The CyberWire Daily Podcast 5.2.19
Ep 835 | 5.2.19

Wipro update. Office 365 attacks. The "Smart Content Store" is bad mojo. Russian Internet sovereignty. Global Cyber Innovation Summit notes.


Dave Bittner: [00:00:01] Hi, everybody, Dave here. Just a quick reminder that if you are only listening to the CyberWire podcast, there's more to the story. You should visit our website and check out our CyberWire daily news brief. You can have it delivered to your email every day. Go to and check it out there. It's our daily news brief. Take a look. Thanks.

Dave Bittner: [00:00:23] The group behind the Wipro attack has been active since 2015. Office 365 are still being targeted by account takeover attacks. A third-party Android app store is serving malware. The U.K. defense secretary has been sacked over leaked information. The U.S. warned Russia to cease its support of Venezuela's Chavista regime. Russia's internet sovereignty bill is signed into law. And notes on the Global Cyber Innovation Summit.

Dave Bittner: [00:00:54] Time for a message from our sponsor, Bandura Cyber. Are you using threat intelligence, or is threat intelligence using you? Threat intelligence gateways, or TIGs, are an exciting, emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational and useful. TIGs aggregate IP and domain indicators of compromise from an unlimited number of sources, such as DHS, information-sharing groups like FS, MS or ONG-ISAC, commercial sources like Webroot or Anomali or even your own internal IOCs from your SIEM or TIP. With the need for multiple sources and views of threat intelligence now more important than ever and with existing solutions' limited ability to ingest and block third-party IOCs at scale, TIGs make taking action with massive volumes of threat intelligence easy. Get the definitive guide to this next-generation technology, “Operationalizing Threat Intelligence

Dave Bittner: [00:02:17] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 2, 2019.

Dave Bittner: [00:02:25] Flashpoint reveals findings from its inquiry into the attack on IT outsourcing and consulting company Wipro. The threat actors behind it have been active since 2015. A URL in a phishing document led researchers to infrastructure used in previous attack campaigns. The goal of the Wipro attack and subsequent attacks against Wipro's customers appears to be gift card fraud. Flashpoint says the attackers were seeking access to the portals that managed gift cards and rewards programs at the targeted organizations.

Dave Bittner: [00:02:56] Barracuda is the latest to point out active attacks against users of Microsoft Office 365. Account takeover attacks surged during March. The attackers are opportunistic; brute-forcing, credential-stuffing and social engineering are all in play.

Dave Bittner: [00:03:13] Zscaler warns against a third-party Android app store seemingly specializing in games. It's simply a front for a campaign to install malware into too-trusting victims' devices. The Smart Content Store isn't a smart place to shop and doesn't even offer real content. If you try to download Crazy Birds or Superbros Run, you won't even get a Trojan-ized game; all you'll install is malware.

Dave Bittner: [00:03:39] The Times reports that U.K. Defense Secretary Williamson has been fired after an investigation indicated he was the cabinet member who talked out of school about Huawei. Prime Minister Theresa May said that, quote, "no other credible version of events to explain this leak has been identified," end quote. Williamson denies the claims and blames his sacking on a kangaroo court rigged by mandarins who had it in for him. He'll be succeeded by Penny Mordaunt.

Dave Bittner: [00:04:07] After an attempt by Venezuela's constitutional acting president to oust President Maduro failed, the Times reports that the U.S. has warned Russia not to continue attempts to prop up the Chavista regime. U.S. Secretary of State Mike Pompeo on Tuesday accused Russia of persuading Maduro to abandon his plan to flee to Cuba.

Dave Bittner: [00:04:27] Russian President Vladimir Putin yesterday signed into law a bill which will see Russia develop an independent internet infrastructure. The law is meant to ensure that the country can stay online in case its adversaries decide to cut it off from the global internet. Internet service providers will have to install special equipment supplied by the Russian government, which will enable them to rely on Russia's alternative DNS and route all traffic through local servers when the government deems it necessary. Most observers assume that the more practical uses of the law will involve censorship and traffic monitoring, although Moscow denies this. The law isn't popular among the Russian people. ZDNet cites a recent poll that found only 23% of Russians support the measure.

Dave Bittner: [00:05:13] Security operation centers, or SOCs, continue to develop and evolve in their scope and complexity, with many organizations adopting a more collaborative approach. Cody Cornell is co-founder and CEO at Swimlane, a security orchestration, automation and response firm, and he joins us to help explain.

