CyberWire Daily - Airline breach bigger than thought. Securing Mexican financial institutions. Demonbot vs. Hadoop. New decryptor out for GandCrab ransomware. Civilian Cybersecurity Corps?
Episode Date: October 26, 2018
In today's podcast, we hear that British Airways' breach has gotten bigger. Mexico's financial institutions say they've contained the anomalies in interbank transfer systems. "Demonbot" is infesting poorly secured Hadoop servers. Google receives criticism for slow action against ad fraud. Bitdefender and Romanian police produce a decryptor for GandCrab ransomware. Discussion of a "Civilian Cybersecurity Corps": are white hats the radio hams of the Twenty-first Century? Daniel Prince from Lancaster University joins us to talk about quantum hardware primitives. And Britney Hommertzheim, director of information security at AMC Theaters, sits down with Dave to talk about building partnerships within your organization to strengthen security's role. For links to all the stories mentioned in today's podcast, check out today's Daily Briefing: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Mexico's financial institutions say they've contained anomalies in interbank transfer systems.
Demonbot is infesting poorly secured Hadoop servers.
Google receives criticism for slow action against ad fraud.
Bitdefender and Romanian police produce a decryptor for GandCrab ransomware.
Discussions of a civilian cybersecurity corps.
Are white hats the radio hams of the 21st century?
From the CyberWire studios at DataTribe with your CyberWire summary for Friday, October 26, 2018, I'm Peter Kilpe, executive editor, sitting in for Dave Bittner, who's probably wishing about now his vacation was just a little longer. He'll be back in your earbuds on Monday.
The British Airways breach seems to have gotten a little bigger. The airline has disclosed that 185,000 additional customers were also affected and that credit card information was among the data exposed.
Insurer AXA said yesterday that its customers' information and resources were unaffected by the cyberattack it discovered on October 22nd. AXA noticed anomalies in its transactions carried by the interbank payment system, SPEI, and notified Mexico's central bank, which placed the country's financial sector on heightened alert.
NewSky Security and Radware are warning of a botnet that's been quietly establishing itself in poorly secured Apache Hadoop servers. The intention appears to be to use the compromised servers for distributed denial-of-service attacks. Radware calls the infestation DemonBot; it was first noticed in NewSky honeypots late this summer. Researchers for now think that the botnet is the work of skids, but it's yet another annoyance to deal with.
In the U.S., Senator Warner, Democrat of Virginia, has asked the Federal Trade Commission to look into what he characterizes as Google's inaction against ad fraud. His letter was prompted by a report in BuzzFeed that Google had been sitting on its hands with respect to ad fraud for some time. The article also prompted Google to move against the particular kind of ad fraud BuzzFeed had described. Google hadn't been as utterly inattentive as one might conclude from the senator's letter. Mountain View had, as SecurityWeek points out, previously blocked websites from its ad network when they violated Google's policies. What's new is that Google has now moved against applications involved in the fraud. The action seems late to Senator Warner. His letter decries, quote, inattention to misconduct within the app store, unquote. He also complains that Google did not see fit to conduct a more thorough investigation of ad fraud when researchers brought the matter to its attention in June. The senator calls it, quote, willful blindness.
After the break, we'll hear Dave's recent conversation with Daniel Prince from Lancaster University, who shares his thoughts on quantum
hardware primitives.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, welcome back.
We wanted to talk about quantum hardware security primitives today,
and I have to admit, you sent that topic over.
I'm intrigued.
What are we going to cover today?
So this is based on some work that I'm doing with a spin-out company from Lancaster University called QuantumBase and some of the work that some of our physicists are doing over in our physics department. And instead of trying to bite off the whole quantum problem, building a quantum computer or doing complete quantum key distribution, the approach that we've started to adopt here is to actually think about how can we use quantum effects to really provide some of the primitive functions within traditional cryptographic solutions.
And so some of the things that we're looking at here are things like random number generation and unique identifiers, which, because of their quantum and their physical properties, means that they are impossible to replicate or clone. But because they're operating on a very small scale, it enables us to embed quantum-like effects into our standard integrated circuits.
The beauty of that, I mean, is that what we can do now is start to increase the security capabilities of some of the standard cryptographic processes that we have.
So if you take, for example, the quantum random number generator, instead of using a pseudo random number generator in terms of cryptographic processes, we now have a source of true random number generation. Now, some of these elements have been around for a very long time. So we've had quantum random number generation, particularly using optical processes. But they require a lot of technology and are often quite large. A number of the systems that are currently available are a full line card or a full card for a PC, and some of them are even dedicated pieces of equipment. What we're trying to do is get them down to very, very small scales so these capabilities can be embedded into chipsets.
