CyberWire Daily - Equifax breach news. Unsecured admin accounts. BlueBorne via Bluetooth. Hackable medical devices. Bots convince. A guilty plea draws a long sentence.
Episode Date: September 12, 2017
In today's podcast, we hear about how Equifax has attracted more attention from plaintiffs, AGs, and Congress. Everyone else is on heightened alert for fraud and identity theft. MongoDB says users... of its database process were not assigning passwords to administrative accounts. A Bluetooth-based attack vector, "BlueBorne," is described. Syringe pumps are found to be hackable. Bots serve more effective social media clickbait than human operators can. Robert M. Lee from Dragos on deterrence. Myke Cole, cyber security analyst and fantasy writer, discussing the importance of empathy when considering your adversaries. And Roman Seleznev gets 27 years after he cops a plea to hacking. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily; you might find it valuable, too. If you'd like to protect your endpoints against advanced threats, check out Cylance. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Equifax attracts more attention from plaintiffs, AGs, and Congress.
Everyone else is on heightened alert for fraud and identity theft.
MongoDB says users
of its database process were not assigning passwords to administrative accounts. A Bluetooth-based
attack vector, BlueBorne, is described. Syringe pumps are found to be hackable. Bots serve more
effective social media clickbait than human operators can. And Roman Seleznev gets 27 years
after he cops a plea to hacking.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 12, 2017.
Early and ambiguous comments about the Equifax breach pointed to an Apache Struts vulnerability, with the suggestion that the vulnerability the attackers exploited was CVE-2017-9805, a bug Apache fixed on September 5, 2017.
But according to Contrast Security and other observers from the security industry, it now seems likelier that the hackers exploited CVE-2017-5638, a vulnerability that was patched in March of this year.
The Equifax breach continues to draw litigation from the plaintiff's bar and regulatory inquests
from state and federal government bodies. Congress plans to hold hearings.
The company's share price dropped another 8 percent yesterday. In a kind of sector-wide collateral damage, Equifax's competitors TransUnion and Experian
also took smaller hits to their stock late last week, but both now seem to be recovering.
The Equifax breach is providing some tailwinds for another sector.
Unsurprisingly, that sector is cybersecurity.
Exchange-traded funds covering cyber have risen steadily since
the breach was disclosed last Thursday. The persons unknown who demanded ransom from Equifax
with a September 15th deadline now appear to be grifters unconnected with the hack.
There's been no further public word on attribution. Turning to another incident,
databases held for ransom.
MongoDB believes the recent wave of ransom attacks on users of its database products
have a common cause, failure to set passwords for administrative accounts.
The vendor says it hopes to improve its customers' security awareness.
Armis Labs has announced its discovery of a Bluetooth-based attack vector affecting major operating systems.
They call it BlueBorne.
It's said to affect equally desktop, mobile, and IoT systems.
In news of medical device vulnerabilities, ICS-CERT has warned that Medfusion syringe pumps could be vulnerable to remote manipulation.
Mitigations are available.
ZeroFox research suggests that bots may be better than humans
at getting their marks to swallow social media clickbait.
In an experiment, the bots consistently achieved higher conversion rates
than the human social engineers they were compared against.
Their experiment has attracted renewed interest
as experts mull the increased weaponization of artificial intelligence by various bad actors.
In addition to the Cyber Wire podcast, I am also the host of the Recorded Future podcast,
where I have the pleasure of speaking with smart, interesting people on topics centered
around threat intelligence. Myke Cole is one of those interesting people.
He's an intelligence analyst, a reality TV personality, and an award-winning author of fantasy fiction. Here's a segment from our recent conversation.
You are an award-winning and best-selling author. And in order to write compelling characters, you have to be able to put yourself in the mindset of the characters that you're writing. And I wonder how that informs your abilities as an analyst to be able to put yourself in the mindset of your adversaries.
I'm really glad you asked that question.
Because it's something I think that it's an issue actually, I kind of campaign on,
especially in law enforcement and intelligence and the
military, and it applies to cyber. Look, cyber is an incredibly analytical field, right? We are
attempting to interpret and understand machines and think like machines all the time. And that
necessarily takes you out of a human mindset. And then you marry that to the law enforcement
and intelligence field. You know what we call the people, our adversaries in every police department and in almost every intelligence agency,
we call them bad guys. And that's an incredibly judgmental position to take.
It's necessary because you can't be worrying about your adversary's relationship with their mother
if you're going to, you know, have to do the hard work of, you know, prosecuting them or if you're
in kinetic law enforcement, you know, literally putting cuffs on them and dragging them off.
So I'm not saying that that kind of snap judgment isn't necessary, but it is a roadblock,
and it does hold you back, because behind those computers are people, and people have
human motivations. Let me give you a corollary in fantasy fiction.
One that maybe a lot of your listeners will be familiar with is George R.R. Martin's famous series, A Song of Ice and Fire, which has been reinterpreted by HBO into the hit television show, A Game of Thrones, which I'm sure pretty much everybody listening to this podcast has seen.
If they haven't, they're living under a rock, I guess.
So George R.R. Martin is famous for evoking, George R.R. Martin, if you meet him, he's a, you know, older, overweight white guy, grew up in Bayonne, New Jersey. I think we can all safely say
that he's not a dwarf like Tyrion Lannister and that he's not a haughty, you know, noble queen like Cersei Lannister, right? And yet, he evokes these
characters so convincingly, that they resonate so realistically with an audience. Like, it's
amazing. It's like he knows them. And when people try to dissect how is it that he's able to do that
so well as a writer, my answer is he's empathetic, is that he's able to
step outside his own preconceived notions and judgments of the world and into the shoes of
someone who's utterly unlike them in a sympathetic manner. And that enables him to understand their
goals. Now think about that. Obviously that has utility in fiction because it enables us to make realistic characters.
