CyberWire Daily - Daily: Governments nervously investigate Panama Papers. Industry sees layoffs & an IPO.
Episode Date: April 5, 2016
In today's Daily Podcast we hear about the spreading Panama Papers tax evasion (or avoidance, or wealth hiding) scandal. US State Department databases may have unpatched vulnerabilities, and PII of Turkish citizens is posted online. We talk to SCADAfence about securing the manufacturing Internet-of-things, and Markus Rauschecker from the University of Maryland Center for Health and Homeland Security tells us about how legal standards are established in cases involving cyber security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Governments around the world open investigations into the Panama Papers,
and the news organization that published them hints that there's much more to come.
U.S. State Department passport and visa databases appear to be vulnerable, but so far there
seems no evidence of actual compromise.
Turkish citizenship or residency data have been posted online.
Israel braces for Thursday's annual Anonymous cyber action on behalf of the Palestinian cause.
And there's another guilty plea in the Silk Road case.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, April 5th, 2016.
The Panama Papers, leaked either by an insider or by an external hacker,
no one is quite sure yet, although most speculation centers on an inside whistleblower,
suggest that Panamanian law firm Mossack Fonseca had ties to some 215,000 offshore shell companies.
14,153 names have been linked to the law firm and those shell companies.
The general consensus is that their activities were aimed at evading taxes and hiding wealth.
The law firm denies any wrongdoing, and indeed it remains unclear which, if any, laws were broken,
but the optics, as they say, are very bad indeed.
Several governments, including those of Australia, Austria, France, Germany, the Netherlands,
Sweden, and the United States, have opened formal investigations.
As the leaks work their way through the global press,
Iceland's government seems to face particular difficulties.
The country's prime minister, the finance minister,
and its interior minister have all been mentioned in the leaked documents.
International soccer is also getting a black eye from the leaks,
with FIFA officials and high-profile players appearing connected to various tax evasion schemes.
No prominent Americans appear to be named in the leaked documents,
but as the New York Times reports,
this may say more about U.S. laws governing the formation of shell companies
than it does about a culture of rectitude.
Americans, an economist with the Tax Justice Network told Fusion,
don't really need to go to Panama.
Whatever the outcome of ongoing legal investigations proves to be,
the incident should serve as another cautionary tale about the importance and difficulty
of securing sensitive information.
All law firms, whether shady or sunny, should take note.
And another thing to note,
Süddeutsche Zeitung, which broke the story,
said yesterday, in effect, you ain't seen nothing yet. There are more leaks to come.
Because Süddeutsche Zeitung commented that more leaks were on the way in response to a question about
why there seemed to be no prominent Americans among Mossack Fonseca clients, there's general
speculation that such names will appear in a subsequent
tranche of data.
In the meantime, a Russian government spokesman dismisses the affair as an artifact of U.S.-driven
Putinophobia.
This Thursday, April 7th, will mark the Anonymous Collective's annual day of cyber protest
against Israel on behalf of Palestinian interests.
These operations have tended to fizzle in the past,
but sites likely to be hit are working on their precautions.
Internal audits have determined that a U.S. State Department database with information on more than
290 million passports, 184 million visas, and 25 million U.S. citizens living abroad is vulnerable
to compromise. Sources say the vulnerabilities have not yet been addressed,
but the State Department says there's no evidence of actual compromise.
There is, however, plenty of evidence that one or more Turkish government databases have leaked,
as names, addresses, and identification numbers of more than 49 million Turkish citizens
have been posted online.
The worst case is that this is a compromise of the National
Citizenship Database. A somewhat better case is that the information is a compendium of
residency databases already leaked some time ago. Investigation is underway.
Google issued its monthly patches yesterday. Eight critical vulnerabilities were addressed,
among them a fix for a bug being exploited in the wild to root Nexus 5 phones. Zimperium discovered the issue and privately disclosed it to Google on March 15th
of this year. In industry news, Dell SecureWorks is preparing for an initial public offering later
this month. Investment analysts rate the prospects of the spinoff as shaky. Revenue has been
disappointing and there are doubts about the company's ability to stand on its own. IBM continues to lay off workers. Operations in
Canada, Europe, and Australia are affected by this round, but more layoffs are also expected
in the U.S. Analysts believe the final tally may reach 14,000 lost jobs in the current fiscal year.
Palo Alto expands its partnership with other cybersecurity companies
as Recorded Future and ProtectWise both join Palo Alto Networks' technology partner program.
Palo Alto and PwC's cybersecurity and privacy practice have also announced their intent to
jointly develop a new security architecture for their customers. A Bitdefender study suggests
that the greatly expanded attack
surface the smart home presents may make the IoT, at least over the near term, a significant
consumer security headache. As observers continue to worry about this, we spoke with industrial
control system security experts from SCADAfence about threats to manufacturing processes.
Yoni Shohet is CEO at SCADAfence.
In the past few years, these networks are becoming more and more connected to external environments and it exposes them to new cyber threats. I think the challenges that
are facing SCADA are unique, not because of vulnerabilities or zero days that exist inside
specific devices or specific protocols, but more about a general problem that these networks,
because they were isolated for so many years,
they're far behind what we see today as common best practices inside the IT world.
There might be ongoing attacks that we're just not aware of
because some of the companies and most of the companies
do not have today the proper monitoring and detection capabilities installed inside their environment. SCADAfence's
website is scadafence.com. Finally, here's another Silk Road guilty plea. DoctorClu, aka
Brian Farrell, told the feds before copping his plea. Mr. Farrell was Silk Road 2.0's sysadmin, which is more than krill, to be sure.
The big fish will receive up to eight years in a federal tank.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm joined once again by Markus Rauschecker.
He's from the University of Maryland Center for Health and Homeland Security.
They're one of our academic and research partners.
Marcus, from a legal perspective, what are the standards that courts look to for cases involving cybersecurity?
So it's really going to depend on the sector that we're talking about for a particular case. If we're talking, for example, about the financial sector, courts have the opportunity to look at some
legislation that's out there, like the Gramm-Leach-Bliley Act, or PCI standards when it comes
to payment card industry data security standards. So there'll be some established standards that
courts will look to and apply to a case that they're adjudicating. Similarly, if we're talking
about the healthcare industry, courts will look to HIPAA, the Health Insurance Portability Act,
or the new HITECH law. But the tricky part is really when we're talking about run-of-the-mill
negligence claims. A company will get sued for a data breach. Customers sue that company,
claiming that company was negligent and not protecting their data.
And then the question becomes, well, what is the standard of care that a court will look to to try to decide this case?
And that's really problematic because if we're not dealing with an industry where we have established a standard of care,
then the court will have to look somewhere else. One area where legal experts are thinking courts may go is to look to the NIST cybersecurity
framework as establishing a set standard of care by which companies and other organizations
should be acting when it comes to protecting their networks.
The NIST cybersecurity framework is a natural direction for the courts to look because of
the way that the NIST framework was established.
You had thousands of experts from the government, from the private sector, from academia,
come together and really agree to a common set of existing standards, guidelines, and best practices
in terms of what organizations should be doing to protect their networks.
So it's really a natural direction for courts to go to try to decide on a standard of
care by which a company that suffered a data breach should be judged. Markus Rauschecker,
thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.