CyberWire Daily - ShadowBrokers frustrated with the peoples. Callisto Group was active against UK Foreign Office. US DCI denounces WikiLeaks as a hostile intelligence service. Surveillance vendors said willing to deal with pariah regimes. Weaponized memes.
Episode Date: April 14, 2017
In today's podcast, we hear that the ShadowBrokers are fed up with all of you peoples. The Callisto Group spearphished the UK's Foreign Office last year. The US DCI calls out WikiLeaks as a hostile intelligence service. Lawful intercept shops alleged to be willing to deal with pariah regimes. University of Maryland's Jonathan Katz discusses Google's unfulfilled promise of end-to-end encryption in Gmail. Ajit Sancheti from Preempt Security explains the tension between security and human nature. NATO insiders would like to see the Atlantic Alliance weaponize memes.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Shadow Brokers are fed up with all of the peoples.
The Callisto Group spearphished the UK's Foreign Office last year.
Lawful intercept shops are alleged to be willing to deal with pariah regimes.
The U.S. Director of Central Intelligence calls out WikiLeaks as a hostile intelligence service.
And NATO insiders would like to see the Atlantic Alliance weaponize memes.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, April 14th, 2017.
Attention must be paid, right?
I mean, Willy Loman said so in Death of a Salesman.
Anyway, the attack code salesman over at the Shadow Brokers
seemed to be in a Willy Loman-ish mood,
and they're pretty sore at all of you peoples who haven't been taking them seriously enough.
Their latest dump is of Windows exploitation tools,
mostly effective against older versions of the Microsoft operating system that continue to be in use.
Some of the material released appears to indicate some interest in banking information.
Researchers are generally impressed with what the latest batch contains,
but the brokers themselves are feeling like a barker hustling in the wilderness as they hawk their purported NSA Equation Group wares.
They say, and we quote from Motherboard in a cleaned-up sort of way that nonetheless preserves
the spirit of the brokers' diction, quote, this week the Shadow Brokers be thinking F peoples.
Follow the links for new dumps, Windows, SWIFT, OddJob. Oh, you thought that was it? Some of you peoples is needing reading comprehension.
In fairness to all you peoples, the script writer who's preparing the Shadow Brokers' communiqués
isn't exactly making reading comprehension easier,
but give them props at least for fluency and demotic American cussing.
One might say some of those peoples is needing remedial composition,
but perhaps we shouldn't quibble.
Maybe the brokers are referring to the leaks,
which we hear include some well-written PowerPoint presentations.
Reports late yesterday from the BBC and the Times of London
said the British Foreign Office was spearphished in 2016 by the Callisto Group.
It's not believed the espionage
campaign, for espionage it was, succeeded in discovering anything particularly sensitive.
Reports on the incident are based on a study of the Callisto Group released yesterday by
Helsinki-headquartered security firm F-Secure. As usual, F-Secure is coy about attribution,
but they do tease with informed speculation that Callisto is connected to a nation-state.
The espionage group has used infrastructure connected to actors in China, Ukraine, and Russia, but also to criminal organizations dealing drugs and other contraband.
The Callisto Group seems most interested in the near abroad, especially Eastern Europe and the Caucasus, but the incursion into Foreign Office networks indicates that they have broader interests as
well. F-Secure also notes similarities in technique to APT-28, aka Fancy Bear, aka the GRU,
so signs both criminal and technical tend, as the headlines have been saying, to point toward Russia.
The payload Callisto's phishing emails delivered was, according to F-Secure,
the Scout tool from Hacking Team's RCS Galileo program.
Hacking Team, of course, is the lawful intercept shop that's been involved in controversy over its alleged willingness to sell its tools to unsavory and often unsanctioned governments.
Other such companies have also come under criticism
for allegedly showing readiness to deal with sanctioned regimes.
Al Jazeera late Monday broke an investigative story
in which a reporter posed as a representative of Iran and South Sudan
in the market for surveillance tools.
The network claims that two Italian companies, IPS and AREA,
signaled willingness to deal without appropriate measures taken to ensure that products didn't reach prohibited end-users
through, for example, donation, resale, or trans-shipment.
A third company, Chinese outfit Semptian, was willing to sell surveillance products
without any curiosity about who the end-user might prove to be.
AREA subsequently told Al Jazeera that it, quote,
works with the relevant governments to ensure the proper export and legal use of our equipment,
end quote.
U.S. Director of Central Intelligence Pompeo had some harsh words for WikiLeaks yesterday,
calling Mr. Assange's organization a non-state hostile intelligence service,
and Mr. Assange himself a narcissist who has created nothing of value.
