CyberWire Daily - Nation-states or criminal gangs? Update on Polish banking attacks. And an update on RSA.

Episode Date: February 15, 2017

In today's podcast we consider the difficulty of distinguishing nation-state hacks from criminal capers. It's not always clear, and sometimes it's a distinction without a difference. But in any case, many call for international norms of cyber conflict. Waterholes and catphish. Ben Yelin reviews President Obama's security legacy. Steve Grobman from Intel Security on the challenges of changing course. RSA is at its midpoint; we offer some of what we're hearing on the floor about false alarms, where to draw the perimeter, and concerns about the Internet of Things.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 clear, and sometimes it's a distinction without a difference. But in any case, many call for international norms of cyber conflict. Rasputin and Zeus, waterholes and catfish. RSA is at its midpoint. We offer some of what we're hearing on the floor about false alarms, where to draw the perimeter, and concerns about the Internet of Things.
Starting point is 00:02:24 I'm Dave Bittner. Not as usual in Baltimore, but out here in the city by the other bay, San Francisco, covering RSA and offering your Cyber Wire summary for Wednesday, February 15, 2017. Concerns about nation-state hacking continue to rise. Observers see signs that governments are making increased use of criminal gangs and operations those governments are directing, organizing, or inspiring. The activities of the Lazarus Group may provide a particularly interesting example. Whoever may be directing them, their crimes do seem to chime with the interests of one or two states, and the Internet is looking at you, Russia, and North Korea.
Starting point is 00:03:02 FireEye's Kevin Mandia counsels everyone not to expect any markedly reformed behavior from the Russian government. In this regard, observers continue to mull Microsoft's call for international norms that would govern conflict in cyberspace. They might bear comparison with those implied by the new edition of the Tallinn Manual. Booz Allen Hamilton's Cyber4Sight has an interesting account of the malware used in the watering hole attacks on Polish banks and other financial institutions. Cyber4Sight notes with commendable caution that it's too early for attribution. Polish media initially called it a Russian attack. That's unclear. There are equally compelling signs of purely criminal
Starting point is 00:03:42 activity, although here again it's worth recalling the degree to which, in many parts of the world, there's significant interpenetration among security services and criminal organizations. There are, of course, more familiar banking threats, as might be expected out in the wild. A new variant of the Zeus Trojan is out and about. The security firm Dr. Web is tracking it, and it seems only fair, for all the stick Russian institutions attract in the security space, to mention that Dr. Web is a Russian company doing some good work on the threat front. Journalists and activists interested in Gulf region migrant worker issues appear, according to Bleeping Computer, to be receiving the ministrations of an as-yet-unattributed cyber espionage campaign.
Starting point is 00:04:27 That campaign seems to feature catfishing organized around the social media profiles of an apparent young woman known as Safeena Malik, evidently the Robin Sage of this particular effort. The campaign involves long-term cultivation of targets with the eventual goal of inducing them to visit a watering hole site disguised as a Google login page, whence the victim's credentials are extracted. As is traditional in recruiting for espionage, the catfish, the false persona, professes a common interest in migrant labor laws and in activism. Thus, it might be conceived as a kind of affinity scam. Ransomware continues its predictable evolution. Observers note that the extortionists' preferred target sets are becoming better defined. They're focusing their attentions on what are being called high-value targets,
Starting point is 00:05:16 but these would be better characterized as high-payoff targets, those most likely to pay, governments, health care, and small businesses. In industry news, or more accurately, in industry rumor, Google is thought to be shopping for Indian cybersecurity companies. And in legal news, former NSA contractor Hal Martin has pled not guilty to charges he purloined, stashed, and hoarded highly classified information. The probable lines of his defense have yet to emerge, but it seems
Starting point is 00:05:45 significant that although charged under the U.S. Espionage Act, he wasn't charged with espionage as such. Some quick notes on RSA as the conference reaches its midpoint. According to experts on the technical, operational, and political aspects of the matter, nation-state operations in cyberspace are expected to increase. Those operations are expected to include espionage, information and influence operations, destruction or disabling of systems and data, and more complete integration with kinetic military operations. Nation-states are also expected to become coyer about how they conduct such operations. The pullback some observers say they see isn't conciliatory.
