CyberWire Daily - Trolling the trolls. Triton/Trisis attributed to Russia. Asset management in ICS. Threat intelligence drives threat evolution. Shadow web-apps. Apple likes GDPR, hates the Data-Industrial Complex.
Episode Date: October 24, 2018. In today's podcast, we hear that US Cyber Command has been reaching out to tell the trolls Uncle Sam cares. Industrial control system security suffers from poor asset management practices. FireEye looks at the Triton malware and says the Russians did it, but of course things are complicated. Are hostile intelligence service hackers superheroes, salaryman nebbishes, or something in between? How threat intelligence drives threat evolution. The risk of shadow web-apps. Apple speaks on privacy. Ben Yelin from the University of Maryland Center for Health and Homeland Security talks with us about the EFF coming out against license plate sharing between retailers and law enforcement. Our UK correspondent Carole Theriault speaks with ESET's Lysa Myers about overcoming the cyber skills shortage and attracting new talent to the industry. For links to all the stories in today's podcast, check out today's Daily Briefing: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
U.S. Cyber Command reaches out to tell the trolls Uncle Sam cares.
Industrial control system security suffers from poor asset management
practices. FireEye looks at the Triton malware and says the Russians did it. Of course, things
are complicated. Are hostile intelligence service hackers, superheroes, salarymen,
nebbishes, or something in between? How threat intelligence drives threat evolution.
The risk of shadow web apps.
And Apple speaks on privacy.
From the CyberWire studios at DataTribe, with your CyberWire summary for Wednesday, October 24th, 2018,
I'm Peter Kilpie, executive editor, sitting in for Dave Bittner, who's taking a well-deserved vacation.
Don't fret, he'll be back in the studio on Monday. The U.S. has begun to reach out directly to individuals
involved in Russian influence operations. U.S. Cyber Command is reported to be direct messaging
trolls engaged in attempts to disrupt elections and otherwise make mischief. The message is simple
and direct. We know who you are, we know what you're doing, and you'd be well advised to knock it off. Observers differ on how effective this will be as a deterrent, but the U.S. indictments
of individual Russian nationals for their role in influence operations give the warning some point,
and it's unknown what other retaliatory operations Cyber Command may have under preparation or
underway. We're hearing in Atlanta at the ICS Security Conference that
there's a growing awareness among corporate board members of the cyber risks to industrial control
systems. That's one of the relatively positive outcomes of the pain inflicted by last year's
NotPetya infestations. Conference speakers express some gratification at the extent to which
traditional risk management framework practices are increasingly being adopted.
Unsurprisingly, they think there's more work to be done, especially with respect to asset management.
Several panelists and speakers told of the many cases of incident response they've seen
in which a company under attack tries to improvise asset management on the fly.
The speakers stress the importance of knowing what you have and what it's connected to.
They also emphasize the importance of documentation and configuration management.
Yesterday, FireEye attributed with high confidence the Triton/Trisis attack against safety systems
in a Saudi petrochemical facility to Russia. The attribution might strictly be one of association
or involvement. FireEye concluded that some of the code was written by the Central
Scientific Research Institute of Chemistry and Mechanics in Moscow, an organization, of course,
operated by the Russian government. Who else may have been involved in the attacks and how they
came to be given the code remain complicated questions. The evidence FireEye cites is of the
convincing circumstantial variety, code written using Cyrillic characters, its preparation
coinciding with Moscow office hours, an apparent handle linked to a known Russian individual,
IP addresses, etc. That the Institute has the capability to prepare code like Triton/Trisis
seems clear. Industrial cybersecurity firm Dragos, in a presentation at the ICS Security Conference,
described Xenotime, the threat actor
behind Triton/Trisis. They emphasized the disturbing news that cyber attacks were now
designed to kill. Dragos CEO Robert M. Lee offered some encouragement when he cautioned people
against forming a picture of the attacker as hyper-confident and effectively invincible.
Instead, he argued, remember that bad actors make mistakes too, quote, just like you, unquote. They certainly
did with Trisis. Their attack on safety systems shut the facility down twice, which wasn't their
intention. They wanted to operate in an unsafe mode. Lee suggested an alternative picture of the
industrial control system hacker. They're 18 to 30 years old. They're in their first government job,
and they're dealing with management and PowerPoint, quote, just like you, unquote.
A study by cybersecurity firm Cylance concludes that threat intelligence, while itself a good thing, also drives bad actors to improve.
