CyberWire Daily - EDGAR hack enabled illicit stock trades? Equifax tweets phishing url to troubled inquirers. Kaspersky ban clarified.
Episode Date: September 21, 2017. In today's podcast, we hear that the SEC was hacked, and someone might have made a lot of money from the incident. Equifax tweets send inquirers to a phishing site. Investigation into the Avast caper suggests a state intelligence service's hand. The Department of Homeland Security clarifies its ban on Kaspersky products. Emily Wilson from Terbium Labs, cautioning us to not be so distracted by big shiny objects like "taking down the power grid" that we forget the basics, like enabling two-factor authentication. Richard Henderson, global security strategist at Absolute, commenting on the Equifax breach and the challenges of keeping up with patching. And chatbots turn spiritual. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The SEC gets hacked and someone might have made a lot of money.
Equifax tweets send inquirers to a phishing site.
Investigation into the Avast
caper suggests a state intelligence service's hand. The Department of Homeland Security clarifies
its ban on Kaspersky products. And chatbots turn spiritual.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 21, 2017.
Late yesterday, the SEC announced that it had been hacked
and that the hackers may have been able to use the fruits of their labors to execute illegal trades.
The U.S. Securities and Exchange Commission discovered last year
that there had been unauthorized access to its EDGAR reporting
system. EDGAR, an acronym standing for Electronic Data Gathering Analysis and Retrieval, is the SEC's
central collection and distribution system for the various filings public companies are required to
submit. There appeared at the time to be little to worry about. That changed yesterday, September 20th, however,
when the SEC said that EDGAR had been compromised by a threat actor. The commission revealed that
it concluded last month, that is in August 2017, that an intrusion into EDGAR seems to have been
used for illegal stock trading. It's not yet known how large that trading was or how large the illicit gains were, but it could represent a very significant incident.
The disclosure appeared in a long statement by the SEC chair outlining the ways in which cybersecurity and resilience are important to the SEC and the sector it regulates,
and describing the Commission's initiation of an assessment of its cyber risk profile.
The relevant passages may be difficult to find, so we quote them now.
Quote,
Notwithstanding our efforts to protect our systems and manage cybersecurity risk,
in certain cases cyber threat actors have managed to access or misuse our systems.
In August 2017, the Commission learned that an incident previously detected in 2016
may have provided the basis for illicit gain through trading.
Specifically, a software vulnerability in the test-filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information,
jeopardize the operations of the Commission, or result in systemic risk.
Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.
The statement is long and mostly concerned with all the ways the SEC is shoring up its cybersecurity as it works to drive down risk.
The emphasis in the statement on implementation of the NIST framework suggests that part of what's going
on here was prompted by the president's executive order. There are other security issues that have
surfaced during the SEC's cyber risk assessment. Some may have involved data corruption. The
commission's division of enforcement has investigated and filed cases
against individuals who are believed to have placed fake SEC filings on EDGAR in order to
profit from resulting market movement. A number of the issues are old ones brought out to illustrate
what sort of risks the Commission is looking into. The SEC's Inspector General found in a 2014
internal review that some SEC laptops that might have contained non-public information couldn't be found.
The IG also found a few cases in which SEC personnel transmitted non-public information
through non-secure personal email accounts.
The SEC has come in for scrutiny with respect to its cybersecurity before.
There were reports in 2014 that access to
EDGAR had enabled speculators to run trades shortly before material information was posted
to the service. The intervals were short, matters of seconds, but that's enough time to earn some
illicit money. And Reuters is reporting in an exclusive that a Department of Homeland Security report on January 23rd of this
year found five critical weaknesses in the SEC's systems. The report was one of DHS's regular scans
of federal networks. It's not known whether any of those vulnerabilities had anything to do with
the incursions into EDGAR. The story is developing. Investors and Congress are said to have the jitters, as well they might.
Equifax continues to struggle with incident response.
Communication through social media has for some time been understood as an important way of getting the story out
when an organization is responding to an incident.
So it's unsurprising and even commendable that Equifax should have taken to Twitter to get its news out.
Here again, however, the execution was flawed.
The company's tweets were telling people concerned about the breach to go to securityequifax2017.com instead of equifaxsecurity2017.com.
The correct site, of course, you've seen this coming, right, was EquifaxSecurity2017.com.
The one the tweets were sending people to was, in fact, a phishing site set up by a white hat who was curious to see who would arrive.
In this case, no damage was done, but the mistake persisted for two weeks,
which is an uncomfortably long time to send your stakeholders out into a phish net.
Again, the lesson is plain.
If we learn nothing else from Equifax's experience,
we should at least learn the importance of incident planning
and of exercising those plans when you come up with them.
One of the most asked questions about the Equifax breach
is why didn't they simply patch their systems more quickly?
For some perspective on
that, we reached out to Richard Henderson from Absolute Software, a company that specializes
in endpoint security and data risk management solutions. Richard is global security strategist
at Absolute. I'm on the fence about this because on one side, I mean, I really think they deserve
the lumps they're getting. But on the flip side, I understand how difficult it can be for enterprises to really patch that stuff.
The issue was that it was a server-side vulnerability issue.
And that's a whole different kettle of fish when it comes to vulnerabilities on the endpoint.
Typically, with your endpoint devices, you just run your Windows update, you patch your applications, and for most parts, you're good to go.
The problem with the server-side vulnerabilities, in this case with Apache Struts, which is what we believe the issue was, is that it's embedded in pretty much hundreds, if not thousands,
of custom applications. And a lot of these enterprises, they're building their own custom
products to be used inside of their networks. And it can be very difficult to update that software or that
server-side software because, one, the code is complex. The code base is very large. You may not
even have the original developers on staff anymore who developed it and someone else is trying to
fix it. You may not even know that it's there. So I feel for them in that maintaining and managing
and patching vulnerabilities in customized enterprise software is very difficult.
