CyberWire Daily - Department stores suffer a paycard breach. Atlanta still working on SamSam recovery. Ransomware in India. SWIFT fraud attempt. Facebook's troubles. Kremlin doxed. Reality Winner case update.
Episode Date: April 2, 2018
In today's podcast we hear about Saks and hacks, Lord & Taylor and JokerStash: a department store data breach. Atlanta still can't get fully back on its feet after SamSam. An Indian power utility's billing data are held for ransom. More SWIFT fraud reported; this round seems to have been unsuccessful. Russia gets doxed. Facebook on who really cares for you. Threats to avionics and undersea cables. And Reality Winner's defense team wants to subpoena a lot of witnesses. Malek Ben Salem from Accenture Labs, looking at a long-term approach to implementation of cryptography.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Saks and hacks, Lord & Taylor, and JokerStash: a department store data breach. Atlanta still can't get fully back on its feet after SamSam. An Indian power utility's billing data is held for ransom. More SWIFT fraud reported; this round seems to have been unsuccessful. Russia gets doxed. Facebook on who really cares for you. Threats to avionics and undersea cables. And Reality Winner's defense team wants to subpoena a lot of witnesses.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 2, 2018.
A significant retail breach came to light over the weekend. Last Thursday, the JokerStash hacking syndicate, also known as FIN7, began offering more than 5 million payment cards for sale in dark web markets. The cards appear to have been compromised in a breach of retailers Saks and Lord & Taylor, both department store chains owned by the Toronto-based Hudson's Bay Company. The breach was disclosed yesterday, April 1, 2018, in a blog post by Gemini Advisory that was subsequently confirmed by the Hudson's Bay Company. Gemini Advisory believes the compromise dates back to May 2017 and has continued into the present. Most of the card data is thought to have been stolen from customers in New York and New Jersey. 125,000 records have been released for sale so far. The rest are expected to appear on the black market within the next few months. Hudson's Bay tersely says it's addressed problems in its network security, continues to investigate, and plans to offer affected customers the usual sorts of post-breach assistance, including free identity protection services such as credit and web monitoring.
The SamSam ransomware attack against Atlanta's municipal systems is proving distinctly difficult to remediate. Updates posted to the city's ransomware cyberattack information hub suggest that the online payment systems Atlanta runs remain the most affected. Airport Wi-Fi was disabled, the city says, out of an abundance of caution. They don't think personal information has been compromised, and so while they hope this will provide citizens and employees with some measure of reassurance, they caution that they're proceeding on the cautious assumption that such data may have been affected. The city is largely mum on how the attack happened and on when they expect recovery to be complete. Investigation and remediation continue with an array of partners at the federal and state level and from the private sector. Outside observers suggest that the city is running a number of disparate legacy systems and that policing all of these is an unusually messy process.
Gizmodo quotes several who noticed that the attack came a couple of months after a January audit and report of Atlanta's cybersecurity pointed out a number of vulnerabilities that the city was in the process of addressing. CBS describes the report as saying inspectors found that, quote, the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action, end quote. Wired quotes Parameter Security's founder Dave Chronister as saying, quote, not to be harsh, but looking at this, their security strategy must be pretty bad, end quote. So the city of Atlanta is still struggling to recover, and other cities of comparable size are rightly spooked by the prospect that they might be next. A number of them are reassuring their citizens and business communities that they're well protected and well drilled, but the Atlanta hack is a cautionary tale, and cities would be well-advised not to get cocky.
The issues aren't confined to the United States either. City and regional governments in many countries appear to have become attractive targets for criminal hackers. The automatic meter reading system of Haryana Power Utilities in Panchkula, India, was raided last week, the hackers demanding ransom for data. The data held hostage is billing information, which of course poses a threat to the utility's cash flow. Police are investigating and looking for the perpetrators. Officials say that the billing data was backed up and that they've been recovering from those backups.
Malaysia's central bank, Bank Negara Malaysia, identified a series of fraudulent wire transfer attempts last week.
Bank officials say that they stopped execution of the transfers before any money was lost
and that the attempted fraud came through falsified SWIFT transfer requests.
Banks in Southeast Asia are on alert.
The Russian government is more accustomed to pwning than being pwned, but the Ukrainian Cyber Alliance, a hacktivist group strongly opposed to Russia's slow-motion re-engorgement of their country, has released a third tranche of emails which observers, provisionally at least, judge to be authentic. The emails detail Russian information operations aimed at destabilizing and delegitimizing Ukraine's government. Two points are particularly interesting. First, the emails name the Professor Moriarty of Russian information operations, one Vladislav Surkov, whom the Times of London describes as a Kremlin spinmaster said by some to be Mr. Putin's Rasputin. The other interesting point is the online astroturfing of kinetic demonstrations and street violence. They were apparently working to recruit sportsmen skilled in martial arts as muscle for protests in Ukraine. Tensions between Russia and Western nations remain high after the Salisbury nerve agent attack and US findings that Russia is conducting ongoing reconnaissance and battlespace preparation of American power grids. But no significant new developments, either diplomatic or cyber, have turned up so far this week.
