CyberWire Daily - Daily: Info ops drive hacks. Cryptowar resurgence in Europe, and more.

Episode Date: August 25, 2016

In today's podcast, we look at ways in which terrorist incidents have motivated France and Germany to seek ways of compelling encrypted messaging apps to open traffic to inspection. In the UK such incidents have also prompted a harsh Parliamentary report on social media companies' efforts to combat radicalization. Shadow Brokers leaked exploits continue to appear in the wild. Investigation continues, but observers begin to see the incident as part of a general attack on US official credibility. Assange promises more leaks of Clinton material. Ransomware appears in India and Vietnam. A new Android banking Trojan uses Twitter for command-and-control. Dale Drew from Level 3 Communications shares tips on setting up a SOC, and Ralph Sita explains how they make free training available at Cybrary. And Ashley Madison gets bad reports in three of the Five Eyes.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 to open their traffic to inspection, Shadow Brokers' leaked exploits continue to appear in the wild,
Starting point is 00:02:05 Assange promises more leaks of Clinton material, ransomware appears in India and Vietnam, and Ashley Madison gets bad reports in three of the Five Eyes. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 25, 2016. A transatlantic version of the crypto wars is flaring up in the European Union. Terrorist attacks have led German and French policymakers to rethink their national commitment to privacy and to look for ways of requiring makers of messaging applications like Telegram and WhatsApp to give security services access to encrypted traffic.
Starting point is 00:02:46 The proposed measures would be used pursuant to investigation of terrorist activity. Public sentiment in Germany continues, in general, to oppose widespread Internet surveillance, but increasingly that opposition is tempered by a willingness to accept significant exceptions in cases of terrorism investigation and prevention. Reports suggest that distaste for dark web traffic and lethal contraband runs particularly high. French policymakers have similar concerns. Jihadists' use of Telegram to promote their imminent murder of a priest during mass in a church prompted the interior ministry to call for some way of eavesdropping on Telegram conversations. Many vendors cooperate
Starting point is 00:03:25 like this already with French authorities, but Telegram is not among them. Several observers have noted that Telegram is a favorite messaging application of French legislators and executives. And it's not just encryption. Media that enable radicalization and terrorist inspiration are also receiving legislative scrutiny. In the UK, members of parliament this week took social media companies to task for enabling extremism. The House of Commons Home Affairs Committee reported on the matter and specifically called it alarming that companies like Google, Facebook and Twitter devote such slim resources to monitoring their customers' accounts for extremist content. Tech companies, for their part, point out
Starting point is 00:04:05 both their unilateral actions, notably Twitter's claim to have shuttered 360,000 extremist accounts over the past year, and the assistance they routinely provide in security investigations. Turning to international cyber conflict and its consequences, there are some developments in the Shadow Brokers incident. Researchers at Silent Signal report that a relatively easy upgrade of the Shadow Brokers-leaked ExtraBacon exploit renders it effective against newer versions of Cisco's ASA. Others, not just researchers but black hats, have found the exploits relatively easy to use. A honeypot set up by a researcher at New York University noticed the same sorts of probes Cisco honeypots have seen this week, so the leaked attack code is clearly circulating in the wild.
Starting point is 00:04:52 Security expert Bruce Schneier cites the incident as further evidence of poor U.S. government disclosure policy, and that NSA is hoarding zero days when it thinks it's the only outfit that has them. Schneier also thinks this is not Snowden stuff, that is, not the work of an arguably misguided whistleblower, but rather the work of an outsider. That outsider is widely believed, of course, to be the Russian intelligence services, and observers think the leaking reflects a new normal in which cyberattacks directly serve the goals of information operations.
Starting point is 00:05:24 In recent cases, those goals apparently center on discrediting the U.S. political system as irredeemably corrupt. WikiLeaks' Assange promises to release soon more discreditable information about Democratic presidential candidate Clinton. WikiLeaks isn't obviously connected with the Shadow Brokers, although Assange did say that some of the material wasn't news to him. More direct attacks on the U.S. election are also feared. Analysts predict direct vote hacking come November. Ransomware has hitherto most affected European and North American enterprises, but it's now being observed in both India, where a pharmaceutical concern has sustained an attack, and in Vietnam, where email vectors are carrying ransomware to potential victims. A new variety of backdoor banking trojan called Twitoor
Starting point is 00:06:11 has been discovered in the Android ecosystem. It's noteworthy in that its command and control is accomplished over Twitter. It's no secret that there's a shortage of qualified workers in cybersecurity, with thousands of jobs going unfilled. Education and training for those jobs can be expensive, and one company, Cybrary, has taken a different approach. It's made all of its online training free. We spoke with Ralph Sita, CEO of Cybrary. Seeing the maturation and the development of the physical brick-and-mortar training and classrooms being held and so on,
Starting point is 00:06:46 we kind of came to the realization that this industry is very difficult on so many ends because you have students trying to come up with money to pay for expensive classes and you have these certifications that somebody can invest $3,000, $4,000, $5,000 for a week-long class, and they become obsolete. So we kind of saw that the industry was getting very commoditized and a lot of competition, and price was a real pain point for students. So we kind of came up with the idea, hey, let's make education free, and we'll hopefully get to a point where we're monetizing it on the corporate side of it with companies to help fund our operations. And we're going to keep making education free, keep developing classes for free, and we will never charge for the education component of Cybrary.