Cody Cornell: [00:05:31] SOC is a security operation center, so basically, a group of individuals, sometimes analysts, sometimes analysts and engineers, that are responsible for, you know, monitoring the security posture of an organization. So we spend a lot of resources on threat detection and threat monitoring kind of technologies, and those alerts have to go to somebody, and that's typically the SOC.

Dave Bittner: [00:05:51] At what point in an organization's lifecycle do they typically stand up their own SOC?

Cody Cornell: [00:05:56] Organizations really differ in when they decide it's important, right? We see really large organizations that you would typically expect to have a lot of security analysts and a large SOC really not, either using managed services or doing it, you know, with a few people. And then you have, you know, sometimes a small organization that is - you know, maybe the IP, intellectual property, is the backbone of the organization; they'll invest heavily in a security operation center at an early phase. So you know, typically it's, you know, midsize to larger organizations that have a dedicated SOC, but you see that across the spectrum of different organizations and different sizes.

Dave Bittner: [00:06:30] So today we're focusing on this notion of collaborative SOCs. What's the differentiator there?

Cody Cornell: [00:06:36] Historically, we've seen, you know, organizations move towards a little bit more sharing, right? So threat intelligence sharing and things along those lines. Organizations really will benefit from the fact that, you know, one group of people - no matter how big it is; if it's 10, 20, 50, 100 people - really don't have a monopoly on all the good ways to thwart adversaries. And the ability for them to collaborate across organizations on what they're seeing and how they're responding really, you know, enables, you know, organizations that may be competitive in the marketplace actually collaborate on security and really help the whole security, you know, operations function across the organization.

Dave Bittner: [00:07:11] Is there a natural resistance there? I can imagine organizations, especially when it comes to interacting with their competitors, that they might want to keep their cards close to their vest.

Cody Cornell: [00:07:20] I think there's a tendency to think that that's the case, but we see - if it's banks or retail organizations or a broad variety of verticals actually collaborate. You see a lot of collaboration on the government. You see a lot of collaboration in the energy and utility sector. You know, do they share everything? Absolutely not. But you know, how I'm detecting something, how I'm responding to it, you know, what the good sources for investigation information are - those are all things that we see people sharing across organizations, regardless of their competitor.

Cody Cornell: [00:07:48] I think most verticals at this point have established an ISAC, you know, some information sharing organization around threat intelligence. I think that's maturing a lot to include what, you know, is typically called a course of action - so what to do when we see that. And you know, I think that's a great place to start. Obviously, a lot of the vendors in the community have started building communities within their product stacks and their portfolios, and I think that's a great place to contribute. And then all the classic places that people contribute, if it's GitHub or otherwise, there's lots of resources out there for contributing and collaborating.

Dave Bittner: [00:08:17] Are there any misconceptions that people have that you run across when it comes to this sort of collaboration?

Cody Cornell: [00:08:22] I think there's a kind of a misnomer that people aren't excited to share, or that people aren't willing to share, and I think that's actually not the case. There's a lot of organizations that - you know, they're investing heavily in protecting their organization, but they understand that sharing is a raising-tides-raises-all-ships moment for them, and the ability to share and collaborate on how to do things and how to respond and how to build playbooks and all of these things are really enabling organizations to do more with the same amount of resources. And I think the fact that that's coming to fruition is a surprise to some folks who haven't seen that historically.

Dave Bittner: [00:08:56] That's Cody Cornell from Swimlane.

Dave Bittner: [00:09:00] Today is the second and final day of the Global Cyber Innovation Summit in Baltimore's Fells Point. If yesterday's focus was on security technology, today's is much more on the threat.

Dave Bittner: [00:09:12] Author and cybersecurity expert Richard Clarke opened the conference this morning with a discussion about some of the conclusions he reached in his forthcoming book, "Fifth Domain." He observed that his earlier book, "Cyber War," written with Robert Knake and published in 2010, had drawn scoffing reviews as being nothing more than alarmist fiction. He noted with satisfaction that much of what they predicted - especially their claim that we'd soon see the rise of military offensive operations in cyberspace, including attacks on infrastructure - had been borne out by the events of the last few years.

Dave Bittner: [00:09:46] But interestingly, he wanted to draw attention to some of the positive developments that he and his co-author did not foresee. Specifically, he argued that the last few years had shown that existing technology, properly applied, can indeed defend the corporate network. He has seen that appropriate levels of investment in cybersecurity by corporate leadership that understands the risk to the company can make security a priority, and when that happens, companies are generally successful in fending off attacks.

