The CyberWire Daily Podcast 11.26.18
Ep 731 | 11.26.18

A quick look at the state of spam. Phishing for power grids. Industrial espionage. Free and command economy versions of social control. Lessons from JTF Ares.

Transcript

Dave Bittner: [0:00:00] Hello, everyone. A quick reminder that in addition to our daily podcast, we also publish a daily news brief that you can subscribe to and have delivered via email every day. It's a great companion piece to the daily podcast, with dozens of links to all of the day's cybersecurity news. So do check it out and subscribe over on our website. That's thecyberwire.com. It's the CyberWire Daily News Brief at thecyberwire.com. Thanks.

Dave Bittner: [0:00:28] Emotet ramped up for Black Friday, so beware of the spam. Social engineering and the power grid. Industrial espionage resurfaces as an issue in Sino-American relations. Huawei remains unforgiven in Washington. We'll talk about China's emerging social credit system. Bottom-up social control in the U.S. First, they came for the dog walkers. Making a Dutch book on social media. Russia tightens internet laws. And the U.S. Army learns some lessons, in a good way, from Joint Task Force Ares.

Dave Bittner: [0:01:06] And now a word from our sponsor, ObserveIT. (Singing) It's the most wonderful time of the year. Well, sort of. We're talking about budgeting season. Most cybersecurity professionals agree that they need more budget. Unfortunately, many organizations wait until a costly incident occurs to provide the budget their security teams need. A case in point, insider threats cost organizations, on average, $8.76 million per year according to a Ponemon Institute survey. But 34 percent of cybersecurity professionals named lack of budget as a major barrier to establishing an effective insider threat management program. So how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives an in-depth look at insider threat budgeting, including determining top cost centers, evaluating your organization's risks and, especially, making the case to management for a dedicated insider threat management line item. Visit observeit.com/cyberwire and check out ObserveIT's "Guide to Budgeting for Insider Threat Management" today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [0:02:34] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:02:38] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 26, 2018. Emotet ramped up phishing attacks last week. Its Black Friday spam delivered malicious XML files with a .doc extension, and this, as WeLiveSecurity points out, is a bit of a departure for this criminal enterprise. Phishing is, of course, a matter of great concern to consumers during this season. It's important to recall, however, that this particular form of social engineering is also a preferred tactic of threat actors who've gone after power grids.

Dave Bittner: [0:03:15] ICS security firm Novetta is reminding people that the hackers who took down portions of the Ukrainian power grid started with phishing. The recent Liberty Eclipse exercise conducted on Plum Island, N.Y., indicated that there are ways of restarting a power distribution system that's been taken down. It's called a black start. And Control Global's blog points out that the exercise, while small, seems to have yielded scalable results. But Control Global also urges further work to see whether such recovery would be possible in the event of sensor compromise.

Dave Bittner: [0:03:51] The U.S. trade representative has taken official notice of more Chinese hacking as trade tensions intensify. This is widely regarded as placing China in breach of the agreement made during the Obama administration to cut back industrial espionage. The U.S. is urging its allies on security grounds to steer clear of Huawei. Huawei, which some see as caught in the middle of a trade dispute, professes itself surprised by this unfavorable treatment by American authorities, but the U.S. security warnings seem to be gaining some traction.

Dave Bittner: [0:04:26] To stay with news affecting China, the city of Beijing plans to bring each of its 22 million citizens under a Social Credit System, aggregating and scoring each individual's actions and reputation. If you've been behaving and are well-thought-of, life will be easier. If not, you'll be unable to move a step, as Bloomberg's report puts it. The capital city's program is the forerunner of one envisioned for the country as a whole, a kind of mark-of-the-beast as reconceptualized for big data. Imagine a panopticon mash-up of a credit bureau, a moderated Twitter mob, a Yelp for human beings and traffic cameras. One of the social debits that will cost you, like points on a life license, is failure to clean up after your dog.

Dave Bittner: [0:05:15] And it's not just Beijing, either. Recently, a prominent business leader, Dong Mingzhu - she's the president of China's leading maker of air conditioners - was publicly shamed in the city of Ningbo for asocial behavior. At 3.5 million people, Ningbo isn't in the big leagues of China's cities but still large enough. The Ningbo police quickly retracted and apologized for the shaming, when various people pointed out to them that the image that led them to ding Dong was, in fact, just her face on an advertisement plastered to the side of a passing bus.

Dave Bittner: [0:05:50] So they're sorry, and it would be easy to laugh this one off as just the vicissitudes of still-maturing biometric technology, if it weren't for the way it revealed the extent and ambitions of social control. Consider this. The face on the passing bus was interpreted as crossing a street outside the crosswalk and against the light. That's right. The full technical capability of Ningbo's law enforcement was brought to bear on a jaywalking charge. Think about that.

