CyberWire Daily - Daily & Week in Review: Skepticism concerning Guccifer 2.0's claimed hack of the Clinton Foundation. NSA contractor arrest. Mirai botnet exploits. Security fatigue.
Episode Date: October 7, 2016
In today's podcast we discuss the consensus that Guccifer 2.0 didn't actually hack the Clinton Foundation. We hear how information operations might work during an election. The arrested NSA contractor's alleged motives remain unclear. The Mirai botnet got its exploitable vulnerabilities by downstream propagation of default credentials. The US Surgeon General discloses a breach. Dr. Charles Clancy from Virginia Tech's Hume Center considers policy statements from US presidential candidates. Joyce Brocaglia tells us about the Executive Women's Forum. And if you have a hard time listening to us, you may be suffering from "security fatigue." Don't believe us—take it from NIST.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners. Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Guccifer 2.0 seems not to have actually hacked the Clinton Foundation.
How information operations can work against an election.
The arrested NSA contractor's alleged motives remain unclear.
Take it from NIST.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, October 7th, 2016.
Guccifer 2.0's claim to have hacked the Clinton Foundation now appears spurious to most observers, in fact quite exploded. Researcher Scot Terban, better known by his Krypt3ia handle,
looked at the file's metadata and concluded, as he told CSO,
that Guccifer 2.0's docs, in fact, came from the Democratic Congressional Campaign Committee.
Ars Technica and The Hill independently reached the same conclusion on the basis of the same evidence.
This is no new hack. The DCCC and
the Democratic National Committee are known to have been compromised some time ago. The timeline
for the DNC hack is clear. Cozy Bear penetrated the DNC's network in the summer of 2015 and was
joined by the noisier Fancy Bear in April of this year. Cozy and Fancy Bear are generally believed
to be groups belonging to Russian intelligence services,
largely on the strength of research by cybersecurity firms
CrowdStrike, Fidelis, and FireEye.
Guccifer 2.0, who claims to be a non-Russian hacktivist,
is widely regarded as a sock puppet for Russian intelligence.
But whatever paw may be inside this particular sock puppet,
observers note that doxing need not be authentic to be an effective tool of information warfare.
We heard New America's Peter Singer speak about information operations,
specifically Russian information operations,
this week at the Association of the United States Army's annual meeting.
Russia invented information warfare, Singer said.
Quote, they don't conceive of it as we do in narrowly military terms.
The goal of Russian information operations is not to make people love Russia, but rather to
disrupt and create distrust. This may feel new to us, but it goes back at least as far as Stalin's
day. Thus, U.S. elections need not be disrupted through hacked voting machines. Cultivation of
mistrust and consequent questioning of their legitimacy may be enough to achieve an adversary's
goal. The case of the former NSA contractor arrested for improper possession of classified
material and government property is being characterized by observers as not an obvious
case of either a whistleblower or a spy.
Why he took the material he's alleged to have taken remains obscure,
but in this case intent may wind up having little relevance.
It appears increasingly unlikely to most that the contractor arrested
had any connection with the shadow broker's leaks.
Observers also think it unlikely that the arrest will have any noticeable effect
on how the U.S. intelligence community uses contractors.
Both contract and government personnel are cleared by the same authorities.
Both contractors and agencies face similar insider threats.
Booz Allen Hamilton has made it clear that they reached out to the FBI as soon as they learned that one of their employees had been arrested,
and that from the outset they've fully cooperated with the FBI in its investigation.
And, as noted in yesterday's Cyber Wire, Booz Allen also immediately terminated the
employee in question.
Looking back at the week just ending, security researchers at Flashpoint have been following
what they call the downstream trail of vulnerabilities exploited by the Mirai botnet,
responsible for the large distributed denial-of-service attack against Krebs on Security.
They've identified the primary supplier of products whose default credentials are root and xc3511.
It's Xiongmai Technologies, which sells DVR, NVR, and IP camera boards and software to manufacturers of such devices. Flashpoint thinks more than half a million devices are susceptible to exploitation.
On Monday, the U.S. Surgeon General warned his organization's employees
that their personal data may have been accessed in a breach achieved by unspecified hackers.
