CyberWire Daily - International norms of cyber conflict. Fancy Bear's tradecraft (with a side of дезинформа́ция). RDPPatcher, Cerber, Ticketbleed, and Hermes. And the vibe around RSA 2017.

Episode Date: February 17, 2017

In today's podcast, we talk about hybrid warfare, with disinformation, cyber espionage, and spyware infestations—we also hear calls for norms of cyber conflict. BugDrop is active in Ukraine, and researchers see some cut-and-paste oddness slip from Fancy Bear's paws. A new X-Agent variant is out: this one infects Macs. Ransomware thumbs its nose at security products. A look at RSA trends as the conference closes. A conversation with City of San Diego CISO and author Gary Hayslip. Rick Howard from Palo Alto Networks on a new addition to the Cyber Canon that's all about DevOps. And where do we get one of those "Has no purchase authority" T-shirts?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Hybrid warfare with disinformation, cyber espionage, and spyware infestations. BugDrop in Ukraine and some cut-and-paste oddness slips from Fancy Bear's paws. A new X-Agent variant is out. This one infects Macs. Ransomware thumbs its nose at security products.
Starting point is 00:02:14 A look at RSA trends as the conference closes, a conversation with San Diego's CISO, and a T-shirt that we really want to get. I'm Dave Bittner, back in Baltimore with your Cyber Wire summary for Friday, February 17, 2017. Hybrid conflict with all of its ambiguities and attendant fog continues in Eastern Europe. Deutsche Welle reports a Russian disinformation campaign in the Baltic, with phony news stories planted alleging that German soldiers on NATO deployments have been responsible for a wave of assaults in Lithuania. Both German and Lithuanian officials
Starting point is 00:02:56 say none of the claimed assaults happened, but the disinformation, while surely crude, will no doubt leave its residue behind in segments of public opinion, which of course is the point. Researchers at security firm CyberX have taken a look at a cyber campaign in Ukraine, possibly criminal, possibly state-directed, possibly a mix of the two, that's been responsible for a widespread spyware infestation in Ukrainian businesses. More than 70 enterprises are said to have been affected by what CyberX is calling BugDrop. Synack researchers have been taking a look at tools that appear to have recently slipped from Fancy Bear's paws, and they conclude that those tools look a great deal
Starting point is 00:03:36 like lawful intercept products from Hacking Team. Fancy Bear is generally believed to be Russia's military intelligence establishment, GRU, if you're keeping score at home. Synack sees a weirdness in the code that suggests a copy-and-paste job. Bitdefender believes it's found evidence that there's now a variant of Fancy Bear's X-Agent malware that targets macOS. X-Agent is modular malware used in targeted cyber espionage. It's modular in that once installed, it reports back to its commanders and controllers for instructions. Those instructions could involve directions to search for various files.
Starting point is 00:04:14 They could direct X-Agent to download and execute other malware packages. Senior U.S. officials, including the Vice President and the Secretaries of State and Defense, are making the diplomatic rounds in Europe, and cyber matters have inevitably arisen during their discussions. Secretary of Defense Mattis said, there's very little doubt that Russia has interfered with elections. One might add, in fairness, that historically it's not been just Russia. PandaLabs reports a new criminal hack, RDPPatcher,
Starting point is 00:04:44 which simply sells third-party access to a victim computer. What they do with that access is presumably up to them. G-Data, the German security firm, has identified a new strain of ransomware they're calling Hermes, after the god of medicine, messaging, and theft. And there's good news already. The Austrian security company Emsisoft has already decrypted it. So bravo G-Data, and bravissimo Emsisoft. RSA 2017 wrapped up today in that city by the other bay, and our stringers and editors have some thoughts on the conference's recurring themes. First, AI, artificial intelligence, has been to this year's conference as big data and
Starting point is 00:05:27 threat intelligence have been to the last couple of RSA seances. These have all been dismissed as buzzwords, which isn't exactly fair since there's a serious reality behind all of them, but caveat auditor, an awful lot of people will say AI in your presence. It's worth listening to them with respectful, open-minded skepticism. We're working on a special edition of our podcast covering artificial intelligence, so stay tuned for that in the coming days. Second, in the West at least, the crypto wars appear to have been won by the pro-encryption side, and this is seen by many as essentially a technology-driven trend even the most obsessively repressive governments will find difficult to resist.
