CyberWire Daily - Daily & Week in Review: Election hacking, OS X patched, cyber saber-rattling, finding security talent, and more.

Episode Date: September 2, 2016

In today's podcast, we discuss Apple's patches against the Trident zero-days, and review what the press is saying about the cyber arms market. Policy wonks and politicians speak in favor of cyber offense, and militaries speak up for nuance. Election hacks continue, this time in Hong Kong. How companies and governments adjust to a difficult cyber labor market, with insights from Level 3's Dale Drew. Gene Stevens from ProtectWise explains the contribution of interface design to security. Responsible disclosure, stock shorting, and the importance of cooperation between vendors and researchers. A quick look at the week in the security industry. More old breaches show it's a bad idea to reuse passwords. And Guccifer gets four years.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:20 Apple patches Safari and OS X against Trident zero-days. The press takes a look at the cyber arms market. Policy wonks and politicians speak in favor of cyber offense, and militaries speak up for nuance. How companies and governments adjust to a difficult cyber labor market.
Starting point is 00:01:57 The contribution of interface design to security, responsible disclosure, stock shorting, and the importance of cooperation between vendors and researchers. And Guccifer gets four years. I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, September 2, 2016. In response to discovery of the Trident zero-days and their exploitation by spyware kits, Apple last week patched iOS.
Starting point is 00:02:33 Yesterday, Cupertino pushed out patches to OS X, both Mavericks and Yosemite versions, and to its Safari browser. Users are advised to update their systems. The threat of exploitation is both clear and present. Lookout and Citizen Lab exposed the Trident zero-days early in August when their investigation of an Emirati activist's iPhone revealed a Pegasus infestation. They disclosed the bugs quietly to Apple, then to the world when Apple patched iOS. Companies who develop and sell lawful intercept products continue to receive the attention of the industry press. Motherboard has reported obtaining what it regards as a window
Starting point is 00:03:05 into the government market for hacking tools. Motherboard is running a story on a catalog from an Indian firm, Aglaya, the magazine obtained. The brochure offers weaponized information. Some of the products and services on offer involve surveillance, others security, still others manipulation of search results, for example, tools for information operations. Aglaya says the brochure was an offer to one specific customer. Motherboard notes that the company isn't a large one, but it believes the prospectus isn't atypical of the wares being sold in that government marketplace. That's government with a small g. Many countries' security services at least browse the stalls in this particular market.
Starting point is 00:03:44 Some surprisingly bellicose talk about cyber warfare came from North America this week. Canadian media are discussing a call for offensive cyber capabilities issued by John Adams, the former head of that country's Communications Security Establishment. Adams argued in a July paper that Ottawa would be negligent were it to forego development of cyber weapons. In his view, Canada should expect to be attacked in cyberspace, and it will need a retaliatory capability. In the U.S., presidential candidate Clinton promised that if elected, she would respond militarily to cyber attacks. Speaking Wednesday to the American Legion, the largest U.S. veterans association,
Starting point is 00:04:29 candidate Clinton specifically put Russia, China, North Korea, and Iran on notice. The promise was, we note, of a military response, not necessarily a lethal or kinetic military response. And we also note that the U.S. Department of Defense and intelligence community have been offering a more nuanced take on cyber conflict, observing that there are distinctions to be drawn among crimes, espionage, and acts of war. Such distinctions tend to blur in the heat of political discourse. The U.S. Army's Cyber Command earlier this week offered an interesting perspective on cyber conflict. Unlike intelligence collection, which should be quiet, the soldiers say, offensive cyber operations ought to be loud, unambiguous and unmistakable.
Starting point is 00:05:07 U.S. elections aren't the only ones being targeted in advance of voting. FireEye says that APT3, the Chinese cyber espionage group, has spearphished its way into at least two Hong Kong agencies involved with Sunday's upcoming elections in the city. Looking back at the week's industry news and rumors, the labor market for pen testers is very hot. Companies continue to have difficulty finding security talent. So do governments.
