CyberWire Daily - Russia Spy Files from WikiLeaks. Disinformation and influence operations. Equifax sustained a breach in March. Software supply chain issues.

Episode Date: September 19, 2017

In today's podcast, we hear that WikiLeaks is shocked, shocked, to learn that there's gambling…uh, we mean, Russian surveillance going on. Advice from Ukraine about influence operations. The Equifax story may have gotten worse—there may have been an earlier breach in March. Software supply chain issues come up in an Avast backdoor. Awais Rashid from Lancaster University on security being the responsibility of everyone in an organization, not just the IT folks. Mike Kail from Cybric on the DevSecOps trend. Industry notes, and the "Unlucky 13," presented by Johns Hopkins.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 WikiLeaks is shocked, shocked to learn that there's gambling, actually, Russian surveillance going on. Advice from Ukraine about influence operations. The Equifax story may have gotten worse.
Starting point is 00:02:09 There may have been an earlier breach in March. Software supply chain issues come up in an Avast backdoor. Industry notes and the Unlucky 13, presented by Johns Hopkins. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 19, 2017. Here's something out of the ordinary. WikiLeaks has posted documents purporting to describe the Russian state surveillance apparatus and some of its operations. This dump, which they're calling Spy Files Russia, has received a very mixed reception, which we'll discuss in a moment. Spy Files Russia's central revelation, if revelation it be, is that Russia conducts mass surveillance and that a company in St. Petersburg, Peter-Service, is a contractor for Russian state security services.
Starting point is 00:03:03 The former revelation should come as no surprise to anyone. What the documents purport to show about Peter-Service is perhaps more interesting. The company was established in 1992, initially as a billing solution vendor. It evolved into a significant supplier of mobile telecom software. The story Spy Files Russia tells about Peter-Service and Russian intelligence has literary parallels with the things Edward Snowden leaked concerning U.S. activities. Here's why Spy Files Russia has received a standoffishly skeptical reception. WikiLeaks has long looked to many observers like a Russian cat's paw.
Starting point is 00:03:42 So why this dump now? Some read it as a refutation of the Russian connection, which may be what Julian Assange's organization intends. Many others, however, see it as dragging a red herring across a path that leads back to Moscow. What better way to deflect such suspicions than by tossing out some anodyne wolf meat? Some lessons on how to wage information operations come from Ukraine,
Starting point is 00:04:07 as Germany continues to look for the signs of Russian activity they've long expected as they prepare for Sunday's elections. The Ukrainian observations, reported in the Voice of America, come down to the conclusion that fighting propaganda with propaganda, disinformation with disinformation, is ultimately a mug's game. Students of Russian activity and its hybrid war against Ukraine and its influence operations against the West say that the best answers to these increasingly sophisticated active measures that blend truth with fabrication are fostering a more critical approach to media
Starting point is 00:04:42 among the general public while simultaneously encouraging and enabling serious journalism. And of course, they think blocking Russian television isn't a bad idea either. In other news on state-sponsored cyber operations, North Korean cryptocurrency raids draw more attention as Pyongyang looks for fresh sources of revenue. Chinese intelligence services are now being considered possible suspects in the cyberattacks against Scotland's parliament. And from the company's perch in Mountain View, California, a senior Google executive says they think of the US NSA as a nation-state threat actor. You're likely familiar with the notion
Starting point is 00:05:23 of adopting a DevOps software development process and the advantages it can provide when it comes to communication and collaboration. But what about security? Mike Kail is chief technology officer at Cybric, and he makes the case that DevOps should transform into DevSecOps. So I think if you look at the megatrends of digital transformation, cloud migration, the move to containerization and this notion of the rise of the developer and the developers have more power within an organization because the application economy is really what's driving revenue. So developers are incentivized to deliver features at a much higher velocity. And that's powered by the adoption of DevOps culture and the core tenets of collaboration, automation, measurement, and sharing. And meanwhile, security has kind of been left behind or off to the far right.
Starting point is 00:06:21 So they're still kind of ingrained in manual processes and disparate tools. And what really needs to happen in this cultural transformation is what we're calling shifting left. So how do we bring security into that collaborative DevOps, DevSecOps pipeline and conversation? We can't keep trying to scale out cybersecurity engineering talent and human capital. There's the well publicized shortage of engineers that's just growing. So then it's taking an automated, orchestrated platform approach to this. So now taking all these disparate tools and powering them with a true automation platform to then free up the security engineers to do higher order work and be much more close to the development
Starting point is 00:07:05 lifecycle and the developers themselves. What do you suppose is the driving force behind the need for this shift? CIOs and CISOs have lost visibility. So as the security perimeter has dissipated and applications have migrated or been greenfield in the cloud, they've lost visibility around the security controls of that. There's no hardware device that can now protect a cloud application. And so you have to have different newer software constructs
Starting point is 00:07:37 to provide that visibility. In conjunction with that, you have hackers attacking your application and infrastructure continuously. And the current view or current way of security is doing periodic tests instead of continuous. So we have to level the playing field against the hackers. And hackers only have to get it right once. We as defenders have to be right and secure all of the time. The only way to really give that assurance is take a continuous approach and try to find vulnerabilities and software defects earlier and earlier in the
Starting point is 00:08:11 development lifecycle. And so looking forward in a perfect world, in an ideal world, how would you see this playing out? So in an ideal world, there's the cultural transformation, like I talked about, that the security team is collaborating with the development and DevOps teams and trying to work towards this common framework of continuous security assurance. To do that, you have to do this testing continuously, as well as correlation and looking at the global threat feeds and in different stages of the vulnerability. If you look at the classic stance of defense in depth, apply that to the SDLC. So looking for defects at the code commit level, at the CI build, and then at the delivery, and correlating all those results and having this measurement of continuous assurance. This is a cultural change, and that's harder than technology.
