CyberWire Daily - BlueKeep, again. Facebook’s cryptocurrency play. Updates on alleged or suspected electrical grid hacks. Catphishing and spying. Compromised social media accounts.
Episode Date: June 19, 2019. More advice to patch BlueKeep, already. Facebook announces its planned launch of a cryptocurrency, Libra, to the accompaniment of considerable acclaim and at least as much skepticism. Updates on alleged power grid cyber operations. Catphishing and the adaptation of traditional espionage craft in the digital age. And cheap sunglasses turn up as phishbait in compromised social media accounts. Justin Harvey from Accenture with thoughts on tabletop exercises. Guest is Tom Hickman from Edgewise Networks on access control and zero trust. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More advice to patch BlueKeep already.
Facebook announces its planned launch of a cryptocurrency, Libra,
and is greeted with considerable acclaim and at least as much skepticism.
Updates on alleged power grid cyber operations, catphishing and the adaptation of traditional espionage craft in the digital age,
and cheap sunglasses turn up as phishbait in compromised social media accounts.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 19, 2019. If you haven't patched BlueKeep yet, you might want to get on the
bandwagon. Microsoft and NSA have urged you to do it, and the U.S. Department of Homeland Security's
Cybersecurity and Infrastructure Security Agency this week has said users should patch
vulnerable systems immediately. It certainly looks as if it would be unwise to sleep on this one.
Facebook will soon launch its own cryptocurrency, Libra, complete with its own wallet, Calibra.
The announcement prompted concerns from regulators and legislators in the U.S.,
France, and Germany over antitrust, privacy, banking, and sovereign currency policy.
We've got some follow-up on stories that broke earlier this week.
First of all, that news alleging that the U.S. implanted malware in Russia's power grid
in an apparent move toward deterring Russian cyberattacks against the U.S.
remains where it was when the New York Times broke its story at the beginning of the week.
Observers tend to regard the alleged activity as problematic,
but nonetheless arguably legitimate as a deterrent or reprisal.
Note again that the New York Times story describes preparation, not actual attacks.
Argentina's blackout remains under investigation, but the likelihood that it was caused by a cyber attack seems increasingly remote.
IEEE Spectrum's account of preliminary findings suggests that the outage was caused by disconnection of two 500-kilowatt transmission lines. The failure took place in the section of
Argentina's interconnection system that supplies the grid with power generated by two major
hydroelectric plants. One of the lines seemed to have failed in a short circuit. The other appears
to have been disconnected by an automated system. Automatic load-shedding mechanisms that ought to
have contained the outage failed for reasons still
unknown. Investigation is in progress, but it seems likelier that the outages were the result
of accidental failures than they were of a cyber attack. Many organizations, in addition to threat
and vulnerability detection, are implementing micro-segmentation, enhanced access controls,
and zero trust to better protect themselves and their employees.
Tom Hickman is vice president of engineering at Edgewise Networks.
One way that I think about this problem space is really personal.
I've been building and deploying SaaS solutions since 1999, 2000.
I was in networking management before that. And then in the year 2000, I started working at a company that was doing early-stage software as a service before software as a service was even a term that was in vogue.
And what we faced was a nearly constant threat of attack that, again, you know, early days of cloud computing, early days of, you know, the sort of ubiquity of awareness about
cybersecurity threats. And I've been either fortunate or unfortunate to always be working
in companies that were data rich, that were, you know, extremely relevant targets for espionage or
for, you know, cyber risk and data exfiltration. So I've kind of been in the front lines of what has been
a cyber cold war for a long time as the cold war has heated up. And from that perspective,
the kind of modern view of the threat landscape, which essentially presumes that there's two kinds
of companies, those that will be breached and those that have been breached couldn't be more true. And that I think is really what's kind of led me on my
personal journey to kind of feel a, you know, strong sense of resonance with the zero trust
position and messaging. What's the evolution there? What's new about this?
What's new about zero trust is really sort of taking a more, from our perspective here at Edgewise, a more app-centricervices became en vogue, as ephemeral and auto scaling infrastructure came into place.