Starting point is 00:05:33 The U.S. Department of Defense is said to be looking for recruits who look more DEFCON than they do G.I. Joe or G.I. Jane. A bit later, we'll hear from Level 3's Dale Drew about how his company has found some creative ways to approach staffing. Colorado-based LogRhythm picked up $50 million in investment this week. Publicly traded security companies continue to jockey for position in the stock market as traders look for value in results, expectations, and new directions in corporate strategy. One hedge fund, Muddy Waters Capital, and one security company,
Starting point is 00:06:05 MedSec, engaged in a controversial bit of disclosure, reporting vulnerabilities in St. Jude Medical pacemakers, then shorting St. Jude stock. St. Jude says the research is shoddy and stands by both its products and the company's commitment to patient safety. Reaction to the Muddy Waters and MedSec move has been decidedly mixed. The big rumor at week's end is that Hewlett Packard Enterprise is said to be hawking its software business to Thoma Bravo, hoping to realize between $8 and $10 billion from a sale. Reuters cites people familiar with the matter as its authority for the story. Concerns about cybercrime continue to focus on ransomware.
Starting point is 00:06:43 Familiar variants and vectors continue to work damage, and as always, good backup is prudent. F-Secure reports finding a firmware vulnerability in Inteno EG500, FG101, and DG201 routers. The company says that other models may also be affected, but that Inteno hasn't been willing to cooperate with F-Secure in checking for the bugs. We heard from Tripwire's Craig Young, who commented on the benefits of vendor-researcher cooperation. Quote, routers indexed on Shodan with publicly available exploits. Routers are in control of so much data and expose a great deal of attack surface, yet they are one of the most overlooked elements in home security.
Starting point is 00:07:31 End quote. And finally, Guccifer, that's the actual Guccifer, Marcel Lazar, of political pwning fame, and not the Guccifer 2.0 sock puppet shilling for Cozy Bear and Fancy Bear, has received his day in court. He'll be serving four years in a U.S. prison.
Starting point is 00:09:51 Joining me once again is Dale Drew.
Starting point is 00:10:51 He's the chief security officer at Level 3 Communications. Dale, it's certainly no secret that there's major staffing shortages in the cybersecurity industry, but you all have come up with some methodologies that are pretty clever to try to deal with some of these shortages? You know, trying to identify qualified security personnel to place them within a security practice is becoming more and more challenging as that market becomes more and more demanding. And so we've had to absolutely be creative in being able to find the right talent with the right culture and the right mindset to be able to provide continuing and evolving security capability to our company. And so, you know, one of the things that we've learned over this is to identify the mindset that we're after, not necessarily the security training, but the mindset that we're after and how we can adapt that mindset to more of a security mindset.
Starting point is 00:11:46 So we've had a tremendous amount of success in hiring musicians as an example. And so we have found that musicians have a very unique capability of sort of identifying organization through chaos. They're able to see patterns. They're able to take a lot of sort of chaotic structure and create organization around it. Same thing with people who have a financial background. They're able to sort of dive into the minutia
Starting point is 00:12:18 and provide structure and organization to activities, whether it's an incident response issue, whether it's forensics or log analysis. So we've been able to take that sort of capability and sort of reorient them and retrain them on a security mindset. And we've had a tremendous amount of success. I'll also say as well, and this is more of a generic category, but millennials in general, they come to the table with sort of a passion and an eagerness to be able to take on chaotic situations and non sort of structured and well-formulated processes and be able to create that structure and that organization themselves. So we've taken people from a millennial mindset
Starting point is 00:13:08 without any security training and had a tremendous amount of success in getting them adapted to the security structure. Dale Drew, thanks for joining us.
Starting point is 00:13:49 My guest today is Gene Stevens. He's the chief technology officer and co-founder of ProtectWise, a cybersecurity company out of Colorado. ProtectWise caught our eye at Black Hat earlier this year, and I mean that literally. It was their unusual user interface that made one of our editors stop in his tracks to check them out. After the show, I caught up with Gene Stevens to learn more about ProtectWise and why they think user interface design is an important component of cybersecurity. We focus heavily on the network, but we are building a
Starting point is 00:14:40 large-scale platform that is delivered from the cloud that allows us to absorb a lot of the signal more widely across the entire enterprise. One of the things that caught our eye when we saw your product at Black Hat this year was the interface itself. In a world of command line interfaces, you all have taken the trouble to build something that is actually, I would say, quite beautiful. Absolutely. That was a top priority for us. Visualization is a core product. It's not an afterthought. We live in a market that is, you know, a lot of securities, pieces of software, a lot of point products are very much organized.
Starting point is 00:15:16 They look like a Linksys router, you know. And so we wanted to differentiate in that space and try to excite the imagination and the level of interest, that beauty, that sense of form and function being well unified. And we wanted to create something that generates also like a sense of identity and attachment to the system and the technology that you use on a daily basis, make that very pleasant for people. And so for us, we went deep on this.
