CyberWire Daily - Breaches, extortion, and insider threats. Credit bureaus and GDPR. HP addresses spyware allegations. When is a snack bag more than a snack bag?
Episode Date: November 30, 2017
In today's podcast we learn that British shipping giant Clarksons was breached but refuses to pay hackers extortion. The US House may be reaching consensus on surveillance authorities. INSCOM mops up Red Disk leak. The US Defense Department may have more work to do countering insider threats. HP denies reports of spyware in its PCs. Apple fixes High Sierra. Credit services think through the implications of GDPR. Robert M. Lee from Dragos, reviewing ICS and natural gas. Shaun Walsh from Cylance on AI. And snack foods, mens rea, Faraday cages, and employment law.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
be reaching consensus on surveillance authorities. INSCOM mops up Red Disk leak.
The U.S. Defense Department may have more work to do countering insider threats.
HP denies reports of spyware in its PCs.
Apple fixes High Sierra.
Credit services think through the implications of GDPR.
And snack foods, a guilty mind, Faraday cages, and employment law.
I'm Dave Bittner with your CyberWire summary for Thursday, November 30, 2017.
Clarksons, the UK-based global shipping company, said its network had been compromised by criminals who accessed proprietary information and demanded ransom in exchange for keeping the information unannounced.
Clarksons declined to pay and turned the matter over to the police.
The criminals appear to have achieved access through a single compromised legitimate user's account,
which has since been disabled, not by exploiting a software vulnerability.
U.S. Representative Adam Schiff, a Democrat from California,
ranking member of the House Intelligence Committee, says the committee is close to consensus on how to reform and reauthorize Section 702 foreign electronic surveillance authorities.
Section 702 sunsets at the end of this month, so the deadline is approaching.
HP denies media reports that its PCs came preloaded with spyware that surreptitiously reported usage data back to HP without users' permission.
The accusations surrounded the company's Touchpoint Analytics, which do report performance data, HP says, but only with users' permission.
HP's VP of Customer Experience for Personal Systems, Mike Nash, told CRN that,
You have to click yes or no.
If you click nothing, we take that as a no.
Apple has patched the root vulnerability in macOS High Sierra.
The upgrade appears to be quick and painless to install.
All Mac users are advised to do so.
Callcredit, Equifax, and Experian are said to be preparing for GDPR implementation
by working on a Credit Reference Agency Information Notice, or CRAIN.
The document is intended to bring credit bureau use of personal information
into line with the EU's pending requirements.
Cylance recently released a report based on a survey of over 650 industry professionals titled Artificial Intelligence in the Enterprise. Shaun Walsh is Senior Vice President of Marketing at Cylance, and he shares what they learned.
If you look at the RSA conference last year, I don't think you could walk by a booth that didn't say they were using either AI or machine learning. The question became, if it's become an overused, overhyped term, what is really being done with it by IT people who do this for a living? Are they taking the risk or are they sitting back and watching? As you can imagine, AI can sometimes be a polarizing topic. We have people like Elon Musk and others out there that are concerned about certain capabilities of AI. But when you look at it from an IT perspective, you know, are people sharing those concerns? Or are they looking at this as a better mousetrap to solve the existing business problems they have today? And I think what the survey bore out is that they do see it as a better mousetrap. Someday in the future, it might be a different tool. But today, we think this is the state of the art in terms of looking at how to prevent and predict attacks.
Take us through some of the key findings from the survey.
Yeah, so I think the biggest thing that surprised me when I looked at it was they said that 60% of IT decision makers say they're already using AI-powered technology in their data center. That was a number that I expected to be much lower. Now, when you talk about across a data center, there's probably dozens and dozens of applications that they're including in the generic AI area, not just specifically security-related items. And then the next big thing that really surprised me is that they said 93% said AI will create new jobs. You know, that's one of the knocks that people have against any major generational turn of technology is, will it take jobs away? And the part that happens in every major generational turn of technology, from the Industrial Revolution through the computer age, through all these different changes, is that ultimately more jobs are created. They're different jobs than we had before, but there is no shortage of new jobs that are created.
So I guess one of the things that this survey bears out is that people are looking to AI to help fill that gap.
Yeah, and that's really what it is. It's about scaling the workforce today and in the future so that you can reapply those resources to better tools. One of the papers we have published on our website is a survey that Forrester did on a total economic impact study. And what they said was, look, this is really, really simple for us. With your AI-based solutions, we used to have six people managing desktop solutions across our 3,500-person organization. I was able to make that two people. And I took those other four individuals, and I put them on a next-generation project that took them out of maintenance mode and put them into proactive improvement mode. And that's what people like about AI is it lets them scale. It lets them have better visibility into what the problems are they face and that they can get more scale out of the human beings that are involved. It is an augmentation. It is not a replacement.
That's Shaun Walsh from Cylance.
A note about our interview with Cylance's Shaun Walsh. Cylance is our sustaining sponsor and has a long and, on our part, much valued relationship with the Cyber Wire. But we interview Shaun not for this reason, but because we think he has something interesting to say about artificial intelligence. We appreciate Cylance's sponsorship, but with interviews like this, they go through the same process as everyone else. It's not pay for play, and neither we nor they would have it any other way.
And finally, for your consideration, here's some creative slacking,
not that we recommend this pro tip from Down Under.
A gentleman in Western Australia was dismissed from his position at water management joint venture Aroona Alliance
when it was determined that he was not in fact out on the job troubleshooting water distribution issues,
but instead out on the links shooting a few rounds of golf.
Well, actually it wasn't a few, but more like 140, give or take a few bogeys and birdies and 19th holes.
