CyberWire Daily - Xenotime is now interested in the power grid. Vulnerable Exim servers under attack. Mr. Assange goes to court. Credential-stuffing attacks on gamers. And that Ms Katie Jones? Not a real person.

Episode Date: June 14, 2019

Xenotime is detected snooping around the North American power grid. Hacking groups exploit the Return of the Wizard vulnerability in Exim servers. Hearings on the extradition of WikiLeaks’ Julian Assange have begun. Online gamers are being chased with credential stuffing attacks: they’re after your skins, your accounts, your credit cards. And some LinkedIn catphish seem to be going to AI charm school. Justin Harvey from Accenture with advice for job-hunting grads. Guest is Dr. Matthew Dunlop, Vice President and Chief Information Security Officer for Under Armour, on the challenges of protecting one of the world’s most well-known brands. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_14.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Xenotime is detected snooping around the North American power grid. Hacking groups exploit the Return of the Wizard vulnerability in Exim servers. Chief Information Security Officer at Under Armour. And some LinkedIn catfish seem to be going to AI charm school. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 14, 2019.
Starting point is 00:02:41 E&E News reports that the North American Electric Reliability Corporation, commonly known by its acronym NERC, issued a non-public warning to utilities that Xenotime, a threat hitherto seen mostly in the oil and gas sector, has been conducting reconnaissance against the grid. The NERC warning is based on research by Dragos, which says that the Xenotime activity group has evidently expanded its target list to the electrical power sector without necessarily abandoning its earlier interests. Dragos thinks Xenotime should be taken seriously but cautions against over-hyping the problem. Quote, no new capabilities are being deployed and the activity observed amounts to early reconnaissance, not compromises of electric utilities, end quote. So, while, as always, it's good to avoid the sort of fear, uncertainty, and dread
Starting point is 00:03:34 that all too often accompanies news reports and sales calls, what are the reasons for taking this discovery seriously? The first one, and this is indeed a sufficient reason, is that Xenotime is, after all, the group responsible for the Trisis or Triton malware that was used against oil and gas installations in Saudi Arabia. That malware was designed to affect safety subsystems of the industrial control system, and it was therefore arguably designed to injure or kill. It didn't do so because the malware induced a plant shutdown as opposed to a catastrophic accident. That relatively benign outcome is
Starting point is 00:04:11 generally thought to have been accidental. Most analysts believe the malicious code was designed deliberately with lethal potential. This is not to say that the power grid is about to turn on you, your family, or your friends and neighbors, but it is to say that whoever's behind Xenotime is unlikely to be inhibited by humanitarian concerns. So the activity is reconnaissance, and the tools aren't new, and there's no evidence that electrical power utilities have been compromised. But Dragos' discovery is certainly worth the attention NERC appears to be giving it. At least two hacking groups are exploiting the return-of-the-wizard remote execution vulnerability in Exim mail servers that was publicly disclosed last week, ZDNet notes.
Starting point is 00:04:57 Exim servers handle a large fraction of the world's email traffic, and users are urged to patch. Bleeping Computer suggests that an encouragingly large fraction of users are doing just that. If you're running version 4.92, you're good to go, and if you're not, then you should probably upgrade as soon as possible. WikiLeaks proprietor Julian Assange's extradition proceedings advanced today. Sajid Javid, the UK's Home Secretary, has signed the request that Mr. Assange be extradited to
Starting point is 00:05:28 the US. He's currently in a British jail for skipping bail. British authorities arrested him after Mr. Assange wore out seven years of welcome in Ecuador's London embassy and was shown the door by Ecuador's government. He had taken to
Starting point is 00:05:44 the embassy to avoid extradition to Sweden, where he was wanted to answer allegations of sexual assault. The Home Secretary's request now goes to the courts, who will decide whether to send Mr. Assange stateside to face charges of conspiracy to commit computer intrusion. He also faces 17 charges under the Espionage Act of 1917. The extradition request is expected to take several months to work its way through British courts. Gamers have money and spend money, and criminals are noticing.
