CyberWire Daily - Daily: US to indict Iranians for Rye hack? ISIS loses HR records. Apple vs. FBI gets nastier.
Episode Date: March 11, 2016
The US is said to be ready to indict Iranian operators for 2013's hack of a Rye, NY dam. ISIS has an insider threat problem—disgruntled employees. Adobe and Oracle patch Flash and Java. The FCC and FTC stay busy with cyber regulation. The court fight between Apple and the US Department of Justice gets uglier. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security shares his views on the role of the FTC in cyber enforcement, and Tim Matthews from Imperva gives us some warning about the IoT.
Transcript
The U.S. seems ready to attribute 2013's hack of a dam in Rye, New York, to Iran,
with indictments expected next week.
ISIS has an insider threat problem, disgruntled employees.
stays public and gets uglier.
I'm Dave Bittner in Baltimore with your CyberWire summary for
Friday, March 11, 2016. According to officials familiar with the investigation, the U.S. will
publicly attribute the 2013 hack of a small flood control
dam in Rye, New York, to Iran. The Justice Department is expected to indict Iranian
operators next week following its earlier practice of seeing value in charging even the unreachable,
as the department did with Chinese officers involved in theft of trade secrets from U.S.
companies in Pennsylvania. Iran has long been the leading suspect in the incident,
which has played a loud second fiddle to the big Ukrainian grid hack.
The prospect of indictments, together with legislation pending in the Senate designed
to protect the power grid, makes it worth reviewing recent expert commentary on ICS security.
One set of observations, these from former U.S. Secretary of the Navy Richard Danzig,
points out that there's still considerable security value in the legacy,
air-gapped by default, world of mechanical switches.
If your main system is digital, you're stronger if your safeguard is analog, he says.
ICS security maven Joe Weiss also notes the risk of losing sight of defense in depth.
Digital, Weiss notes, even when it claims to have multiple layers,
is in a sense one layer.
Turning to information operations and the war on terror, ISIS no doubt
remains a force in social media, with estimates of the number of sympathetic accounts ranging as
high as 90,000. But even the caliphate has issues with insider threats. A disgruntled jihadist,
disillusioned by what he saw as an excessive Ba'athist presence in ISIS,
stole one of his boss's USB drives with data on some 22,000 ISIS fighters,
then defected.
The information on the thumb drive is said to resemble
what any HR department might collect,
name, residence, skills, interests, and so on.
Western intelligence services are thought to be making
appropriate use of the material.
Adobe issues an emergency patch for Flash.
Users and admins are urged to apply it quickly.
The vulnerability the patch closes is being exploited in the wild.
In industry news, analysts have good things to say about Symantec,
Cisco, Check Point, Palo Alto, and Fortinet.
Speculation about the extent of IBM's layoffs continues,
with financial analysts at Bernstein telling InformationWeek
it expects Big Blue to shed about 14,000 jobs.
Regulatory agencies are also pushing further into the sector.
The U.S. Federal Communications Commission says it intends to require
Internet service providers to get customers' permission
before sharing the sort of personal data used in targeted advertising.
The FCC also intends to require more breach reporting from broadband providers.
We heard yesterday that the Federal Trade Commission was on what CSO Magazine called
an enforcement roll as the FTC moved to require nine companies who audit payment processing,
specifically PricewaterhouseCoopers, Mandiant,
Foresite MSP, Freed Maxick CPAs, GuidePoint Security, NDB, SecurityMetrics, Sword and Shield
Enterprise Security, and Verizon Enterprise Solutions, to respond to detailed questions
about their auditing standards and practices.
The IoT, or Internet of Things, continues to provide an ever-growing
attack surface for cybercriminals. Tim Matthews represents Imperva's Incapsula service, which they
say provides cloud-based protection for websites while giving them a speed boost. He visited us at
RSA and shared this warning about the IoT.
