CyberWire Daily - Panama Papers pinch. North Korean spearphishing against ICS. CyberMaryland notes. Google Home Mini was tale-bearing (but now it's better).

Episode Date: October 12, 2017

In today's podcast, we hear that German police raid a Panama Papers-connected slush fund. North Korea spearphishes in the North American power grid. Security tools can be dual-use, too. Notes on CyberMaryland, where we heard about business climates, the Baltimore-to-Birmingham cyber connection, the Red Queen's race, and the curmudgeonly demeanor too many security types cop. Rick Howard from Palo Alto Networks with an update on the Cybersecurity Canon suggested reading list and a call to vote for the nominated books. Guest is John Morello from Twistlock on securing container environments. And Google Home's Mini speakers were apparently listening and tattling as well as speaking. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Cylance uses cutting-edge artificial intelligence to help protect your systems. If you are a woman in cyber security and want to make connections with others in the field, check out our own Women in Cyber Security event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:31 Hey, everybody. Dave here.
Starting point is 00:01:22 German police raid a Panama Papers-connected slush fund. North Korea spearphishes in the North American power grid. Security tools can be dual-use, too. Notes on Cyber Maryland, where we heard about business climates,
Starting point is 00:02:09 the Baltimore-to-Birmingham cyber connection, the Red Queen's race, and the curmudgeonly demeanor too many security types cop. And Google Home's Mini speakers were apparently listening and tattling, as well as just speaking. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, October 12, 2017. Remember the Panama Papers? The doxed law firm's files that contained apparent signs of illicit or at least questionable money laundering? The anonymous hack of Panamanian law firm Mossack Fonseca in 2015 has had some
Starting point is 00:02:46 legal fallout in Europe. German federal criminal police raided what Deutsche Welle characterizes as a two million euro slush fund embezzled by a former Siemens manager. The Panama Papers were particularly interesting because the materials released by the unidentified whistleblower, or hacktivist, or organization, or agency, known only as John Doe, included a fair bit of discreditable information about Russian oligarchs close to President Putin. North Korean cyber operators are reported to be probing various U.S. companies for vulnerability to attack. FireEye reports that it detected and stopped spear phishing attempts against utility company officers in late September. An attack on the North American power grid would
Starting point is 00:03:31 of course be attractive to DPRK war planners, but doing so isn't as simple as zombie apocalypse tales might lead one to believe. ICS security firm Dragos, for one, regards the likelihood of a grid takedown as fairly remote. Most of the press attention has understandably focused on targeting of electrical utilities, but the campaign is broader than that. Pyongyang appears interested in industrial control systems generally. South Korean sources are reporting an interesting twist on the North's approach to cyber operations. They think they're seeing hacktivism, which would seem difficult to foster in a country as closed and tightly controlled as the DPRK. We heard from Phil Neray of industrial cybersecurity firm CyberX, who offered the
Starting point is 00:04:16 following comment, quote, targeting U.S. energy companies with phishing emails isn't new, but it's the first time we've seen it tied to North Korean actors rather than Russian or Iranian hackers. And don't be fooled by people saying we shouldn't worry because the hackers haven't compromised any of our industrial control systems. The easiest way for adversaries to get into our control networks is to deploy password-stealing malware onto the computer of a control systems engineer, and then use their legitimate credentials to directly access the control systems thereafter. This immediately bypasses any perimeter protections you might have on the network, such as firewalls.
Starting point is 00:04:53 End quote. We also heard from AlienVault's Chris Doman, who thinks, quote, the recent North Korea cyberhack may relate to the reported August 2016 compromise of the South Korean Ministry of Defense. The group behind those attacks is Andariel, and likely a subgroup of the attackers behind the Sony attacks, WannaCry, and SWIFT banks. They are very active, and I continue to see new malware samples from them every week. End quote. Revelations that Kaspersky security software appears to have been subverted into an espionage tool prompt reflection on the risks antivirus products present, given the access they typically require.
