CyberWire Daily - Dealing with Hafnium’s work against Microsoft Exchange Server and Holiday Bear’s visit to the SolarWinds supply chain. A plea for OSINT, and some wins for the cyber cops.
Episode Date: March 9, 2021
CISA urges everyone to take the Microsoft Exchange Server vulnerabilities seriously. The SolarWinds compromise is also going to prove difficult to mop up. The US is said to be preparing a response to Holiday Bear's SolarWinds compromise (some of that response will be visible, but some will not). A plea for more OSINT. Ben Yelin from UMD CHHS ponders face scanning algorithms in the job application process. Our guest is Sam Crowther from Kasada, asking why we are still talking about bots. And dragnets haul in some cybercrooks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/45
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA urges everyone to take the Microsoft Exchange server vulnerabilities seriously.
The SolarWinds compromise is also going to prove difficult to mop up.
The U.S. is said to be preparing a response to Holiday Bear's SolarWinds compromise.
Some of that response will be visible, but some will not.
A plea for more OSINT.
Ben Yelin ponders face scanning algorithms in the job application process.
Our guest is Sam Crowther from Kasada, asking why we're still talking about bots.
And dragnets haul in some cyber crooks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 9th, 2021.
The U.S. Cybersecurity and Infrastructure Security Agency is urging all organizations across all sectors
to address Microsoft Exchange Server vulnerabilities.
CISA has provided a set of guidelines designed to walk IT security staffs and organizations' leaders
through the process of fixing the vulnerabilities.
Exploitation is ongoing, attackers may have established themselves in their victim systems,
and there's more to an effective response than simply patching.
As the U.S. National Security Council tweeted late Friday,
quote,
that any organization with a vulnerable server take immediate measures to determine if they were already targeted.
Organizations affected by both the Hafnium attack against Microsoft Exchange Server and the Holiday Bear campaign that centered on a SolarWinds Orion supply chain compromise
are finding their security teams feeling overtaxed, FCW writes.
That doesn't in itself make either incident a resource attack,
but resources are being affected nonetheless.
Recovery will be a long slog.
From the point of view of Hafnium and Holiday Bear, that's probably just gravy,
but the gravy probably tastes pretty good to the threat actors about now.
Cybersecurity firm DomainTools this morning published an overview of how they see the SolarWinds incident as affecting security practices.
Among several conclusions, one stands out.
There will probably be a new interest in threat hunting. As they put it in their report, quote, organizations have slowly yet steadily reallocated resources and budget over the last five or six years to build proactive threat hunting
teams to combat advanced persistent threats and enhance their incident response speed and accuracy.
Threat hunting as a formalized practice within an existing cybersecurity team has been steadily making inroads toward becoming
mainstream, and SolarWinds might be the event that puts it over the edge in industry validation.
Of the 20% of security organizations that will receive increases to their budget as a direct
result of SolarWinds, threat hunting tooling is where the most additional resources will go to support.
End quote.
The U.S. government continues to suggest that it's mulling a range of responses to Holiday Bear's romp through SolarWinds,
and the New York Times quietly redacted its perhaps excessively muscular headline
from CyberStrike to Retaliation, as well as muting some of its text.
But Computing cites various sources
who speculate that the U.S. response will be both seen and unseen, with the mostly unseen coming
first, visible enough to Mr. Putin and his intelligence services, but not to most of the
rest of us. The sources said the first major move is expected over the next three weeks,
adding that these would involve a series of clandestine actions across Russian networks
that are intended to be evident to President Vladimir Putin and his intelligence services
and military, but not to the wider world, end quote. That, of course, and more economic sanctions,
which would be visible to everyone,
but at this stage in bilateral relations between Washington and Moscow,
economic sanctions against Russia are already so extensive
as to be deeply affected by the law of diminishing returns.
General Paul Nakasone, Director NSA and Commanding General of U.S. Cyber Command, last Thursday ... Defend Forward has been characterized as referring to activities that include executing operations outside U.S. military networks.
Any such action undertaken by U.S. Cyber Command or NSA would, if significant enough, be referred to the White House for approval, review, and modification by the National Security Council.