This is the most recent in a series of breaches coming from targeted attacks
on government agencies. The Cyber Wire heard from Michael Patterson, CEO of Plixer, who noted that
when medical professionals like those who work for the Surgeon General have their personal
information compromised, there's a risk that the data could be subsequently used for prescription
or insurance fraud. And finally, do you find yourself run down,
feeling tired when confronted with security warnings?
Do exhortations to change this, watch out for that,
do this first, even dare one say,
stop, think, connect, leave you jaded?
Well, apparently you're not alone.
A study released this week by the U.S. National Institute of Standards and Technology, NIST,
diagnosed security fatigue in the general population of computer users.
The syndrome is defined as weariness or reluctance to deal with computer security,
and by all accounts, it's pretty widespread.
The NIST investigators responsible for the study are planning a follow-up inquiry
to look for ways in which security might be made less fatiguing.
A security industry executive offered us an introspective look at how the cyber sector
might be contributing to the malaise. Ilya Kolachenko, CEO of web security firm Hitech
Bridge, told the Cyber Wire that there are just too many security products being rolled out to
capitalize on the fear we find so tiring. Kolachenko said, quote, today too many security
vendors offer similar solutions without genuine technological differentiators, end quote. This
adds to the troubles of those who are most likely to be exhausted by security, yet whose exhaustion
can have some of the worst consequences, enterprise security teams. Kolachenko added, quote, in
addition to their daily fight with cybercrime
and human negligence, they've now also got to perform complicated due diligence on the
cybersecurity vendors among whose products they must select, end quote. So spare a thought for
the hardworking CISOs out there and spare them as much FUD as you decently can. And if you find
the Cyber Wire contributing to your security fatigue,
we're sorry.
Please, take a break.
Take a stroll.
And remember,
we all still live in physical space.
Do you know the status
of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, of course, we have an election coming up here in the United States,
and the candidates have started talking about cyber policy.
What's your take on the kinds of things they've been saying?
Indeed, there have been a number of policy positions put forward, particularly by the Clinton campaign,
talking about what future cyber policy might look like here within the United States if they're successful in winning the White House. And I think one of the areas that's really interesting in terms of attention is this notion of destructive cyber attacks.
So these are attacks where they either exploit an information system and use it to transcend into a physical environment in order to cause a physical impact. You can think of a Stuxnet-style attack, or a scenario where they are exploiting a system and then they are deleting data in a destructive way.
And the campaigns have come out essentially saying that if you are having a destructive impact as some sort of cyber attack, then this is beyond the sort of traditional boundaries of cyber espionage, and now we're kind of starting to tread into the waters of cyber warfare.
And here, if you look at the United States doctrine in cyber warfare, basically the United States can engage in a destructive attack under two scenarios.
One is if at war with someone; this falls under Title 10 of the general legal framework that the U.S. military operates under. If we're in a declared state of war with someone, we can do destructive cyber attacks.
And if we seek to have a destructive cyber attack against a non-wartime target, then this is possible as a covert action through espionage laws of Title 50.
But the line between those gets particularly blurred, particularly when you have longstanding engagements such as the global war on terrorism.
And I think it's important that policymakers really make sure that they understand the difference, because particularly as tensions escalate with Russia and China, some sort of destructive cyber attack that involves them could actually lead to a declared state of war, which is a frightening outcome, I think, for all of us.
And is it correct that the current administration certainly has been reticent to draw a line in the sand, to define where that line might be?
Indeed, and I think many people are concerned about drawing the line because of many of the U.S.'s activities abroad in cyberspace, and a concern that drawing such a line might indicate that some of our activity was over that line.
So it will be interesting to see, particularly as the new administration comes in in the
fall, I'm sorry, in the winter, to see how policy shifts, if it does at all.
All right, Dr. Clancy, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Joyce Brocaglia.
She's the CEO of Alta Associates, an executive search firm specializing in cyber professionals,
and she's founder of the Executive Women's Forum, a member organization that says its
core mission is to attract, develop, and sustain women in the information security, IT risk
management, and privacy industries through education,
leadership development, and the creation of trusted relationships.
I began our conversation by asking her to describe the origins of the Executive Women's Forum.
