CyberWire Daily - Kaspersky burned a JSOC op? Facebook affair: apps, legal fallout, regulatory inspiration, apologies and resolution to sin no more. Tariffs against IP theft. Best Buy shows Huawei the highway.
Episode Date: March 22, 2018
In today's podcast, we learn that Kaspersky Lab appears to have burned a US operation. Facebook has some other governments to answer to, now. Facebook CEO Zuckerberg finally discusses the Cambridge Analytica affair in public. Lawsuits and calls for regulation are shouted up. Best Buy shows Huawei the highway. And we have a brief wrap-up of the Billington International CyberSecurity Summit. Joe Carrigan from JHU ISI responds to a listener inquiry about job hunting. Guests are Chad Seaman, Senior Engineer, Security Intelligence Response Team, and Lisa Beegle, Senior Manager, Security Intelligence, Akamai, describing the record-setting DDoS attack they recently experienced and helped mitigate. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Kaspersky Lab appears to have burned a U.S. operation.
Facebook has some other governments to answer to now.
And Facebook's CEO Zuckerberg finally discusses the Cambridge Analytica affair in public.
Lawsuits and calls for regulation are shouted up.
Best Buy shows Huawei the highway.
And we have a brief wrap-up of the Billington International Cybersecurity Summit.
I'm Dave Bittner with your CyberWire summary for Thursday, March 22, 2018.
Kaspersky Lab's description of Slingshot malware is said by anonymous U.S. officials to have burned a long-running Joint Special Operations Command operation, that's JSOC, against the Islamic State and al-Qaeda.
JSOC is thought to have abandoned the intelligence collection effort.
Kaspersky did not identify the U.S. as the operators of Slingshot.
That's consistent with the company's typical practice.
They usually stay away from attribution to particular governments.
But they did call Slingshot an advanced persistent threat, which has come to be practically synonymous
with intelligence service nowadays, and suggested that it was the work of a nation state.
Slingshot is thought to have been active for about six years.
It was designed to pull large volumes of data from infected systems.
It's an interesting case for several organizational reasons.
CyberScoop, the publication with whom U.S. officials spoke, notes that it's the first
known case of a cyber operation being conducted by Joint Special Operations Command.
JSOC is not to be confused with U.S. Cyber Command or any of the service cyber commands.
It is a component of U.S. Special Operations Command.
The disclosure is unlikely to win friends and influence people in the U.S. government,
which has kicked Kaspersky products out of its networks because the intelligence community
assesses them as representing a security risk.
Too close to Moscow.
Kaspersky is indeed headquartered in Moscow, but that's not the closeness the U.S. government
objects to.
It's upset about the prospect of the company's security products
being used to collect on behalf of the Russian intelligence services.
Kaspersky is challenging the government's ban in U.S. federal court,
alleging that it's been subjected to an unconstitutional bill of attainder.
Maybe, but the Slingshot report is unlikely to tamp down the zeal of government lawyers defending the ban.
Facebook's legal and reputational trouble continues.
German authorities have joined other governments in requesting explanations from Facebook
over the Cambridge Analytica data use scandal in which the company is embroiled.
The whistleblower, who drew attention to what Cambridge Analytica was up to,
says that Facebook knew about but chose to disregard that company's use of Facebook data.
Yesterday, Facebook founder and CEO Mark Zuckerberg broke his public silence on the affair.
Heavy snowfalls aside, the sighting does not mean four weeks of winter, but most observers
think his statement was too little and too late, and a good lesson in how not to respond to the public about a very public incident.
Reports to the contrary, Zuckerberg did indeed on CNN say he was sorry the whole thing had happened
and promised to do better with customer data.
He framed the incident as being fundamentally about third-party apps,
and it appears that Facebook's response will initially at least concentrate on reining those in.
Zuckerberg indicated his intent to testify before U.S. congressional panels investigating the company's data protection practices.
So far, however, testimony has come from elsewhere in Facebook's leadership.
And predictably, shareholders are filing lawsuits against Facebook.
The data handling incident has severely hit the company's value in the markets.
The whole Cambridge Analytica affair continues to prompt calls for more regulation of social media
to include efforts to stifle fake news, which some see as posing a war risk,
as well as the now familiar prospect of opinion manipulation.
How this might be done in a way that respects, for example, freedom of speech is unclear.
