CyberWire Daily - Configuring AWS buckets. New threats and vulnerabilities. Apple and Oracle patch.
Episode Date: July 20, 2017
In today's podcast, we discuss a timely reminder from Amazon Web Services: check your cloud's configuration. Hacks now seem to affect revenue for years. A rundown of some new threats and vulnerabilities. Apple issues security patches for iOS, macOS, and Safari. Oracle fixes more than 300 bugs. Dale Drew from Level 3 Communications on the responsibilities of ISPs. Chris Ensey from Dunbar Cyber Security, on the roles states play in creating an environment for innovation and success in cyber security. And forget Mayweather-McGregor—the pay-per-view we'd sign up for is Putin-Wittes.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Amazon Web Services has a timely reminder.
Check your cloud's configuration.
Hacks now seem to affect revenue for years.
A rundown of some new
threats and vulnerabilities. We've got some insights into the criminal carding market and
the training it offers. We've got some patch news. And forget about Mayweather McGregor.
The pay-per-view we'd sign up for is Putin-Wittes.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 20, 2017.
Amazon Web Services has sent its customers a reminder that access control lists, those are ACLs,
they govern who can see the content of their S3 buckets,
and that they should look at their buckets to ensure that public read access is enabled only where it's supposed to be.
Misconfiguration, often by third parties, has hit data held by large organizations hard this summer,
but AWS wants customers to remember that protecting information from inadvertent exposure isn't that hard.
So, an S3 bucket isn't exactly a set-it-and-forget-it Ronco toaster oven, but really it's not that
complicated.
TalkTalk's revenues declined in the first quarter, and analysts attribute this in
large measure to the breach the telco sustained in 2015. This report suggests effects of cyber
attacks can linger, a lesson worth considering in the wake of NotPetya, particularly with respect
to its effects on shipping and manufacturing.
TalkTalk, whose breach is nearly two years old, is still suffering.
It reported a 3.2% slip in revenue in the first quarter this year.
Its CEO at the time of the incident was Baroness Dido Harding, who left her job at the beginning
of April.
The proximate cause of the revenue decline is given as recontracting consumer customers to new, lower-cost, fixed-rate plans.
Some new threats and vulnerabilities are worth a mention. Malformed Windows MSI files are now
known to infect Linux systems, too. Researchers call the vulnerability Bad Taste. CyberArk's
Red Team reports a form of domain fronting
that can mask attackers' command and control traffic.
It abuses content delivery networks and high-traffic domains.
Domain fronting uses different domain names at different layers of communication.
The technique, CyberArk says, is in use in the wild
and can be applied to highly targeted attacks.
As fears of election hacking persist, the Dark Hotel APT group appears ready to offer
a fresh approach to political hacking.
The online gang uses whaling, digital certificate factoring, and Inexsmar malware in its attacks.
In the second cryptocurrency heist reported this week, a hacker stole Ethereum currency worth approximately $30 million by exploiting a vulnerability in a Parity wallet. Parity is working on a fix.
This is a distinct attack from the one CoinDash reported earlier this week in the course of its initial token offering.
Comodo, the New Jersey-based security firm, warns of a new kind of phish bait being used
by criminals in the wild. It's a continuation of the long-running trend of phishing growing more
clever and more tightly targeted, almost to the point of spearphishing. This new approach presents
the phishing email as a response to an earlier request for information by the victim. Most of
the intended marks of the technique are in the U.S., but the approach has been seen in at least 20 other countries.
Taking a quick look at our CyberWire event tracker, if you're headed to Black Hat,
don't miss Deep Instinct at booth 873. B-Sides Las Vegas is happening July 25th and 26th.
You don't want to miss that. ClearedJobs.net is having a Cyber Texas job fair on August 1st.
There are cybersecurity summits coming up in Chicago on August 8th
and New York on September 15th.
And the 8th annual Billington Cybersecurity Summit
is coming up September 13th, 2017 in Washington, D.C.
You can find all the details and find out how to list your event
on our CyberWire event tracker at thecyberwire.com.
Cybersecurity is, of course, a rapidly growing industry,
attracting innovation and investment, and with that comes a desire by the states to attract and
nurture cybersecurity companies, with the high-paying jobs and highly educated people
that come with them. Chris Ensey is chief operating officer at Dunbar Cybersecurity,
and he also co-chairs the governor's Workforce Development Board Cybersecurity Task Force for the state of Maryland.
I asked him about what it takes for states to compete in a hot cybersecurity market.
So, you know, you are a Maryland company, as are we here at the Cyber Wire,
and so we have a certain amount of pride of our local accomplishments and so forth.
But I'm curious, when you look at the bigger picture of any individual state,
when a state tries to compete for cybersecurity dollars, for cybersecurity workforce,
what are the kinds of things that states have to take stock of
and look toward in terms of investments and being able to attract organizations and people?
So I think the resources that they have in terms of the workforce are oftentimes going to be looked at as one of the lifebloods of any thriving business in this industry.
They have to look at, do we have the resources?
