CyberWire Daily - Another misconfigured AWS S3 bucket, this one with US Army INSCOM files. Apple fixes a major issue in MacOS. Influence ops and autarky. Boyusec disbanded.
Episode Date: November 29, 2017
In today's podcast we hear that another misconfigured AWS S3 bucket has turned up. This one holds sensitive US Army files. Apple fixes a big flaw in the latest MacOS High Sierra version—the password is "root." Russia says American aggression in cyberspace is moving it to create its own DNS. Russia and Venezuela exploit the Catalan independence movement for disruptive information operations. Boyusec, mentioned in a recent US indictment, has been disbanded. Dale Drew from CenturyLink with lessons on consolidation. Jason McGee from IBM on software containers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Another misconfigured AWS S3 bucket holds sensitive US Army files.
Cloud security remains a user responsibility.
Apple fixes a big, big flaw in the latest Mac OS High Sierra version.
The password is root.
Russia says American aggression in cyberspace is moving it to create its own DNS.
Russia and Venezuela seem to be exploiting the Catalan independence movement for disruptive
information operations.
And the Chinese firm mentioned in the recent U.S. industrial espionage indictment has been disbanded.
I'm Dave Bittner with your CyberWire summary for Wednesday, November 29, 2017.
More sensitive information has sloshed from another unsecured Amazon Web Services S3 bucket.
This time, the exposed data belonged to the U.S. Army's Intelligence and Security Command,
INSCOM, the service's component of the National Security Agency's Central Security Service.
The exposed database was found, again, by researchers from security firm UpGuard,
which says this is the first time it's found classified information exposed by such an easily avoided configuration error. ZDNet says this latest exposure is, by its reckoning, the fifth case of NSA data loss in the past five years.
The files exposed were associated with the U.S. Army's Red Disk program, a project that has for
some time carried the reputation of being a failure.
Red Disk was intended to be a customizable cloud system that could bring a common operating picture
to large, complex operations, but it proved difficult to use. It was to have been an adjunct
to the Army's controversial Distributed Common Ground System, DCGS, which fans of Pentagon acquisition squabbles will
recognize as one of the principal antagonists in the Palantir war waged between operators
and the service's procurement arm through much of the past decade.
In brief, the field operators liked Palantir a lot as a platform for handling complicated
combat information, whereas DCGS, the big program, never found a lot of
love on the dirty boot side of the Army.
Red Disk was supposed to have been a powerful centralized repository of data, readily shareable
and readily enriched, able to handle multiple layers of security with access selectively
granted.
UpGuard is one of two security companies, Kromtech is the other, who've been dining out for most of 2017 on their ability to find misconfigured S3 buckets.
No one seems entirely sure who owned the exposed database,
but UpGuard says they found keys in the bucket belonging to a firm called Invertix,
which had worked on Red Disk development.
So while it's unclear who was responsible for leaving the data out there,
it seems unlikely that this is a case of deliberate leaking as opposed to simple carelessness,
but the story is likely to bring congressional and even public pressure
for intensified mole hunting in the intelligence community.
The biggest mole of them all, if in fact one exists,
would seem to be whoever's giving the shadow brokers their stuff.
We note in passing that it's been a while since anyone has heard much from the brokers,
which suggests that they've either exhausted their stash and retired to a Black Sea beach house,
or that they're husbanding their material to release when it would have its greatest effect.
An op-ed on the subject in The Hill by Carbon Black's Eric O'Neill, a former FBI counterintelligence specialist,
thinks it probable that the big mole has yet to be discovered.
O'Neill notes that it took the FBI almost 22 years before it caught Robert Hanssen,
the most notorious Russian agent known to have burrowed into the Bureau.
Misconfigurations haven't yet slowed the apparently inexorable move of sensitive information
into cloud services.
CIA continues to believe the cloud represents both cost savings and better security, and
they're not crazy to think so, but do remember that properly configuring a cloud bucket is
a user's responsibility.
Amazon and others will try to nudge you in the right direction, but haste and inattention can still ruin it all.
Apple is fixing a major problem with macOS High Sierra.
The recently upgraded operating system allows root access by typing root.
Mac users shouldn't delay fixing their systems.
Apple made a patch available this morning, and it will be automatically installing in High Sierra throughout the day.
Software containers are a handy way to package and, well, contain your code,
and they're growing in popularity.
Jason McGee is an IBM Fellow, VP and CTO for IBM's cloud platform,
and he runs down some of the advantages of using containers.