Starting point is 00:06:17 Akamai's recent study of the underworld's interest in the world of online gaming indicates that between November 2017 and March of 2019, gaming websites sustained 12 billion credential stuffing attacks. We know, we know, as the tween gamers would put it, one attack is hella bad if it's against you, but, you know, 12 billion of them is just the kind of statistic that only your parents would be interested in. And these kinds of attacks are low-level attempts that are easy to automate, so the stat is less overwhelming than its sheer size would lead one to think, at least before reflection. Still, it's a lot. Over that same period and across all sectors, Akamai counted 55 billion credential stuffing attacks,
Starting point is 00:06:59 so gaming alone received more than 20% of this particular kind of criminal attention. The Associated Press reports that a fictitious persona, Katie Jones, is seeking connections on LinkedIn. The story speculates that the fictional Ms. Jones is a catfish deployed by a foreign intelligence service, trolling for recruits. The affair is reminiscent of 2010's Robin Sage experiment, in which a completely imaginary persona with an implausible personal history of experience beyond the persona's 20-something years succeeded in attracting not only connections but even a couple of job offers. Katie Jones represents an advance over Robin Sage in that the persona seems to have been built in part with the aid of artificial intelligence. The picture seems to have been created using generative adversarial networks,
Starting point is 00:07:52 an artificially intelligent approach to creating a face from scratch. By contrast, the picture of Robin Sage was a stock image. Katie Jones's LinkedIn profile identifies her as a Russia and Eurasia fellow at the Center for Strategic and International Studies, the well-known Washington think tank. It also said she was a University of Michigan alumna. None of this, of course, can be true since Ms. Jones doesn't exist. The AP story points out the telltale signs that the profile picture is bogus, but in fairness to those who've been taken in, those signs are easy to overlook unless one is either given to a very suspicious mind or is teetering on the edge of some sort of unhealthy obsession. No one is being credited so far with the creation of Katie Jones, but a number of observers have
Starting point is 00:08:35 pointed out that LinkedIn has become a kind of happy hunting ground for Chinese intelligence services in particular. So, connect with caution. And please don't be put out if you've sent one of Collegial. Any fictitious people listening should instead send their friend requests or Let's Connect invitations directly to Chen Wenqing, care of the Ministry of State Security, Zhiyuan, Beijing. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:09:43 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:13 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their
Starting point is 00:11:11 personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. response leader at Accenture. Justin, it's great to have you back. You know, it's that time of year, it's graduation time. We're going to have a whole lot of people out there looking for jobs, and a lot of them are going to be looking for jobs in cybersecurity. And I wanted to check in with you to see if you had any tips or advice for those folks who are going to be out there on the job market. Absolutely. This is the perfect time to be entering the workforce for cybersecurity. The number of unfilled roles and jobs around the world, no matter what industry, no matter if it's nonprofit, business, military, there are simply not enough people to fill all of those roles. So it's a great time to get involved.
Starting point is 00:12:20 And I also think that cyber defense and cybersecurity is really exciting for a domain. I consider myself lucky getting in very early in the ground floor of the cybersecurity industry. And I think to myself, what would it be like waking up every day and still programming or working on ERP systems? I think that those jobs where you're just building systems or engineering them, they're certainly needed in today's industry. But it's also great to have an end goal in mind. The end goal, of course, is protecting whatever organization you're working for and with from cyber attacks, both commodity-style cyber attacks and targeted-style cyber attacks. I think that what newly graduated young professionals
Starting point is 00:13:07 need to think about is if they're interested in cybersecurity, thinking about what part of cybersecurity do they want to focus on? Do they want to be part of a master level domain like incident response where I liken it to as a child, you want to fly the biggest jets. You want to fly in 747s and A380s, but it takes time and a lot of education to get up to that level. Let's say that you finished flight school, much like our young professionals have just finished college and they said, okay, I'm ready to fly a 747. But what they don't realize is those large planes and just like incident response has a lot of moving parts to it, a lot of technical complications. It's about people. It's about pulling that all together.
Starting point is 00:13:51 And you actually need to start a little bit smaller. For these pilots, they start with 737s and A320s and work their way up. The same is true for cybersecurity. You really need to start with the basics and learn about threat modeling and what threats are out there and what those style of attacks look like. And then, of course, you can branch out for them. Maybe you have a passion for identity and access management and you want to go into a digital identity field, or maybe you want to be crafty and you like the ability to move around undetected and to socially engineer people. Well, that's a great penetration tester or adversary simulator. And then there's different aspects of the cybersecurity ecosystem.
