CyberWeekly: Ex-NSA Cyber Mercenaries in Mideast, Cyber Security Bootcamps, and Kids’ Fullz for Sale
CyberWeekly Newsletter: Weekly Edition
Cyber “Super-Weapon” Called Karma
The cyber-espionage campaign Project Raven is nuts! It has the makings of a Hollywood cyber thriller. It has an über-wealthy Middle Eastern monarchy, a secret cyber “super-weapon” called Karma (of unknown origins), and American, ex-NSA cyber mercenaries working for a foreign intelligence service. And they all come together to engage in the surveillance of other governments, militants, human rights activists, and… um, Americans... via their iPhones.
Wait, iPhones are a closed system. Aren’t they notoriously secure? Yep. So you can see why Karma—which doesn’t require the iPhone owner to interact with it (like, clicking a phishing link)—was dubbed a cyber “super-weapon.”
Reuters’s reporting on Project Raven and Karma is a great piece of investigative journalism. In case you haven’t read the articles yet, a group of Americans were hired (via a contracting firm) to conduct cyber-espionage for the United Arab Emirates with a cyber weapon purchased from some unreported third party. If you thought that cyber security people were a bit too paranoid, these two Reuters articles may convince you that we’re not paranoid enough. By the way… pro tip. If a foreign entity ever offers you a contract gig that involves surveilling your fellow Americans—don’t walk—run away. Otherwise, the FBI may want a few words with you when you get home.
Cyber Candidate Sources Beyond Universities
The cyber security workforce shortage is constantly reported. According to last year’s (ISC)² Cybersecurity Workforce Study, the workforce shortage is up to 2.93 million people globally. If we as a society need more cyber security professionals so desperately, then what are we doing to train new entrants to the field? After all, the career field is so new that career paths (including entry) are not yet well defined. As cyber venture capitalist Robert Ackerman Jr. points out, “Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science.”
Bootcamps and community college programs will likely be key participants in the ecosystem that produces cyber security professionals going forward. Cyber bootcamps accept non-programmers, teach them key skills, then help them find jobs. Ackerman highlights SecureSet Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago. Personally, I’ve had great experience with graduates of NPower in New York. Both NPower graduates that I’ve worked with have been great and came out with CompTIA A+, Linux+, and CySA+ certifications.
Community colleges offer an interesting—oft overlooked—option for cyber security training as well. I’ve been a fan of the hybrid cyber security program at the City Colleges of Chicago (CCC) since the school’s partnership with the Department of Defense to develop cyber security training was announced in January 2017. There are now a multitude of cyber security programs at community colleges all across the United States. For many people these will be a much more accessible and affordable pathway to a career in cyber security than 4-year universities.
As the cyber security community seeks to reduce the skills gap, we’re going to have to get more creative in the training and hiring process. The availability and success of bootcamp and community college programs serve to highlight an important fact. People don’t necessarily need a 4-year bachelor of science in technology to get into cyber security. It is no doubt very helpful for some cyber security subfields, but it should not be used as a screening criterion for the overall field.
AWS Acquires Israeli Disaster-Recovery Startup
You may have seen me write recently that I foresee consolidation coming to the cybersecurity startup space. More specifically, I think cloud computing firms are natural buyers for cyber startups. As more companies move to the cloud and struggle with implementation, providing built-in security options could create a compelling offering.
Now we’re seeing evidence that I’m on to something with my prediction. Last month AWS acquired the Israeli disaster-recovery startup CloudEndure. Okay, I’ll admit that continuity-of-business (i.e., disaster-recovery) falls more naturally into information security than cyber security. But it’s not far off the mark.
As 2019 progresses you can likely expect some aggressive acquisitions by Google Cloud and its new head Thomas Kurian as they play catch up with AWS and Microsoft Azure. Notably, the $18 billion software startup Splunk—producing excellent tools for data security—has been speculated as a potential acquisition target for Google Cloud. A Splunk acquisition could make Google Cloud a noticeably more compelling cloud solution for enterprise clients.
Bonus Prediction:
I anticipate we’ll see some consolidation amongst Threat Intelligence Platforms in particular. The space feels a bit crowded and many platforms don’t live up to the hype as much as Cyber Intelligence Analysts would hope.
Kids’ Fullz
This week on The CyberWire podcast Emily Wilson from Terbium Labs enlightened listeners about fullz for children that were found for sale on the dark web. Kids’ fullz can be particularly valuable as children—and most of their parents—don’t monitor their credit.
DEFINITION: Fullz is a slang term used by credit card hackers and data resellers meaning full packages of individuals' identifying information. "Fullz" usually contain an individual's name, Social Security number, birth date, account numbers and other data. Fullz are sold to identity thieves, who use them in credit fraud schemes. (Creditcards.com)
While there’s a wide variety of ways to steal credit information for adults, the options for kids are largely limited to breaching medical or government offices. In the instance that Wilson described, the fullz were stolen from pediatricians and hospital networks.
That seems timely as healthcare services is one of the most attacked industries in the United States. There is a monetary value to PII—personally identifiable information—and the “freshness” of the PII in children’s fullz is hard to come by for cybercriminals.
If you have children, put a freeze on their credit. They won’t need it for years! Check out this blog post from NerdWallet for instructions on how.
Cool Job of the Week
Visa — Cybersecurity (Threat) Analyst (Location: Ashburn, VA)
Veteran-Preferred Job of the Week
BDO — Cybersecurity Advisory Intern - Summer 2019 (Location: New York, NY)
CORRECTION: Karma is a cyber weapon of unknown origins, not “originals.”
Hope you’ve enjoyed this week’s edition of the CyberWeekly Newsletter. Please share with a friend or colleague.
Stay vigilant,
Oritse J. Uku, Editor-in-Chief
Disclaimer: The opinions expressed in this newsletter are my own.