The CyberWire Daily Podcast 3.15.19
Ep 801 | 3.15.19

Terror, announced and celebrated online. JavaScript sniffer afflicts e-commerce sites. Cryptojacking in the cloud. Perspectives on regulation, thoughts on a pervasive IoT. China’s IP protection law.

Transcript

Dave Bittner: [00:00:00:23] Hey everybody, Dave here. A quick reminder that in addition to the CyberWire podcasts that you know and love, we also publish our CyberWire daily news brief. It's got all the day's cybersecurity news and stories, much more than we can fit in our daily podcast. It's free, and you can check it out and sign up to have it delivered to your inbox every day when you visit our website, cyberwire.com. That's our CyberWire daily news brief. Do check it out.

Dave Bittner: [00:00:30:07] A terror attack against two New Zealand mosques is announced on Twitter and live-streamed on Facebook. A new, unobtrusive JavaScript sniffer infests some e-commerce sites in the UK and the US. Cryptojacking finds its way into the cloud. A look at the consequences of regulation, both good and bad. How CISOs will have to grapple with the increasingly pervasive internet of things. And, China's National People's Congress makes a gesture toward respecting IP, but the world remains skeptical.

Dave Bittner: [00:01:07:01] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze computer network or system data, but, to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required, go to observeit.com/cyberwire, that's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:02:10:03] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday March 15th, 2019.

Dave Bittner: [00:02:18:12] 49 people are dead in Christchurch, New Zealand, as anti-Muslim terrorists shot up two mosques during Friday prayers. Police have made four arrests. Intent to carry out the massacre was announced online shortly before the murders began. A manifesto seeking the sadly familiar goals of terror and depraved inspiration also linked to a shooter's Facebook page, where some 17 minutes of the massacre were subsequently live-streamed. It was apparently taken by a camera worn by the shooter, and it included the shooter's own repellent commentary, offered as he gunned down worshipers. Of the four arrests, police have charged one man with murder, released another after concluding he wasn't involved in the attacks, and continue to investigate the other two. The inquiry continues amid widespread condemnation of the attacks. The video has been taken down, and authorities urge anyone who may have it to refrain from sharing it.

Dave Bittner: [00:03:20:20] Researchers at security firm Group-IB late yesterday reported that seven online stores, based in the UK and the US, were infected with a new and evasive JavaScript sniffer that Group-IB calls "GMO." They first discovered the malware on the sporting goods site FILA UK.

Dave Bittner: [00:03:40:04] AT&T's Alien Labs have a report out on how cryptojacking has, like so much legitimate commerce, moved into the cloud. The infestations have come in a variety of ways: some pests are compromising open APIs and unauthenticated management interfaces in order to get into container management platforms. Others have gone after control panels of web hosting solutions. AT&T's Alien Labs blog has advice on how to recognize such attempts and a list of indicators of compromise.

Dave Bittner: [00:04:12:02] So here's a question: does regulation have a downside? That's one of the issues that was under discussion at the Johns Hopkins University's annual Cybersecurity Conference for Executives Wednesday. Regulation's promised upside is clear enough; it's an analogue of public health and public safety measures transposed to cyberspace. And the usual complaints about regulation, that it can stifle legitimate trade, that it can be an indirect form of patronage and rent seeking, that it can be poorly designed, well, those are also obvious enough. In a keynote that opened the proceedings in Baltimore this week, Dr Phyllis Schneck, Managing Director of the Global Cyber Solutions Practice at Promontory Financial Group, began by drawing attention to the well-known principle that compliance isn't sufficient for security, still less synonymous with it. And one problem with regulation is that compliance can lead to unjustified complacency. But she went on to outline some of the less obvious downsides, and upsides. Schneck offered regulation of personally identifiable information, PII, as an example of regulatory insufficiency. PII is widely regulated, but there's a wealth of other types of data that aren't, and which, when aggregated, can be at least as revelatory as what we commonly think of as PII. Information such as location data and buying habits, for example, can be just as valuable to an attacker as it is to the companies that collect the data. One of the problems with regulation, she said, is that it shows the bad guys what you're not doing, so they can invest their time and money into targeting areas that are unprotected. Attackers will always be ahead because defenders have laws that restrict their actions; attackers can adapt more quickly to new information and are generally more open to sharing information with other attackers. Operational resilience is the only way to address this problem, Schneck argued; companies need to have their recovery strategies set up in advance. She stressed that rehearsal is a necessary component of resilience: companies need to ask themselves what they would do if all the lights went out tomorrow, so that they're not dealing with that question when the lights actually do go out.

