CyberWire Daily - Cyberspace and "Cold War Two." Who's leaking to WikiLeaks? Wishbone breached—warn the kids. Crimeware-as-a-service. The Active Cyber Defense Certainty Act.
Episode Date: March 17, 2017
In today's podcast, we hear about observers who look around and think they may be seeing Cold War Two in cyberspace. (But this is no bipolar conflict.) Investigation into Vault 7 continues as people wonder where WikiLeaks gets its leaks. The quiz app Wishbone has been breached—take it as a teachable moment with the children. Fileless malware gets quieter as researchers get close to the cyber gang. A cloud-based keylogger is getting ready to take black market share. Palo Alto Networks' Rick Howard describes a capture-the-flag collaboration. Futurist Brian David Johnson explains Threatcasting. The proposed Active Cyber Defense Certainty Act. And what we're seeing at a policy competition.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Observers look around and think they may be seeing Cold War II in cyberspace,
but this is no bipolar conflict.
Investigations into Vault 7 continue as people wonder where WikiLeaks gets its leaks.
The quiz app Wishbone has been breached.
Take it as a teachable moment with the children.
Fileless malware gets quieter as researchers get close to the cyber gang.
A cloud-based keylogger is getting ready to take black market share.
The proposed active Cyber Defense Certainty Act,
and what we're seeing at a policy competition.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, March 17, 2017.
An increasing operational tempo in international cyber conflict induces some observers to see the beginning of a new Cold War.
Poland sees an uptick in attacks on sites in that country that have some connection with U.S.-Polish combined operations.
Many of those sites belong to towns and cities that have hosted U.S. forces.
Nor are smaller countries immune.
Luxembourg's government reports to Parliament that it's seeing more attacks by state-sponsored actors than it formerly did.
It's worth mentioning that Luxembourg is a country that tends to punch above its 999-square-mile size, with an active CERT and institutions that play an important role in the international economy.
If this is indeed a new Cold War, cyber operations' low barriers to entry and the disparate national interests in play make Cold War II much more multipolar than the original was.
See the U.S. indictment of FSB officers in the Yahoo hack, but see also recent Turkish operations against sites in the Netherlands and Germany.
One similarity a new Cold War seems to bear to the old one: much of the chill is manifest in propaganda, now called information operations.
One difference may be the convergence of information operations with covert and clandestine work.
A Washington Post op-ed looks at WikiLeaks' Vault 7 and believes it discerns the root cause of the U.S. intelligence community's security problems: too many contractors.
But exactly how this amounts to a weakness in practice isn't really specified.
The lede, that there have been a number of leaks traced to government personnel, is buried.
Chelsea Manning, formerly of the United States Army, is mentioned in passing as one counterexample.
One might also consider that leaks concerning Stuxnet emanated from some senior government officials.
Turning to cybercrime, the popular quiz app Wishbone has sustained a breach.
2.2 million email addresses and 287,000 mobile numbers, many if not most of them belonging to teenagers, have turned up for sale in dark web markets.
Wishbone said that the information exposed includes usernames,
real names or nicknames provided during registration,
email addresses and telephone numbers.
Optional information that was also exposed includes dates of birth,
but Wishbone says no passwords, user communications or financial account information were compromised in the incident.
Third-party researchers, however, say they've also seen gender among the lost data.
The incident should provide parents with further incentive to warn their children
of the dangers of online data aggregation and identity theft.
Children and teens are unlikely to readily appreciate the risk of someone, for example, opening accounts with their identity, and they'll need coaching against the temptation to overshare online.
Morphisec believes it's traced recent infestations of fileless malware to a common threat actor.
The security company doesn't name names, presumably because it doesn't know them, but it's confident there's a single actor or group working from a single platform.
Kaspersky and Cisco's Talos group have been tracking the PowerShell exploit closely.
FireEye calls the criminals FIN7 and reported that they were targeting individuals involved in filings with the U.S. Securities and Exchange Commission.
Morphisec engaged the criminals and sought to win their trust, but this seems to have spooked the hoods into at least temporary inactivity.
Palo Alto researchers see NexusLogger, a cloud-based criminal keylogger, taking growing black market share.