Dave Bittner: [0:06:20] It's also, according to multiple reports, a lifelong score, a bit similar to a U.S. credit score but harder to improve and more comprehensive in its effect. As piloted in the city of Rongcheng, you start with a score of 1,000 points. You can earn some points by, say, donating blood, but you'll lose them for quarreling with your neighbors or, yes, jaywalking. Spreading rumors online will cost you 50 points. A good score gets you discounts, free cable channels and invites to community events. A bad one can keep you from booking a train ride or getting a promotion at work.

Dave Bittner: [0:06:59] Much grimmer than this is the comprehensive surveillance and control deployed in both human and technical forms to constrain China's largely Muslim Uighur minority in the western part of the country. As Spiegel reports, there, it's not just a matter of getting free cable. For the Uighurs, suspicion will land you in a re-education camp.

Dave Bittner: [0:07:20] Lest we think that these things are confined to China - or even to authoritarian regimes in general - or that a social credit system couldn't evolve from the bottom up, consider Predictim, a screening service that scans thousands of social media posts to score a potential hire for babysitting or dog walking services - and again, dogs - don't know what's up with that - with a risk rating for a variety of traits parents are likely to worry about - drug abuse, bullying, harassment, disrespect or possession of a bad attitude.

Dave Bittner: [0:07:54] The service, according to The Washington Post and its own site, uses advanced artificial intelligence to analyze a prospective babysitter's social media to derive its scores. How long this is likely to remain uncontroversial is unclear. And parents are, of course, entitled - heck, they're obliged - to protect their children. But consider how Twitter's opaque reasons for suspending accounts have aroused suspicion and mistrust.

Dave Bittner: [0:08:21] In any case, analysis of individual behavior online is what's landed Facebook into the parliamentary hot water it finds itself in over in the U.K. Authorities have obtained Facebook internal documents they intend to use in quizzing the social network at hearings tomorrow in Westminster. They're equally concerned with privacy and providing a platform for proscribed communications, especially terrorist content, concerns that would seem to be in mutual tension.

Dave Bittner: [0:08:51] Stung by the outing of GRU officers involved in the Salisbury nerve agent attack, Russia is tightening control over personal information. A draft law before the Duma would criminalize the unauthorized creation and publication of databases drawn from official sources. Another regulation would increase penalties imposed on firms that fail to observe requirements to delete certain search results, share encryption keys with security services or store all data maintained about Russian citizens on servers located in Russia.

Dave Bittner: [0:09:25] General Igor Korobov, director of Russia's GRU since 2016, has died at the age of 62, after what the defense ministry called a long and serious illness. His deputy, Vice-Admiral Igor Kostyukov, who has filled in for General Korobov during his illness, will serve as interim director. As the BBC mentioned in their account of the change, Admiral Kostyukov is also known for his earlier role commanding Russian forces in Syria.

Dave Bittner: [0:09:56] The U.S. Army, drawing lessons from participation in Joint Task Force-Ares, is working to push tailored cyber capabilities down to brigade level. As Fifth Domain reports, the brigades are likely to see task-organized cyberpackages chopped to them based on mission and area of operations. In U.S. Army practice, the brigade is the tactically interesting level of organization. And a decision to place cyber operators under brigade control indicates that the Army thinks it has both the need for and the ability to use such capabilities on the battlefield.

Dave Bittner: [0:10:33] Watch for this. If brigades routinely show up for their National Training Center rotations with cyber teams attached and if the opposing force at Fort Irwin shows a credible suite of cyber capabilities, then you'll know the Army is serious in its intent. Joint Task Force-Ares, you'll recall, is the U.S. cyber operations task force deployed against ISIS and similar groups. If Fort Leavenworth would like to tell us more about the lessons the Army believes it's learned, we're all ears.

Dave Bittner: [0:11:08] And now a word from our sponsor, Edgewise. If you've been following cybersecurity news in the past year, you've probably heard the phrase zero trust security more than once. The tl;dr of zero trust is to never trust and always verify every connection in your environment. That all may sound well and good, but the next questions are how, why, and where to begin. If you're in search of a guide to help you get from zero to zero trust, Edgewise Networks has you covered. They recently published "Zero Trust Security for Dummies" to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. "Zero Trust Security for Dummies" has the answers to all your zero trust questions. And the book is available for free. You can download it at edgewise.net/cyberwire. That's edgewise.net/cyberwire. And we thank Edgwise for sponsoring our show.

Dave Bittner: [0:12:19] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he's also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.

Joe Carrigan: [0:12:28] It's good to be back, Dave.

Dave Bittner: [0:12:29] So you recently attended the NICE Conference and came back with some interesting things to share. What do you have for us this week?

Joe Carrigan: [0:12:38] Yes. The one I wanted to talk about this week was the closing keynote from Raj Samani. He's a bigwig at McAfee.

Dave Bittner: [0:12:45] OK.

