CyberWire Daily - Equifax C-suite retirements continue. Deloitte still has little to say about its breach. Mac OS zero-day goes unpatched. Russian influence operations.
Episode Date: September 26, 2017
In today's podcast we hear that Equifax CEO Smith has joined the company's CSO and CIO in retirement, apparent expiation for the credit bureau's breach. Deloitte remains tight-lipped. Suggestions about how to handle identity and investigate breaches. macOS High Sierra suffers from a password exfiltration zero-day. Joe Carrigan discusses Dave's skepticism of password managers. Stephen Moore from Exabeam on post-breach cleanup. Two days after Germany's elections and the Russian dog hasn't barked (or the Bears growled), but there are plenty of 2016 paw prints over US opinion. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. If you want to execute at machine speed, doesn't it make sense to see what the algorithms a good machine runs on can do for you? Check out sponsor Cylance.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Equifax CEO Smith retires.
Deloitte remains tight-lipped.
Suggestions about how to handle identity and investigate breaches.
macOS High Sierra suffers from a password exfiltration zero day.
Two days after Germany's elections and the Russian dog hasn't barked or the bears growled,
but there are plenty of 2016 paw prints over U.S. opinion.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 26, 2017.
Equifax CEO and Chairman Richard Smith retired this morning in an apparent gesture of atonement for the company's massive data breach.
Paulino Dorrego Barros Jr. has been appointed interim CEO.
Mark Feidler will become non-executive chairman.
Smith joins the CIO and CSO in breach-linked retirement.
The company said that Smith and the board
expressly agreed to defer any formal characterization of his departure
and the determination of any payments or benefits Smith may be owed
until after the review of the data breach.
The new chairman said,
Equifax is a substantially stronger company than it was 12 years ago.
At this time, however, the board and Rick agree that a change of leadership is in order.
End quote.
Smith is still scheduled to be grilled by Congress in coming weeks.
Various senators and representatives have jumped up to declare their continuing dudgeon and reassure their constituents that they won't be mollified by a handful of high-profile retirements.
Equifax continues to receive very harsh reviews for incident response,
as experts warn all to brace for a breach-enabled cybercrime wave.
The McClatchy News Service offers a dismally probable list.
Theft of your tax refund or Social Security check, someone getting a second mortgage on your house, renting a car while pretending to be you and then wrecking that car, or buying a gun in your name.
The incident should prompt some serious examination of identity management.
The old familiar forms of establishing you are who you say you are obviously are no longer remotely adequate.
Deloitte continues to be tight-lipped about its own breach.
Reuters reports that the company says only six customers were affected, the information lost was relatively minor, and the affected customers were informed in a timely fashion.
Deloitte's websites and Twitter feeds haven't addressed the breach yet, as far as we can tell.
"Engage in proactive messaging to the broader base of stakeholders and the public regarding what is known and not known, and what the organization is doing."
Those words figure into Deloitte's own advice on how to handle the strategic and reputational risk of a breach.
If the breach really is restricted in scope,
perhaps the number of stakeholders are sufficiently limited
that quiet and private communication is the appropriate approach.
There may indeed be good reason for holding information close.
Some observers think it possible the breach may be more widespread
and consequential in its effects, but it's still too early to tell.
With three major breaches disclosed in less than a month, Equifax and Deloitte, and, lest we think this is all confined to the private sector, the Securities and Exchange Commission, there are many calls to do something.
One example of something that may be worth considering came from Ron Gula,
security expert and founder of Gula Tech Ventures.
He suggests that governments might play a role in post-breach investigation that's analogous
to the role the U.S. National Transportation Safety Board plays in accident investigation.
Some threshold would need to be established.
Suggestions are surely welcome.
Most observers agree that Equifax's response to their breach has been handled poorly, to say the least. So what's the proper response to a breach?
We spoke with Stephen Moore, VP and Chief Security Strategist at Exabeam. Before joining Exabeam, he was with Anthem, playing a leading role in the response and remediation of their breach. So his advice comes from experience.
Usually what happens in most organizations, if they don't self-discover, is a lot of chaos and a lot of quick political changes within the company. Heroes will emerge, a very quick change will occur inside of the company, sort of when the aliens arrive, if you will. So everyone stops sort of fighting internally and begins to focus very clearly on a new and distinct problem.
Do they find that the planning that they did ahead of time is generally sufficient to recover, or are things coming at them fast and furious?
From my experience, the planning that happens before is insufficient, largely because they focused on the wrong problems. They may have protocols for certain things, but they've never actually had to go and attack the problem at the speed and at the breadth that they're faced with in a breach, especially if someone knocks on the door, like a customer or maybe even an adversary or someone like the FBI, and says, hey, you've had a problem.
What are the typical actions that people take, and what parts are good and which parts are mistakes?
Part of the actions that are forced on someone or an organization, they typically buy into three things. They're buying visibility. They're buying some sort of analytics or someone to sort of decipher what has happened. And then response. Other things that pop up: a great emphasis on managing the message, pulling people from one job into another. There's a lot of other sort of operational sort of hero work that occurs as well.
And so in the meantime, the day-to-day business has to be done. How do organizations generally handle that?
That's a fantastic question. In many cases, it doesn't. There are cases where, depending on what happens inside the company, there may be a shutdown of critical systems. There may not be enough resources or maybe enough planning to spin those up into another location. So I have experience with a company that I did business with in my past that provided a service. It was such a bad situation that they had to shut down completely for months. And as a service provider to my former employer, that was a very sticky situation, because now you're sort of in a vendor management disaster recovery situation.
Do people find themselves dealing with sort of an unexpected emotional hit?