Starting point is 00:05:32 This would seem an instance of the familiar dual-use problem. Another instance would be the ease with which benign scanners could be converted into denial-of-service tools. Many software developers are using containers in their development pipelines, wrapping up their work in lightweight, standalone, executable packages. John Morello is Chief Technology Officer at Twistlock, a company that specializes in container security, and he gives us an overview on containers and how to keep them safe. So a container is technology that allows you to basically bundle up all the parts of your application into a file that's called an image. Kind of imagine a zip file that includes all the things that are required to run your app,
Starting point is 00:06:14 not just the binaries themselves, but maybe also the libraries that they depend on, small pieces of other packages that they use, and to bundle all that up together. And then a container is basically a way of organizing on Linux, like namespaces, that allow you to take a single operating system and to effectively segment it up into multiple kind of zones, if you will. So similar to the way that a hypervisor like VMware or Hyper-V will segment up a single piece of hardware and expose it as individual sort of virtual machines. And each VM kind of only knows about itself and can
Starting point is 00:06:51 only affect itself. Containers do a similar thing, but they virtualize the operating system. So a container might run inside of a VM or maybe even on a bare metal server. But what the container is trying to do is to say this particular app, even though it's sharing the same operating system kernel with other applications that are also in containers, it only sees itself. It only sees its own file system. It only sees its own process activity and so forth, which enables you to have fewer problems with compatibility and one app requiring a particular version of something that another one doesn't. And so they can't run at the same time or concurrency problems with an application that's not able to share resources with other applications properly. Those are all the kinds of things that containers enable you to do. But the broader value is when you combine containers as a technology with the notion of kind of DevOps and continuous integration as an operational practice,
Starting point is 00:07:41 those two things really go together well and enable you to build your application, to service your application, deploy your application much more efficiently and much faster. Because with containers, the artifact that you create, that image that you create during the build process, is exactly the same thing that you deploy and run in production, which enables you to have a really smooth way of saying like, I built this, I tested this, I deployed this, it's the same everywhere. And I know that I can easily increment that because I don't have to worry about compatibility and installation and so forth. The underlying tooling really makes me be able to focus just on the application itself and not worry about how it interplays with the rest of the parts of the stack. And so what are the security concerns when it comes to containers? Well, again, I think
Starting point is 00:08:24 fundamentally, we think that containers are not so much a security concern as they are just a different technology, something that both provides a lot of opportunity to do things from a security standpoint better than you could before because, again, they're much more minimalistic. You understand what the container is going to do because it's only doing one thing as opposed to a VM, which has all kinds of other stuff inside of it. The things that a lot of people, you know, oftentimes are focused on with security for containers, first of all, is often around vulnerability management, because you're building a lot more of these entities,
Starting point is 00:08:53 they change a lot more frequently, and the responsibility for securing them becomes much more the onus of the developer and less so about the operations team. So being able to understand like what components you have in your images, whether those components have vulnerabilities, and to be able to kind of continuously understand your vulnerability posture,
Starting point is 00:09:12 both for those things that you're building and what's already running, that's an important thing that organizations need to deal with. Secondly, I would say is around the compliance for that, because with containers, as a different technology, a lot of the same core best practices, running as least privilege, having operational segmentation, making sure that you've got sort of a minimal attack surface, those things are still just as applicable for containers as they were for VMs and physical servers before that. But because containers are different, you need to have a different set of
Starting point is 00:09:39 tooling to help you deal with that, right? So you need to have something that checks the configuration and the settings and enforces those things in a way that makes sense for containers versus trying to retrofit that from virtual machines into this new space. And then finally, and I think probably the biggest part of it is, as you're running your applications in containers, how can you apply those capabilities that I talked about earlier, the fact that they're declarative, minimal, predictable, how can you apply that to help you do security differently? Because containers, by their nature, you're dealing with a different problem space. Instead of a VM in which you would deploy it one time and run it for months or maybe years without ever decommissioning
Starting point is 00:10:19 it, you would just upgrade it in place. With containers, not only is that going to be much more short-lived, like every time you update the app, you're going to destroy the containers and replace them with a new version of the app. But those containers themselves, you're going to have a lot more of them because you're going to decompose that big monolith VM into a set of microservices. So your website, which might have been a single virtual machine, now might be 10 or 20 different microservices that you're running in individual containers. And so you're dealing with an order of magnitude more end entities to manage. Those end entities change much more rapidly because, again, as you revision your application, they're changing on a much more frequent basis.