The operation, Pompeo argued before the Center for Strategic and International Studies,
provides an implausibly deniable fig leaf for the Russian intelligence services,
at best a fellow traveling useful idiot if not an active agent of influence.
WikiLeaks, of course, has recently been dumping CIA-focused documents from its Vault 7,
with more expected. The reaction to the Vault 7 dumps has been not as strong as many would have expected, since the documents, for the most part, reveal what everybody knew already.
The CIA's mission is foreign intelligence. Much of this conflict
lies in the realm of influence operations as opposed to hacking proper, and some within NATO
would like to weaponize memes, trolling both ISIS and the Russian government. Doing so is easier
said than done, and some recent NATO and U.S. State Department attempts along these lines have
fallen flat with reviewers, particularly when they attempted humor, sarcasm, or snark.
So there's work to be done on the boffo marketing of ideas.
Several suggest the U.S. president's tweets might contain some useful how-to examples.
He seems to be trolling North Korea's Supreme Leader Kim Jong-un.
Anyway.
Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, saw a story come by on Wired recently. The headline was, "After Three Years, Why Gmail's End-to-End Encryption is Still Vapor." Take us through this story.
Well, basically, Gmail had announced several years back that they were working on getting end-to-end encryption working for their Gmail.
And basically, what end-to-end encryption means is that it's encrypted
from the sender of the email to the recipient. And so that even Google itself would not be able
to read the contents of the email. And so people had gotten really excited about this and were
looking forward to seeing that come out. And I guess just recently they came out with an
announcement saying that they were essentially going to be giving up the project internally,
but instead making it open source and leaving it for the open source community to go ahead and further develop that code.
There are certainly, you know, many products out there that tout the fact that they have
end-to-end encryption. Why do you think it's particularly challenging for someone like
Google to implement it?
Right. I guess you're speaking in particular about apps like Signal that can do end-to-end
encrypted texts, for example. And I think the issue is that email is a little bit more complicated,
in part because of the fact that it's a legacy protocol that's been around for a long time.
But also, as a consequence of that, Gmail needs to be able to interoperate
with people who might not be using Gmail to read their mail, right?
So if a Gmail user is sending a mail to, I don't know, a Yahoo
email address, then somehow, you know, Google has to be able to interoperate with them and make sure
that their protocol still works. And that introduces some complexities that maybe aren't
there in a more closed system where you have, you know, the Signal app, for example, only
communicating with other users of that app.
With this project going open source now, what are the odds that it'll actually be turned into some sort of workable solution?
It's hard to say, of course.
I think certainly this is a little bit disappointing, right?
If Google puts their mind to it, they can, you know, and if they're willing to put the resources behind it, then this is something that I think certainly they would be able to do.
Throwing it out there for people to work on who are not going to be paid for what they're doing, it's just unclear, right?
It's just unclear who's going to pick that up and who's going to use it,
and who's going to work on it, rather.
And then it's unclear also, right?
If somebody does develop it, there has to be some measure of trust involved,
because if people don't know who that developer is,
and they don't trust the quality of their code,
then other people just may simply not use it.
So it's really unclear at this point what's going to happen,
but it is disappointing,
and it does seem to make it less likely that this will come to fruition.
All right, Jonathan Katz, thanks for joining us.
My guest today is Ajit Sancheti.
He's the CEO and co-founder of Preempt Security,
where they say they deliver the industry's
first behavioral firewall to protect enterprises from security breaches and malicious insiders.
He maintains that one of the fundamental issues cybersecurity professionals need to face
is the inherent tension between security and human nature.
Cybersecurity for most people is not a productive task. It's something that inhibits business.
And most of the time, humans by nature are trying to do their job.
They don't always think about whether it's going to be secure or insecure.
We have an innate notion of what's ethical and what's not ethical.
But generally, when it comes to security issues, we're not that trained to do it.
And so we're usually trying to get our job done.
And sometimes we find out that we did it in a manner that was insecure. If you think about the analogy, it's not a direct analogy, but when you're sitting and watching a TV show about being healthy and eating healthy foods, suddenly some ad comes on and says you can sit on your couch, and we have this little band that goes around your waist and you lose all the belly fat. And what do we do? We remember that, because that's an easy way to get where we want to get to, not through the diet, the exercise that we want to. And even when we're in the enterprise, we're looking for easy ways to get our job done because we think it'll be quicker, it'll be more efficient, we can get on to the next task. So humans by nature have always evolved to do things quickly. And the problem is nowadays it has impacts on the security posture of an enterprise.
I've heard people sometimes refer to IT as the department of no. People will say that, you know, it's easier for me to do the thing, even if I'm unsure that that thing might not be the right thing to do from a security point of view. I'm going to get my work done faster if I go ahead and do it, maybe get my hand slapped later, rather than having to go check with IT and probably be told no?
