CyberWire Daily - Charges in Vault 7 case. Olympic Destroyer appears to be back. Liberty Life hack. Does Tesla have a rogue insider? US Senate hits at ZTE. Guilty plea in OPM hack-related fraud. Motive: blackmail.

Episode Date: June 19, 2018

In today's podcast we hear that the US has charged a former CIA engineer in the WikiLeaks Vault 7 case. Olympic Destroyer may be back, and preparing to hit chemical weapons investigators and arms control specialists. Updates on the Liberty Life data extortion investigation. Elon Musk says Tesla Motors has an internal saboteur. The US Senate snatches the lifeline out of ZTE's hands. A guilty plea in OPM-breach-related fraud. A possible motive in the Jeopardy champ's email hacking. David Dufour from Webroot with insights on the impact they're seeing from GDPR. Guest is Lenny Zeltser from Minerva Labs discussing his IT and security "cheat sheets."

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The U.S. has charged a former CIA engineer in the WikiLeaks Vault 7 case. Olympic Destroyer may be back and preparing to hit chemical weapons investigators and arms control specialists, updates on the Liberty Life data extortion investigation,
Starting point is 00:02:12 Elon Musk says Tesla Motors has an internal saboteur, the U.S. Senate snatches the lifeline out of ZTE's hands, a guilty plea in OPM breach-related fraud, and a possible motive in the Jeopardy Champ's email hacking. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 19, 2018. The U.S. Justice Department yesterday announced that it has charged Joshua Adam Schulte with, quote, unauthorized disclosure of classified information and other offenses relating to the theft of classified material, end quote, from the CIA. These charges have long been under preparation.
Starting point is 00:02:59 Schulte was arrested in New York back in August of last year on charges related to child pornography. The FBI and the Department of Justice have since then been preparing a case against him in the matter of WikiLeaks' Vault 7, a public dump of alleged CIA documents by Julian Assange's gadfly operation. Schulte is alleged to be the source, or at least a major source, of Vault 7's contents. The defendant's careless search for and online communications about illicit pornography are thought to have constituted the OPSEC mistakes that led federal agents to him in the first place. A federal grand jury issued the superseding indictment, superseding the original child pornography charges, that included 13 counts.
Starting point is 00:03:46 The government believes Schulte's alleged theft of classified information occurred in 2016. WikiLeaks dumped Vault 7 online in 2017. Olympic Destroyer, the threat group responsible for disruption of digital aspects of this past winter's Pyeongchang Olympic Games, is apparently back. Kaspersky Lab is tracking activity that looks very much like Olympic Destroyer's against organizations associated with chemical and biological weapons control. Targets in Germany, France, Switzerland, Russia, and Ukraine are said to have been spear-phished. One of the malicious Word files found among the attachments in the spear-phishing emails makes reference to the Spiez Convergence 2018, a conference in Switzerland organized by the Spiez Laboratory and scheduled for this coming September.
Starting point is 00:04:36 The conference will assess new biological developments and their, quote, potential implications for chemical and biological arms control, end quote. The evidence for Olympic Destroyer's renewed activity lies principally in the obfuscation and spear-phishing macros the recent attacks have employed. Kaspersky, as is its custom, offers no attribution, but it did comment that the techniques are similar to those used by Sofacy, a threat group associated with Russia's GRU. U.S. officials concluded in February that Olympic Destroyer was a Russian operation cloaked by false flags intended to divert suspicion toward North Korea. Russia had resented the exclusion of its Olympic team from the Winter Games on grounds of illicit doping. This time, the resentment appears to be rooted in a different sort of chemical activity, the nerve agent attack in Salisbury, England, against an exchanged GRU
Starting point is 00:05:30 double agent and his daughter, and various chemical attacks by Russia's client Assad against rebel and less-than-perfectly-loyal civilian populations in Syria. Russia has objected strongly to investigations linking it to these incidents, and the Spiez Laboratory played a significant role in attribution of the Salisbury nerve agent attack to Russia. Moscow claimed, to almost universal skepticism, that the attack was a British-American provocation, aided and abetted by the Czech government, which Russian sources said provided the Novichok agent used in the attempted assassinations. This latest spear-phishing round appears to be battle space preparation.
Starting point is 00:06:12 The attacks are complex. Some of the targets are clearly connected with chemical and biological arms control, but others are not only unrelated, that is, they're banks, but also Russian, Russian banks. This is probably misdirection. There's no reason early-stage reconnaissance and staging would have to develop into a damaging attack, so Russian banks may not in fact be at realistic risk. And even if they were, there's a historical willingness to break eggs in the making of omelets that goes back very far in Russia, through Stalin and Lenin and back to Father Gapon. Another set of meetings will also be worth watching in this context.