Joe Carrigan: [0:12:46] And one of the things he said that resonated with me was, we don't have a cybersecurities skills gap. What we have is a courage shortage.

Dave Bittner: [0:12:58] Go on.

Joe Carrigan: [0:12:59] Meaning that companies are not willing to take the risks they need to go out and find the people that need - that can possibly fill these positions. And he says that there are people out there who can fill these positions. And this is something I've been saying for a while now, is that when a company starts looking for a cybersecurity professional, you can't put a job posting up that says, we have an entry-level cybersecurity position, and you have to have a CISSP to be considered.

Dave Bittner: [0:13:27] Right. Right.

Joe Carrigan: [0:13:27] OK? A CISSP is not an entry-level credential. You have to have five years of experience to have that credential, to even hold the credential. If you think about how long cybersecurity has been a career field - right? - maybe 15 years.

Dave Bittner: [0:13:41] Yeah.

Joe Carrigan: [0:13:41] Right? Somebody who is in the career for five years is not entry level. Somebody who's been in this job, in this career, for two years is no longer entry level. Entry level is going to have to start meaning entry level - no experience required. OK?

Dave Bittner: [0:13:55] So fresh out of college?

Joe Carrigan: [0:13:56] Fresh out of college. Maybe not even college.

Dave Bittner: [0:13:58] Yeah.

Joe Carrigan: [0:13:58] But I have an idea.

Dave Bittner: [0:14:00] OK.

Joe Carrigan: [0:14:00] And I'd like to share it.

Dave Bittner: [0:14:01] OK.

Joe Carrigan: [0:14:02] If you are a company and you're looking for cybersecurity talent at the entry level, I make this suggestion to you. Talk to your vendors who sell you your cybersecurity products, and tell them, we're having a hard time filling entry-level positions, and here's what I'd like you to do. I'd like you to give me seats for training for free - your most basic training for free, so I can distribute that to people who might have an aptitude for your product. OK? And if they have a training and an assessment test, or if there is another test, like maybe a prometric test that you can go, and you can sit for the test. Possibly that can be some cost that can be absorbed by the employee.

Joe Carrigan: [0:14:47] But then you put an ad in the paper that says, entry level, cybersecurity, no experience necessary. And when the interviewees come in, you tell them that you're going to give them this course, which they're going to take on their own time. And they're going to take a test. And if they pass the test, you're going to give them a job. And the job is only guaranteed for, like, six months.

Dave Bittner: [0:15:09] OK.

Joe Carrigan: [0:15:10] Right? And it's a low-paying job, maybe $15 an hour.

Dave Bittner: [0:15:14] Right.

Joe Carrigan: [0:15:14] There are people out there who, I think, will jump at this opportunity, who would love to get into the field of cybersecurity. There's no shortage of people telling other people that cybersecurity's the place to be. There's no shortage of people that want to get into this field. What there is a shortage of is companies that are willing to invest in employees who might be able to fill the roles.

Dave Bittner: [0:15:34] Yeah. I hear this all the time. People reach out to me on Twitter and other social media things, and they say, how do I get - it's this Catch-22.

Joe Carrigan: [0:15:43] Right. Absolutely.

Dave Bittner: [0:15:43] Right? I want to get into the field, but everybody's saying, in order to begin in the field, I have to already have five years of experience in the field.

Joe Carrigan: [0:15:50] This is why we have the gap (laughter).

Dave Bittner: [0:15:52] Right. And that's the thing. And yet, they're saying - companies are saying, we can't find anybody to hire. Well (laughter).

Joe Carrigan: [0:15:58] And I'm not saying you lower your standards. I'm saying you've got to look in other places that you haven't traditionally looked.

Dave Bittner: [0:16:03] Right.

Joe Carrigan: [0:16:03] There are quality people out there who want to have these positions. They just don't have the five years of experience that you're looking for. These could be the best people out there.

Dave Bittner: [0:16:12] Yeah.

Joe Carrigan: [0:16:12] So you assess whether or not they're good enough - right? - by having them take some kind of assessment test and training.

Dave Bittner: [0:16:19] Give them a few months on a trial basis.

Joe Carrigan: [0:16:21] Give them a few months on a trial basis, and who knows, you may find the next cybersecurity superstar.

Dave Bittner: [0:16:25] All right. Well, it's an interesting possibility. I mean, for sure, there needs to be some creative solutions to this problem.

Joe Carrigan: [0:16:33] That's correct. And this is just a cursory, you know, brainstorming idea. I mean, I'm not saying that I have the complete and total answer. You're going to have to spend a little bit of time, come up with a plan. But here's a skeleton for you.

Dave Bittner: [0:16:44] Right. Right. All right. Joe Carrigan, thanks for joining us.

Joe Carrigan: [0:16:47] My pleasure, Dave.

Dave Bittner: [0:16:52] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [0:17:12] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [0:17:20] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.

Dave Bittner: [0:17:35] And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [0:17:49] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.