CyberWire Daily - US National Cyber Strategy. New sanctions. GCHQ beefs up Russia unit. Cryptocurrency heist. Hacking Senatorial Gmail. Crime and punishment.
Episode Date: September 21, 2018

In today's podcast, we hear about the US national cyber security strategy, and developing international norms, calling out bad actors, establishing a credible deterrent, and imposing consequences are important parts of it. The State Department blacklists thirty-three Russian bad actors. GCHQ is standing up a 4000-person cyber operations group to counter Russian activity. A cryptocurrency heist in Tokyo. Hacking Senatorial Gmail. And some notes on crime and punishment. Emily Wilson from Terbium Labs on Dark Web exit scamming. Guest is Tanya Janca from Microsoft on her OWASP DevSlop project.

Extended interview with Tanya Janca - https://www.patreon.com/posts/21559930
OWASP DevSlop show on Twitch - https://www.twitch.tv/videos/307974412
For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_09_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. has released its national cybersecurity strategy, and developing international norms, calling out bad actors, establishing a credible deterrent, and imposing consequences are important parts of it. The State Department blacklists 33 Russian bad actors. GCHQ is standing up a 4,000-person cyber operations group to counter Russian activity. There's a cryptocurrency heist in Tokyo. Our guest today is Tanya Janca from Microsoft. She shares her OWASP DevSlop project. Some senators have seen their Gmail hacked. And we've got some notes on crime and punishment.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 21, 2018.
The U.S. has released its National Cyber Strategy.
It puts an emphasis on deterrence, as described by National Security Advisor John Bolton.
The strategy has four pillars.
Protect the American people, the homeland, and the American way of life.
Promote American prosperity,
preserve peace through strength, and advance American influence.
Each pillar is explained in terms of specific measures.
These pillars are those that appear in the larger national strategy.
The cyber strategy outlines how cybersecurity, policy, and operations will serve the four pillars.
Thus, the strategy is committed to, first, defend the homeland by protecting networks,
systems, functions, and data.
Second, promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation.
Third, preserve peace and security by strengthening the United States' ability,
in concert with allies and partners, to deter and, if necessary, punish those who use cyber tools for malicious purposes.
And fourth, expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.
The pillars are preceded by an introduction offering an answer to the question,
how did we get here? That answer calls out by name Russia, Iran, North Korea, and China,
describing them as repressive regimes that exploit open societies and systems while remaining themselves largely and self-consciously closed. Terrorists and
criminals are named along with these four adversaries as
representing threats to American interests in cyberspace. The introduction says in its discussion
of the way forward that responding to these threats will be consistent with commitment to
an open internet and more importantly to such enduring values as belief in the power of
individual liberty, free expression, free markets, and privacy.
The priority actions outlined in the third pillar,
the peace through strength section of the strategy,
are first, lead with objective collaborative intelligence,
that is, objective actionable intelligence
that will lead to clear and credible attribution.
Second, the strategy promises to impose consequences that will be swift and transparent and imposed in collaboration with allies.
Third, the strategy declares its intention to build a cyber deterrence initiative,
also in cooperation with like-minded states committed to emerging international norms.
And fourth, the United States will be committed to
countering malign cyber influence and information operations,
including propaganda and disinformation from both state and non-state actors.
Domestically, the strategy has been generally well-received by those who've commented on it,
notably including experts who worked in the previous administration.
They and others see both continuity and evolution toward a clearer, more active policy in cyberspace.
The strategy has been linked with other official declarations of policy
that have been generally regarded as taking the gloves off U.S. Cyber Command
and other Department of Defense organizations with respect to offensive cyber operations.
In one early example of the sorts of consequences that will be imposed,
the U.S. State Department announced that 33 Russian individuals and companies
would be blacklisted for what Foggy Bottom characterizes as malign activities.
Most are connected with Russian security and intelligence organs.
These consequences are to some extent an exercise in making the rubble bounce,
since a lot of those sanctioned are already under sanction,
but in such matters there is a serious sense in which it's the thought that counts.
Seriously.
Over in the United Kingdom, the Ministry of Defense and GCHQ
are establishing a 4,000-person unit to protect Great Britain against Russian cyber operations.
