CyberWire Daily - Buggy APIs may expose credit scores. Dealing with ransomware. Iran-Israeli tensions are up. Russia says it will always see the Americans coming. Surge cyber capacity. NSA’s advice on OT security.
Episode Date: April 29, 2021
An API bug may have exposed credit ratings. A study offers advice for the new anti-ransomware task forces emerging in the US and elsewhere. Israelis warned to keep their cyber-guard up on Quds Day next week. Russia says it would spot any US cyberattack before it hit. The US Congress considers establishing surge cyber response capacity. Dinah Davis from Arctic Wolf has tips on preventing RDP attacks. Rick Howard speaks with Rehan Jalil from Securiti on GDPR. NSA offers advice for securing OT networks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/82
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An API bug may have exposed credit ratings.
A study offers advice for the new anti-ransomware task force emerging in the U.S. and elsewhere.
Israelis warned to keep their cyber guard up on Quds Day next week.
Russia says it would spot any U.S. cyber attack before it hit.
The U.S. Congress considers establishing surge cyber response capability.
Dinah Davis from Arctic Wolf has tips on preventing RDP attacks.
Rick Howard speaks with Rehan Jalil from Securiti on GDPR.
And NSA offers advice for securing OT networks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 29th, 2021.
Krebs on Security says that Experian has patched an API flaw in a partner website that exposed individuals' credit ratings.
The researcher believes the flaw may persist unaddressed in other partners' APIs.
The story is still developing. We'll be following it as it does.

IBM reviews the history and activity of the REvil ransomware gang, also known as Sodinokibi, a new-breed mob as interested in stealing information as it is in encrypting it. The report is timely given the attention ransomware is currently receiving from law enforcement organizations. As the U.S. Department of Justice organizes its anti-ransomware task force, a report by the Institute for Security and Technology offers 48 recommendations. Prominent among them are calls for close international regulation of cryptocurrencies and assistance for victims who refuse to pay ransom. The beginning of wisdom concerning ransomware, the report argues, is to recognize that it's overwhelmingly a financially motivated crime, and as long as the profits outweigh the risks, attacks will continue. So, governments and the private sector should work to disrupt the criminal business model and make sure crime doesn't pay. A variety of actions should be taken, it says, to disrupt payment systems and make ransomware attacks less profitable, to disrupt the infrastructure used to facilitate attacks, and to disrupt ransomware actors themselves through criminal prosecution and other tactics.

Cryptocurrency, as a payment and remittance system, is seen as a key enabler of ransomware. While no one should think that cryptocurrencies are inherently nefarious (they're not, and have many benign uses), they should, the report argues, be regulated. The regulation should start with their being held to existing standards. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks to comply with existing laws.
The victim assistance the report proposes would occur in several ways. The financial aspects would be handled, the recommendations propose, by establishing a ransomware response fund that would help those victims who refuse to pay the hoods. The report says, quote, If such funding were available for ransomware victims, then cost would play a smaller role in an organization's decision about whether to pay the ransom. As an incentive to invest in cybersecurity, governments could consider requiring the organization to cover some portion of the ransom as a deductible. End quote.
May 7th is Quds Day, Jerusalem Day, observed by the Islamic Republic of Iran.
By coincidence, this year it falls near Israel's own Jerusalem Day, May 10th, which commemorates
Israel's unification of the city during the Six-Day War. The Times of Israel reports that
Israel's National Cyber Directorate has issued an alert to expect
Iran-associated cyberattacks in connection with the observances. The directorate expects
any cyberattacks this year to be more ambitious than the customary website defacements.
The difficulty of mopping up after the compromise of Microsoft Exchange Server, presumably by Chinese intelligence services, and especially after the compromise and exploitation of the SolarWinds supply chain, presumably by Russia's SVR, has prompted discussions in the U.S. Congress and elsewhere about preparing a surge capacity to deal with future incidents.
Bipartisan sentiment has therefore grown in the U.S. Congress for
establishing a cyber reserve that could surge for incident response. Some proposals call for
more cyber capability going into the National Guard. The Guard, it should be noted, already has
cyber units. Another proposal, Defense News reports, would pilot a civilian cyber security
reserve that could be called up to augment both
Department of Defense and Department of Homeland Security organizations during an emergency.
It would be composed of former federal civilians and military veterans with relevant training.
Versions of the bill establishing a pilot civilian cybersecurity reserve have been
introduced in both the Senate and the House of Representatives.
It's not just response and remediation, of course, that has been under discussion in the U.S. since the SolarWinds incident, but also more active measures, with various rumblings out of Washington concerning the possibility of deterrence and, more directly, retaliation.
Are the Russians ready for it? Moscow says they are.
The Russian news service Interfax quotes senior Russian official Andrei Krutskikh to the effect that it would be technologically impossible for the U.S. to mount an undetectable cyber attack in retaliation for Russia's SolarWinds campaign, which Russia doesn't admit it conducted. It's all stupidity, Krutskikh said. Anything the Americans might try, Russia will surely see coming. Maybe, but on the other hand, the Americans didn't really see Holiday Bear come snuffling up until it was too late.
The SolarWinds incident also raised concerns about the degree to which operational technology might have been compromised, either actually or potentially.
NSA has taken note.
This morning, the U.S. National Security Agency released a cybersecurity advisory covering ways of stopping malicious activity against connected operational technology, that is, OT networks.
The agency gives as its motivation for
the advisory a recent shift in adversary attacks. Quote, recent adversarial exploitation of IT
management software and its supply chain has resulted in publicly documented impacts across
the U.S. government and the defense industrial base. Malicious cyber activities directed at OT also continue to threaten these networks.
So, Cozy Bear, Fort Meade is looking at you.
Essentially, NSA advocates a rigorous cost-risk-benefit analysis of any connectivity.
At its highest level, the advisory recommends a two-step process.
First, determine whether the cost of connecting OT networks to
IT networks, and especially the cost of increased risk, is worth the benefits it might bring,
such as greater efficiency, reduced labor costs, and so on. This cost-versus-risk-versus-benefit
analysis should take it as a guiding assumption, NSA says, that a standalone, unconnected, islanded OT system
is safer from outside threats than one connected to an enterprise IT system with external connectivity,
no matter how secure the outside connections are thought to be.
Second, should you decide in favor of connecting IT and OT networks, systematically improve
the cybersecurity of those networks,
with particular attention to managing, monitoring, and baselining the systems.
The advice isn't surprising, but it's brief and to the point, worth attending to by organizations
grappling with securing their operational technology. The days are long gone when
they could count on a nice, safe, default air gap.
The CyberWire's own CSO, Rick Howard, continues his series of conversations with experts about cyber threat intelligence.
Here's Rick. GDPR, or the EU's General Data Protection Regulation, has been on the legal
books since January 2012. But there is still a lot of industry confusion about what it is
and how you might go about complying with it. Rehan Jalil is the CEO of Securiti, spelled with an I, a data privacy, security,
and governance company. I asked him to explain what GDPR is. GDPR is all tied to how you handle
people's personal data and how you collect it with or without their consent, how you store it,
how you provide protections around it. People do get the rights to either request a copy of the data
to understand how much of their personal information is being collected
from various different sources.
They also get the right to request the companies to go delete this information.
GDPR treats personal data as the property of the owner
and it treats data privacy as a human right.
That's really the fundamental premise.
When they passed the law,
there weren't a lot of tools available
to help us get a handle on this new requirement.
So what did we do?
Well, like most self-respecting security professionals,
whenever confronted with some new problem
to characterize and understand,
we broke out the universal tool in everybody's toolbox,
the ubiquitous spreadsheet. Initially, companies took the approach of doing manual inventories
and asking people across the organization, what kind of data you have. You won't believe initially
it was spreadsheets and you won't believe it was just spreadsheet-like tools which will simply ask people,
hey, what data do you have?
And they would kind of log it somewhere
and that was the data mapping.
And it was certainly early days
and in some ways, frankly, completely useless
because data changes every second
and it flows and it goes across different systems,
across different parts of the organization.
And if companies were trying to do this mapping
on spreadsheet equivalent tools,
it was certainly a recipe of failure in some ways.
Of course, things have gotten better.
In this world of automation and DevOps
and site reliability engineering,
technology can help solve this problem too.
Now, technologies can actually help to map the requirements to the individual and the residencies and then do a lot of automation on the back end to discover the data, figure out the way data should be hosted or not hosted, and then a request comes in to make sure what kind of rights can be given to that individual based on residency and based on what regulations in that particular residency.
What you see is very rapidly, a lot of technologies are evolving to understand where exactly is the
data, you can catalog it, and then you can now provide rights to people on that data.
And in a much better position, if ever there's an audit that happens, you can open up your books and show here, this is the methodology, this is the tool, and you can run a query.
And here's our data, and this is what we're doing.
So the chances of fines could be a lot less. But this still feels like a very big problem. With our data scattered across various data islands like on endpoints,
back at headquarters, in our data centers, in hundreds of SaaS applications, in multiple cloud provider networks, and in giant data lakes, most of us don't know where to start. The good news is
that the kind of data we are worried about for GDPR compliance is a small fraction of the data
we typically collect day to day.
I think you've really hit it on the head.
The important thing is to narrow down to that personal data, discover it, point it out where
that data is and catalog it and use that knowledge as your mechanism to give people rights on
the data.
So be of stout heart.
GDPR and all privacy compliance laws can be measured with a little planning and probably
a lot of automation.
You've been meaning to get moving on that DevOps project anyway.
Automating GDPR compliance might be a good place to start.
That's the CyberWire's own Chief Security Officer, Rick Howard.
And joining me once again is Dinah Davis.
She's the VP of R&D at Arctic Wolf. Dinah, great to have you back. I want to touch today on ransomware and some of the things that you've been tracking there. What can you share with us today?
Ransomware comes in from phishing and other social engineering vulnerabilities, right?
And it does.
It absolutely does come in that way. But one that doesn't often get discussed is the Remote Desktop Protocol, or RDP.
So remote desktop is exactly what the name implies.
It's an option to remotely control a computer system.
And so because of COVID and because everybody's working from home,
you know, a lot more ports are open to the internet than previously there would have been, right?
Because they would have been behind company firewalls
in their physical networks, right?
So how do attackers use RDP to do a ransomware attack?
Basically, they try to reverse brute force the account.
So if they see a port is open and they know who you are, they probably can just try lots of common passwords like using a dictionary attack on it, right? Or using
credential stuffing, given that maybe there was a database of valid usernames and passwords
out there, and then they try those. There's also the hybrid brute force, which starts with
combinations that would be more specific to you, the person that they're trying to attack, and then go over to a dictionary attack.
So we're seeing still like 50% of ransomware
attacks are from RDP. And what they do
is they get in through that port and then they'll install the ransomware in your
system because they have remote access to your machine, right?
So a big thing here is how to prevent this.
And it's actually not hard.
Go on.
Okay.
So to prevent an RDP attack,
the best thing to do is if you don't need to use RDP,
then just close all the ports and don't use it.
And then it's not an attack vector,
especially closing port 3389.
Slow down here, Dinah. You're getting a little bit ahead of me. Don't get too technical.
Just shut her down.
It's turning it off. Yeah. All right. All right. Go on. Go on.
Let's say you do need to use it as part of your job. There's not a way around it. So at the very
least, use strong passwords. Make RDP only available through a corporate VPN, right?
So it makes it harder for an attacker to get at.
Use network level authentication and if possible, enable two-factor auth.
And still close any external access to port 3389 and use a different port.
Because there's so many bots on the internet that are just going through looking for open port 3389s, that that's
one of the simplest things you can do to avoid getting
ransomware via RDP.
Oh, change it from the default port to something else.
Yeah.
All right, well, good information as always. Dinah Davis, thanks for joining us.
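The controls Dinah Davis lists (turn RDP off if you don't need it, require Network Level Authentication, reach it only over the corporate VPN, and get off the default port) are all local settings on the Windows host, so here they are as one PowerShell script. This is an added example for this transcript, not code from the episode or from Arctic Wolf. It reads the RDP listener configuration from the registry, applies the hardening, and summarizes failed RDP logons from the Security event log so you can see the brute-force and credential-stuffing traffic she describes. Run it in an elevated session. The VPN client pool (10.8.0.0/24), the alternate port (53389) and the failure threshold (20) are placeholder assumptions; the firewall display group name "Remote Desktop" is the one on English-language Windows.

```powershell
# Added example (not from the CyberWire episode or Arctic Wolf): audit and
# harden the local RDP listener, then look for brute-force attempts.
# Assumptions: VPN client pool 10.8.0.0/24, alternate port 53389, and the
# English-language firewall display group name "Remote Desktop".

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # The settings that decide whether an internet-facing guess ever reaches a password prompt.
    $ts    = Get-ItemProperty -Path $TsKey
    $rdp   = Get-ItemProperty -Path $RdpKey
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $open  = @($rules | Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' })
    [pscustomobject]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)   # 1 means RDP is disabled
        NlaRequired      = ($rdp.UserAuthentication -eq 1)  # 1 means NLA is enforced
        ListenPort       = $rdp.PortNumber                  # 3389 is the default
        OpenToAnyAddress = ($open.Count -gt 0)              # inbound rule with no source restriction
    }
}

function Disable-Rdp {
    # First option from the interview: if you don't need RDP, turn it off and block it.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
}

function Set-RdpHardening {
    param(
        [string]$VpnSubnet = '10.8.0.0/24',   # assumption: your VPN client pool
        [int]$Port = 53389                    # assumption: non-default listener port
    )
    # Network Level Authentication: credentials are checked before a session is created.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
    # Move off 3389 to shed the scanners that only try the default port.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port
    # Replace the built-in any-source rules with one scoped to the VPN subnet.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
    New-NetFirewallRule -DisplayName "RDP (VPN only, tcp/$Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $VpnSubnet -Action Allow | Out-Null
    # The listener re-reads PortNumber on restart; this drops any active RDP sessions.
    Restart-Service -Name TermService -Force
}

function Get-RdpLogonFailures {
    param([int]$Hours = 24, [int]$Threshold = 20)   # assumption: 20 failures/source is suspicious
    # Event 4625 with LogonType 10 is a failed RemoteInteractive (RDP) logon. With NLA
    # enforced the failure happens before the session exists and is logged as
    # LogonType 3 instead, so both are counted. Sources over the threshold are the
    # dictionary, credential-stuffing and hybrid attempts described in the interview.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.LogonType -in @('10', '3') -and $data.IpAddress -ne '-') {
            [pscustomobject]@{ Source = $data.IpAddress; User = $data.TargetUserName }
        }
      } |
      Group-Object Source |
      Where-Object { $_.Count -ge $Threshold } |
      ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Attempts = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ','
        }
      } |
      Sort-Object Attempts -Descending
}

# Audit first; call Disable-Rdp or Set-RdpHardening only after reading the result.
Get-RdpExposure | Format-List
Get-RdpLogonFailures | Format-Table -AutoSize
```

Run Get-RdpExposure before and after Set-RdpHardening; the "after" result should show NlaRequired true, a non-default ListenPort and OpenToAnyAddress false. Moving the port only thins out the untargeted scanner noise; the VPN-only firewall scope, NLA and a second factor on the VPN are what actually stop the password guessing. If you run Set-RdpHardening over an RDP session, the service restart will disconnect you, so apply it from a console or a management channel that does not depend on RDP.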
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Thanks for listening. We'll see you back here tomorrow.