CyberWire Daily - WikiLeaks' Vault 7 "Dark Matter" docs. Information operations, Russian style and ISIS style. Job database exposed.
Episode Date: March 24, 2017. In today's podcast we hear assessments of WikiLeaks' latest Vault 7 files: compromised supply chain or damp squib? NATO worries about Russian information operations. ISIS continues to push jihadist inspiration online, claiming the London killer as one of the Caliphate's soldiers. Facile attribution can mislead, as seen in a surprising arrest. Comments on America's JobLink Alliance breach. Acalvio's Chris Roberts wonders if AI and machine learning are all they're cracked up to be. Palo Alto Networks' Rick Howard has an update on the Cyber Threat Alliance. And Estonian experience suggests to the world that President Putin is a proud spirit who cannot endure to be mocked.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
WikiLeaks releases more Vault 7 files.
Are we talking about compromised supply chain or damp squib?
NATO worries about Russian information operations.
ISIS continues to push jihadist inspiration online,
claiming the London killer as one of the caliphate's soldiers.
Facile attribution can mislead, as seen in a surprising arrest.
Comments on America's JobLink Alliance breach.
And Estonian experience suggests to the world
that President Putin is a proud spirit who cannot endure to be mocked.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 24, 2017.
Yesterday, WikiLeaks dumped the second tranche of the Vault 7 documents it maintains came ultimately from the U.S. Central Intelligence Agency.
Julian Assange's group is calling this set of files "Dark Matter,"
and they're said to contain documents suggesting that the CIA was able to compromise Mac firmware
if it had physical access to the devices.
Apple thinks its products' vulnerabilities are overstated in the Dark Matter material.
WeLiveSecurity glosses this as a damp squib,
but the more disturbing speculation in Threatpost and elsewhere
is the suggestion that intelligence agencies had access somewhere, at some time, to Apple's supply chain.
Other Apple-related news concerns the threat from a group calling itself the Turkish Crime Family,
which is demanding ransom from Cupertino. If Apple doesn't pay either $75,000 in cryptocurrency or
$100,000 in iTunes gift cards, the Turkish Crime Family threatens to remotely wipe 300 million
Apple devices. Apple's hanging tough. They say they weren't breached and that any iCloud
credentials the criminals may have were obtained elsewhere, probably through password reuse. We heard from Fidelis
Security's John Bambenek on the incident, and he's as skeptical as Apple about the threat.
Quote, the hacker group is not following what's become typical operating procedure. For example,
if this were a real ransomware attack, they would be communicating privately with the company
they're targeting.
Based on previous incidents, the current threat has all the hallmarks of a stunt.
If they really have the ability to wipe iPhones, then they would have wiped a few already as proof of life, end quote.
He advises due diligence and reminds anyone who gets this sort of demand that paying ransom only serves to increase the threat.
NATO continues to worry about Russian information operations and how to counter them. U.S. Army General Curtis Scaparrotti, currently serving
as Supreme Allied Commander Europe, is advocating a more concerted effort to counter Russian
government disinformation aimed at the European members of the Atlantic Alliance. He particularly
recommends that the U.S. government reinforce the Russian
Information Group, a joint SACEUR State Department operation, and the State Department's Global
Engagement Center, which he says is not robustly supported. The other, very different information
campaign currently threatening the civilized world is, of course, the one being mounted by ISIS.
The terrorist group has claimed the radicalized London jihadist
as one of the caliphate's soldiers.
ISIS continues to emphasize radicalization, recruitment, and inspiration.
That third goal, inspiration, is expected to grow in importance
as ISIS continues to lose territory and fighters
in its core areas of operations.
Informed observers think that ISIS as a pseudo-state is on its way to oblivion,
but its messaging and attendant terrorist diaspora
will trouble the world long after the endgame in Syria.
It's also likely to be passed on to successor groups.
As British police roll up suspected associates of the London attacker,
another case points out the dangers of
hasty and facile attribution. Jewish community centers in the U.S. have recently sustained a
wave of violent threats that happily have not been executed. In this case, the usual suspects would
probably have been all the wrong suspects. Israeli police have arrested a Jewish man with dual U.S.
Israeli citizenship on suspicion of having
been the one communicating the threats. By all appearances, the man in custody appears to be a
maladapted misfit, perhaps actuated in part by his rejection for military service. So again,
attribute with duly skeptical caution. On Wednesday, the AP reported that America's
JobLink Alliance, provider of a nationwide employment service for job seekers, had been compromised by a malware infection.
