CyberWire Daily - Counting coup against REvil (and other gangs are taking note). Export controls and dual use. A timing bug will surface this weekend.

Episode Date: October 22, 2021

REvil’s troubles appear to be the work of an international law enforcement operation. Other gangs have noticed, and they’re looking a little spooked, even as they evolve their tactics in a maturing criminal-to-criminal market. Questions are raised about the efficacy of surveillance tool export controls. Caleb Barlow has cyber security considerations for CEOs and boards. Our guest is Mickey Boodaei of Transmit Security on the movement to do away with passwords. And if you liked Y2K, you’re going to love ten-twenty-four. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/203

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. REvil's troubles appear to be the work of an international law enforcement operation. Other gangs have noticed, and they're looking a little spooked. Questions are raised about the efficacy of surveillance tool export controls. Caleb Barlow has cybersecurity considerations for CEOs and boards.
Starting point is 00:02:19 Our guest is Mickey Boodaei of Transmit Security on the movement to do away with passwords. And if you liked Y2K, you're going to love 1024. From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, October 22, 2021. We close the week with what appears to be some good news. Speculation that REvil's second disappearance may have been induced by law enforcement activity seems to have been borne out. Reuters reported late yesterday
Starting point is 00:03:13 that REvil's difficulties in re-establishing itself, including its loss of keys and loss of control over its servers, were due to a concerted effort by law enforcement, intelligence, and military agencies, with the cooperation of private security companies, to knock the gang offline. One feature of the operation appears to have been the compromise of REvil's backups, an aspect of the operation some who commented found ironic, given the attention ransomware gangs tried to pay to backups. A representative
Starting point is 00:03:46 of the U.S. National Security Council said only, according to Computing, a whole-of-government ransomware effort, including disruption of ransomware infrastructure and actors. So, whole-of-government, which implies both civilian and military agencies and organizations, but also an allied action. The operation was also international, with participation by other unspecified but like-minded countries, and so efforts to build an international consensus against ransomware may be bearing some first fruits in the action against REvil. The cyber underworld will adapt and is already showing signs of doing so, security researchers note.
Starting point is 00:04:38 One immediate response, noticed by security firm Profero and reported in The Record, is some shifting of ill-gotten assets. The way in which the authorities wrapped REvil around their fingers clearly gave DarkSide, for one, the willies. That particular ransomware gang early this morning began moving its assets, shifting about 107 bitcoin, that amounts to around 6.8 million dollars, from the wallet where they'd been cached. Omri Segev Moyal, CEO and co-founder of Profero, told The Record, quote, basically since 2 a.m. UTC, whoever controlled the wallet started to break the Bitcoin into smaller chunks. At the time of this writing, the attackers split the funds into seven wallets of seven to eight Bitcoin, and the rest, 38 Bitcoin, is stored in the following wallet.
Starting point is 00:05:26 How effective that will prove in keeping the DarkSide stash safe from compromise and confiscation remains to be seen, but it's worth noting that such shifts aren't invisible and aren't necessarily beyond the reach of the authorities. Good hunting to them. Other recent trends among the gangs are also interesting. We saw yesterday that Kaspersky researchers looked specifically at Russophone gangland, the criminal market leader, and found increased division of labor, commodification, and C2C marketing. The criminal supply chain now extends to business email compromise. Palo Alto Networks' Unit 42 has found that BEC
Starting point is 00:06:06 is now being offered as a service. In this, Unit 42 told ZDNet, BEC is following the path of ransomware. Quote, similar to ransomware, we're seeing an increased number of attackers getting into BEC, and we're also seeing it mature into, like ransomware as a service, BEC as a service. They're becoming more tech-savvy. They've been in the commodity space and are starting to include publicly disclosed vulnerabilities. They're becoming more professional, end quote. Such professionalization is consistent with the ways in which criminal markets tend to imitate legitimate markets.
Starting point is 00:06:46 It's also been seen in the deployment, which we discussed earlier, of front companies by criminal gangs like FIN7. These are recruiting gambits, attempts to recruit staff with conventional promises of regular hours, high pay, and the like. No word on benefits like a 401k or a health plan, but who knows? Those might be coming too.
Starting point is 00:07:07 The Intercept has a long essay on the use of NSO Group's Pegasus tool by Moroccan security services against that kingdom's dissidents. The surveillance isn't confined, the Intercept says, to Pegasus infestations of targeted smartphones, but rather represents a general policy of inducing a sense of general surveillance, a kind of panopticon, into the daily lives of the kingdom's subjects. Morocco's government denies using Pegasus or other tools for such widely criticized purposes. Restricting the export of tools that might be abused is one purpose, Decipher writes, of the U.S. Commerce Department's interim final rule, which the Bureau of Industry and Security published at midweek.
