CyberWire Daily - A look back at Black Hat and Def Con. Sometimes failures that look like accidents are accidents. Russia wants better content suppression from Google. Notes on intelligence services.
Episode Date: August 12, 2019
A look back at Black Hat and Def Con, with notes on technology and public policy. Participants urge people to contribute their expertise to policymakers. Power failures in the UK at the end of last week are largely resolved, and authorities say they've ruled out cyberattack as a possible cause. Russia puts Google on notice that it had better moderate YouTube content to put an end to what Moscow considers incitement to unrest. And China says reports of criminal activity are bunkum. Joe Carrigan from JHU ISI with thoughts on corporate password policies. Guest is Ralph Russo from Tulane University on how schools like Tulane are shaping their programs to meet the needs of business and government. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A look back at Black Hat and DEF CON with notes on technology and public policy.
Participants urge people to contribute their expertise to policymakers.
Power failures in the UK at the end of last week are largely resolved,
and authorities say they've ruled out cyber attack as a possible cause.
Russia puts Google on notice that it had better moderate YouTube content
to put an end to what Moscow considers incitement to unrest.
And China says reports of criminal activity are bunkum.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
August 12, 2019. Black Hat and DEF CON have concluded and the attendees have now left the
Nevada desert and returned to wherever they
came from. We heard speakers in several sessions at DEF CON urge that those professionally involved
with cybersecurity also involve themselves with legislators, that they attend congressional
hearings, send direct messages to the representatives, and so on. Some of this was
civics class, good government advice, some advocacy, and some a call to contribute from the distinctive perspective security expertise might lend a citizen.
There were signs of mutual interest.
Several members of Congress attended, which speaks to some recognition of the security community's importance and of interest in the conversations taking place last week in Nevada.
Phil Stupak, an organizer of AI Village and a fellow at the Cyber Policy Initiative at the University of Chicago, told CNN,
quote, We are trying to break down the barriers between the people in tech who know what they're
doing and the people in Congress who know how to take that knowledge to make laws, end quote.
There were comparable signs of such interest at Black Hat. Bruce Schneier delivered an address in which he called for technologists to contribute their expertise to the public process.
Infosecurity magazine quoted him as saying,
No policymakers understand technology.
Technologists are in one world, and policymakers are in a different world.
It's no longer acceptable for them to be in separate worlds, though, as technology and policy are deeply intertwined.
Your influence as a consumer, he argued, is negligible, but your influence as a technologist can be considerable,
and that influence can also be wielded within the companies technologists work for.
There was some commendable self-awareness and appreciation of complexity on display.
A proposal for widespread online voting, for example, received a cool reception because the audience of technologists perceived how hard it would be to pull that off.
A point made to the hacker crowd was that corporations are not necessarily malicious in their intent and that they are often good people making decisions answerable to a different set of
criteria from those a consumer or hacker might use.
Others noted that decisions about the right to repair are largely made in first-world
settings that have moved towards a more disposable economy.
The same rules might not necessarily apply to emerging economies
where equipment has a much longer life cycle
and repair and reuse are not only common but necessary.
Ralph Russo is Director of Information Technology Programs
for Tulane University's School of Professional Advancement.
Educational institutions like Tulane are tasked with preparing their students
for the rapidly evolving demands of employers in technical fields like IT and cybersecurity.
It's a challenge they're equipped to take on, but it is indeed a challenge.
The word I would use would be transitional.
Just like the rest of society, we're going from a pretty well articulated process.
You go to college, you get your education,
you move on to a job, generally speaking. However, things are changing. We need to change,
speaking from an academic perspective, we need to change with it. So what that is,
the traditional get your education, then move into industry, maybe get a certification or two,
get some experience. I think that's being upended and disrupted. Going forward, folks will need to
be lifelong learners. They'll need to be more alive, need to be more adaptive. And universities,
therefore, will need to position themselves to provide that kind of education.
And how do you see that transition taking place on the ground there at Tulane?
Well, we've taken multiple steps towards ensuring that we're turning out students
that are well aligned to what industry needs.
Some of the things we've done, well, to take a step back, we think,
or at least I think, that students leaving our programs need to have
three distinct areas
that they're adept in. One is the traditional academic areas, knowing the concepts very well.