Personal information from people seeking jobs in at least 10 states, among them Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont, is thought to have been exposed.
The breach remains under investigation,
and officials are advising anyone who used the systems to review their bank and pay card accounts.
Reaction from the security industry has been decidedly jaundiced.
Vasco Data Security's John Gunn calls it entirely unacceptable
that an organization should fail to secure personal information properly.
Quote,
This is adding injury to misfortune.
Not only are these people out of work,
now they have to worry about identity theft for the rest of their lives.
The final insult is the referral to credit monitoring services
where the victims can pay for ID theft protection.
End quote.
NuData Security's Lisa Baergen agrees that targeting vulnerable job seekers
seems especially awful.
She thinks that every organization entrusted with personally identifiable information
needs to constantly test and harden its external and internal defenses.
And free credit monitoring, she adds, is unlikely to be of much help.
A better course of action is a credit freeze,
and those responsible for losing the data should consider offering it for free.
A quick look at our CyberWire events calendar.
The second annual Billington International Cybersecurity Summit will convene in Washington, D.C. next Thursday, March 30th,
and the Cybersecurity Summit will connect senior-level executives in Atlanta, Georgia, on April 6th.
We'll be covering some of next week's events as well. In addition to the Billington International Summit,
we'll be in Silicon Valley next Tuesday and Wednesday for SINET's annual ITSEF conference,
and then we'll head to Tucson over the weekend for the Women in Cybersecurity conference.
Stay tuned for coverage here and in our daily news brief.
And finally, we return to countering Russian information operations.
Estonia may have some valuable lessons to
share in this regard. The Christian Science Monitor's passcode service has an interesting
overview of those lessons. In particular, the Estonian experience appears to suggest
that the Russian government is especially vulnerable to humor and satire, and that the
U.S. government shouldn't hesitate to go negative early and often. We'll try to do our bit with humor.
Knock-knock.
Kato-on.
Our linguistics staff tells me that's Russian for knock-knock,
but honestly, if you asked, I would have guessed Klingon.
Anyway, we got nothing.
These information operations are always harder than they look.
Maybe the State Department could find some gag writers on JobLink.
Oh wait, Cozy and Fancy probably beat them to it.
Joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks.
He also heads up their Unit 42 threat intel team.
Rick, you've got some updates for us today on the Cyber Threat Alliance,
some good stuff happening there.
Yeah, there were some big announcements at the RSA conference a couple of weeks ago.
And starting about last summer, the Cyber Threat Alliance as an organization has made some
exponential moves forward, culminating in all these announcements at the RSA conference. So
let me just kind of go through them all. Yeah. The first one is the original founding members,
plus a couple of new founding members that I'll talk about, put some money in to invest in this
thing to make it a nonprofit. So it is now a nonprofit company, officially, so it's officially an
organization on its own, run similar to what an ISAO
or an ISAC would be. And that took a long time to get that done,
with the help of Booz Allen Hamilton helping us with the governance model of that.
So that part is done, very excited about that. At RSA
we announced the new president of that now new nonprofit.
His name is Michael Daniel, and he is the former cybersecurity czar for President Obama.
So we feel very fortunate that he has come on board to lead this thing into the future for us.
Those two new board members I was telling you about: the original ones were Fortinet, Intel Security, Palo Alto Networks, and Symantec. But when we went through this process to form the nonprofit,
Check Point came on board and Cisco came on board. So some big heavyweights in the cybersecurity
industry banding together for this alliance to make all of our mutual customers better. So
again, pretty happy about that. And then two more things, two smaller things,
but it's great that we have these.
We brought on three new members, just sharing members.
The RSA company, not the conference, joined us.
Rapid7 and IntSights.
IntSights is an Israeli company.
And they joined the original contributing members,
Barracuda, Zscaler, ReversingLabs, and Telefonica.
So we're very happy to have those guys on board.
And the very last thing, and I've talked to you about this before, is the idea of sharing adversary playbooks.
Well, we've rolled out a new sharing platform to all the members called the Cyber Threat Alliance Platform Version 2 that facilitates the sharing of adversary playbooks.
So the bottom line to all this is that
the Cyber Threat Alliance is now a thing and expect good things from it going forward.
All right. And you can find out more about it at CyberThreatAlliance.org.
Rick Howard, thanks for joining us.
Thank you, sir.
