CyberWire Daily - More cyber battlespace preparation. Hacking as the continuation of war by other means. Ongoing social media privacy concerns. Tech glitch extends tax deadline. Notes from RSA.

Episode Date: April 18, 2018

Reconnaissance and staging in cyberspace, with Five Eyes warnings to Russia. Privacy class action suit complains of Facebook facial recognition. Australia joins the ranks of ZTE sceptics. Cyberwarfare ...discussed at RSA: retaliation, deterrence, renunciation, and a private sector push for international norms. Attention tax procrastinators: the IRS says it was hit by a glitch, and not hacked. Zulfikar Ramzan from RSA with thoughts on the conference. Guest is Kevin McNamee from Nokia, discussing threat intelligence and mobile device ransomware.

Transcript
Starting point is 00:01:22 Reconnaissance and staging in cyberspace with Five Eyes warnings to Russia. A privacy class action suit complains of Facebook facial recognition. Australia joins the ranks of ZTE skeptics. Cyber warfare is discussed at RSA.
Starting point is 00:02:12 Retaliation, deterrence, renunciation, and a private sector push for international norms. And attention tax procrastinators. The IRS says it was hit by a glitch and not hacked. Coming to you from San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, April 18, 2018. The U.S. and U.K. continue to warn that Russian cyber operators,
Starting point is 00:02:42 associated in most reports with Grizzly Steppe, continue the reconnaissance phase and possibly the staging phase of their ongoing battle space preparation. US-CERT's warning contained a good deal of actionable advice on how to reduce vulnerability to such probes. Observers note that the intelligence offered in justification of the airstrikes against targets in Syria associated with the Assad regime's use of chemical agents against restive civilians was based to a great extent on open sources. Comments by both the U.S. and French governments indicate that social media were a particularly important source of information. Drone policies and tactics appear to be informing allied cyber action.
Starting point is 00:03:29 A U.S. federal judge in California has ruled that a class action suit complaining of Facebook's facial recognition technology can go forward. The judge noted that damages could be very high. Indeed, concerns about social media and privacy continue to run high. Forbes reports that an Israel-based surveillance firm, Terrogence, has used facial recognition features in Facebook and other platforms to build a very large database of biometric profiles. Australian intelligence services are joining their counterparts in the UK and the US in regarding Chinese device manufacturer ZTE with suspicion.
Starting point is 00:04:07 Our coverage of the RSA conference continues. If you'll be at San Francisco's Moscone Center this week, stop by and say hello to the CyberWire team. We'll be at the Akamai booth, 3625 in the North Hall. We hope to see you there, and we thank Akamai for their hospitality. The conference's formal opening was noteworthy for its discussions of cyber conflict. The U.S. has a full spectrum of response options available to it, and she suggested that some of those options might well be exercised.
Starting point is 00:04:40 Microsoft's President Brad Smith led the announcement of an industry undertaking to refuse to conduct offensive cyber operations on behalf of any government. 34 companies have signed the Cybersecurity Tech Accord. The company's concern is commendably ironic, but one notes that the signatories are unlikely to have offensive cyber capabilities as part of their offerings. Some of the companies on board with Redmond are Facebook, Cisco, Avast, Nokia, Dell, RSA, FireEye, LinkedIn, Symantec, and Juniper Networks. Microsoft has long pushed for adoption of a Cyber Geneva Convention. The Accord represents a private sector move in that direction.