Starting point is 00:07:56 The rule is intended to keep surveillance technology out of the hands of repressive regimes, with U.S. rivals Russia and China figuring prominently among such bad actors. The rule has met with mixed reviews, and not because people are in favor of aiding repression. Indeed, some of those who've expressed reservations, like the Electronic Frontier Foundation, typically have a libertarian take on technology. In this case, however, there are concerns that the rule might be framed in excessively broad terms, and might punish or at least inhibit legitimate security research. There are also concerns, summarized in a piece appearing in ThreatPost, that the controls themselves might also be anemic,
Starting point is 00:08:35 ineffectual in keeping potentially misused technology out of the hands of ill-willed state actors. There are familiar dual-use problems here. Technologies with perfectly legitimate uses may be abused. Penetration testing tools are a good example. By their very nature, they can be and have been abused by criminals and intelligence services. Finally, CISA warned yesterday that a GPS daemon rollover bug will hit network time protocol servers this Sunday, October 24th, rolling the date back 1,024 weeks to March 2002, with predictable disruption to services using NTP. It's a punning bug, 1024, like Sunday's date. Get it? Listeners of a certain age will be reminded of the Y2K bug,
Starting point is 00:09:28 the millennial apocalypse, that in the end turned out to be more of a whimper than a bang. But this particular problem, while not to be ignored, is fixable and so shouldn't be exaggerated either. The problem affects only GPSD versions 3.2 through 3.22. The fix is an obvious one. Upgrade systems to version 3.23 or later, and that version has been available for months. CISA recommends that concerned users consult the SANS Institute's account of the bug
Starting point is 00:09:59 for more background and information. Take a look and upgrade if you need to. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their
Starting point is 00:10:34 controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:11:27 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Okay, so real quick, name a part of your everyday computing experience you would love to see put out to pasture.
Starting point is 00:12:16 For me, it's probably email. But I'll bet a good number of you in the security world are thinking passwords. They are all too often too easy to guess, reused from site to site, and a prime target in data breaches and business email compromise. Mickey Boodaei is CEO and founder of Transmit Security, where they are working to change the password business by getting rid of them entirely. So I would say that today we're still very much in a password world. And the problem with passwords is pretty much clear. It has actually two aspects to it. The first one is on the security side, and the second one is on the customer experience side.
Starting point is 00:13:01 And both of them are getting worse over time. So from a security perspective, we know the statistics, we see the attacks every day, but more than 80% of data breaches today are due to account takeover. And account takeover is typically done by stealing passwords. And stealing passwords is becoming easier and easier over time, just because the techniques for stealing passwords from phishing to malware to social engineering are becoming more sophisticated. And it's much easier to get users to reveal their passwords when they have so many passwords and so many interactions with so many systems. So we're seeing a constant increase in the number of attacks, in the sophistication of these attacks, and obviously in the damage that passwords are eventually causing to the industry. Do you feel as though we're having success in getting
Starting point is 00:14:14 folks to adopt things like password managers and then, of course, multi-factor authentication? Well, the problem with password managers is that you can't really enforce them, definitely not on consumers. So it's up to the consumer to decide whether they want to use a password manager, which one they use, how they use it, and how to make sure that fraudsters are unable to steal access to their password manager, which is obviously the worst thing that could happen for the consumer. From a two-factor authentication perspective, this is actually something that you can enforce on your consumers. The problem with that is the price you're paying in terms of customer experience. So the more restrictions, the more constraints you put on consumers when it comes to password, the worse the customer experience is. And there is a direct correlation between customer experience and business results for consumer-facing applications.
Starting point is 00:15:29 So you would see that consumers, for example, that forget their passwords or that they're faced with a two-factor authentication every time they try to log in or transact or buy something, they're less likely to use these services and they're more likely to look for alternatives. So it's a very delicate balance when it comes to passwords. So what's next then? I mean, if we're going to do away with passwords, how are we going to handle secure logins? Well, actually, the technology has evolved significantly in terms of password alternatives or alternatives to passwords. It used to be just one-time authentication using links that you're getting over email or OTP codes. Both of them are not very convenient
Starting point is 00:16:28 and also not very secure for the long term. But over the past, I would say, five years, we're seeing an increase in the number of devices that support biometric authentication, on-device authentication, on-device biometrics, which is the biometric readers that are embedded in the device itself. So this could be fingerprint authentication or face recognition. And with that, our ability to provide a much more secure login process, as well as a much more convenient login process, has increased significantly. The quality of these readers, both in terms of security and in terms of the customer's
Starting point is 00:17:19 experience, is increasing from one generation to another generation in a very fast way. So from that perspective, we're seeing for the first time ever a technology that is not just secure or not just convenient, but is both highly secure and highly convenient. That's Mickey Boodaei from Transmit Security. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. Thank you. businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:18:32 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is our CyberWire contributor, Caleb Barlow. Caleb, it's always great to have you back. You know, I wanted to check in with you today because you have been in the unique position of being both a security professional, but also the CEO of a public company. And I want to check in with you, what is the reality of that? What sort of things do you have to worry about from a security perspective when you're sitting in that top seat? Well, you know, Dave, I recently finished the role as the CEO of a public company, which, let's face it, gives me a little more latitude to talk about
Starting point is 00:19:31 what you've got to think about in that seat than when you're in it, right? So the responsibilities of being a public company CEO or on the board of a public company are no joke. But a lot of these same governance factors apply to any company. And it's a bit different of a perspective than you might have at a small startup. But I think there's a lot we can learn from that. So now that I've got a little bit more freedom to talk about it, I kind of laid out five things that you've really got to think about at kind of that level. If you're a CEO or a board member or supporting one of them from a cybersecurity perspective. First and foremost, you need a CISO. If you're a company of
Starting point is 00:20:12 any size nowadays, you're going to need a CISO. Here's the really key thing. Where do they report? We've seen a lot of change in the industry on this over the last few years. I think the best practice now is really not to have the CISO report into the CIO, which many of them do, or report into the CFO. And the reason for this is governance. And you've got to understand that the CIO is responsible for delivery and performance of IT services for a given cost. But the CISO's role is really a bit different in that they're responsible for managing risk and consequence.
