CyberWire Daily - Dispatches from RSA 2018. Russia continues to test the Five Eyes' patience and resolve. Trustjacking, Stresspaint, and an exposed AWS bucket.
Episode Date: April 19, 2018
In today's podcast we have some RSA notes: an industry-led cyber Geneva Convention, threats and deterrence, and addressing a labor shortage. New Zealand joins Australia, the UK, and the US in warning that someone's exploiting vulnerable routers. Moscow demands to see the evidence that this someone is Russia. Trustjacking afflicts iOS users. Stresspaint Trojan is out in the wild, posing as an innocent app. Another exposed AWS bucket is found. Rick Howard from Palo Alto on the notion of a "cyber moon shot." Guest is Malcolm Harkins from Cylance on why it's unacceptable to adopt the attitude that bad guys getting in is inevitable.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
We've got RSA notes, an industry-led Cyber Geneva Convention,
threats and deterrence, and addressing a labor shortage.
New Zealand joins Australia, the UK, and the US in warning that someone's exploiting vulnerable
routers.
Moscow demands to see the evidence that this someone is Russia.
Trustjacking afflicts iOS users.
StressPaint Trojan is out in the wild, posing as an innocent app.
And another exposed AWS bucket is found.
Coming to you from San Francisco, I'm Dave Bittner with your CyberWire summary for Thursday,
April 19, 2018.
We start off with some quick reflections on what we're hearing around RSA.
The Microsoft-led initiative in which 34 companies signed an undertaking not to engage in offensive cyber operations hasn't, for all of its good intentions, received uniformly positive reviews.
The agreement was featured on the conference's opening day.
Some observers think it resembles other large-scale resolutions and legislation in that it fails
to make necessary distinctions
and fails to do justice to the complexity of computer network operations.
So, an expression of good intentions and a desire to reduce tensions, but perhaps not
ultimately something that will have much effect.
One such complexity involves the familiar problem of dual use.
Some security legislation and international cyber non-proliferation agreements,
Wassenaar prominent among them,
have come under criticism for the possibility that they might unintentionally criminalize
legitimate vulnerability research, for example,
or, to take the obvious analogy with the Geneva Conventions seriously,
who might count as protected persons.
Are there any forbidden targets?
Other issues raised concern the undertaking's lack of teeth
– it is, after all, a voluntary avowal of intentions –
and the signatories' lack of involvement in delivering offensive cyber capabilities to governments.
Early in the conference, U.S. Secretary of Homeland Security Nielsen,
while expressing hope that nations would evolve some sensible norms to restrain them in cyberspace, made it clear that the U.S. had offensive cyber capabilities and would be willing to use them in response to an attack.
Miles characterized Secretary Nielsen's speech as the administration's way of laying down a marker that consequences would be imposed on nations who conduct cyberattacks against the U.S.
Yesterday, European Commission Vice President Andrus Ansip
described the real and current threat of nation-state cyberattacks
with the hard-won, disillusioned clarity an Estonian official usually brings to the matter.
He called out numerous examples of Russian offensive operations in cyberspace, and it's
noteworthy that he included descriptions of that country's recent information operations,
especially the disinformation surrounding the Salisbury nerve agent attacks.
He offered a warning near the end of his presentation concerning the necessity of preparing for a full spectrum of cyber conflict.
He said, quote,
If we fail to do so, if the West fails to unify, we risk being exploited by those who would use cyberspace as a weapon to harm our free and open societies and economies.
By not acting, we make ourselves an easy target.
End quote.
The RSA conference continues to grow year after year,
and on the show floor it does feel a good bit more crowded and noticeably louder,
as vendors do their best to draw you to their booths and show off their wares.
Malcolm Harkins is Chief Security and Trust Officer at Cylance,
and I met up with him on the show floor for his take on the conference.
There's so many vendors. Again, it's getting more and more and more crowded.
More and more people are showing up.
At the same time, I think there's hope for what we're seeing in the industry.
I think the innovators who've reimagined and rethought what is possible, like Cylance, have made a difference.
And I think you're starting to see innovation in other areas in security with security orchestration and automation.
Focusing on, again, using automation to enhance the capability of the security team.
You were mentioning to me before we came on the air here that you took part in a panel
as part of the program here.
And you got your hackles raised a little bit.