In a study they call Whack-a-Mole, released yesterday, they describe the ways in which surveillance tools sold to repressive regimes are tweaked and reused after they're publicly burned. The stories they follow concern Promethium spyware, also known as
StrongPity, which was exposed in a Citizen Lab report. Promethium has since returned. Its
indicators of compromise may no longer appear, but rest assured it's just a dodge. They're back and
in an evolved form. As the report puts it, quote,
minimal effort and code changes were all that were required to stay out of the limelight.
Cylance observed new domains, new IP addresses, file name changes, and small code obfuscation
changes, unquote. CSO Magazine, in their account of the whack-a-mole study, points out the complexity
that the, quote, mercenaries, unquote, introduce into the matter.
Those mercenaries may not just be the Russian mob or a university-affiliated research institute in
Moscow. It could be a Western company that dabbles in the lawful intercept field and associated
markets. Italy, Canada, Israel, and Germany, says CSO, seem to be particularly tolerant of such
activity. Shadow IT has long been a matter of concern to enterprise security officers.
High Tech Bridge, in a report released this morning, says there are other worrisome shadows out there.
Abandoned, shadow, and legacy web applications remain a threat to both enterprise security and business compliance.
Information sharing among public and private organizations is often praised as a way of enhancing security,
but it also raises concerns about privacy.
Ben Yelin from the University of Maryland Center for Health and Homeland Security talks about the issues the Electronic Frontier Foundation has with license plate sharing between retailers and law enforcement.
We'll hear that interview from Dave after the break.
And I'm pleased to be joined once again by Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
We saw some information come by from the EFF, the Electronic Frontier Foundation,
and they were taking issue with some private companies, I believe some shopping malls,
that were sharing license plate information with law enforcement.
What was getting their dander up here?
So this is a company based in Irvine, California,
a private real estate company that was collecting people's license plate numbers
using what's called automated license plate readers, ALPR.
And they claimed that they were only doing this at a
limited number of their shopping centers. Now, the legal problem here is that they were submitting
the data to Vigilant Solutions. They are a contractor who deals with state and local law
enforcement agencies. And of course, a main civil libertarian concern is that identifying information will be submitted to
Immigration and Customs Enforcement and could potentially be used in deportation proceedings.
So if the government was trying to track a person down, they could search a large database,
which would contain a bunch of different license plates numbers and would be able to at least
identify whether that license plate had been at a given location and that can help in their investigative process. So the company says
that the data was only used for limited purposes, wasn't being transmitted to a larger government
database of license plate reading information. It was only being used to be sent to local law enforcement
to enforce the rules and regulations of the three malls that were under surveillance.
EFF went and actually looked at the terms and conditions and the usage of privacy policies
of that company. And they affirmed that the company was not representing what they would
do with that data. EFF is claiming that the privacy policies are very, very broad,
that they are allowed, according to their own policies,
to send collected license plate data to a searchable database
accessible by multiple law enforcement agencies.
And by multiple law enforcement agencies,
that can include everyone from local police, state police,
to federal organizations like the DEA and Immigration and Customs Enforcement.
So this is a major Fourth Amendment concern because even though people are exposing their
license plate to the general public, and thus, according to our Fourth Amendment jurisprudence,
they don't have a reasonable expectation of privacy in that information. I don't think most of us would expect a private contractor to store our license plate
and send it into a giant database accessible by all different types of law enforcement agencies.
So I think it's a big civil liberties concern. Now, what about just from a practical point of
view, the mall, you know, you go to your local mall and a lot of times you'll walk in and you'll see they have rules of civility and things like that.
When you're a guest in our mall, this is private property and here's what we expect of you.
This seems to me to be a different thing of that. ocean of a EULA with a mall, would they have to post it at the entrance or everywhere where you
might drive in that, hey, your license plate might be scanned here? How would that work?
I mean, they already have their rules and regulations about telling people that they're
being surveilled in other ways. So I'm not sure exactly what this California civil code is on
this, but I think they're required to post signs on the premises of a piece of property that uses simple video surveillance.
So I think the same logic would apply here.
California code specifically relating to license plate identification says that there has to be a notice to the consumer.
You know, what the EFF is alleging is that the company has not given proper notice.
And once people are aware that that technology not only exists, but potentially could be used in law enforcement investigations, then they would at least have some agency to decide whether to make themselves public.
I think the fact that most people don't really realize that that technology exists, that license plate readers can very quickly and efficiently collect license plate identifying information and put it in a giant database. I think that's really the nature of the concern.
No, it's fascinating.
Ben Yelin, thanks for joining us.
Thank you.
Apple CEO Tim Cook has called for a comprehensive U.S. privacy law.
Speaking in Brussels this morning, he said that the effects of the EU's GDPR have been positive,
and he expressed the hope that the U.S. would follow suit with comparable regulation.