Starting point is 00:05:19 Kevin McNamee is head of the Threat Intelligence Lab at Nokia. He was also a presenter at the RSA conference discussing the security of mobile devices. We caught up with him on the show floor. I think in the past three or four years, threat intelligence has become one of the key aspects in cybersecurity. People have had security information management systems, they've had firewalls, intrusion detection, and you now realize that you have to, in order to make these systems work properly, you have to feed them with information. And that information is what we call threat intelligence. So it's a key aspect of today's security landscape. And so how does the transformation work from pure information to
Starting point is 00:06:00 actionable intelligence? I can give you an example from what we do in my lab. What we have to do is we have to feed malware detection rules to Nokia's network-based malware detection systems. In order to do that, we have to know how the malware communicates on the wire, on the network. So what we do is we take malware samples and we bring them into our lab, we run them in a sandbox environment,
Starting point is 00:06:26 and we actually let them generate network traffic. From that, we can then, a security analyst will look at that network traffic and build the detection rules that we then deploy in our products. So that's an example of threat intelligence being directly applied to a product in the field in real time. You gave a talk here at RSA about ransomware on mobile devices. Can you give us an overview? What were you talking about? Okay, sure. Ransomware has been a huge topic in the past year, with WannaCry, NotPetya, and all the rest of that. And they gave a day-long seminar on ransomware here at RSA.
Starting point is 00:07:06 Being from Nokia and being an expert in mobile security, I was asked to present the section on mobile ransomware. And so we talked a little bit about ransomware that you see on the Android phone, on the iPhone platform, and explained to the crowd, the group there at the meeting, how the malware worked, how it got paid, and what type of techniques it used on the platform to make sure that it could lock it and encrypt those files. And so what are you seeing in terms of trends? Are we seeing a growth in malware on the mobile platforms? Certainly over the years, we've noticed an increase in the trend. Typically in the mobile, like in the smartphone, we're looking at about just 1% infection rate across the board. That's been pretty steady for the past few years. What we are seeing more of now is the IoT sector is becoming more of a factor.
Starting point is 00:07:59 So in the mobile networks where we monitor, we see a lot of IoT devices are being hacked, they're being compromised, and they're being used in denial-of-service attacks. You're probably familiar with Mirai and a host of other IoT malware botnets. So we're seeing a huge increase in that recently. When you look around here at the show, what strikes you as being looking forward? Some of the trends that you're seeing for the next year. What are the things that you think people are going to have their eye on?
Starting point is 00:08:31 Okay, well, I certainly see the trend we've been talking about today, which is the increase in threat intelligence and making the whole thing work. Certainly, there are a lot of people talking about ransomware. And I think the main thing is that what we're focused at from Nokia is security orchestration, automation and response. And we've got a very large scale program, R&D program at Nokia to bring that to the fore. So that's what we're working on. That's Kevin McNamee from Nokia. Last night, we heard an interesting panel discussion at an event organized by Recorded Future. Three well-informed panelists, Matt Tait, Robert M. Lee, and Juan Andres Guerrero-Saade,
Starting point is 00:09:12 discussed cyber warfare in a session moderated by Recorded Future CEO Christopher Ahlberg. The panel agreed that cyber warfare was undoubtedly real, but also thought it made little sense to talk in terms of a cyber war as a mode of conflict that could be confined and contained within that single fifth operational domain. This doesn't reflect reality any more than space war or sea war do. Instead, nations use cyber attack tools in the course of larger conflicts. We are, the panel thought, effectively in a state of continuing cyber conflict, which is to say simply in a state of continuing conflict. This is a sharper version
Starting point is 00:09:51 of Clausewitz's famous dictum that war is the continuation of policy by other means. Consider, panelist Lee said, speaking more or less hypothetically, a Hellfire strike against an ISIS cyber operator in the Levant. That sort of clearly kinetic and lethal action might itself be understood in the context of cyber-warfare. ISIS operators could not be placed on notice more forcefully that their activities, even if conducted from a keyboard, make them combatants. This observation clearly has implications for considerations of cyber deterrence. The panel's other observations included thoughts on recognized false flag operations.
Starting point is 00:10:31 Russia's Olympic Destroyer that presented itself as a DPRK operation was the first such false flag recognized and unmasked. On officialdom's unrealistic squeamishness about attribution, Russia's two attacks on Ukraine's power grid were not only obvious, but were intended by the Russians to be seen and interpreted as their work, and a need for clarity when drawing red lines. If NATO intends to invoke Article 5 in response to a cyber attack, the alliance might, in the interest of deterrence, say where an attack would rise to the level of an act of war. And there was much skepticism expressed concerning the effects of U.S. indictments of foreign individuals carrying out attacks on behalf of their governments.
