CyberWire Daily - Cyber espionage in Central and Eastern Europe. Cyber deterrence. Notes from Matrosskaya Tishina. Exabeam describes what crooks can get from your browser.
Episode Date: March 6, 2018
In today's podcast we hear that Fancy Bear sightings continue—Fancy seems to have settled down in Montenegro, and Germany is seeing bears and snakes. Cyber deterrence is much desired but difficult to achieve. Notes from a Russian jail. Reddit purges influence ops trolls. What criminals can learn from your browser. CFIUS puts hold on Broadcom's bid for Qualcomm. The US FDA wants to block its people from looking at adult content at work. Daniel Prince, Senior Lecturer in Cyber Security at Lancaster University, introduces himself as our newest academic research partner. Guest is Jeremy Wittkop from InteliSecure with a call for participants in their Critical Data Protection Benchmark Survey.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Fancy Bear sightings continue.
Fancy seems to have settled down in Montenegro.
Cyber deterrence is much desired but difficult to achieve.
Notes from a Russian jail.
Reddit purges influence ops trolls.
We'll find out what criminals can learn from your browser.
And the US FDA wants to block its people from looking at adult content at work.
I'm Dave Bittner with your CyberWire summary for Tuesday, March 6, 2018.
Fancy Bear isn't just bothering Germany.
Montenegro complains that it's been receiving a lot of unwanted attention from Russia's GRU over the past year.
The long-standing beef seems to be over Montenegrin membership in NATO,
never a way of getting on the good side of the Bears.
Much of the campaign is said to have been waged since January 2017,
with phishing emails baited with NATO-related subjects.
Der Spiegel, in its follow-up to reports on Russian intrusion
into German government networks,
notes that Snake, the threat actor local unofficial experts believe responsible,
has been known to be active since at least 2016, yet was still able to penetrate German defenses.
Snake is also known as Turla or Uroburos, but the German press seems to prefer Schlange.
It's generally held to be an operation of Russia's GRU.
German authorities declined to make an official attribution,
but they face calls to do something about this business, better defenses at least,
or perhaps even some form of retaliation. The damage to the German government is thought to
be limited. The target was, according to Spiegel, Department 2 of the Foreign Office,
responsible for German foreign policy within the European Union and for Germany's
relations with the countries of Europe, North America and Central Asia, including Russia.
Also facing calls to do something about Russian cyber operations in particular is the US NSA
and Cyber Command.
There are calls in the US Senate for development of a deterrence strategy in cyberspace, especially
after NSA Director Nominee General Nakasone testified last week that the U.S. adversaries
don't appear to fear American retaliation for cyberattacks.
The current going option remains sanctions, which at least have some potential to impose
costs short of a nuclear exchange, and beyond the kind of naming and shaming that results from federal indictments.
Observers think that a fresh round of punitive measures against Russia for last year's NotPetya attacks is likely.
One of that campaign's victims, Nuance Communications, estimates that NotPetya will cost it more than $90 million.
A nation-state might or might not be embarrassed by a U.S. indictment. Probably not.
The U.S., for example, generally shrugs such things off, and there's little reason to think
most other states are generally more sensitive. But one consequence of a U.S. indictment of a
foreign state-sponsored hacker on the individual hacker is restriction on travel. You're not going
to be extradited if you stay home in Russia.
And some of the indicted trolls from the Internet Research Agency have bravely said they're happy to spend the rest of their days there.
But not everyone likes that idea.
Suppose you wanted to honeymoon on, say, the Costa Brava?
Sure, the sand and sun and food are nice,
but, well, you do so at the risk of the Spanish police snuffling you up
and turning
you over to U.S. Marshals for an alternative holiday at Club Fed.
Jeremy Wittkop is the CTO at InteliSecure.
They recently launched their Critical Data Protection Benchmark Survey, and they're looking
for participants.
Jeremy Wittkop shares the story.
We've been doing data protection programs since 2002,
and we've noticed an increase in adoption of such programs
as well as the requirements of such programs as of late.
