CyberWire Daily - Chip vulnerability disclosure controversial. Black market and point-of-sale malware. SEC charges ex-Equifax exec with breach-related insider trading. Tensions over Salisbury nerve agent attack.
Episode Date: March 15, 2018
In today's podcast, we hear that AMD continues its investigation of the backdoors and other vulnerabilities CTS Labs publicly disclosed. That disclosure remains controversial. BlackTDS offers malware distribution as-a-service on the black market. PinkKite is a small but persistent point-of-sale threat. The SEC charges a former Equifax exec with trading on non-public information of the credit bureau's data breach. Germany, France, and the United States join the United Kingdom in denouncing Russia for the Salisbury nerve agent attack. Rick Howard from Palo Alto Networks, with this year's Cyber Canon nominees. Guest is Ted Bardusch from Usermind on data-rich marketing and GDPR.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
AMD continues its investigation of the backdoors and other vulnerabilities CTS Labs publicly disclosed. That disclosure remains controversial.
BlackTDS offers malware distribution as a service on the black market. PinkKite is a small but persistent point-of-sale threat. The SEC charges a former Equifax exec with trading on non-public information of the credit bureau's data breach. Germany, France, and the United States join the United Kingdom in denouncing Russia for the Salisbury nerve agent attack.
I'm Dave Bittner with your CyberWire summary for Thursday, March 15, 2018.
AMD continues its investigation of the backdoors CTS Labs says it found in the manufacturer's chips. CTS claims the chipsets are shipping with exploitable manufacturer's backdoors, installed by Taiwan-based manufacturer ASMedia, a subsidiary of ASUSTeK. The backdoors would thus seem to be a supply chain issue. Motherboard observes that ASUSTeK settled a U.S. Federal Trade Commission case in February, when the FTC complained that ASUSTeK hadn't been properly attentive to hardware security flaws in its routers.
CTS Labs apparently gave AMD just a day before going public with its disclosure. They've been criticized sharply for the short deadline. They've also been criticized for what some observers have seen as a disclosure that's longer on marketing than it is on technical detail. In fairness to CTS Labs, other researchers have since independently validated that the flaws they identified in the chipsets are indeed real. There is disagreement about how serious a risk they represent. Some agree with CTS Labs' very dark and alarming assessment. Others think that assessment is overblown. The vulnerabilities are second-stage vulnerabilities, that is, exploitable only by an attacker who had already obtained administrative access by some other means. Phishing, perhaps.
The European Union's GDPR regulations kick in this coming May, and among the many groups it's sure to impact are online marketers. Ted Bardusch is CISO at Usermind.com, a company that helps provide business process automation. He joins us to help explain how data-rich marketing will intersect with GDPR.
Data-rich marketing is getting beyond just the old focus groups that people used to do and taking advantage of the fact that with electronic and digital media, we have a far better idea of who and what people are, what they do, what their interests are, what their activities are. And there's a tension here, of course: some people don't want us to know as much about them as we do. Some people are very concerned about that. And Europe has led the way in addressing that with a General Data Protection Regulation that is providing a lot of guideposts on what we can legitimately keep track of and what we can't, and how we have to treat people's data and what we have to do to assure the individual that we are handling things correctly.
So walk us through that. How do you strike that balance?
It's got to be something that's done, A, with respect for an individual's data. I think if you approach it with the attitude that this data isn't your data, it's the person's data, then you're going to have a lot easier time figuring out what is the right or wrong thing to do. For example, not keeping track of someone's data from 10 years ago if you haven't been in touch with them since. There's a pretty good chance they don't remember you and they don't consider that they have a relationship with you. So keeping their data is a way of forcing a relationship they're not aware of. There's a hub in England that decided their approach to being GDPR compliant was they deleted their entire email list and told everybody, just come look at our website, because they didn't want to get it wrong.
Now, I have to say, I suspect people are cynical when it comes to this sort of thing, because we're in an environment where I think we feel like so much data is being collected, and it often surfaces in, I think, what people describe as kind of creepy ways, where you go shopping for something, and then ads for that thing show up later when you're browsing on the Internet. As someone who works in this space, what do you recommend for people to do this in a way that's going to earn back consumers' trust?
