India hacks back. Rob Joyce discusses cyber conflict. Chinese hackers look for maritime technologies. Google reveals a macOS vulnerability.
Dave Bittner: [00:00:03:20] India went on the offensive when its government websites were attacked by hackers from Pakistan. Rob Joyce, Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency, discusses trends in cyber conflict. A Chinese cyber espionage group hacks for maritime technologies. Facebook lets people look you up by your two factor authentication phone number. And Google researchers disclose a vulnerability in mac OS.
Dave Bittner: [00:00:37:08] Now, I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero day vulnerabilities. With 24/7 365 security operation center support around the globe, and over 300 security experts in house, Akamai surrounds and protects your users wherever they are. At the core, in the cloud or at the edge.
Dave Bittner: [00:01:17:19] If you're going to RSA this year, visit Akamai in the north hall, booth 6153 to take part in their crack the code challenge, for an opportunity to win a new 3D printer. Akamai, intelligent security starts at the edge. Learn more at Akamai, that's Akamai.com/security. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:01:45:20] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday March 5th, 2019.
Dave Bittner: [00:01:53:16] India used offensive measures to counter hackers from Pakistan who attacked more than 90 Indian government websites in the hours after the Pulwama suicide attack last month, senior security officials told the Hindustan Times. The officials didn't give details on the operation or disclose which agency was behind it, but a cybersecurity adviser to the government says, the counterattacks did help India get a grip of the situation." Times Now points out that Indian hacktivists attacked more than 200 Pakistan government websites in the days following the Pulwama attack, although it's unclear if this campaign was related to the government's operation.
Dave Bittner: [00:02:35:05] One interesting detail is the fact that the cyber attacks against India originated from Bangladesh, India's friendly neighbor. One of the officials says, however, "That the coordinated manner in which the attacks were carried out, and the use of facilities in Bangladesh, leaves us with no doubt about the nature of the attack." The officials added that after the attacks from Pakistan failed, the hackers began spreading disinformation on social media.
Dave Bittner: [00:03:03:01] This morning at RSA Conference, we attended a breakfast sponsored by Maryland's Department of Commerce. Their speaker was Rob Joyce, who currently serves as Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency. Joyce outlined a shift in cyber attacks. They've moved from theft of secrets, cyber espionage, toward becoming a means of imposing national will. We saw this clearly, he argued, in the Notpetya incident that did so much to disrupt commerce globally.
Dave Bittner: [00:03:35:12] Joyce sees four trends in cyberconflict. First, high end threat activity has become more sophisticated. Second, the level of expertise needed to operate as a significant threat has been declining. These first two trends might seem to be in tension with one another, but in fact they represent complementary tendencies. As threat actors become better at their craft, their tools become easier to use, effectively becoming commodities. He didn't use this analogy but he might have. The gun is a more sophisticated weapon than a sword, but the gun also made it easier for the poorly trained to be even more lethal than the highly skilled, carefully trained swordsman. Something similar to this is happening in cyberspace.
Dave Bittner: [00:04:19:07] Third, Joyce argued, we're seeing cyber conflict move from exploitation to disruption, and here again, Notpetya provides a good example of that progression.
Dave Bittner: [00:04:29:05] And fourth, and finally, Joyce sees the growing application of information operations that are leveraging what he called, "A cyber gray space." Thus an attacker might compromise emails but do so with a view to using their contents in the service of a larger attempt to persuade and influence a target.
Dave Bittner: [00:04:48:08] He argued that to survive in this emerging world, we need to build on a sound, solid foundation of the basics. We need to get, and stay, good at cyber hygiene, sound configuration, effective patching, those sorts of things. And laying this kind of foundation is, in his view, a long term investment, that requires coordinated investment in education, and training.
Dave Bittner: [00:05:11:22] He concluded with a discussion of coming inflection points, the development and adoption of the smartphone a little more than ten years ago was one such inflection point. It was essentially a triumph of integration and it enabled the growth of industries and ways of life that few people expected or anticipated. He thinks that the fielding of 5G networks in the near future will represent a similar inflection point. 5G's higher density, greater speed, and lower latency will make things possible that we don't yet, because we cannot, fully envision.
Dave Bittner: [00:05:45:02] In response to a question about offensive cyber operations, Joyce said that in his view, offensive cyber operations are and must remain an inherently governmental responsibility. Their ramifications and possible consequences are simply too serious to open to private actors. Talk of letters of marque and reprisal is in his view, idle. He did note that the US government has now taken what he calls a "more proactive, aggressive," stance with its doctrine of continuous engagement. We're now willing to introduce some friction into the adversaries' operations, and we've shown the ability to do so.
