CyberWire Daily - RSA wraps up. Staging offensive cyber operations. (Information ops, too.) Business email compromise affects maritime shipping sectors. Sanctions bite Chinese device giants.
Episode Date: April 20, 2018
In today's podcast, we take a look back at RSA as the big security conference wraps up. Tension between Russia and the West continues to manifest itself in apparent staging attacks and information operations. ISIS in its diaspora returns to recruiting and inspiration. A business email compromise campaign afflicts the maritime shipping sector. Atlanta still struggles to recover from SamSam ransomware. Sanctions drive Huawei from the US market; ZTE may soon follow. David Dufour from Webroot, with thoughts on the conference. Guest is CyberWire editor John Petrik, with thoughts on a cyber Geneva convention.
Transcript
You're listening to the CyberWire Network, powered by N2K.
A look back at RSA as the big security conference wraps up.
Tension between Russia and the West continues to manifest itself
in apparent staging attacks and information operations. ISIS in its diaspora returns to recruiting and inspiration. A business email compromise campaign afflicts the maritime shipping sector. Atlanta still struggles to recover from SamSam ransomware, and sanctions drive Huawei from the U.S. market. ZTE may soon follow.
I'm Dave Bittner with your CyberWire summary for Friday, April 20, 2018.
The 2018 RSA Conference wraps up today.
We're returning this afternoon to the city by the bay, the Chesapeake Bay, as we head back to Baltimore.
But we've got some final notes on the conference before we leave San Francisco.
One unpleasant note appeared on the final day.
The mobile app offered to attendees has proved to be leaky.
RSA tweeted a disclosure early this morning,
Our initial investigation shows that 114 first and last names of RSA Conference mobile app users were improperly accessed.
Russian information operations continue
as Western nations brace for a round of hacking
expected to emerge from Russian battlespace preparation and staging in cyberspace.
Russia plans to allege before the UN that victims of a sarin nerve agent in Syria
were bribed to falsely report the attack.
The battlespace preparation consists, at least in part, of exploitation of vulnerabilities
in the smart install tool found in widely used Cisco routers.
The FBI's preliminary assessment of the risk focuses on the likelihood of espionage, as the initial stage of any Russian operation, with the possibility of other offensive operations to follow.
Cisco's Talos research unit estimates that some 168,000 systems could be affected.
ISIS and its splinter groups appear to be resuming activities in cyberspace
as the terrorist groups enter their diaspora phase.
Their activities appear to be renewed marketing, inspiration and recruitment.
SecureWorks has described a Nigerian criminal operation, Gold Galleon,
that concentrates on stealing from maritime shipping firms and their customers.
Their customary approach is business email compromise,
a well-known form of social engineering in which a criminal impersonating an executive
sends an email to an employee directing them to transfer funds to the criminal's account.
The U.S. city of Atlanta continues its slow recovery from a crippling attack that hit municipal systems with SamSam ransomware on March 22nd.
Direct costs of remediation are said to have amounted to $2.7 million so far.
Some observers have pointed out that the ransom is believed to have amounted
to only $51,000, but that's still not a good reason to pay the extortionists. There's no
particular reason anymore to think the criminals are likely to make good on their promise to
restore your files, and there's also the general principle that one should avoid encouraging
crooks.
Chinese device manufacturer ZTE is being effectively excluded from the U.S. market, as the U.S.
government imposes penalties for the company's circumvention of sanctions against North Korea,
Iran, Sudan, and Cuba.
ZTE is protesting, of course, what could amount to a business-killing decision.
Sanctions against Huawei have moved the Chinese company toward a complete exit from the U.S. market.
The company says it intends to concentrate on European markets.
The U.S. beef with Huawei involved American suspicions that their equipment was insecure
and that there was too much risk of Huawei devices being exploited by China's intelligence services.
It's an anecdotal observation, but at least one of our stringers was struck by how untrafficked and understaffed the large Huawei booth at RSA was this year.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot.
