A look back at Black Hat and Def Con. Sometimes failures that look like accidents are accidents. Russia wants better content suppression from Google. Notes on intelligence services.
Dave Bittner: [00:00:03] A look back at Black Hat and DEF CON, with notes on technology and public policy. Participants urge people to contribute their expertise to policymakers. Power failures in the U.K. at the end of last week are largely resolved, and authorities say they've ruled out cyberattack as a possible cause. Russia puts Google on notice that it had better moderate YouTube content to put an end to what Moscow considers incitement to unrest. And China says reports of criminal activity are bunkum.
Dave Bittner: [00:00:38] And now a message from our sponsors, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:26] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:41] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 12, 2019.
Dave Bittner: [00:01:49] Black Hat and DEF CON have concluded, and the attendees have now left the Nevada desert and returned to wherever they came from. We heard speakers in several sessions at DEF CON urge that those professionally involved with cybersecurity also involve themselves with legislators, that they attend congressional hearings, send direct messages to their representatives and so on. Some of this was civics-class, good-government advice, some advocacy, and some a call to contribute from the distinctive perspective security expertise might lend a citizen. There were signs of mutual interest. Several members of Congress attended, which speaks to some recognition of the security community's importance, and of interest in the conversations taking place last week in Nevada. Phil Stupak, an organizer of AI Village and a fellow at the Cyber Policy Initiative at the University of Chicago, told CNN, quote, "we are trying to break down the barriers between the people in tech who know what they're doing and the people in Congress who know how to take that knowledge to make laws," end quote.
Dave Bittner: [00:02:51] There were comparable signs of such interest at Black Hat. Bruce Schneier delivered an address in which he called for technologists to contribute their expertise to the public process. Infosecurity Magazine quoted him as saying, "no policymakers understand technology. Technologists are in one world, and policymakers are in a different world. It's no longer acceptable for them to be in separate worlds, though, as technology and policy are deeply intertwined," end quote. Your influence as a consumer, he argued, is negligible, but your influence as a technologist can be considerable. And that influence can also be wielded within the companies technologists work for.
Dave Bittner: [00:03:31] There was some commendable self-awareness and appreciation of complexity on display. A proposal for widespread online voting, for example, received a cool reception because the audience of technologists perceived how hard it would be to pull that off.
Dave Bittner: [00:03:46] And on Right to Repair laws, a hot-button issue to many, one salient point made to the hacker crowd was that corporations are not necessarily malicious in their intent and that they are often good people making decisions answerable to a different set of criteria from those a consumer or hacker might use. Others noted that decisions about the Right to Repair are largely made in first-world settings that have moved toward a more disposable economy. The same rules might not necessarily apply to emerging economies where equipment has a much longer life cycle and repair and reuse are not only common, but necessary.
Dave Bittner: [00:04:24] Ralph Russo is director of information technology programs for Tulane University School of Professional Advancement. Educational institutions like Tulane are tasked with preparing their students for the rapidly evolving demands of employers in technical fields like IT and cybersecurity. It's a challenge they're equipped to take on, but it is, indeed, a challenge.
Ralph Russo: [00:04:45] The word I would use would be transitional. Just like the rest of society, we're going from a pretty well-articulated process - you go to college, you get your education, you move on to a job, generally speaking. However, things are changing. We need to change. Speaking from an academic perspective, we need to change with it. So what that is - the traditional get your education, then move into industry, maybe get a certification or two, get some experience - I think that's being upended and disrupted. Going forward, folks will need to be lifelong learners. They'll need to be more alive, need to be more adaptive. And universities, therefore, will need to position themselves to provide that kind of education.
Dave Bittner: [00:05:33] And how do you see that transition taking place on the ground there at Tulane?