Starting point is 00:06:59 The Organization for the Prohibition of Chemical Weapons, the OPCW, will, at the request of the United Kingdom, hold a special session of the Conference of the States Parties on June 26th and 27th. It's expected to address the non-attribution problems surrounding chemical weapon use, and in particular to be a forum at which the UK and other states will forcefully bring up both Salisbury and Syria. This is only the fourth special session of the OPCW in its two-decade history. OPCW should look to its emails. Many of us believe it's important to give back to the InfoSec community, and of course there are a variety of ways to do that. Lenny Zeltser is VP of Product Management at Minerva Labs and an instructor and author at SANS Institute. He's put together a collection
Starting point is 00:07:43 of free cheat sheets for IT and security professionals. Here's Lenny Zeltser. The first one that I created, I believe, was the one called Malware Analysis and Reverse Engineering Cheat Sheet. There's a wide variety here, everything from tips for creating and managing new IT products
Starting point is 00:08:03 to critical log review checklist for security incidents. And one of my personal favorites, how to suck at information security. Yes, we could all use a little bit of advice on how to suck at information security if we're into the idea that reverse psychology is something that might actually work in persuading others to pay more attention to information and cybersecurity. Yeah, I wrote that one, as you would expect, with a bit of a tongue in cheek attitude. But it's one that's been getting quite a bit of attention because, you know, when you work in cybersecurity, there's always some practice that you have witnessed that really
Starting point is 00:08:41 annoys you and you wish you could share with others what not to do. Why don't we dig in? Can you share a couple of the suggestions here for how to suck? So here's some advice related to password management. Require your users to change passwords too frequently. It's one of those things where it feels inherently like a good thing for security. Let's change passwords all the time. Once a week, once a month, or once a quarter. But of course, those of us who've been doing this for a while realize that that simply encourages people to pick passwords that are easy to guess. So that's one. Or another advice, delete logs because they're becoming too big to read.
Starting point is 00:09:23 Just get rid of those logs. I'm sure you won't need them. Or classify all of your data assets as being highly confidential or top secret. It's one of those tactics where if you're moving and packaging your stuff into boxes, if you label everything fragile, that just means nothing is fragile. And those of us in the security space who want to be extra cautious with information, if we label everything top secret or highly confidential, then people start paying attention. Because, well, if everything is confidential, top secret, then how do you apply security practices differently to data that maybe doesn't require as much protection?
Starting point is 00:10:00 Why is it important for you to put this out there and encourage the sharing of it? I appreciate the fact that everybody has their own spin on advising people in relation to IT or informational security practices. You know, I shared with others what I feel is important, but I also recognize that somebody else might have different advice, might want to add or modify or remove some of the tips that I've shared in my cheat sheets. So that's one of the key reasons why I licensed these cheat sheets using the Creative Commons attribution license, which means people can take these cheat sheets and use them in any way that they want, as long as they attribute the source of the original cheat sheet to me, the author. And I make these available not just on my website, but also as files that people can download in a PDF format or perhaps most usefully in Microsoft Word format. And when people do that,
Starting point is 00:10:54 I would encourage them to try to stick by the self-imposed limit that I defined. Well, just for myself and others might disagree, but in most cases, my goal is to fit everything in a cheat sheet on a single page. And I believe by trying to limit the space in which I can offer advice forces me to be really selective and succinct about what it is I'm trying to say. That's Lenny Zeltser. You can find all of his cheat sheets at zeltser.com slash cheat dash sheets. Observers speculate that Liberty Life may have been the victim of a malicious insider. The South African insurance company disclosed Saturday that it was undergoing extortion by criminals who threatened to release sensitive client data if they weren't paid their ransom demands.
Starting point is 00:11:51 Another malicious insider may be behind sabotage, including deliberately bad coding and data theft at Tesla, or so Elon Musk believes. The founder of Tesla, SpaceX, and The Boring Company has sent a company-wide email to everybody, in which he said, quote, I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla manufacturing operating system under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties, end quote. The story is developing.
