CyberWire Daily - LYCEUM active against Middle Eastern energy-sector targets. LinkedIn used to recruit spies. Autonomous car expert indicted. Imperva exposure. VPN software patches. AI writes.

Episode Date: August 28, 2019

LYCEUM is active against the oil and gas sector in the Middle East. Leaving government service? That nice offer from the head-hunters you got on LinkedIn may be the beginning of an approach by Chinese... intelligence. Autonomous car expert indicted for alleged theft of trade secrets. Imperva discloses a possible breach. Exploitation attempts against VPNs reported. And why did the chicken cross the road? The AI's not sure, but it thinks the chicken used LIDAR. Joe Carrigan from JHU ISI on the federal office of the CIO's Cyber Reskilling Academy graduating their first class. Guest is Peter Smith from Edgewise on microsegmentation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_28.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Lyceum is active against the oil and gas sector in the Middle East. Leaving government service? That nice offer from the headhunters you got on LinkedIn may be the beginning of an approach by Chinese intelligence. An autonomous car expert's been
Starting point is 00:02:10 indicted for alleged theft of trade secrets. Imperva discloses a possible breach. Exploitation attempts against VPNs have been reported. And why did the chicken cross the road? The AI is not sure, but it thinks the chicken used LiDAR. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 28, 2019. SecureWorks has identified a new threat group active in the Middle East. They're calling it Lyceum. It may have been active as early as April of 2018, with some signs of activity in South Africa. But since late spring of this year,
Starting point is 00:02:55 it's increased its operations significantly. It's currently engaging Middle Eastern infrastructure targets, specifically in the oil and gas sector. While SecureWorks says it sees some stylistic similarities to known threat groups Cobalt Gypsy, itself connected to OilRig, Crambus, and APT34, and Cobalt Trinity, also known as Elfin or APT33, it says that it can't connect either the malware itself or the attack infrastructure to any of those actors. Quote, as of this publication, there is insufficient technical evidence to support an attribution assessment, end quote.
Starting point is 00:03:31 Other outlets are less circumspect. Bleeping Computer runs with Lyceum's association with Hexane, tracked earlier by Dragos. Technology Review calls a culprit, Iran. The campaign's goal is apparently espionage. Chinese intelligence services continue to use LinkedIn as a way of approaching people they'd like to recruit as assets. The New York Times reports that former government officials are attractive potential targets. Counterintelligence officials in France, Germany, the UK, and the US have all warned against the recruitment efforts.
Starting point is 00:04:10 This appears to be an update of traditional espionage tradecraft. Approach a potential recruit, establish some common ground, and proceed until they're too compromised to spit your hook. The hook is often a job offer, sometimes done through the cutout of a headhunting firm. The lure is often a trip to China, perhaps on a paid speaking, research, or consulting gig. From that point on, from the intelligence service's point of view, it's all customer relationship management. Prospects who've recently left or are soon to leave the government service are particularly vulnerable. Not only are they likely to have information and, better yet, the Chinese services would like to use, but they're at an unsettling point in their life, moving from a familiar government career into the unfamiliar private sector.
Starting point is 00:04:55 Government agency HR and security people handling transitioning employees might take note. Some help is probably in order here, more than just getting them to turn in their badge and signing separation paperwork. One of the stars of the self-driving car world, Anthony Levandowski, has been indicted by the U.S. Attorney for the Northern District of California. Mr. Levandowski, who had been a founding member of Google's self-driving car team, is charged with 33 counts of theft of trade secrets. It's alleged that a few months before he resigned from Google, Mr. Levandowski downloaded company files
Starting point is 00:05:32 relating to the company's LiDAR sensor and self-driving technology. He was arraigned in San Jose yesterday. It's a common practice in network defense to segment your network, to split it into sections to limit exposure, or perhaps to be able to dial in different access controls for different areas of risk. Microsegmentation takes this notion to an even more sophisticated level. Peter Smith is CEO at zero-trust segmentation firm Edgewise. So micro-segmentation at its most basic level is just saying that you're going to create groups of systems and shrink the boundary just around those small groups of systems. And those groups of systems are typically aligned with either a type of data or a specific business
Starting point is 00:06:21 application. So for instance, you could plausibly create a micro segment containing a variety of databases that all have the same class of data. And really, the point is, let's say it's a replicated Postgres database. There's no reason to segment them out individually. Once you have access to one, you effectively have access to all of the data across all of the databases. So you're grouping them together based on their risk, based on the risk of a breach and putting a perimeter around those. A different example would be to say you're going to put a perimeter around a business application. A good example of that would be I'm going to put a perimeter around just the components that make up my SharePoint infrastructure. And that could be a web front end, an application tier,
