CyberWire Daily - Wipro update. Office 365 attacks. The "Smart Content Store" is bad mojo. Russian Internet sovereignty. Global Cyber Innovation Summit notes.
Episode Date: May 2, 2019
The group behind the Wipro attack has been active since 2015. Office 365 users are still being targeted by account takeover attacks. A third-party Android app store is serving malware. The UK Defense Secretary has been sacked over leaked information. The US warned Russia to cease its support of Venezuela’s Chavista regime. Russia’s Internet sovereignty bill is signed into law. And notes on the Global Cyber Innovation Summit. Jonathan Katz from UMD on law enforcement requests for “ghost” encryption. Guest is Cody Cornell from Swimlane on collaborative SOCs.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The group behind the Wipro attack has been active since 2015.
Office 365 users are still being targeted by account takeover attacks.
A third-party Android app store is serving malware.
The UK Defense Secretary has been sacked over leaked information.
The U.S. warned Russia to cease its support of Venezuela's Chavista regime.
Russia's Internet sovereignty bill is signed into law.
And notes on the Global Cyber Innovation Summit.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 2, 2019.
Flashpoint reveals findings from its inquiry into the attack on IT outsourcing and consulting company Wipro.
The threat actors behind it have been active since 2015.
A URL in a phishing document led researchers to infrastructure used in previous attack campaigns.
The goal of the Wipro attack and subsequent attacks against Wipro's customers appears to be gift card fraud.
Flashpoint says the attackers were seeking access to the portals that manage gift cards and rewards programs at the targeted organizations.
Barracuda is the latest to point out active attacks against users of Microsoft Office 365.
Account takeover attacks surged during March.
The attackers are opportunistic.
Brute forcing, credential stuffing, and social engineering are all in play.
Zscaler warns against a third-party Android app store seemingly specializing in games.
It's simply a front for a campaign to install malware into too-trusting victims' devices.
The Smart Content Store isn't a smart place to shop and doesn't even offer real content.
If you try to download Crazy Birds or Super Bros. Run, you won't even get a trojanized game.
All you'll install is malware.
The Times reports that UK Defense Secretary Williamson has been fired after investigation indicated he was the cabinet member who talked out of school about Huawei.
Prime Minister Theresa May said that, quote, no other credible version of events to explain this leak has been identified, end quote.
Williamson denies the claims and blames his sacking on a kangaroo court
rigged by mandarins who had it in for him.
He'll be succeeded by Penny Mordaunt.
After a failed attempt by Venezuela's constitutional acting president
to oust President Maduro,
the Times reports that the U.S. has warned Russia not to continue attempts to prop up the Chavista regime.
U.S. Secretary of State Mike Pompeo on Tuesday
accused Russia of persuading Maduro to abandon his plan to flee to Cuba.
Russian President Vladimir Putin yesterday signed into law a bill
which will see Russia develop an independent Internet infrastructure.
The law is meant to ensure that the country can stay online
in case its adversaries decide to cut it off from the global Internet.
Internet service providers will have to install special equipment supplied by the Russian government,
which will enable them to rely on Russia's alternative DNS
and route all traffic through local servers when the government deems it necessary.
Most observers assume that the more practical uses of the law will involve censorship and traffic monitoring,
although Moscow denies this.
The law isn't popular among the Russian people.
ZDNet cites a recent poll that found only 23% of Russians support the measure.
Security operations centers, or SOCs,
continue to develop and evolve in their scope and complexity,
with many organizations adopting a more collaborative approach.
Cody Cornell is co-founder and CEO at Swimlane,
a security orchestration automation and response firm,
and he joins us to help explain.
SOC is a security operations center,
so basically a group of individuals,
sometimes analysts, sometimes analysts and engineers,
that are responsible for monitoring the security posture of an organization.
So we spend a lot of resources on threat detection and threat monitoring technologies,
and those alerts have to go to somebody, and that's typically the SOC.
At what point in an organization's lifecycle do they typically stand up their own SOC?
Organizations really differ in when they decide it's important, right?
We see really large organizations that you would typically expect to have a lot of security analysts and a large SOC.
Really not.
Either using managed services or doing it with a few people.
And then you have sometimes a small organization that is maybe the IP, intellectual property,
is the backbone of the organization.
They'll invest heavily in a security operations center in an early phase.
So typically it's mid-sized to larger organizations that have a dedicated SOC,
but you see that across the spectrum of different organizations and different sizes.
So today we're focusing on this notion of collaborative SOCs. What's the differentiator there?
Historically, we've seen, you know, organizations move towards a little bit more sharing, right? So threat intelligence sharing and things along those lines.
Organizations really will benefit from the fact that, you know, one group of people, no matter how big it is,
if it's 10, 20, 50, 100 people, really don't have a monopoly on all the good ways to thwart adversaries.
And the ability for them to collaborate across organizations on what they're seeing and how they're responding
really enables organizations that may be competitive in the marketplace to actually collaborate on security
and really help the whole security operations function across organizations.
Now, is there a natural resistance there?
I can imagine
organizations, especially when it comes to interacting with their competitors,
that they might want to keep their cards close to their vest.
I think there's a tendency to think that that's the case, but we see if it's banks or retail
organizations or a broad variety of verticals actually collaborate. You see a lot of collaboration
in the government. You see a lot of collaboration in the energy and utility sector. Do they share everything? Absolutely not. But how I'm
detecting something, how I'm responding to it, what the good sources for investigation information
are, those are all things that we see people sharing across organizations, regardless of
their competitors. I think most verticals at this point have established an ISAC,
so an information sharing organization around threat intelligence. I think that's maturing a lot to include what, you know,
is typically called a course of action. So what to do when we see bad. And, you know,
I think that's a great place to start. Obviously, a lot of the vendors in the community have started
building communities within their product stacks and their portfolios. And I think that's a great
place to contribute. And then all the classic places that people contribute, if it's GitHub
or otherwise,
there's lots of resources out there for contributing and collaborating.