Starting point is 00:14:31 If you have business knowledge and you're not really that technical, but you have a passion for cybersecurity, there's a ton of startups and well-established organizations out there that would love to have someone with a business mind work on and build new cybersecurity solutions. And let us not forget, Dave, that there are the technologists and the geeks out there like myself. And there are so many both open source and commercial off-the-shelf applications and platforms that have such a deep level of knowledge out there to discover.
Starting point is 00:15:06 I think about my career journey when I really got into SIEM and log management and working with ArcSight and Splunk and QRadar and all of the other types of platforms out there. But if you don't want to do commercial stuff, there's also open source. I'm really astonished for people that have the personal drive, how much they can actually download from the internet. They can download whole VMs that have malware that simulate what an attack looks like. And you can wire those VMs up and connect them to Elasticsearch and Logstash and be able to actually code new solutions, new means to detect these types of attacks. So today is the perfect time for these young college graduates to get into the workforce.
Starting point is 00:15:54 When you're sitting there and contemplating a stack of resumes that have come to your desk, what are the things you look for? What makes one of those bubble up to the top? From a pet peeve perspective, I like to see short and sweet resumes. I can't underscore that enough. In fact, I recently had a candidate resume come across my desk and they had obviously been in the workforce for 20 plus years, but their history only went back to 2000. I said, well, what was before 2000? The answer was, well, none of that's really relevant. It would have gone to a second page. So I think a very concise, succinct resume is a big standout. I'd like to see examples or notations of big projects they've taken on and maybe a little
Starting point is 00:16:38 bit of information of how they solved that. I don't like to see a broad listing of all the certifications and all of the programming languages they know. Candidates need to think a little bit higher level and put themselves in a hiring role. Maybe they've never been in a hiring role, but they need to think about what would someone look at when they read this resume? How can they truly convey that they have the skills necessary in order to get the role? Well, it's interesting advice for sure. Justin Harvey, thanks for joining us. Thank you.
Starting point is 00:17:17 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
Starting point is 00:17:48 can keep your company safe and compliant. My guest today is Dr. Matthew Dunlop. He's Vice President and Chief Information Security Officer at Under Armour, one of the most well-known retail and e-commerce brands in the world. Before Under Armour, he served nearly 30 years in the U.S. Army, where he helped build Cyber Command and served as Director of Applied Research and Development. When he retired from the military, he had no shortage of opportunities. I really wanted to go a different direction. I didn't want to, I knew that if I made that choice, I'd probably pigeonhole myself into the federal space the rest
Starting point is 00:18:30 of my career. And I'd like to continue to grow and experience new things. And so I wanted to have that flexibility. And I really wanted to work somewhere where I truly believed in the product. And I mean, don't get me wrong, working for the government is fantastic. I truly believe in that mission, but I just wanted something very different. I was ready for a change, and Under Armour is a fantastic brand with a fantastic history and a fantastic value system. And so that was a perfect fit. It's fascinating to me because one of the questions I wanted to ask you was about dealing with the scale of an organization like Under Armour. But scale was nothing new to you because of the
Starting point is 00:19:06 scale you dealt with at Cyber Command. There were some of the jobs I had. One of the jobs I had in Army Cyber Command as the Director of Operations for the Joint Force Headquarters Cyber. We were directing operations globally with 41 different cyber mission teams spread throughout the world, really. So let's go through what your day-to-day is like at Under Armour. What are your responsibilities and how do you manage your team? So at Under Armour, it's actually a very unique environment that most people probably don't realize. Most people think of Under Armour as a retail shirts and shoes company, and it is that, but it's a lot more. Under Armour has a huge connected fitness application side to it where there's, you know, MapMyFitness, MyFitnessPal, and Endomondo.
