CyberWire Daily - Apple patched this week—how are your systems? Lastpass working on a patch for an undescribed bug (said to be complex). What IT staff actually work on. And a long talk about emerging Administration cyber policy.
Episode Date: March 30, 2017
In today's podcast, we hear about Apple's patches issued this week—how are your systems? Lastpass is working on a patch for an undescribed bug (said to be a complicated one). What IT staff actually work on. Politico's Eric Geller discusses emerging Trump Administration cyber policy. Emily Wilson from Terbium Labs outlines the data breach timeline.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
LastPass is working on a patch for an undescribed bug.
What IT staff actually work on,
Eric Geller from Politico joins us to talk about emerging Trump administration cyber policy,
and have you patched your macOS and iOS devices?
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 30, 2017.
Today we'll be talking about the new U.S. administration's emerging cybersecurity policy, but before we get to that, a few quick observations about developing news.

LastPass, the widely used password manager, was praised last week for their swift response to a vulnerability disclosed to them by white hat researchers. Google's Project Zero has found and disclosed a second bug. This one is more complicated, and it's expected it will take LastPass some time to fix it. Exactly what that bug is isn't generally known, and Project Zero and LastPass, who do know, are sensibly not telling. So far, there's no known exploit for the vulnerability in the wild.
Gemalto's report on data breaches in 2016 claims that nearly a billion and a half data records were obtained by cybercriminals last year. We heard from Robert Capps of NuData Security, who commented on the report. He sees criminals targeting large databases to get as much personal consumer information as possible. They then correlate data from multiple breaches to create detailed profiles of individuals. Those profiles can then be used for identity theft, banking fraud, account takeovers, and other crimes. And as we heard yesterday at ITSEF, many of those criminals, particularly in Russia, work hand-in-glove with intelligence services, whose appetite for data has traditionally been insatiable.
Here in the U.S., we're only a couple of months into the Trump presidential administration, and it's fair to say the transition has had its fits and starts. Eric Geller is cybersecurity reporter at Politico, and he joined us from Washington with his take on President Trump.
He takes a military-centric approach to cybersecurity. Throughout all of his speeches, he has made sure to emphasize that he wants the Pentagon to be taking the lead. A number of his more concrete cyber policy promises involve a complete overview and an audit of the entire federal government computer system, looking for vulnerabilities, and the development of new offensive capabilities. So you have the defensive and the offensive sides there. And with both of those, he originally said that he wanted the Joint Chiefs of Staff and his Secretary of Defense to present him with a way of going about that. Now, whether that actually ends up happening, it's unclear. Of course, we're waiting for the executive order on cybersecurity, and that is not expected to be led by the Joint Chiefs. It's expected to be led by the Office of Management and Budget. So already you can see that his initial way of thinking has been sort of moderated, if you will, by the bureaucracy. But that is certainly his philosophy, is that he sees cyber as a military domain, first and foremost. I don't know necessarily if he understands exactly what the Department of Homeland Security does in this space. I think he is much more familiar with Cyber Command and the National Security Agency. And that, I think, is going to color a lot of the discussions that we have or that the government has with the public and amongst themselves about exactly how we want to pursue these different policy options. Because he's coming at it from a perspective of let's give the military more money and more power and more authority. Those are already things we can see happening in the non-cyber context. And so my question will be, what happens to the development of international norms at the State Department? What happens to public-private partnerships with security researchers at the Commerce Department? Of course, what happens to DHS programs? These are all avenues that, you know, we here at Politico are tracking very closely to see if we can get a sense, an early sense, of what it means that his focus seems to be so much on the military.

Yeah, you know, we were all expecting the executive order not long after the inauguration. It was said that we actually had a date, you know, we were expecting it, and then it got put off. When it got put off, they said it wasn't going to be too long, and here we are still waiting on it.

My understanding is that they had a first draft written essentially by transition team people, which I think was, you know, obviously that was leaked. That was widely questioned for some of the ways that it was written and for some of the things that it contained. They overhauled that. They did a second draft, which was also leaked. They were getting ready to have the president sign that. In fact, we were briefed on kind of where it was going to be going the morning of the signing day. And then he had a meeting in the Roosevelt Room with Mayor Giuliani and Jared Kushner and former NSA director Keith Alexander, some of the outside people who have been advising him on cybersecurity. And he said, we're going to go and sign this thing later. And then we were told that it had been canceled. So I don't know that that has ever happened where they've canceled a signing that close to the actual signing time.

Is there a sense from insiders in terms of, is cyber within the government something that maybe doesn't need to be the top priority, or there are other things that take appropriately higher priority in the first 100 days of his administration?