Are there any misconceptions that people have that you run across when it comes to this sort of collaboration?
I think there's a kind of a misnomer that people aren't excited to share or that people aren't willing to share.
And I think that's actually not the case.
There's a lot of organizations that, you know, they're investing heavily in protecting their organization, but they understand that
sharing is a rising tide raises all ships moment for them. And the ability to share and
collaborate on how to do things and how to respond and how to build playbooks and all these things
are really enabling organizations to do more with the same amount of resources. And I think
the fact that that's coming to fruition is a surprise to some folks who haven't
seen that historically.
That's Cody Cornell from Swimlane.
Today is the second and final day of the Global Cyber Innovation Summit in Baltimore's Fells
Point.
If yesterday's focus was on security technology, today's is much more on the threat.
Author and cybersecurity expert Richard Clarke opened the conference this morning with a discussion about some of the conclusions
he reached in his forthcoming book, Fifth Domain.
He observed that his earlier book, Cyber War, written with Robert Knake and published in 2010,
had drawn scoffing reviews as being nothing more than alarmist fiction.
He noted with satisfaction that much of what they predicted,
especially their claim that we'd soon see the rise of military offensive operations in cyberspace,
including attacks on infrastructure, had been borne out by the events of the last few years.
But, interestingly, he wanted to draw attention to some of the positive developments
that he and his co-author did not foresee.
Specifically, he argued that the last few years had shown that existing technology,
properly applied, can indeed defend the corporate network. He has seen that appropriate levels of
investment in cybersecurity by corporate leadership that understands the risk to the company can make
security a priority, and when that happens, companies are generally successful in fending
off attacks. And he argued that companies should defend themselves and not expect Cyber Command or other elements of the U.S. military to protect them in cyberspace.
He offered a sourly realistic review of military failures to protect their own weapons and networks, and suggested that this argued that the military is not the place to look for defense of the private sector.
He did note language in a recent Defense Authorization Act
that observed that the U.S. military was authorized in effect to hack adversary systems in peacetime,
and he viewed this as a positive sign that the government lawyers, as he characterized them,
who had regarded such offensive cyberaction as illegal under Title X, have been effectively overruled.
He said, quote,
Now there's every reason to think Cyber Command is doing that. They weren't doing that before.
End quote.
He closed with general observations on conflict and with a plea for an understanding of how the federal government can help.
Reflecting on his early career in nuclear arms control negotiation,
he remarked that, quote,
crisis instability comes when an aggressor thinks it can win, end quote.
When the offense thinks it has an advantage and the defense isn't credible,
you're in a dangerous phase.
He saw three areas in which federal action can make a positive contribution.
First, appropriate regulation, particularly in electrical power and election security.
Clarke sees the potential for regulation to have the sort of positive effects he argued it had on the financial sector.
Second, investment in research, particularly in defense artificial intelligence and machine learning.
And third, in diplomacy. There were some genuine achievements in arms control during the Cold War,
and Clarke thinks there are reasons to hope for comparable diplomatic success with respect to cyber conflict.
We'll have more accounts of the summit's proceedings over the next several days.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, it's great to have you back.
I saw an article from Slate recently.
It was called Give Up the Ghost, and it was about a plan in the U.K. to break encryption or add, I guess, a backdoor to encryption.
They're referring to something called ghost encryption.
What's going on here?
So as we know, there's a lot of discussion in the U.S., in the U.K., and in Australia and other countries as well about the extent to which products offering encryption should be weakened
in order to allow this special access for law enforcement.
And I guess what's going on here is that there's been a new proposal
about a way to try to allow access to certain conversations by law enforcement
officials without necessarily weakening encryption on the whole. And it's sort of an interesting idea.
They didn't put technical details out, so it's just kind of a high-level sketch of what they're
thinking. But it seems like what they're talking about is something that would not weaken encryption
for all conversations that people are having, but basically allow them to choose a specific
sender or receiver and weaken conversations that that person is having with other people.
And so that could be perhaps a way to try to strike a balance between the needs both for
encryption in general, but also for this access when needed.
So is this a situation where, say, law enforcement would need to do the
equivalent of asking a judge for a warrant, and then this different kind of encryption would be
put into motion so that they could then decrypt things? Yeah, something like that. So that's my
understanding, is that they would have to get a warrant, and then they would approach the company,
actually, that's providing the platform where this communication is being done. And then they would essentially ask this platform to weaken the encryption or
weaken the protocol being used for some particular pair of sender and receiver. And that way it would
allow law enforcement to target that particular conversation without necessarily degrading
security for the other conversations taking place. And in terms of the actual encryption going on there,
what's your take on this? Is this a good compromise? Well, it's a compromise, I'll say
that. Whether it's a good compromise or not depends on the details. I think certainly it does
at least partly address some of the concerns that people have raised with other proposals,
namely that they would weaken encryption for everybody. And if the single master key falls into the wrong hands, then it could potentially
be disastrous. Here, it looks like there is no central master key to be stolen. Rather,
it does depend on trusting the company, trusting this company providing the service,
that they will only weaken encryption when specifically requested with a warrant in place,
and otherwise would leave other conversations alone.
So you're putting a little bit more trust in the company,
but nevertheless it represents maybe just a different point on the spectrum,
perhaps striking a better balance than other proposals.
Yeah, and I guess with all these things, the devil's in the details.
Yeah, that's right.
It obviously depends a lot on how exactly the process is managed
and what the technical details are when they come to light.
Well, Jonathan Katz, thanks for joining us. Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.