It's because of the posture that the two sides have taken. I think that's the challenge: we think that IT is the department of no, and IT thinks that people are
always going to do the wrong thing. We actually have to change that behavior. You have to consider
that these employees and these people are not the weakest link. You have to enable them, make them part of the security posture, and then you will have fewer incidents.
Because when people are aware, they tend to make better choices.
How do you promote a collaborative culture between the systems users and the IT folks?
Yeah, so that's a very good question.
One of the things we set out to do, which is as you're doing your job, for example,
you are working and one day you suddenly access three new servers. You access them with the credentials of the person sitting next to you because you didn't want to go to IT and get
permission to access those servers. Well, somebody gives you their credentials, you log in from your
endpoint, and you get your job done. But what you've just done is now that person's credentials
show up on your endpoint,
and if you're compromised, two people's credentials are exposed to some hacker.
So what if, when you were trying to access these servers,
suddenly the system prompts you and says,
well, you're trying to access the server from an endpoint that we haven't seen before.
Are you sure this is what you wanted to do?
As soon as you see something like that, well, you can verify your identity,
or you can say, okay, this is not what I wanted to do.
But what happens is now you're aware that whenever you do something that's unexpected, whenever you do something that's insecure, somebody is looking at it, somebody's
prompting you to and asking you to verify what you're doing, you will do less of it. I'll give
you another example. You have privileged users, which are the users that most hackers are trying
to get to, the credentials. You have a privileged user who's gone out for a party.
He's at a family, a friend's place, and suddenly there's an issue to be handled,
and he needs to log in to resolve it.
What does he do?
He usually takes his privileged credentials and logs into a laptop that he finds and tries to get the job done.
But what if the system suddenly tells him, well, you used privileged credentials.
You're coming in remotely.
You're coming from an endpoint that's not managed by us, our business. We're not going to let you do it. Now, suddenly,
he becomes aware that this was being tracked in real time and preventing him from doing it.
So the more we start to engage the users and say, this is what you're doing and this is why it's different, the less they're going to do of it.
What about the notion of the carrot versus the stick? I think to a lot of people, they think the only time IT comes knocking on my door is when I've done something wrong.
Ah, that's a really, really good question.
We see that quite often,
almost like, should I be put in a penalty box
because I did these things that were insecure?
And there are enterprises starting to talk about that, where they say, for example, a phishing email came in, you clicked on that phishing email, your risk level is high. We don't know if you've been compromised, but for the next three days you don't get access to these sensitive servers. That is happening today in enterprises, where they want to penalize people for doing things like that. You know, it can get really bad. The extreme financial services organizations can even say it'll impact your bonus because you're compromising the integrity of our business.
But that's really on the other extreme. But we are seeing people say that there is an impact
on what your risk does to what you can access and how quickly you can access it. Now, you can call
it a carrot and stick policy, but the stick there also can be of different kinds, right?
You can grade it.
You can say, well, we're not sure you've been compromised, so we may block you from accessing this resource,
or we may force you to do verification of your identification multiple times during the day,
just so that we know that you are who you say you are, and you're going to have to do it on your phone, for example.
It doesn't all have to be an extreme situation where, if you do something wrong, you're going to be restricted in many different ways. You can actually have many different kinds of responses. You can also take away somebody's remote access privileges if they do things that are insecure outside of the enterprise network. So it is a carrot and stick policy, and mostly stick, less carrot. You can make it more or less severe depending on the kind of infraction.
If you come at it from the other direction, how can you reward people for doing the right thing?
What we're seeing, in fact, is gamification driving some of this. So I've seen a bank, actually a bank that has, I think, eight million customers, it's a pretty big bank, and what they've done is, for their internal employees, they're using scores. And if you hit a certain score in your department, or if you hit a certain score in your organization, they get things like Starbucks cards, little reward cards, twenty dollars, fifty dollars, and they're making it very public that somebody got this for what they did from a security standpoint.
So these are little, little things, but they found that the impact was much higher than
they expected in a positive direction.
Because people really want to be recognized, especially for something as nebulous and as
hard as security.
It doesn't take much of the organization.
I think the biggest challenge there is mostly cultural
because some organizations don't want to do something like that.
They don't want to reward the behavior that they think
has to be part of your job.
I don't believe that that's the right way to look at it.
We have to get them to be part of the security program.
And when you do that, you're going to find benefits
that you didn't expect.
And they're going to be nonlinear benefits for an enterprise if they did that.
That's Ajit Sancheti from Preempt Security.
And that's the Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.