The CyberWire Daily Podcast 11.1.19
Ep 962 | 11.1.19

Cyber espionage. Russia tries Web autarky. The US will investigate TikTok. A bad keyboard app is out of Google Play but still in circulation. Crime comes to e-sports. Happy hundredth, GCHQ.

Transcript

Dave Bittner: [00:00:03] FireEye warns of Messagetap malware and its spying on SMS. NSO Group's Pegasus troubles seem to be expanding. Russia prepares to disconnect its internet. The U.S. opens a national security investigation into TikTok. An Android keyboard app is making bogus purchases and doing other adware stuff. E-sports draw criminal attention. And happy birthday, GCHQ.

Dave Bittner: [00:00:33] And now a word from our sponsor, Coalfire. When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated with business units and partners. A common question inevitably arises - is security the cloud platform provider's responsibility, or is it the customer's responsibility? To optimize data security, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the introduction of the HITRUST shared responsibility program, there's now a solid path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011, and they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor, at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show.

Dave Bittner: [00:01:49]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:12]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 1, 2019. FireEye continues to chew on APT41, Double Dragon, the PLA spies who moonlight as crooks or vice versa. In a report issued yesterday, the researchers described the threat group's Messagetap malware. The tool monitors and collects SMS traffic from specific phone and IMSI numbers. It also watches for specific keywords. Messagetap has been deployed in a Chinese government espionage campaign against high-value or high-payoff targets, including dissidents, journalists and selected foreign officials. FireEye calls the approach a combined focus on upstream data and targeted surveillance. 

Dave Bittner: [00:03:01]  The attention NSO Group's Pegasus tool has attracted from WhatsApp and Citizen Lab has flushed some additional surveillance activity. Reuters reports that Pegasus has been used against government officials in several countries. The Israeli government denies any involvement. The story is still developing. 

Dave Bittner: [00:03:20]  Roskomnadzor, Russia's internet authority, today began installing the tools necessary to disconnect the country's internet from the global web, should the government decide it needed to do that. The plans for an autarkic web have been in place for some time. Why disconnection is attractive to Moscow is obvious. It would make censorship and information control easier for one thing, and it might also reassure Moscow that its disconnected networks were safer from foreign attack. What the disconnection will mean in practice remains to be seen, as SC Magazine points out. There are powerful commercial forces that tend to operate in favor of an internationally open internet. But Russia has resisted the lure of commerce before, and it might be able to do so again. In any case, the experiment has just begun and will bear watching. 

Dave Bittner: [00:04:12]  The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, yesterday released details of the North Korean Trojan "Hoplight." And that's Hoplight – this Hoplight is not to be confused with an ancient Greek heavy infantryman. Hoplight opens a backdoor in affected machines through which Hidden Cobra can crawl at will. Washington's warnings about Huawei and ZTE are well-known, as are the strictures against various Chinese manufacturers of commercial drones. The Department of the Interior, for example, has just decided to ground its 800-strong drone fleet, most of which is manufactured in whole or in part by Chinese firms. Interior cites security concerns as the basis for the grounding. 

Dave Bittner: [00:05:00] And there have been rumblings inside the beltway that TikTok is also bad news. Those rumblings became semi-official today, as the proverbial sources in a position to know tell Reuters that the Committee on Foreign Investment in the United States has opened a national security investigation into TikTok's owner Beijing ByteDance Technology Company and its $1 billion acquisition of the U.S. social media app Musical.ly two years ago. What specifically they're looking into isn't yet known, but members of Congress have expressed concerns over the possibility that TikTok could become a counterintelligence threat in the U.S.

Dave Bittner: [00:05:39] Upstream Systems warns that the Android keyboard app Ai.type is quietly making unauthorized purchases of premium digital content, racking up a cool $18 million in fraudulent potential charges. And those are just the bogus charges Upstream's Secure-D mobile platform intercepted and blocked. Ai.type represents itself as a free, fun keyboard app, great for people who like to use emojis. But the only emoji this one calls to mind is the poop emoji. Not only will it buy digital content you didn't order and probably don't want, but Ai.type also collects information about the infected user's actual preferences and purchases. And, of course, it does the usual adware shtick of serving up invisible ads and collecting phony clicks.

Dave Bittner: [00:06:25]  Upstream recommends, of course, that you not contribute any more downloads to this malware. It's already been downloaded more than 40 million times. Google removed Ai.type from the Play store back in July, at which point the malware's activity spiked for about a month, then reverted to the mean, where it remains. Watch your bills for inexplicable charges, especially for data you don't remember buying, and keep an eye on your mobile devices. If they're behaving oddly, look more closely. 