Growing up in information security and being kind of a Jersey girl, so spending a lot of my time
in Wall Street and being the only woman in the room, I started to be aware that there were more
and more women holding positions of influence inside corporations and as entrepreneurs of security-related startups.
And I really recognized that there was no place for these ladies to gather or share ideas.
And oddly enough, having drinks with the same gentleman, Steve Katz, and he said,
you know, there's not a lot of women in security. And I said, no, really there is, and literally started writing women's names down on a drink napkin
and opened it up again and said, hey, what would you think if I put a cocktail party together
for these remarkable women I know?
And what started in my mind as a cocktail party ended up nine months later as a conference
for 125 women in Sanibel Island, Florida.
So I kind of tease Steve to this day and say, you know, I had drinks with you on a cold winter's night, and nine months later the EWF was born. Today, the Executive Women's Forum is the largest member organization that serves emerging leaders as well as the most prominent and influential women in our field.
And our real true mission that I'm incredibly passionate about is that we are continuing to engage, develop, and advance women leaders in information security, IT risk management, privacy, and the related industries.
Looking at the industry, and certainly I think what is generally considered to be an
under-representation by women in cybersecurity, what is your take on that situation?
Well, I think that there's a lot of questions asked about the number of women in security.
As a matter of fact, the Executive Women's Forum this year
has partnered with (ISC)².
Every two years they produce something called the Global Workforce Study,
and this year we worked very closely with (ISC)²
in developing and refining their survey
to include questions very specific to women and minorities.
The last survey that came out in 2015 showed that the number of women in information security
dropped from 12% in 2013 to 10% in 2015.
And the EWF has made a huge commitment to really double the number of women in the field over the next 10 years.
So we are doing everything possible.
You know, I get questioned all the time about how come there's not a lot of women in security.
And, you know, that's a problem that stems all the way back into grammar school and, you know, how young women are focused away from technology. It's not a problem just
in security. It's a problem in STEM. But what I focus on is kind of the dirty little secret part,
which is not just the problem of why aren't there enough women in security. It's
why are so many women that are in security opting out? And I think that companies need to really take a look at what they are doing to better develop and retain those women that are on boards of security organizations already.
My solution to that is, A, providing them better leadership development opportunities earlier on in their careers.
That's one of the reasons why we developed the Leadership Journey: so many women said that, you know, they were given opportunities to do, you know, seminars or,
you know, Sheryl Sandberg came and everybody leaned in, but there was no real practical
application of what they had learned.
And, you know, a lot of times companies reserve executive coaching opportunities
and true leadership development for very senior-level women.
Well, what happens if you only give it to women at the top?
I mean, you're losing a lot of women in the middle that, for whatever reasons,
kind of throw their hands up and decide to opt out.
One of the things we do with that program, and whether it's through a leadership development program or just as a part of a corporate structure, is the concept of sponsorship.
And that's something that both men and women, you know, certainly should be doing for high
potential and high performing women in their organizations is become a sponsor. You know,
and what I would say to men is to sponsor these women in the same way that they would
sponsor their male counterparts.
A lot of times when women are given sponsorships by men, they are often schooled in areas of
presentation skills or confidence or areas like that, but often are not schooled in terms of
how to really talk in business terms or present to the board or frame things in a way that will
get the type of attention that they need. So I think the concept of sponsoring high potential
women, and when I say sponsoring instead of mentoring, I use the word sponsoring because that means they have some skin in the game. They actually are using their political capital within
a corporation to help that woman. That might mean giving her stretch assignments or introducing her
to other opportunities or putting her on a high track for promotion or rotations. So I think,
you know, those are the kinds of things that companies could think
about and start making a difference. You know, if not us, then who? I think it is the responsibility
of people that are currently in the field of information security, IT risk, cybersecurity,
to lift as they rise. I mean, that's what we call our mentorship program,
lift. And I think that everyone should take that responsibility very seriously.
And, you know, the only way that we're going to really create the next generation of leaders is if we take action ourselves.
And if not us, then who?
That's Joyce Brocaglia from Alta Associates and the Executive Women's Forum.
They've got their big national conference coming up later this month in Scottsdale, Arizona,
and there's more information about that on their website.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.