And then we started to look at the regulatory environment
and with GDPR that everyone's talking about,
but it's not just GDPR.
You have Brazil's civil rights framework for the Internet passed in 2014.
The cybersecurity law of China passed in November of 2016.
The Act on the Protection of Personal Information in Japan in 2017.
Canada passed PIPEDA in the early 2000s. that organizations have a responsibility to the general public in each of these countries to protect information that that organization is holding for those people.
And they all have very specific protections that organizations have a requirement that they need to uphold,
as well as rights that they need to confer to those data subjects.
Well, the only way to really do that well is to understand the data in your environment, where it resides, how it transitions in your environment. And that's really all about
building a program. And so we thought, as we go through, we don't work with every company in the
world. How can we take some of the things that we've learned, allow organizations to see how
are we doing with respect to critical data protection and building a program and governance
structures and all the things that we would need in place to really build any kind of program focused on
any specific type of information, whether it be compliance data or intellectual property or other.
So what we did was we put together this survey. It's really short. You can take it in five to
ten minutes. It's got some general questions. And really what it's designed to do is benchmark
against other companies and assess readiness to undertake a program. And one of the things that we've seen, these types of surveys we
used to do in consulting engagements, one of the things that we've seen be really helpful for our
champions inside of an organization is that a lot of times security or compliance or privacy is
trying to drive this in a vacuum. And the result of this survey, they can go back to the business units and the governance stakeholders that they're trying to
get their attention. And they can say, look, guys, if we want to be successful, here are the things
that we need to put in place. And I need your commitment and your buy-in and help to do that as
well.
You know, we certainly have no shortage of surveys in the industry. And I think a lot of
companies use them as much for
gathering information as they do for marketing purposes. But you all are making the point that
this survey has some usefulness beyond that.
Yeah, absolutely. For us, it's really more about
building awareness of what it takes to actually build a successful data protection program
than it is necessarily a direct marketing exercise.
We're not using these lists to call into people or anything like that. But for us, what we believe in
is these types of programs work. They're necessary. They're in the interest of national security
for all the different countries that we operate in. They're also in the interest of our way of
life as free people. And we've seen that reflected
in legislation around the world. And to that end, in order for people to continue to undertake these
programs and build on this effort, they have to experience some success. Because as people
struggle to build these programs, which a lot of people are, the reputation, the industry of the
program itself starts to be damaged. And we start to see less people embracing this, and we start to see more large-scale
data breaches, which hurt everyone.
Yeah, one of the things that caught my eye is that if you participate in this survey,
you'll get a follow-up report that'll let you know how your answers compared to your
peers.
And then ultimately, you'll be able to see the complete results of the report when that's
published sometime later this spring.
Yes, absolutely. And that's one of the things that our clients have been asking us for
for a number of years. And anything that we collect in an engagement is covered under NDA.
So we wanted to put something into a survey format where the people who chose to participate,
we could benchmark them against their peers. Because it's frustrating, I think, for my clients
when they ask me over and over again to compare them against their peers, and I can't do it because of contractual limitations
to what I can disclose.
So if people want to find out more, if they want to take a look and see if they want to
participate in the survey, what's the best way for them to do that?
They can either go to our website at InteliSecure.com and they can find it.
There's also a website for the survey itself, criticaldataprotection.com.
That's Jeremy Wittkop from InteliSecure.
A January study of Iranian state-sponsored hacking by the Carnegie Endowment
receives fresh attention as Iran's non-proliferation agreements come under closer, more hostile scrutiny.
Experts are considering ways in which Iranian hackers might also be deterred.
The country's Revolutionary Guard has also recently been fingered by ClearSky as being
involved in establishing bogus BBC and Radio Farda sites to spread disinformation. Radio
Farda is the Farsi language service of Radio Free Europe/Radio Liberty.
More charges against Russian hacking and influence operations
during U.S. elections are still expected to emerge
from Special Counsel Mueller's investigation.