And that's very important because as things change, if you understand fundamentally how things
are built, how things, the history of things, then you could survive that change as opposed to the second item in my list,
which would be experience. And the third item would be certification. Certifications are done
to teach you a specific concept or a specific technical or technology at a specific time,
which are great. I think they're important for students, but they do not replace academic,
nor does academic fulfill the entire need. And the third is experiential. In technology,
employers, which I've done many interviews and hired many folks myself, employers want
some level of hands-on experience. So universities need to go beyond the academic
and teach things that are more hands-on, provide more experiential opportunity for students, and also perhaps provide an inroad to getting certification for students.
I hear a lot of stories from folks who are out there trying to get jobs that they're frustrated because many of the employers are saying, we've got a ton of openings available here.
But those openings, they're looking for folks with a lot more experience than you'd come out
of college with. Yeah. And I've seen the same thing and I hear the same thing. I maintain
many relationships throughout industry. In fact, in rebuilding and building my programs,
including a new cybersecurity management master's, what I did was I went out to industry. I brought 30 or so CEOs,
CIOs, and CISOs into a room and said, what are you getting versus what you need? And I heard
some things very clearly, and some of them surprised me. I knew that they'd want more
hands-on technical, so we responded by adding more than 200 labs to my program. So the students were able to go, quote unquote,
hands-on around each piece of academic learning. The second thing I heard very much was that
students were coming out, and one of the problems was they didn't understand governance, for example,
governance and interacting with teams and leadership, that kind of workplace wrapper that's needed. So we've leaned in on governance and teaching best practice,
alignment, training, risk management. And then lastly, what I heard and very strongly from
business was that technology students were coming out and they didn't have a grasp of how technology drives the business. Technology was about technology, when really in most businesses and most government technology
operations, your job is to drive the business. There was a lack of understanding of how to
communicate around the business of technology. There was a lack of ability to talk to people
who weren't in the technical end of the business, for example, people in the C-suite. So we made sure that our
programs are all teaching those skills and we're doing it in a very practical way.
That's Ralph Russo from Tulane University.
Turning to other events, the UK sustained a power failure Friday that left about a million users in
England and Wales without electricity. The Independent reports that two power stations,
one wind-driven, the other gas-fired,
went offline almost simultaneously,
after which automatic safety features
caused outages to protect the grid as a whole.
Some had jumped to the conclusion
that the outages were the result of a cyber attack,
but according to the Washington Post,
this was quickly ruled out.
Power was largely restored Friday evening, but railroads felt the effects linger into Saturday.
It was not a case of graceful degradation.
Some essential medical and transportation systems were disrupted.
Authorities tell the BBC they're determined to learn lessons.
It is striking how quickly early speculation about power outages turned to the possibility of cyber attack.
It's also striking how quickly the authorities were able to rule out an attack,
especially given the extent to which an attack could be masked as an accident.
It will be interesting to learn more about what the investigation
ultimately determines about the cause of the incident.
For now, the criticism in the British press has centered largely on what
the editorialists are complaining about: the ramshackle quality of the UK's grid.
Deutsche Welle reports that Russia's internet regulatory body, Roskomnadzor, warned Google
not to permit YouTube to incite opposition protests. On Saturday, between 20,000 and nearly
50,000 demonstrators took to the streets in Moscow over allegations of municipal election fraud, according to The Guardian.
The lower figure comes from police, the higher from independent estimates.
Municipal election fraud seems to have engaged the Russian opposition more than it would in many other countries.
The recent incidents of unrest came in response to the exclusion of a number of
opposition candidates from the ballots. Protests of various sizes have taken place over the past
few weeks, and they've generally met with a stiff response from riot police.
YouTube users in Russia did share a number of protest videos. Russian authorities professed
to see this as interference with democratic processes. Roskomnadzor complained to Google about structures using tools like push notifications
to spread information about the mass protests.
The protests would seem to be illegal under Russian law,
and the structures, a term not further explained,
would appear to refer to some organized and arguably coordinated set of political actors.
A failure on the part of Google to take action would be regarded as, quote,
interference in Russia's sovereign affairs and hostile influence and obstruction of democratic
elections in Russia, end quote.
Moscow says it would respond appropriately to Mountain View's failure to moderate YouTube's
content in a satisfactory way.
PC Magazine comments on some forthcoming research by IntSights that explores the connections between Russia's cyber-criminal gangs
and the country's intelligence services.
The gangs operate with the toleration of the security organs
on the condition that they leave certain targets alone
and from time to time accept certain taskings. The intelligence and security services themselves find the relationship useful.