Starting point is 00:10:57 And the tooling that you've had historically to manage those virtual machines is largely sort of irrelevant. It doesn't have, I guess, the ability to see into containers to understand how they work and to give you the kind of protections that you need there. So those are kind of the big challenges. I wouldn't say there's so much like security problems with containers. It's just, again, a different problem space, a different set of tools that you need to address that problem space. That's John Morello from Twistlock. Cyber Maryland opened yesterday in Baltimore and continues today. The annual conference this year featured unusually heavy representation from the United Kingdom,
Starting point is 00:11:30 as companies from the English Midlands continued the growing trend of transatlantic cooperation between two regions that have a great deal in common, an alpha cybersecurity customer and an ecosystem of startups and established companies around that customer. A few quick takes on yesterday's sessions. Maryland Governor Larry Hogan described what he characterized as the deliberately business-friendly environment the state has created, and Senator Chris Van Hollen talked about the important role federal agencies had assumed in the state's economy. A panel discussion on the new CISO from tech guru to corporate leader highlighted the importance of communication between security leaders and boards of directors,
Starting point is 00:12:11 a well-known point but illustrated with examples of how what one panelist called the curmudgeonly default personality security and IT people tend to assume can interfere with such communication. It also brought into relief a less commonly appreciated fact about the security sector, the relative unimportance of formal credentials as opposed to experience and demonstrated ability. So those who thought they saw a smoking gun in music and language degrees held by Equifax security leaders were, if you'll forgive the mixed metaphor, barking up the wrong tree. And a plenary session on the Red Queen's race,
Starting point is 00:12:52 the race in Alice in Wonderland that requires you to run as fast as you can just to keep up, concluded with an argument that platforms, not point solutions, were the way to break free of the Red Queen. McAfee's Brett Kelsey said, I don't want a bodyguard for this and for this and for this. I want a police force. We'll have more on these and other sessions in upcoming issues of the Cyber Wire. Finally, Google Home Mini smart speakers appear to have been listening as well as speaking,
Starting point is 00:13:19 and worse yet, it was reporting conversations back to Mountain View. Google has patched to fix the privacy bug, but consumers find it unnerving. So, Mountain View, don't be evil, and everyone's glad you've patched.
Starting point is 00:15:38 And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, their threat intelligence team. Rick, welcome back. You and I have talked
Starting point is 00:16:34 about the Cybersecurity Canon before, and this hall of fame of books for cyber security pros is coming up with a round of votes for the People's Choice Awards. Bring us up to date here. Yes, we are talking about the canon of literature here. Not the cannon where you blow stuff up, but books that you read. Yeah, well, it's an important distinction, you being a former Army guy, right? So we've got to make that distinction. Yeah, my three fans that follow me from the Army, okay? I need to make that very clear.
Starting point is 00:17:04 So it's sort of a rock and roll hall of fame for cyber security books, and one of the reasons we started it was the fact that we are all busy people, and if you were to decide this year to read a book or two to get smart on some new cyber security thing, you could probably go to amazon.com and look up cyber security books. Well, Amazon will return you a list of some 1,500. So how do you choose? All right. So the Canon project consists of 15 committee members. These are network defenders and CISOs, CIOs, CTOs, journalists, consultants, lawyers, and general practitioners. They read the books and write reviews that make the case
Starting point is 00:17:42 that a particular book is one we all should have read by now or one that doesn't quite meet that criteria. So we've been running that project for about four years. And like I said, like the Baseball Hall of Fame, we have about 35 books in the Hall of Fame candidate list. These are books that the committee has recommended to be considered for the Hall of Fame. And we've got about 15 books that we've already put into the Hall of Fame from the original candidate list. All right, so that's the backdrop. So if a book is on the list, it has been properly vetted and it is going to be worth your time. Yes, we think that any book that makes a candidate list would make a good addition to the Hall of Fame. It just hasn't made it there yet.
Starting point is 00:18:20 All right. All right, so this month, to coincide with the U.S. Cybersecurity Awareness Month, we're running what you talked about at the top of this, the People's Choice Award contest. It started with all the books on the current candidate list. And each week we open the voting to the public. So the books that got the most votes made it to the next round. And we are currently this week on round three with eight books still in the competition. And as of right now, Dr. Mansur Hasib's book called Cybersecurity Leadership is out front, but the others are close behind. I'm hoping that my two favorites from this year will make it to the next round. That is The Code Book by Simon Singh. It's about the science and history of keeping secrets. And Metasploit: The Penetration Tester's Guide. So those are my dark favorites. I hope they
Starting point is 00:19:05 make it to the next round. So if people want to check this out and cast their own votes for the People's Choice Awards, how do they do that? They go, just look up Canon, that's with one N, okay, and Palo Alto Networks, because we're sponsoring the project. You'll get to the Canon webpage, and at the very top, you'll see a box that says cast your vote, and that's where you can vote for your favorites. All right. We'll have people check it out. It's definitely worth your time. Check it out, the Cybersecurity Canon. Rick Howard, thanks for joining us. Thank you, sir. And that's The Cyber Wire.
Starting point is 00:20:27 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