That share is still low, as NexusLogger has only been observed in a few incidents, about 400 attacks, but since it's a cloud-based crimeware-as-a-service offering, it can be expected to proliferate rapidly, especially among less skilled criminals.
There's been some recent talk in the U.S. about draft legislation being circulated in the House of Representatives that would authorize certain forms of hacking back, mostly by companies working on attribution and cooperating with law enforcement.
This proposed Active Cyber Defense Certainty Act would permit victims to access an attacker's computer without authorization, but only to gather information the victim would then share with law enforcement.
It's an interesting proposal, but inevitably arrives with some controversy.
We heard some comments from Plixer's CEO Michael Patterson, who's particularly concerned that attribution is so complicated by spoofing that innocents could be targeted.
On the other hand, for certain kinds of attacks, the packet is the punishment, as we've been hearing today down at American University.
That's right, we're down in Washington today at American University for the Atlantic Council's Cyber 9/12, a cybersecurity competition that focuses on policy as opposed to the more customary and technical capture the flag.
The scenario, set in 2018, is built around a fictitious but interesting bill, the imagined Cyber Marque and Reprisal Act of 2018.
It's timely and interesting.
We hope to be able to share the results with you early next week.
In the meantime, stand by to repel boarders.
And joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks,
and he also leads their Unit 42 threat intel group.
Rick, welcome back. I wanted to touch base on a subject you were eager to talk about, the UAB CTF contest. Fill us in. What is this about?
of February, Palo Alto Networks and the University of Alabama at Birmingham, I know that's a lot of words to string together, we sponsored our first ever joint capture the flag contest designed to inspire high school students to pursue a career in cybersecurity.
So Palo Alto Networks put up $20,000 of scholarship money and UAB, under the watchful eye of Gary Warner and his excellent faculty and staff, organized the event.
Now, you and I have talked about this before. I heard this on the Cyber Wire many times.
Everybody knows there's a shortage of good cybersecurity talent.
It is especially true when you consider that the minority populations, especially women, are almost non-existent in our field compared to the males.
I was looking up some stuff before the event, and according to Forbes magazine, just 11% of the cybersecurity workforce are women compared to about 50% from the general professional workforce and 25% of the IT workforce.
So that's not good.
No, and it doesn't seem to be getting better. In fact, it seems some of the stats that I've seen have shown that we're actually losing
women. I know. And we're trying to figure, scratching our heads and trying to figure
that out. And it's worse when you consider the minorities in women. You're talking about Native
Indians and Hispanics and blacks. The American Association of University of Women says that
picture is stark. So that's the bad news. The good news, though, I think, is that there's a
giant opportunity for women in the cybersecurity field. But the question is, how do we convince
them to pursue it as a career? Now, I've talked to a lot of folks about this, and some of us have
a pet theory that says if we are approaching women as they enter college about these opportunities, that is way, way too late.
What we think we should be able to do is reach further down in the education stack to capture their interest at an early stage.
So Saturday's Capture the Flag contest was the first experiment on the way that we might do it.
Now, this was just a first step, right?
The winners of the competition, as they matriculate up to UAB for college using the Palo Alto
Network scholarship money, we will engage with them each year, you know, presentations
and social events and industry activities, that kind of stuff.
And when they graduate, we'll pursue them to offer them jobs if they want to come work
for us. So we're going to tweak the contest and try to expand it next year. But it was a good
first start. And I'm very happy about what we're trying to do there. All right. Every little bit
helps. Rick Howard, thanks for joining us.
director of the Threatcasting Lab, and a futurist and fellow at Frost & Sullivan, a strategic consulting company, as well as being an applied futurist.
Our interest in him comes from his involvement in the Threatcasting Lab,
a program from the Army Cyber Institute and Arizona State University.
They recently published a report called A Widening Attack Plane,
based on their most recent workshop last fall.
Threatcasting really started about 10 years ago. As a futurist, I work with organizations to look 10 years out into the future, and based on a number of different inputs, model both positive
and negative futures. As a part of this, I started doing this thing called threatcasting,
and I was working at that time with the United States Air Force Academy, training their cadets
to take this broad
range of inputs and look at possible threats, but not only say these could be the threats in the
future, but to turn around and look backwards and back cast and say, how do we disrupt, mitigate,
and recover from these threats? And so take me through the process. How does it work?