This can be expected to be one of the partners with whom the U.S. will seek to coordinate deterrence.
Tech Bureau Corporation disclosed that roughly $60 million in cryptocurrency
had been looted from its Tokyo exchange.
The hack occurred over two hours on September 14th,
was detected on September 17th,
and was confirmed and reported to authorities on the 18th.
The company had been under some regulatory pressure
to improve security.
A new investment round, it says,
will help it reimburse those who lost altcoin
and help tighten safeguards against theft.
Google confirmed yesterday that it had notified some senators that their Gmail accounts
and those belonging to their staffers had been targeted by foreign intelligence services.
There's been no public attribution of which intelligence services were involved,
but the warning has prompted several senators to complain that the Office of the Sergeant-at-Arms has said helping secure personal email accounts, like Gmail accounts,
isn't within the scope of its responsibilities. Government accounts, sure. Gmail, no.
And finally, two arrests have resulted in two guilty pleas. You may recall a ransomware attack staged through
networked Washington, D.C. police traffic cameras shortly before President Trump's inauguration.
Romanian national Eveline Cismaru admitted guilt to two of the 11 charges she faced,
conspiracy to commit wire fraud and computer fraud. Ms. Cismaru may get a break on her sentence if she follows through on her promise
to help investigators against her co-conspirators.
And why not?
It worked for the guys behind Mirai, after all.
The motivation for the hacking was criminal
and not, as was widely suspected at the time, political.
And the timing of the attack to coincide with the inauguration
seems to have been merely coincidental.
The hackers may not have even been aware that the devices they compromised were connected to police networks.
And in what we might as well call a case of super-duper privacy, since it involves Deadpool,
a gentleman took a guilty plea to charges involving his posting the entire Deadpool movie to his Facebook page.
In what has become a leitmotif for online acting out,
Mr. Trevon Franklin also unwisely tweet-taunted federal law enforcement.
Quote,
Well, right now, they at sentencing recommendation of six months.
In plain sight, but not hiding, Mr. Franklin, who was also known in social media by his nom-de-hack Trayvon M. King,
also established a site he called Bootleg Movies.
Do crooks today really need remedial instruction in such old-fashioned criminal skills as hiding out, going on the lam, or being D&D instead of a canary?
And joining me once again is Emily Wilson.
She's the Fraud Intelligence Manager at Terbium Labs.
Emily, welcome back.
We wanted to talk today about this notion of exit scamming,
some of the things that you all have been seeing.
When it comes to the
dark web, what can you share with us? Sure. So glad to be back. Thank you for having me.
Yes, you know, I've been out of the world for the last few weeks on this thing they call vacation,
which I highly recommend. And I came back to find that one of the markets has recently exit scammed.
I thought this was a good idea to talk to you and your listeners about how exit scamming works in the dark web, what it is, and where we see it
show up. So in this situation, I'll set the scene for you. This is a market that came
into play kind of after the AlphaBay takedown, kind of in that vacuum that we saw form there.
They've always been a little sketchy, you know. They haven't played nicely with others. They actually took down somebody else's site in sort of a big display of power, only to realize that
it was going to backfire. And a couple of weeks ago, this is my favorite piece here of a little
dark web drama, they reached back out to that person they'd gone after and said,
hey, are you interested in doing business together? And what the community now thinks
is probably an attempt to, you know,
censor some reporting around the inevitable exit scam. And then they disappeared. And that's what
an exit scam is. An exit scam is when, you know, one of these dark web markets just disappears,
just goes offline. And the reason you do that is because, you know, these are fairly sophisticated
platforms. They hold money in escrow for buyers and sellers. And so if you're looking to make a purchase, you know,
you pick your listing, you say, I'd like to buy this cocaine, please, or these credit cards.
And you, you know, you send your money. And while they're waiting for the transaction to process,
the market holds that money in escrow until the seller actually releases the good, right? It's meant to be a safety mechanism. So you have a sort of a trusted third party
that handles the money, so you make sure you get your goods.