One guy is ahead of the game.
Konstantin Kozlovsky is singing like a canary to Fast Company
and anyone else who cares to listen about how he says
he hacked the Democratic National Committee and the Clinton campaign.
Mr. Kozlovsky is a guest of the Russian state, currently resident in prison, what's described
as a high security facility, but security there isn't too high to keep him from chattering.
He says he developed software tools, which he calls LDCS, that enabled him to, quote,
replace information on Twitter, Facebook, Google, and leading U.S. media outlets, end quote.
And he's ready to cooperate with U.S. authorities to show them how he did it.
How he might do so from the confines of a Russian prison is unclear,
perhaps via his Facebook account,
where he manages to be quite active in between court appearances.
It's also possible that Mr. Kozlovsky's talk isn't exactly what the lawyers call
an admission against interest.
He is in the slammer not for hacking the DNC, but for cyber-robbing Russian banks.
And maybe Allentown or Leavenworth sound nicer to him than northeast Moscow.
In other influence operations fallout,
Reddit, which has concluded its platform was used for influence operations during the 2016 U.S. elections, has taken down a large number of Russia-linked accounts.
Exabeam has released a study of what attackers can learn about you and your habits from your browser. From visited sites, cookies, HTML5 local storage, saved login information and autofill,
they were able to discover accounts and devices, extract location history and derive a picture of user interests.
In industry news, citing potential security issues,
the Committee on Foreign Investment in the United States has put a 30-day hold on Broadcom's attempt to take over Qualcomm.
And finally, attention all civil servants working at the U.S. Food and Drug Administration.
Your bosses would like you to stop watching adult content on Uncle Sam's dime.
It's just unseemly and probably unsanitary.
After all, who knows where that content's been.
And it's my pleasure to welcome to the show Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome to the CyberWire.
Thanks a lot for having me on.
So as we always do, we want to introduce you to our audience. So can we start off just here,
tell us a little bit about yourself, how you got started in the business and the type of work you do at Lancaster.
So I've been associated with security research for probably over 15, 16 years now.
When I started, I primarily was delivering education training courses in terms of professional training
courses here at Lancaster University. But I have an academic background in computer networks. So
I did my PhD on mobile wireless networks, particularly programmable networks. So
networks that you could really change their configuration on the fly. And I did a lot of work with IPv6 so I did a lot of work with
Cisco and Microsoft developing the protocol implementations for them while I was doing my PhD
and then I started doing these training courses and developing new academic programs for Lancaster
University and that led me to set up and run the master's degree in
cyber security that we have here which at the time was really one of the only multidisciplinary
cyber security programs that you could do at the master's degree level because it blended technical
programs such as penetration testing, forensics and systems design with management, risk management specifically, politics, criminology,
psychology and law. So a really broad church here. And on that program, I was sort of teaching
the network elements of the penetration testing and the forensics components, and then also
teaching the risk management course. Sitting alongside that I
was developing a lot of research interests in risk management and really the sort of technical side
of computer networks and particularly security in the new sets of protocols that were coming along
and at that time that was IPv6 but also the new types of support protocols such as routing
protocols and naming protocols and all the things that sit around network communication
and trying to understand where the security vulnerabilities but also new security opportunities
might sit.
And then towards the end of five years ago, it's really started to consolidate looking
at multidisciplinary aspects of cyber
security, and that's where a lot of my interest in the human side of cyber security
really took off, real in-depth looking at the risk management aspects and the risk perception
in particular, and I'm really starting to question: are we having strong and
good robust security conversations with individuals? And if we're not, why aren't we,
and what is it about organizations that are preventing those types of conversations? So I've
got quite a broad and varied background, and along the way I picked up a number of interesting activities with various
organizations in the UK and internationally, which afforded me an opportunity to really explore
some very exciting areas in cybersecurity.
Well, welcome to the show. We're looking
forward to having you contribute. Daniel Prince from Lancaster University. Thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.