CyberWire Daily - A quick look back at yesterday’s White House industry meeting. Revolution, coup, or a bit of both? Storytelling for security. Lessons from Olympic scams. Notes from the underworld.
Episode Date: August 26, 2021
Outcomes from the White House industry cybersecurity summit: standards, training, zero-trust, and multifactor authentication. The Cyber Partisans aim at the overthrow of Lukashenka’s rule in Minsk. ...A role for storytelling in security. Scams, sports, and streaming. Speculation about the ShinyHunters’ next moves. Verizon’s Chris Novak on reducing false positives in threat intelligence. Bentsi Ben-Atar from Sepio Systems on the risks of hardware-based attacks, internal abusers, corporate espionage, and Wi-Fi. And cybercriminals like their VPNs, too. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/165
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Outcomes from the White House Industry Cybersecurity Summit.
The Cyber Partisans aim at the overthrow of Lukashenka's rule in Minsk.
A role for storytelling in security.
Scams, sports, and streaming.
Speculation about the ShinyHunters' next moves.
Verizon's Chris Novak on reducing false positives in threat intelligence.
Bentsi Ben-Atar from Sepio Systems on the risks of hardware-based attacks, internal abusers, corporate espionage, and Wi-Fi.
And cyber criminals like their VPNs, too.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 26, 2021.
U.S. President Biden met with industry leaders yesterday to formalize some cybersecurity national priorities.
Among the measures announced were a cooperative program between industry and the National Institute of Standards and Technology to bolster the security of the technology supply chain and the formal extension of the Industrial Control Systems Cybersecurity Initiative to natural gas pipelines.
Participants from industry committed to initiatives ranging from coupling insurance coverage to compliance with certain basic security standards, to investment in cyber workforce development, to committing resources to cybersecurity technology.
The initiatives that stood out involve development of security standards and offering incentives to follow them, training and workforce enhancement programs, and offers of free services.
Zero trust, multi-factor authentication, and risk management solutions figure prominently among these last.
The industry leaders in attendance specifically committed to these undertakings.
Apple will establish a program to push continuous security improvements in the technology supply chain. The company will work with suppliers, more than 9,000 of them in the United States, to, quote, drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response, end quote.
Google announced an investment of $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security. Mountain View will also help 100,000 U.S. workers earn industry-recognized digital skills certificates that will qualify them for tech jobs.
IBM also announced a training initiative. It intends to train 150,000 people in cybersecurity skills over the next three years. It will also partner with historically black colleges and universities to establish cybersecurity leadership centers.
Microsoft will invest $20 billion over the next five years for integration of cybersecurity into design and to develop and deliver advanced security solutions. It will also make $150 million in technical services available to government organizations at the federal, state, and local levels. Redmond also plans partnerships with community colleges and not-for-profits to deliver cybersecurity training.
Amazon will offer the public at no charge the same security awareness training it offers its employees. All AWS account holders will also receive multi-factor authentication devices.
Two cyber insurance providers, Resilience and Coalition, also participated in the meetings.
Resilience will require policyholders to meet a minimal threshold of cybersecurity best practices as a condition of their coverage.
This follows the historical pattern of the role insurers have played in other sectors.
Coalition offers, free to any organization that wants it,
the underwriters' cybersecurity risk assessment and continuous monitoring platform.
We'll have other coverage of the White House Cybersecurity Summit,
including industry reaction, in this afternoon's CyberWire Pro policy briefing.
The Belarusian Cyber Partisans seem to seriously intend the overthrow of President Lukashenka's government.
MIT Technology Review reports signs that the partisans may have help from inside the regime itself,
which suggests that should the regime succumb to this and other pressure,
and that seems unlikely, at least in the near term,
its fall will be at least as much coup d'etat as revolution.
