CyberWire Daily - India hacks back. Rob Joyce discusses cyber conflict. Chinese hackers look for maritime technologies. Google reveals a macOS vulnerability.
Episode Date: March 5, 2019. In today's podcast, we hear that India went on the offensive when its government websites were attacked by hackers from Pakistan. Rob Joyce, Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency, discusses trends in cyber conflict. A Chinese cyberespionage group hacks for maritime technologies. Facebook lets people look you up by your two-factor authentication phone number. And Google researchers disclose a vulnerability in macOS. CyberWire Editor John Petrik with results from the RSA Conference Innovation Sandbox. Guest Balaji Parimi from CloudKnox weighs the pros and cons of various authorization schemes. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_05.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
India went on the offensive when its government websites were attacked by hackers from Pakistan.
Rob Joyce, Senior Advisor for Cybersecurity Strategy to the director of the U.S. National Security Agency,
discusses trends in cyber conflict.
A Chinese cyber espionage group hacks for maritime technologies.
Facebook lets people look you up by your two-factor authentication phone number.
And Google researchers disclose a vulnerability in macOS.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 5th, 2019.
India used offensive measures to counter hackers from Pakistan, who attacked more than 90 Indian government websites
in the hours after the Pulwama suicide attack last month, senior security officials told the
Hindustan Times. The officials didn't give details on the operation or disclose which
agency was behind it, but a cybersecurity advisor to the government says the counterattacks, quote,
did help India get a grip of the situation,
end quote. Times Now points out that Indian hacktivists attacked more than 200 Pakistan
government websites in the days following the Pulwama attack, although it's unclear if this
campaign was related to the government's operation. One interesting detail is the fact that the cyber
attacks against India originated from Bangladesh, India's friendly neighbor.
One of the officials says, however, that the coordinated manner in which the attacks were carried out and the use of facilities in Bangladesh leaves us with no doubt about the nature of the attack.
The officials added that after the attacks from Pakistan failed, the hackers began spreading disinformation on social media.
This morning at RSA Conference, we attended a breakfast sponsored by Maryland's Department of Commerce.
Their speaker was Rob Joyce, who currently serves as Senior Advisor for Cybersecurity Strategy to the Director of the U.S. National Security Agency.
Joyce outlined a shift in cyber
attacks. They've moved from theft of secrets, cyber espionage, toward becoming a means of
imposing national will. We saw this clearly, he argued, in the NotPetya incident that did so much
to disrupt commerce globally. Joyce sees four trends in cyber conflict. First, high-end threat activity has become more sophisticated.
Second, the level of expertise needed to operate as a significant threat has been declining.
These first two trends might seem to be in tension with one another,
but in fact they represent complementary tendencies.
As threat actors become better at their craft,
their tools become easier to use, effectively becoming commodities.
He didn't use this analogy, but he might have.
The gun is a more sophisticated weapon than a sword,
but the gun also made it easier for the poorly trained to be even more lethal
than the highly skilled, carefully trained swordsmen.
Something similar to this is happening in cyberspace.
Third, Joyce argued, we're seeing cyber conflict move from exploitation to disruption.
And here again, NotPetya provides a good example of that progression.
And fourth and finally, Joyce sees the growing application of information operations that leverage what he called a cyber gray space.
Thus, an attacker might compromise emails, but do so with a view to using their contents in the service of a larger attempt to persuade and influence a
target. He argued that to survive in this emerging world, we need to build on a sound,
solid foundation of the basics. We need to get and stay good at cyber hygiene,
sound configuration, effective patching, those sorts of things.
And laying this kind of foundation is, in his view,
a long-term investment that requires coordinated investment in education and training.
He concluded with a discussion of coming inflection points.
The development and adoption of the smartphone a little more than 10 years ago was one such inflection point.
It was essentially a triumph of integration,
and it enabled the growth of industries and ways of life that few people expected or anticipated.
He thinks that the fielding of 5G networks in the near future will represent a similar inflection point.
5G's higher density, greater speed, and lower latency
will make things possible
that we don't yet, because we cannot, fully envision. In response to a question about
offensive cyber operations, Joyce said that in his view, offensive cyber operations are,
and must remain, an inherently governmental responsibility. Their ramifications and
possible consequences are simply too serious
to open to private actors. Talk of letters of marque and reprisal is, in his view, idle.
