CyberWire Daily - Daily: An insider threat deadline approaches. Lawful intercept tools from Italy. Carbanak moves to new targets. Security policy in Germany and the US. A guilty plea in the TalkTalk hack.
Episode Date: November 16, 2016

In today's podcast, we hear about some lawful intercept tools that have been found prospecting Android. Synack calls shenanigans on Shazam, but maybe no harm, no foul. Carbanak turns from banks to hospitality. Insider threats and how to mitigate them—if you've got a facility clearance, you've got a deadline coming up, and Steven Grossman from Bay Dynamics explains what it means. Arlington Capital merges three of its companies into a new cyber shop, Polaris Alpha. Symantec is rumored to be sniffing at LifeLock. Cyber policy discussions in Germany and the US sound a lot alike. Jonathan Katz from the University of Maryland explains the pros and cons of photonic encryption. A teenager cops to the TalkTalk hack, and, if you're asking for a friend, the tally of accounts affected by the AdultFriendFinder breach hits 412 million.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Synack calls shenanigans on Shazam, but maybe no harm, no foul. Insider threats and how to mitigate them.
If you've got a facility clearance, you've got a deadline coming up.
Arlington Capital merges three of its companies into a new cyber shop.
Symantec is rumored to be sniffing at LifeLock.
A teenager cops to the TalkTalk hack, and if you're asking for a friend,
the tally of accounts affected by the AdultFriendFinder breach hits 412 million.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 16, 2016.
A new strain of lawful intercept spyware appears to be targeting Android devices.
The manufacturer is not Hacking Team, however, as some had initially suspected.
It's instead thought to be a different Italian company.
But attribution remains both circumstantial,
based on some apparently identifying names in the code, and preliminary.
Synack points out that the Mac version of the music-identifying tool Shazam keeps recording even when it's switched off.
It just stops processing.
Shazam says this is a benign behavior,
but that out of sensitivity to user concerns,
it will update its software in a few days.
The Carbanak cybergang known for attacks on banks
has turned its attention to the hospitality sector.
Trustwave has a rundown on the criminal campaign,
which still begins with social
engineering. Carbanak, also known as Anunak, is thought to have skimmed around a billion dollars
from banks, so the threat is not to be taken lightly. Social engineering notoriously is able
to turn good people into insider threats. The insider threat phenomenon is getting a lot of
attention this month, particularly in the United States,
where a change to the National Industrial Security Program, NISPOM, mandates new measures companies must take to secure classified information. On May 18, 2016, the Department
of Defense issued Change 2 to NISPOM, and this is significant because it requires contractors
to implement an insider threat program no later than November 30, 2016.
We're of course just two weeks away from that deadline,
and yesterday the Chesapeake Regional Technology Council convened a panel of experts
on the insider threat at the Chesapeake Innovation Center in Odenton, Maryland,
to give companies some perspective on what NISPOM Change 2 means to them.
In outline, the requirements seem simple
enough to state, as Tanager's Mike Miller laid them out at the forum. First, establish an insider
threat program. Second, designate an insider threat senior official who must be an employee,
a U.S. citizen cleared in connection with and to the level of the facility clearance.
Report insider threat information to the cognizant security authority, train relevant personnel, provide pertinent records, and implement protective measures.
But as always, the devil is in the details.
Sean Thompson of the Insider Threat Management Group pointed out that insider threat management has significant cultural implications for any business.
Privacy, human resources policies part because law and regulation are complicated
and often operate at cross or at least competing purposes.
Keith Moulsdale of Whiteford Taylor Preston told us,
quote,
Indeed, the laws are complex and daunting.
If only the federal government would step in with an omnibus law and put us all out of our misery.
Which we think he meant in a good way, as in good nutrition and a roof over our heads, not euthanasia.
Moulsdale went on to say, In the meantime, the best advice for a small USA business is to keep in mind that written notice,
coupled with express consent, solve most but not all
privacy-related risks arising from industry-standard data security programs implemented in the
workplace. We also checked in with Stephen Grossman from Bay Dynamics for his take on NISPOM Change 2.
The NISPOM 2 changes that are going into effect at the end of November
are an important step in the right direction. What it does is it raises visibility, and it highlights the importance of the insider threat.
It's a great first step in that they're advising and implementing training
and monitoring of contractors by their employers,
that is the consultants or the other firms that are employing them.
And that's a great first step to be able to identify people that may be a potential insider threat.
The important next step for them to take is to connect the dots between that behavior that that employee is doing
for their employer, for the contractor, with that that they're doing on the client side.
That is, when they're on the government network and they're working on the government's platform
and on-site at the government's offices,
that they'd be able to monitor the behavior there and connect the dot with what's going on back at
their own employer so that you have a full profile of the person and you understand what's going on
across the board. And what that does also is that enables you to distribute the load of
monitoring and security, incorporating your partners and your
consultants who have a vested interest in making sure that they're doing the right thing for you
as well. When people fall short despite their best efforts, where are the areas where they
usually have trouble? That's a great question. I mean, it's a difficult challenge in that very often people
are not tripping alarms. They're not violating policies necessarily. They may just be doing
things that are out of profile for themselves. And so what we've found is very often it's
left to the SOC, the operation center, to kind of figure it all out. And the SOC is
missing a very important piece of the puzzle, and that is business context.