My guest today is Chris Roberts. He's the Chief Security Architect at Acalvio Technologies and a popular speaker at security conferences around the world with a reputation for having
a direct and unfiltered style when sharing his perspectives.
than I think most of us would prefer them to use. Talk to a lot of the vendors out there about, you know,
what do they define as AI?
What do they define as machine learning?
And unfortunately, most of them, it just seems to still be very, very rule-based.
You know, the whole genesis of their architecture comes down to an if-and-or-not statement, which isn't true AI and sure as hell isn't really machines learning. You know, you take
another step back and you go down towards what the DARPA project actually put together, the
Grand Cyber Challenge, and that is where you're starting to get more intelligence and the actual
machines themselves understanding both defensive and offensive tactics and actually being able to react accordingly
without necessarily the restraining rules that most of the vendors are putting around something.
I mean, they had a lot more free rein and the architecture was built a lot more freely,
whereas most of the vendors and most of the systems don't want to tread on anybody else's toes
and spend a lot of time actually just building architectures that don't necessarily have good heuristics. They're still based on a very, very structured learning
architecture. When you see a lot of the security fence guys go, hey, we have, you know, built-in AI
to help you, you know, understand and track attackers, it's like, well, you know, are you doing anything more
than a set of flippant Splunk rules? Or, you know, do you actually have intelligence built in there?
Or are you now using machine learning and AI in place of big data?
Because everybody's gotten fed up of hearing the words big data.
With all of the technology, we still have these basic problems of the insider threat,
either intentional or otherwise.
And so this notion of, you know, of people being one of the weakest links
in the chain, where do you come down on that? Oh, I mean, it's huge. I mean, again, 20 years plus,
and we still haven't figured out how to protect a basic password, let alone, in many cases,
actually understanding that that is still the keys to the kingdom. I mean, we still engage in pen tests and assessments on an extremely regular basis.
We'll walk into a client and we've got a list of, you know, three, four, five thousand
default passwords that they'll have on any of their regular enterprise, SCADA, ICS,
IoT devices, and 99 times out of 100, we can pop the architecture simply because they forgot to change the basics.
So it's not even a fact that they've not actually defined passwords correctly.
They haven't even changed the bloody default ones that are sitting all over the Internet in the first place.
So where do we have to go?
We've got to go somewhere different.
I mean, you know, again, another test that we've done a few times now with organizations
is we'll approach members of their staff and of their team, and you start taking a discussion with somebody,
and I think the statistics are now that the average cost of a password, if I need to buy it
rather than crack it, is a thousand dollars. So worst case scenario, I offer somebody, I said, a crisp 100,
and I walk into the enterprise with their password and their credentials. There's got to be a much better solution.
I mean, there's got to be.
The problem is, is when we start looking at the alternatives, you start looking at any
kind of potentially biometrics, you start looking at any kind of, you know, two or three
or multi-factor solution, and then you start entering into the realm of a national identity or
maybe the corporation holds some level of biomatter on you or some kind of other very, very sensitive
information on you. But I mean, do we have to go to that one? Do we start looking at, you know, I've got
one of my systems has keyboard biometrics on it, so the only way somebody gets in is if they, A, know the password, and they can, B, type the bloody thing in the same manner.
So you've got to put a better set of combinations in place, or you remove passwords altogether and you start building in something to do with, same with the military.
You've got the CAC cards with the military.
At least it's something you have, and yes, you have to have something else with it.
But you remove the human a little bit more effectively from it.
Looking forward, what are the take-homes?
What are the things you think people should be thoughtful about?
People need to ask more questions.
Whether it's listening to the propaganda getting put out by the latest companies spouting AI or machine learning or user behavior analytics
or next generation IPS or any of that other BS. I wish people would ask more questions. You know,
when my mother picks up the phone and she's told it's, you know, the director of MI6 is calling her
to tell her that, you know, she needs to press these buttons on the computer, and tells them to
go pound sand because she asked more
questions, that's what I, that's what I really, that's all I can ever ask for at the moment.
Do I really believe that in this day and age we are going to get the entire, you know, network of systems
talking together? I think eventually, but I think for the minute that the best we can ask is that
people ask a few more bloody questions rather than trusting everything that comes out, or trusting and maybe doing a one-time verify,
continual verification, and just continually questioning. If we can get people to do that,
I think we're on the right road, to be perfectly honest. That's Chris Roberts from Acalvio. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.