He did note that the U.S. government has now taken what he calls a more proactive,
aggressive stance with its doctrine of continuous engagement. We are now willing
to introduce some friction into the adversary's operations, and we've shown the ability to do so.
Controlling data access in your organization, who has access to what, can be a persistent challenge,
and as companies move more of their resources to the cloud, the complexity can get out of hand.
Balaji Parimi is CEO and co-founder of CloudKnox, and he makes the case
for moving away from traditional role-based access control and toward adopting activity-based
authorization. Traditionally, authorization and authentication are two different things.
The role-based access control mechanism was created with the advent of LDAP in the early 90s,
but that was created for convenience purposes.
And at that point, the infrastructure was completely different. Everything was static,
everything was physical. The automation was nowhere near what it is today. So once
authentication is centralized, you know who can get in. But once the person gets in,
what that person can do is completely managed by authorization. That's been working great for
some time. But when it comes to cloud computing, there are a lot more risks and a lot more
inherent things that make this approach very risky. For example, in the traditional world,
if you're not looking at cloud computing or virtualization for that matter, you're basically looking at managing a physical server,
like a Windows machine or a Linux machine or a Unix machine.
And if something happens there, the damage is confined to just that one machine.
Whereas in cloud, you are looking at every aspect of the entire infrastructure
that powers all applications within the company.
You have compute, storage, networking, everything.
And this cloud is the foundation
for all the applications of the company.
15 years ago, if somebody had to deploy an application,
it would take literally months.
Now it will take literally a few minutes.
And even if you have one identity managing that,
cloud has all kinds of resources,
storage resources, compute resources, network resources.
If you look at the combinations of how many combinations
an identity can use all these different functions,
that number could grow into billions.
So it is almost impossible to manage this manually.
Which means that if an identity's credentials are compromised,
the entire company could go out of business. A simple accident can cause a lot more damage.
Explain to me, what are we talking about when we're saying we're giving access based on activity
rather than roles? If you keep track of every activity, every change that happens, create,
update, or delete, and with proper accounting and attribution to which identity has actually done
that, you establish a pattern of this identity is using these 10 privileges on these five resources.
Another identity, like John is using these 50 privileges on these thousand resources.
Craig is using these 20 privileges on these 50 resources.
Now, once you create a pattern of the usage based on the activity of each and every identity, you could provision exactly the privileges that they need in order to do their day-to-day jobs.
And they won't see any hindrance to their productivity, because whatever
they have been doing, they could continue to do. And if they have to do something
new, they can go through their own normal approval process in order to get those
extra privileges. So on one hand you reduce the risk significantly, while
preserving what they need in order to do their day-to-day operations. And if they need anything, they can get it through their formal approval process.
When you're provisioning someone for this type of system, is there a training period?
Is the system keeping an eye on what they're doing and learning?
How do you get them set up at the outset?
On day one, we look at all the historical data.
If the enterprise maintains the history forever, we have the history of everything.
So, say, start off with read-only for everybody, so that not a lot of damage can be done.
As they need to do more and more, like create, destroy, update, let them self-grant those kinds of privileges.
And then, over a period of 90 days, you have a pattern.
Once you have that pattern established within 90 days,
you could use that pattern as a set of privileges
that each and every identity needs in order to do their jobs.
And you can expand it to 120 or 30 days or 60 days or whatever the time period.
So basically the idea is look at what they've been doing
and based on what they need, provide them just enough privileges.
That's Balaji Parimi. He is founder and CEO of CloudKnox.
FireEye published details on the suspected Chinese cyber espionage actor they're calling APT40.
The threat actor's activity has previously been attributed to two separate groups,
known as Periscope and Jumper. FireEye noted in July of last year that there was significant
overlap between the two groups, and it's now decided to merge them under the same term.
FireEye states with moderate confidence that APT40 is sponsored by the Chinese state,
based on a number of technical clues, as well as the fact that the group's targeting falls in line with Chinese state interests.
The group targets the engineering, transportation and defense industries,
as well as universities, in search of maritime technologies
that could be used to build up China's naval capabilities.
The group has also been observed influencing elections
and focusing on other political goals in support of China's Belt and Road Initiative.
Last year, FireEye observed the group, then known as Periscope, compromising targets related to Cambodia's elections.