Absolutely. I can tell you firsthand that when something like this happens, people are afraid; there's a hit to an ego. Often in information security, we get to play the hero. We get to solve problems and do very cool things. So when a negative event happens, it can really hurt our self-image, speaking very plainly and very directly. And then the choice becomes, and I've had to share this firsthand with some of my staff and people I care about that I worked with, and say, the problem is here. It's your choice on how you behave. You know, you have to sort of ride the bomb all the way down. And your actions through this crisis will dictate your career from here on out. And so there's a huge opportunity as well.
So take us through what kind of advice you have for organizations. What are some of the best practices they can engage in if they get word that there's been a breach?
The first thing they want to do is think very quickly and be self-aware, if not already, about what gaps might they have. Do they have relationships with the local authorities? Might they need outside investigative help or even PR help? So a quick triage of those things, that's out of the gate. I mentioned earlier about sort of acquiring or buying or thinking about visibility, analytics, and response. You're going to have to have that. And it may be a combination of things you buy, services you acquire. That's a necessity. So scoping what you're doing and using economies of scale to pull together vast amounts of information to sort of stitch together timelines for response. So be aware, and then begin thinking about how you plan to run the investigation, obtain visibility, obtain analytics and response. That's where I'd start.
You know, there's that old saying about how an ounce of prevention is worth a pound of cure. What can people do on the preventative side to make things easier if they do face something like this?
One of the things, and this may be a weird one: when you're in a situation like a breach, you're going to have to go deep. You're going to have to go very deep. You will end up pulling in people who might have been an analyst, and they may need to come up and operate like a director. Let me explain. In the Anthem breach, at the time, I was a junior-level director. But because of circumstance, I had to get pulled into, very quickly, executive-level discussions. One story: I had to get on with 1,000 of our largest clients with seven minutes' notice and virtually no sleep for many days. Had my mentors not prepared me for really public speaking and being able to share complex thoughts with a wide audience, I would have failed miserably. So that's one thing I think you can do. Grab the up-and-comers and start inviting them in to even give pitches, presentations before a crisis. So identify those people, knowing you're going to have to go deep.
That's Stephen Moore from Exabeam.
Apple is updating macOS High Sierra. Unfortunately, it comes with a security hole.
Synack's chief security researcher Patrick Wardle has demonstrated a password exfiltration zero-day.
He says he disclosed it to Apple earlier this month, but that no patch was made available for it.
Wardle told ZDNet he likes Macs a lot, but thinks Apple has badly oversold their product's
reputation for security.
Germany's Sunday elections returned Chancellor Merkel to office with a different coalition
and without much evidence of Russian influence.
More information on the influence operations in the 2016 U.S. elections is out, however.
Exactly how they sought to interfere is slowly coming to light.
Purchased Facebook placements are the latest tactic.
Why they were doing it is no mystery at all.
Division and discord based on race, religion and class seem to have been Moscow's goal.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Hi, Dave. How are you?
Pretty good. You know, you have made the point several times here on the CyberWire that you're a big fan of password managers.
I am.
I am a recent convert to password managers. And I must admit, I was skeptical at first.
Right.
I thought, isn't this just another level of complexity for me to throw into things, you know, having to manage my passwords? And I just...
It adds complexity to your passwords, but it makes it easy for you to do that. And when you add complexity to your passwords, your passwords are better.
And what's impressed me is how, you know, we're using one of the big-name ones. I'm not going to name it here, give them a free plug, but it's one of the ones you've heard of.
Right.
They really do make it easy. Not only do they store your passwords, they store the sites where those passwords are, so you can go in and, you know, because there are some things I rarely use. I rarely log into the account where my dental insurance is stored. And so it's easy for me to forget what that password is. But with the password manager, it's all right there. It's automatic.
That's exactly right. I will tell you the one I use, because the one I use is open source. It was designed by Bruce Schneier. It's called Password Safe. It's not cloud-based, so I have to keep it somewhere where I can access it anywhere I need to access it.
I see.
But I keep it on a thumb drive and have it available usually anywhere I need it to be. It does all the same things. It stores the website, stores my username, stores my password, and allows me to have really, really complex passwords. My default policy for a website is 20 characters, random generation. It doesn't have to be pronounceable words or anything, with all kinds of special symbols. There's no way I'd ever be able to remember that. If somebody asked me right now what my Facebook password is, I would not be able to tell them.
Well, and another point was, you know, people sort of push back and say, well, then don't you just have one password that rules them all? And, you know, because you have to have a password to get into your password manager. And so that's sort of the keys to the kingdom.
It is the keys to the kingdom. You are creating essentially a single point of failure. But now what has to happen is somebody has to target you specifically to get that. You know, that can happen, certainly. It's a lot less likely than one of these 200 websites that are in my password manager being hacked. That's actually far more likely. That's the bigger risk, I think.
And the other thing is that with these password managers, you can have multi-factor authentication turned on. So even if someone did get the main password, the keys to the kingdom, I would still get a notification that I still have to do the multi-factor to log in.
Absolutely.
So there's a backup there. It doesn't seem as dire as it was.
No, multi-factor authentication is great.
You won me over.
I'm glad.
I have to say. Like I say, I was skeptical at first, but let me just put the word out there that from Joe and Dave, if you're not using a password manager, it's easier than you think it's going to be, and boy, does it really make your security...
It ups the level of security right off the bat.
It does. Money well spent.
Yep, especially if it's free.
Especially if it's free.
And I know I've said it, I've said that in the past, I've said if it's free, they're monetizing it somewhere, but generally in open source software, particularly with this product, the Password Safe, they're not monetizing it. It's just something that somebody did for the good of humanity.
Right.
Next week on The Cyber Wire, how Joe's passwords all got compromised by the free software he
was using online and how Dave laughs at him for not using a paid product.
So make sure you don't miss that.
All right, Joe.
Thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.