A lot of people misunderstand website attacks,
thinking they've got to be very big machines with
a lot of bandwidth. But what we're seeing with the IoT is that there are so many of these devices
out there that are so easily compromised because they typically have default passwords. They're
not patched often, if at all. And so the criminals know this since we've seen instances of closed
circuit TV networks being taken over. We've seen home routers. We've seen other types of IoT
devices. And so it's really important to have your website protected because what the criminals are
doing is scanning websites for vulnerabilities and then enlisting these armies of bots, these
armies of devices that are compromised to attack you. I should point out that one of the nice
things about working in the cloud with so many customers, we have over 100,000 websites on our
service, is we think of it like crowdsourced security.
If somebody else gets attacked by something new, we fix it,
and then you don't have to worry about that because you're taking advantage of the crowd.
You can learn more about Imperva's Incapsula service at imperva.com.
Some regulation and legislation are producing more uncertainty than clarity.
CIOs generally aren't sure what the
coming European-U.S. Privacy Shield Agreement will mean for them, and several laws pending in the U.S.
Senate, chief among them one that would fine companies who failed to decrypt their products
for law enforcement, raise eyebrows among industry and policy observers. Apple and the FBI have moved
into what observers are calling the open hostilities phase of their dispute
over whether Apple should help unlock the San Bernardino jihadist's county-issued iPhone.
Apple says the FBI is in effect on the side of the hackers.
The Department of Justice suggests that Apple has been a lot cozier and more forthcoming
with the People's Republic of China than it seems willing to be with the United States of America,
and that the company's public rhetoric has been false and corrosive.
And Justice goes on to suggest that maybe simply requiring Apple to hand over its signing keys
would be easier for everybody.
Apple says, with some heat, that the requests from Justice sound more like indictments
than invitations to cooperate in an investigation.
And there is, of course, no shortage of people pointing out that sound mobile device management on the part of San Bernardino County would have helped avoid the whole issue.
Returning for a moment to the travails of ISIS human resources, CSO's Salted Hash has composed a breach disclosure letter the Caliphate's HR might consider using.
Buried in that letter is the offer of identity protection services. Quote, "We have partnered with a reputable firm in North Carolina
to handle all applications for this valuable assistance.
You may contact them directly.
Simply provide your name, location, and inform them
that you were one of our members exposed during this incident.
They'll take it from there."
We're pretty sure that it's got to be a Fayetteville address.
See you on Hay Street, Delta.
Once again, I'm joined by Markus Rauschecker.
He's from the University of Maryland Center for Health and Homeland Security.
They're one of our academic and research partners.
Markus, the role of the FTC, the Federal Trade Commission,
what is their role in regulating cyber?
So the Federal Trade Commission has really been asserting itself
when it comes to protecting consumers in cybersecurity matters.
The Federal Trade Commission Act prohibits unfair and deceptive trade practices,
and this is the language from which the FTC draws its authority.
The FTC can go after businesses that conduct unfair and deceptive trade practices.
The FTC has interpreted the unfair and deceptive trade practices language from the FTC Act
as giving it the authority to go after businesses
that aren't doing enough to adequately safeguard consumer information. And there's always been a
question about whether or not the FTC really has the authority to regulate businesses that aren't
protecting consumer information. The important thing to note here is that the Third Circuit Court of Appeals ruled that indeed the FTC does have the
authority to regulate based on the FTC Act and based on unfair and deceptive trade practices.
So if a business doesn't do enough to secure consumer or customer information, according to
Third Circuit, the FTC does have the authority to go and regulate that business.
So what do we see on the horizon?
How can we expect to see the FTC exerting their authority?
Well, given the ruling by the Third Circuit,
I think we'll see that the FTC will assert itself more and more.
And I think a lot of people are looking to the FTC
to actually fill that role of regulating
when it comes to insufficient security practices.
The FTC will also be a resource to consumers.
An example of the FTC becoming more of a resource for consumers would be the creation of a website,
identitytheft.gov, that the FTC has set up where consumers can go if they've been victims
of identity theft.
The website will guide them through the response to any kind of identity theft that they might have experienced.
Markus Rauschecker, thanks for joining us.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.