That is a very good question, because I agree and I get creeped out sometimes too, and I'm really careful. Where marketing is heading is to be able to do things that people who don't think about it are going to suddenly get hit with: wait a minute, how did you know I was looking for a car? Well, it could be that in your Google Maps, you went to a car dealer, and then you were on the internet and Google served you an ad that talked about that car brand. And that's a legally legitimate thing to do, but it may creep somebody out. What we need to realize as people that are using a lot of this data is where people are going to think that's creepy and where they're not. And there are all sorts of theories being bandied around that, oh, it's a generational gap or something else. But I think people are just creeped out by what's creepy.
Yeah. And as we approach GDPR, do you suspect we're going to see a lot of people coming up short and being prepared for it?
Oh, yeah, absolutely. I was just talking to a gentleman who is working out of England, and he said he just saw a statistic that 25% of small and medium-sized businesses do not know what GDPR is in England. So yes, there will definitely be a large gap when we get to May 25th. I think a big thing that people are not keeping in their mind is that GDPR is more than just this. It's also the right to be forgotten, the right to inspect data, to correct data, and to export data. And those are things that previous privacy regulations and frameworks have not really addressed. I think a lot of companies are just not taking that into account when they think about how to be compliant. And those are things that we all have to respond to pretty quickly.
That's Ted Bardusch from usermind.com.
Security firm Proofpoint says BlackTDS, a traffic distribution system, is gaining significant black market share. It's being sold in dark web markets for $6 per day. Longer subscriptions bring a discount: $45 for 10 days, $90 a month. Criminal clients post their malware and BlackTDS handles distribution. This is another instance in which a black market functions like a legitimate market.
There's some new point-of-sale malware in circulation. Kroll Cybersecurity describes PinkKite, a small, unusually persistent bit of point-of-sale malware. Its small size, less than 6K, is comparable to other point-of-sale malware like AbaddonPOS and TinyPOS. The small footprint helps it fly under the detection radar, yet it's big enough to have memory scraping and data validation tools. Kroll told the Kaspersky Security Conference this week that PinkKite differs from its competition in three main ways: built-in persistence mechanisms, hard-coded double XOR encryption, and a back-end infrastructure that uses clearinghouses to handle exfiltrated paycard data. PinkKite's clearinghouses were in Canada, the Netherlands, and South Korea. This had some efficiencies from a criminal point of view, as opposed to the more customary practice of reporting directly to a command and control server. But on the other hand, it was a relatively noisy technique the researchers found helpful in their investigation.
Many wondered whether the U.S. Securities and Exchange Commission's recently clarified cybersecurity guidance actually had teeth. Apparently it does. Yesterday the SEC brought insider trading charges against a former Equifax executive who dumped his company's stock after learning of its 2017 breach, but before that breach was publicly disclosed. The SEC alleges that Jun Ying, former CIO of one of Equifax's business units and in line to become the company's global CIO, concluded on the basis of confidential non-public information, insider information, that Equifax had sustained a serious data breach. Indeed, it had. Knowing about a breach isn't, of course, criminal, but exercising your vested Equifax stock options and selling the shares for nearly $1 million before public disclosure of the breach might well be. The SEC says that the alleged insider selling enabled Ying to avoid more than $117,000 in losses. The U.S. Attorney's Office for the Northern District of Georgia yesterday announced parallel criminal charges against Ying.
Turning to international tensions that will have significant cybersecurity implications, Moscow has taken a very hard line against British charges that Russia tried to assassinate a spy in the UK with nerve agent. Russian official representatives have demanded to see the evidence, called the attempted murder a provocation that was actually committed by British intelligence services or their allies, warned against any of the cyber retaliation the UK is said to be considering, and chillingly cautioned Britain against threatening a nuclear power. Britain's allies have generally been strongly supportive of Her Majesty's Government's case against Russia. Many of those allies are particularly condemning the weapon used to put Sergei Skripal and his daughter Yulia into critical condition. NATO Secretary-General Jens Stoltenberg today called the attack unacceptable, saying nerve agents have no place in the civilized world. He also connected the attempted assassination to Russian policy: the attack in Salisbury has taken place against the backdrop of a reckless pattern of Russian behavior over many years. The UK has requested an emergency meeting of the United Nations Security Council. U.S. Ambassador to the UN Nikki Haley denounced Russia for the attack in the strongest possible terms, indicating that the UK can count upon U.S. support in the Security Council and probably beyond. Some form of heightened cyber conflict can be expected, as both sides to the dispute possess considerable operational capabilities in cyberspace.
And finally, this morning the U.S. Treasury Department announced a new round of sanctions against Russia as reprisal for both election influence operations and cyber attacks, specifically the NotPetya campaign that spread from targets in Ukraine to a large number of victims elsewhere, especially in Western Europe, but also in North America. Particularly targeted are individuals and institutions named in the Justice Department indictments, like the notorious Internet Research Agency, the St. Petersburg troll farm. But also affected are some of the wealthy oligarchs who constitute mainstays of President Putin's rule.
And joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks, and he also runs Unit 42, which is their threat intelligence group.
Rick, welcome back. We have spoken a few times about the Cybersecurity Canon Project, which we agree with you all is an important way to help keep everybody safe out there. You all are coming up on a milestone here. What's going on?
Yes, it's hard to believe, but we are coming up on five years of running this thing. I'm thrilled and excited and can't believe it's taken that long. As you know, one of the reasons we started it was the fact that we are all busy people. And if you were to decide this year that you're going to read a book or two to get smart on some new cybersecurity thing, you might go over to Amazon and take a look at cybersecurity books. Well, Amazon will return some 1,500 tomes to choose from. So how do you choose which ones you're going to spend time with? So the Canon Project consists of 15 committee members. They're network defenders, they're CISOs, CIOs, CTOs, journalists, consultants, lawyers, general practitioners. And they read the books, they write book reviews, and they make the case that a particular book falls into one of three buckets: this is a must-read for all of us; not a must-read, but will have some niche interest for some of us; and do not bother, which I think is the most important category we have there, right? So this is kind of a community service for the network defender community. So let me ask you, are you a sports fan or a music fan, or are you both?
I would say of the two, definitely more on the music side of things.
All right, so what we've done is set up a project similar to the Rock and Roll Hall of Fame, to cater to my host here, right? So the committee members read the books and make their recommendations. If the book is a must-read, it goes on the candidate list. Every year, the committee selects a handful from the candidate list to be placed into the Hall of Fame, very similar to the Rock and Roll Hall of Fame. So as of today, we have 76 books on the candidate list, and we put about 19 into the Hall of Fame, which gets me to the gala, which is the reason we're having this conversation.
Right. Not just an announcement about the Cybersecurity Canon, but an invitation as well.
Exactly right. So on May 3rd, we are hosting the fifth annual Gala Dinner Awards ceremony at the stunning Mandarin Oriental Hotel in Washington, D.C.
You're quite the salesman, Rick. Go on. Go on. Keep going.
So we are inducting five new books from the candidate list into the Hall of Fame this year, and all the authors will be present to receive the reward. So that's kind of cool. They all come in, you get to meet them and things, right? Yeah. Now, we modeled the gala after the Academy Awards, so I dress up in black tie. Just made my appointment to go down to the Men's Wearhouse to get my tux, right? And I hand out these very heavy statues to all the authors. And so local cyber luminaries and students from the tri-state area come to meet the authors. We have a great dinner, and they all come to support the Cybersecurity Canon Project. So if anybody who's listening wants to come, they can find me on LinkedIn and I will send them the invite.
Would you have a favorite this year? One of the books on the Hall of Fame list that really struck you as being important?
My favorite book on the Hall of Fame list is the book that got me into cybersecurity in the first place, way back in the late 1980s. And it's The Cuckoo's Egg by Clifford Stoll. And it's the first time we all realized that there was actually cyber espionage going on. And in that particular book, Mr. Stoll tracks down Russian cyber espionage spies that used East German hacker mercenaries to break into university systems, to break into government systems. Because, you know, back then there was no security. It was just strings and cans. Okay. That book reads like a novel, and it's just fantastic. And it turned the corner for me. It made me want to be a cybersecurity person.
Yeah, you know, one of my favorites, one of your recipients, is Steven Levy. One of his books is on there. And from way back, one of my favorite books is Hackers: Heroes of the Computer Revolution. I devoured that book when I was, I guess, high school age. That really set my imagination going. So, yeah, these books, they can make a difference.
Hackers, that book is right now on my bed stand and in the queue next to read. So that's a good one.
Good choice.
All right, Rick. Good talking to you as always. Good luck with the event.
Thank you, sir.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening. We'll see you back here tomorrow.