Dave Bittner: [00:06:24:14] Controlling data access in your organization, who has access to what, can be a persistent challenge and as companies move more of their resources to the cloud, the complexity can get out of hand. Balaji Parimi is CEO and co-founder of CloudKnox, and he makes the case for moving away from traditional role based access control and toward adopting activity based authorization.
Balaji Parimi: [00:06:48:13] Traditionally, authorization and authentication are two different things. Role based access control mechanism has been created with the advent of LDAP in the early 90s. But that was created for convenience purposes and at that point the infrastructure was completely different. Everything was static, everything was physical. The automation was nowhere near what it is today. So once authentication is utilized, you know who can get in. But once the person gets in, what can that person do is completely managed by authorization.
Balaji Parimi: [00:07:17:22] That's been working great for some time, but when it comes to cloud computing, there are a lot more risks and a lot more inherent things that make this approach very risky. For example, in the traditional world, if you're not looking at cloud computing, or virtualization for that matter, you're basically looking at managing a physical server like a Windows machine, or a Linux machine, or a Unix machine, and if something happens there, the damage is confined to just that one machine.
Dave Bittner: [00:07:51:01] Whereas in cloud, you're looking at every aspect of the entire infrastructure that powers all applications within the company. Now, computer storage, network and everything, and this cloud is the foundation for all the applications of the company.
Balaji Parimi: [00:08:07:09] 15 years ago, if somebody had to decline application, it would take literally months. Now it will take literally a few minutes. And even if you have one identity managing that, cloud has all kinds of resources, storage resources, computer resources, network resources. If you look at the combinations of how many combinations an identity can use all these different functions, that number could grow into millions. So, it is almost impossible to manage this manually.
Balaji Parimi: [00:08:37:04] Which means an identity, if their credentials are compromised, the entire company could go out of business. A simple accident can cause a lot more damage.
Dave Bittner: [00:08:48:22] Explain to me, what are we talking about, when we're saying we're giving access based on activity rather than roles?
Balaji Parimi: [00:08:56:11] If you keep track of every activity, every change that happens, create a data delete, and with proper accounting and attribution to which identity has actually done that, you establish a pattern of this identity is using these ten privileges on these five resources. Now, that identity, like John is using these 50 privileges on these 1,000 resources, Craig is using these 20 privileges on these 50 resources, now once you create a pattern of the usage, based on the activity of each and every identity, you could provision exactly the privileges that they need, in order to do their day to day jobs.
Balaji Parimi: [00:09:35:24] And they won't see any hindrance to their productivity, because whatever they have been doing, they could continue to do and if they have to do something new, they can go through their own normal approval process in order to get those extra privileges. So on one hand, you reduce the risk significantly, while preserving what they need, in order to do their day to day operations. And if they need anything, they can get them through their formal approval process.
Dave Bittner: [00:10:06:11] When you're provisioning someone for this type of system, is there a training period? Is the system keeping an eye on what they're doing and learning? How do you get them set up at the outset?
Balaji Parimi: [00:10:17:13] On day one, we look at all the historical data. If the enterprise maintains a history forever, we have a history of everything. If they start off with the read only for everybody, so not a lot of damage can be done. As they need to do more and more like create this [UNSURE OF WORD] update, let them [UNSURE OF WORD] those kind of privileges and then over a period of 90 days, you have a pattern.
Balaji Parimi: [00:10:41:08] Once you have that pattern established with the 90 days, you could use that pattern as a set of privileges that each individual identity needs in order to do their jobs. And you can expand it to 120 or 30 days, or 60 days or whatever time period. So basically the idea is, look at what they have been doing and based on what they need, provide them just enough privileges.
Dave Bittner: [00:11:03:07] That's Balaji Parimi, he is founder and CEO of CloudKnox.
Dave Bittner: [00:11:09:08] FireEye published details on the suspected Chinese cyber espionage actor they're calling APT40. The threat actor's activity has previously been attributed to two separate groups known as Periscope and Jumper. FireEye noted in July of last year that there was significant overlap between the two groups, and it's now decided to merge them under the same term. FireEye states with moderate confidence, that APT40 is sponsored by the Chinese state, based on a number of technical clues, as well as the fact that the group's targeting falls in line with Chinese state interests.
Dave Bittner: [00:11:43:19] The group targets the engineering, transportation and defense industries, as well as universities, in search of maritime technologies that could be used to build up China's naval capabilities. The group has also been observed influencing elections and focusing on other political goals in support of China's Belt and Road initiative.
Dave Bittner: [00:12:03:04] Last year, FireEye observed the group, then known as Periscope, compromising targets related to Cambodia's elections. APT40's hacking techniques involve web server compromise, phishing operations, and strategic web compromise. They also use a variety of publicly-available and custom-made malware to establish footholds, escalate privileges and exfiltrate information.