Dave, we are here at an undisclosed location at RSA.
Welcome back.
Hey, thanks for having me, and it is undisclosed.
And it was kind of sketchy getting here, but we made it.
We did. We did. We made it safe and sound.
So let's decompress a little bit.
Today it is Thursday as we record this, the last day of RSA.
Looking back, a good show for you.
What was your takeaway from this year's show?
Well, one of my first takeaways was the matching outfits that marketing made us wear were a hit.
Very popular with the green shoes we have, so thumbs up to that.
Very important.
But from a pure cybersecurity play, I honestly think it was a little toned down this year compared to other years. I don't know that anyone really landed on a specific topic to talk about. We saw a lot of interest in threat intelligence once again. I think over the last four or five years there were a lot of people that ramped up, realized it was hard, and kind of backed away, so we had a lot of discussion there. My old, you know, drum that I beat about AI not being ML, I had some really good discussions with folks there. And a lot of discussions about, you know, I think people are getting machine learning and understanding it's harder than you think, and that, you know, you really got to commit to it. And people are understanding as it matures what questions to ask.
So I think the consumer is getting smarter about security and machine learning as well.
Do you think we're seeing an overall sort of maturation of the industry?
I agree with you that it felt like things were a little more settled this year.
Yeah, and I wonder, are we peaking?
Are we going to see some shift?
Because maybe this is getting a little bit
tired. There's a lot of fatigue, I think. Everybody's always like, we can't find people
to watch our SOC. We can't find good security professionals. So one thing on that point,
David, I would say, I believe people are wanting us to start as an industry, for lack of a better
description, Apple-fy some of these solutions because they're so technical
and so many of us engineers build them that regular folks either don't care enough or can't
possibly use them. And as an industry, we need to start driving towards that or we're going to lose
people. So you could be a differentiator for folks to really pay attention to that interface design.
That's exactly right. And understand your customer, because you can't be all things
to all people. If you're trying to protect people from pointed attacks, maybe a country,
nation, state, or somebody really trying to penetrate you, and you have a solution for that,
don't try to sell it down market to somebody who just wants to protect their office computers and
then send out invoices at the
end of the month to make some money and run their business. You've really got to understand your
customer, I think. When you look at the show overall and you see people walking around,
when they go home, is there anything particular that you hope they take away from this year's
show? And any words of wisdom? Yeah, actually. So I guess I would point back to people are getting
smarter about, you know, the tech speak and stuff like that.
And hopefully they're walking away with more intelligent questions to ask of vendors or products that maybe they have.
And they're able to pay attention and cut through the noise and really get to what's important rather than being excited about some shiny new object.
All right.
David Dufour, as always, thanks for joining us.
Thanks for having me, David. It's great seeing you.
And joining me now is John Petrik, our CyberWire editor.
John, welcome back.
As we look back at this week here at RSA, what are your thoughts?
What's your overall take on the show?
It was an interesting show, as it always is.
I was struck this year by a somewhat more relaxed tone to the show than what I saw last year.
Last year, I remember being struck by the number of people who were shoving and throwing elbows and thinking that there was an almost palpable tension on the
floor. I didn't see that this year. There seemed to be a calmer, a less concerned atmosphere.
As far as the conduct of the show itself, there were a lot more barkers,
that the exhibit hall sounded a lot more like a carnival midway than I've heard them in the past. The giveaways have changed, that socks are now a
thing. If you need socks, the exhibitors are prepared to give them to you. So those are some
of the things we saw on the floor. In some of the presentations, I think the most interesting
big presentations were the presentation by Secretary Nielsen of the U.S. Department of
Homeland Security. And it's clear that as the senior administration official speaking at the
world's major security conference, she was the one who was delivering the message that the U.S.
has offensive cyber capabilities and is prepared to retaliate against the nation-state cyber attack.