And so a SOC operator who's responding to a potential insider threat may see a tool
like our own or others that are identifying unusual behavior.
What they're often missing is the business context of whether that unusual behavior is
really bad or whether that unusual behavior is really truly unusual.
And the only person that really can provide that is the person who has the understanding
and the knowledge of the application, that being the application security owner.
The other area that very often companies fall short is connecting the dots between that
insider threat and their assets and their data, as well as the vulnerabilities on the system,
to be able to really provide a complete view of risk.
User activity in isolation is just user activity,
and user behavior analytics just adds more alerts to the pile
if not put in the right context of business and vulnerabilities.
That's Stephen Grossman from Bay Dynamics.
In industry news, Arlington Capital, advised by the Chertoff Group, assembles a new cybersecurity firm, Polaris Alpha, from EOIR, Intelligent Software Solutions and Proteus Technologies.
The new company's headquarters will be divided between Fredericksburg, Virginia and Colorado
Springs. Elsewhere, CRN reports rumors that security company Symantec may be considering buying
the identity protection shop LifeLock for as much as $2 billion.
In policy news, Germany's new cybersecurity strategy is attracting attention in Berlin
and elsewhere.
It appears to exhibit familiar tensions.
Calls for public-private
partnership, but without clarity about how such might be realized, and a simultaneous commitment
to both widely available strong encryption and to the ability of security and legal agencies
to access communications in cases of need. How that latter circle might be squared remains to be seen.
In the U.S., NSA Director Rogers reiterates his
long-standing call for closer cooperation between the intelligence community and private industry.
And as the transition team gets down to business, lobbyists are already approaching the incoming
administration to advocate strong encryption and limits on surveillance. A British teen has copped
to the TalkTalk hack. The 17-year-old boy, whose identity
is decently shielded by Her Majesty's law, will be sentenced next month. He apparently told a friend
he was in big trouble on the day of the hack itself. Events have proved him, sadly, right.
Finally, the tally from the AdultFriendFinder breach has been creeping up,
reaching a reported 412 million
if you're keeping score at home. Spread the word among your 412 million friends.
technology magazine, and it was called Cryptography Could Get a Boost from Photonic Technology.
It looks like some researchers were trying to do some cryptography making use of light.
What do you make of this?
Well, I only took a look at the news article.
I haven't looked at the research paper on which the article is based.
But from the look of it, it sounded like what they were trying to do is to do cryptography
in a continuous domain using light and using physical properties of light rather than what we typically do, which is to think about cryptography in a digital domain where the ciphertext just consists of zeros and ones.
In the continuous domain, does that mean there are more variables that you can use to get your randomness, if you will?
Yeah, you can think about that. I mean, basically, the key that the two parties would share
would now be chosen from a continuous set of possibilities,
which gives you more possibilities for that key,
thereby presumably making it a little bit more difficult
for an attacker to attack.
Other than that, however, it seemed to me,
as far as what I could read in the news article,
that they were essentially doing something very similar to the one-time pad, which is a classical scheme that goes back to Shannon in the 1950s.
So in the article here, it says that they did attack the system. Did they have any success?
They did. I mean, what's interesting is apparently there's been some research going on in this area for a couple of years.
But it looked to me, again, like these attacks were very similar to known attacks on the one-time pad.
They were basically allowing the researchers to learn the key after observing a couple of encryptions of known plain text.
And also to learn the key after a couple of decryptions of known ciphertext.
And these are all kind of standard attacks that have been applied in the digital domain to the one-time pad. And it looks like now they're just applying it to the continuous
domain as well. Let's dig in a little bit to that. Can you sort of describe to us what's the
difference between the digital domain and the continuous domain? Well, in the digital domain,
you have data just represented by a sequence of zeros and ones. So, you know, your message will
be represented by a bunch of zeros and ones, your key would be a bunch of zeros and ones, and then the ciphertext that you get from encrypting
would also just be a sequence of zeros and ones. And this, of course, is how we think about things
being stored on a computer and being transmitted over the internet. But, of course, it's also
possible to have things in the continuous domain, right, where basically something that you measure
can take on, say, any value in a given range
and not limited to a finite set of possibilities.
So you think about, just as an example, measuring the wavelength of light.
So the wavelength of light is not limited to some discrete set of possibilities.
Instead, it can take any value in a very large range, actually.
And so you can imagine packing more information into that light than we can do with digital information. But of course, this also means that you need physical
mechanisms to store and transmit that information, and you can't easily store it in a computer or
transmit it on the computer networks we have today. So at some point, that information from
the continuous domain, would it have to be converted to a digital domain? Well, most likely,
for practical scenarios, it would have to be. I mean, in principle,
right, you could just imagine having somebody look at it at the other end, but that's not likely to be very useful. So yeah, you're right, that ultimately, you would probably have to start
with it in a digital domain, and then transfer it, transform it to a continuous domain. And then at
the other end, similarly, you're going to receive something, and then convert it back to the digital
domain for further processing by a computer.
So it's true, actually, that from that point of view, everything ultimately nowadays is
going to end up back in the digital domain.
All right.
Interesting stuff.
Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.