But at the same time, we have to understand that it's not 15 years ago where most of the software that was created back then was very rudimentary.
It was very basic.
It was easier to maintain.
Everything is connected today.
Everything is connected to the internet.
We're making this call over the internet. Your cell phone, your desk phone now, everything on the
back end is all connected through IP. And that means that for enterprises who aren't taking
the idea of vulnerability management seriously, they're leaving giant holes in their network.
And that's what happened with these guys. They weren't taking that critical vulnerability seriously enough. And that means either they weren't paying attention,
or they weren't giving it the significant level of risk calculation that they should have,
or just, you know, it fell through the cracks. That's entirely possible. But again,
you know, there's no excuses. And I don't think we should accept excuses. But at the same time,
it's not an easy battle. But this isn't just a problem with them. This is a problem with a lot of enterprises. They just, you know, there's
so many things out there that need to be fixed. They really need dedicated teams whose job it is
just to monitor what's happening in the world of vulnerability management. And they can, you know,
sufficiently triage or assess the impact of risk on their environment. I feel for them. I feel really
bad for the people down in the trenches, the regular IT staff, the regular security staff
who are really taking it on the chin right now. And whether that's rightly deserved or not is not
really for me to say. But at the end of the day, this company was responsible for maintaining the
security of some of our most intimate and
personal and critical data. So the onus is on them and other organizations who collect similar data
to be able to protect that data in ways that go above and beyond what we consider, you know,
what is expected in norm. They really had an obligation to protect that data,
and I think that's where they fail. That's Richard Henderson from Absolute Software.
The supply chain problems that backdoored an Avast product increasingly look like the
work of a state espionage agency.
The U.S. Department of Homeland Security has clarified and qualified its ban on Kaspersky.
Kaspersky software embedded in other vendors' products is not banned,
nor are Kaspersky intelligence and training services.
And finally, Motherboard reports, with appropriate skepticism, a new field for the use of chatbots,
spiritual counseling. Researchers at Northeastern University and the Boston Medical Center have been working on a chatbot to take the place of a palliative care coach.
You can set the bot to either spiritual or neutral. The spiritual settings come up in Christian,
Jewish, Buddhist, Muslim, Sikh, and Hindu. The goal is to reduce people's anxiety in the face
of death. A good thing, all things being equal, we suppose, but we can't help thinking of Tay,
Microsoft's well-intentioned AI-based chatbot
who quickly developed a set of really bad manners.
Tay, call your office.
You may have a new career in nursing.
Or what the heck, ministry.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award nominated Amy Adams stars as a passionate artist who puts her
career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis
at Terbium Labs. Emily, welcome back. You know, we were talking about Black Hat. You
were mentioning that there was an interesting keynote there, and it was really about sort of staying focused, not chasing shiny objects.
Yes, and you know this is a favorite topic of mine, so I was pleased to see that brought up.
I think a good example of this is the recent discussions about the ability to hack our power grids
or other big, shiny, scary topics that reasonably would keep you up at night.
And the need for the industry to focus both internally and externally about the real problems.
And by real problems here, I'm talking about the things that actually cause you an issue day to day.
If somebody actually manages to take down the power grid, which is a pretty inflammatory phrase,
that would be a real problem. But in the meantime,
your employees are being phished and you're reusing passwords and you're not turning on
two-factor because it's an inconvenience. So is this sort of like, you know, people are much more
afraid of dying in an airplane crash than crossing the street, but they're much more likely to die
when they're crossing the street? It's true. And I think some of that is perspective
and some of that is awareness. You know, you can't be worried about crossing the street every time
in the same way that you can't be worried that every time you log into your bank account that
someone's going to steal your credentials. But I think there's a need to be realistic and pragmatic
and focused on really targeting the everyday issues that are causing
a lot of the problems. You can decide that you want to put a pool in the backyard because you
think it'll raise the value of your house. But if you haven't replaced the lock on your front door,
maybe your priorities aren't quite right. And you make the point that those of us who
are in the cybersecurity industry need to sort of drive this conversation.
It's true. I think that it's very easy to talk about new, flashy, shiny things, right?
We've talked here before about, you know, when ransomware has a logo and a theme song, it makes the headlines. There are important emerging and changing trends to discuss, but it's very easy to get distracted from the day-to-day reality of what's actually causing problems.
And it's also hard to sell those things.
Right. There's definitely the buzzword compliance piece of this, right?
Everyone wants to check off that list.
You know, does it have machine learning?
Is it AI?
Is it faster than machine time or whatever?
And there's some fatigue over the same things you've heard over and over again. Turn on two-factor. Don't reuse passwords. Use
a password manager. Talk to your employees about phishing. Don't click on that link. Don't trust
what you see. And I think people get tired of hearing it. And people also have a sense of,
oh, but I know.
I know how this works. I'm not going to miss something that obvious. And because of that,
people don't want to hear it anymore. And they tune it out and they skip over it because it's much easier to focus on this bigger, more abstract concept of a security risk than,
you know, the monotony of going through and changing passwords on however many dozens of accounts you have online.
So despite all the new scary things coming down the pike,
you still can't take your eye off the basics?
I think that's a reasonable way to think of it.
And I think that you can worry about every possible eventuality,
every one in a hundred million chance,
but look at what's actually causing you problems.
Look at what's actually putting you at risk day to day
and look at what is actually going to impact
your organization now or you as an individual now.
Wouldn't you fix the problems you can fix more easily
instead of worrying about the ones that might never happen?
All right, Emily Wilson, thanks for joining us.
Thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.