Some think they see a model in 19th century newspaper reforms, but that's not clear either.
William Randolph Hearst is unavailable for comment.
We recently reported a new high-water mark for DDoS attacks, thanks to the Memcache vulnerability.
The attack, reported by Akamai, topped out at 1.3 gigabits per second,
over twice the size of the September 2016 attacks associated with the Mirai botnet.
Chad Seaman is Senior Engineer on Akamai's Security Intelligence Response Team,
and Lisa Beegle is a Senior Manager for Security Intelligence at Akamai.
They join us to describe the record-setting distributed denial-of-service attack they recently experienced and helped mitigate.
DDoS attacks are not uncommon. We see a lot of them every day, thousands of them a quarter, and they're being leveraged by all kinds of different actors for different reasons constantly. The previous high watermark for us was, I believe, 628 gigs.
623.
623 gigs in September of 2016. That was beat just the other day with the 1.3 terabit.
Lisa, can you sort of take us through what happens when something like this starts to come in? When do the alarms go off and how do you kick into action?
So that obviously depends on the posture of the customer themselves. You have some customers that are always on the network. You have some customers that have onsite mitigation. You have some customers that make a business decision to be alerted internally and then route. And this last particular instance, this was an entity that had a protocol to actually monitor their environment independently and then make that decision. So what happened was there was a learning mechanism that occurred by the time they had actually identified what that anomaly was. There was a level of degradation. And then it takes a few minutes to process that BGP change and for it to obviously propagate upstream. By that point, we had already deployed the ACLs that were required. So we had already identified what the attack was. It was obviously an exchange with the end user based on what they were seeing and what we had been seeing prior to so that we could harness the traffic and then immediately mitigate the attack.
And so what are your recommendations for folks in terms of mitigation against this Memcache attack?
Hold on?
Sure.
No, that is the advice.
Oh, hold on.
I see.
Please hold on to the bar.
Well, I think when you think about attacks in general, right, so Memcached included, I think one of the most important things that any organization can continue to do is understand what their internal environment looks like.
And some of that requires internal dialogue with regards to security and network teams so that folks understand not only what the vulnerabilities potentially could be, but they understand what assets they have and what process and protocols are in place as it relates to those potential events and that they practice them.
So I think what happens is we all get caught up in the, you know, the newest, latest, greatest type of attack. And when things seem to be dying down, which technically they're not, but at the same time, there's not this huge insurgence of press and attack activity, they become complacent. And it's at that point that they become vulnerable to potential impact.
And in terms of this arms race, this sort of cat and mouse game that's being played here, are the defenses against DDoS growing in parallel? Have we reached the point where defending against a DDoS is fairly routine?
It depends on the DDoS, but yeah, I mean, it is fairly routine at this point.
I would even say that at times it's somewhat boring.
The attackers have their handful of tools, and they continue to just beat everything to death with them.
You know, it's just another day in DDoS.
It feels like a lot.
Yeah, I think from our perspective, I think from an end user standpoint, they may have a different perspective because, again, it's based on what they have in place, what their appetite for risk is, what that posture is. And it also does depend on the actor, right? So if you have an actor that understands an environment, the attack itself could become a little more complex. Now, can we handle it? Absolutely. That being said, could there potentially be impact to that end user based on the knowledge from an attacker perspective and what their posture is? Sure. So again, that's where it becomes very important that they understand what is potentially vulnerable or at risk or what they can have as it relates to an appetite for risk within the environment and then making decisions based on that.
That's Lisa Beegle along with Chad Seaman. They are both from Akamai.
Major U.S. electronics retailer Best Buy has stopped selling Huawei phones,
evidently responding to security concerns about the Chinese company.
This is seen as a significant blow to Huawei in the consumer market.
The Billington International Cybersecurity Summit met yesterday,
despite the early spring blizzard that hit the eastern seaboard.
The policy leaders who spoke showed striking agreement
that cyberspace had become normalized in policy and planning.
It's no longer an exotic technical area accessible only to specialists,
but a domain where nations, businesses, and individuals
lead much of their daily life.
Discussions noted the way in which like-minded nations, emphatically not including Russia, by the way, were increasingly working collaboratively, both within alliance structures and bilaterally, to accept and manage common risk. In this context, information sharing has clearly become far less aspirational than it has been. U.S. DHS Assistant Secretary Jeanette Manfra called for nations to begin thinking of cybersecurity as a matter of international digital public health.