An essay in Foreign Affairs argues that intelligence
agencies face a bare market for secrets and that they should adapt to work in the growing and
increasingly transparent world of OSINT. Among other things, doing so would necessarily involve overcoming
the widespread human tendency to confuse cost with value. The essayists rightly point out that
a call for more attention to open-source intelligence isn't new, going back at least
as far as Admiral Stansfield Turner, who was President Carter's Director of Central Intelligence in the late 70s.
They see the intelligence community as oriented toward exclusive,
compartmented sources and methods,
and they argue that this not only tends toward narrow, siloed analysis,
which in fairness is part of protecting not only restricted intelligence,
but also the sources and methods used to build it,
but that it also
overlooks the considerable growth of commercial intelligence companies. These offer access to
collection and analysis that incorporates everything from cyberspace to high-resolution
overhead imagery. The authors suggest, as part proposal, part thought experiment,
establishing a platform managed by the Office of the Director of National Intelligence
through which intelligence professionals could easily and quickly access OSINT
from such non-traditional sources.
This wouldn't replace the intelligence community's traditional closed architecture,
but it would, at the very least, afford a useful source of alternative viewpoints and analysis.
And finally, some news of collars in the world of cybercrime.
Police in the Spanish province of Catalonia have arrested four men on charges of allegedly operating the FluBot malware,
an Android trojan that's been used mostly for stealing banking credentials.
The Record by Recorded Future reports that some FluBot activity has persisted, but that it's not clear whether some other members of the gang remain at large and active or whether some of the FluBot servers are just running on inertia.
The Czech Republic has extradited two alleged Ukrainian goons to the Northern District of Texas, where they face U.S. federal charges of providing money laundering services to cyber gangs.
And the South Korean National Police have nabbed an alleged GandCrab affiliate on charges of distributing the ransomware to South Korean targets.
The Record says the police tracked the young gentleman through his cryptocurrency transactions.
So, from Prague to Barcelona to Dallas to Seoul, well done, law enforcement.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
If, like me, you are of a certain age, you may remember lining up outside your favorite store
to be the first on your block to get the newest hot Atari video game or perhaps a Star Wars action figure.
These days, most of that queuing takes place online,
and instead of worrying about the kid down the street beating you to it,
hot items like PS5s or the latest sneakers find
themselves snatched up by bots to be later auctioned off to the highest bidder. Sam Crowther
is founder at security firm Kasada, where they have their sights set on beating the bots.
As a society, right, as we're doing more things in a world where it's harder and harder for us to have a level of assurance that the
other people that we're interacting with from a social media perspective or the people who
are interacting with us from an organizational perspective online are actually who they say
they are. And yet the problem is only getting worse just because we're enabling everyone to do more things online, right?
We're enabling people to book vaccines online.
We're enabling people now to perform transactions online thanks to COVID that were maybe previously only ever done in the real world.
And so it's creating more and more avenues for abuse at the end of the day.
Can you give us a rundown of the spectrum of types of bots
that are out there, the places where they're causing trouble?
I think we could probably break them down into
two main categories. There's bots who are there
to influence, and that's very popular amongst
disinformation campaigns that are
to look like real humans to spread ideas. And there's ones that are used, you know, on a bit
more of a personal level for, you know, real monetary gain. So that could be everything from
your more traditional fraud, right, where you're washing credit cards that have been stolen through
a payment gateway, you're stealing credentials to break into people's accounts,
or it could even be that the personal gain of getting someone in line for a vaccine ahead of everyone else.
So what can folks do here?
I mean, if I'm an online retailer, how do I ensure that my customers are going to be getting the best experience
by trying to keep bots out of my system?
Yeah, so I think the first step in dealing with this sort of issue is trying to isolate and understand the problem.
Because it is going to be somewhat unique to every business based on what you're doing online.
So looking at the data that you have access to about who these items are being sold to,
information about how they're interacting with the website, whilst it is a retroactive exercise,
can give you a good insight into how bad the problem may or may not be, right? You could also
take customer feedback, you know, from, you know, if everyone's complaining that they can't get
their hands on them, you know, maybe there's something to look into. And from there it's really, I think, got to be solved initially with technology. The reality is it's very difficult to see this type of behavior, and so you need to work with, you know, someone at least who has expertise in this area and can help you isolate that traffic and then subsequently deal with it and prevent it from stealing what the humans are entitled to.
