CyberWire Daily - Cloud Snooper is out and about. US states’ contracts with Chinese vendors. Voatz receives more scrutiny. Facebook’s troll hunt--no joy this time. Notes from RSAC 2020.

Episode Date: February 25, 2020

Cloud Snooper is infesting cloud infrastructure servers. A China-skeptical advocacy group draws attention to US states’ contracts with Chinese vendors that aren’t named “Huawei.” Senator Wyden would like the security company that audited Voatz to explain the clean bill of health it gave the voting app. Facebook’s campaign troll hunt comes up empty, so far, this time. And what we’re seeing and hearing at RSAC 2020. Our Chief Analyst Rick Howard discusses SASE and what he’s looking for at RSA, and our guest is Dr. Chenxi Wang from Rain Capital, previewing her panel at RSA and discussing innovations in the industry. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_25.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cloud Snooper is infesting cloud infrastructure servers. A China-skeptical advocacy group draws attention to U.S. states' contracts with Chinese vendors that aren't named Huawei.
Starting point is 00:02:09 Senator Wyden would like the security company that audited Voatz to explain the clean bill of health it gave the voting app. Facebook's campaign troll hunt comes up empty so far this time. And what we're seeing and hearing at RSAC 2020. From RSA 2020 in San Francisco, the city by the other bay, I'm Dave Bittner with your CyberWire summary for Tuesday, February 25th, 2020. Sophos reports finding a sophisticated infestation of cloud infrastructure servers hosted in the AWS cloud.
Starting point is 00:02:53 The researchers call it CloudSnooper, and they emphasize that this isn't an AWS problem per se. CloudSnooper is distinctive in the way its command and control traffic rides on top of legitimate normal web traffic, doing so in a way that bypasses many firewalls. The capability and complexity of the attack, along with its use of purpose-built malware, suggest to Sophos that the threat actor may be a nation-state, or at the very least an unusually capable criminal group. A report from China Tech Threat warns that many U.S. state procurement officials are buying risky technology from Chinese vendors. The group's report mentions
Starting point is 00:03:25 Lexmark and Lenovo in particular and urges the National Association of State Procurement Officers to help its members introduce greater security into their acquisition processes. Lexmark denied presenting any such threat, telling NextGov that the report contains inaccuracies and mischaracterizations. Lenovo hadn't replied to NextGov by the time they went to press. Lexmark may indeed feel ill-used, and China Tech Threat's warning is based not on any specific behavior on the part of either Lexmark or Lenovo, but rather on the group's observations of state purchases, the permissions the contracts give to vendors, and its understanding of China 2017
Starting point is 00:04:05 national intelligence law. China Tech Threat recommends that the states ask themselves two questions. Have procurement leaders unwittingly allowed China to access sensitive government and private citizen information? And should state procurement officials eliminate existing contracts with Chinese-owned manufacturers for the sake of maintaining data privacy and confidentiality. It's perhaps worth noting that there are Chinese companies other than Huawei and its smaller rival ZTE, and that such companies may also merit security scrutiny. But it's also worth noting that specific security bad behavior has been alleged of Huawei far more than it has been charged to other firms. Meritalk says that U.S. Senator Ron Wyden, Democrat of Oregon,
Starting point is 00:04:52 has written ShiftState Security to ask what sort of vetting the company applied to its client Voatz when it checked Voatz's voting app. The senator is particularly interested in ShiftState's reaction to an adverse report on Voatz that MIT researchers rendered on February 13th. Senator Wyden has asked ShiftState's chief security officer to provide him, by March 9th, answers to three questions in particular. How many of the ShiftState personnel who audited Voatz had experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security? Whether ShiftState discovered the same flaws
Starting point is 00:05:30 as the MIT team, and if they didn't find those flaws, could they please explain why they publicly said Voatz did well in the audit? And does ShiftState disagree with the MIT researchers' findings? If they do, why? Senator Wyden has also asked NSA, in a letter to Secretary of Defense Esper and Director NSA Nakasone, to conduct a security audit of Voatz, which suggests that he's unlikely to be fully satisfied by what ShiftState winds up telling him. Voatz has strongly disputed the results reported by the MIT researchers, so the responses, if any, from ShiftState will be followed closely. The Wall Street Journal reports that Facebook has been unable to substantiate claims by an outside researcher
Starting point is 00:06:14 that some ill-behaved supporters of Senator Sanders were in fact either Russian or Republican trolls. Had Menlo Park found evidence of coordinated inauthenticity, Facebook says, they'd have taken down the offending sites, pages, posts, and so on. Dr. Chenxi Wang is the founder and general partner of Rain Capital, a cyber-focused venture fund. This Thursday at RSAC 2020, she's part of a panel discussion titled, Do Investors Care About Cyber Risk? She stopped by our booth in Broadcast Alley to share her insights. RSA is a conference that I've been to for probably more than 10 years now, right? And it used to be just one in one building and now in
Starting point is 00:06:58 two buildings, or several years ago in two buildings now. I tend to prefer the smaller booth where you see the more early stage companies, you see more innovations, not to say large companies don't have innovation, but they're more established. You kind of know their technologies, solutions better. The small ones, you tend to find pleasant surprises, right? So new approach to solving a problem or new ways, new perspective, looking at a challenge, I find that really interesting. So I usually go to the, I call the fringe of the conference, right? The smallest booth, people can't afford to buy a big booth. Those companies I pay more attention to.