There's been much discussion of cyber conflict in all of its forms,
from direct action by nation-state intelligence services through political hacktivism to cyber privateering,
and much of that discussion has been dominated by analogies that seem to suggest themselves,
cyber Pearl Harbor to take one or cyber 9-11 to take another.
Some of these analogies can be lazily or inaptly applied. But is it worth thinking about the role of analogy in a closer, more critical way?
Earlier this month, author Nick Shevelyov discussed his new book, Cyber War and Peace: Building Digital Trust Today with History as Our Guide, with SINET's Robert Rodriguez.
Shevelyov's purpose in writing was to explore the role of storytelling in arriving at an understanding of cyber conflict.
That storytelling involves not only historical analogies, but also proverbial narratives from myth and folklore.
It is, Shevelyov argues, a superior way of arriving at an appreciation of fundamental cyber principles.
Sometimes these stories are philosophical, like lessons the Stoics can teach risk managers.
Well, the ancient Stoics had this concept of a premeditation of evils, right? Think through all the things that can go wrong in your life and then start to reduce the probability of those events.
It's sort of like when you don't know what you really want, well, think about all the things you don't want, and then that will help narrow your direction.
And so I started this concept and templatized it and operationalized it of premortems as before we set out on a journey, on a project, on a program.
avoid those? And what are the things that we didn't want to talk about because of incentives and because of a sense of urgency and because of building risk into our very own efforts?
You know, risk happens when there's pressure, opportunity, and rationalization.
Shevelyov's target audience is, first, business leaders who wish to come to a better understanding of cybersecurity, and second, security practitioners interested in improving their ability to communicate with the teams and the organizations those teams serve.
The book has been available since August 18th. You can listen to the whole interview on SINET's website.
Researchers at security firm Zscaler's Threat Labs have released a report on scams and adware campaigns that accompanied the recent Tokyo Olympics. The conclusions are instructive because they illustrate the way in which high-profile events in sport and other cultural domains draw the attention of cybercriminals.
One of the more common fraudulent approaches Zscaler observed involved streaming services,
suspicious streaming services, ThreatLabs calls them.
Quote, These streaming websites are not associated with legitimate Olympic streaming providers.
Instead, the websites claim to provide free access and then request payment credentials from customers.
The sites often reuse a template that we've seen for many current events,
including NBA, Olympic, and football events.
Registering with the dodgy sites requires you to enter personal information, including paycard data, and the consequences of filling in the scammers' forms can be easily imagined.
There's also a lot of adware, and here too the bait is usually a free or discount streaming service.
Zscaler finds that many of these come-ons redirect to ads for sites devoted to betting, auto-trading, and the like.
They've also seen some direct social engineering intended to get users to install adware.
Quote, We've seen cases where users are redirected to install adware in the form of browser extensions and fake software updaters. In the case below, we can see olympicstreams.me directing users to install the YourStreamSearch browser extension. YourStreamSearch is a known browser hijacker.
So, sports fans, stream from legitimate sites only.
Digital Shadows looks at the ShinyHunters, the criminal group that claimed to have compromised data held by AT&T, claims AT&T denies, and notes their shift toward extortion and their here-today-gone-tomorrow mode of operation.
Whatever turns out to be the case with the claimed AT&T attack, the ShinyHunters will probably recede temporarily, then reappear with refined technique.
Application security platform vendor Cequence finds that bot operators, like legitimate users, are finding virtual private networks useful in obscuring their origin and infrastructure.
VPN services that don't limit the number of connections are proving valuable in mounting high-volume attacks.
So, some of the high-volume attacks benefit from the cloak a VPN can throw over other online activity.
There are likely a handful of electronic devices in your office that, as far as security is concerned, you tend not to give much thought to. Or if you do, you're confident that when they were installed and set up, the proper settings were put in place to isolate them from sensitive information.
Bentsi Ben-Atar is co-founder of cloud services provider Sepio Systems, and he and his colleagues have published a series of YouTube videos demonstrating common hardware vulnerabilities that could fly under the radar.