Starting point is 00:20:51 And that security budget, well, it's got to be reviewed relative to the corporate risk, not as part of the IT budget. And you've got to determine that appropriate risk threshold, most likely at the board level. What other things do you have on your list? Well, the second thing is almost every company out there has gone out and got some sort of security assessment, but it's time to take that up a notch. There's new tools and a lot of new services from companies out there offering security validation assessments.
Starting point is 00:21:23 Now, what these are, and I would really encourage this actually to be contracted at the board level, not from the CISO or the CIO. Now, granted, they should be involved in supporting it and everything else, but it is important from a governance perspective that a board of directors actually goes out and is seen as contracting this directly. Now, what a validation assessment will do is actually launch an inoculated attack. Let's say it's a malware attack
Starting point is 00:21:52 or a ransomware incident or something like that, and actually keeps a log of what happened at what time and does this by looking at the logs. So, okay, we launched a fictitious WannaCry incident. We see that the IPS detected it at a given point, the firewall detected it. Did it correlate properly or not in the SIEM? How long did it take for the SOC to recognize the issue? Maybe it was an outsourced vendor. It took them four hours. That's not too good. Did they open a ticket? How long did it take to open the ticket? Did they
Starting point is 00:22:22 follow procedure? Did they disposition it appropriately? You kind of get this, not even just the normal things you get in a security assessment, but you also get this timeline of when we tested your entire system. Here's what the timeline looked like. And either it's green in that it matches exactly the way it should, or hey, there's a few red elements in here. You know, the guy that was on at two o'clock in the morning running your SOC didn't notice this for four hours. What's wrong? Or the SIEM didn't correlate properly. It is so critical to do that level of assessment at a board level, because if you are breached, if a regulator does come on
Starting point is 00:22:57 board, not only can you show you've done this work, but in addition to that, you can demonstrate that, hey, when we did this assessment, here were the results and here are the actions we took from it. Okay. What else is on your list? Well, hey, we know we need to drive security into the culture. We've all talked about this before. But I want you to do it at the board level, right? So what does that mean at the board level?
Starting point is 00:23:25 right? So what does that mean at the board level? That means not only regularly having security as a topic on your board meetings, but a couple of things that are now best practice. You get past the green, yellow, red lights where the CISO comes in and tells you everything's green, right? You've got to get into these becoming more educational sessions where you're talking about, you know, not the Harvey balls and the traffic lights, but getting into talking about what threats do you see, actor, campaign, motivation, maybe that we're up against, educating that board on the latest threats. Remember, it's important from a governance perspective for a board to show not only are they paying attention to cybersecurity, but they're getting educated on cybersecurity. And that's something CISOs have to take on
Starting point is 00:24:06 as part of their charter is to make sure that their board is constantly getting educated and coming up to speed. I've seen some great practices recently. You know, one large cloud company ensures that their senior leadership team has a standing meeting with all of their security leadership on a regular reoccurring basis.
Starting point is 00:24:25 In this case, it was weekly. That way, they know that if there's a security issue that needs to get elevated to senior management, it can and without multiple levels to ensure transparency. I've even seen, and lawyers hate this, but I think it makes a ton of sense. I've even seen situations where all security incidents are exposed to the board level so that board members have the ability to kind of peruse not only what happened, but what was the corrective action. Again, it's important that a board can demonstrate that not only were they making decisions and having the meetings, but they were getting educated and staying on top of these things. Interesting. One more on your list? One more. Our security documentation, Dave, it kind of sucks. I mean, I'm sorry. We all know it.
Starting point is 00:25:16 It's just us talking here. But it's time to up the security documentation to that of the level of what you'd see your CFO deals with, or if you're in a manufacturing world, kind of Six Sigma or, you know, ISO, security documentation is really lacking out there. And why this is so important is when you're breached, when there's litigation, you need to be able to demonstrate that you said what you did and you did what you said. And what I tell people to think about all the time is the volcano test. If one of your critical people fell into a volcano,
Starting point is 00:25:48 is the security documentation robust enough that a new hire off the street, you know, with the right skills and training, could figure it out and could recreate your environment? If it's not, then you've got some work to do. All right. Well, a good list for sure. Caleb Barlow, thanks for joining us.
Starting point is 00:26:17 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Doel Santos from Palo Alto Networks' Unit 42. We're discussing their recent report, Ransomware Groups to Watch, Emerging Threats Research. That's Research Saturday. Do check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
Starting point is 00:27:46 that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