Dave Bittner: [00:06:55] Trend Micro notes a cresting wave of criminal cyberattacks on e-sports. These have become big business, estimated last year to have become a billion-dollar industry, and money draws criminals as rotting meat draws flies. E-sports are pursued recreationally and professionally. And colleges and universities have established e-sports teams to go along with their football, basketball and beer pong teams. We're just kidding about the beer pong. As far as we know, that's not risen above the level of a club sport. In the U.S., the NCAA, the National Collegiate Athletic Association, considered bringing e-sports under its regulatory scrutiny, but for the time being at least has shelved the idea. But plenty of NCAA schools haven't. Some even offer scholarships to good gamers, and it seems surprising that those don't appear to figure in the Varsity Blues scandal. Go figure, you'd have thought Hollywood would have been up on e-sports.

Dave Bittner: [00:07:51]  The criminality is, as you might expect, opportunistic, running from selling hacks and cheats on the black market to rigging games, to DDoSing tournaments or holding them up for ransom. All of this is in addition to the trade in various in-game purchases as a means of laundering money. Trend Micro sees no near-term end in sight, so hold on to your loot boxes. 

Dave Bittner: [00:08:15]  And finally, happy birthday to the oldest of the Five Eyes. GCHQ turns 100 years young this week. 

Dave Bittner: [00:08:27]  And now a word from our sponsor, KnowBe4. Having spent over a decade as part of the CIA's Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leading cyber operations against terrorists and nation-state adversaries. She's seen firsthand how the bad guys operate. She knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yourself a hard target. Get the inside spy scoop and find out why Rosa, now KnowBe4's SVP of cyber operations, encourages organizations like yours to maintain a healthy sense of paranoia. Go to knowbe4.com/cia to learn more about this exclusive webinar. That's knowbe4.com/cia. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:09:29]  And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I wanted to touch today on teaching. That is something that I know is important to you. And it's interesting to me that as your company has grown, and I think Dragos is up over - what? - 150 people now, it is still something that you carve out time throughout your year to teach. Why is that? What's the value there for you? 

Robert M. Lee: [00:09:58]  Yeah, the thing that I like about Dragos and the thing that I like about the industrial security space is the community feel. And I think that's present in a lot of infosec circles, but I know it's really present in ICS security for me personally. And I've always felt that the answer can't just be technology or building a company. It's got to be building a community. 

Robert M. Lee: [00:10:20]  And actually, I started the class - so I built the SANS ICS515 class with the active defense and incident response, basically getting in your industrial networks and hunting and responding to attacks, I built that years before I built Dragos. I actually built that when I was still in the military and the intelligence community because we didn't have people to pull from. And so I, you know, I got challenged by one of my mentors, Mike Assante, to go build this class so that we could onboard more people into the community so that we could start trying to solve this challenge. 

Robert M. Lee: [00:10:49]  And as Dragos has expanded, I definitely had to cut back. I used to teach, you know, 10 times a year, 15 times a year, which is - they're each a week-long class, and that's a lot of time to take out. As the demands of the company have increased, I've had to cut back. I think next year, I'm only going to be teaching five or six times. But it's still - it still can be a drain to do it because the company is moving very quickly, and there's tons of things to do. But I find it really important to do for really three big reasons - one, very selfishly, it's like my therapy, being able to break out of the CEO role and still go be the practitioner that shares lessons learned and case studies with anybody, including our competitors that come through class, but just trying to advocate to the community about what the community needs to be, irrespective of vendors. 

Robert M. Lee: [00:11:34]  No. 2 is I think it's incredibly important to kind of expose the lessons learned that we're getting through Dragos to an audience that isn't bound to a vendor training. So instead of necessarily just bringing everybody in to Dragos - we've got our own training classes and similar, but there's a place and a role for that. But then there's kind of that vendor agnostic, like I don't even have our technology and stuff in the class. It's just a - it's a vendor-agnostic way to just share true lessons learned to the community. So I think it's useful from that community-building perspective. 

Robert M. Lee: [00:12:04]  And then third, I do take and consider the fact that I'm the CEO of the company. I don't think that title has a whole lot of weight, but some people do. And I don't want my employees and folks that are coming and going, oh, well, Rob is always so busy, so we have to be busy. I like the idea that showing people, hey, I even when running the company can break away to go engage the community in a non-vendor way. I challenge you to do the same. Like, go figure out ways to go teach at a local university. Go speak at a local conference. Do things that aren't there for business purpose; they're just there for community engagement. Go be better. And I think in setting that example, hopefully we will always continue to have that culture at Dragos. 