So we begin by looking at a broad range of multidisciplinary inputs. What's the
social science, the ethnographic and social science background of the actors who are involved?
From a technical research standpoint, what will technically be possible 10 years from now?
We look at cultural history. Cultural history is incredibly important, not only for the people and
the cultures you're looking at, but also for the organizations that you'll be working with. We look at economics. We look at a little bit of trend work. We also do
global interviews where we go and talk to people who are actually making the future. And then we
also use a little bit of science fiction, science fiction based on science fact to model this out.
And we take all of those, and I get together in a room full of practitioners, we take
all of those inputs and we model both positive and negative futures. So we look at the possible
threats and say, well, what's the best way that threat could happen? What's the worst way that
could happen? And then we turn around and look backwards and say, well, here's an event. An event
is the physical or digital instantiation of the threat. And then we model, okay, how could we disrupt, mitigate, or recover from that threat?
And then we also think about who are the different people in the broader ecosystem, whether that
be government, military, academia, private industry, what steps does each need to take
to really secure from that threat?
Can you take me through who the players are and what are the things that they all bring to the table?
For the threatcasting that we did in August at West Point,
we had a large component of the Army. Again, this was very specifically looking at what does the
Army need to do. So we had a large representation from the Army. We also had a representation from
private industry. We had people from places like Citibank, USAA. We had also folks from
different parts of academia. So for myself, from Arizona State University, but we also had people
from California College of Art. We had people from Carnegie Mellon. And then we even had some
science fiction authors. We had one of the creators of X-Men. And so we wanted to make sure that we
filled the room with different perspectives. That's one of the most important parts of the threatcasting.
Though, Dave, what I should say is what we learned in August and what is in this final report is the requirement that we needed to have a much broader participation of people.
We began to see very quickly that we're seeing a widening of the attack plane. That's actually the name of the report,
is a widening attack plane, that really there's a wide swath of threats that the DOD and the military really can't do anything about. There's certainly things that they can do,
but we're beginning to see that we need a broader participation from private industry,
from trade associations, from academia, and actually even from private citizens, that
everybody has a role to play. And that's really why, as we start to move into the next phase of
the project and start to do more of these based in the Threatcasting Lab, we're trying to bring
in more and more people as a part not only of the modeling process, but also then implementing that
in the real world. So what does this process provide in the end?
What does it provide for the military?
What does it provide for those of us living our day-to-day lives?
How does this inform what we can do going forward?
I think there's multiple ways.
Specifically, the work of the Threatcasting Lab is really kind of a think tank.
That's the best way to...
That what we do is we convene a broad group of people, bring them together,
use the threatcasting process to model these possible threats, to look backwards and say,
what action do we need to take? And then be able to give them to those organizations. So to give
them to the military so they can begin to take action, to give them to private industry so they
can take them in and take action, to give them to academia so that they can create courses to prepare the next generation, or even to give
them to industry trade groups so they can begin to create more training and certification.
The whole point is to model the threats and create enough detail so that we can have people
take action. And that's really one of the requirements of sort of participation
in the lab is you need to be able to take it back and take action to better secure your
business, to better secure certainly the nation, to better secure states and ports and things like
that. It's very, very specific. But another thing that we called out that was very important is
to understand that for the average citizen, I think for the average citizen that many folks in the press and many folks in industry and research have done a terrible job
looking at the future and talking about cyber threats and digital threats. Oftentimes for the
average individual, it is seen as scary and insurmountable. And I think this is a disservice
to the average people, to average folks who really want to take action.
So one of the things that the threatcasting process is really looking to do is to demystify it, to show that you can do this type of work.
You can look out and even as an individual, you can take very specific actions so that we are empowering both individual people in the public, but we're empowering everybody else to actually go and really make themselves more safe and secure.
That's Brian David Johnson, a futurist from the Center for Science and the Imagination at Arizona State University.
You can find the Threatcasting Report, Widening the Attack Plane, by searching online for Army Cyber Institute Threatcasting.
Bittner, thanks for listening.