But it also has utility in law enforcement and intelligence because when you can step into the mindset of an adversary and understand their goals intimately, you'll be able to move one step ahead of them.
that the motivation of a hacker is to do something for the lulz or to do something because they're ideologically sympathetic to ISIS, but not the same as ISIS. Well, I mean, that's a very,
very different set of actions. This is one of the things that always frustrated the heck out of me
when I was working CT. I can't remember the name of the head of FBI CT who famously said to
Congress that he looked for leadership skills,
whatever that means in his counterterrorism agents, because a bombing was a bombing,
a murder was a murder. He didn't think anybody needed to know Arabic or anything about Islam.
And I, you know, I want to choke the guy, um, because it's, that's exactly the opposite of
what's correct. Right. Um, is that the bad guys that we're judging, they have motivations.
And those motivations can serve as predictors for their actions.
And if you marry a real knowledge of the technology that they're using and an understanding of
what's making them tick and an empathetic and a sympathetic, yes, a sympathetic understanding
of what makes them tick.
I'm not saying you should betray your organization and assist a bad guy. What I'm saying is you should be able to understand
what makes them tick because it will help you stay one step ahead of them. And one of the watchwords
in fiction, one of the aphorisms you'll always hear a saying is that everyone is the hero of
their own story.
That's Myke Cole. You can hear the rest of my interview with him on the Recorded Future podcast at recordedfuture.com slash podcast.
And finally, Roman Seleznev has been sentenced after copping a guilty plea to U.S. federal charges of wire fraud,
aggravated identity theft, and causing intentional damage to a protected computer.
He'll get 27 years in club fed, and he's also been ordered to pay $170 million in restitution.
This is believed to be the stiffest sentence a U.S. judge has handed down for a cybercrime.
Mr. Seleznev admitted to being part of a carding ring and also to serving as a cashier, the guy who hoodwinked paycard transaction
processors into disgorging a cool $9.4 million from what must have been a large number of
ATMs.
Mr. Seleznev was nabbed in the Maldives as he was headed for the airport, about to return
from a vacation with his girlfriend.
The U.S. Secret Service agents who made the collar delivered him to the continental
U.S., stopping only for a quick appearance before a U.S. magistrate in the territory of Guam.
The case has had an unusually high profile. Not only is it international, but Mr. Seleznev,
a Russian citizen, is the son of Valery Seleznev, a big numero in the Russian Duma,
Moscow's parliament.
The Justice Department is pleased with its win.
The Russians are not.
They particularly object to the manner of Seleznev's apprehension.
The Russian embassy in Washington had this to say on the matter.
We continue to believe that the arrest of Russian citizen Roman Seleznev,
who de facto was kidnapped on the territory of a third country, is unlawful.
According to available information, Roman Seleznev's lawyer is planning to appeal against the sentence. Another lesson to be learned here: if you are wanted by the law, don't vacation in
places that have serviceable relations and extradition agreements with the particular long arm you're on the lam from.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos.
Robert, talking about industrial control systems as we always do,
and I was curious about this notion of deterrence.
When we have stories like our suspicions that it's the Russians
who've been rattling around inside Ukraine's power grid system,
how much of this is actually wanting to break stuff? And how much of this
is folks like the Russians sort of showing the rest of the world, hey, this is what we're capable
of. Take notice of this.
Yeah, great question. So when we look at these type of events, from an international relations perspective, a lot of times there's multiple reasons to do things, right? There's no guarantee they're only trying to show off, or guarantee they're only trying to do disruption, and understanding exactly what an adversary's intent is is one of the most difficult things in intelligence. That being said, we obviously can see that an adversary, and all suspicions point very, very keenly to Russia and Russian-based
groups are just absolutely going and disrupting a large portion of Ukraine, not only from the
power grid, but other sites. And a byproduct of that, whether they intended it or not, is
absolutely a level of showing that they can do this and are willing to do this.
And sometimes that second part, the willingness, is maybe even more important than the can.
Can the United States take down infrastructure?
Sure.
But if we are never willing to do so, it may not actually pose a threat to other nations.
And for that back and forth, it's very important to understand that it's got to be met with some sort of response.
So if Russia is responsible,
and really it doesn't even matter about attribution at this point, regardless of who is responsible,
the fact that we have seen indiscriminate malware like WannaCry and the NotPetya case where it
impacted Ukraine, as well as an attack that took down a portion of the power grid for the first
time in history through a cyber attack both in 2015 and 2016.
And that those things have been met with a silence.
Absolutely no senior level government officials like White House level officials have come out and condemned these attacks across two different administrations.
And that is concerning because it sets not only sort of a standard and emboldens the attacker to think that they can get away with this, but also erodes at any sort of norm setting that we might have hoped to have had in this space.
So it's not only an aspect of potential deterrence, which I would agree in, and I think it's a very keen point.
But it's also an aspect of writing the rules of the road, the future to come, of what is and isn't permissible.
And quite frankly, we really need to take a stand at indiscriminate attacks and attacks on civilian infrastructure,
because there's just too much harm to the global community in doing those.
Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you. you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.