Ralph Russo: [00:05:38] Well, we've taken multiple steps towards ensuring that we're well - we're turning out students that are well-aligned to what industry needs. Some of the things we've done - well, to take a step back, we think, or at least I think, that students leaving our programs need to have three distinct areas that they're adapting. One is the traditional academic areas - knowing the concepts very well. And that's very important because as things change, if you understand fundamentally how things are built, how things - the history of things, then you could survive that change, as opposed to the second item in my list, which would be experience. If you - and the third item would be certification. Certifications are done to teach you a specific concept or a specific technical or technology at a specific time, which are great. I think they're important for students, but they do not replace academic, nor does academic fulfill the entire need. And the third is experiential. And in technology, employers, which I've done many interviews and hired many folks myself - employers want some level of hands-on experience. So universities need to go beyond the academic and teach things that are more hands-on, that provide more experiential opportunity for students and also perhaps provide an inroad to getting certification for students.
Dave Bittner: [00:07:04] I hear a lot of stories from folks who are out there trying to get jobs that they're frustrated because many of the employers are saying, we've got a ton of openings available here, but those openings - they're looking for folks with a lot more experience than you'd come out of college with.
Ralph Russo: [00:07:20] Yeah, and I've seen the same thing, and I hear the same thing. I maintain many relationships through our industry. In fact, in rebuilding and building my programs, including a new cybersecurity management master's, what I did was I went out to industry. I brought 30 SOs, CEOs, CIOs and CISOs into a room and said, what are you getting versus what you need? And I heard some things very clearly, and some of them surprised me. I knew that they'd want more hands-on technical. So we responded by adding more than 200 labs to my program so that students were able to go, quote, unquote, "hands-on" around each piece of academic learning.
Ralph Russo: [00:08:02] The second thing I heard very much was that students were coming out, and one of the problems was they didn't understand governance, for example - governance and interacting with teams and leadership - that kind of workplace rapport that's needed. So we've leaned in on governance and teaching best practice, alignment, training, risk management. And then lastly, what I heard, and very strongly, from business was that technology students were coming out, and they didn't have a grasp of how technology drives the business. They knew - they thought technology was, according to the folks we interviewed as part of building our programs, they thought technology was about technology, when really, in most businesses and most government technology operations, your job is to drive the business. There was a lack of understanding of how to communicate around the business of technology. There was a lack of ability to talk to people who weren't in the technical end of the business, for example, people in the C-suite. So we made sure that our programs are all teaching those skills, and we're doing it in a very practical way.
Dave Bittner: [00:09:21] That's Ralph Russo from Tulane University.
Dave Bittner: [00:09:25] Turning to other events, the U.K. sustained a power failure Friday that left about a million users in England and Wales without electricity. The Independent reports that two power stations - one wind-driven, the other gas-fired - went offline almost simultaneously, after which automatic safety features caused outages to protect the grid as a whole. Some had jumped to the conclusion that the outages were the result of a cyberattack. But according to The Washington Post, this was quickly ruled out. Power was largely restored Friday evening, but railroads felt the effects linger into Saturday. It was not a case of graceful degradation. Some essential medical and transportation systems were disrupted.
Dave Bittner: [00:10:07] Authorities tell the BBC they're determined to learn lessons. It is striking how quickly early speculation about power outages turned to the possibility of cyberattack. It's also striking how quickly the authorities were able to rule out an attack, especially given the extent to which an attack could be masked as an accident. It will be interesting to learn more about what the investigation ultimately determines about the cause of the incident. For now, the criticism in the British press has centered largely on what the editorialists are complaining about: the ramshackle quality of the U.K.'s grid.
Dave Bittner: [00:10:41] Deutsche Welle reports that Russia's internet regulatory body, Roskomnadzor, warned Google not to permit YouTube to incite opposition protests. On Saturday, between 20,000 and nearly 50,000 demonstrators took to the streets in Moscow over allegations of municipal election fraud, according to the Guardian. The lower figure comes from police, the higher from independent estimates. Municipal election fraud seems to have engaged the Russian opposition more than it would in many other countries. The recent incidents of unrest came in response to the exclusion of a number of opposition candidates from the ballots. Protests of various sizes have taken place over the past few weeks, and they've generally met with a stiff response from riot police.