Starting point is 00:06:09 Third, industry is worried about the growing tempo of international conflict in cyberspace and is urging governments to take seriously their operations in this new domain. If there are restraints on kinetic warfare, albeit imperfect restraints, that are designed to contain it, limit its effects on non-combatants, and seek to induce combatants to fight in ways that don't make the restoration of peace impossible, shouldn't there be similar restraints placed on cyber-conflict? The time for this would appear to have come. Cyber-warfare is no longer in its infancy, but it hasn't yet left its adolescence, and this may be the last best
Starting point is 00:06:45 opportunity to influence its development. Fourth and last, there's a general sense in the air that consolidation in some form lies in the security industry's near future. Our own experience of the conference differs a bit from that reported by Software Development Times, which notes that the conference has gone smaller and focused on enduring issues. Both may well be true objectively, but subjectively we felt a nervous urgency and heard much more barking in the carny roustabout sense of the word than we remember from past conferences. We'll give the last word on the atmosphere to the words on a t-shirt worn by an executive
Starting point is 00:07:21 we interviewed. The shirt said, Does not have purchase authority. Many of those walking through the exhibits this year might have wished they'd worn similarly legible apparel. And finally, we'll leave RSA and return to ransomware. Late last month, Trend Micro began tracking a new variant
Starting point is 00:07:39 of the familiar Cerber ransomware. It's an odd duck. It encrypts the files on a victim's machine, except for one interesting class of software, security products. These it has whitelisted, and it leaves them studiously alone for reasons that are quite unclear. Bleeping Computer has some speculation about the criminal coder's motives that seem as good as any.
Starting point is 00:08:01 They're going out of their way to thumb their nose at the security vendors.
Starting point is 00:10:14 And I'm pleased to be joined once again by Rick Howard. He's the CSO at Palo Alto Networks, and he also heads up their Unit 42 Threat Intel team.
Starting point is 00:11:07 Rick, we've spoken before about the CyberCanon, your list of must-read books when it comes to cybersecurity, but you've got some updates for us. Bring us up to date. So Think of the Canon as a project, as a rock and roll hall of fame for cybersecurity books. We have 10 outside practitioners, you know, CISOs, journalists, lawyers, those kinds of folks who review the most important cybersecurity books on the shelves and make the case why we all should have read them by now. I say all of this because I want to talk about one of the books that made it onto the candidate list this year. It's called
Starting point is 00:11:40 The Phoenix Project. It was written by Gene Kim, Kevin Behr, and George Spafford. It is a novel about the emerging idea called DevOps. Have you heard of DevOps before? I have. All right. So DevOps is perhaps, I think, the most important innovation that has happened to the IT sector since the invention of the personal computer back in the early 1980s. But it is a relatively new and complex idea. And it emerged out of three converging thoughts sometime in late 2009. All right. So the first one was the agile development method that all your developers are looking at. A talk given by John Allspaw and Paul Hammond at the 2009 Velocity Conference, and the talk
Starting point is 00:12:25 was called 10 Plus Deploys Per Day. And the third thing, a book by Eric Ries called The Lean Startup. So DevOps is this idea that there needs to be a much tighter integration between software developers and information technology operations. So let me give you an example. Most organizations today pass IT and security work through internal black boxes, you know, product managers, marketing people, developers, quality assurance folks, system engineers, all the way down the line. DevOps is the recognition that instead of managing each of these black boxes separately,
Starting point is 00:13:02 the organization needs to think of IT and security work as one big system of systems and manage it that way, sort of a production line of IT work with the goal of reducing or eliminating completely any kind of technical debt that grows through that process. So that is a very subtle but disruptive idea. So the authors behind the Phoenix Project, instead of writing a technical IT book on the benefits of this emerging idea, they chose to write a novel to make the material more acceptable to the general populace. But it centers on an online retail store that used to be the number one player. But they've fallen behind because they can't keep up with its competitors. The IT department has projected to fix all that.
Starting point is 00:13:46 They have a project for it called Project Phoenix, but it's two years behind schedule. So at the beginning of the book, the CEO has fired the CIO and promoted a mid-tier IT manager as the acting CIO and has given him six months to fix the problem. So with the aid of an Obi-Wan Kenobi-like figure from the board of directors, this interim CIO learns the way of DevOps and saves the company. So what I'm telling you is if you're just hearing about DevOps now or want to learn more about it, this book, The Phoenix Project, is a great way to get introduced to the material. So it's kind of that notion of a spoonful
Starting point is 00:14:20 of sugar makes the medicine go down, right? It is. It really is. It makes it so much easier to learn, too, let me tell you. All right. Well, I'll have to check that one out. The Phoenix Project, part of the Cyber Canon. Rick Howard, as always, thanks for joining us.