That's Sam Crowther from Kasada.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Ben, great to have you back.
Good to be with you again, Dave.
There is a fascinating story from the Washington Post. This is written by Drew Harwell,
and it's titled, A Face Scanning Algorithm Increasingly Decides Whether You Deserve
the Job. This is an older story here, but I think it speaks to some issues you and I have certainly been discussing
on the Caveat podcast here. What's going on? So yeah, this is November 2019, which seems like
eons ago, but as you say, it's still very relevant. So there is a company called HireVue,
which uses artificial intelligence to give an employability score to various applicants.
It's hard to know exactly what goes into the secret sauce here, but some of it has to do with facial movements, word choice, speaking voice,
the types of things that to me seem to be rather insignificant in terms of judging potential employees, if you're an employer.
But this has been persuasive to some of the country's largest employers. They mentioned
Hilton as one of them here. They've used this company called HireVue to help analyze applicants.
So a lot of privacy advocates are not surprisingly up in arms saying it's a very disturbing development that we have technology that claims to be able to distinguish between a productive worker and a non-productive worker based on tone of voice, mannerisms, facial expressions, etc.
And that it could end up hurting large classes of potential applicants, including non-native speakers.
You know, from a human perspective, I just don't, I can understand the use of artificial intelligence in any context that you can think of, even if I don't agree with it.
This just seems like it's completely unnecessary. I mean, even large companies would benefit from having face-to-face interactions with their employees
and judging them by their experience, their characteristics, how they come across in an interview.
This just seems like a very bizarre thing to siphon off to artificial intelligence.
Well, the case that they make here is that if you have a hot job and a thousand people apply for that job, only one person is going to get the job.
And they just don't have the resources to meet with 999 people.
This gives them a way to allow people to submit a video of themselves and let the AI have at it and decide whether.
And I'm laughing here because, again, it just seems absurd.
And yet companies are finding this useful.
Here's the problem I have with it.
And this is what brought this to my attention was somebody referenced this article in a tweet about
the differences between people from different cultures, right? So, you know, let's say you grew
up in one culture, I grew up in another culture, you know, some, I'll just be hypothetical here,
you know, an Italian American family versus an Irish American family, right? And if I go have
dinner with your family, it might be a very different environment than what I'm used to.
The way people are communicating, you know, using their hands, talking over each other, or,
you know, different people communicate in different ways. And artificial intelligence,
what might be a run-of-the-mill conversation with one social
group may be perceived as being aggressive or argumentative, right? And how do you handle that
subtlety? I'm not convinced the AI can do that. No, I mean, it's one of those things where as
humans, we have biases, of course,
and those factor into our hiring decisions. And you see it all the time. Attractive people who
are well-spoken, you know, disproportionately get hired over unattractive people who are not
well-spoken, even, you know, if all other aspects of their applications are the same.
Right. And, you know, there are certainly racial elements to it.
When you send people identical resumes,
you know, with one name sounding like a white person
and one name sounding like an African-American person,
you get very disparate responses.
But my question is why we would want to bring those things,
which to me are negative, into,
like, why would we want to transfer that
over to an artificial system? I think the solution would be rooting that out in the non-artificial
system, becoming more aware of our biases, not sort of transferring them to a non-human entity
like artificial intelligence. And that's what's so baffling to me, is I'm just not sure what problem this is trying to solve. There are other ways that, you know, you can cull down resumes, even for
jobs where there are, you know, where there is a lot of interest. You know, having certain
thresholds in terms of experience, you know, even things like grade point averages, universities,
those are a lot more objective and less subjective
than the types of things that are being analyzed by this system.
Well, maybe we're just missing the boat here.
Clearly they've got customers and folks who believe in it,
so maybe we're cynical and jaded here.
But I don't know.
I think it's definitely worth keeping our eye on this.
It just makes me a little bit unsettled,
and it sounds like you and I are in the same boat.
I think so, yes.
Yeah, yeah.
All right, well, Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. ... AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.