Exactly. And that, you know, provides a dispute mechanism if something goes wrong, which of course
it inevitably does. Except when, of course, these markets that you quote-unquote trust decide to disappear.
And so they run off and they take all of the money held in escrow,
which can be quite a large amount of money depending on the market,
and they're gone and you can't do anything about it.
You know, they shut down the site, they disappear,
and there goes all of your money and all of your friends' money.
And that's what happened here.
Is it reasonable to think that this may actually be some of these folks' business plan from the
outset to kind of build up this forum and build trust and the ultimate plan is to run off with
the money? Absolutely. That's definitely, it's very lucrative if you do it right. And I'm sure
you can imagine, you know, one of the biggest exit scams was a market called Evolution that exit scammed back in 2015. And at the time, they ran off with
something like, you know, $10 to $15 million worth of Bitcoin. And that was before the Bitcoin price
spike. So you can imagine it was particularly attractive this past fall when we saw Bitcoin,
you know, spike up in the tens of thousands of dollars. So I guess this is one of those things where if you're doing business in
unregulated, shady markets, this is something you might fall victim to. Absolutely. And it's the
sort of thing that everyone knows can happen. You have to choose where you want to place your trust.
And when markets go offline briefly, or if the
connection is shoddy, or if something is not quite right, this is the first thing people think of.
They think, oh, they're going to exit scam because everyone's fallen victim to it one or more times
over the course of their dark web life. This was what people thought originally was happening with
AlphaBay. When AlphaBay, who had historically had incredible uptime, this is the market, disappeared last July, everyone thought, oh, I'm sure it's fine
because AlphaBay wouldn't do this. They're making enough money, they wouldn't just exit scam.
And then over the next couple of days, people got increasingly angry thinking like,
we trusted you, we built this community together. Did you really just do what
everyone else does? And so it really, it is something people expect, but then, you know,
it's very easy for these admins because all they have to do is just walk away. They have the money
in their wallet and their Bitcoin wallet. They can just walk away and really no one can stop them.
All right. Well, I guess buyer beware, right? Emily Wilson, thanks for joining us.
My guest today is Tanya Janca.
She's a senior cloud advocate for Microsoft, specializing in application security.
She's one of the project leaders of the OWASP DevSlop Tool Project,
which they describe as a collection of DevOps-driven applications
specifically designed to showcase security catastrophes and vulnerabilities
for use in security testing, software testing, learning, and teaching
for both developers and security professionals.
So OWASP is the Open Web Application Security Project,
which is a huge international nonprofit.
And our entire goal is to teach about application security.
And we're expanding out to cloud security,
op security, all sorts of other things
that surround that idea.
Almost all of us are volunteers.
And basically we have the Global Foundation,
which is not that visible to
the public. And then we have chapters. And I run a chapter in Ottawa where you hold meetings and
stuff. And then we have projects. And projects include things like ZAP, which is a web proxy,
and it's free. And DefectDojo, which will track all of your vulnerabilities. It's like vulnerability
management. And then I met a woman named Nicole Becker
from New York City who's amazing.
And she said, do you want to start a project with me?
I was like, I can't think of anything more fun to do.
And she's one of my professional mentors.
She's incredible.
And so she created this vulnerable app
that had sort of new DevOps-y types of things.
And both of us wanted to learn about DevSecOps.
And so I went down to New York and we spent a few days together hacking away at it.
And then we presented it at Microsoft Tech Days, long before I actually worked for Microsoft.
So it has like broken APIs, like insecure APIs, and we use the MEAN stack.
And we just want to learn new ways to kind of like hack DevOps, if that makes sense.
And then we did that workshop a whole bunch of times all over the world together.
And then I decided to make my own DevOps pipeline to create our website.
Like, well, why not eat my own dog food?
And if I'm going to make a website or a web app for our project,
I'm going to do it with the DevOps pipeline.
Cool.
So then I started adding security things to it,
and I thought I wanted to open source it.
But it turns out it's really hard to open source your actual pipeline.
Mine is an Azure DevOps pipeline.
It turns out it's really hard to share.
You can export it in JSON, but because of all the different licenses and stuff, it's just this huge mess.
So I'm like, how can I share it?