Dave Bittner: [00:12:50]  Do you continue to find value in interacting with people who are still at a very early stage of their experience here? To have those fresh sets of eyes come in, does that provide you with a unique perspective? 

Robert M. Lee: [00:13:06] Oh, absolutely. And that's a beautiful thing, too, about SANS is I'll get not only absolutely new people in the field, but you also get seasoned professionals that come through those classes. You know, 500-level class, so maybe somebody career changing over or even someone who has been doing it for a while, and they're just trying to figure out if they've been doing the right things. And I think the reason you teach, above everything, is a love of the topic, and that means that you should be a constant learner. Like, I learn more from the collective that is my students than any of them individually ever learn from me. And so the opportunity for me to just sit there and share in their experiences and be grounded in that community consistently, that's super valuable for me personally.

Dave Bittner: [00:13:49]  All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:13:56] Now it's time for a few words from our sponsor, BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:55]  My guest today is Phil Quade. He's the chief information security officer at Fortinet and author of the recently published book, "The Digital Big Bang: The Hard Stuff, The Soft Stuff, And The Future Of Cybersecurity."

Phil Quade: [00:15:08] The cosmic Big Bang of, you know, 14 billion years ago, which launched our universe, created - we ultimately discovered that there are some fundamental elements and forces within it which we ultimately characterized in some sciences called physics and chemistry. And humans really started to hit their groove development-wise when we learned those sciences and started obeying those laws and understanding the elements that govern them.

Phil Quade: [00:15:34]  I look at the past 40-50 years, I think it's a great analogy. I think we're in the midst of a digital Big Bang. There's a massive amount of information just exploding from our culture. We need to understand what are the fundamental forces, the fundamental elements within this digital universe. And we need to identify the core sciences that govern those digital Big Bang forces and put them to use, and then start flourishing in our digital universe. 

Dave Bittner: [00:16:00]  You start off the book - even in your introduction, you cover what we got right and what we got wrong. What are you talking about there? 

Phil Quade: [00:16:07]  Yeah. So let's start with the precursor, which is the fundamental elements, which is, you know, in the case of the universe Big Bang, cosmic Big Bang, it's things like gravity, matter, energy, time, things like that. Well, in the digital Big Bang, the fundamental elements of which all cybersecurity needs to be based around, those are things like speed and connectivity, right? 

Phil Quade: [00:16:29]  So when the internet was, quote, "created" 40-50 years ago, it was about connecting more people than ever imagined and doing so at speeds - higher speeds than ever imagined. So if you're going to create cybersecurity solutions, you better create those solutions based around those fundamental elements of cyberspace, which is doing things as fast as possible and doing so in an integrated way since the internet is fundamentally an integration function. 

Phil Quade: [00:16:56]  But back specifically to your question, you asked, you know, what are the things that we kind of got wrong collectively when the internet was first started up a few decades ago - several decades ago? One of those things was authentication. The original internet was conceived mostly as a collection of colleagues who knew each other, so personal authentication and data authentication wasn't that important. We've been paying the price for that for a really, really long time. Almost everything on the internet today is - all the flaws of the internet today are based on lack of trustworthy authentication of people, of machines, of information. 

Phil Quade: [00:17:30] So that first section of the book that you asked about talks about the elementary shortfalls that we just never got right from the beginning. A few that me and my colleagues listed were authentication, patching and training.

Dave Bittner: [00:17:44]  One of the sections of the book deals with the fundamental strategies. You call it proven strategies that don't let us down. 

Phil Quade: [00:17:51]  One of them is an old favorite, especially from the place I used to work for. Before coming to Fortinet, I spent about 30 years in the intelligence and national security community. And in those jobs, we spent a whole lot of time getting cryptography right, becoming masters of cryptography. And cryptography, of course, is a means to provide some really strong mathematical principles to ensure that information is kept private and to ensure information isn't changed and information is authenticated. And it turns out that there - that's one of the three fundamental strategies that me and my colleagues write about in the digital Big Bang as things that absolutely need to be leveraged from the beginning - cryptography, access control and segmentation. 