Mr. Tom Colella, age 60 and an electrician, was disappointed in his efforts to get the Australian Fair Work Commission to overturn his dismissal.
The gentleman had evidently been in the habit of placing his GPS-enabled personal digital assistant inside a snack bag,
thereby shielding it from monitoring by his employer.
Managers at Aroona Alliance apparently knew he liked to keep his PDA and crisps together,
but evidently mentally wrote this off as a charming eccentricity until,
hey, well, wait a minute, where is this guy anyway?
The judgment of Fair Work Commissioner Bernie Riordan is worth quoting in full, especially since it offers some perspective on professional knowledge and professional responsibility.
Quote, I have taken into account that Mr. Colella openly stored his PDA device in an empty foil Twisties bag. As an experienced electrician, Mr. Colella knew that this bag would work as a Faraday cage, thereby preventing the PDA from working properly, especially the provision of regular GPS coordinate updates.
Mr. Colella went out of his way to hide his whereabouts.
He was concerned about Aroona tracking him when the company introduced the PDA into the workplace.
He protested about Aroona having this information at that time.
Mr. Colella then went out of his way to inhibit the functionality of the PDA by placing it in a foil bag to create a Faraday cage. End quote.
The snack brand preferred by Mr. Colella was Twisties, a corn-based cheese curl which comes in a variety of appealing flavors, including original cheese, chicken, Hawaiian pizza, sweet butter toffee, Spice Burger, and our favorite, the now sadly discontinued Bag of Ghosts.
Always a crowd pleaser around Halloween.
It's unclear whether the flavor affected the electromagnetic performance of the bag,
but it seems a safe bet that the aluminized Mylar bags would all exhibit some degree of Faraday shielding.
So don't try this around your workplace, friends, no matter how hard you're working on your handicap.
You're not going to turn into Greg the Shark Norman in any case, and you're not going to be able to claim lack of mens rea if you have any electrical knowledge at all.
But a question, would this kind of hack work equally well with Utz potato chips, much favored along the Baltimore-Harrisburg-Pittsburgh line? And would maybe the bags for the Old Bay crab chip flavored items be a good choice for a Faraday cage?
You know, if you like, sealed the bag and grounded it.
Just asking for a friend.
And joining me once again is Robert M. Lee. He's the CEO at Dragos.
Robert, welcome back. You know, I thought we could run through some of the ICS environments that you all deal with. And why don't we start with natural gas? Give us an idea here in the
United States. What is the lay of the land with our natural gas system?
How is it controlled?
And what are the threats?
Absolutely.
So when it comes to natural gas, it's an interesting changing point for the industry.
For years, although it was still critical and important, there wasn't as much national attention on it because it wasn't as critical to the bulk electric system. As we have moved away from coal and moved more towards renewable sources, we still need a quick way to be able to generate power, which is natural gas. And so natural gas
is starting to feed the electric grid much more so, even a lot of larger energy companies buying
up natural gas companies, which means that that national focus has definitely increased.
There are threats that have targeted natural gas already, and we've heard about these over the years. We've never seen destruction or disruption as a result
of an intentional attack. But of course, it's still something that weighs very heavily on the
focus of minds, especially when we start seeing the criticality of the industry increase.
What they're sort of up against today is a variety of risk that they're trying to mitigate.
One of the factors for them
is they do have sort of that traditional SCADA approach, meaning very long distances, right? A
lot of pipelines, very large landscape that they have to cover, as well as very boutique kind of
systems. You know, gas compressor station along the side of a pipeline is not really normal
knowledge for a lot of those, even in the
industrial control security community. So for them, they're trying to reduce that risk, not only to
physical threats and the things they have to deal with, like crazies along the pipelines, but also
in the fact that their threats can get out to those locations. And it's not some easily tapped
infrastructure. It's not like they could drive to every single gas compressor station and every
single aspect of the pipeline and storage wells and all that and throw a managed switch on there and start tapping that traffic.
It's not really achievable in that way. So they're much more around ingress and egress
filtering and understanding if they can identify threats from the control center down or back up
again from those sites. And at the same time, they're just dealing with the nature of the
politics. So we've got some good organizations like the Downstream Natural Gas ISAC, who's trying to do a lot of advocacy and outreach in that sector.
But I expect this will be a very turbulent next couple of years for them as they try to figure out how to articulate what the real risk is while minimizing it without letting, as you noted, the hysteria get taken away as congressional members and others start asking questions on, oh, no, what is the threat to this new industry? It was not really new, but this industry that's new
in its criticality to the electric grid. So fantastic opportunity for them,
definite challenges. But as always, we've got some fantastic people taking on that challenge.
And what would be the impact of an interruption of natural gas service?
It could be significant. It depends on
a lot of factors, but one of the factors to consider is other generation sources of power
in that region, as well as time of the year. So as an example of a particularly bad scenario,
if we're talking about the dark sort of months of the year, we're not getting as much in terms
of like solar and move towards solar more in the grid. And we also combine that with it being winter in places like the northeast or northwest.
You know, a significant outage could actually have loss of life impact when it comes to
people in that region.
And we're not talking about everybody in the region dying, but but nobody should take any
loss of life lightly.
So we're talking a number that is uncomfortable, mostly just because
we're talking about people's lives there. So I think there's a realistic scenario where an attacker
can make planned and coordinated strikes against pipelines that have real repercussions, but it
still is much more difficult and nuanced than people make it out to be. But the complexity of
a natural gas pipeline is not the
same as the complexity of the overall grid, which means to take down a giant portion of the grid for
any significant portion of time is a very complex problem. It's not as complex in gas pipelines,
but it is still not trivial by any stretch of the imagination.
Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.