CyberWire Daily - Daily: Yahoo! warns Verizon deal may be at risk. More OPM-themed ransomware phishing. Cyber policy advice for, and speculation about, the next US Administration.
Episode Date: November 10, 2016

In today's podcast, we look back at election hacking concerns in the US (most of which didn't happen) and we hear from some people who offer advice for the next administration's first 100 days. Fancy Bear is phishing with Adobe and Microsoft zero-days. Investigation of the Tesco fraud continues. It looks as if the Bangladesh Bank might recover some of its losses in the SWIFT heist. There's an OPM-themed phishing campaign afoot. Server database issues point up the importance of digital hygiene. More Yahoo troubles. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security explains new FCC privacy rules. Chuck Ames, Director of Cybersecurity for Maryland, describes new regulations for companies looking to do business with the government. Advice for the next US President. And, Marines, happy birthday and semper fi.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K at checkout.
Elections in the U.S. are over without much hacking,
but don't worry, there'll be more cyber finagling from Moscow
as France and Germany go to the polls next year. Fancy Bear is phishing with Adobe and Microsoft zero-days. Investigation of the Tesco fraud continues. It looks as if the Bangladesh Bank might recover some of its losses in the SWIFT heist. There's an OPM-themed phishing campaign afoot. Server database issues point up the importance of digital hygiene. More Yahoo troubles, advice for the next U.S. president, and Marines, happy birthday and Semper Fi.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, November 10, 2016.
The U.S. elections passed without apparent cyber perturbation from Russia or others.
There's a general consensus that the Russian services have been pretty active in cyberspace
around election times, with operations ranging from the relatively light-handed influence
operations deployed against American targets through the near coup d'état reported in the
Balkans. If you find yourself nostalgic for worrying about election hacks, no worries.
France has elections coming up, as does Germany,
where Chancellor Merkel has just warned people
to expect disruptive cyber campaigns during 2017 voting.
Elections and the campaigns that precede them present a big attack surface.
To communicate some sense of the sheer amount of online activity
that swirls around the vote,
we'd like to share some stats AT&T sent us.
In just the election night parties the other day in Manhattan,
the Democrats and Republicans consumed 1.3 terabytes of mobile data,
and Hillary's beat the Donald's by nearly 300 gigabytes.
AT&T helpfully quantified this in selfie units, a measurement standard we like a lot,
and intend to start using along with hacker weight. Remember, one hacker weight equals 400 pounds.
Hillary's bash used 2.3 million selfies. The Donald's accounted for just 1.5 million selfies.
Make of this what you will, data scientists. We're just here to give you something for your
analytics to chew on. We're pretty sure Fancy and Cozy Bear are gnawing away on this themselves.
Whatever else the Russian services may be up to, Fancy Bear is busily scooping up gullible fish.
Trend Micro warns that this threat actor is showing unusual activity mid-week,
as it seeks to take advantage of the recently patched Microsoft zero-days before users can get around to applying the fixes. So, as usual, the prudent course of action is to patch as soon as possible, and until then, to be on guard against the exploits being dangled as phishbait.
It can be difficult to keep up with the names of the threat actors. We're partial to CrowdStrike's Fancy Bear because we're ursophiles, and also because it's easy to remember, but you'll also hear people call Fancy Pawn Storm, APT28, Sofacy, and Strontium. Whatever the branding, it's the same fine GRU product. Accept no substitutes.
Over in the UK, Tesco continues to mop up the fraud campaign that hit the bank's customers over the past week.
No clear word yet on how the fraud was accomplished, but speculation about an inside job continues.
There's an apparent win in court for another bank that was the victim of a major heist.
Officers from the Bangladesh Bank are in the Philippines, where courts have ruled that they can recover some of the millions lifted in the SWIFT transfer caper. They expect to be able to get some $15 million back from the casino operator to whom the funds were transferred in this complicated international scam.
The OPM breach continues to be the gift that keeps on giving.
OPM-themed and spoofed emails to U.S. government workers and contractors
are serving up Locky ransomware.
Don't open suspicious attachments.
OPM isn't actually sending documents saying something about your bank accounts.
Late last week, Legal Hackers reported finding shared server vulnerabilities in MySQL, MariaDB, and Percona Server and XtraDB Cluster. These popular database servers are used by Google, eBay, Cisco, Amazon, Netflix, Facebook, and Twitter.
We heard from Lastline's CMO, Bert Rankin, who thought this discovery was a timely reminder of the importance of paying attention to the basics. Next-generation detection and state-of-the-art mitigation are all very well and good, and we mean that they are very well and good. But as Rankin stressed to us, quote, "It's essential that organizations commit to the basics, including a programmatic regular patch program for servers, applications, and other infrastructure in the data center. Vulnerabilities such as this bug are potential dangers only to those organizations that aren't on top of their database updates, but it's amazing how many aren't." End quote.
So please be interested in the bugs you can swat. You can be sure Fancy Bear is.
Chuck Ames is director of cybersecurity for the state of Maryland.
We checked in with him to learn about the role the states play in cybersecurity
and about an upcoming event he's moderating,
sponsored by the Chesapeake Regional Tech Council,
on insider threats and how the federal government expects the companies they do business with to protect themselves.

Where the federal government seems paralyzed as far as getting out appropriate legislation to improve the electronic situation, the states seem pretty well poised to take matters into their own hands. And just one example of that is breach notification laws are well-versed throughout the states. So the states have done a good job of, by and large, bringing that kind of law or compliance to their states before the federal government.

There's an event coming up sponsored by the Chesapeake Regional Tech Council that you want to promote. This is a cyber forum on insider threats. So what can you tell us about the event?