And where we come in and what I think the evolution of the industry really is, is to be more granular in the sense of looking explicitly at applications that are communicating on the wire, and then more resilient,
I think, to change, where we're able to look at things that are statistical aberrations and begin to layer controls over things that are anomalous, right? So you could think of it almost
as intrusion detection on your East-West communications inside your network. So it
would be things like from your data tier to your app tier. Now, suppose I'm someone who's going about my day-to-day business, working in
an organization that has adopted zero trust and things like micro-segmentation. What's going to
be different for me? Anything? I think day-to-day, nothing will be different, except you'll be in a
more secure position and you'll be less likely to have data exfiltration
from spreading from any sort of toehold that an attacker might get in a network.
Again, taking this from a personal perspective and part of why I'm excited to be here and be
building this solution, as a DevOps practitioner, my day-to-day life gets easier when a solution
like what we're building here at Edgewise is in place. I could bore you
with war stories for hours about the number of times that I've been woken from a cold dead sleep
at three in the morning because the network team did a firewall change and the app that I'm
responsible for, that my teams are responsible for, suddenly, right? Where today, what we're able to do as
application-aware microsegmentation, the firewall changes of yore are essentially obsolete, and we
would deploy our solution into an environment where the policy is sort of already, you know,
essentially pre-configured. And by virtue of that, we don't have the late night wake-up calls. We
don't have the rollback of firewall changes to have to kind of peel back, you know, with a gun to our head because we just induced a service outage.
I'm curious, are there some positive unexpected consequences?
I'm imagining that through this process, you could uncover incidences of well-intended shadow IT.
Well-intended shadow IT. And then just,
I think also in general, the level of complexity of any large distributed system is approximately unknowable by any one person. So not only do you get to see the shadow IT, you get to see the
systems that have been set up and deployed that are doing key critical business services that you had no idea about. You also get to see a topology map and a
kind of 10,000 foot view of the way that your core and key business services work.
That's Tom Hickman from Edgewise Networks.
In the wake of stories about catphishing on social media, where Ms. Katie Jones turned out to
be nobody at all, just a face generated by AI and an impressive resume designed to draw the eye of
policy and security wonks, ZDNet took a look back at recent FBI counterintelligence warnings.
The Bureau advised current and former holders of U.S. government clearances of the ways in which foreign intelligence services are using social media to recruit sources.
The approaches they discuss show the ways in which long-familiar techniques for recruiting agents
are being easily adapted to an online world.
The Bureau says foreign intelligence services have, for example,
been operating booths at technical trade shows.
These are obviously booths for front organizations, organizations that appear to be what they aren't.
Nobody is going to show up on the floor of RSA or Black Hat with a pull-up banner that says,
GRU, innovation for a better world, or Lazarus Group, working with you to build the future,
or Fancy Bear thinks disruptive technologies are
just right. At least we've never seen them. No, the booth would be for, let's say, the Acme company,
and they'll want to scan your badge and they'll be happy to exchange business cards. At least some
of the people approached at the shows gave personal information because they apparently
wanted to stop the booth's people pestering them.
Hey, I don't have purchase authority. Why do you still want to sell me something? Look,
here's my card. Good luck to you. Don't take this the wrong way, but I'm going to go across the aisle and I'm going to get a free t-shirt. Have you ever had such a conversation? Most of
us have. The personal information exchanged was minimal, usually just a business card,
but useful nonetheless.
The foreign intelligence services followed up with requests to connect over social media.
Ever connected with someone because you vaguely remember meeting them at a conference
and maybe you're worried you were rude, so you want to be nice?
Yeah, us too.
And finally, who doesn't like cheap sunglasses?
Well, Ray-Bans aren't cheap.
They'll run you between $150 and $200.
But what if they could be had for cheap?
Would you jump at the chance to pick up some Wayfarers for 90% off?
What's that you say?
You just saw an ad on a friend's Instagram wall?
You don't say.
Well, don't believe it.
Don't click and don't go there. It is, of course, a scam.
And it's not just Ray-Bans being dangled either.
Other famous brands are being spoofed as well.
The scammers use hijacked accounts to chum social media with their phishbait.
If you see this kind of thing on one of your friend's accounts,
let the friend know.
Their account may have been hijacked.
Recovery of an Instagram account that's been wrenched away from you has been notoriously difficult.
But as Naked Security points out, Instagram has just said it's made the process easier and less painful.