Starting point is 00:07:50 Let's say someone has that booth around the fringe of the conference and they do attract your attention and you say, let's have a meeting. What's your advice to that person? How should she prepare to get the most out of your time, not waste your time? What sort of things do you like to see in those initial presentations? Great question. So I think as a pitch to an investor, it's somewhat similar to a pitch to a potential customer, right? You have to convince them that this is an interesting solution,
Starting point is 00:08:22 that it's worth your time to dig into. And there's some nuances for investors, particularly, I'm going to talk in a little bit, but the general framework that I advise people start with is what is a problem? Why is a problem important? Why are we uniquely qualified to solve this problem? What is the shape of the solution that we bring it to you?
Starting point is 00:08:48 And then the fifth one for investors is, how big is the market? Well, here at the conference, you are going to be part of a panel discussing the question, do investors care about cyber risk? What can folks who attend that, what can they expect to hear discussed? Yes. So this is an interesting panel because the two gentlemen I'm on the panel with, one of them is an analyst from Goldman Sachs and the other one is a former CISO from Moody. So both of them sit from the position of analyzing companies.
Starting point is 00:09:29 The reason that the organizer of the panel wanted me is to add that perspective from the other side of the table versus people who are analyzing companies. And I can tell you from my perspectives of these different roles that I take on these days, investors care a lot about cyber risks. So I sit on a board of a public utility and construction company. And being a utility company, they operate critical infrastructure, right? So consumers, depending on their electricity and natural gas services, and that cannot be disrupted.
Starting point is 00:10:10 So cybersecurity is very important for that sector of the industry. And their investors, along with investors of other public companies, are increasingly asking public companies to disclose more information about what they do in terms of cyber defense. And the same thing goes with their increasing pressure on disclosing more information on environmental and sustainability issues.
Starting point is 00:10:36 And those all sort of go hand in hand. As a private investor, meaning that people who invest in private companies, we care a lot about the operation of the company, whether they take security into consideration, because at some point, as an investor, you want the company to exit, right? So that means they either become a public company, which will be under the same level of scrutiny,
Starting point is 00:11:08 or they have an exit being sold to a larger company who in the M&A process will scrutinize their cybersecurity maturity. Because of these reasons, we investors, whether it's private company investors or public company investors, all care a lot these days about cybersecurity risks. As we look towards the coming year, you know, looking towards the horizon, what sort of trends are you tracking? Where do you think from an investor's point of view, are there things that you see changing in the short term? So a few things I think are notable in terms of trends. One is the attitude and treatment towards privacy. I would say three, four years ago, you would be hard pressed to find a privacy tech company in this
Starting point is 00:11:55 conference. And I think this year you'll see more than a handful of companies that are automating privacy engineering or providing privacy services for data for data protection and those are I think a notable shift in industry right so we consumers and companies paying more attention to privacy and how to provide privacy to users is a big shift. Another thing is the general acceptance of cloud computing. Because cloud is here and is here to stay, cloud security is now a very, very visible strategic initiative for many companies. I am also looking forward to seeing more women at the conference this year. So I'm seeing a lot of new blood into the industry
Starting point is 00:12:59 and people want to take on being a security engineer or being a hacker from different walks of life, which is very interesting to us. And I'm looking forward to more diversity in this industry. That's Dr. Chenxi Wang from Rain Capital. Yesterday's big event at RSAC was, as it usually is on Opening Monday, the Innovation Sandbox. In this event, the conference honors a particularly innovative startup. They typically begin with a field of about 100 applicants, then winnow them down to
Starting point is 00:13:30 the 10 finalists who present in the sandbox itself. And yesterday, the judges selected 2020's winner. Privacy specialist Security.ai was named this year's most innovative startup in the Innovation Sandbox. Master of Ceremonies Dr. Hugh Thompson called this year's field maybe the strongest we've ever seen. The judges found the problem the company focused on, privacy, compelling. They thought the way in which regulators would drive the market in privacy solutions was particularly important, and that security.ai was well positioned to ride that market force. The company's theme is transforming privacy operations with robotic operations.
Starting point is 00:14:09 Its presentation emphasized that privacy is a basic human right, but data sprawl makes it difficult for organizations to effectively safeguard that right at the individual level. Securiti.ai argued for an approach in which privacy operations overlaid automation and orchestration atop people data intelligence. It's worth mentioning the other nine companies selected as finalists: AppOmni, BluBracket, Elevate Security, ForAllSecure, INKY, Obsidian, Sqreen, Tala Security, and Vulcan Cyber. Innovation Sandbox finalists have over the years compiled an enviable record of both effective innovation and business success.