Now, obviously, DHS is not going to be the agency that's going to do the counterattacking. But that was a clear marker being laid down for a new deterrence regime.
And in terms of messages from vendors, evolution of tools, that sort of thing,
was this an evolutionary year? I don't really think I saw anything revolutionary out there.
No, nor did I. I did see some interesting signs of people being concerned about directly addressing some of the
threats that the sector has faced over the past year. There was considerable attention to distributed
denial of service attacks, for example, and how you manage those. That was new. There was the familiar emphasis on the importance of basic hygiene,
that the zero days may get the press and all of the scare stuff,
but the actual attacks are typically carried out
using known vulnerabilities against unpatched systems.
They're being carried out through social engineering.
They're being carried out using very well-understood ways
that organizations can prepare themselves through PARI. So there was a lot of talk of that.
There was an interesting emphasis on the part of some of the vendors on a specific kind of
training, specifically wargaming and exercises of that kind. I had a chance to talk with Chad Gray
of Booz Allen Hamilton about that. That is now a major part of what they offer their
clients. And it's used as both a planning tool and a preparation tool. Also interesting enough,
they see it used as a training tool and even a tool for vetting prospective employees. So that
was an interesting development. There was a lot of attention given to the private sector Cyber Geneva Convention,
where some 34 tech companies, led for the most part by Microsoft,
and Microsoft has been banging the drums for a long time
for some sort of international norms to govern conduct in cyberspace.
So anyway, you've got 34 companies that have signed on
to agree that they will not conduct offensive cyber operations
on behalf of any nation state.
If you look at the list of the companies that signed on for that,
I don't think any of them would have been in that business anyway.
I didn't see any people who were developing attack tools or who were likely to be major contractors
for any government that was interested in conducting offensive operations.
So you might want to take that avowal with a grain of salt.
Facebook was one of the signatories,
and there's perhaps a degree of irony there
since Facebook's data collection has been controversial,
to say the least, over the past year.
If they're serious about supporting the development of international norms,
I think that it's a good idea for companies to take their metaphors seriously.
If you say you want a Geneva Convention for cyberspace, think about what the actual Geneva Convention does.
The Geneva Convention is doing a number of things, but your understanding of them,
heck, anyone who's watched reruns of Hogan's Heroes has some rough appreciation of the Geneva Conventions. The Great Escape was on cable here in the hotel over the
last two nights, so you had a chance to refresh yourself there. But one of the major things the
Geneva Conventions have done is they establish certain norms for the protection of non-combatants, of people who are protected categories. Prisoners
of war, for example, that's the Hogan's Heroes angle, but also civilians, different kinds of
non-combatants. These people have a kind of status and there are rules of war designed to protect
them. There are rules of war designed to protect certain kinds of infrastructure to, for example,
discourage attacks against medical facilities, that kind of thing. And it would be worthwhile
thinking through what you think the conventions would look like in cyberspace, what they should
look like, how you'd like to see them evolve. It's clear, and we heard this at an after party
for Recorded Future, an interesting session they held, in which they had some experts talking about cyber warfare, cyber conflict.
And the point they made, and I think they're correct in this, is that cyber conflict or cyber warfare isn't going to be conducted in a vacuum.
It's not going to be a purely cyber conflict, that cyber tools are going to be used in fighting larger conflicts,
just the way it is not usual to see a purely maritime war or purely land war or purely air
war. You don't see those. What you do see is you see these different domains being
operated in by combatants, by contesting powers. And cyber is one of those.
One of the speakers at that event was talking about one of the more significant acts of cyber war that he had seen in the fight against ISIS was basically the use of intelligence collected
through cyber means for targeting ISIS cyber operators. And so that wasn't a case of hacking back.
That was a case of finding them, identifying them, and then attacking them with a drone
launched Hellfire missile.
So I think that those kinds of things are worth some thought as people think about the
extension of the rules of armed conflict to cyberspace.
John Petrik, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.