According to Naked Security, which is published by security firm Sophos,
you can recommend that your friend first change their Instagram password, make it a strong one,
second, set up two-factor authentication,
and third, take a look at access they've granted to third-party apps or services and revoke any they don't recognize or use or ones that look suspicious. The chance of getting some discount
aviators just isn't worth it.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident leader at Accenture. I wanted to touch today on tabletop exercises, and I wanted to get your take on
what's good, what's bad, what's the right approach, what's not. You have some good opinions here. What
can you share? When I think about tabletops, my geeky mind goes to Dungeons and Dragons
that we played in the 80s and the 90s. In fact, Dave, I don't know if you know this, but they're still playing Dungeons and Dragons and it's just as popular today. It's a great social interaction.
My son, Jack, who people know because he comes on the show every now and then, just started learning Dungeons and Dragons. So it is alive and well and it makes me smile. But yes, go on.
So tabletops in the cyber defense aspect, there's kind of a spectrum. On the light end,
there is your typical D&D style approach. You have all the executives around a table,
you have a game master, aka dungeon master, that says, okay, and I've seen various iterations of
this. There's the classic, just make it all verbal paper-based. I've seen one of our competitors out there, they have a little card game.
There's all sorts of approaches to this, but it's essentially a role-playing exercise where you're
at the table and the dungeon master, the game master says, now someone has encrypted all of
your customer data and they hand them a card maybe with some of the technical
details and the CISO looks at it and says, oh my gosh, and she runs over to legal and brings them
over. It's a very big paperwork exercise. And then on the other end of the spectrum,
there is what I would consider full-blown simulation, but not in your environment.
So there are facilities out there that people that are
cropping up that people are going to, and they're bringing their executive team, like the CISO,
the director of IR, legal, PR, marketing. They all show up at a third party site.
All the systems are laid out. They go through the motions of a normal day, and then they're
hit with a cyber attack and they bring in actors playing CNN reporters. And it's very executive-centric. In my opinion, the best approach to this is a hybrid
approach, which is doing it in the environment of the organization. I like to run scenarios where
we're in their environment, where they are comfortable using their own systems. So we've
done simulations where we take one of their laptops and we load some indicators of compromise on there, not live
malware, but sometimes we'll put on some inoculated malware, some indicators that are definitely going
to trip the AV, and we go hide the laptop in the building. We like to see a scenario where you force the technologists and the executives to get out of
their comfort zone, and for me that is the most important thing. It's really making them uncomfortable,
not just going through their motions where it's just a normal day of work and they high-five at
the end of the day and it's Miller time. I'm talking about really presenting them some of the hardest questions and hardest scenarios that we've had to deal with. For example, one of the scenarios that
we run that is based upon a real case is executives love to say, yes, we're not going to pay any
ransom. It doesn't matter. We are a no ransom environment. So if we get held for ransom,
we're just going to restore from backups. And that's when the dungeon master or the game master looks at them and says, okay,
your manifest for all of your backups that you have at your offsite backup is now encrypted.
What are you going to do? And they look at, they say, oh gee, we didn't anticipate this.
Okay. We're going to recover. Okay. It's going to take you 60 days to recover. And in that period
of time, you're not going to be able to ship product or
take money because your ERP system is down. Oh, gosh. So now you're looking at, do you go bankrupt
or you put 50,000 people out of work or do you pay the ransom? Let me roll a 20-sided die and
see how that comes out. It's more like a Sophie's Choice, right? It's like, do you pick this over
principles or do you pick this over restoring
that? You know, back to the tabletops thing, I really like to see custom-made scenarios that
are really tailored for that industry. And that really throws the curve balls out to make them
think through some of these problems. So if, and when it does happen, they feel like they have
enough information around that. And from the technology
perspective, you know, we've worked cases where we interface with a forensics team during a
breach and we say, well, you need to go collect these 25 images. And they say, do you realize
there's only me and this other guy? Like there's only two of us. We can't collect and analyze
25, 50, a hundred machines in parallel. So by making the technologists uncomfortable
or putting them also through their paces,
it really helps to underscore and uncover
where there are some gaps and deficiencies
with that sort of scenario.
Yeah, I mean, it sounds like a real eye-opener for everybody.
It's one of my favorite things to do
is to scare everybody in these environments.
I don't like scaring them when the real stuff happens.
I like putting them through and making them feel uncomfortable so that we don't have to
come back so that they are a little bit more prepared and able to defend themselves in
today's threat-centric industry and market.
Yeah.
All right.
Justin Harvey, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn. Thank you. Thanks for listening. We'll see you back here tomorrow.