Starting point is 00:12:28 The U.S. Senate voted yesterday to revoke the lifeline the administration had extended to ZTE. Huawei appears to be in congressional crosshairs as well. Both Chinese companies are widely suspected by Five Eyes security services to be too cozy with Chinese intelligence. ZTE's stock price plummeted 25% upon the news. If you wondered what all that personal information stolen from the U.S. Office of Personnel Management, that's OPM, was used for, here's a partial answer. Karvia Cross of Bowie, Maryland, pleaded guilty yesterday to using PII stolen from OPM to get fraudulent personal and vehicle loans from the Langley Federal Credit Union. Her co-defendant, one Marlon McKnight, pleaded guilty earlier this month.
Starting point is 00:13:14 There's of course no suggestion that Ms. Cross or Mr. McKnight were the hackers who pwned OPM, but they certainly found a use for the data that spattered out. And finally, to return one last time to the case of Jeopardy! champion and sometime college history professor Stephanie Jass, convicted of illicitly accessing email accounts at Adrian College, you may have wondered what she was up to. According to a fellow faculty member, whom Jass told about her caper, Jass took advantage of a campus-wide password reset to,
Starting point is 00:13:46 in her former colleague's opinion, scan email accounts for blackmail material. Sentencing is scheduled for next month.
Starting point is 00:16:24 Joining me once again is David Dufour. He's Vice President of Engineering and Cybersecurity at Webroot. David, welcome back. You know, the GDPR deadline has come and gone. I thought it'd be good to check in with you to see what kind of things you're seeing on the ground, what effect it's had on your customers. What can you share with us? Hey, David. First of all, thanks for having me back.
Starting point is 00:16:42 You know, GDPR, everybody talked about it. I think everybody kind of thought the world was going to come to an end or the sky was falling. But I think we're rolling into it. We're just now starting to see implications of what's going on with GDPR, how it's going to affect us. Last week, I was in London. There's a report of a mobile carrier there who had a data leakage and they immediately, when they found out about it, reported it publicly. And so that's one positive effect of GDPR. We're seeing people reporting issues very quickly now when they occur. I personally was nervous for this company because I don't know what their fine is going to be or
Starting point is 00:17:22 how that's going to play out. But some positive things that we're seeing are organizations knowing they need to report this quicker and there's going to be a lot more leniency as they make those reportings as soon as possible. Now, what are you seeing in terms of impact on U.S. companies? Organizations that have high visibility to Europe, and I'm going to include ourselves into that, with offices over there. We spent a ton of time looking at our data, looking at where we store information, putting processes in place. And we actually had an internal initiative to be ready for GDPR because effectively we have offices over there and we knew it would directly have implications for us.
Starting point is 00:18:04 But what I'm seeing in general is a lot of organizations in the United States who maybe run data centers in the States, but have exposure to sales or things, customers in Europe, they're maybe not as prepared as they should be. So I guess what I'm summarizing there is if people with boots on the ground in Europe really do feel it, and people in the States, they're being a little bit more not as worried about it because it's so far away. It was remarkable to me that even as we approach the deadline for it, it wasn't that unusual for me to come across someone who is in this industry and would say, I'm sorry, GDPR, what is that? That is a little bit scary. I hope most people know about GDPR, but you're absolutely right.
Starting point is 00:18:48 You know, the competence level seems to be high. You know, we've done some surveys. We've looked into, you know, how people were addressing this from a cybersecurity perspective. And competence levels seem to be high in terms of people's belief they're prepared. But once we started drilling down into what would you do if you have to identify the data you collect for a customer? Or what would you do if you had to get rid of information on a specific customer because they contacted you and wanted that data removed? They couldn't get, you know, very specific about how they would handle those types of scenarios. So not being able to answer those questions implies to me that a lot of organizations in the U.S. maybe aren't quite as
Starting point is 00:19:34 prepared as they should be. And their plan is to have contact points, have the ability for someone to communicate with them about it, but kind of fill in the gaps as they go along on their processes. Now, do you sense that folks are still sort of holding their breath to see what happens once the fines start happening? Absolutely believe that. I can't fault organizations, especially smaller companies, because it's so expensive to try to prepare for something and not know exactly what you're trying to prepare for. So there's a little bit of hope that if I can kind of fly under the radar, I can see what's going to happen legally with the larger organizations and then trend my processes or the things that I need to do in that direction. But you are taking somewhat of a risk in that because if you have a data breach and you have data from Europe and it becomes popular in the media, it could be game over for you. Right. All right. Well, we're going to keep an eye on it, of course.
Starting point is 00:20:42 David Dufour, thanks for joining us. Thanks for having me, David.
Starting point is 00:21:17 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:06 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
