants by its public commitment to privacy. Apple sells devices not data, which would be the basic product of companies like Google and Facebook.
Peter Kilpe: [00:13:10] Mr. Cook would like everyone to understand that. He famously pointed across Silicon Valley, in the general direction of Google, and said, quote, "if you're not paying for the product, you are the product," unquote. Cook also strongly reiterated the company's longstanding opposition to any weakening or subversion of device encryption. Giving governments easy access to people's devices is a threat, he maintains, to basic rights to privacy. Not everyone, he notes, may feel that way - especially those in what he called the, quote, "data industrial complex," unquote.
Peter Kilpe: [00:13:42] If you talk to recruiters and HR professionals, they're likely to tell you that they can't find nearly enough qualified people to fill their open jobs in cybersecurity. And if you speak with recent graduates, you're likely to hear how tough it is to get your foot in the door - to get that first big break. Our U.K. correspondent, Carole Theriault, caught up with ESET's Lysa Myers to explore this contradiction.
Carole Theriault: [00:14:04] At the recent VB conference 2018, Lysa Myers, a security researcher for IT security firm ESET, presented a paper called "Where Have All The Good Hires Gone?" Lysa says that much ink has been spilled on the subject of how difficult it is to hire and retain people for these positions. I got a chance to catch up with Lysa to find out more about this problem and to see what she thinks can help solve it. So first off, can you tell me a bit about what led you to look into this problem?
Lysa Myers: [00:14:36] Well, it's kind of a personal one for me. I mean, I've been in this industry for 20 some years now. And I have heard a lot of people, well, complain basically about the hiring process - both people who are trying to get into the industry and people who are more experienced and being recruited or trying to get other jobs.
Carole Theriault: [00:14:58] Right because I don't understand the skills shortage because I keep reading about people who find it impossible to get into the industry. It's like they want to work in cyber, but the doors seem closed to them.
Lysa Myers: [00:15:10] Yeah, that's absolutely true. The thing that I hear over and over again from people is that there are very few truly entry-level jobs. Like, there's an expectation that you'll be coming into your first entry-level job with certification or a degree and certification - and, you know, which somehow magically has several years of experience as well.
Carole Theriault: [00:15:35] So it's like a Catch-22, you're saying. It's like the entry positions demand skills. And how do they get those skills?
Lysa Myers: [00:15:43] Exactly. A lot of what needs to change happens on the side of hiring managers and organizations. There's a lot we're doing right now of having unrealistic expectations of people and setting up these Catch-22s or finding arbitrary hurdles that exclude people who have both interest and inclination in getting into this industry - finding those people with interest and inclination and then asking them to agree to get certification after they get hired or training them in-house or, you know, partnering with organizations that do train people specifically on tech or cybersecurity skills.
Carole Theriault: [00:16:20] Yeah. And do you find that kids, for example in high school, are actually interested in coming into this industry - the industry of cybersecurity?
Lysa Myers: [00:16:29] Oh, yeah, absolutely. We have an event every year called Cyber Boot Camp. And we interact with middle school and high school kids. And they have - even the ones who come in thinking that they don't necessarily want to go into a job in this industry end up really motivated. And a lot of them do change their minds and think, you know, this actually could be a really cool thing to do for a job.
Carole Theriault: [00:16:51] Right. So there's kind of maybe some onus upon us in the industry to get the word out that it's actually fun. It's a great industry to work in. I mean, I've worked in it for almost as long as have, and, you know, we're still here.
Lysa Myers: [00:17:03] I think some of the problem too is how this is taught. General thinking with teaching is that you want to tie it into kids' interests and their knowledge that they already have. And computer science, when it is taught in school, it tends not to focus on the fun aspects or things that might interest the kids. And so it kind of reinforces the idea that it's this boring and lonely thing. People like you and me who've been in this industry for a while know that computing is a lot of fun. It's a great tool for doing other fun things as well.
Carole Theriault: [00:17:36] Right. So you're basically saying, we need to think outside the box about how to recruit new talent to this industry because technology certainly isn't going anywhere fast.
Lysa Myers: [00:17:47] Exactly. And it really benefits everybody to have a really diverse background. But, you know, people who come from different socioeconomic backgrounds or different cultures or different neurotypes or, you know, abilities - all these things are what make up the population. And those are the people who use our products. And so by having a representative group of people who are making the products, we're better able to make the products work well for the people who we want to use them.
Carole Theriault: [00:18:18] That's a really good point - that a heterogeneous environment is really good for the industry. One of my favorite security researchers actually had a degree in philosophy when he first came into the job.
Lysa Myers: [00:18:31] Yeah, my background is kind of a very unusual as well. Like, I was that kid who took so many art classes that they had to have an intervention to make me take something a little bit more balanced. And I was a florist before I started working in computers, which seems about as opposite as you can get. But the way that I did things was different enough from my coworkers that I was able to see some things that other people didn't because I have such a different background.
Carole Theriault: [00:19:00] Lysa, thank you so much. This was Carole Theriault for CyberWire.
Peter Kilpe: [00:19:07] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you using artificial intelligence, visit cylance.com And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. Thanks to our supporting sponsor VMware, creators of Workspace One intelligence. Learn more at vmware.com
Peter Kilpe: [00:19:38] The CyberWire podcast is proudly produced in Maryland out of the startup of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. And I'm Peter Kilpe, sitting in for Dave Bittner. He'll be back next week. Thanks for listening.