What's interesting is when you start to move to have quantum elements within standard cryptography, you improve the overall quality of the cryptographic approaches that you have. And that improves the security for everybody without having to have the wholesale leap to a complete quantum computer or complete quantum key distribution. And so it's that intermediate step before we go straight into having quantum cryptographic solutions for everybody.
Daniel Prince, thanks for joining us.
GandCrab ransomware has been making a pest of itself for some time. But now, thanks to some cooperation between Bitdefender and the Romanian police, the NoMoreRansom project has released an improved free decryption tool for this malware strain. It's an update to the earlier decryptor. This edition works against GandCrab version 1 with a GDCB extension, version 4 with the Crab extension, and version 5 with its random 10-character extension, the latest model of GandCrab on the street. They're still working on a decryptor that will unlock data affected by GandCrab versions 2 and 3, but we agree with Europol that this is nice work, so bravo Bitdefender and their colleagues in the Romanian police. That sort of cooperation makes one think of some other ways in which private persons and businesses can contribute to such matters of public good. We note that many, probably most, do so already, and Bitdefender's release of the decryptor is by no means unusual in the industry.
But some are considering ways in which this kind of action can be taken further.
The New America Foundation, for example, has published a study calling for the formation of a civilian cyber corps. The volunteer body would, the study says, help redress shortfalls of cybersecurity labor. It's to the authors' credit that they don't simply do some lazy hand-waving in the general direction of the National Guard. As they put it, quote, the organization would be modeled after a blend of cybersecurity organizations in other nations and proven models in other domains of security and safety inside the United States, specifically the Civil Air Patrol, Coast Guard Auxiliary, or volunteer firefighters. The goal would be to better involve and mobilize the wider community in tackling core needs that are unlikely to be met through existing structures, unquote. It would function as an auxiliary of the Department of Homeland Security, and the organization would work mainly in three areas. One, education and outreach. Two, testing, assessments, and exercise. And three, on-call expertise and emergency response.
We stress, of course, that this is one think tank's proposal
and not an existing or planned government program.
But it's worth considering, since we hear similar ideas floated
in various conferences and policy symposiums.
We might suggest a few thoughts of our own on the matter. First, it's good to see the study's authors focusing on specific areas, as opposed to offering the sweeping rhapsodies about whole-of-nation engagement one so often hears. Second, it's worth noting that there's a regular market for all the kinds of services the authors list. There isn't a comparable market for search and rescue or firefighting, and it would not be a trivial matter to structure a volunteer corps in ways that don't compete with or displace that market. The study does point out, sensibly, that bug bounty programs amount in part to a mobilization of hobbyists. They don't overstate this. It's clear that participation in bug bounties is also a kind of job, either in the gig economy or even for some businesses. But there are enough white hats who do this as a side hustle to make the point worth considering.
Bug bounties do pay successful hunters.
Regular trade does provide essential services.
Food, for example, is sold by groceries and supermarkets, and it's an important and legitimate business.
There are community food banks that seek to provide for those who can't, for one reason or another, participate in that market.
Could a civilian cybersecurity corps take some lessons from food banks? Or would its activities map narrowly to what Washington calls inherent government responsibilities? That is, the kinds of things you don't leave to the market, like the Army's ground combat functions or the courts' role in trying criminals.
Third, they suggest education and inspections as possible activities for their proposed corps.
The model here would be the Coast Guard Auxiliary with its safety inspections and boating safety classes.
They'll help you see that you've got a problem with your boat, but they're not going to fix it.
That's a job for the boatyard, and the training they offer is solid, but at the enthusiast level.
They have no intention of putting the Maritime Academies out of business.
Fourth, it's with respect to the kinds of emergency response that the study seems on its strongest ground.
The study's authors take the Civil Air Patrol as the principal model here,
although volunteer fire departments and the Coast Guard Auxiliary offer some analogies as well.
We'd like to offer, in our own volunteer spirit, a possibly instructive analogy we haven't encountered elsewhere: ham radio.
Amateur radio has long had a good reputation for providing emergency communications into areas hard hit by natural disasters.
This is less true today than it was in the glory days of ham radio, the 50s and 60s,
largely because of improved resilience in telecommunications and emergency service networks.
But there may be lessons there as well.
The American Radio Relay League would be the place to start. You can find them at arrl.org.
They've been around for a little over 100 years,
and the cyber sector may be able to learn a thing or two from them
about volunteering in the public spirit.
Britney Hommertzheim is the Director of Information Security at AMC Theaters.
When we come back, we'll have her conversation with Dave
on building partnerships within your organization to strengthen security's role.
My guest today is Britney Hommertzheim. She's Director of Information Security at AMC Theaters, the largest movie theater chain in the world, with over 10,000 screens in nearly 1,000 theaters worldwide. She's responsible for the development and implementation of AMC's global security strategy. She oversees all security personnel and ensures security concerns are addressed at the executive level.