Starting point is 00:15:05 My guest today is Gary Hayslip. He's the Chief Information Security Officer for the City of San Diego, California. He's also co-author of the book, The CISO Desk Reference Guide, a practical guide for CISOs. Most people, when they hear that you're the CISO for a city, they just assume cities are, hey, you've got a network you've got to manage. And I'm like, no, I don't have one network.
Starting point is 00:15:47 I have 24 networks. I've got 11,000 employees. I've got somewhere in the neighborhood of about close to 45,000 to 50,000 endpoints. They kind of give you an idea. My network is not static. My network is on the move. I mean, my network is trash trucks with GPS sensors and police cars, you know, connected to our wireless systems and HVAC systems and, you know, golf courses and libraries and desktops and, you know, public
Starting point is 00:16:17 works employees out in the field with tablets. It's a very dynamic, very malleable collection of enterprise networks. And so how do you approach a system that large with that much variety? Well, I mean, one of the things I've kind of realized right away is the fact that we'll never really totally know by that is that, you know, I mean, I used to believe, you know, years ago when I was in DOD and maybe it was because I was in a more controlled environment that, you know, you'd be able to control your perimeters and you would know everything that was connected to your networks and, you know, everyone's going to follow the rules. And, you know, what you kind of learned once I got out of that environment and actually got out here in the real world, is that networks tend to be chaotic. Controlling your perimeter is only as good as your users actually following the rules,
Starting point is 00:17:13 which a lot of them will follow until it interferes with them being able to do business, to be able to do work, and then they're going to figure out workarounds. You've got to deal with the fact that your perimeters aren't solid, that your perimeters are on people's cell phones and tablets and laptops. I've come to the conclusion that, for me, cybersecurity is a life cycle. It's a continuous process of monitoring and scanning and remediation and breaches. You're going to take them. Having a completely secured network that never gets breached is fantasy. It's not going to happen. When you use networks, when you use technology, it gets dirty
Starting point is 00:17:55 because the Internet is not a clean place. And the way I work with it is that I use a framework like NIST to be able to take what I have, break it down, and help me understand where my risk is, you know, and help me prioritize, you know, what needs to be fixed now and what we can fix next when I have the personnel or the resources or the funding. And I spend a lot of my time in my departments, you know, talking with, you know, it's one of the biggest things I have learned after I left DOD is that I cannot dictate and tell people, cybersecurity, you have to do this, you know, you're going to put us at risk. You know, I got to make people want to work with me. I've got to advocate and be a cheerleader and
Starting point is 00:18:42 get people to want to go ahead and follow cybersecurity and get them to understand that it's actually in the best interest of the business. And that if we're secure, we can even be more innovative and be more successful and more effective. But to get them to that stage, I've got to make the case. I've got to make the case as to why, from a business perspective, why we should be doing cybersecurity. What are some of the unique challenges you face, you know, being in a government situation versus someone in the private sector? You know, some of the things that, you know, we deal with here, some of the decisions we're
Starting point is 00:19:19 making on technology and stuff have some, you know, life and death consequences when you think about, you know, water, when you think about the 911 system. I think, you know, some of the things that make it really hard for us is the fact that we're a 24-7 business. You know, the city of San Diego is a $4 billion business. You know, we're running 24 hours a day, seven days a week. So how do you do change? If I've got to rip out a network and put in some new fibers or put in new routers and switches and stuff backbone-wise to handle HD video? Well, I can't shut the network down. And so a lot of times this will make our projects actually go twice as long because of the complexity involved. Sometimes we have to do things in parallel.
Starting point is 00:20:04 And then once we have it built up, then plan to switch over, you know, with the least amount of interruption to services as possible. You know, because a lot of the services that we provide are to my neighbors, and they have no problem coming over and yelling at me about stuff. You know, whether it's buying permits because you want to open up a new business or whether it's, you know, you want to pay your water bill or pay a parking ticket. That's some of the things that I've noticed right away is that in this position is that some of the decisions we make have an immediate impact, you know, and not only that, they
Starting point is 00:20:37 have an immediate impact on a wide range of people, on organizations. And then, like I said, we have a lot of our challenges in the fact that you're dealing with technology that is 20-some years old to new technologies like cloud and virtualized networks. You're connecting these disparate technologies together. And so there is unknown risk. You're constantly trying to update a lot of your older technologies and replace them, but at the same time you have to maintain them until you can get them replaced. And so it's a very interesting environment from a risk perspective. That's Gary Hayslip, the Chief Information Security Officer for the City of San Diego, California.
Starting point is 00:21:24 He's co-author of the book, The CISO Desk Reference Guide, A Practical Guide for CISOs. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
