CyberWire Daily - ChatGPT continues to become more human, this time through hallucinations. Following Cl0p. Instagram works against CSAM. And data protection advice from an expert in attacking it.
Episode Date: June 8, 2023
ChatGPT takes an unexpectedly human turn in having its own version of hallucinations. Updates on Cl0p’s ransom note, background, and recent promises. Researchers look at Instagram’s role in promoting CSAM. A look at KillNet's reboot. Andrea Little Limbago from Interos shares insight on cyber’s human element. Our guest is Aleksandr Yampolskiy from SecurityScorecard on how CISOs can effectively communicate cyber risk to their board. And a hacktivist auxiliary’s stellar advice for protecting your data.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/110
Selected reading.
Can you trust ChatGPT’s package recommendations? (Vulcan)
Ransomware group Clop issues extortion notice to ‘hundreds’ of victims (The Record)
MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack (ITpro)
Responding to the Critical MOVEit Transfer Vulnerability (CVE-2023-34362) (Kroll)
MOVEit Transfer Critical Vulnerability (May 2023) (Progress)
Cybergang behind N.S. breach says it erased stolen data, but experts urge caution (CBC Canada)
Most SMBs admit to paying ransomware demands - here's why (TechRadar)
Instagram Connects Vast Pedophile Network (Wall Street Journal)
Addressing the distribution of illicit sexual content by minors online (Stanford University)
Rebooting Killnet, a New World Order and the End of the Tesla Botnet (Radware)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
ChatGPT takes an unexpectedly human turn in having its own version of hallucinations.
Updates on Cl0p's ransom note, background, and recent promises.
Researchers look at Instagram's role in promoting CSAM. A look at Killnet's reboot.
Andrea Little Limbago from Interos shares insights on cyber's human element.
Our guest is Aleksandr Yampolskiy from SecurityScorecard on how CISOs can effectively communicate cyber risk to their board.
And a hacktivist auxiliary's stellar advice for protecting your data.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, June 8th, 2023.
OpenAI's ChatGPT chatbot is often described as having its own version of hallucinations,
and these aren't the kind that medicine can fix.
Researchers at Vulcan Cyber warned that attackers can use ChatGPT to trick developers into installing malicious packages.
Noting that developers have begun using ChatGPT for coding assistance, the researchers state that they've seen ChatGPT generate URLs, references, and even code libraries and functions that do not actually exist.
These articles are the hallucinations referred to.
Large language model hallucinations, Vulcan says, have been seen in the past, attributable to old training data.
If ChatGPT can fabricate false code libraries, an attacker could, theoretically, create a package that replaces the one that ChatGPT recommends.
Victims could then download and use it.
Following Cl0p's ongoing efforts to extort victims affected by its exploitation of a MOVEit vulnerability, reports say the gang has issued demands to negotiate ransoms to potentially
hundreds of victims. The Register reports that the ransomware group, in an uncharacteristic move,
gave a June 14th deadline for victims to contact the attackers. This change of tactics,
as ITPro reports, could be due to the unusually large amount of data stolen by the group,
saying that members of the cybersecurity industry have speculated that Cl0p has ingested too much data for it to identify the company to which it belongs.
According to research from Kroll, Cl0p could have discovered the MOVEit zero-day exploit as long ago as 2021.
Internet Information Services logs of impacted clients found evidence of similar activity occurring in multiple client environments last year, April 2022, and in some cases as early as July 2021.
Kroll also advises companies using MOVEit to check their disk drive's directory for suspicious .aspx files as indicators of compromise.
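Kroll's advice above amounts to a file-system hunt. The Python below is an added example of how a responder could carry it out; it is not Kroll's or Progress's tooling. It assumes only a baseline manifest (relative path to SHA-256) of the web root's expected .aspx pages plus the deployment time, both constructed inline here so the script runs offline against a temporary directory. In practice the baseline comes from a known-good install, and the file name `dropped.aspx` is made up for the demonstration rather than taken from any report.

```python
"""Hunt for unexpected .aspx files under a MOVEit Transfer web root.

Added example; not Kroll's or Progress's tooling. Assumes a baseline
manifest and deployment time (constructed inline below).
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (web roots can hold large files)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_aspx(webroot: Path, baseline: dict, deployed_at: float) -> list:
    """Flag .aspx files that are unknown, altered, or modified after deployment.

    A dropped web shell trips the first and third checks; a legitimate page
    with a backdoor appended trips the second (and the third unless the
    attacker reset the timestamp, which is why hashes are checked too).
    """
    findings = []
    for path in webroot.rglob("*.aspx"):
        rel = path.relative_to(webroot).as_posix()
        digest = sha256_of(path)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline manifest")
        elif baseline[rel] != digest:
            reasons.append("content differs from baseline")
        if path.stat().st_mtime > deployed_at:
            reasons.append("modified after deployment")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot() -> tuple:
    """Constructed sample tree: two expected pages, one of them later
    tampered with (timestamp reset), and one unexpected dropped file."""
    root = Path(tempfile.mkdtemp(prefix="moveit-webroot-"))
    deployed_at = time.time() - 86400      # pretend the install was a day ago
    installed = deployed_at - 3600         # expected files predate it
    baseline = {}
    for name in ("human.aspx", "machine.aspx"):
        page = root / name
        page.write_text('<%@ Page Language="C#" %> legitimate page\n')
        baseline[name] = sha256_of(page)
    # machine.aspx is backdoored in place; the attacker resets its mtime
    (root / "machine.aspx").write_text('<%@ Page Language="C#" %> page plus backdoor\n')
    for name in ("human.aspx", "machine.aspx"):
        os.utime(root / name, (installed, installed))
    # dropped.aspx (made-up name) is written "now", i.e. after deployment
    (root / "dropped.aspx").write_text('<%@ Page Language="C#" %> unexpected content\n')
    return root, baseline, deployed_at


def run_sample() -> list:
    root, baseline, deployed_at = build_sample_webroot()
    return hunt_aspx(root, baseline, deployed_at)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["reasons"]))
```

Point it at the real web root with a manifest taken from a clean install of the same build; a hit on any of the three checks is worth pulling the file and the matching IIS log lines before deciding it is benign.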
Progress, the software developer of MOVEit, has created a webpage for the vulnerability that describes mitigation steps and provides situation updates.
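Returning to the Vulcan Cyber item earlier in the briefing: the practical defence against a hallucinated (or later attacker-registered) package is to vet the name before installing it. The Python below is an added example of such a gate, not Vulcan's tooling. The package index it consults is a constructed stand-in so the check runs offline; a real version would have `lookup()` fetch https://pypi.org/pypi/<name>/json and return None on a 404. The well-known-name list and the age and release-count thresholds are illustrative assumptions.

```python
"""Vet a package name suggested by an LLM before running `pip install` on it.

Added example; not Vulcan Cyber's tooling. FAKE_INDEX, WELL_KNOWN and the
thresholds are assumptions made for the demonstration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

NOW = datetime(2023, 6, 8, tzinfo=timezone.utc)

# Constructed index entries: first upload time and release count (the real
# PyPI JSON exposes both under "releases").
FAKE_INDEX = {
    "requests": {"first_release": NOW - timedelta(days=4000), "num_releases": 150},
    "reqeusts": {"first_release": NOW - timedelta(days=2), "num_releases": 1},
}

# Names an attacker would most plausibly imitate (assumed list).
WELL_KNOWN = ("requests", "numpy", "cryptography", "boto3", "pyyaml")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookup(name: str):
    """Stand-in for a registry query; None means the package does not exist."""
    return FAKE_INDEX.get(normalize(name))


def similar_well_known(name: str, threshold: float = 0.8):
    """Return the well-known name this one most resembles, if any (typosquat check)."""
    n = normalize(name)
    best, score = None, 0.0
    for known in WELL_KNOWN:
        if known == n:
            return None  # an exact match is not a look-alike
        ratio = SequenceMatcher(None, n, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best if score >= threshold else None


@dataclass
class Verdict:
    name: str
    risk: str                      # "missing", "suspicious" or "ok"
    reasons: list = field(default_factory=list)


def assess(name: str, min_age_days: int = 90, min_releases: int = 3) -> Verdict:
    """Classify a suggested package; anything but "ok" should block the install."""
    meta = lookup(name)
    reasons = []
    if meta is None:
        # Exactly the Vulcan scenario: the name is free for an attacker to register.
        reasons.append("no such package on the index (likely hallucinated)")
        near = similar_well_known(name)
        if near:
            reasons.append(f"name resembles well-known package {near!r}")
        return Verdict(name, "missing", reasons)
    age_days = (NOW - meta["first_release"]).days
    if age_days < min_age_days:
        reasons.append(f"first published only {age_days} days ago")
    if meta["num_releases"] < min_releases:
        reasons.append(f"only {meta['num_releases']} release(s)")
    near = similar_well_known(name)
    if near:
        reasons.append(f"name resembles well-known package {near!r}")
    return Verdict(name, "suspicious" if reasons else "ok", reasons)


if __name__ == "__main__":
    for suggested in ("requests", "reqeusts", "ai-helper-utils"):
        verdict = assess(suggested)
        print(f"{verdict.name}: {verdict.risk}", *verdict.reasons, sep="\n  ")
```

The "missing" verdict is the important one: a name that resolves nowhere today is the name an attacker registers tomorrow, and once registered it will show up as brand new with a single release, which the "suspicious" path catches. Wire the gate into CI so that a new dependency needs a human to override it.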
Can you trust what a ransomware gang says when it's negotiating?
Experts say probably not.
CBC Canada reported yesterday that Cl0p has claimed they've deleted all government data from their site.
Emsisoft threat analyst Brett Callow wrote in an email that the claims should be assumed to be false,
highlighting the fact that there is no reason for a criminal enterprise to simply delete information that may have value.
And even if it were deleted, he reminds us,
they still conducted the breach in the first place. Businesses today aren't exactly making
it difficult for ransomware attackers either. TechRadar writes that the amount of small and
medium-sized businesses in the United Kingdom deciding to cough up the cash when victimized
in a ransomware attack has increased significantly over the past year.
A Censornet report shared that the shift to giving in
seems to stem from the general incapability of companies
to manage their cyber threats.
Email attacks were the primary vector against companies in the past year,
and the research shows that firms would benefit
from better, more widespread threat
solutions. An investigation by the Wall Street Journal and researchers at Stanford University
and the University of Massachusetts Amherst has found that Instagram's algorithms have a
vast network of accounts openly devoted to the commission and purchase of underage sex content.
Researchers from the Stanford Internet Observatory discovered many accounts of those claiming to be minors
that are openly advertising self-generated child sexual abuse material for sale.
The researchers uncovered similar networks on Twitter and Telegram,
but note that Instagram, between recommendation algorithms
and direct messaging capabilities, is the most important platform. According to the Journal,
a Meta spokesperson acknowledged that the company had failed to act on reports of child sex abuse
content, and the company condemned the behavior, asserting that investigations against these acts are in place.
KillMilk's reorganization of the hacktivist auxiliary they lead on behalf of the Russian intelligence and security teams continues.
Radware describes the reboot as a move toward a more professional, better disciplined organization.
Killnet had hitherto been willing to present itself as a grassroots movement, but no more.
Radware writes that the revised Killnet isn't for armchair hackers and DDoSers,
nor is it a platform for self-promotion or a ticket to overnight fame.
Only the most astute will find their place in the new Killnet auxiliary, says the cybersecurity firm.
So, Ivy League grads, there's finally a place that can put that well-earned degree to use.
Maybe just not one that you'd want to write home about.
And finally, who better to advise you on how to protect your data
than someone that wants to steal it?
NoName has been posting interesting IT stories
from the Russian perspective,
and with it, they also published their own tips to protect your financial data online
by following 12 simple steps.
How can you defend your financial assets on the Internet, they ask, helpfully and rhetorically,
and then go on to offer some advice on digital hygiene.
NoName seems to be positioning itself as a community leader,
offering advice and information to ordinary users. So why are they doing all this? They're
positioning themselves as a source of news for the Russian domestic audience,
and the stories they're offering are all straight out of the Kremlin's script.
Coming up after the break,
Andrea Little Limbago from Interos
shares insights
on cyber's human element.
Our guest is Aleksandr Yampolskiy from SecurityScorecard on how CISOs can effectively communicate cyber risk to their board.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
There's that old saying, that bit of wisdom, that everyone has a boss. No matter the title on your business card, there's someone to whom you are accountable. And for the cybersecurity
leadership in many organizations,
that means the board of directors. These past few years have undoubtedly seen board members
increase their knowledge and understanding of cybersecurity issues, but bridging the gap
between cyber risk and business risk can still be a challenge. Aleksandr Yampolskiy is CEO at
SecurityScorecard, and I checked in with him for insights on how CISOs can effectively communicate cyber risk to their board.
There's not been a lot of KPIs for cybersecurity, and I experienced that personally when I was a CISO at Gilt Groupe.
I knew what my budget was.
I knew how much money I was spending.
But I had no idea if I spent a million dollars on the latest, greatest endpoint security technology.
I had no way of quantifying if I became 1% safer, 2% safer, 0% safer.
And that complete lack of KPI and ability to really quantify ROI
is a big issue because what you cannot measure, you cannot improve.
Yeah, it seems to me like for a lot of folks, they're stuck with that frustrating message, which is, you know, we spent all this money and nothing happened.
Good news.
Furthermore, not only that people can't measure things, they spend the money and then they can't quantify the risk.
They also lack complete visibility of their business partners because they could be protecting themselves, but then they're spending millions of dollars, for example, to host their solution on a cloud provider or they're spending millions of dollars with a law firm, but they have no idea if their information has been protected. It all goes back to measurement and quantification.
In any other field, we have metrics. You drive a car,
you have a speedometer showing to you how fast you drive. You go to a board meeting to review financials, you have gross margin, LTV to CAC,
EBITDA, and in cybersecurity, we have pretty much nothing.
What do you propose? I mean, what sort of measurements are available to us that we could turn into meaningful numbers?
Well, you know, I think that in any industry, there's no one number that magically captures every little nuance of a situation, right?
So a number is not a substitute for a human judgment, but that was actually the impetus for starting SecurityScorecard.
SecurityScorecard is a security ratings, response and resilience company
where we came up with a way of how to objectively, in a trusted way,
measure security for any company in the world from outside and how to give security teams really a complete understanding of
the risk their business ecosystem poses, their partners, contractors,
third-party and fourth-party vendors. And so we came up with this platform that really
provides KPIs and measurements for over 12 million organizations worldwide.
Well, can you give us some insights as to exactly how you go about doing this sort of thing?
Yeah, of course.
So the way that we do it is there are three steps in the process.
So number one, we collect the signals non-intrusively from outside,
and the signals are heterogeneous. For example, it could be indications that you have a
malware infection within the company, or that you have a set of SSL misconfigurations where you did
not configure them properly, or you have a number of patches that are missing. So we collect this
data non-intrusively from all over the world. Then for every company in the world, we discover
the attack surface for that company.
What are the business units?
What are the subsidiaries?
And then third, we compare companies to similar companies.
For example, if you have 100 malware infections, we don't know if it's good or bad.
So we're going to look at other similar-sized companies with the same attack surface and
see if they have 200 malware infections and you have 100, then
you're actually twice as good as everybody else.
So you can see how many standard deviations you are from what the median of the pack is.
And then we calibrated based on nine years of historical breaches, and we assign a score
representing likelihood of a company to get hacked.
And so we actually published the algorithm at
trust.securityscorecard.com. You could go to our website and we're very transparent about
how it works, what we measure and what ingredients go into it. But it's basically
based on comparing yourself to what median is in the industry and how you compare it to others.
Can you give us some insights as to what goes into quantifying
the cyber risk?
Well, look, to quantify the cyber risk,
you need to have a set of objective outside-in and inside-out indicators.
And any type of quantification needs to be objective, not subjective.
It needs to be transparent where you publish the methodology.
And it needs to be predictive.
So you have outside-in data points.
For example, you have data points like how does your attack surface appear to an attacker?
Are you patching your vulnerabilities fast enough? How fast do you take to remediate known issues?
What are the indicators of poor hygiene from outside, such
as you might look at a website and observe that you have
an out-of-date copyright notice. It's not a vulnerability, but it's an indication
that the company is not keeping its systems diligently up-to-date.
And then you can also have inside-out components.
For example, a company giving you a SOC 2 attestation,
a pentest report, architecture diagrams.
So really, in order to measure security,
you need to have a 360 view outside-in, inside-out,
and then you have to be able to plug it into quantification models
to really express how much money you could lose if a particular event occurs, like a DDoS attack or ransomware.
And so what are your recommendations for a cybersecurity professional who goes down this path and then has to translate that for the board of directors or the higher-ups in the company?
Well, yeah, 100%.
So CISOs lack a common language for discussing cybersecurity risk
with business executives.
Board members are used to communicating in financial terms
and discussing how risks and opportunities translate
to organizational results.
So my advice for a CISO, you have to speak the language of the board,
talk about what business outcomes you're trying to prevent. For example, you could say
I'm spending $300,000 to mitigate a potential
$2 million outage due to denial of service attack.
Whenever possible, CISOs should report in financial terms.
How do you translate cyber risk into potential financial impact?
Scenario planning is also a powerful technique that CISOs can use to create effective cost-benefit analysis.
I think also the CISOs should really encourage the board to bring on a cyber expert.
A board member with a strong cybersecurity awareness and background can help support the CISO by amplifying the importance of their cybersecurity investments, form a cybersecurity committee at the board level,
but start talking about business outcomes, start doing scenario planning,
quantifying the possible risk and financial
terms and the cost-benefit analysis, and create a special cyber
committee on the board where you bring a cybersecurity expert. That would be some
pieces of advice. That's Aleksandr Yampolskiy from SecurityScorecard.
And joining me once again is Andrea Little Limbago.
She is Senior Vice President for Research and Analysis at Interos.
Andrea, it's always great to welcome you back.
You know, you and I were talking about this year's RSA conference
and the theme of the human element.
And you've been part of RSA conference of helping with some of the programs and things
there. Where do you suppose we stand when it comes to that notion of the human element and
cybersecurity? Yeah, and thanks for having me, Dave. It's interesting. I think a decade ago,
it really wasn't discussed all that much. And now it's almost taken for granted. So that alone to me is a great transition acknowledgement.
I think we still tend to see quite a bit on blaming the user.
User is stupid. There's nothing you can do.
And that defeatism doesn't necessarily help,
and it certainly doesn't help in creating technologies
that take for granted that humans are going to click on things
and may be imperfect.
But I'd say that the segment of the community
that still kind of is in that paradigm is decreasing
and we're seeing more and more the objective of,
how can we create technology that works given human flaws?
Because we all have them.
It can be very easy to be tricked into clicking on something
that's very targeted at you.
So I think we're seeing really a nascent movement
in some of the innovation for how we can create technologies
that take into account human fallibility,
but also then help provide the defenses
that take that into account.
So a couple of different areas that we're seeing that.
One is just really the notion of security culture.
I think that helps a lot, and that's the non-technology.
I think perhaps we looked at people, processes, and technology.
The processes is a good part where the security culture,
we saw a lot of interest in that for submissions for RSA this year.
I think that's great, but it's interesting because on the one hand, it seems like it's been talked about for quite a bit,
but it is something that's really hard to do. And I think anyone who's worked
in an organization knows that creating a culture is
very, very hard. And destroying one is actually
quite easy. And so making sure that you're building a security culture that enables
people to feel comfortable
saying they may have done something wrong
versus penalizing them for it can go a long way.
And so there was a fair amount of interest
and innovative ways for the security culture.
And that's actually some of the technology
can come into play as far as different gaming solutions
to help people make it more the gamification of security,
to help them understand and learn
and make it more interesting
than a click-through PowerPoint might be.
And so I think that's an interesting way,
an area that we've seen.
I'd say also there's a lot of discussion on the metaverse
and how we can think about security
before it becomes widespread.
And one, I think that that's great
that we're at a point
of maturity where we can think about
security as the technology
is really still being built
and growing instead of it
being an afterthought.
So I'm cautiously optimistic about that,
but still I think there isn't enough
discussion on it. There will be some
discussion on it and how to think about that,
but the metaverse introduces all sorts of the very similar kinds of problems that we see
currently on the internet. You mentioned maturity. And in my mind, I think that's a big part of it.
I wonder about the kind of professionalization of cybersecurity that we've seen over the last decade or so. You know, it's not, it's no longer that elite group of, you know, hackers who came up with
their soldering irons and, you know, working hard, you know, throughout the night.
It's not so individual based anymore is what I'm saying.
And I think, as you say, that's leading to more diversity in both the types of people, but also in thought.
And so it seems to me like that's a big part of what's leading us to better solutions.
Yeah, and I think that's absolutely right.
The professionalization of the industry, which I know some have kind of pushed back against, but for the most part, it's here.
We need to see every company has security concerns at this point.
And so the professionalization of it has helped in that manner.
And it has, I think that coupled with the many diversity efforts that we see,
and then coupled with just the way academia has changed and evolved as well
to integrate various aspects of security across disciplines in many regards.
There's still a ways to go, but I think all of those together
really have helped increase the maturity of it.
It's more and more discussion of CISOs being
in the C-suite now versus being on the side.
Right, C in name only.
Yeah, yeah, exactly.
That's exactly it.
Right.
And so I think that helps out a lot.
Again, I think there's a ways to go, but the professionalization of it really will also help us provide and learn lessons from others so we can then share.
I think that's also a core component is the information sharing.
We often think about that as sharing on IOCs, which is important, but sharing lessons learned on how to build a security culture, for instance, or how to deal with insider threats, those kinds of lessons learned, sharing those across
the profession is really, really important.
And that, again, is also something else that we're seeing is a greater desire to help both
acknowledge some of the challenges you're having and see if others have figured out
a way to solve those, or if something is working, sharing that with others so they also can.
Because at the end of the day, we're trying to raise up all boats, right?
Because think about it within your supply chain,
very often it's the company that you maybe have a partnership with
that has the lowest level of security that could then be the entryway into your own company.
And so it is in everyone's best interest to help raise up the cultural awareness
across all of your partners and across the entire industry.
And so it's nice seeing a movement in that direction.
I think it's a little overdue
and it's still not where we need it to be,
but it's great seeing a broader awareness
and encouragement of collaboration
to help everyone build a better security culture.
Yeah, for sure.
All right.
Well, Andrea Little Limbago, thanks for joining us.
Great. Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity. Thank you. the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and
senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.