Are we developing the right talent skill sets? And can we keep those talented people in the state? So I think Maryland is in a unique
position because of our geography almost to retain a lot of localized talent. We've got,
obviously, the influences of the Department of Defense and the intel agencies, Washington, D.C., co-located right
next to us. Also, a growing set of commercial entities that are focused on opportunities here
and beyond. There's a lot of really interesting things happening locally in terms of incubators,
startups, new technology that's emerging that's coming either out of government programs,
institutions, and the academic community, or even just homegrown things that have emerged that are starting to take a
national and even a global footprint. That said, I don't want to over sugarcoat it either. I think
there's a lot of things we still have to do to take a seat at the table of the best states in
the United States that are focused and have resources for cybersecurity.
What are some of the areas where you think a state like Maryland needs to improve?
Well, I think while we've built out some great companies and we've taken a definite,
noticeable position in the U.S. as a source of cybersecurity talent, mainly due to the fact that
we have the federal influence and the centers of excellence here from a security perspective.
I think that if you look at the overall ecosystem that's out there of producers of cybersecurity services and products and technology,
we would fall kind of far down the list.
One of the areas I think that limits Maryland in a sense is that sometimes we do have a myopic focus on the Department of Defense
contractors and the type of work that goes into that sector. And I think that at times can maybe
detract a little bit from the opportunities that are out there to build global products and
solutions that make their mark in terms of the state's place in the competitive landscape of
companies that are out there. One of the things I'm always critical of in the state of Maryland, when I look at all these
different activities that are going on and different business development initiatives and
training programs and grant programs that people are contemplating, is that what are we doing to
put all those pieces together? And I think in general, I see a lot of overlapping initiatives.
I see a lot of competing interests almost. And I
think that's holding us back to a degree. We haven't quite cracked the code on how do we
make it so that we're bringing more opportunities to the state at mass scale, using every resource
we have in conjunction to make it happen as explosively as possible.
That's Chris Ensey from Dunbar Cybersecurity.
There have been some more patches this week. Apple has issued patches for macOS, iOS, and Safari,
and Oracle has fixed 386 vulnerabilities in its products. Many of Oracle's issues were discovered and reported by security vendor Onapsis. Finally, we're noticing a couple of
things these days. First, we're aware that Mayweather and
McGregor are holding a round of really interesting joint press conferences in the run-up to their
middleweight title bout, as our sports desk keeps telling us. And remember back in the 80s when it
was morning in America? Our Heartland desk does. And they remind us that a candidate for governor
of Texas challenged Libyan strongman Muammar Gaddafi to a duel to the death in a cabin cruiser on the line of death that Colonel Gaddafi drew across the mouth of the Gulf of Sidra.
The chosen weapon was bowie knives.
It didn't happen, as far as we know, and the challenger lost the election.
But his spirit lives on.
We're thinking that spirit lives on in particular over
at Lawfare, a blog we often read with interest on cyber legal and cyber policy issues. President
Vladimir Putin is a noted martial artist, but the editor of Lawfare, Benjamin Wittes, thinks he's a
chump ripe for the dropping. I'll fight Putin anytime, anyplace he can't have me arrested, the extreme editors said back in October 2015.
But we think the time is finally right for it now.
If the editor can pull it off, we'll set it up on pay-per-view.
And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You had an important point to make today, and that was that
as we see the evolution of some of these threats,
you're seeing that ISPs have some specific responsibilities, and those responsibilities
may be growing. Yeah, absolutely. And what I'd say is, you know, what we're seeing is,
we're seeing threats becoming much more global, much more often. We're seeing threats that the
bad guys want to take advantage of these sort
of deep entrenched and deep rooted protocols and systems that have large scale impacts across the
entire net. And again, you know, WannaCry is a really good example of a single exposure that
has a significant sort of global impact. Today, we rely on a very specific set of community members within the security community who are analyzing malware at the application layer to be able to be the eyes and ears for that sort of global problem.
to detect those exposures, but be able to stop those exposures and then collaborate across networks to be able to get as close to the edge of the bad guy as you possibly can to stop it and
figure out where the fingers on the keyboard are. If you look at Level 3 as an example,
we are a huge proponent of something called DOTS, which is the DDoS Open Threat Signaling Protocol.
Now, that protocol is originally being established to help be able to communicate about DDoS attacks across ISPs to be able to stop DDoS attacks quickly. But
it's more of a signaling protocol on threats. And so you expand a protocol like that to be
threat-based. You can push phishing attacks and malware attacks and DDoS attacks across the entire
network ecosystem and eventually the entire security
ecosystem to be able to stop threats. The ISP could also be shutting down command and control
systems. We do this once every two hours. We find C2s that have significant influence in the
industry and we block the C2. And ISPs, they're very concerned
about blocking internet addresses
because they don't know the other purpose
that IP address serves.
So they tend to be a little gun shy in that.
And I think it's time that we start leaning
into this problem a lot more.
Are you seeing the adoption
of these kinds of techniques by ISPs?
Is that collaboration happening?
Are people getting on board?
I think today when the threat level reaches a certain saturation point that the community comes together and tries to solve it.
But it takes a global event right now for us to be able to do that.
And that capacity, that capacity for the entire ecosystem to work together at once is there.
That apparatus is available.
And I think that we need to get a
lot more proactive in being able to stop these threats before they become global problems and
use that entire ecosystem apparatus to make it much more difficult for the bad guy to operate.
Dale Drew, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.