Why don't you share that story with us?
I think CISOs in many ways have gotten habitualized to being compromised.
I see it in other organizations that are still focused on a reactive model.
And I think if you take a broader responsibility to say, my job is to do my
best to manage and mitigate that, you will focus on a different business outcome. You'll look for
different technologies and solutions and approaches to managing risk. That's what I try and do. That's
what I encourage my peers to do. I see some changes in that in the industry, which is great.
That's Malcolm Harkins from Cylance.
We spoke yesterday with Booz Allen Hamilton Vice President Chad Gray
about his company's just-released Cyber Talent Survey.
That survey calls out the pressure businesses feel from investors and boards
to take ownership of their cybersecurity,
and it observes that this pressure has in some cases driven companies into short-term
solutions that can have long-term deleterious effects.
Gray cautioned against thinking that technical solutions would be able to do more than augment
human talent.
Some functions can and will be de-skilled through automation, but the net effect of such
advances will be to increase the efficiency of an organization's human talent. That there is a
talent shortage seems clear, and contrary to what you might have heard, it's not just a cynical
gambit on the part of Silicon Valley captains of industry to import large numbers of lower-cost
workers on H-1B visas.
But the shortage isn't merely a special case of some more general shortage of technically skilled workers.
The shortfall, Gray said,
"...is driven by more frequent, more sophisticated attacks,
and especially by repurposed nation-state tools being used by criminals." It's the protean, adaptable quality of the threat
that makes it difficult for security
practitioners to handle.
They need to stay current and engaged, since the opposition's tactics shift and require
new skill sets of defenders.
Top talent attracts other top talent, Gray observed.
Experts in various domains cross-pollinate when they work together on teams.
It's important to rotate experts to face different challenges,
lest their skills grow stale.
This isn't a matter of creating career paths, he noted.
There's no reason a highly skilled analyst, for example,
should have to become a manager.
But there are many reasons to give that analyst fresh opportunities to work against new and emerging threats.
New Zealand has joined the three Five Eyes sisters
who have called out exploitation of Cisco Smart Install-enabled devices.
CERT-NZ doesn't specifically call out Russia
as the author of the ongoing campaign against such devices,
but it does reference with agreement the U.S. CERT report that does,
so it's safe to conclude that the view from Wellington is much the same as that from Canberra, London,
and Washington.
Russia, for its part, has denied doing anything of the kind.
Government spokesman Dmitry Peskov said the accusations were unfounded.
Echoing the sorts of demands for evidence Moscow issued after the nerve agent attack in Salisbury, Peskov called the accusations feeble and said Russia had no idea what the Five Eyes' assertions were based on. Quote, such accusations are typically thrown into the air and no one even bothers to offer any arguments anymore. End quote.
Symantec researchers warn of a new problem, Trustjacking.
It occurs when a user pairs an iPhone to a Mac laptop or workstation,
at the point where users are asked if they trust this computer,
a reminder that users should be more circumspect.
Radware warns of StressPaint,
a Chrome login information-stealing trojan served by a Windows app
that presents itself as a stress relief tool. Trust the researchers, it will not relieve your stress.
Unless you're an adrenaline junkie, steer clear.
LocalBlox, a company that scrapes data from various sources on the web and builds profiles of individuals for marketing purposes, has been found to have leaked data.
It's apparently, according to researchers at UpGuard, another AWS misconfiguration issue.
They say they found 48 million records exposed in an S3 bucket.
So again, watch your buckets.
And I'm pleased to be joined once again by Rick Howard.
He's the chief security officer at Palo Alto Networks. And he also heads up Unit 42, which is their threat intelligence team.
Rick, you know, recently your CEO, your boss, Mark McLaughlin, he traveled to Davos.
And he was part of a forum with some world leaders,
and the theme was creating a shared future in a fractured world.
And one of the things that Mark discussed was this notion of a cyber moonshot.
And I think this is a pretty compelling metaphor here.
Can you take us through what was Mark getting at with this?
Yeah, I love the idea of
a cyber moonshot. Whenever somebody brings it up, you can't help but be inspired by it. It stems
from a speech by President Kennedy that he gave back at Rice University back in the early 60s.
And so let me read the snippet that really gets me every time I get it. Here it is. This is
President Kennedy talking now. He says, we choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win. Goosebumps. I get goosebumps every time I hear that.