She also didn't neglect deterrence and the imposition of consequences.
The Assistant Secretary explicitly cited last week's round of sanctions against Russian
individuals and organizations as a response to ongoing Russian operations preparing a
campaign against the U.S. power grid.
There was also some ambivalence about innovation on display.
Several speakers cautioned that novel technologies represented risk as well as opportunity.
As we mentioned on yesterday's show, Singapore's Commissioner of Cybersecurity, David Koh,
was particularly clear on this point, saying,
We exploit the technology and run the risk of being exploited ourselves.
Mr. Koh holds many other titles, too many to list here, and he explained the reason for the many hats he wears. Should something go spectacularly wrong, he said, quote, I can publicly resign in ignominy and then quietly move to a new job I already have, end quote. Good for you, sir. And congratulations, too.
Mr. Koh was yesterday the inaugural winner of the Billington Cybersecurity International Leadership Award.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back.
Hi, Dave.
So I got a message from one of our listeners on LinkedIn, and it's a common request.
Someone who is getting into cybersecurity, has a career in another line of work.
This person happens to have an MBA already and is taking some classes to get into cyber,
but they're wondering when they get their new degree,
how are they going to head out into the employment world?
And it struck me that, well, you folks over at Johns Hopkins
are in the business of preparing people to enter the business world.
So what advice do you have for someone in this situation?
So in that situation, that's kind of different from our students.
Our students are generally coming right out of a bachelor's program and coming right into our program.
It is a full-time, immersive, three-semester, very intense program.
Right.
So during the summer, we like to see all of our students take an internship.
They have to complete a capstone research project.
It requires pretty much all their time.
So I'm assuming that this person,
and there are lots of other people in this position too,
where they have full-time jobs that are currently available.
My advice is to assess your situation.
Are you in a situation where your company
is paying for your master's degree in cybersecurity
or your second bachelor's in cybersecurity?
If so, then look within that company and see if there's other positions in that company where you can kind of move laterally, but get into the career field now. If you're paying for it yourself, then you have a lot more freedom, right? You can look outside of the company to try to move into the career field. Even just having a couple classes under your belt is good. Being able to say on your resume that I'm pursuing a master's degree in cybersecurity or a second bachelor's or even a first bachelor's in cybersecurity, and I'm doing it part-time. Getting into the field is going to be the most important part of the career, is actually making that first move.
And one of the points you made, we were chatting beforehand, was that don't discount your previous experience as a sort of a connection to your cyber knowledge.
Absolutely not. Your previous experience is invaluable. You're going to go into this field, in the cybersecurity field, coming from a different background. You're going to present a different way of thinking to the team you're going to be working on. And that is going to be, don't underestimate the value of that. It's going to be very valuable to the team.
And so how do you go out and market that particular, you know, that aspect of your career?
I suspect, you know, some people feel like, well, I don't have a computer science degree.
You know, maybe I'm at a disadvantage to some of these folks who are coming through pure cybersecurity all the way.
Right. Well, one of the biggest hurdles that cybersecurity and any kind of IT or programming people face is they just don't have what I'll call real-world experience. I mean, they have real-world experience in whatever their skill set is, but they've never been on the other side of the computer screen, so to speak. So they may not have the understanding of the business processes that are involved with whatever it is that is done. A great case in point is, you know, I actually did a lot of business process analysis early on in my career to help people automate the process. And you go into these folks who do this business, and the process is actually very, very complex. There's a lot of OR gates or if-then-else statements that you have to account for within a business process. A lot of engineering people just don't understand that. And that is probably the biggest value that you'll bring to the table, the familiarity with the process.
So if I'm a hiring person, I guess these folks should look at that previous career. It isn't something that holds them back. That could actually be a benefit because if I'm that hiring person, I'm going to say, well, there's a whole bunch of stuff that I'm not going to have to worry about with this person. They've been out there.
Right, exactly. I'm not going to have to explain to them. You can't just tell them not to do that because they need to do that.
I see. Whatever that may be.
Yeah.
All right. Good insights. That is a variable here, I guess. Okay. Good insights. Joe, as always, thanks for joining us.
It's my pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.