So when you think of a theater, you don't really think about all the different interactions and different types of networks that you have, as well as the data that you have to protect. So if you think of a store, a theater is similar to that. So we have transactions and merchandise that happen. We have third parties that are actually streaming the feeds to the actual cinema. And then a big chunk of our focus goes on our loyalty program. So anyone that signs up using one of our loyalty programs, we have a duty to them to protect their data that they provide us as well.
And so how do you protect each of those systems individually? And is there crosstalk between them? What's your approach to that?
All of our environments are fairly well segmented. Some of those are proprietary feeds, so like IMAX, those types of things. We generally keep separate. Of course, our PCI environment, we keep separate. Our corporate network is a little bit different than what hits our website. So everything kind of, we try to segment it as much as possible.
So today, one of the things we want to touch on is this notion of educating your board and getting your security projects funded. So what is your approach to this? What is the interaction you have with your board?
I generally talk to them. We have our board meetings every quarter. So it is my responsibility to kind of give them the threat landscape at what we're looking at, some of the projects that we have going on and where to take it next.
And has the board been open to your message?
So when I originally started here, and I think this is a good place for everyone to start, generally boards and executives only come into contact with security via media feeds. So anything that they see on TV or they hear about on the radio, they're generally interested in that. Security is relatively new. So being able to change that into a business approach and explain those things in a way that they understand can be very difficult. But you have to know that you're going to be asked about those things. So you have to be prepared and be able to relate that to your business.
Now, in terms of getting things funded, what's your approach there?
So first, you need to understand your executives. So what motivates them? Is it just fear, not being that headline company? Is it more compliance related? So maybe audit findings or the penalties that come along with those? Are they more interested in reputational brand damage that may hurt their stock prices? Are they looking to get some financial gain out of having these security capabilities? So first you need to understand what your executive team wants, what motivates them to invest in security. A lot of times you'll be asked to compare to other industries. So this is kind of something that you want to be cautious about. So whenever you're talking about your industry vertical, and they start looking at these other companies, you have to start thinking about what is the size of the company that you're comparing yourself to? Are they the like industry? Are they feeding and protecting the same type of data? And then most importantly, is their program successful? A lot of times we see all these metrics and these dollars behind businesses of this industry of this size that are spending X percent of their IT budget or X percent of their annual budget on security. But how effective is that? So you have to be a little bit cautious when you start comparing companies and like verticals.
Yeah, that's a really interesting insight. How do you handle pushback from the board?
It depends. I don't, I guess is the answer. I really take the approach that my job is to educate the board. So if I can effectively communicate the risk, I have to be okay with them taking the business approach and saying, that's not in the cards for this year, or there's another project that's going to need to be funded over this, and them accepting that risk. So I don't necessarily push back, but if I fail to educate my board so they can make educated decisions, that's certainly on me.
I guess my first step in this strategy is starting to create a security committee. And this security committee is comprised of various business leaders. So you want to have anyone from marketing, HR, certainly IT, but a representative from each part of your business be a part of this security committee. And you need to understand what's important to them. So how is the business making money, first of all, and those are the first things that you need to think about defending. But before you can start to put those processes in place, you should start creating these partnerships, understanding your executives, understanding your board members. Sometimes this means lunches or coffees or walking and knocking on someone's door. It takes a lot of time to do this. But what you gain in this, you start to understand your business partner's objectives. If I'm talking with HR, I need to understand why they need to click on that attachment, right? It's probably a resume; their job is to open up the resume. And you have to think about how your security projects are going to start to impact and affect the way that they do their day-to-day business. Is this going to be something that's going to help them? Is this going to be something that hinders them? Because if it's going to be something that hinders them, they're probably going to figure out a way to work around it. I like to think that everybody really wants to do their job. And maybe that's me putting on my rainbow glasses, but I feel like people want to do a good job. And so they're going to figure out a way to make the business more effective, make their department more effective in streamlined processes. So you have to figure out a way that you can integrate your security projects that actually improves their job function. So one of the things that I like to do is when I sit down and I'm creating these partnerships is ask them, if there was one thing that would make your job easier, what would that be? Sometimes you get information sharing. Sometimes it's being able to have this type of tool. Well, that's good for me to know because then I can go back and I may see a bunch of people across the business. Security is kind of unique in that it crosses multiple departments. So you can start seeing consistencies in the actual business and provide a tool that may actually help the business. And once you're able to do that, you create that partnership, then you start generating these business champions. And so these are the people that you've actually helped along the way. These are the people that are going to start feeding your security message for you. And once you start to get these people on your security committee, these business leaders that you've made changes and improvements in their department, you start to really get the ball rolling, right? People are starting to buy into this idea of security, that it's no longer a hindrance. This is a security department, a security team that can really provide some value to the company.
That's Britney Hommertzheim from AMC Theaters.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. We'll see you back here tomorrow.