Obviously in the boardroom and meeting rooms, there's obviously a lot of sensitive information that is being presented there. So how difficult would it be to capture that data and exfiltrate it to an interested audience, so to speak?
So the attacker wanted to get all the information that is being presented, all the video that was being presented on a certain smart TV set that was located in a meeting room.
In order to do that, he used an internal abuser, in this case played by an evil maid, who was paid off to do a very simple task.
While she's cleaning the room, she plugs in a Rubber Ducky, which is a device that emulates keyboard functionality and injects a certain payload. Then she disconnects the payload.
The attack itself is very persistent. And then everything that is being displayed on that TV set is actually being recorded locally. And then the attacker, using a preset access point where the TV connects to, can actually get all the files that were captured and stored locally without setting foot in the victim's office.
Now, the cool thing about this attack is that we didn't need to manipulate anything on the TV. So it is actually an out-of-the-box TV where we use a very simple method where you actually can control everything on the TV by using the remote control.
And every smart TV and TV in general that has a remote control has also a USB input that allows it to connect an external keyboard.
So, you know, romantic as I would like it to appear or as professional as I would like it to appear, no reverse engineering, no malware, you know, flashy malware, just a basic built-in functionality that is being used by the attacker due to the fact that he decided to use the hardware aspect as his attack vehicle instead of trying to force his way in through network interfaces or things like that.
I'll tell you another nice story about that.
One of the pushbacks that we get is from the data centers guy.
They would say, argue to some level of what they believe to be true,
is that no one can go in and out of a data center with anything.
And then I told him, you know, there's one thing that can go in and out without any examination whatsoever.
He can visit the facility on a periodic basis, which is an important thing when you're an attacker.
And you never check what he brings in.
And the guy is the guy that brings the fire extinguishers.
And, you know, next to every rack in a data center, there's an automatic fire extinguishing system.
using a low-range exfiltration radio so that it won't be picked up by any flashy RF sensors or RF geolocation emitters or things like that.
And obviously, no one checks it.
No one scans the fire extinguishers.
And if you're a subcontractor, then you need to go on a periodic basis,
and you can change your storage devices,
you can modify where you're connecting your devices.
So it's a very easy setup.
And this is exactly what we're trying to generate awareness about.
The understanding that these devices do not require special capabilities and that the attack tools are readily available, whether through Hak5 shops or through AliExpress or online stores. The technology is very much available. You don't need to be the brightest engineer in order to master them.
And attackers understand the progress and the landscape of the cybersecurity measures that are being put in place in order to block them.
That's Bentsi Ben-Atar from Sepio Systems.
And I'm pleased to be joined once again by Chris Novak. He is the global director of Verizon's Threat Research Advisory Center.
Chris, it is always great to have you back.
You know, one of the things that people deal with when they are ingesting threat intelligence is trying to deal with that, what I've heard described as that fire hose of information.
You know, and in that, you can get a lot of false positives. I know that's something you and your team have been focused on here. What can you share with us?
Yeah. Great to be on the show again, Dave. Thanks. You're absolutely right. That's probably the number one complaint. There's almost that groan in the room the moment you say, hey, how about threat intelligence? And you kind of hear everyone go, that's, it's like the old days of IDS, you know, everyone's like, oh, wow, this thing is great. It's got all these blinking lights. I get, you know, a million alerts a day. And you're like, but then you have a million alerts you need to dispatch and figure out, right?
Right.
And so we said, look, there's, you know, the famous, there's gotta be a better way.
You know, so we worked with our team on this and we said, you know, it was actually kind of interesting from a threat intelligence perspective, us bringing something to the market. I'd say we were actually pretty late to the game, but that was, I would say, maybe almost intentional.
Part of it was regulatory. For years, we were not able to share because we were a telco, and there were some changes in the laws that allowed us to share, you know, essentially anonymized, aggregated cyber defense kind of data.