Starting point is 00:09:07 Technology is much easier to be adopted, and, you know, it's about changing hearts and minds versus, you know, here's this new cool technology. That's Mike Kail from Cybric. We're at the fourth annual Cybersecurity Conference for Executives on the Johns Hopkins campus today. We'll have full coverage later this week, but Anton Dahbura, director of the Information Security Institute at the Johns Hopkins University's Whiting School of Engineering, set the day's agenda by reviewing what he calls his unlucky top 13 list.
Starting point is 00:09:41 These are, in reverse order with a hat tip to David Letterman. Number 13, the announcement in March of the Apache Struts bug's discovery. Number 12, scams and thefts plague new cryptocurrencies. Number 11, Kaspersky security software is booted from U.S. government systems. Number 10, discovery of Apple's questionable use of differential privacy. Number 9, Apple's iPhone X with Face ID. Number 8, the U.S. Navy investigated possible cyber causes of the USS McCain collision. Nothing found, but it's interesting to see that cyber forensics are now a routine part of major accident investigations.
Starting point is 00:10:27 Number seven, ultrasonic hijacking of Siri and Alexa devices was demonstrated. Number six, BlueBorne, a Bluetooth vulnerability, is discovered. Number five, new flaws were found in D-Link routers. Number four, ExpensiveWall Android malware charges users for fake in-app purchases without their knowledge. Number three, bugs are found in German voting software. Number two, Symantec finds that hackers have gained direct access to at least 20 power companies. And the number one item in the Johns Hopkins University
Starting point is 00:10:55 unlucky top 13 list, of course, Equifax was breached. The central lesson he draws from these, and which he commends to his conference, is that we need a serious national conversation about a national identity system. Speaking of Tony's number one unlucky 13, the Equifax breach, there are developing reports that Equifax learned of a major breach back in March. The company has said that breach is unrelated to the Apache Struts exploit the company disclosed the week before last. As Bloomberg primly put it,
Starting point is 00:11:30 the revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. The U.S. Department of Justice is said to have opened a criminal investigation into the stock sales. It seems clearer that Equifax was aware of the Apache Struts vulnerability, and the patch was available for the bug. The credit bureau is seen by some as finally getting a handle on its messaging, but the breach is drawing more lawsuits.
Starting point is 00:11:58 And of course, the acknowledgement that there was another earlier breach has caused them further problems. Mandiant, the FireEye unit, is said to have been brought in at the time of the first breach. It's also been engaged to help mop up the second, more recent incident. The compromise of Avast's CCleaner with a backdoor prompts discussion and concerns about software supply chains. In industry news, ManTech has bought InfoZen for $180 million. Threat Stack has raised a $45 million investment. And the U.S. Senate attached an amendment to the defense authorization bill banning Kaspersky products.
Starting point is 00:14:37 And I'm pleased to be joined once again by Professor Awais Rashid.
Starting point is 00:15:45 He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, welcome back. I think particularly with larger organizations, sometimes there's a tendency for people to think that the job of cybersecurity belongs to the folks in IT. But you want to make the point that it's really more complex than that. Indeed, I think, particularly in large organizations, there are cybersecurity teams or IT security or information security teams, and they do a great job at protecting the infrastructure and information in the organization. But equally often, other employees in an organization think that it is really their responsibility to deal with security. However, it is, in fact, everyone's responsibility. When I sit on my computer and an email comes through and I click on an embedded link, I am implicitly making a security decision. I'm making a judgment, knowingly or unknowingly, that it's safe for me to click on that link. And someone
Starting point is 00:16:42 else sitting in procurement procures some third-party service or some hardware. They are implicitly making a judgment. And you can see this in all our work practices. The key thing is that the world is very highly digitally connected. We bring our devices into our workplaces. We interact with others outside our organizations using computers or other electronic devices. And every time we do something, we are implicitly making at least security risk decisions, if not
Starting point is 00:17:11 concrete security choices. And as a result, the only way in a modern organization, which doesn't want to use the model of battening down the hatches, so to speak, and keeping everybody out, because that way you would do no business with anyone elsewhere in the world, then there really is an important need to have cybersecurity culture. It has to be an ingrained practice. Of course, the key challenge is how do you actually raise awareness amongst various employees in the organization and bring it to the fore that security is everyone's responsibility. Do you think there's perhaps a false sense of security where people think,
Starting point is 00:17:49 well, if I click on this link, surely the folks at IT have tools that will protect me from anything bad happening? Yes, I think it's quite interesting to understand. And I think it's a big research question. And some people have explored these kind of issues as to what are the users' mental models of security and how do they perceive particular activities in their day- could also be that they think no harm can come from it, because what valuable data might I have on my computer? But the point is, many times the mental models do not fully relate to the network setting in the organization. And as a result, there is often not a clear understanding on part of
Starting point is 00:18:43 users that their actions actually have a much, much wider impact. And I think we can do a lot in communicating better to users, but also making things easier for them in that regard so that they don't have to understand all these complexities when they make decisions. Yet they have awareness of the impact of their decisions on the overall security of the organization. All right. Awais Rashid, thanks for joining us.
Starting point is 00:19:48 And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.