Starting point is 00:15:40 Actually, we went out to Hollywood and met a guy who was the lead designer for Digital Domain in Hollywood and did the creative direction for movies such as Tron Legacy, Terminator Salvation, that Oblivion movie with Tom Cruise, Morgan Freeman. And look at all the sci-fi interfaces. And from the audience perspective, and I know I have done this many times, I look at it and so, wow, technology does not work that way. But can't you imagine? Wouldn't it be neat to live in a place, you know, in a future state where that stuff was real? And so we thought to ourselves, well, why can't it be? Why can't we create something like this and use it to help reinvigorate enterprise security and help also shift that psychology, that sentiment away from that cynical sense that our products are weak,
Starting point is 00:16:27 they're modest, they're not very engaging, they miss a lot of stuff and say, I can imagine a future state for myself, my architecture, my team. We wanted to do that in a beautiful manner. You know, it kind of reminds me of the old days with the old Mac versus Windows debate, where people would say that the graphical user interface, there were people who would turn their noses up and say, well, that must be a toy if it looks good. Do you ever get that sort of response from people? Not very often, believe it or not. I am actually somewhat surprised on the warmth of the reception up front. We felt like we would have to fight more cynicism to say, but trust us, it really works, you know, that kind of idea. And I want to be very careful and say that we do not disregard the command line. In fact, I have command line terminals on my desktop right now. And if you're amongst our
Starting point is 00:17:15 engineering team, you'd see a lot of command line out there. And a lot of security happens at that level. But what we wanted to do was put something on top of that that brought forward in a very straight manner the power of that kind of functionality, but in the workflow and team and collaboration opportunities that you can do in these graphical environments. And then to couple that with saying, hey, instead of showing me like the top five or top ten things in my very large surface area that I need to be focused on, which is all oriented around how much data can we hide from you.
Starting point is 00:17:48 We decided to take on a visual metaphor that said, well, let's show everything and make it possible to zero in on the stuff that matters most. But against hiding data, let's promote it and use the human's capability of reasoning spatially about even very sophisticated and challenging signal-rich environments, take that ability and make that an immediate experience. And so obviously at no small expense to you to do this. And has it paid off? Has it been a worthwhile investment so far? Absolutely. So from a pure business strategy perspective, it has been really phenomenal. It was a good early decision that we made.
Starting point is 00:18:27 It's paid very well. We get a lot of recognition for it. We got a lot of attention for it. And it allows people to have a conversation. So we now have the positive version of that cynical question, which you asked a moment ago, do we get that cynical version? We don't because we got through this. At the end of the day, we're technologists. We're nerds.
Starting point is 00:18:45 We love the opportunity to do new and creative things with technology. Right. And so we're capturing that little glimmer of hope that something out there is really pleasant and works really well. And so the pivot in the conversation normally goes in that direction where we're able to actually get people excited, which helps us tremendously from a business perspective, but also helps our customers get comfortable with the breadth and reach of our technology, which due to the nature of it, it gets pretty deep, gets pretty deep, far into the bits and the bytes and the esoteric matters of enterprise security. We can allow that sense of wonder and that sense of joy and a sense of accuracy to go all the way down. So take me behind the screen then.
Starting point is 00:19:29 We've got this interface that's engaging. What's going on under the hood? That is a real-time system you're looking at there. And so what you are seeing is that interface is HTML5, CSS, JavaScript, that kind of stuff, right? There's no static images. It's all vectors, SVG. And it is wired in real time to a set of streaming APIs that relay data at the same rate at which it occurs on our platform. And so what you're seeing now is maybe time shifted only by latency of Internet delivery from our cloud server to your web browser.
Starting point is 00:20:04 And so with that in mind, it's sitting on top of this strong real-time system. So under the covers, there's a very different approach to how analytics and how analysis happens in security. And we think it actually creates opportunity to stitch a lot of things together and allow them to have a conversation that promotes denoising the stack
Starting point is 00:20:25 and allows you to actually have a wide view concurrently over even very widely distributed architecture, your DMZ, the enterprise, your corporate HQ, remote locations, the cloud, industrial control. It all works in all those assets at the same time. So that's very much under the covers. What you're seeing is that kind of living, breathing system, the inhale and exhale of the network. That's Gene Stevens. He's the chief technology officer and co-founder of ProtectWise. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.