Phil Quade: [00:18:33]  If I could, I'd like to just say a couple words about segmentation. It's one of the earliest of cybersecurity strategies. And some people may mistakenly think that early or age of that strategy means it becomes less important. I personally think the opposite is true, that segmentation has become the primary cybersecurity strategy of our day, right? Ten-fifteen years ago, the preeminent strategy was about creating a big border around our networks, either a physical or a logical one, and then doing some act or defense at that boundary around our networks. But we all know that those boundaries have disappeared because of things like wireless and mobility. 

Phil Quade: [00:19:12]  And so what we need to do now really, really well is segmenting off our assets so we can avoid breaches, so we can minimize their scope. Then we can recover from them quickly. So segmentation is really, really important to get right. So that's why we call it one of the fundamental strategies. 

Dave Bittner: [00:19:30]  You know, I can't help thinking, given your title about the notion of the Cosmic Calendar, which is something that I think Carl Sagan popularized back when he did his original "Cosmos" book and TV series, which was this notion that if you stretched out time across a calendar and you started with the Big Bang on - you said that was January 1, that, you know, it's only the last moments of the last day of that cosmic year that humans show up in the course of evolution. I'm curious, where do you suppose we are on a cyber Cosmic Calendar? How far along are we in the cosmic evolutionary scale? 

Phil Quade: [00:20:09]  Love the question. I think that we're in the pre-scientific age of the digital Big Bang. So let me just, as you just did, just go back in history just a little bit. Back in the Middle Ages, we invented explanations that weren't based on science. And we feared them. It often paralyzed us. And it wasn't until we started, I'll say, admitting our ignorance, that we, in fact, didn't know a lot about the world, that we ultimately started to really flourish as a culture. That's when we started the age of exploration, right? At the time, ocean explorers were worried about falling off the edge of the world. You know, today, astronomers are looking at the edge of the universe. What a fantastic amount of advancement we've made as humans just in the past, you know, few hundred years or so. 

Phil Quade: [00:20:58]  Now in cybersecurity, we're starting to worry about the cyber edge - right? - that the edge is about to get a whole lot more interesting to those doing cybersecurity. It used to be the desktop, then the laptop, then a tablet, then the smartphone. But as we all know, the new definition of the edge is going to be the explosion of devices that sit out there in the physical domain. I call it the cy-phy (ph), cyber-physical integration. These are the IoT devices that are instrumenting everything from our coffee makers to our health monitors to our automobiles. So the edge in cybersecurity has its own meaning. And we're just about to start exploring that edge. 

Phil Quade: [00:21:34]  So to answer your question, I think that we're just exploring - entering the scientific age of cybersecurity and - which is why this book, "The Digital Big Bang," advocates treating cybersecurity like a science. Let's admit what we don't know. Let's observe what works well and why and rigorously and methodically adopt the things that work well, and then keep building on the shoulders of those successes. So it's trying to inspire people to recognize the moment we're in. Ninety percent of all data has been invented just in the past few years. We're in the midst of a digital Big Bang. That's both a huge opportunity and a responsibility for us to, you know, get - set the course for a bright future. So it's designed to be a little bit inspiration and a little bit call for a little bit perspiration. 

Dave Bittner: [00:22:23]  You know, I suppose I can't help wondering, you know, is it in our best interest to look to the sky for that cybersecurity version of an asteroid, you know, for some sort of extinction event? Is that something we need to be mindful of as well? 

Phil Quade: [00:22:41]  Great analogy. I wish I'd worked that one into the book. There's some fearmongers out there that say that things like AI is going to be the - be our doom or even that the adversary is going to shut down, quote, "the grid." I think both of those are a little bit too much fearmongering, meaning, you know, AI is not a bad thing or a good thing on its own. It's just a technology. People need to how to - need to know how to best leverage that technology and use it for good. So I don't see that as an asteroid. 

Phil Quade: [00:23:15]  Now the threat's a little bit - one where we need to keep our eye on. As you know - right? - we earthlings look out into near space for evidence that a future asteroid - an asteroid is going to hit us in the future. I think we need to do the same about threats, right? I'm not so worried about our entire power grid going down. Our electric grid is much more better segmented than most people understand and pretty resilient. But we do need to understand what nation states aspire to do to us, both on the electric grid and our other critical infrastructures. So to answer your question, I do think that the asteroid analogy is a pretty good one. And I think that we need to do a better job of keeping our eye on those asteroids figuratively to protect our critical infrastructures. 

Dave Bittner: [00:24:01]  That's Phil Quade from Fortinet. The book is titled "The Digital Big Bang: The Hard Stuff, The Soft Stuff, And The Future Of Cybersecurity."

Dave Bittner: [00:24:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:24:27]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.