Dave Bittner: [00:11:26] YouTube users in Russia did share a number of protest videos. Russian authorities professed to see this as interference with democratic processes. Roskomnadzor complained to Google about structures using tools like push notifications to spread information about the mass protests. The protests would seem to be illegal under Russian law, and the structures - a term not further explained - would appear to refer to some organized and arguably coordinated set of political actors. A failure on the part of Google to take action would be regarded as, quote, "interference in Russia's sovereign affairs and hostile influence and obstruction of democratic elections in Russia," end quote. Moscow says it would respond appropriately to Mountain View's failure to moderate YouTube's content in a satisfactory way.
Dave Bittner: [00:12:16] PC Magazine comments on some forthcoming research by IntSights that explores the connections between Russia's cybercriminal gangs and the country's intelligence services. The gangs operate with the toleration of the security organs on the condition that they leave certain targets alone and from time to time accept certain taskings. The intelligence and security services themselves find the relationship useful.
Dave Bittner: [00:12:41] It would be a mistake, however, to view Russian intelligence and security activities as closely and monolithically coordinated. Kimberly Zenz, who directs threat intelligence for the German industry consortium DSCO (ph), pointed out at Black Hat last week that, in fact, the organs are often mutually competing. She named the big three cybersecurity players as the Ministry of Interior, the MVD, the GRU, which is the military intelligence service responsible for Fancy Bear, and the FSB, the foreign intelligence service that's the principal heir to the Soviet-era KGB. One example she cited involved activities directed against U.S. political campaigns in 2016. Cozy Bear, the FSB, was in early and quietly. Fancy Bear came in noisily, in the American idiom, loaded for bear.
Dave Bittner: [00:13:32] And finally, to consider another case of intelligence services acting either like criminals or in concert with criminals, China's Foreign Ministry has reacted to FireEye's report last week on APT41. You will recall that the researchers suggested that a number of state operators were moonlighting as crooks. China's Foreign Ministry dismissed FireEye's report on APT41 as ill-intentioned fabrications. Besides, the spokesman adds, attribution is difficult, and China opposes all forms of cybercrime, as is well-known. It's also well-known, the spokesman hinted darkly, who's behind most of the bad stuff in cyberspace. They don't say so exactly, but we can't escape the impression that they have someone stateside in mind. Fort Meade, they're looking at you, we guess.
Dave Bittner: [00:14:26] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:15:42] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:15:51] Hi, Dave.
Dave Bittner: [00:15:51] Joe, I was thinking recently about passwords. And I know you think a lot about passwords yourself.
Joe Carrigan: [00:15:59] I do.
Dave Bittner: [00:15:59] Here's my question.
Joe Carrigan: [00:16:00] Yes.
Dave Bittner: [00:16:00] So we advocate that organizations use password managers.
Joe Carrigan: [00:16:05] Yes.
Dave Bittner: [00:16:06] We - and individuals use password managers.
Joe Carrigan: [00:16:08] Yes, we do.
Dave Bittner: [00:16:09] So if I'm in an organization that has mandated that my employees use a password manager, why am I allowing them to use their own passwords, to generate their own passwords? Is there any reason why my employees should be allowed to pick their own password rather than having a random string of characters generated for them and stored in that password manager?
Joe Carrigan: [00:16:34] So you're asking if it's reasonable to set a policy that you will not be able to set your password, that we will pick one for you and you'll use that.
Dave Bittner: [00:16:43] Correct.
Joe Carrigan: [00:16:44] I think that's a hundred percent reasonable. I don't know if it's possible in the enterprise password managers, but I imagine that it might be.
Dave Bittner: [00:16:50] Yeah.
Joe Carrigan: [00:16:50] It's certainly a feature that, if it's not there, should be there.
Dave Bittner: [00:16:53] It just strikes me that - why even give people the option of reusing passwords...
Joe Carrigan: [00:16:58] I agree a hundred percent.
Dave Bittner: [00:16:58] ...In the corporate environment? We still have - it seems like we've got this legacy notion that you should be able to choose a password and make it something easy to remember.