Starting point is 00:07:47 So let's speak to that notion of skepticism. I mean, certainly everybody knows the saying, you get what you paid for, and you're providing this training for free. How do you put people's mind at ease that the training that they're getting is high quality? We get tremendous validation every day. The users, our members, they are not only vetting our product, they are proclaiming it. And you know what? When they find a flaw, they're the first ones to say, hey, you guys really messed this up, which is fine. We'll take the good with the bad. And how about the employers? When people are coming, resumes in hand and some of their
Starting point is 00:08:25 training includes Cybrary, what are the responses that they're getting? We've had a lot of good feedback on that. And just from a little bit of a different angle, we also have a spot on our website called Talent Services, where we are having these companies you're speaking of place jobs on our website. When they're using our site to recruit, there's over a million and a half worldwide jobs. There's over almost 300,000 in the United States of cyber professionals that just jobs that aren't filled. Absolutely, jobs have to be nurtured. There has to be a better grassroots effort made in getting them there.
Starting point is 00:09:04 Start it much earlier. You are a business. You are a company. You have people, instructors, and infrastructure to pay for. Where's the money coming from? We are monetizing it on the corporate side of the house. So we have developed something called Channels, which is a place where companies such as a Cisco Talos or a Tripwire, AlienVault or ObserveIT and so forth can go realizing the benefit of a rising tide, raising all ships kind of methodology. That's Ralph Sita, CEO of Cybrary.
Starting point is 00:09:55 The U.S. Department of Health and Human Services Office of Civil Rights, one of several agencies aspiring to extend its equities into cyber regulation, appears ready to undertake enforcement actions against small businesses that fail to properly protect data. Hitherto, the OCR has tended to restrict enforcement actions to breaches affecting more than 500 people. We heard from Ebba Blitz, CEO of Alertsec, who said, quote, The news from the U.S. Health and Human Services Office for Civil Rights should be a wake-up call to small business. If the OCR uncovers widespread HIPAA compliance issues,
Starting point is 00:10:30 that could mean small companies are at risk for new fines, end quote. And such fines, of course, could prove business killers. And finally, Avid Media, the corporate parent of the adultery facilitating service Ashley Madison, is in trouble in at least three countries, all of whom apparently have enough adulterers to make careless handling of personal information both a consumer protection and a privacy issue. The U.S. Federal Trade Commission is conducting an inquiry into whether Ashley Madison misrepresented itself to its customers,
Starting point is 00:11:01 and a joint report of Canadian and Australian privacy commissioners finds much to complain about in the way Ashley Madison did business. So we end with some advice on privacy in such matters. Straighten up and fly right, girls, and mostly boys.
Starting point is 00:12:49 Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, let's say I'm an organization and I'm ready to stand up my own security operations center. There's a lot that goes into that if I want to build my own SOC. You all have a lot of experience with that. What are some tips that you can provide for someone
Starting point is 00:13:34 who's thinking about building their own SOC? You know, we've been on sort of a marathon run in building security operations centers throughout the globe. And we have five operation centers up and running today. And, you know, we've built a sort of a practice methodology on how to create and operate a security operations center. And, you know, I'd say the major sort of lessons learned for us are, you know, in the area of staffing and training and ownership. And what I mean by that, from a staffing perspective, we've had a lot of success in hiring non-security experts. What we tend to do when we build a SOC is we hire some core baseline security expertise to be sort of the foundation of the SOC infrastructure. And then we hire a lot of SOC analysts who don't necessarily have to have SOC training or SOC
Starting point is 00:14:33 expertise because we provide them with training and certification sort of on the job. We've had tremendous success in hiring SOC staff that has financial and musical backgrounds because they're able to take chaotic environments and seek out organization of that chaos. And in an incident response sort of environment, that is sort of fundamental and key. And that becomes a much more important skill set baseline than the security baseline. It's much easier, turns out to be much easier for us to train them on security than it is to train them on the fundamentals of how to have an incident response sort of mindset. The other one I'd say is keeping up to date on trends and keeping up to date on best practices. And we do that by visiting other companies who operate security operation centers and not only imparting our wisdom on them, but also getting from them
Starting point is 00:15:33 what works well for them and what does not work well for them and incorporating some of those best practices into an ever-evolving sort of SOC mentality. So the key to managing your risk portfolio is not only just a good technology center. It's also having the staff that can identify and respond and mitigate quickly to those threats. And so security operation centers are becoming a much larger component in the security arsenal for CSOs these days. All right, Dale Drew, thanks for joining us.
Starting point is 00:16:25 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.