It would be a mistake, however, to view Russian intelligence and security activities
as closely and monolithically coordinated. Kimberly Zenz, who directs threat intelligence
for the German industry consortium DCSO, pointed out at Black Hat last
week that in fact the organs are often mutually competing. She named the big three cybersecurity
players as the Ministry of Interior, the MVD, the GRU, which is the military intelligence service
responsible for Fancy Bear, and the FSB, the foreign intelligence service that's the principal
heir to the Soviet-era KGB.
One example she cited involved activities directed against U.S. political campaigns in 2016.
Cozy Bear, the FSB, was in early and quietly.
Fancy Bear came in noisily, in the American idiom, loaded for bear.
And finally, to consider another case of intelligence services acting either like criminals or in concert with criminals,
China's foreign ministry has reacted to FireEye's report last week on APT41.
You will recall that the researchers suggested that a number of state operators were moonlighting as crooks.
China's foreign ministry dismissed FireEye's report on APT41 as ill-intentioned fabrications.
Besides, the spokesman adds, attribution is difficult and China opposes all forms of cybercrime, as is well known.
It's also well known, the spokesman hinted darkly, who's behind most of the bad stuff in cyberspace.
They don't say so exactly, but we can't escape the impression that they have someone stateside in mind.
Fort Meade, they're looking at you.
We guess.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave. Joe, I was thinking recently about passwords,
and I know you think a lot about passwords yourself.
Here's my question.
Yes.
So we advocate that organizations use password managers.
Yes.
And individuals use password managers.
Yes, we do.
So if I'm in an organization that has mandated that my employees
use a password manager, why am I allowing them to use their own passwords, to generate their
own passwords? Is there any reason why my employees should be allowed to pick their own password
rather than having a random string of characters generated for them
and stored in that password manager.
So you're asking if it's reasonable to set a policy that you will not be able to set your password,
that we will pick one for you and you'll use that.
Correct.
I think that's 100% reasonable.
I don't know if it's possible in the enterprise password managers, but I imagine that it might be.
It's certainly a feature that if it's not there, should be there.
It just strikes me that why even give people the option of reusing passwords in the corporate
environment?
We still have, it seems like we've got this legacy notion that you should be able to choose
a password and make something easy to remember.
Right.
But what we know, that's part of the problem.
That's why people reuse their passwords.
That's exactly right.
And if we have password managers, which takes away that problem.
Yeah. Then we should enforce the proper use of the password managers through policy.
Yeah.
I guess they still have to choose a password for the password manager.
They do.
Darn it.
They do. But you can also protect that password with multi-factor authentication using a token
or something.
Right, right, right, right.
All right.
So my line of thinking here is not crazy or out of line or irrational.
No, I think your line of thinking is exactly right.
I think that, in fact, I'm not familiar with the enterprise-level password managers because I've never had to use one.
I use a personal password manager.
If that's not a feature in them, it should be. As the corporation,
as the CISO of this corporation, I can mandate, I can click a box that says, don't let users pick their passwords, generate a unique password for every site that users use. And then when
a user says, well, I already have a password for this website, your response is, it's time
to change it.
Yeah, why not?
If it's a business-related application, you're going to put that in your password manager.
We're going to spin up a new one for you.
Right.
And it's going to be strong. And you shouldn't be – this is just my personal opinion,
but I don't think if I was working at a company where they had an enterprise password manager,
I wouldn't be putting my personal passwords into the enterprise password manager.
No, no.
I mean, I think in some ways this takes a burden off of the employee.
Agreed, 100%.
That's what I tell people.
When I'm giving talks about password hygiene, I always tell them the long litany of things they have to do.
These passwords have to be long and complex and difficult, and you try not to remember them. And you have to change them every so often.
And we've talked about changing passwords before. And you have to have a different password for
every site. And everybody just goes, oh. And I say, but instead of trying to do all that,
just use a password manager. And it will make it so much easier. Once you start using a password
manager, you will wonder how you lived without one before.
No, I can vouch for that.
Yep.
It's absolutely true.
All right.
Well, something to think about.
I'm sure if there's some flaw in my logic, our faithful listeners will let us know.
Dutifully.
Because they're very good at that.
Yes.
So perhaps there's something that neither of us are thinking about.
And if that is the case, please do let us know.
We want to know and we'll share that with everybody.
But there's something to ponder.
So we'll see.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.
data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.