And so that really kind of took our handcuffs off and said, okay, now we can actually get into this space and share what it is we've always seen. Cause it was kind of, you know, the way I would describe it to people, it was like we were kind of sitting back, kind of looking at the internet like you'd see in the movie The Matrix, and we could see everything going on. We just couldn't talk about it. So that kind of unleashed our ability to talk about it.
And what we actually found was a lot of times when we look at these incidents, we find that they are, you know, rarely in isolation. About 80 plus percent of all the breaches we investigate are connected to other breach events. But a lot of times it's that connective tissue that you don't necessarily always have the luxury of seeing unless you're an ISP.
We've done a lot there to reduce the false positives to say, look, as we collect more data, you inherently have the potential for there to be more false positives. How do you reduce that kind of fire hose, as you mentioned?
And so one of the things that we did was, Verizon is a massive managed security services company. People may not necessarily know, but there are millions of devices around the world that we manage for customers, as well as millions of devices within Verizon that obviously our corporate security team manages.
And so what we put together was this concept of active false positive reduction, where we said, when our investigative team goes out and finds something, let's take that data that we would normally ingest into our feed, curate, and send out to customers of our intelligence feed, and let's bounce it against our MSS and our internal systems and see whether or not we get anything that lights up somewhere. And what can we learn from it?
Because one of the challenges we found a lot of customers had with threat intelligence is there's not a feedback loop. I mean, you think about it, if you subscribe to a news feed, you know, like a threat intelligence feed, you get data, but you rarely give data back to say, hey, this was a false positive or this triggered three times or a hundred times. In many cases, the threat intelligence feed provider has no knowledge of what you do with it after they've kind of flung the data over the fence to you. And that was another one of those, there's got to be a better way kind of thoughts.
And we said, all right, well, if we take that data and bounce it against all these millions of devices that we manage that are across, you know, essentially span the globe. So they've got a geographic footprint, span all industries. So we've got, you know, really little to no bias in the data. Let's see what lights up.
positives that are managed security services or internal corporate security teams flag, we can essentially tamp that down or remove that data altogether from the feed without a customer even having to be bothered by it.
Go one step further. If you have the ability to actually see demographics. So think about it, Dave. If you could see that an indicator of compromise goes off predominantly in Japan, and that's the only place you see it, you might start saying, well, hey, maybe let me see if I can enrich this intelligence a little bit further and find out, you know, why when I push this intelligence out to my globally diverse set of endpoints, do I only ever see it light up in Japan?
Maybe that tells me something about who the threat actor is. Maybe it tells me something about their motives.
It may not come right out and spell it out for me, but it gives me a thread that I can pull at to say, let's enrich this a little further. Let's answer the question of why.
Is there a danger that, you know, something that is a false positive to me may be a very interesting bit of information for you?
Ah, excellent point.
So there's always a chance of that.
But one of the things that we look at there is typically a false positive is not going to be removed or indicated as a, quote, false positive just based on any one flag.
So if one entity says, hey, this is a false positive, or one endpoint we manage, it kind of looks like a false positive, what we're looking at is data on an aggregated level. So we have millions of endpoints in which we're collecting data on.
If one or two flag it as a false positive but hundreds, thousands or tens of thousands say this is actually good, it may actually be whoever it is that flagged that as a false positive is wrong or doesn't have as big of a picture view as maybe some of those other endpoints do.
And so that's where that kind of, there's a machine learning element to the back end to kind of collect and aggregate the feedback that we get and essentially score it. So if we say, hey, this response is typically always very well received and this response is often wrong, we can actually take that into the bigger picture view as we determine whether or not do we mark it as a false positive or not? Or do we just reduce the confidence in it as opposed to flat out marking it as a false positive?
All right. Well, fascinating stuff for sure. Chris Novak, thanks so much for joining us.
Thanks, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening. We'll see you back here tomorrow.