Dave Bittner: [00:12:27:21] Facebook is again facing criticism after users realized that the phone number they provided for two factor authentication could be used to look up their profiles. Users also can't opt out of this feature. The default setting for the look up feature is set to everyone, and it can only be restricted down to friends. Facebook's former CSO Alex Stamos tweeted that. "this isn't a mistake now, this is clearly an intentional product choice." Last year, Facebook admitted that it was using phone numbers provided for 2FA to carry out targeted advertising.
Dave Bittner: [00:13:05:02] Researchers from Google's Project Zero publicly disclosed a zero-day privilege-escalation vulnerability in macOS, after Apple missed Google's 90 day deadline to release a patch. The proof of concept demonstration published by Project Zero takes advantage of a loophole in macOS's copy on write protection. Copy on write protects data being used by multiple processes by requiring each process to make a copy of the data before making changes to it. This prevents one process from disrupting all the other processes. The Project Zero researchers found that macOS allows users to mount and unmount filesystem images without alerting the memory manager, meaning that an attacker can stealthily replace higher privileged information. The researchers are calling the vulnerability, BuggyCow. The flaw is serious, but it's difficult to exploit and depends on malware already running on the system.
Dave Bittner: [00:14:03:12] Finally, again back to RSA. What's the trend in conference swag? It's socks, friend. Brightly colored, whimsical socks, the better to keep your feet warm and secure.
Dave Bittner: [00:14:19:19] Now, a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys. Your employees, contractors and privileged users. In fact a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to.
Dave Bittner: [00:14:44:08] See, most security tools only analyze computer network or system data. But to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to Observeit.com/cyberwire, that's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:15:28:04] And joining me is our CyberWire editor, John Petrik. John is out at RSA Conference. He is joining the masses who are out there taking in everything and John, we wanted to start off today by talking about the RSA innovation sandbox. What were the results from this annual competition?
John Petrik: [00:15:48:04] Well the results were that they did this year as they began the practice last year, offering two finalists and then announcing the second one in a reveal that has a little bit of suspense. So the two finalists were Duality Technologies. They're specialists in homomorphic encryption technologies that enable you to work on data without decrypting it. And then a company called Axonius which offers an asset management solution and the winners it turned out was Axonius which is an interesting choice because as Axonius themselves said, in their pitch, that they work on the unsexiest problem in cybersecurity which is asset management.
John Petrik: [00:16:28:05] But the panel of judges found that it's a sufficiently interesting product and solution warrant selecting them as the winner of the Sandbox, so it is Axonius that won this year. The judges commented in their remarks at the end, explaining their choice, that Axonius was interesting to them, because they're solving a problem that has been around for decades and the CISOs on the panel said that they've really succeeded in addressing a pain point, that enterprise security has had for a long time and never could get a straight answer about their assets. If you ask someone how many assets have you got? The answer will range, "Well we have between 3,000 and 100,000" which is to say "We don't have any idea whatsoever of how many assets we got." So that was the winner yesterday.
Dave Bittner: [00:17:10:23] Were there any common threads that you saw in terms of the variety of companies who are competing this year?
John Petrik: [00:17:16:20] Yes. Dr Hugh Thompson who was the MC, the impresario this year as he has been for many years now, began by having a little quick fireside chat, a back and forth with one of the judges, an RSA veteran, Niloo Howe, and they were yakking it up a bit on stage saying that they didn't have anything on quantum or block chain or AI. So those were last year's buzzwords, or the buzzwords from two years ago. So none of that.
John Petrik: [00:17:46:23] But there were some clear themes that the finalists did address, and those I think, on a short list, would be cloud issues, and particular hybrid cloud issues, problems with asset discovery, container security, API security and of course privacy. I think from walking the floor a little bit, we just had our opening yesterday evening, so I haven't been on the floor much, nobody has been. But that's a good list I think of high profile topics that seem to be engaging people here at the conference.
Dave Bittner: [00:18:18:11] Do you have any sense for what the overall tone is this year, and any trends that you're tracking?
John Petrik: [00:18:23:10] I'm going to be very interested in looking for what people have to say about content moderation and content screening. I think that's an interesting problem and I think that it's one that people are going to increasingly have to grapple with. I think there may be some false paths, some false lights that people are going to follow as they try to do that. I don't have the same sense of worry that I felt very strongly on the floor last year. Not so far at any rate. Last year, the conference felt very much like a convention being attended by people in an industry that was about to undergo some severe consolidation, and I don't feel that right now.
Dave Bittner: [00:18:59:11] John Petrik, thanks for joining us.
John Petrik: [00:19:01:21] You're welcome.
Dave Bittner: [00:19:06:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at Observeit.com.
Dave Bittner: [00:19:19:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.