Starting point is 00:07:12 one or more databases on the back end, and you're putting a boundary just around that one business application. So you can think of it as cordoning off data types or cordoning off business applications. And what are your recommendations for folks who want to get started with this? How do you educate yourself and figure out what the best approach is? You know, micro-segmentation is, frankly, quite difficult. And what you need to do first is determine what your objective is. Is your objective to protect specific critical applications and their assets, or is your objective to fully segment the entire environment? Either
Starting point is 00:07:53 way, you need to choose a starting point. And that typically centers around a specific application that you wish to protect. My advice personally is to start with your backup infrastructure. And I know that sounds counterintuitive. Why would you care about your backup infrastructure? But the reason you care about it is because it has every piece of protected information you could ever wish to protect. It is the most compelling target I can think of in the cloud or at the data center. If you get into the backup infrastructure, you've got all the keys to the castle. It's also worth noting that most backup systems are effectively command and control systems. So to give you an example, backup infrastructure has to deal with a variety of scenarios. I need to quiesce
Starting point is 00:08:47 a database before I back it up so that I've got a crash-consistent copy of the database files. Well, to do that for Postgres, MySQL, MongoDB, Oracle Database, MS SQL, they all have different commands that need to be issued. Do you think the backup software vendor builds special routines that only allow those individual commands to be run? Of course not. They've got a mechanism that allows you to run really arbitrary commands to do the quiesce functions, to prep file systems for backup, so on and so forth. And what that means is that if I can get into your backup system,
Starting point is 00:09:26 I basically have entered the superhighway of connectivity that allows me to command and control every system in the environment and access all data that is sensitive and precious to you. The last point I would make is that as you're exploring the world of microsegmentation, the backup infrastructure is a perfect candidate because it generally is not the primary supporting function of the business. If you happen to make a fat finger per se
Starting point is 00:09:56 on the backup infrastructure, you're not gonna take down the revenue-generating application for the business. So it's both safe, it's both a very big target for both the command and control capabilities as well as the data that it holds. That's Peter Smith from Edgewise. Imperva has disclosed an issue affecting its Cloud Web Application Firewall, the product formerly known as Incapsula. The source and scope of the incident remain under investigation,
Starting point is 00:10:26 but it appears to involve exposure of customer data through September 15, 2017. The company will release more information as its investigation turns up details. Imperva recommends that customers change their passwords, implement single sign-on, enable two-factor authentication, generate and upload a new SSL certificate, and reset their API keys. Pulse Secure is also reaching out to customers who may have been affected by the widely reported attempts to exploit a vulnerability in its popular virtual private network software,
Starting point is 00:11:00 urging them to apply the patch that's been available since April. It's an interesting case. The patch has been available for some time, but the vulnerability drew considerable attention from hackers in the wild only after it was publicly discussed at Black Hat. Researchers at the threat intelligence firm Bad Packets reported that on August 22nd, they began seeing what they call opportunistic mass scanning for vulnerable servers. The scanning originated from hosts in Spain.
Starting point is 00:11:30 Finally, the BBC takes up some breathless warnings that artificial intelligence is getting really good at writing fake news stories, and that the GPT-2 text generator developed by researchers at OpenAI is too dangerous to be let out in its fully trained form to the general public. Not only will it write almost convincing fake news stories, but it will even finish jokes in an almost convincing way. Emphasis on almost. The BBC's tests fell short of full conviction, although they do suggest that some human writers might well fail a reverse Turing test, leading readers to think, dude, you write like a machine and don't mean that in a good
Starting point is 00:12:11 way. It's also unclear how new this really is. The postmodern generator, for example, has been dazing and confusing comp lit and lit crit TAs with bogus scholarly argle-bargle for a generation now, long enough, no doubt, for some users to have received tenure. But take the business of finishing jokes, please. The borscht belt has little to fear because the AI seems humorless. Here's what happened when the AI consultancy The Envisioners tested it on the old family of jokes that begin, A man walks into a bar.