Starting point is 00:19:50 Not only is there the traditional what you think about with global retail and e-commerce and infrastructure, but there's also security around the connected fitness and the whole app environment that I'm responsible for as well. Each of those environments has specific challenges. How do they differ and how do they cross over? That's actually a great question because there's a team in Baltimore that has traditionally focused on more of the corporate and retail side of security. And as we expand more and more into the cloud, they're required to really stretch their skills. And it's a fantastic team. And they're really stepping up to the challenge
Starting point is 00:20:34 and doing really well at it. It's really expanding their knowledge set into not only their traditional networking challenges that most people face, but it's the cloud, it's code security, it's bot management, it's all that stuff that you think about when you move into application development and cloud development and cloud infrastructure. It's a huge span of responsibility.
Starting point is 00:20:59 And that's the one thing I can honestly say is that I find one of the most fascinating about Under Armour. The team I have, every single person on the team is fantastic. And, you know, you always have the one guy, you know. Usually it's me. And I can honestly say that there is no one on the team that I feel like we could do without or I feel like is, you know, falling behind the rest of the group. And so it makes the job that much more rewarding. Well, how do you go about recruiting that team?
Starting point is 00:21:32 Obviously, Under Armour has a strong brand presence. Does that help when you're out and about trying to recruit folks to join you? So I think, you know, I think the folks that join the team do get that, you know, cool factor from joining Under Armour. And I think that's one of the reasons why the team has been there as long as they have been. But honestly, you know, recruiting under that brand name is challenging. It's not because people don't want to work at Under Armour because, you know, Under Armour is a cool place to work. It's that if you're a cyber person, you know, you're thinking of Google, you're thinking of Apple, you're thinking of, if you're thinking of federal space, you're thinking of, you know, the bigs in this
Starting point is 00:22:10 area, Northrop Grumman and Parsons and those sorts of things. But you're not thinking about places like Under Armour because that's a retail company. And so what I've started to do is I've started to go around to the different universities and talk to their cyber groups and explain to them basically they're in an extremely unique position. They can work anywhere they want. There's no one else that can work anywhere they want. Every different company has a requirement for cyber from the smallest ma and pa, although they may outsource it, to the huge companies. And so there is a place for a cyber IT professional in every single organization. So it's pretty much where do you want to work? And then go look at the job openings in that area because they exist. And the mission
Starting point is 00:22:55 is really the same. It's just whatever you're protecting changes. So if there's something that you are passionate about, even if the primary business is not a cyber business, you can extend your passion for that thing, whatever it is, into their needs from a cyber perspective. Yeah, I mean, absolutely. If your dream is to design bike helmets, or at least work with a company that designs bike helmets, you can certainly help them protect their designs. What do you see as you look towards the future? I mean, companies like Under Armour, we're in a, I think, a rapidly changing retail environment. In terms of the work that you and your team do in protecting an organization of that size, of that scale, what are you looking forward to? What are the challenges you think we're facing ahead? So that's a great question because, you know, a lot of people, you hear the machine learning, the AI, the blockchain, the typical cyber buzzwords.
Starting point is 00:23:52 And it's true that technology continues to expand and we've got to stay on top of technology. But at the end of the day, you really have to make sure you're doing the simple stuff right. If you're not doing the simple stuff, I don't care what tools you have in place. And so the approach I've taken is it's really all about the workforce. You've got to get the workforce on board and you've got to get them security minded. And so I've charged my team with starting to do individual, you know, lunch and learns with different business units and say, hey, here's how to properly use the tools you have in front of you. Here's how to better protect your data. Here's how to more effectively
Starting point is 00:24:27 leverage email and things like that to where, you know, you can reduce the risk. You know, some recent statistics said 95% of all cyber attacks are due to user error. Well, if you can make the users better at using the technology, then you reduce the chance of user error. And then once you are able to actually, you know, tighten up that space, then let's talk about the tools you can put in place. I mean, if you look at every one of these things in the news you hear about recently, you can point to an employee error. This S3 bucket was left open.
Starting point is 00:24:58 Well, somebody didn't click something right. You know, this, you know, got infected by ransomware. Well, it was a phishing email. You know, you could point back to basic cyber hygiene in almost everything. That's Matthew Dunlop. He is vice president and chief information security officer for Under Armour. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:25:30 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman,
Starting point is 00:25:55 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical. measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