So I started a video show, and it's, I guess, the OWASP DevSlop show, and I stream live on Twitch.
I'm going to add Mixer and YouTube.
Apparently, you can stream to all three at the
same time. We've had five episodes so far, and basically members of the public can watch myself
and a guest. Quite often it's someone else from the DevSlop project doing things on my DevOps
pipeline as we turn it into a DevSecOps pipeline. So this Sunday, we added all sorts of security headers.
We're going to add a bunch more
until we have all the security headers.
And we're adding a certificate together
and then talking about why you need a certificate,
talking about what all the different headers do.
And I'm going to have an episode
where Simon Bennett comes on
and he's the one that created OWASP ZAP,
and we're going to add it to my pipeline. And the idea is slowly, we're just going to add things to the
pipeline and make little lessons and explain how to do it. And the audience can participate with
us. They'll say, Hey, what about this? Or have you done that? Or this is broken. And whenever
I screw something up, they're always helping me, which is really sweet. It's like having
several little helpers all the time. It's great. So that is my show.
Yeah. Now, when you say the community, who are you attracting so far? Who are your viewers? Who's checking it out?
So far on Twitch, it's a lot of people who are just interested in cool things on Twitch. My friend Suz, or noopkat,
she does super cool IoT types of things. So she'll live code IoT things. She'll, like, live code a
thing where if people send her a cute picture of a cat, it'll turn on the light and stuff like that,
just to show people how to code IoT. So she's been sending her followers to follow me, which is really great. And then members of the OWASP community.
And I love the idea of people being able to ask questions and me being able to answer them real
time. And sometimes on the show, we're going to start interviewing people about things I think
are cool. Like someone's going to come on and talk about smart contracts and then how to hack them,
which I think is neat. And I'm going to have different OWASP project leaders come on and then actually implement
their project as part of my project, which is like super, super cool. Yeah. So just any
DevSecOps thing that I want to know, I'm just asking cool people to come on the show. And so
far, a lot of them are saying yes, which is really neat.
And I think one of the things that I think is interesting and charming about this is that you're putting yourself out there for folks to watch you in the midst of your learning process.
You're not putting yourself in front of them and saying, hey, I'm an expert. Here is my knowledge
that I will rain down upon you. Your mistakes are out there, the missteps along the way,
and it's really a community collaborative process.
Yes, as a perfectionist, it's kind of hard to make mistakes in front of other humans.
But I'm working on being cool about it.
Franziska and I, she's one of, Franziska Buehler, she's one of my project members,
and she's also a super anal retentive perfectionist
like I am.
And so both of us are comforting each other.
We tried to implement a certificate on our site
three times now.
Failed three times.
Nicole and I, Nicole Becker and I,
we wanted to learn about DevSecOps
and she wants to learn about how to break it
because she is a red teamer. And I want to learn about the vulnerabilities and then how to defend
against them because I am a purple teamer. And then Franziska is a WAF expert. She writes the
core rule set for ModSecurity. She's on the open source team. And so she's been like adding WAFs to pipelines,
which is kind of badass. So you can test your new WAF rules and to make sure it doesn't block like
real business traffic, which is really neat. And so she's going to add a WAF to our pipeline,
which is pretty cool. Now, in terms of how this intersects with your work at Microsoft, are they supportive of your efforts here?
Is this a side project you're doing off the clock?
How much are they involved?
So they've given me unlimited Azure resources, which is really amazing.
And I don't only have to show Microsoft products, which is really cool. So basically, they've given us like free server space. And basically,
like, I have security sensor and all this monitoring and all of that's free because I work for them, which is really, really cool. So they're being super, super ridiculously supportive.
Our thanks to Tanya Janca for joining us today. We only had time here for a small part of our
conversation. We discussed her thoughts on being a woman in tech, the fearlessness she learned from a previous career
as a professional musician,
the importance of mentoring, and much more.
We posted the full extended version of our conversation
over on our CyberWire Patreon page.
There's a link in today's show notes,
and we hope you'll check it out.
You don't need to be a Patreon contributor to listen,
but while you're there, we hope you'll check out
all the ways you can help support our show.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.