Apple, of course, has long differentiated itself from other Silicon Valley tech giants by its
public commitment to privacy. Apple sells devices, not data, which would be the basic
product of companies like Google and Facebook. Mr. Cook would like everyone to understand that.
He famously pointed across Silicon Valley in the general direction of Google and said,
quote, if you're not paying for the product, you are the product, unquote.
Cook also strongly reiterated the company's longstanding opposition to any weakening or
subversion of device encryption. Giving governments easy access to people's devices is a threat, he maintains,
to basic rights to privacy. Not everyone, he notes, may feel that way, especially those in
what he called the, quote, data industrial complex, unquote. If you talk to recruiters
and HR professionals, they're likely to tell you that they can't find nearly enough qualified people to fill their open jobs in cybersecurity.
And if you speak with recent graduates, you're likely to hear how tough it is to get your foot in the door, to get that first big break.
Our UK correspondent, Carole Theriault, caught up with ESET's Lysa Myers to explore this contradiction.
At the recent VB 2018 conference, Lysa Myers, a security researcher for IT security firm ESET, presented a paper called "Where Have All the Good Hires Gone?" Lysa says that much ink
has been spilt on the subject of how difficult it is to hire and retain people for these positions.
I got a chance to catch up with Lysa to find out more about this problem and to see what she thinks can help solve it.
So first off, can you tell me a bit about what led you to look into this problem?
Well, it's kind of a personal one for me.
I mean, I've been in this industry for 20 some years now, and I have heard a lot of people, well, complain basically about the hiring process, both people who are trying to get into the industry and people who are more experienced and being recruited or trying to get other jobs.
Right, because I don't understand the skill shortage, because I keep reading about people who find it impossible to get into the industry. It's like they want to work in cyber,
but the doors seem closed to them. Yeah, it's absolutely true. The thing that I hear over and
over again from people is that there are very few truly entry-level jobs. There's an expectation
that you'll be coming into your first entry-level job with certification or a degree and certification, which somehow magically
has several years of experience as well. So it's like a catch-22, you're saying. It's like
the entry positions demand skills, and how do they get those skills?
Exactly. A lot of what needs to change happens on the side of hiring managers and organizations.
There's a lot we're doing right now of having unrealistic expectations of people
and setting up these catch-22s or finding arbitrary hurdles that exclude people who
have both interest and inclination in getting into this industry.
Finding those people with interest and inclination and then asking them to agree to get a certification after they get hired, or training them in house,
or, you know, partnering with organizations that do train people specifically on tech or
cybersecurity skills. Yeah. And do you find that kids, for example, in high school are actually
interested in coming into this industry,
the industry of cybersecurity? Oh, yeah, absolutely. We have an event every year
called Cyber Boot Camp. And we interact with middle school and high school kids. And they have
even the ones who come in thinking that they don't necessarily want to go into a job in this industry
end up really motivated. And a lot of them do change their minds and think, oh, you know,
this actually could be a really cool thing to do for a job.
Right. So there's kind of maybe some onus upon us in the industry to get the word out that it's
actually fun. It's a great industry to work in. I mean, I've worked in it for almost as long as
you have. And, you know, we're still here.
I think some of the problem, too, is how this is taught. General thinking with teaching is that
you want to tie it into kids' interests and their knowledge that they already have. And computer
science, when it isn't taught in school, it tends not to focus on the fun aspects or things that
might interest the kids. And so it kind of reinforces the idea that it's this boring and
lonely thing. People like you and me who've been in this industry for a while know that computing
is a lot of fun. It's a great tool for doing other fun things as well.
Right. So you're basically saying we need to think outside the box about how to recruit
new talent to this industry, because technology certainly isn't going anywhere fast.
Exactly. And it really benefits everybody to have a really diverse background. But,
you know, people who come from different socioeconomic backgrounds, or different cultures, or different neurotypes, or, you know, abilities, all these things are what make up the
population. And those are the people who use our products. And so by having
a representative group of people who are making the products, we're better able to make the
products work well for the people who we want to use them. That's a really good point that a
heterogeneous environment is really good for the industry. One of my favorite security researchers
actually had a degree in philosophy when he first came into the industry. Yeah, my background is kind of very unusual as well.
Like I was that kid who took so many art classes that they had to have an intervention to make me
take something a little bit more balanced. And I was a florist before I started working in computers,
which it seems about as opposite as you can get. But the way that I did things was different enough from my coworkers that I was able to see some things that other people didn't because I have such a different background.
Lysa, thank you so much. This was Carole Theriault for the CyberWire.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.