Starting point is 00:11:14 And finally, hello American taxpayers. Have you heard that the IRS is giving you an additional day to file your 2017 returns? That's right. And it's not because the boss is on vacation and they've all gone crazy, or because their secret is volume. No, the Internal Revenue Service's online system failed as 11th hour taxpayers attempted to file yesterday. The IRS says it's a hardware issue, which is generally being interpreted as a veiled way of saying we weren't hacked. And also a veiled way of saying,
Starting point is 00:11:45 see Congress, we told you
Starting point is 00:13:33 And joining me once again is Zulfikar Ramzan from RSA. We are at RSA. It's good to see you again. You too, in person this time. In person. It's nice meeting
Starting point is 00:14:26 all these folks face to face. So here we are at the conference, another big year as always. What's your take on the show so far? What do you sense in terms of the tone of people out on the show floor this year? It's just hyper exciting. I mean, just seeing 50,000 plus people coming together to think about cybersecurity issues is something we've never seen before in this industry. Obviously, it's our biggest turnout yet. And to me, it's a sign of the times. When I first came to RSA Conference, it was significantly smaller.
Starting point is 00:14:56 In fact, last night, I was having dinner with our security scholars, people we've basically given funding to to attend the conference for the first time. They're students. They're the future of our industry. And one of them asked me about the history of the RSA conference. And I said, you know what? I think the first RSA conference, the entire conference could have fit in the room we're having dinner in, which was not much bigger than the room we're in now. And to see the conference grow over so much time is probably the most exciting and optimistic
Starting point is 00:15:20 thing I can think of for our industry. And to me, the biggest trend, in addition to that, has been this turning point where we're seeing more and more people talk about and accentuate the positive aspects of what's happening in our field. It's so easy to become negative about the different threats out there and the challenges, and those are not going to go away. There definitely are some serious clouds we have to deal with.
Starting point is 00:15:41 But on the flip side, there are some important silver linings that we can't forget about, and we have to celebrate as a community when we are successful and continue to do so. Because if we're not going to celebrate, I guarantee the hackers aren't going to celebrate for us. Yeah, I do sense that people, I think, are starting to feel as though equilibrium is on the horizon. It's not right around the corner, but we may be heading towards a time where we're able to manage this. It's not going to be year after year exponential growth on our budgets and our efforts. I agree wholeheartedly. I think the key elements to that are that, number one,
Starting point is 00:16:13 we're converging more and more into some of the most critical problems we have to work on as an industry, and we're taking advantage of the fact that we understand what's most relevant. And so knowing even what to work on is, in and of itself, a fundamental open issue and an issue that requires a lot of thought and investigation. The second element is that we're seeing the application of more and more advanced techniques to the problems we're trying to attack. There's certainly areas like artificial intelligence, machine learning, and whatnot. Now, I say that with a slight chagrin because the reality is that we've been using this
Starting point is 00:16:46 technique for a long time in our environments. I think this RSA, as far as I can tell, I think started at least a dozen plus years ago applying machine learning in production environments. But we're talking about it more publicly more recently because the community is more interested in knowing how things work, not just why they work or what they do. And so we're trying to move past that point in our industry. And so I think the combination of focusing on the right kinds of problems, putting more advanced techniques towards those problems, and having more and more people just looking at these problems all generally bodes well.
Starting point is 00:17:14 Now, whether we're going to be in equilibrium now or in five years or ten years, to me the most important part is that we continue to make progress. And that's the one thing we have control over. We don't have control over whether we're going to get to the right state and how far it's going to take because the actors are unpredictable and they do what they want to do. But if we can just continue to make marginal improvements every day
Starting point is 00:17:32 and build on those improvements and take that philosophy of marginal gains to heart, we can make so much progress. And I'm excited about the road ahead in that regard. All right. Zulfikar Ramzan, thanks for joining us. Again, always a pleasure.
Starting point is 00:17:58 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:19:10 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
