CyberWire Daily - Daily: Yahoo!'s Verizon deal still on. Mac trojan hits aerospace. Facebook poked by German privacy laws.
Episode Date: September 27, 2016
In today's podcast we follow developments in the Yahoo! breach. Fancy Bear is back, and distributing a Mac Trojan to aerospace companies. Investigation of the Shadow Brokers' leak suggests inadvertent exposure, not hackers or moles. A new variant of Virlock ransomware is out in the wild. The US Justice Department warns of IoT threats. A Hamburg magistrate finds Facebook in violation of German privacy law. And we hear from Johns Hopkins' Joe Carrigan on how to be your parents' CISO, and from ClearedJobs' Kathleen Smith about the cyber labor market.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Yahoo's deal with Verizon is still on, but also still in doubt. Industry observers wonder just who that state-sponsored hacker might be. Fancy Bear's back and distributing a Mac Trojan to aerospace companies. Investigation of the Shadow Brokers' leak suggests inadvertent exposure, not hackers or moles. A new variant of Virlock ransomware is out in the wild. The U.S. Justice Department warns of IoT threats, and a Hamburg magistrate finds Facebook in violation of German privacy law.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 27, 2016.
Yahoo's deal to sell its core assets to Verizon is still on, but it's also still in question.
The agreement gave both parties an out should some cyber issue not discovered during due diligence come to light, and Verizon was, according to reports, unaware of Yahoo's massive
breach until last week.
Quartz offers the assessment that, quote, Yahoo wasn't lying when it told Verizon it
didn't know about the biggest hack in history, end quote.
Most accounts still link discovery of the breach to Yahoo's investigation of dark web claims by cyber criminal Peace that he or she had about 200 million Yahoo credentials for sale. However, some reports late yesterday suggest that Yahoo may have begun to have suspicions before Peace started the ballyhoo.
Yahoo has claimed that a state-sponsored actor was responsible for the breach, but skeptical industry observers are offering theoretical grounds for thinking this unlikely. Security company A10 Networks commented dismissively in a CSO story that states are interested in intellectual property, not emails and passwords from a Yahoo account. It is true that states, particularly China, have indeed been interested in intellectual property, but one must also note that they're also interested in personal information, as we saw in the OPM hack, and that Russian intelligence services seem to have taken an interest in White House and DNC email credentials, so A10's observation is interesting but hardly dispositive. It's fair to say that blaming a nation-state for a hack is hardly an admission against interest. Almost every company that sustains a successful cyber attack would prefer to be the victim of an intelligence service as opposed to an ordinary crook, even less a skid hobbyist or a random script kiddie. You look less negligent if your hacker was the PLA or the GRU.
It's also entirely possible, as security
company Flashpoint told CSO Magazine, that U.S. law enforcement agencies may have asked that Yahoo
refrain from saying too much about an ongoing investigation. Yahoo has the usual foreseeable
legal exposure due to the breach. Not only is the Verizon deal in doubt, but several class action
suits have been initiated. U.S. senators have also asked the Securities and Exchange Commission to investigate.
In other state-sponsored hacker news, Fancy Bear is poking at Western aerospace industry targets with a new Mac Trojan, Komplex. Palo Alto Networks' Unit 42 reports that the threat group otherwise known as the GRU is distributing Komplex via phishing emails. There's no OS X zero-day being exploited here. It's all user interaction. It's probably worth running through the other names associated with Fancy Bear, since we've heard them before and we'll hear them again: APT28, Pawn Storm, Sofacy, and Sednit. Different badges, but the same familiar people.
We hear over and over again that there's a serious shortage of qualified candidates for
cybersecurity jobs. Kathleen Smith is Chief Marketing Officer at ClearedJobs.net,
and she joined us in our Baltimore studio to discuss a recent study addressing this issue.
This is Hacking the Skills Shortage, which was commissioned by Intel, done in partnership with the Center for Strategic and International Studies, really looking at the global workforce challenge along with what governments are doing and what level of education programs are available in eight countries globally. So what's interesting is all respondents in all eight countries said that they felt that their education programs were deficient. And they really felt that it was the government's role to be able to make sure that the educational programs were coming up to speed as far as providing enough cybersecurity programs.
Take us through some of the key findings of the study.
71% said that the shortage has caused measurable damage to their business.
One in four said the insufficient staff strength that they had, meaning not only the number of
people, but the depth and the breadth of the skills that the people had,
had damaged their reputation and led to intellectual property loss.