Starting point is 00:12:45 The AI thought this was how it should go. A man walks into a bar and ordered two pints of beer and two scotches. When he tried to pay the bill, he was confronted by two men, one of whom shouted, This is for Syria! That's all we'll reproduce because the rest isn't really suitable for a family show. Also, it's not funny. Now, a funny version would have had the guy talking into his hand or producing a small piano from
Starting point is 00:13:10 his pocket, but anyway, share your versions among yourselves and maybe share them with the AI. The issue, some are saying, is that the AI is just trained by being turned loose on the internet. Everybody remember Tay, Microsoft's attempt at an artificially intelligent voice assistant a few years ago? Redmond was going for a sassy teen girl persona, and boy did they succeed. In a certain way. After a week on the internet, Tay had become a foul-mouthed racist sociopath. Redmond had to put Tay in a timeout that, as far as we know, is still going on. Aye, aye, aye, machines, you're breaking your human parents' hearts.
Starting point is 00:13:56 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:14:15 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:14:47 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:53 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, it's great to have you back. Hey, it's good to be back, Dave. Saw an article come by. This was from FCW, which is Federal Computer Week. And the article is
Starting point is 00:16:33 titled, Cyber Reskilling Grads Grow Skills But May Not Be Headed for Cyber Jobs. This is written by Adam Mazmanian over at FCW. Give us the background here. What's going on? So the federal government, the office of the CIO, has this program called the Cyber Reskilling Academy. And it's designed to retrain feds for cybersecurity positions. They just graduated their first cohort in July. Suzette Kent, who is the federal CIO, said at a roundtable discussion that she's very happy with the outcome.
Starting point is 00:17:09 They had 30 people who were selected from a pool of 1,500 people. So it's a pretty tough selection process. Right. Right. And these graduates were able to get some credentials. They got the GIAC, which is a Global Information Assurance Certification, for Security Essentials and Certified Incident Handler. Now, here's the interesting thing. These people who were selected for this cohort were all from the GS-12 to GS-15 pay grades, right?
Starting point is 00:17:36 These are people who are more senior in their careers. So the GS system is how government pay grades are ranked. Correct. The higher the number, the more you make. These folks have essentially trained and are now skilled enough to become entry-level cybersecurity workers, right? Thanks to this academy. Thanks to this academy. However, the problem with that is that the entry-level cybersecurity positions usually rank around the GS-7 to GS-9 range, depending on how much experience and education you have.
Starting point is 00:18:03 And that's substantially lower salary. Yeah. It's not surprising to me that these folks are not moving on into the cybersecurity field. The benefit, I'm not saying this is a total write-off. That's not at all what I'm saying. I like the idea that you're taking senior people and introducing them to the skills and problems of cybersecurity. That is going to pay off down the road. Mm-hmm. We have a real shortage in this country of cybersecurity workers, particularly within the federal government. So I think that they should be targeting this training towards people who are GS-9 and below
Starting point is 00:18:36 so that they can actually say to people, government employees, we are going to give you an opportunity to move into this field where you'll have room for rapid advancement through the government and not telling people in order for you to move into this high advanced field, you have to take a really huge pay cut. Right, right. Now, I know, I mean, one of the things from your line of work at Hopkins, sending people out into the world, the government is a place where there are opportunities that there may not be in private business. Correct. One of the things that I will say the U.S. federal government does very well when compared to industry is that if you go into an entry-level position, they are not expecting you to have any experience.
Starting point is 00:19:19 You might have to have a certification like an A+ certification, or rather a Security+ certification, but that's relatively easy to acquire. That's a very low barrier to entry. You can take a training class, pass the test, and you will qualify for these as an entry level for a lot of these positions. So you don't see these requests for you to apply for a job where it says an entry-level position must have 10 years experience. Right, and a CISSP. Right, right, right. I've actually seen entry-level postings that require a CISSP. Nobody with a CISSP is going to take your entry-level $40,000 a year job. Sorry, that's not going to happen.
Starting point is 00:19:55 But the federal government actually knows that, and they actually do that very well. alignment here is the notion that this program, this Cyber Reskilling Academy, is going to fill empty jobs in cybersecurity within the federal government. Yeah, I don't think that that's going to happen, at least not with what they did with the first cohort. Now, maybe the first cohort was a test. It was only open to people who were not in IT, which I find interesting. The second cohort, which has already been selected, is open to anybody. Anybody could apply for a position in the second cohort. I'd like to see what happens with this. Again, I don't diminish the value of the training for these GS-12 through GS-15 people. These are senior people who now have a glimpse into the horrors that we look at
Starting point is 00:20:39 every day, and I think that's important. It has real value. Yeah. All right. Well, it's interesting. Again, the article is over at FCW. It's Cyber Reskilling Grads Grow Skills But May Not Be Headed for Cyber Jobs. Do check it out. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. Designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire.
Starting point is 00:21:50 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:23:17 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