Dave Bittner: [00:06:24:04] John Forte, Deputy Executive for Johns Hopkins University Applied Physics Laboratory's Homeland Protection Mission Area, delivered the closing keynote. He spoke to the proliferation of interconnected devices: transportation, health care, buildings and cities, education, and public safety are increasingly automated, and CISOs are going to need to deal with that trend soon. IoT devices will be used to assist in countless tasks, and all of these devices need to interact with each other. The challenge is getting them to interact securely and building them so they can't be hacked. Forte said that the traditional consideration for a CISO is aligning the risk to the mission; in the future, however, CISOs will increasingly need to become business strategists. What CISOs need to start doing today is designing open, resilient, zero trust architectures, mastering the supply chain, and enhancing automation and the use of AI. Forte noted that we're currently in the very beginning stages of artificial intelligence.

Dave Bittner: [00:07:24:08] Agence France Presse reports that China's National People's Congress has approved a law said to be intended to inhibit government agencies from forcing foreign companies to give proprietary technology to their Chinese partners in joint ventures. The bill also makes a gesture in the direction of establishing mechanisms for adjudicating disputes over intellectual property among Chinese and international partners. The measure is widely seen as a peaceful gesture in the direction of Washington as Sino-American trade negotiations enter what appears to be their endgame, but few observers think the law will have much of an effect on Chinese conduct with respect to intellectual property. While the American Chamber of Commerce in China did say that the last-minute efforts are appreciated, it also regretted that the new law addresses just a small slice of the overall set of concerns its members have about the uneven playing field foreign companies encounter in China. On balance, that seems to be the international reaction: too many loopholes and uncertainties remain for those who would do business in China. Perhaps it's the thought that counts. Agence France Presse, by the way, helpfully, if sourly, calls the National People's Congress China's rubber stamp parliament. The vote in the National People's Congress was 2929 for it, eight against it, and eight with nothing to say. That's a pretty big rubber stamp; it must need quite a stamp pad.

Dave Bittner: [00:08:59:22] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze computer network or system data, but, to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required, go to observeit.com/cyberwire, that's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:08:01] And joining me once again is Craig Williams, he's the director of Talos Outreach at Cisco. Craig, great to have you back. I wanted to check in with you this time about where we stand when it comes to cryptominers.

Craig Williams: [00:10:20:17] Well, so, one of the things that we always suspected is that as the cryptocurrency markets continued to soften, a lot like the other economies, we were going to see some sort of impact in the behavior of the attackers using that as a preferred payload. And so we looked at our telemetry, obviously we have telemetry from our customers who decide to opt in, and, funnily enough, I made a fun mistake. I noticed a little bit of a dip in November, and so I talked to Nick and we were talking about the theory, and we agreed that, yes, there could be something to this, let's dive in.

Dave Bittner: [00:10:54:03] And?

Craig Williams: [00:10:55:22] Well, it turned out the day I was looking at it was Thanksgiving.

Dave Bittner: [00:10:58:12] [LAUGHS]

Craig Williams: [00:11:02:02] So, for those of you outside of the United States, that's when we all quit work and go and eat turkey for a while.

Dave Bittner: [00:11:10:10] I think we may have just got a little glimpse in your personal life there as well, Craig.

Craig Williams: [00:11:17:06] Yes, and so it turned out that we were able to prove that, yes, the tiny little window I saw absolutely happened.

Dave Bittner: [00:11:23:12] Alright.

Craig Williams: [00:11:24:15] But, when you looked at it from an overall perspective, that was really just a temporary dip. So, in fact, we basically confirmed the opposite of our theory: not only is cryptocurrency mining continuing relatively steadily, previous infections are also being maintained.

Dave Bittner: [00:11:41:24] Yes, that's interesting, because I've seen stories recently about how, on the legitimate mining side of things, you know, some of the graphics card manufacturers have been lowering their forecast expectations for earnings, in large part because of the dip in the profitability of mining.

Craig Williams: [00:11:59:18] Absolutely, and so, naturally, I think it's normal to assume that, hey, maybe that will carry over through that landscape, but I think what we were able to determine was that because the risk is so low, and the barrier to entry is zero, because the kids are just out there littering the internet, it doesn't matter how low the price goes. You know, until there's something that's even lower risk with a good payout, people are going to continue using these tools for the foreseeable future.

Dave Bittner: [00:12:27:07] Yes, and it's also interesting that, as far as these things go, this one can have a low impact on the end users. Lots of folks have cryptomining going on and might not even know that it's happening.

Craig Williams: [00:12:40:10] Well, so that's an interesting discussion and I'm glad you brought that up. So yes, I've heard that argument a lot and I think there is a kernel of truth to it: if you have cryptocurrency mining going on, well, your network's not going to go down immediately, you know, your data's not going to be held hostage and you can probably carry on with business as usual for a while. The big flashing red lights need to be, if you have cryptocurrency mining on your network, that's just what you're aware of, right? You have left the door unlocked somewhere and you know that people are going through it. Maybe you know what one person who went through the door is doing, maybe they're cryptomining quietly in the corner, but you have no idea who else has come through that door and what data has gone out that door. And so I think while it's true that the cryptomining itself is not that damaging, right, and yes, sure, there's some power loss and maybe slightly higher expenses around that, I think the real risk is that the door is open and any attacker who wants to and can find it can come through that door and cause additional damage.