Joe Carrigan: [00:17:08] Right.
Dave Bittner: [00:17:09] But what we know - that's part of the problem. That's why people reuse their passwords.
Joe Carrigan: [00:17:13] That's exactly right.
Dave Bittner: [00:17:14] And if we have password managers, which takes away that problem...
Joe Carrigan: [00:17:18] Yeah, then we should enforce the proper use of the password managers through policy. Yeah.
Dave Bittner: [00:17:23] I guess they still have to choose a password for the password manager.
Joe Carrigan: [00:17:25] They do.
Dave Bittner: [00:17:26] Darn it (laughter).
Joe Carrigan: [00:17:26] They do, but you can also protect that password with multifactor authentication using a token or something.
Dave Bittner: [00:17:33] Right. Right. Right. Right. Right. All right, but - so my line of thinking here is not crazy or out of line or irrational or...
Joe Carrigan: [00:17:40] No, I think that line of thinking is exactly right. I think that - in fact, if - I'm not familiar with the enterprise-level password managers because I've never had to use one. I use a personal password manager. If that's not a feature in them, it should be. As the corporation - as the CISO of this corporation, I can mandate - I can click a box that says, don't let users pick their passwords; generate a unique password for every site that users use. And then when a user says, well, I already have a password for this website, your response is, it's time to change it.
Dave Bittner: [00:18:12] Yeah, why not?
Joe Carrigan: [00:18:13] Right.
Dave Bittner: [00:18:13] If it's a business-related...
Joe Carrigan: [00:18:15] Right.
Dave Bittner: [00:18:15] ...Application...
Joe Carrigan: [00:18:17] Yeah.
Dave Bittner: [00:18:17] ...Where you're going to put that in your password manager, we're going to spin up a new one for you.
Joe Carrigan: [00:18:21] Right.
Dave Bittner: [00:18:21] And it's going to be strong.
Joe Carrigan: [00:18:22] And you shouldn't be - you know, this is just my personal opinion, but I don't think if I had a - if I was working at a company where they had an enterprise password manager, I wouldn't be putting my personal passwords into the enterprise password manager.
Dave Bittner: [00:18:35] No, no. I mean, I think, in some ways, this takes a burden off of the employee.
Joe Carrigan: [00:18:39] I agree a hundred percent. That's what I tell people. I always - when I'm giving talks about password hygiene, I always tell them the long, you know, litany of things they have to do. These passwords have to be long and complex...
Dave Bittner: [00:18:52] Right.
Joe Carrigan: [00:18:52] ...And difficult. And you try not to remember them. And you have to change them every so often. And we've talked about changing passwords before.
Dave Bittner: [00:18:58] Yeah.
Joe Carrigan: [00:18:59] And you have to have a different password for every site. And everybody just goes, uh...
Dave Bittner: [00:19:04] Right.
Joe Carrigan: [00:19:04] ...At what I say. But, you know, instead of trying to do all that, just use a password manager...
Dave Bittner: [00:19:07] Yeah.
Joe Carrigan: [00:19:08] ...And it will make it so much easier. Once you start using a password manager, you will wonder how you've lived without one before.
Dave Bittner: [00:19:15] No, I can vouch for that.
Joe Carrigan: [00:19:16] Yep.
Dave Bittner: [00:19:16] It's absolutely true. All right, well, it's something to think about. I'm sure if there's some flaw in my logic, our faithful listeners will let us know...
Joe Carrigan: [00:19:25] Dutifully.
Dave Bittner: [00:19:25] ...Because they're very good at that.
Joe Carrigan: [00:19:27] Yes.
Dave Bittner: [00:19:27] So perhaps there's something that neither of us are thinking about, and if that is the case, please do let us know. That way...
Joe Carrigan: [00:19:33] Yeah, let us know.
Dave Bittner: [00:19:33] We want to know, and we'll share that with everybody. But I don't know. It's something to ponder, so we'll see. All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:41] My pleasure, Dave.
Dave Bittner: [00:19:46] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.