Starting point is 00:14:50 Congratulations to them all on some well-merited recognition. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:15:35 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:16:16 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:17:06 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I am pleased to welcome to the show Rick Howard, our latest addition to our CyberWire team. Rick, always great to have you here. It's great to be here. We are here at the RSA conference for 2020. And I wanted to get your insights. Back when you were working at Palo Alto and you would come to a show like this, how did you approach it? When you were deciding what sort of tools you were going to purchase for Palo Alto
Starting point is 00:17:45 or checking out the competition, those sorts of things, how did you approach a show this big? Well, first, I just love this show, right? Because, first, San Francisco is one of my favorite cities. And this week, the weather is just fabulous. Right. So it's gorgeous. And, you know, RSA is kind of a mix between Mardi Gras for nerds and high school reunion.
Starting point is 00:18:09 Anybody that you've ever met in the industry comes here at some point in their career. That is true. This morning, exactly, I've been meeting the same person at the same corner at the same time for seven years. And we only see each other once a year, and that's what we do. Somebody needs to write a movie. So what's great about the RSA conference is everybody comes here. Every vendor comes here. And then every serious cyber defender comes here. And if you're trying to network with people,
Starting point is 00:18:34 this is a way to get a lot of things done very quickly in a very compressed amount of time. The presentations are really good, but most of the work going on here at RSA is not being done in the actual conference session. It's being done in all the hotels and all the bars around the area. So you get to talk to a lot of different vendors, and you get to talk to a lot of cybersecurity thought leaders right here in San Francisco. So that's one approach.
Starting point is 00:19:01 Make time to do those things, and it's a networking event for security professionals. Right. The second thing I would say is make time to spend on the floor. I know people kind of avoid the floor because you're going to get your badge scanned and then 1,000 emails are going to come your way. Right, right. But that's where all the new ideas are.
Starting point is 00:19:20 And just spend the day, even half a day if you can. Just go see what everybody has. And you're going to be able to see what are the new ideas, what's the same idea being repackaged, and what even the vendors that you're using, you can get the vision statement from what they're going to be doing later on. So make time to hit the floor.
Starting point is 00:19:40 You know, one of my favorite things to do at a conference like this is to spend some time around the edges of the show floor, where those little startups of, because that's where you're going to find that idea, that innovation that nobody's thought of. And they're just trying to get someone's attention to say, look, we may have a solution here. Yeah, and they're very passionate. And you learn a lot by just talking to those folks. That's the two guys and the dog in the garage team, right? Right, right.
Starting point is 00:20:05 And if it is any good, they're likely to get picked up by one of the big vendors in the next year or two. So that's where you get your first entry into all that. What about for someone who is just starting out in the field and they're walking around and maybe they're seeing some folks, names they recognize from social media, from publications and things like that.
Starting point is 00:20:28 It seems to me like they should not be intimidated to come up and say hello, shake your hand, introduce themselves, try to expand their social network that way. Yeah, virus worries notwithstanding. But everybody here comes because they want to meet the people. And everybody you talked about, all those people who are celebrities or thought leaders in our industry, they will absolutely spend
Starting point is 00:20:55 whatever amount of time they have for you if you want to come up and talk to them. And this is the place to do it, right? Because you're trying to learn and they want the new folks to do well in the industry. So yeah, please take advantage of that. Anything in particular that you have your eye on this year? Anything you have your sights set on
Starting point is 00:21:12 that you're looking to explore? Yeah, I've been studying the SASE development. In fact, when you say SASE, you should really say SASE. Wasn't that something from the Flintstones? Wasn't that Dino's girlfriend was sassy? Was it sassy? I think you're right about that.
Starting point is 00:21:29 Sorry. No. We're dating ourselves here, Rick. I'm totally going to use that in all my slides from now on, though. And I think SASE, I've been interested in it because I think it's going to disrupt how we all receive security services in the future. Okay. It's changing the paradigm. So I'm looking for people talking about that, any discussions about that.
Starting point is 00:21:50 SASE stands for? Secure Access Service Edge. It's a horrible name. Gartner coined it back last August. There have been companies delivering those services for the last three or four years, but it really hasn't caught on as a movement yet until Gartner gave it a name, so SASE. And what it really is is changing how we deliver the service. You know, when I did this back in the old days, we would build a security stack and put it everywhere our data was. We would trombone data from remote locations
Starting point is 00:22:20 back through the security stack, and it's really not very efficient. SASE is really a combination of MSSPs, but a cloud vendor that has a security stack that they manage in the cloud, but you run your policy on it. And instead of tromboning all the traffic out from wherever you are,
Starting point is 00:22:40 your first hop wherever you are is through a SASE vendor in the cloud. So if I'm a remote user at RSA, I don't run my traffic back to headquarters. I go to the local node here in California. It goes through my security stack, and then it goes to the internet if that's where it needs to go. Yeah, so it's the perfect solution, I think, for small to medium-sized businesses. And for big business like Fortune 500 companies, I think it's probably pretty good this year
Starting point is 00:23:06 for non-essential stuff. Okay. All right. Well, good insights. Rick Howard, as always, great to have you on board. Nice to talk to you. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Thanks for listening. We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:25:40 Learn more at ai.domo.com. That's ai.domo.com