Well, I think if you talk to the career staffers who have been there, been working on this for quite a long time, they will tell you that they see cybersecurity as an incredibly important issue, particularly in the wake of some of these damaging hacks that we've seen over the past few years. And those were not necessarily super sophisticated. In a lot of cases, those were taking advantage of spear phishing, social engineering, things that involve training and protocols, perhaps more so than, you know, locking down the networks with super high grade firewalls and things like that. And so the people who have lived through that, they understand that this is an issue that you have to constantly train on. You have to constantly equip people with the right tools and the right knowledge. And so, you know, it remains to be seen whether the political appointees who have come in see that as a pressing issue. I think, you know, look, you look at the first two months and they've been focused on a lot of other things. You know, I don't see cyber as something that the president feels like he got elected on, he needs to deliver on right away. And he certainly didn't. He got elected on a number of other issues. And so I think this is an issue where, yeah, people are working on it in the background and they're trying to evaluate whether they want to keep a lot of these Obama-era directives. The Obama administration did a lot on information security and they started a number of progress reports and upgrades and overhauls. And I have to say, I would be surprised to see a lot of that end just because it's not controversial. It's the kind of thing that if you have experienced cyber professionals, you know, chief information security officer, that kind of thing, those people are not going to recommend that the Trump, you know, OMB start killing these programs left and right. So I don't see a lot of change on that kind of non-political side of things. I think what you will see is, you know, this is a business-friendly administration. There are regulations that relate to data breaches, that relate to risk management and compliance. And so we could potentially see some changes there, but I think it's too early right now to say exactly what form that's going to take.

All right. Eric Geller, thanks for joining us.

Sure thing. Thank you.
The software lifecycle automation shop 1E has released a study of how IT professionals actually spend their working lives. The key finding is that, as a group, IT pros are in a reactive profession. They asked more than 1,000 what they do at work and found that, on average, IT workers spend 29% of every day reacting to unplanned incidents and emergencies. More than half of them spend between 25% and 100% of their day on such emergencies. The most common incidents are outages and performance issues. About half of the incidents are discovered within an hour, but the mean time to fix them is more than five hours. And the bigger you are, the worse it seems to get. Companies with 50,000 or more seats are three times more likely than smaller enterprises to take more than a week to resolve a business-critical request.

And finally, for all you Apple users, we hope you've applied the important patches Cupertino issued earlier this week. The patches fix 23 kernel-level vulnerabilities. The affected products include not only macOS Sierra 10.12.4 and iOS 10.3, but also the iWork suite. Take a look at your systems and update as required.
And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, there's this notion of hope for the best and plan for the worst. And when it comes to having your information exposed online, there's timeline issues that you sort of have to deal with. It may be that when the information gets out there, that might not be the end of it.

That's true. You know, in some cases, people are leaking information as soon as they gain access to it, right? It's a much shorter timeframe. And then even then you're dealing with the fallout of, great, all of my customers and all of their information is now online. I'm going to have to deal with this for years to come. In other cases, though, and I think, you know, all of the quote unquote legacy breaches we saw at the end of last year are a good example. You know, just because your information was exposed doesn't mean it's going to be leaked right away.

What do you mean by a legacy breach?

You think about things like LinkedIn or Tumblr. These were older breaches. These are from years ago, or poor Yahoo, right, wouldn't want to be in that position of, you know, oh, we found a breach, we found another one a little bit older than that, right? These are things that happened years ago that we're just hearing about now. And I think that there are a lot of instances where the headline is, you know, company is breached, all of their customers were exposed, there's no evidence yet of information being leaked online. That doesn't mean it won't happen. In a lot of cases, there's a lot of benefit in waiting to show your hand at the right moment. I think we're going to see over the next couple of years, as this becomes increasingly commonplace, information from breaches that happened this year that we haven't heard more about yet. You know, a good parallel here is the RNC and the DNC were both hacked. Obviously, we've heard quite a bit about the DNC. We haven't really seen a bunch of RNC data yet. Will we ever? I don't know. On the opposite end of the spectrum, the parent company for Hello Kitty had a bunch of their information exposed, right? And a lot of this is actually minors. Will we see this information end up online for sale? Will it end up leaked somewhere? I don't know yet. But just because you've been breached and it hasn't shown up online yet doesn't mean it won't ever.

And what a situation to be in. If you know they've gotten the goods, now what? The worst may be yet to come.

Right. And, you know, it's sort of the issue of the devil you know versus the devil you don't. You know, if someone's leaking information, then you can at least get a sense of what they have. If you're not sure what they got away with, if they have access to everything, what were they going for? What's their plan? Were they looking at your customer records? Were they looking at your HR records? Were they looking at your donor list? What were they doing? And just because they released certain pieces of information doesn't mean that's all they have, right? And so you're stuck in a situation where you don't know what they got away with, you don't know what's going to be exposed, if it's going to be exposed. You can't be lulled into this false sense of security that, you know, we had a breach last year, we haven't heard anything yet, so I'm sure everything is fine. That's just not the case.

It may just be that you need to wait a few more years. Someone's biding their time, waiting for the right opportunity to maximize their return on that information.

It's true. And it may even be a situation where someone kind of gets all of the benefit that they wanted to get out of whatever information they took, and now they're going to just dump it for vandalism because they can. You know, that final blow of maybe I'm done exploiting your customers, or maybe I got whatever kind of piece of sensitive information or intellectual property I needed. But as insult to injury, here are a bunch of your internal emails. You're welcome.

Not fun to think about. All right. Emily Wilson, thanks for joining us.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.