Starting point is 00:06:26 Rather, it's a sign that states are increasingly turning to non-state actors, especially criminal groups or front organizations. The goal isn't good world citizenship, still less peace. Rather, it's plausible deniability. Some speakers have expressed cautious optimism about Western states' growing ability and resolution to act effectively against cyber challenges, but no one thinks it's going to be easy. Security products go through natural life cycles, and today's protection might not work against tomorrow's threats. But there can be non-technical barriers to making a change. Steve Grobman is chief technology officer for Intel Security. There is a psychological challenge with the products. And what that is, is if you think about the way that technology
Starting point is 00:07:13 typically operates in an environment, it's most effective when it's first installed. And because of that, there is often a motivation for security operations to choose and deploy a particular technology into their environment. But once adversaries figure out how to evade it or create countermeasures, it often doesn't work nearly as effectively. There's this psychological issue where the same principals who have advocated for bringing the technology in-house would need to be the ones to very quickly turn around and say, it's actually not working, and the right thing to do to maximize return on efficacy for our environment would be to remove it. That's very difficult for a lot of people and managers to say: although I recommended doing a full deployment into our organization last year,
Starting point is 00:08:17 this year I'm recommending we remove that. And that's one of the reasons we're advocating taking a platform-based approach where you're looking at technologies that can much more easily be introduced into an environment and then optimized to have the right set of technologies operating in an enterprise. And that includes when things aren't as effective as they need to be from a value perspective. They can either be reduced in scope or very easily removed and leaving that operations team with a high value, high intensity, high efficacy set of technology that remains in their environment. That's Steve Grobman from Intel Security. For unsolved problems in various stages of solution,
Starting point is 00:09:13 the biggest challenge still seems to be the false positive problem. Too many security teams continue to be overwhelmed with chattering alerts, and proliferation of point solutions isn't likely to help. The perimeter has clearly contracted to the endpoint, and maybe even to the user or to the app, and there are a number of interesting approaches to defense being offered and discussed. People continue to grapple with the security challenges posed by the Internet of Things,
Starting point is 00:09:35 and there's a growing appreciation that the world of operational technology has needs that security, born and bred in the world of information technology, just might not be up to meeting.
Starting point is 00:12:03 And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, you know, as we make the transition to the new presidential administration, I think a lot of people are looking back to President Obama's legacy when it comes to civil liberties in the cyber domain. He's received a good bit of criticism when it comes to that. Yeah. So I think a lot of people on the left of center side for the past
Starting point is 00:13:05 eight years during the Obama administration, there were a group of true believers, folks at The Intercept, the Glenn Greenwalds of the world, who had said things that, you know, despite his orientation as a liberal Democrat, he's been relatively aggressive in using the surveillance state to gain national security information. And people should be concerned about this. There were others on the center left who said, you know, he's Obama. We trust him. He's not going to abuse these channels. The problem is once you create the tools, once you use the tools, they're going to get into the hands of people you're not comfortable with. And I think for those people on the center left, that would be the Donald Trump administration. And that's why I think so many civil liberties advocates were disappointed on January 12th when we found out that President Obama, in one of his last acts related to surveillance, had rolled back limits on the National Security Agency's surveillance operations.
Starting point is 00:14:08 Previously, the agency would comb through the data and classify certain elements of the data before they send it to the 16 other government agencies that deal with intelligence. Due to the Obama administration's January 12th action, now the raw data collected by the National Security Agency goes directly to these other intelligence agencies. The positive side from the perspective of the administration is that it will be easier to find the needle in the haystack. You get that entire block of raw data. It goes to all the intelligence agencies. It's going to be much easier for one of them to find something that catches their eye, that can be a hint as to what a suspect is up to, what a known terror suspect is plotting. The negative aspect of it is that it can also reveal information from people who are perfectly
Starting point is 00:14:57 innocent. It's more likely that amongst that raw data, you're going to have irrelevant information, information either unlawfully collected or incidentally collected. I think the timing certainly did raise some eyebrows, but obviously the president was conscious of that. What are people on the other side saying? Is it a point that this is the president merely handing the next administration a better set of tools to do the jobs that they're tasked with? I mean, I think, you know, every president who's come into office promising to curtail the power of the surveillance state gets into office, sees the awesome power that the surveillance state affords them, and realizes that they're responsible for preventing terrorist attacks.
Starting point is 00:15:39 And I think that's exactly what happened with President Obama. He had come in as a critic of some of the Bush administration's surveillance practices, but by the end of his administration, he was a strong believer in some of these surveillance tools. Even though he signed the USA Freedom Act, he originally had been a supporter of the bulk metadata program to collect the metadata of phone calls from almost all domestic users. He had been a supporter of foreign intelligence surveillance operations. And I think, at least in his view, it significantly contributed to the lack of a substantial 9-11 style terrorist attack during his administration.
Starting point is 00:16:20 So I think he genuinely believes that these tools are important to combat terror threats. And no matter who the next president is or not, I think knowing that these tools are valuable, he wanted to give that president at least the availability of these surveillance tools. Ben Yelin, thanks for joining us.
Starting point is 00:17:04 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
