December 23, 2016

This Week in Cyber

Nathaniel Gleicher,

Find me on:

Five things I've just read:

This Week in Cyber

  1. Fancy Bear Targets Ukrainian Artillery: Crowdstrike released further analysis on the (less-and-less) mysterious actors behind the DNC hack, identifying malware used to target Ukrainian artillery units as coming from the same group. The report, which provides technical attribution for a set of Android malware derived from the same toolset regularly used by Fancy Bear, does an excellent job of strengthening even further the already-clear links between the group and the Russian military. For any holdouts left who doubt that the actors were in fact Russian, this should be the final word. This is what attribution looks like.

    It's also worth noting something else: Fancy Bear's facilitation of targeting Ukrainian artillery looks like it was strikingly effective. Over the last two years, according to the Crowdstrike report, Ukraine has lost 50 percent of their artillery, and 80 percent of the targeted weapons system. Needless to say, these numbers are very high, and a good reminder that for all the focus on information operations right now, cyber-offense can also be very effective when used for the more traditional purpose of enabling kinetic conflict. I'm reading: "Cyber Experts Cite Link Between DNC Hacks and Aggression Against Ukraine."

  2. Cybersecurity Must Be Hard if Even the Empire Can’t Do a Good Job: It’s good to be reminded that security is even hard in the world of Star Wars. Thankfully, no one in the real world has (yet) contemplated destroying the planet as an easy solution to a data leak. I’m reading: “How Bad Was Imperial Cybersecurity in Rogue One? We Asked Some Experts."

  3. What Does MVP Mean When You’re Building Technology for the Real World? Silicon Valley start ups have built their rapid development cycles on the concept of the minimal viable product – get something out the door in a beta stage, then iterate with customer interaction to improve the product as quickly as possible. How to handle this “fail fast, fail forward, iterate quickly” approach with technology that impacts the physical world is still an open question.

    Case in point: the early pilot of Uber’s self-driving cars in San Francisco has raised concern because autonomous vehicles have been identified running red lights and violating other traffic laws.

    There is immense pressure on the companies racing to capture the potential self-driving car market, not least of which because the first mover, if they get out a good product, could have a substantial advantage. This drives innovators to rapid development cycles, which will in turn increase the likelihood of “bugs” in early development versions. But when the cost of “bugs” isn’t a system crash, but a bike/car collision, what should be done to counter these pressures – even if that means slowing down the development cycle? And if we do slow down the development cycle, do we expose our leading-edge innovators to competition from other countries that might not have such concerns? I’m reading: “Uber Admits to Self-driving Car ‘Problem' in Bike Lanes as Safety Concerns Mount.”

  4. Don't Call it a Cyberattack: As much as 80 percent of alerts generated by security systems turn out to be false positives. This obviously raises serious concerns for defenders – how do you find the 20 percent of real alerts in the midst of all those false alarms?

    But it could also have defenders crying wolf about entirely legitimate activity. Case in point: According to the state of Georgia, after it refused DHS’ offer to help secure its voting systems in preparation for the 2016 election, DHS targeted it for a series of cyberattacks.

    According to DHS, however, the events that Georgia is identifying were nothing of the kind. For example, a “large attack” identified by the state on Nov. 15 was actually a DHS contractor visiting a state website to learn about a professional license.

    All of this started because Georgia’s cybersecurity system alerted on DHS’ behavior. Georgia claims that their security systems “would not have sounded the alarm over the activity DHS is describing,” but it seems like that’s exactly what happened. I'm reading: "Georgia asks Trump to investigate DHS 'Cyberattacks'" and "DHS: Georgia Incident was Legitimate Work, not a Hack."

  5. Cybersecurity and Arms Control: A Stormy Relationship Continues: It looks like security advocates that have been pushing for a renegotiation of the Wassenaar arms-control agreement on cybersecurity tools will have to keep pushing. Advocates have argued that the agreement, which is intended to limit the ability of repressive regimes to access surveillance technology that can be used to target dissidents and human rights activists, also forbids much of the modern business of cybersecurity research.

    There had been growing support for a renegotiation of the rule, but it appears that didn't happen. Little has been done with the international regulation in the US up to this point, as regulators struggle to distinguish between legitimate security research and malicious activity. The US had pushed for a revision of the rule, and as the new administration gets underway, we shall see how (if at all) we manage to untangle this difficult knot. I'm reading: "US-Backed Effort to Ease Software Export Limits Fails."

Topics: Adaptive Security, Illumio News

Share this post: