CyberWire Daily - Comments on the Deloitte breach. SEC Commissioner talks to the Senate. Sonic breached. Vulnerable stock-trading apps. Russian influence operations shift their focus.
Episode Date: September 27, 2017
In today's podcast, we hear more about the Deloitte breach. Deloitte's still saying little, but other people are talking. The SEC tells the Senate it's "deeply concerned" about its own breach. Popular iOS and Android stock-trading apps are found vulnerable. Sonic drive-ins have sustained what looks like a pretty big breach. Ben Yelin discusses a bipartisan bill to improve IoT security. Isaac Kohen from Teramind on detecting employees involved in radical political activities on company time. Russian influence operations against the US are turning toward local government, religious groups, civic associations and others at the grassroots. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. If you want to execute at machine speed, doesn't it make sense to see what the algorithms a good machine runs on can do for you? Check out sponsor Cylance.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Deloitte continues to investigate its breach, saying little, but other people are talking.
The SEC tells the Senate it's deeply concerned about its own breach.
Popular iOS and Android stock trading apps are found vulnerable.
Sonic drive-ins have sustained what looks like a pretty big breach.
Russian influence operations against the U.S. are turning toward local government,
religious groups, civic associations, and others at the grassroots.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 27, 2017.
Deloitte continues to say little about its breach, maintaining its position that few clients were affected.
Outside observers think the incident involved failure to use multi-factor authentication on an admin account.
They also think earlier reports that government organizations were affected seem to have been inaccurate.
We heard from experts at Vasco Data Security and Virsec Systems, who offered their views on the incident.
Vasco's John Gunn thinks massive leaks of pay card information and social security numbers have flooded the black market to the extent that these commodities have become devalued.
There's a glut on the market.
Gunn told us in an email, quote,
What we will see now is a continuing rise in attacks on other sources of confidential data that can profit attackers.
Material information that could be used, for example, for insider trading
or to yield trade secrets is now much more attractive than mere credit card number theft.
Firms such as Deloitte that have troves of sensitive non-public information
that could be used for illegal trading activity
will find themselves increasingly in the crosshairs of sophisticated hacking organizations.
William Leichter of Virsec commented that what's critical is to react quickly.
We asked Gunn and Leichter some follow-up questions.
First, Deloitte has said that only six customers were affected, and these only in relatively minor ways.
Are there any indications the breach may have been more widespread or more serious?
Gunn said,
My guess is that the hackers were likely seeking confidential or inside information
that they could use for gain in stock trades or for blackmail purposes.
It would be very challenging to make a reliable estimate of how many parties may have been affected.
If none of the information taken had any value, then the answer is zero.
Leichter had a different take, and he sees the slow response as telling,
both in the case of Deloitte and in that of Equifax. He said, quote,
Deloitte has not acted like this is a small or trivial breach. Even if only six of their
Fortune 500 clients were affected, this still could represent tens of thousands of records.
Multiple sources have reported that email servers and administrator accounts were compromised, and the damage could be extensive.
But the lack of transparency and slow response from Deloitte, Equifax, and other breached companies creates frustration, confusion, and more distrust.
End quote.
We asked about reports that credit card information may have been lost.
That seemed to be an almost reflexive aspect of early reporting on the breach.
It's not clear what was lost beyond emails,
but Gunn pointed out the unlikelihood of Deloitte clients paying with credit or debit cards.
Quote,
This was not a traditional attack like the ones that we see against retail organizations with massive pools of consumer payment information, end quote.
Finally, we asked them whether they had any insight into why it took so long for this breach to become public.
Deloitte has apparently known about it for a few months.
Gunn thinks the delay is unsurprising. He said, quote, corporate network breaches are not like a physical break-in.
You don't walk in one day and see a broken door and glass all over the floor, end quote.
So Deloitte hasn't necessarily been stonewalling.
Sometimes it simply takes a while.
As Gunn explained, quote,
It can take many months of complex forensic work to confirm that a breach occurred
and to determine the extent of the intrusion and possible damage, end quote.
Leichter thinks there are lessons here for public policy.
He said,
There is a fundamental problem with most disclosures of public breaches.
While there are breach notification requirements in 47 states, there are not strict rules on
timelines and how much needs to be disclosed.
Many companies fall back on disclosing as little as possible and waiting as long as
possible to hopefully manage the fallout.
But as we've seen in many cases,
the fallout is usually worse if companies delay disclosure
and consumer data can be exposed for long periods without their knowledge.
We need to look at the new European GDPR rules,
which require notification of any serious breach to authorities within 72 hours.
End quote.
If you're an employer, no doubt you'd try
to strike a balance between respecting your employees' privacy and securing your network.
In the U.S., employers have the right to monitor what workers do on company-owned machines,
but nobody likes to think that the boss is looking over their shoulder.
Still, there are certain kinds of activity that can and should set off warnings.
Pornography is an obvious one, but what about radicalization?
How can you tell if a network user is simply curious about something they read in the news,
or on a path toward being brainwashed and radicalized?
Isaac Kohen is CEO at Teramind, and he offers his perspective.
Radicalization starts by a person doing research, essentially, either because they've heard of something or something triggered their desire to learn more about it.
And then as they do research, they come to certain websites, certain elements in social media that push them and sort of brainwash them into that material that they want to brainwash.
So obviously, it's a big problem. Early detection is extremely important.
So you want to tackle the problem at the initial research stage.
And it's definitely something that educational institutions and even commercial organizations
are looking at.
So give us an overview here.
If I'm an organization and my employees are using our systems to search, to do research, to just read things they're interested in on their lunch hour or before or after work, what are my rights and responsibilities when it comes to that sort of web browsing?
Obviously, each country has its own rules and laws governing privacy.
What we focus on is employee usage of company computers, company hardware, during work hours.
That really narrows it down, but it's better than nothing.
And if you look at it objectively, that's eight hours of an employee's time
they spend on company computers a day.
So you can still capture a lot of that person's activity for better or worse.
You don't have to actively report or monitor anything.
I'm not talking about specifically any one software or another,
but what you can do is just define triggers.
So when someone sees the word jihad
or some other radicalization keyword on the screen,
then trigger an alert without violating that person's privacy,
without monitoring what they do in their private bank account, for example.
So how do you differentiate between someone who may just be curious about something, maybe against the thing that they're searching for, and is just looking to do some research to educate themselves, versus someone who's headed down a slippery slope that you may want to get in the way of?
Well, the larger the organization, the easier it is, because in a large organization you'll have a baseline for anomaly detection, right?
So if you have a 10,000-person organization, then N%, a very small percentage, but whatever, will be interested in this type of thing and research it.
However, if 3% research jihad, but three people in the organization research it, you know, six hours a day, then those three people should be under watch, or they would be the anomalies.
So it's not necessarily just a keyword trigger, right?
You would also say, well, where is the keyword?
Is it in an outgoing email that might have more weight than just browsing a website?
And if it's in an email, how many emails went out to how many recipients?
If it's in a website, what was the domain of the website?
Was it CNN or was it something in the dark web?
So there are many, many factors you can look at.
It's not as simple as a person seeing this keyword on the screen.
That would trigger lots of false positives and it would lose its value.
If you think about it, it's just as sensitive as investigating someone who might research about suicide.
It's something that you wouldn't want to tell others.
You would want to approach this person in an extremely sensitive way.
So you have to mitigate.
People get radicalized.
People from all walks of life, people get brainwashed.
The faster you catch it, the less damage you'll have.
That's Isaac Kohen from Teramind.
Taking a quick look at our CyberWire event tracker,
the SANS Technology Institute has an online information session
September 28th, that's tomorrow, where you can learn all about
how to earn a master's degree in cybersecurity.
That's at noon on the 28th.
Coming up on the 9th and 10th of October in Krakow,
there's an event being held by CyberSec, the European Cybersecurity Forum.
It's called Dealing with Cyber Disruption.
ClearJobs.net is hosting a Cyber Maryland job fair on October 11th in Baltimore.
And UMBC has a Cybersecurity Graduate Program Information Session.
That's October 11th in Rockville, Maryland.
The International Information Sharing Conference is coming up
October 31st through November 1st in Washington, D.C.
It's called Cybersecurity is a Team Sport.
And we here at the CyberWire are pleased to present
the fourth annual Women in Cybersecurity reception
that's coming up Tuesday, October 17th here in Baltimore, Maryland.
You can find out more about all these events
and how to list yours at thecyberwire.com slash events.
Moving to another big breach story, the U.S. Securities and Exchange Commission told the Senate that while it's deeply concerned, no personal information was compromised.
To most observers, that was never a concern. Exposure of sensitive material corporate information was the issue.
One newly reported breach, and it's a large one, does involve that commodified paycard data that weren't the apparent targets of the hoods who hit Deloitte and the SEC.
This news comes from the U.S. drive-in restaurant chain Sonic.
The breach came to light yesterday as banks traced patterns of fraud to the Oklahoma-based chain.
Investigation is in its early stages, but millions of cards could be affected.
IOActive took a look at the security of 21 popular mobile stock trading apps and found them wanting.
Many didn't require two-factor authentication to access bank accounts,
man-in-the-middle vulnerabilities were common, and some didn't encrypt traffic.
Investigation of Russian influence operations in the U.S. continues. The goal is by now clear: disruption and erosion of the trust that sustains civil society.
There are, Foreign Policy argues, signs that Russian information operations are shifting away from national targets and moving toward local governments, associations, religious groups, and activists.
This is nothing new, considered against the background of Russia's history with propaganda.
Retrospectives on WannaCry continue to attribute the ransomware or pseudo-ransomware to North Korean operators using tools allegedly stolen from NSA.
In an information operations display, Russia's Sputnik News strongly connects those tools with a U.S. agency, but passes over in silence how those tools were obtained and released.
After all, in influence operations, the important lies need a bodyguard of truth.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, we saw a story come by via Krebs on Security about a new bill that's trying to improve Internet of Things security standards.
Yeah, so this is introduced in the United States Senate. It has bipartisan support.
It was introduced by Republican Senators Cory Gardner and Steve Daines, and it's also supported by Mark Warner and Ron Wyden, who are Democrats.
And the bill would direct the White House Office of Management and Budget, OMB, which does government contracting, to develop alternative network-level security requirements for devices with limited data processing and software functionality.
It requires every executive agency to inventory all of their internet-connected devices in use by the agency, to make sure that the devices can be patched, for example, when security updates are available, so that the devices are not hard-coded, and to make sure that the vendors that they're using are ensuring that the devices are free from known vulnerabilities when they're sold.
Obviously, this comes in the wake of very high-profile cyber attacks, most notably on the Office of Personnel Management a couple of years ago.
And the bill is supported by basically every relevant group you can think of. This article mentions the Center for Democracy and Technology, the Berkley Cybersecurity Project over at Harvard, the Berkman Klein Center for Internet and Society.
So it's a widely supported bill, at least at this point. Obviously, with such an anemic Congress, we never know the true likelihood of it being enacted, but I think the chances are pretty good.
And would this apply to purchases by the federal government itself? So this is really only applying to government things and not necessarily, for example, consumer devices?
Yeah. So this would apply to government vendors, meaning when the government makes a purchase, and they make millions of purchases, they would need to make sure that the devices that are being sold have a basic level of security if it is an IoT, Internet of Things, device.
So this does only apply to government purchasing.
But as we see in all areas of the law and policy, sometimes the government can really set the standard. When the federal government wants to make a change, for example, to health policy, some sort of payment reform, they'll do it through Medicare, which is a government program. But because Medicare is such a large payer, it ends up having a ripple effect on the rest of the healthcare system.
And I think sort of the same thing is happening here. If the standards for government vendors are higher, then perhaps the private sector will naturally follow suit because the government is such a large purchaser of these devices.
Ben Yelin, thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.