Dave Bittner: [00:10:14] And he argued that companies should defend themselves and not expect Cyber Command or other elements of the U.S. military to protect them in cyberspace. He offered a sourly realistic review of military failures to protect their own weapons and networks and suggested that this argued that the military is not the place to look for defense of the private sector. He did note language in a recent Defense Authorization Act that observed that the U.S. military was authorized in effect to hack adversary systems in peacetime, and he viewed this as a positive sign that the government lawyers, as he characterized them, who had regarded such offensive cyber action as illegal under Title 10 have been effectively overruled. He said, quote, "now there's every reason to think Cyber Command is doing that; they weren't doing that before," end quote.

Dave Bittner: [00:11:02] He closed with general observations on conflict and with a plea for an understanding of how the federal government can help. Reflecting on his early career in nuclear arms control negotiation, he remarked that, quote, "crisis instability comes when an aggressor thinks it can win," end quote. When the offense thinks it has an advantage and the defense isn't credible, you're in a dangerous phase.

Dave Bittner: [00:11:25] He saw three areas in which federal action can make a positive contribution. First, appropriate regulation, particularly in electrical power and election security. Clarke sees the potential for regulation to have the sort of positive effects he argued it had on the financial sector. Second, investment in research, particularly in defense, artificial intelligence and machine learning. And third, in diplomacy. There were some genuine achievements in arms control during the Cold War, and Clarke thinks there are reasons to hope for comparable diplomatic success with respect to cyber conflict. We'll have more accounts of the summit's proceedings over the next several days.

Dave Bittner: [00:12:06] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:13:17] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an article from Slate recently; it was called "Give Up The Ghost," and it was about a plan in the U.K. to break encryption or add, I guess, a backdoor to encryption. They're referring to something called ghost encryption. What's going on here?

Jonathan Katz: [00:13:41] So as we know, there's a lot of discussion in the U.S. and the U.K. and in Australia and other countries as well about the extent to which products offering encryption should be weakened in order to allow this special access for law enforcement. And I guess what's going on here is that there's been a new proposal about a way to try to allow access to certain conversations by law enforcement officials without necessarily weakening encryption on the whole. And it's sort of an interesting idea. What seems - they didn't put technical details out, so it's just kind of a high-level sketch of what they're thinking.

Jonathan Katz: [00:14:13] But it seems like what they're talking about is something that would not weaken encryption for all conversations that people are having, but basically allow them to choose a specific sender or receiver and weaken conversations that that person is having with other people. And so that could be perhaps a way to try to strike a balance between the needs both for encryption in general but also for this access when needed.

Dave Bittner: [00:14:39] So is this a situation where, say, law enforcement would need to do the equivalent of asking a judge for a warrant, and then this different kind of encryption would be put into motion so that they could then decrypt things?

Jonathan Katz: [00:14:52] Yeah, something like that. So that's my understanding, is that they would have to get a warrant, and then they would approach the company, actually, that's providing the platform where this communication is being done. And then they would essentially ask this platform to weaken the encryption or weaken the protocol being used for some particular pair of sender and receiver, and that way it would allow law enforcement to target that particular conversation without necessarily degrading security for the other conversations taking place.

Dave Bittner: [00:15:20] And in terms of the actual encryption going on there, what's your take on this? Is this a good compromise?

Jonathan Katz: [00:15:27] Well, it's a compromise, I'll say that. Whether it's a good compromise or not depends on the details.

Dave Bittner: [00:15:31] Yeah.

Jonathan Katz: [00:15:32] I think, certainly, it's a - it does at least partly address some of the concerns that people have raised with other proposals, namely that they would weaken encryption for everybody, and if the single master key falls into the wrong hands, then it could potentially be disastrous. Here it looks like there is no central master key to be stolen, rather it does depend on trusting the company, trusting this company providing the service, that they will only weaken encryption when specifically requested, with a warrant in place, and otherwise would leave other conversations alone. So you're putting a little bit more trust in the company, but nevertheless, it represents maybe just a different point on the spectrum, perhaps striking a better balance than other proposals.

Dave Bittner: [00:16:13] Yeah. And I guess with all these things, the devil's in the details.

Jonathan Katz: [00:16:16] Yeah, that's right. It obviously depends a lot on how exactly the process is managed and what the technical details are when they come to light.

Dave Bittner: [00:16:22] Well, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:16:24] Thank you.

Dave Bittner: [00:16:29] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:16:51] Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.