APT40's hacking techniques involve web server compromise, phishing operations, and strategic web compromise.
They also use a variety of publicly available and custom-made malware to establish footholds, escalate privileges, and exfiltrate information.
Facebook is, again, facing criticism after users realized
that the phone number they provided for two-factor authentication
could be used to look up their profiles.
Users also can't opt out of this
feature. The default setting for the lookup feature is set to everyone, and it can only
be restricted down to friends. Facebook's former CSO Alex Stamos tweeted that, quote,
this isn't a mistake now, this is clearly an intentional product choice, end quote.
Last year, Facebook admitted that it was using phone numbers provided for 2FA to carry out targeted advertising.
Researchers from Google's Project Zero publicly disclosed a zero-day privilege escalation vulnerability in macOS
after Apple missed Google's 90-day deadline to release a patch.
The proof-of-concept demonstration published by Project Zero
takes advantage of a loophole in macOS's copy-on-write protection.
Copy-on-write protects data being used by multiple processes
by requiring each process to make a copy of the data before making changes to it.
This prevents one process from disrupting all the other processes.
The Project Zero researchers found that macOS allows users to mount and unmount file system images
without alerting the memory manager,
meaning that an attacker can stealthily replace higher privileged information.
The researchers are calling the vulnerability BuggyCow.
The flaw is serious, but it's difficult to exploit and depends on malware already running on the system.
Finally, again back to RSA.
What's the trend in conference swag?
It's socks, friend.
Brightly colored, whimsical socks.
The better to keep your feet warm and secure.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge
of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was meant
to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me is our CyberWire editor, John Petrik.
John is out at RSA Conference.
He is joining the masses who are out there taking in everything. And John, we wanted to start off today by talking about the RSA Innovation Sandbox.
What were the results from this annual competition?
Well, the results were that they did this year, as they began the practice last year,
offering two finalists and then announcing the second one in a reveal that has a little bit of
suspense. So the two finalists were Duality Technologies. They're specialists in homomorphic
encryption and technologies that enable you to work on data without decrypting it. And then a
company called Axonius, which offers an asset management solution. And the winner of the
turnout was Axonius, which is an interesting choice because, as Axonius themselves said
in their pitch, they work on the unsexiest problem in cybersecurity, which is asset management.
But the panel of judges found it a sufficiently interesting product and solution to select them as the winner of the sandbox.
So it is Axonius that won this year.
The judges commented in their remarks at the end, explaining their choice, that Axonius was interesting to them
because they're solving a problem
that has been around for decades.
And the CISOs on the panel said that they really succeeded in addressing a pain point
that enterprise security managers have had for a long time.
They never can get a straight answer about their assets.
If you ask someone how many assets have you got, the answer will range,
well, we have between 3,000 and 100,000,
which is to say we don't have any idea whatsoever of how many assets we have.
So that was the winner yesterday.
Were there any common threads that you saw
in terms of the variety of companies who are competing this year?
Yes.
Dr. Hugh Thompson, who is the emcee, the impresario this year,
as he has been for many years now,
began by having a little quick fireside chat back and forth with one of the judges,
an RSA veteran, Niloo Howe.
And so they were yucking it up a bit on stage,
saying that they didn't have anything on quantum or blockchain or AI.
So those are last year's buzzwords, or the buzzwords from two years ago.
So none of that.
But there were some clear themes that the finalists did address.
And those, I think, in a short list would be cloud issues, in particular hybrid cloud issues, problems with asset discovery, container security, API security, and, of course, privacy.
And I think from walking the floor a little bit, we just had our opening yesterday evening here, so I haven't been on the floor
much. Nobody has been. But that's a good list, I think, of the high-profile topics to soon be
engaging people here at the conference. Do you have any sense for what the overall tone is this
year and any trends that you're tracking? I'm going to be very interested in looking for what people have to say about content moderation and content screening. I think that's
an interesting problem. And I think that it's one that people are going to increasingly have to
grapple with. And I think that there may be some false paths and false lights that people are
going to follow as we try to do that. I don't have the same sense of worry that I felt very strongly on the floor last year.
Not so far at any rate.
That last year, the conference felt very much like a convention being attended by people
in an industry that was about to undergo some severe consolidation.
And I don't feel that right now.
John Petrik, thanks for joining us.
You're welcome.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.