The skills that were in the shortest supply were intrusion detection, secure software development, attack mitigation,
and these were more important than the lack of communication or leadership or team management that companies say that they were
looking for. While half of the companies prefer a bachelor's degree for entry into the cybersecurity
workforce, it was not an indicator of skills they found. Hands-on skills and professional
certifications were valued higher. 68% said that CTFs, capture the flag programs, are critical in developing skills
within their organizations. And finally, 9 out of 10 respondents said that technology at some point
will be able to take up the slack by providing automation. So I think a takeaway from that,
if you're a student working your way up through your bachelor's degree, what should you
be doing? You should be making sure that if there is any Capture the Flag program going on locally,
regionally, that you are part of it. There are also several of the Capture the Flag competitions
available online. When I've done a recent search, you can find one pretty much going on every single week.
Some of the other components that I really liked about this study was really looking at the employer dynamics.
While many studies will say we need to invest in more students, we need to invest in more education, a core aspect is this is the employer dynamics.
It is not just filling butts in seats.
It's really looking holistically at how you're going to recruit, cultivate, and retain your workforce.
So many of the employers said that they were just interested in filling the seats.
They were not interested in looking at further investment.
And it is a challenge because when you look at the candidates in the workforce who say, I need more to be able to stay at this company,
I need to be sponsored to participate in events, I need to be sure that those certifications that
you're requiring me to have that you're going to help pay for those. So it is really looking at shifting the dynamics of the employers,
not just on how they recruit, but how they retain their workforce.
That's Kathleen Smith from clearedjobs.net.
We'll hear more from her on tomorrow's Cyber Wire podcast,
including her views on what companies need to do to attract and retain the best of the best.
Many Cisco routers vulnerable to the zero-days exposed by the Shadow Brokers remain unpatched. The FBI's investigation into where the Shadow Brokers got the material they leaked is said to be moving away from the theories that Russian services accessed NSA networks, or that a Snowden-esque insider compromised NSA tools, and toward the NSA's own view: someone inadvertently left the material exposed on a server.
Ransomware continues to concern enterprises, especially in the healthcare and educational sectors. Netskope researchers warned this morning against a new strain of Virlock ransomware. Virlock itself is about two years old, but its newest variant is polymorphic. It both encrypts and infects, and it's particularly troublesome in a cloud environment where Virlock can spread through syncing and file sharing. The DDoS campaign that took KrebsOnSecurity offline last week continues to arouse fears around Internet of Things security. The very large denial-of-service attack was evidently accomplished using IoT botnets. The U.S. Justice Department is issuing new expressions of concern over IoT-based threats.
And finally, if you didn't much care for Facebook's use of WhatsApp user data,
you're not alone. In Germany, Hamburg's Commissioner for Data Protection and Freedom
of Information has found the social media giant in violation of privacy laws.
So the relationship status here should be set, at best, to complicated.
And I'm joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, I spent
some time over the previous weekend helping my father with his computer,
just updating the OS. And, you know, it struck me that when it
comes to older folks, which my father is, you know, they're particularly vulnerable when it
comes to people trying to come after them to steal their stuff in the cyber world.
Right. Yeah, they are more vulnerable because they didn't grow up in the kind of environment
that they exist in now. And I don't know what study I could point to, but I have this general feeling that as
we get older, we get a little less adaptive to change and to the way things are becoming
different around us.
And if you think of this generation that's now retiring, they have seen a significant
amount of change in their lifetimes.
They've gone from having no computers in the world or in their life rather to having computers all around them.
And that is a hugely significant change that's happened.
Yeah, and one of the things I ran into was that he was a couple of versions of the operating system behind.
And you don't like to see that because you want him to be up to date because that's a best security practice.
Well, exactly.
And that's kind of my point is that while I want to have him on the latest version for all of the security reasons, it's hard to bring him up to date because things change in the operating system.
And that's a discomfort point for him.
Yeah, the user interface changes.
And he's gotten accustomed to using the old interface
and now he gets a new system and there's a completely new interface. Right. Well, but I
think for those of you and me, and I'm sure most of the people who are probably listening to this
show, we end up being the default tech support for our older parents and our loved ones. And
from the security point of view, I basically have my father trained to whenever something unusual happens on his computer,
I get a phone call or an email. Yeah, I get the same thing.
And I think that's a good thing. I would agree. I think that's very important. You know,
you certainly don't want them picking up the phone and calling some scammer and saying,
well, what do I do now? Right. And the answer is always, well, you give me your credit card number.
Right.
Don't.
Yeah.
And I do, you know, it's funny.
Sometimes I have to check myself because it can be frustrating, you know, to be interrupted
whatever you're doing to take care of their basic needs.
Yeah.
You know, I find that that's not something that happens just between me and, say, my
older parents, but even between me and my wife or between me and my kids or other kids,
I get this feeling like, why don't you understand this? And the answer to that is that they don't
understand it like you don't understand it because they're not steeped in it every day, right?
Yeah. Well, you know, I remind myself that our day will come and someday our children will be
looking to us, looking at us, you know, shaking their head ruefully at our inability to understand the latest technology the same way that we are with our parents.
How do you work the Snapchat?
That's right. That's right. All right, Joe. Good talking to you.
Good talking to you, too.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.