The first benefit that everyone sees is that kind of packaging benefit.
In other words, one of the real challenges in software over the years
has been when I build an application,
how do I take that application and all of its dependencies
and deliver that into another computing environment?
Whole operations teams would spend their life in setting up dependencies
and versions of software and other things. And just like in the shipping industry, when we went from loading ships package
by package to loading with standardized modules, software containers allow us a reliable way to
package up that app and dependencies and deliver it anywhere I need. So that's the first benefit,
that speeds development. It makes it easier for developers to iterate on their code and to move through the development lifecycle.
But the secondary benefit, which is, I think, even more powerful in the long run, is it standardizes how we operate software.
So I can have a common solution to scaling, to recovery from failures, to security and network configuration, to storage.
And I can apply that kind of standardized operational model across a variety of systems.
And so one of the reasons I think containers have become such a rapidly growing technology
is that they are good for developers and they are good for operations at the same time.
And so how do they strengthen your security?
They strengthen security in a whole variety of ways.
One obvious way is by running a standard operational environment, by allowing the operations team to build a container infrastructure in a standardized way, you can apply security practices kind of outside the application.
So you can configure the network that the container runs in, you know, the right firewall rules with the right packet inspection and intrusion prevention mechanisms in place,
and apply that standardized network configuration to any application that you deploy into that
environment instead of having to do it system by system and application by application. So I think
network security can become stronger because you can run in a standardized environment.
Another example would be you can standardize the software itself.
So because containers have a standard package, I can start to do things like scan those packages for known software vulnerabilities and automatically, as part of my DevOps pipeline, detect whether I'm about to deploy a piece of software into production
that has a vulnerability in it. And I can do that in a standardized way. I can sign container images
in a standard way and set up policies that say I'm not allowed to run any software in this
production system that isn't signed by this certificate authority that I trust for running
my system.
So by creating this standard package, we can wrap around it, you know, software security,
network security, permissions, standard configurations, kind of take the security best practices out of the realm of being a document and actually implement them in software and policy within
the operational system.
So if someone's looking to explore containers, they want to get into it,
what's your advice for the best way to get started?
I mean, as always, I think there's lots of materials online to help people kind of start
to get their head around the technologies. I think what most people do is actually do it for real.
Pick a project, you know, pick an actual application that you're going to use as your first foray into container technologies and start the process of containerizing that as images with Docker and then deploying that into an orchestration system like Kubernetes.
I think doing that on cloud actually makes a lot of sense because it means that as a developer, you don't have to start your journey with, well, how do I install and configure and run container software?
I can just worry about my application and let the cloud services take care of providing me the environment to do that.
That's Jason McGee from IBM Cloud Services.
Alleging information aggression from Washington, Moscow says it's going to build its own DNS.
U.S. Secretary of State Rex Tillerson this week criticized Russia for its information operations against Western targets.
These continue.
There are reports that Russia is partnering with Venezuela
to keep the Catalan independence controversy roiling in Spain.
While the ops are objectively pro-independence,
it's unlikely that the Catalan cause is close to the Kremlin's heart.
That cause is, however, an embarrassment to NATO member Spain.
Karim Baratov, a Canadian man charged in connection with the 2014 Yahoo hack, pled guilty yesterday in a San Francisco federal court.
In his allocution, Baratov admitted that his role in the crime was to
hack webmail accounts of individuals of interest to the FSB, that's Russia's foreign intelligence
service, and institutional heir to the KGB. Three of Baratov's co-defendants are at large in Russia.
They're unlikely to join Baratov in a U.S. courtroom.
The U.S. indictment of three Chinese for hacking Moody's, Siemens, and Trimble,
presumably for their intellectual property,
is directed, the U.S. attorney says, against individuals,
and that there's no allegation that the spying was state-sponsored
in the indictment itself.
That said, practically everyone reads this as a case of a front company,
Guangdong Boyu Information Technology Company,
also known as Boyusec, working for Chinese intelligence.
Boyusec was, as it happens, disbanded earlier this month.
The investigation that led to the indictment was conducted by the FBI's Pittsburgh field office,
and we'd like to say we've always liked yinz guys.
The Chinese government says it knows nothing about the affair
and wouldn't approve it even if it did.
And finally, a survey of U.S. federal hiring managers released this week
says they value four traits in prospective cybersecurity workers.
Courage, creativity, agility, and resilience.