Dave Bittner: [00:13:40:03] Sort of a canary in the coal mine, if you will.

Craig Williams: [00:13:43:09] Exactly.

Dave Bittner: [00:13:43:23] Yes. Alright, well good insights as always, Craig Williams, thanks for joining us.

Dave Bittner: [00:13:53:09] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy anti-virus protection. It's very good as far as it goes, but, do you know what? The bad guys know all about it too. It will stop the skids, but, to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of Cylance Optics; it turns every endpoint into its own security operations center. Cylance Optics deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on system behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, Cylance Optics can help. Visit cylance.com to learn more, and we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:59:21] My guest today is Nirmal John, he's a journalist living in India and author of the book Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe.

Nirmal John: [00:15:11:05] Dave, I think one of the fundamental problems we have right across the world, frankly, is the gap in knowledge and awareness between the people who are in the cybersecurity business and the normal person on the street. I think that particular issue is a little more acute in India, because of the fact that we have got hundreds of millions of people who are coming on board onto the digital bandwagon for the first time. These are people who do not have any reference point when it comes to the idea of digital security.

Dave Bittner: [00:15:47:21] Can you give us an idea: what is the situation that people find themselves in, there in India, when it comes to cybersecurity and protecting themselves?

Nirmal John: [00:15:57:12] There are two or three different strands to this question. One is in the context of corporates, and in that context I think one of the things that I've tried to bring out in the book, and this is primarily aimed at that audience, what I'm trying to bring out is the fact that it is often individual mistakes that lead into breaches. It's silly things like a sharing of passwords, for example, or clicking on the wrong link, which starts a domino effect of things happening in the background. The other thing, as a larger view, is the fact that a lot of these instances can actually come down through simple awareness programs, frankly. I think there are people who are making mistakes, the silly kind of mistakes, where you click on something, divulge bank account numbers and ATM PINs and that sort of thing, to people who call. It's mostly low-level stuff that's happening right now, and that is what is worrying, as I said: when you have hundreds of millions of people who are coming on board, onto the digital world, it's the low-level stuff that's actually creating most of the issues.

Dave Bittner: [00:17:24:12] Now, as you're getting feedback from the book, as people are reading it, are there any of the stories that they're coming back with where they're saying, this was a particularly remarkable one?

Nirmal John: [00:17:34:18] Yes, I think one of the stories that I narrated, in fact it's in the first chapter, is of an Indian businessman. He is one of India's richest men, you know, and he's a very powerful man, and this man was the victim of a phishing e-mail back in 2011. The fact that somebody as powerful as him could be the victim of something like that, I think that in itself shows the gravity of the situation, and I think that's the feedback that I got when people came back to me after reading the book. Some of these instances, and some of the simple ways in which the breach has happened, that's something that stood out for most people.

Dave Bittner: [00:18:26:21] Are there any things in particular about India that you find unique to that country? To that part of the world? That might be different from what we're used to here in the United States?

Nirmal John: [00:18:35:24] I think broadly notions of things like privacy; we culturally have a different kind of makeup and outlook on things like that. And that has a direct impact on cybersecurity, I think. There is a culture of sharing which is a little more overt compared to other countries, and the more information that is out there, the easier it is for malicious people to capitalize on it. So I think one of the fundamental issues is our willingness to overshare. The center of the cybercrime universe has been in other countries over the years, but I think as India grows further, and as the population becomes more and more digitized, I think crimes are actually taking off in a big way. I mean, the sheer numbers, I mean 1.2 billion people in a country, that in itself gives those who have malicious intentions a great market. What is especially worrying is the fact that this is a market where awareness is low, so, that's a great combination, right? While the ticket sizes themselves in a banking heist might be smaller, the fact that it's easier work for malicious people, I think that is something that stands out for me in India.

Dave Bittner: [00:20:14:08] What do you hope people take away from the book? Folks who've read it? What are some of the lessons you want them to take from it?

Nirmal John: [00:20:20:11] One of the fundamental things that I want people to take away is that it could happen to you. I think we, in India, we often think that bad things happen to somebody else, and therefore there is a reluctance to take responsibility and invest in terms of things like training and organization, or in terms of building the right technology to protect yourself. I think I want people to be a little more skeptical; I think a little more skepticism in how they interact with the digital world around them would go a long way.

Dave Bittner: [00:20:59:21] That's Nirmal John, he's a journalist and author of the book Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe.

Dave Bittner: [00:21:13:10] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. This CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik; Social Media Editor, Jennifer Eiben; Technical Editor, Chris Russell; Executive Editor, Peter Kilpe; and I'm Dave Bittner. Thanks for listening.