Facebook's rough ride continues. It's receiving uncomfortable attention in the UK for its failure to do something, or at least something more, about anti-Semitic content. The criticism has grown alongside the ongoing Labour Party scandal involving scurrilous social media activity by party leaders. Facebook CEO Mark Zuckerberg did take some shots back at Apple, which last week didn't pass up an opportunity to repeat its view that when services are free, it's the user and not the server that's the real product. Mr. Zuckerberg's rejoinder was a tu quoque of sorts. Quote, I think it's important that we don't get all Stockholm syndrome and let the companies that work hard to charge you more convince you that they actually care more about you. He's looking at you, Mr. Cook. Mr. Zuckerberg also claimed that Facebook was looking out for the many people who can't afford to pay a lot to be connected. On the issue of fake news, he said the company hadn't really understood the extent of Russian information operations, but they do now, and they'll certainly be on the alert.
There are two stories that might at this point count as evergreen. First, the recent minor and swiftly contained WannaCry appearance in Boeing's networks prompts observers to warn again about the risk of cyberattack against airline avionics, with the potential for disastrous disruption of flight systems. And second, there are fresh warnings of Russian ships appearing in the vicinity of the transoceanic cables on which so much international and even domestic communication depends. Concerns about this have been raised several times over the past two years, especially in the United Kingdom, and the worries appear to be spreading.
And finally, in the case of alleged NSA leaker Reality Winner, the defense appears to be planning to drag in as many parties as possible. Politico reports that on Friday, Ms. Winner's lawyers filed an intention to subpoena representatives of the 21 states that the Department of Homeland Security formally notified last year of targeting by Russian hackers. They also intend to subpoena a number of well-known cybersecurity firms and news services to testify, including Trend Micro, FireEye, CrowdStrike, Volexity, F-Secure, ThreatConnect, Motherboard, SecureWorks, and Fidelis Cybersecurity. The defense has also asked for records and testimony from the Central Intelligence Agency, the Department of Defense, the National Archives, the National Security Council, the Office of the Director of National Intelligence, the Department of Homeland Security, and the White House. Prosecutors call this an unchecked fishing expedition that would constitute an oppressive and frivolous waste of government resources.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Malek Ben Salem. She's the R&D manager for security at Accenture Labs. She's also a New America Cybersecurity Fellow.
Malek, welcome back. You and I have been making our way through some tips for getting ready for deployment of cryptography. We talked about some short-term plans last time we spoke, and today we're going to look a little more at the long picture. What tips do you have for looking at your long-term plans?
Yeah, so we were talking about post-quantum cryptography and getting ready for that. One thing that companies can do in the long run is establish a process to verify the maturity of post-quantum crypto algorithms. We know that today NIST has already launched a project to evaluate post-quantum crypto algorithms for public key encryption. As a matter of fact, they're having their first conference in April in Florida to review some of those proposed algorithms, which will go through a three to five year evaluation process, probably. So in three to five years, we may have a recommendation or a standard by NIST which companies can start deploying. By that time, companies should establish a process to verify the maturity of that algorithm. Is it still under development, or is it already endorsed by NIST or by ISO or some other standardization body?
integration body, they should have an understanding of the degree of integration of that algorithm and the degree of adoption of that algorithm by companies like Apple, Microsoft, or Intel. And then they should decide for themselves whether they should be early adopters or not. So we know that quantum computing technology, at least the way it's going to pose a threat to crypto, is not going to happen for at least 10 to 15 years. That's by the most optimistic accounts.
to be secured for in the long run, they would probably want to encrypt that data in advance using these post-quantum crypto algorithms so that they're not exposed, that data doesn't get exposed. So if they have that type of data, then they may need to adopt early those types of post-quantum crypto algorithms.
We've heard stories where nation states in particular have started gathering up data, even though it's encrypted and they can't decrypt it now, with the hope that sometime in the future they will be able to decrypt it.
Exactly, exactly. And that's what companies should be aware of, and they should be planning for that. If they have data that needs to be safe in the long run, they should upgrade their key lengths at least today. The second step that they need to think about, or they need to go through, is once they've identified the post-quantum crypto algorithm to deploy, then they'll have to define which applications will be affected. You know, you have S/MIME, you have SSL, SSH, VPN, obviously, you know, long-term data archiving; you may have authentication systems that will be affected. So it's important to identify all of those applications, all of those communications channels, and then decide, again, the keys and the certificates that have to be renewed and within which time.
All right. So as we've been discussing, really trying to get ahead of the game rather than finding yourself having to play catch up.
Absolutely. Yeah.
All right. Malek Ben Salem, as always, thanks for joining us.
Thank you, David.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.