Those are good, sure, we agree,
but maybe they're a little general to provide
useful guidance. We mean, who's going to say, hey, we'd really like to find an unimaginative
crowd, slow-footed and brittle, because we think that's the perfect fit for us here.
But anyway, polish up on your description on LinkedIn. Courageous, creative cyber professional
seeks challenging position where agility and resilience can thrive and prosper.
Sounds good.
One of our stringers reminded us of counterintelligence training he once had to sit through. The instructor hipped them all to the acronym M.I.C.E. for money, ideology, compromise, and ego,
and said that it summarized all the reasons someone would turn traitor.
An old major in the audience who'd clearly been around the block a few times, and had
reached his limit, stood up and hollered,
Hey genius, why does anybody do
anything?
But anyway, we'd all like to say, for the record,
that we're courageous, creative, agile,
and resilient. Not that we're
looking, you understand.
Stay passionate, all yinz professionals.
Joining me once again is Dale Drew.
He's the Chief Security Strategist at CenturyLink.
And Dale, our regular listeners will know that that's a relatively new title for you. You were formerly with Level 3 Communications and, of course, CenturyLink acquired
Level 3. And we want to talk about market consolidation today, something you've just been
through. Yeah, I mean, ironically enough, market consolidation and integrations and acquisitions
is very near and dear to my heart right now. And so having been
part of Level 3 that was also involved in market consolidation from a buyer perspective,
and now being part of a market consolidation as a buyee, you know, there's a ton of lessons
learned with regards to making sure that you navigate both ends of that spectrum carefully.
What kinds of things have you learned along the way?
Well, you know, I'd say that one of the advantages that you have when doing a consolidation,
at least from a security vantage point, is, you know, the hard part is sort of evaluating the culture and the risk tolerance of the other company
to make sure that the control framework they have that matches their risk tolerance, that you can sort of normalize that with your risk tolerance
to understand what controls you may want to change or what controls you may want to introduce.
So the first thing is just making sure that the culture of the risk tolerance is sort of matched
up. And then that gives you a good sort of independent view of the rest of the controls.
The other thing is to realize that you're getting capability for free. When you purchase a company,
you're able to evaluate what they've deployed and have the advantage of comparing their capability
against your capability. And it might make a lot of sense to replace some of your capability with their capability because you're going to get that capability for free. I'd say overall, the sort
of steps that I would sort of focus on is one is to understand, right? That is, utilize questionnaires
to understand the capabilities, policies, and risk tolerance. Be objective. Carefully compare
and contrast to find what needs to be improved, removed, or replaced within your own program based on capabilities from what you're acquiring.
Obtain measurements. Look for those metrics and KPIs and independent audits to validate the controls, not just based on what they're saying, but based on what's been tested.
And do that cost versus value.
We've done a lot of these where there's two sets of controls,
and they're relatively the same,
but the cost of those controls is vastly different,
either based on how the company's negotiated or the vendor they happen to be using.
And so doing that sort of value versus cost assessment
plays a huge role there.
Carefully connect.
When the companies want to start
interconnecting to be able to do all hands presentations or start sharing data or even
employees getting access to basic services like email, I'd recommend first doing sort of a data
pilot of carefully connecting. Deploy a small version of your security controls within that
acquiring company, your vulnerability scanners and your intrusion detection collectors that can sort of assess
the network as if it was your own to look for security controls that sort of match up with
your expectations before you completely open up the two. And then the last, which is not the least
important, it's very important, is to focus on talent. You know, we have a pretty strong philosophy of focusing on heartbeats, not head
count around here. And, you know, making sure that, you know, security talent is really, really hard
to find and really, really hard to grow and evolve. And so when the company comes to you and
says, hey, we're going to be combining two assets together and two companies together. And as a result, we're expecting a degree of synergy to occur, not only in cost, but in headcount.
And we want you to sort of pony up from a synergy perspective.
The security team has a little bit of an advantage in that standpoint of saying,
do you expect the security function to grow over the next eight to 10 months?
And if the answer is yes, well, it takes about
that long to find security resources. So in a number of cases, the company may give that security
group a little bit of a reprieve on synergy, because if you happen to let security resources go,
and then a few months later need to start growing your organization again, it's going to take you
eight to 10 months to be able to find the right resources. And you're typically going to be looking for the people you just let go.
You know, so it's all about the right sort of risk evaluation, risk tolerance, normalization, and talent.
That's my very recent as well as, you know, long involved tips on mergers and acquisitions.
Good advice as always. Dale Drew, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.