I really wish we had more world leaders that talk like that. So, but if you substitute make the internet safe in place of, you know, go to the moon in that speech, we have a vision statement that I can get behind. We choose to make the internet safe and do the other things, not because they are easy, but because they are hard.
So a cyber moonshot is essentially this.
In 10 years, if we're going to make the Internet safe, not just safer, not incrementally safer, but safe,
what would you have to do?
The reason that a cyber moonshot is important to talk about is it gets us out of our heads about what we think is possible.
Like you said, when Kennedy made his speech, NASA had no idea how to get a man to the moon and back safely. But by setting the aiming stick so
far out in front of what we thought we could do, he didn't let the naysayers backbite him by pointing
out all the reasons this could not be done. He just said, this is what we're going to do. Go
figure it out. All right. So the purpose of a cyber moonshot, at least in the beginning,
is to decide what we need to do in order to make the Internet safe.
Again, not incrementally safer, but safe.
So this is an open question.
We don't have a full list yet.
My gut tells me there's probably seven to ten very large things that we will probably need to do in order to successfully navigate a cyber moonshot.
All right.
Give me a couple.
What are some of the top things you think we can do?
All right.
So, yeah, I've been thinking about it, and there's probably way more,
and I'd love to hear what the audience has to think about this.
But here's my first one, okay?
International digital identity.
Okay?
This is the ability to uniquely identify a user or a system or an application,
and it's non-reputable, kind of like a passport, only digital.
This implies not only would governments have to deploy this technology, they would have
to make it available to everybody in their country for free and build services for making,
maintaining, and replacing them, essentially the administration of the program.
The international digital ID would be used for all official transactions that the government sanctions, like voting and paying taxes and other things.
Commercial organizations could opt in, but it would make sense for banking and legal services and other monetary services to use this ID for all transactions.
And before the privacy naysayers kick in and decry how this is not possible, or, as one of my heroes Salim Ismail would say, the immune system kicks in and says you can't do this because it might change the status quo, let me just say that you wouldn't have to use the digital ID for all transactions, just the official ones. You can still operate anonymously in your online butterfly quilting circle, as I know you do, David.
All right. Gosh, you know me so well, Rick.
If you want to do that anonymously, that is still fine to do. Okay. All right. If you want to make an official online transaction, you're going to have to use your digital ID.
What else? Give us another one.
All right. Here's my number two then. Okay. Anti-fake news protocols. Now, what I mean by that is the ability to provide online readers, you know, news, social media, et cetera, with some sort of rating of source material.
Now, influence operations by nation states and other activist organizations have been going on since the world was young.
But before the Internet, you needed a concentrated cache of resources to make a dent in the influence you were trying to peddle.
With the internet and social media today,
it is possible to conduct successful influence operations with very little resources
and without fear of any consequence if you get discovered.
So in my cyber moonshot,
I would like to see everything I read online
with a tag that says who the author is,
see the bullet number one, okay?
Some kind of rating about how true the particular post is
and a rating of how true the source's other postings are, right?
And a tag that says, this is an opinion piece,
like I think so-and-so, or a journalism piece,
just the facts, sir, or a combination,
this thing happened and here's what I think about it, right?
Now, some social media companies can choose to do this now voluntarily,
but I'm talking about an international standard that is so ubiquitous, if an article shows up with an anti-fake news tag, the general population would just dismiss it out of hand. That's where I'd like it to go. What do you think?
Well, I think it's a who-watches-the-watchmen kind of thing, because, you know, one person's straight-down-the-middle moderate is another person's extreme left or extreme right. So I think figuring out... I mean, we're functioning in a world right now where we can't agree on whether the earth is spherical or not, right?
Well, that's very true, but again, okay, the cyber moonshot is not to worry about how we might do it yet, okay? It's just to identify the things that we need, all right?
Sure, fair enough, fair enough. All right, well, Rick, we don't have time for any more of them. I am behind this notion. I think,
you know, bold ideas you need, you know, to really move the needle, these bold ideas are
often what it takes. So I think you're on to something here. Like you, I'd love to hear what
our listeners have to say about this. They can, of course, write us here at the Cyber Wire.
And as always, Rick Howard, thanks for joining us. Thank you, sir. It was fun.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving
field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your
Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.