So meeting the insider threat is important to every community. And I'm just going to give you a little bit of background here. If you are a CISO of a state like I am, so if you're the chief information security officer of the state, as I look through the survey of myself and my peers, 47% of us say we are not ready to handle threats originating internally. 57% of us say we aren't able to handle threats originating externally. So there's a great deal of work to be done on the insider threat piece. The federal government in response to that said businesses that support federal work, they need to have an insider threat management program or a personnel management program that will help them identify folks that might be at risk that are on their network before they become an actual thief or an actual criminal of some other intent or someone who works against the company's interest. Now, this mandate that's come down, it's a soft mandate. So it's a NIST regulation that's come down in an industrial control letter. But in the federal procurement space, companies, regardless of size, need to have that kind of personnel management system where they normally don't have that.

Who are the people you're targeting who should attend this event?

I think the CEOs, CTOs in small to medium companies should pay attention to this industrial control letter. It's going to be a burden to them to develop the HR system themselves, or they're going to have to react somehow. And it'll be advantageous for them to then join as a sub to a larger company. And that larger company would have the HR resources to handle a program like this. If they want business in the federal government, they need to do something. And it's best to get in front of that and start figuring out how they're going to meet this requirement.
That's Chuck Ames, Maryland's Director of Cybersecurity.
You can find out more about the Insider Threat event at the Chesapeake Regional Tech Council website in their events section.
In industry news, Yahoo makes a troubling admission to regulators and shareholders and to Verizon as well.
Yahoo has now discovered and disclosed that some of its personnel may have known as long ago as 2014
that foreign state-sponsored hackers had compromised the company's networks.
Yahoo tells investors that its deal with Verizon may be in jeopardy.
In happier industry news, security startup RiskIQ receives $30.5 million in a Series C funding round led by Georgian Partners.
Different approaches to remedying shortages of cyber labor are being mooted around the world,
from marketing the field to students as early as grade school, to educational initiatives,
including competitions and scholarships,
to moving toward a gig economy and vulnerability testing and research.
The EU's General Data Protection Regulation, GDPR, which goes into full effect in 2018,
will require some 75,000 data protection officers, and not just in the EU.
The US will need about 9,000.
We will leave it as an exercise for you techno-libertarians,
and we know you're out there,
to calculate what this might amount to as deadweight regulatory drag,
and we'll merely observe that the GDPR will place a further global squeeze
on the already tight security labor market.
There's no shortage of cyber policy advice, news, and speculation swirling around President-elect Trump. Nuix's Chris Pogue and Keith Lowry suggest four initiatives. First, work toward federal data
breach notification requirements. There are, Pogue observes, 47 distinct state-level breach
disclosure notification laws. He thinks a federal standard would go a long way toward simplifying
the process for organizations that happen to be compromised. Next, take your own medicine.
Pogue also thinks that the feds,
who face the same kinds of threats the country does at large,
should rigorously test systems, address vulnerabilities,
and deploy security teams that train the way they'll fight.
And recognize that the threat's not only an external one.
For his part, Lowry would like to see the next administration
work up a thorough program of defense in depth
that accounts for all potential bad actors, insiders, outsiders,
and we'd add, outsiders who've established themselves inside.
And last, get experience at the top.
The outgoing administration's Cybersecurity National Action Plan
and appointment of the first federal CISO were positive steps,
but Lowry thinks they're not enough.
He'd like to see the new administration go even further,
maybe even creating a cabinet position dedicated to all areas of cybersecurity.
And finally, today is a birthday worth marking.
Whose birthday, you might ask? Well, we'll tell you.
On this day in 1775, the United States Marine Corps was formed in Tun Tavern, a Philadelphia watering hole.
America's Corps of Marines has been ready to cross water uninvited ever since.
We'll make one more historical observation.
Major General Benedict Arnold, shortly after you were organized, called you the refuse of every regiment.
What did he know?
Sometimes your best recommendation is the enemies
you make. So Semper Fi Marines, and thanks for your service.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

Joining me once again is Markus Rauschecker.
He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security.
Marcus, welcome back.
I saw a story here that the FCC has just passed some sweeping new rules to protect online privacy.
Take us through what the FCC has done here.
Yeah, this was a pretty big decision by the FCC.
It does a lot to protect consumer privacy.
I think we all know or should know at this point that whenever we're online,
the websites that we visit or the Internet service providers that we're using
are collecting a lot of information about us,
about how we're using the Internet and how we're browsing the websites, where we're located.
So there's a lot of information being collected about us.
And companies are actually using this information to make a lot of money off of this information.
They end up selling this kind of information to other companies.
And it's a pretty big business for these companies.
And so what kind of restrictions has the FCC placed upon them?
Internet companies are going to be required to get consumer consent before they start selling that kind of personal information about usage and online behavior. Basically, the FCC is requiring those companies to get explicit approval from users on them being able to sell their information before they go ahead and do that. Before this ruling from the FCC, that was not the case. Companies were able to sell information about their users whenever they wanted to. And now with this new ruling from the FCC, consumers will be able to now explicitly authorize or not authorize the selling of their personal information, according to this new FCC ruling.

Now, this was a 3-2 party line vote by the FCC's five commissioners. Is this a done deal or could there be legal challenges to it?

Well, I think you'll see a lot of resistance to this ruling on the part of these big companies
who have been selling information to make a lot of money.
I think since it is such a big business and such a big revenue opportunity for large companies,
they're going to be very opposed to it and they're going to be looking for all kinds of ways to reverse this decision.
All right. We'll keep an eye on it.
Markus Rauschecker, thanks for joining us.

And now a message from Black Cloak. Did you know the easiest
way for cyber criminals to bypass your company's defenses is by targeting your executives and their
families at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.